The doc page for hidden services should discuss HTTPS issues
Currently, the doc page at https://www.torproject.org/docs/tor-hidden-service.html.en says nothing about providing HTTPS services, but, given that Facebook deployed such a service, it should provide this information.
At least the following topics should be covered:
- Self-identifying nature of onion domains and the questionable need for HTTPS: even HTTP over the Tor network is encrypted, and only the owner of the private key can get the traffic.
- The Facebook case for using HTTPS: linking the hidden service to a real-world identity using a certificate issued by a real CA.
- The Facebook mistake: they did not staple the OCSP response to their TLS handshake. As a result, the browser contacts the OCSP responder provided by a CA, and some browsers (including Chrome) do so bypassing the Tor network and thus deanonymizing the user and defeating the whole point of having a hidden service.
I am not 100% sure about the above, and thus did not edit the wiki directly. A good starting point for the first two issues is this text: https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs
Trac:
Username: patrakov
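
The third item in the ticket concerns a server that does not staple its OCSP response. As an added example (not part of the original ticket or of any Tor Project code), the shell function below classifies the OCSP section of captured `openssl s_client -status` output so an operator can confirm that stapling is active on their own server. The function names and both sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the OCSP section of `openssl s_client -status` output.
# staple_status, sample_unstapled and sample_stapled are hypothetical names;
# the transcripts below are constructed, not captured from a real server.

# Reads s_client output on stdin and prints one verdict word.
staple_status() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { seen = 1; ok = ($0 ~ /successful/) }
        /Cert Status:/                    { cert = $NF }
        END {
            if (cert == "") cert = "nostatus"
            if (none)        print "not-stapled"      # client must ask the CA itself
            else if (!seen)  print "unknown"          # no OCSP section in the input
            else if (!ok)    print "stapled-error"    # e.g. tryLater, unauthorized
            else             print "stapled-" cert    # good, revoked, unknown
        }'
}

# Constructed transcript: handshake without a stapled response.
sample_unstapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
EOF
}

# Constructed transcript: handshake with a stapled, valid response.
sample_stapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
EOF
}

echo "unstapled sample: $(sample_unstapled | staple_status)"
echo "stapled sample:   $(sample_stapled | staple_status)"
```

A `not-stapled` verdict means clients that check revocation have to reach the CA's OCSP responder on their own, which is the leak the ticket describes.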