Upgrading my .onion site to https

Screenshot of Tor Browser, showing https:// in the URL bar

Until a couple of weeks ago, I didn’t really see the point in giving a .onion site a TLS certificate.

Alec Muffett convinced me:

HTTP-over-Onion should not be considered as secure as HTTPS-over-Onion, and attempting to force it thusly will create a future compatibility mess for the ecosystem of onion-capable browsers.

Helpfully, getting a TLS certificate for .onion has become very easy in the last couple of years.

Sure, it’s not as easy as https for the clearweb, where Let’s Encrypt makes it trivial, and means you don’t need to think about renewals.

But it is still very easy.

It is also much cheaper than when I last looked: €30 / year. Not cheap, but cheap enough for me to give it a try.

The gist is:

And that was it.

The onion site for decoded.legal is now https://dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.

If you want to test it, either visit decoded.legal in Tor Browser, and it should redirect automatically (using an alt-svc header), or else visit dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.