I’m currently having a hard time wrapping my head around Tor hidden services (onions), i.e. the Tor Rendezvous protocol + HTTPS. That is to say, while browsing the dark web (who came up with this silly name anyway?), I came across several websites/hidden services with a (self-signed) SSL certificate. Isn’t this total nonsense, or is it me missing the point here?
I mean HTTPS serves two purposes:
- providing end-to-end encryption
- ensuring the authenticity of the content provider
Now, to my understanding, onions provide both of these by design. The connection is end-to-end encrypted (it never leaves the Tor network and, as a result, even protects against exit-node eavesdropping), and without possessing the private key, the content provider couldn’t provide the hidden service after all. So, basically, attaching an SSL certificate to a hidden service currently doesn’t make any sense at all to me, and I’m looking forward to some discussion … or even better: please prove me wrong so that I can learn something.