Upgrading my .onion site to https
Until a couple of weeks ago, I didn’t really see the point in giving a .onion site a TLS certificate.
Alec Muffett convinced me:
HTTP-over-Onion should not be considered as secure as HTTPS-over-Onion, and attempting to force it thusly will create a future compatibility mess for the ecosystem of onion-capable browsers.
Helpfully, getting a TLS certificate for a .onion site has become very easy in the last couple of years.
Sure, it’s not as easy as https for the clearweb, where Let’s Encrypt makes it trivial and automates renewals.
But it is still very easy.
It is also much cheaper than when I last looked: €30 / year. Not cheap, but cheap enough for me to give it a try.
The gist is:
- create an account with Harica, the Greek entity which will issue the certificate
- keep a copy of the private key
- upload the challenge to .well-known/pki-validation so that it is accessible via the .onion domain for which you want the certificate to be issued
- wait a few days, for Harica to carry out the verification
- when it has passed verification, pay Harica, and download the files it has generated
- upload the certificate files plus the private key to the webserver
- configure the webserver to use https, and route Tor traffic to it
- for Tor, I edited /etc/tor/torrc to amend the existing Hidden Service description, to add a listener for port 443 redirecting to 8443 on localhost
- for the webserver, I added a new virtualhost to the apache config, listening on 8443, with the normal config for TLS. Once it worked, I configured it to redirect http to https, to use https by default
- add a reminder to your calendar, since you’ll need to renew it manually
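The torrc stanza and Apache virtualhost that the last few steps describe, as an added example rather than the post’s own config. The onion address is the one from the post, and the 443 → 8443 mapping is what the post states; the paths, the 8080 port for the plain-HTTP side, the certificate file names and the validation file location are assumptions. The script writes both fragments into a scratch directory so they can be reviewed before being copied into /etc/tor/torrc and /etc/apache2/sites-available/.

```shell
#!/bin/sh
# Added example (not the post's own config). Writes the Tor and Apache fragments
# for an onion service that exposes both port 80 and port 443, with the TLS side
# terminated by Apache on 127.0.0.1:8443. Paths, ports other than 443/8443, and
# file names are assumptions.
set -eu

OUT="${OUT:-$(mktemp -d)}"                  # scratch dir; copy files into place yourself
ONION="dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion"   # from the post

# Tor side: one v3 onion service with two virtual ports. Tor connects to the
# loopback listeners, so Apache never needs to be reachable from the clearnet
# on these ports. (HiddenServiceDir path is assumed.)
write_torrc_stanza() {
    cat > "$OUT/torrc.onion" <<EOF
HiddenServiceDir /var/lib/tor/onion_site/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 127.0.0.1:8443
EOF
}

# Apache side. Needs: a2enmod ssl rewrite headers
# Apache comments must be on their own line, hence no trailing comments below.
write_apache_vhost() {
    cat > "$OUT/onion-tls.conf" <<EOF
# Plain-HTTP listener behind onion port 80. Keep the Harica file-validation
# path reachable over http (the CA fetches it there); redirect everything
# else to https so https is the default.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName $ONION
    DocumentRoot /var/www/onion
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/
    RewriteRule ^ https://$ONION%{REQUEST_URI} [R=301,L]
</VirtualHost>

# TLS listener behind onion port 443. Certificate and chain from Harica,
# private key is the one you kept when generating the CSR (paths assumed).
# Apache 2.4.8+ reads the intermediate from the same file as the leaf.
Listen 127.0.0.1:8443
<VirtualHost 127.0.0.1:8443>
    ServerName $ONION
    DocumentRoot /var/www/onion
    SSLEngine on
    SSLCertificateFile /etc/ssl/onion/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/onion/privkey.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
EOF
}

# Sanity check on what was written: the 443 -> 8443 mapping on the Tor side and
# a matching TLS listener with the onion ServerName on the Apache side.
check_fragments() {
    grep -q '^HiddenServicePort 443 127.0.0.1:8443$' "$OUT/torrc.onion" &&
    grep -q '^Listen 127.0.0.1:8443$' "$OUT/onion-tls.conf" &&
    grep -q "^    ServerName $ONION$" "$OUT/onion-tls.conf" &&
    grep -q '^    SSLEngine on$' "$OUT/onion-tls.conf"
}

write_torrc_stanza
write_apache_vhost
check_fragments
printf 'Config fragments written to %s\n' "$OUT"

# After copying the fragments into /etc/tor/torrc and sites-available/:
#   tor --verify-config -f /etc/tor/torrc
#   apachectl configtest && systemctl reload apache2 tor
# Then check the TLS listener through Tor from a client with a local SOCKS port
# (hostname resolution must happen inside Tor, hence --socks5-hostname):
#   curl -I --socks5-hostname 127.0.0.1:9050 "https://$ONION/"
```

The check at the end only confirms the two fragments agree with each other; whether Tor and Apache accept them is what `tor --verify-config` and `apachectl configtest` are for, run on the installed copies.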
And that was it.
The onion site for decoded.legal is now https://dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.
If you want to test it, either visit decoded.legal in Tor Browser, and it should redirect automatically (using an alt-svc header), or else visit dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.