Security Audit on .onion addresses

Hello guys,

I was wondering if there is a way to "deactivate" a security audit ("Unsecured Websites") on an .onion address? I'm not aware if there is a possibility to have an .onion address on HTTPS, but in general, since those are on the Tor network, aren't they secured by that in general?



Comments

  • BenBen AWS Team

    Team Member

    Hi @ondrejfuhrer

    There is not, currently, a way to disable the warning. There isn't a restriction on using HTTPS on .onion addresses. I would not necessarily recommend relying on Tor alone for secure transit of the data between you and the endpoint, but I don't claim to be an expert on Tor.

    Ben

  • I'd like to +1 considering this request. It's the opinion of the Tor team that Tor provides a secure tunnel for HTTP. Here are some examples illustrating that:

    1) Tor's hidden service documentation recommends HTTP.
    2) The official Tor project's hidden service (expyuzz4wqqyqhjn.onion) uses HTTP.
    3) The Tor Browser calls hidden services using HTTP secure in its UI.
    4) The only example of an HTTPS hidden service I'm aware of is Facebook's. The Tor team has commented on Facebook's use of TLS in a blog entry (https://blog.torproject.org/facebook-hidden-services-and-https-certs). To summarize the post, they believe it's not a terrible idea, as users have been trained to look for HTTPS in URLs, but it's unnecessary.

    To my knowledge, getting a valid TLS certificate for a .onion address isn't easy, so most hidden services must use bare HTTP.

    I'm not a Tor expert either, but I am a longtime Tor user, and to my eye the 1Password warning about my .onion address not being secure doesn't seem accurate.

    I hope I've been able to provide some background information on Tor's hidden services, perhaps enough to sway you into considering removing the security warning for HTTP URLs to .onion domains. 🤞🏻

  • BenBen AWS Team

    Team Member

    @apersonontheinternet

    If you add a tag called HTTP to these items, Watchtower will no longer warn you about them.

    Ben

This discussion has been closed.