Onions + HTTPS


I’m currently having a hard time wrapping my head around Tor hidden services (onions), i.e. the Tor Rendezvous protocol + HTTPS. That is to say, while browsing the dark web (who came up with this silly name anyways?), I came across several websites/hidden services with a (self-signed) SSL certificate. Isn’t this total nonsense or is it me missing the point here?

I mean HTTPS serves two purposes:

  1. providing end-to-end encryption
  2. ensuring the authenticity of the content provider

Now, to my understanding, onions provide both of these by design. The connection is end-to-end encrypted (it never leaves the Tor network and, as a result, even protects against exit-node eavesdropping) + without possessing the private key, the content provider couldn’t provide the hidden service after all. So, basically, attaching an SSL certificate to a hidden service currently doesn’t make any sense at all to me and I’m looking forward to some discussion … or even better: please prove me wrong so that I can learn something.


I wrote a bit about that here:

Few points to consider:

  • Extra layer of encryption: when .onion encryption can be broken, SSL encryption might still be safe. (It doesn’t come without disadvantages. We could also argue about attack surface, performance, etc.)
  • SSL uses stronger encryption than current .onion
  • .onion is not really encrypted end-to-end, but Tor-to-Tor. When the server setup involves forwarding connections from the Tor client to a load balancer and/or other servers, SSL can still make sense.

End-to-end encryption? HTTPS provides that? How interesting. I thought only cover traffic could provide end-to-end encryption. If you don’t know what I mean by cover traffic, this is what I mean: Imgur: The magic of the Internet

Looks like they are using padding and cover traffic as synonyms.

SSL encrypts end-to-end (browser to server), .onion encrypts Tor to Tor.