What does it mean when hidden services have that lock with the red line thru?
It says
>Connection is not secure Logins entered on this page could be comprimised
I've seen it on forums. Is it safe?
Also is this new? I don't reckon seeing this in the past. I haven't visited any .onions in ages.
here's what im talking about
either its not encrypted
or the certificate is botched (or a self-generated SSL cert)
>>61193160
Who's going to sign a .onion address though?
>>61193118
Firefox (or at least the variant of it used for the tor bundle, apparently) shows this for non-HTTPS pages.
Tor makes HTTPS much less vital than normal, and may not be needed at all. I wouldn't worry about this.
>>61193194
It can be done: https://www.digicert.com/blog/ordering-a-onion-certificate-from-digicert/
>>61193244
thats what I thought
I use Tails anyway so everything is in theory encrypted with Tor
so .onions dont need SSL. How the fuck could they get my real IP if im using no javascript etc?
Its literally impossible, SSL cert or not
what would be the difference of having an SSL cert in an onion website anyway?
>>61193244
>>61193862
The exit node might be sniffing your traffic. Or do I have a fatal misunderstanding of how hidden networks work?
>>61193880
but what are they sniffing?
that some random IP visit X place?
who cares? they can't do shit nothing
heres a thread about this:
https://www.reddit.com/r/onions/comments/6gkb44/some_sites_have_lock_with_red_line_tbru_it_saying/
i honestly dont get it
>>61194072
Suppose you're an admin at some .onion forum. If you login or even just connect after authenticating your details (including session tokens if they don't expire quick) are sent in plaintext.
>>61193118
retarded tor browser devs have still not removed the cert warning. theres no reason to have it when you cant buy certs for onions.
>>61194122
not with hidden services
>>61194420
Right, so that's why I asked if I misunderstood how hidden services worked. I figured I was wrong.
>>61194383
>>61194420
so there's nothing to worry about if you are visiting a .onion right?
>>61194122
read from here:
>Exits are not used in onion circuits (nodes that are also exit nodes may do onion traffic also but they don't act as exits when doing that).
>Also I am not a cryptographer nor do I have a perfect understanding of Tor's internals, but .onion addresses are hashes derived from the onion's public key, therefore the first node (or any) in a onion circuit could not get plaintext traffic (Assuming the onion you are 'talking' to isn't colluding with anyone). I could be wrong.
also from my understanding, you can't even install SSL certs in onions so this is nonsense and bad design by tor browser devs
>>61193118
go back
>>61194706
You can install SSL certs on onions, and although the encryption is redundant, you can use it to verify the identity of a website.
For example, facebookcorewwwi.onion has an SSL certificate to prove its identity.
>>61194803
what is that facebook onion about?
but at the end of the day for the end user, it doesn't matter right?
given that you are using tails, no javascript, etc, your anonimity regardless of SSL or not
>>61194803
Tor hidden service connections are encrypted end-to-end and also node-by-node, it's pretty pointless to have SSL on top of that.
>>61193118
U BEEN PWNED KIDDO
>>61194957
>>61194902
The issue is that there could be a hidden service that mirrors facebook designed to collect user credentials and identities. The EV SSL certificate allows the end user to know that the server that they are connecting to is actually the official facebook servers.
Having a hidden service eliminates the possibility of exit nodes snooping on traffic, so having a hidden service that can be verified with 100% certainty that the site is official is incredibly useful.