Digital certificates allow users to verify they are connecting to a legitimate website and browse worry-free. Last year, DigiCert issued a certificate to Facebook’s .onion address and has since issued certificates to several other .onion addresses. These certificates allow Tor users to browse anonymously while still being able to identify that the website is operated by an official organization.
Internal Name Deprecation
Though these .onion certificates are currently valid, DigiCert issued the certificates knowing they might need to be revoked this fall. This is because .onion does not exist in the Internet’s DNS root zone and is not recognized by the Internet Engineering Steering Group (IESG) as a top-level domain (TLD).
Because .onion is not recognized, these .onion certificates are considered internal name certificates. The CA/Browser Forum has deprecated the use of public SSL Certificates for internal names and they will no longer be allowed after November 1, 2015. Unless .onion is recognized as a reserved TLD, all .onion certificates will expire in October 2015.
What This Means for Tor Users
Without publicly-trusted SSL Certificates for .onion domains, Tor website operators will have no way to prove to users that a given .onion address is run by a named, validated organization. A .onion address authenticates only the hidden service key behind it, not who operates that service, so these certificates are essential to help combat phishing with look-alike .onion addresses and MITM attacks against Tor users.
These certificates also matter for the strength of the keys protecting a Tor connection. In Tor's own PKI, the key that identifies a hidden service (the key from which its .onion address is derived) is only 1024-bit RSA. Layering TLS with a publicly-trusted SSL Certificate adds a second, independent authentication of the service under a key of at least 2048 bits, the minimum the CA/B Forum Baseline Requirements allow, so a compromise of the weaker 1024-bit key alone is no longer enough to impersonate the site.
Getting .onion Recognized
The CA/B Forum solidified validation rules for .onion names last month. This is a good first step to allow .onion websites to obtain SSL Certificates.
However, for .onion certificates to remain valid past October, .onion needs to be recognized as a reserved TLD by the IESG. Until then, DigiCert will continue to issue .onion certificates with the intent to revoke them before the November deadline, so operators should plan for reissuance rather than treat a current .onion certificate as long-lived.