Tor browser automatically adding exceptions for few sites

I see that the Tor Browser automatically adds an exception for this DIG website. I didn’t change any settings. This issue occurs not only on my installation of Tor but also on a fresh installation in a VM.

Why has Tor added exceptions automatically? Is it part of Tor’s code? I also tried clicking the “Remove Exceptions” button, but it doesn’t do anything.

I am attaching some screenshots below. Thank you

1 Like

It seems Tor Browser would automatically allow access to Tor websites with incorrect SSL certificates that have the correct Subject Alt Name.

Anyway I don’t think that matters. It doesn’t affect your security in any way.

1 Like

Upon clicking the onion icon, the Tor browser clearly indicates that the connection is not secure, though

Do you mean that the HTTPS certificate of the website is either incorrect or compromised, but the connection is secure because the data is already encrypted while transmitted through Tor servers?

Are you 100% sure about it? I don’t want to take any risks. In my understanding, it is just not guaranteed that the data was not tampered with. Is that correct?

According to your recommendation, should I avoid interacting with the website just for this reason?

1 Like

Why is an onion-site using https in the first place? Typo?

1 Like

Please read Tor Project | How do Onion Services work? , Onion Service traffic is encrypted from the client to the onion host, and the public key is encoded in the Onion Service address.

Please take a look at Tor Project | HTTPS for your Onion Service .

1 Like

I’ve read that, and again — why would an onion site use SSL?

When visiting a site over the Onion Services protocol, the Tor protocol prevents data in transit from being read or manipulated by man in the middle attacks, and the Onion Service protocol validates that the user is connected to the domain name in the browser address bar. No certificate authority is required for this proof, because the name of the service is the actual public key used to authenticate the underlying connection.

1 Like

You can see it after clicking on the onion lock icon > Connection is secure > ‘Verified by,’ which indicates the provider. In the case of the BBC, it’s DigiCert, for example, the same organization that also provides SSL certificates for regular sites.

@Lind @Protium_serratum I don’t know why I’ve started to see that warning for more and more websites. I also see it on Dread now. Can you check if this is normal by visiting the website, or if I am being targeted?

Yes, it tells that there is an SSL cert in use. But that is a different thing than why.

That long url includes the same functionality as SSL. That’s why we have two files inside ’HiddenServiceDir’: hs_ed25519_public_key and hs_ed25519_secret_key.

The right answer is probably that someone didn’t know how to do mirroring.

A webserver has put a certificate around the onion address. One can do so to make the first outer connection look like clear web traffic, or help the server to distinguish between a clear web access or an onion access to the desired service digdig …

Or what ever else reasons. Digdig… has a self signed certificate, the above BBC site has a CA signed certificate.

Due to the inner onion url you should be safe.

When I visited that site with TBB I got something similar to what you got. When I used a standard browser through a Tor expert bundle approach, the browser presented the ‘do you want to accept the certificate’ page to proceed manually.

I wonder why TBB forwards automatically.

Thanks for reading, cheers
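The posts above say that the onion name is the service's own ed25519 public key, plus a checksum and version byte, and that the key lives in hs_ed25519_public_key in HiddenServiceDir. The following is an added example (not code from anyone in this thread) that encodes and verifies a v3 onion address from a key and reads the key out of that file; the 32-byte key used in the demo is constructed, not a real service's key.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
# 32-byte header that tor writes at the start of hs_ed25519_public_key
HS_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==" + b"\x00" * 3


def onion_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()
    return digest[:2]


def encode_onion(pubkey: bytes) -> str:
    """Build the v3 address: base32(PUBKEY || CHECKSUM || VERSION) + '.onion'."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion(address: str) -> bytes:
    """Verify version and checksum of a v3 address and return the public key."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        raise ValueError("not a v3 onion address (expected 56 base32 characters)")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported onion address version {version.hex()}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupted or mistyped")
    return pubkey


def pubkey_from_hs_file(data: bytes) -> bytes:
    """Extract the 32-byte key from the raw bytes of hs_ed25519_public_key."""
    if len(data) != 64 or not data.startswith(HS_PUBKEY_HEADER):
        raise ValueError("not a hs_ed25519_public_key file")
    return data[32:]


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed sample key, not a real service
    addr = encode_onion(demo_key)
    print(addr, decode_onion(addr) == demo_key)
```

Because the address carries the key, a mistyped or look-alike address is caught by the checksum rather than by any certificate authority.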

The connection between your tor browser and the hidden service is encrypted with Tor hidden service encryption so you don’t need to worry about middle relays or clearnet malicious actors intercepting your traffic.

The self-signed SSL certificate, I don’t know, maybe the hidden service owner set up a self-signed SSL cert, thinking it would make the connection more secure, or just followed whatever guides they found online for configuring NGINX (or any httpd they used).

It’s unlikely anyone has compromised the certificate, because if they did replace the certificate, they’re already in the hidden service’s server, and they can already do whatever they want without replacing the cert (which will only alert users). Also, the security offered by the hidden service’s encryption doesn’t matter in this case anyway.

It most likely is an honest mistake on the owner’s side. There’s no practical or theoretical security problem in this case. But it does show that the owner has a poor understanding of how Tor hidden services work. If that’s a huge problem for you, then you should avoid it, but it all depends on you.

Take Proton AG as an example, this is their hidden service certificate:

Aside from providing security beyond the Tor hidden service’s encryption, their SSL certificate certifies that this hidden service is indeed Proton AG’s hidden service (possible if they used DigiCert EV certificates, which cost organizations a lot). As most hidden service domain names look alike (garbled encryption key), there have been cases where counterfeit hidden services were spun up to scam people. This additional identity certification provides a useful tool for users to identify that this is indeed the hidden service they wanted to visit.

I visited the site and yes, I also received the cert warning. I also created a hidden service so I could experiment with how to create such a situation, and yes, that could happen if hidden service owners don’t understand how hidden services work and try to add a self-signed SSL cert to it. You’re likely not being targeted, it’s just a pretty common mistake.