If you have ever dreamed about TLS certificate for your onion site, now you can buy one. It was already possible but very expensive. If I remember correctly only DigiCert offer certificate for onion domain, and the price is about 350 USD. It was not expensive for Facebook, so they implemented it in their onion domain (click the link and check how it looks).
Now it is much cheaper thanks to Harrica (a Root CA Operator founded by Academic Network (GUnet), a civil society nonprofit from Greece). Check this great post on Tor Project to get more info. Anyway, now it cost 30 USD per year.
Everyone knows that communication in Tor is already encrypted. So why TLS for onion?
- Websites with complex setups and that are serving HTTP and HTTPS content
- To help the user verify that the .onion address is indeed the site you are hosting (this would be a manual check done by the user looking at the cert registration information)
- Some services work with protocols, frameworks, and other infrastructure that has HTTPS connection as a requirement
- In case your web server and your tor process are in different machines
Why I haven’t bought it yet? I have better ideas to spent 30 USD at the moment :) Anyway, I think in the near future TLS for onion will be available for free, for example provided by Let’s Encrypt. Harrica solution is probably first big step to simplify the whole process and free certificates in the near future.
If you are one of the people who would like to buy cert and set it up, follow Kushal guide.
Also make sure you are doing it for onion v3 because Tor will no longer support v2 and support will be removed from the code base.
PS: Don’t forget to update your Tor Browser to the latest one ;)