Browsers 03-25-2015

The Current State of .Onion Certificates and What Happens Next

Jeremy Rowley

Digital certificates allow users to verify they are connecting to a legitimate website and browse worry-free. Last year, DigiCert issued a certificate to Facebook’s .onion address and has since issued certificates to several other .onion addresses. These certificates allow Tor users to browse anonymously while still being able to identify that the website is operated by an official organization.

Internal Name Deprecation

Though these .onion certificates are currently valid, DigiCert issued the certificates knowing they might need to be revoked this fall. This is because .onion does not exist in the Internet’s DNS root zone and is not recognized by the Internet Engineering Steering Group (IESG) as a top-level domain (TLD).

Because .onion is not recognized, these .onion certificates are considered internal name certificates. The CA/Browser Forum has deprecated the use of public SSL Certificates for internal names and they will no longer be allowed after November 1, 2015. Unless .onion is recognized as a reserved TLD, all .onion certificates will expire in October 2015.

What This Means for Tor Users

Without publicly-trusted SSL Certificates for .onion domains, Tor website operators will not be able to authenticate themselves to users by using public SSL Certificates. These certificates are essential to help combat phishing and MITM attacks for Tor users.

These certificates are also important for data encryption in Tor. Though Tor's internal PKI system provides encryption, it is only 1024-bit. The use of an SSL Certificate raises the encryption to 2048 bits, making the data more secure.

Getting .Onion Recognized

The CA/B Forum solidified validation rules for .onion names last month. This is a good first step to allow .onion websites to obtain SSL Certificates.

However, for .onion certificates to be live past October, .onion needs to be recognized as a reserved TLD by the IESG. Until then, DigiCert will continue to issue .onion certificates with the intent to revoke them before the November deadline.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


How—and why—to automate certificate management


Why compliance is the foundation of digital trust