Security researcher Alec Muffett on how to implement SSL-over-Onion

Internet users longing for privacy-first browsing may increasingly find themselves reliant on the Tor network, with some calling for the adoption of a method that would enable Domain Validation (DV) certificates to be used for Onion sites.

Onion hidden services, those running on Tor’s anonymous network, already build on the encryption provided by Tor to protect users, as HTTPS strives to do for those surfing the Clear Web.

But as more and more new web features move towards requiring HTTPS to function, those wanting to use things like WebRTC (Web Real-Time Communication) through Tor may find themselves locked out due to the lack of DV SSL certificates.

“Tor goes to considerable lengths to enable secure networking in a way which people can get running without registering with an ISP, a DNS provider, nor a web host,” Alec Muffett, security researcher and a director at Open Rights Group, told The Daily Swig.

“It seems strange, therefore, that anyone who wants to use HTTPS over these Onion network addresses needs to register themselves with a certificate authority (CA), thereby disclosing their existence to the world via ‘certificate transparency’, and inviting the world’s hackers to try and break in,” he said.

“If I want to run a WebRTC server for my friends and family, for family chats, why should I have to announce my choice to do so, whose business is it other than mine?”

Regrettably, Extended Validation (EV) certificates are limited to corporations and other legal entities, as enforced by background checks; this severely limits individual access to HTTPS-over-Onion.

“I feel that, with removal of CAs from the operational risk model, there’s an opportunity to enable a lot of exciting functionality on Onion networks,” Muffett said.

“Tor already works on HTTPS, it’s already working with zero changes on EV certs, so let’s make a way to have DV certs.”

Muffett proposes a solution to bring Tor’s mechanism of trust onto browsers such as Firefox through the use of homebrew DV certificates, so that the browser can use the assurance that Tor Onions already provide, rather than using a CA.

To implement SSL-over-Onion, sites should be allowed to use homebrew DV certificates, and in the restricted situation of a .onion domain, their ‘homebrew’ nature would be ignored in favor of checks against the Onion address, he says.

“My proposal is that TorBrowser, and, eventually, any Tor-enabled browser, would, in limited circumstances, honor DV-style certificates,” Muffett said.

“That’s all. In theory, it’s just a few dozen lines of code that would need to go into TorBrowser and/or Firefox.”
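The check described above, sketched as an added example (not code from Muffett, Tor Browser or Firefox): a self-signed certificate is tolerated only when the host is a well-formed v3 .onion name and the certificate names that exact host. The function names, the `ca_validated` flag and the name-matching rule are assumptions for illustration; the address checksum follows Tor's v3 onion address format.

```python
import base64
import binascii
import hashlib

VERSION = b"\x03"  # v3 onion services

def _checksum(pubkey: bytes) -> bytes:
    # v3 address checksum: first 2 bytes of SHA3-256(".onion checksum" | pubkey | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 .onion hostname."""
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def onion_label(host: str):
    """Return the 56-char onion label if host is a well-formed v3 .onion name, else None."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] != "onion" or len(parts[-2]) != 56:
        return None
    try:
        raw = base64.b32decode(parts[-2].upper())
    except (binascii.Error, ValueError):
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != _checksum(pubkey):
        return None  # typo or tampering: the address does not bind to a key
    return parts[-2]

def accept_certificate(host: str, cert_names, ca_validated: bool) -> bool:
    """Hypothetical browser decision for a TLS certificate presented by `host`."""
    if ca_validated:
        return True   # ordinary web PKI path, unchanged
    if onion_label(host) is None:
        return False  # self-signed outside a valid .onion name: reject
    wanted = host.lower().rstrip(".")
    # Homebrew certificate: tolerated only if it names the exact onion host visited.
    return wanted in {n.lower().rstrip(".") for n in cert_names}

if __name__ == "__main__":
    demo = onion_v3_from_pubkey(bytes(range(32)))  # constructed key bytes, not a real service
    print(demo, accept_certificate(demo, [demo], ca_validated=False))
```

The self-signed path stays closed for clear-web hosts, so the relaxation applies only where the Tor circuit has already authenticated the address.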

Muffett adds that latency shouldn’t be a problem either, highlighting how HD video streaming over Tor was once deemed “impossible” due to the limited bandwidth of the volunteer-run Tor network.

“But now you can get an experience [HD video streaming over Tor] which is generally somewhere between acceptable and good,” he said.

“Plus, video-conferencing over Tor won’t get better unless people are doing it.”