HTTPS is crucial when off relay to keep traffic encrypted, but obtaining TLS certs for onion hosts that are accepted by Tor browser is not easy.
If Tor could accept mkcert certificates, either:
immediately,
when user permits, or
if the mkcert CA root is in the system trust store
It would make it a lot easier to provide this added protection, and the UX would be much better than “Potential security risk ahead.”
I ask this question to consider the possible real, technical, security negatives of accepting mkcert certificates for onion hosts. Is it a terrible idea?
The reason it’s so important to me is because I have a product for remote browsing (BrowserBox) and I consider it super useful to be able to serve this over TOR, because it’s sort of in the same vein. As in, some people who may benefit from RBI, may also want to access it over TOR, or access the Tor network.
I think people use RBI because they demand better security and privacy, and some of them use it for cyber investigations. The ability to access TOR or serve BrowserBox as an onion site (both of which we support) is useful. However, without the ability to get a TLS cert for .onion sites, the UX on Tor browser is not great.
I used to provide a link for people to download the server’s mkcert CAroot.pem file and they can then choose to put it into their keychain/trust store. But turns out Tor Browser (in contrast to the other browsers like Chrome, Firefox, etc) - does not see/trust this installed mkcert CAroot, and you still get the “Unknown Issuer” security gate.