Opened 6 years ago

Closed 6 years ago

#13625 closed enhancement (fixed)

The doc page for hidden services should discuss HTTPS issues

Reported by: patrakov
Owned by: Sebastian
Priority: Medium
Component: Webpages/Website


Currently, the doc page at says nothing about providing HTTPS services, but, given that Facebook deployed such service, it should provide this information.

At least the following topics should be covered:

  1. Self-identifying nature of onion domains and the questionable need for HTTPS: even HTTP over the Tor network is encrypted, and only the owner of the private key can get the traffic.
  2. The Facebook case for using HTTPS: linking the hidden service to a real-world identity using a certificate issued by a real CA.
  3. The Facebook mistake: they did not staple the OCSP response to their TLS handshake. As a result, the browser contacts the OCSP responder provided by a CA, and some browsers (including Chrome) do so bypassing the Tor network and thus deanonymizing the user and defeating the whole point of having a hidden service.

I am not 100% sure about the above, and thus did not edit the wiki directly. A good starting point for the first two issues is this text:
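The third point above is something an operator can verify for their own service. The following is an added example, not code from the ticket or from the Tor project: it parses the output of `openssl s_client -connect HOST:443 -status` (the OpenSSL client's real `-status` flag, which prints the stapled OCSP response if the server sent one) and reports whether a staple is present, what certificate status it carries, and whether it is still within its `Next Update` window. The two sample outputs are constructed here to stand in for a captured session, so the script runs offline.

```python
import re
from datetime import datetime, timezone

# Constructed sample (trimmed) of what `openssl s_client -status` prints
# when the server staples an OCSP response to the TLS handshake.
STAPLED_OUTPUT = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Cert Status: good
    This Update: Nov 10 00:00:00 2014 GMT
    Next Update: Nov 17 00:00:00 2014 GMT
======================================
---
Certificate chain
"""

# Constructed sample of the same command when no staple is sent; the client
# would now have to contact the CA's OCSP responder itself.
UNSTAPLED_OUTPUT = """\
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
"""

_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def _field(output: str, name: str):
    """Return the value of a `    Name: value` line from the OCSP dump, or None."""
    match = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", output, re.M)
    return match.group(1) if match else None


def _parse_time(value):
    # OpenSSL pads single-digit days with a space ("Nov  3 ..."); collapse it.
    if value is None:
        return None
    value = " ".join(value.split())
    return datetime.strptime(value, _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_ocsp_staple(s_client_output: str) -> dict:
    """Summarise the OCSP staple (if any) in `openssl s_client -status` output."""
    if "OCSP response: no response sent" in s_client_output:
        return {"stapled": False, "cert_status": None, "next_update": None}
    status = _field(s_client_output, "OCSP Response Status")
    if status is None:
        # No recognisable OCSP block at all: treat as unstapled.
        return {"stapled": False, "cert_status": None, "next_update": None}
    return {
        "stapled": True,
        "response_status": status,
        "cert_status": _field(s_client_output, "Cert Status"),
        "next_update": _parse_time(_field(s_client_output, "Next Update")),
    }


def staple_is_fresh(info: dict, now: datetime) -> bool:
    """True only if a staple is present, says 'good', and has not passed Next Update.

    A stale staple is a common failure mode: clients reject it and fall back to
    a live OCSP query, which is exactly the leak the ticket describes.
    """
    if not info["stapled"] or info["cert_status"] != "good":
        return False
    if info["next_update"] is None:
        return False
    return now < info["next_update"]


if __name__ == "__main__":
    # Stand-alone run over the constructed samples. For a live host, replace
    # the sample with the captured output of the s_client command.
    check_time = datetime(2014, 11, 12, tzinfo=timezone.utc)
    for label, sample in (("stapled", STAPLED_OUTPUT), ("unstapled", UNSTAPLED_OUTPUT)):
        info = parse_ocsp_staple(sample)
        print(label, info["stapled"], info["cert_status"], staple_is_fresh(info, check_time))
```

The freshness check takes the current time as a parameter so the same function can be run against a saved capture or wired into a periodic monitor that alerts when a service stops stapling or its staple ages past `Next Update`.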

Change History (3)

comment:1 Changed 6 years ago by patrakov

Note that a similar ticket for enabling OCSP stapling exists for the Tor project site: #13067

comment:2 Changed 6 years ago by atagar

Component: changed from Doc to TorWebsite
Owner: changed from atagar to Sebastian

comment:3 Changed 6 years ago by Sebastian

Resolution: fixed
Status: changed from new to closed

I linked to the blog post in question. I think the OCSP stapling issue warrants spending too much time on; it works as it should in Tor Browser.
