Layering Onions: Do we really need HTTPS?
After I published the July OnionScan report, there were many discussions on Twitter and elsewhere about the reasons why an onion service would expose an HTTPS endpoint.
In the context of a clearweb site, HTTPS provides many security properties; however, the hidden service protocol supporting onion services also provides these properties.
Theoretically, the value in supporting HTTPS for an onion server is in the certificate. All onion domains wanting to set up HTTPS have to opt for an extended validation (EV) certificate.
These certificates act as an external validation, stating that "this onion is associated with this real world entity". This gives non-profits and sites like Facebook a way to offer their users location privacy while still assuring them that they are using the right site, even if the name is difficult to remember.
This argument falls over if users are unable to recognise, or understand the value of, an EV certificate.
If you trust an analysis by DigiCert, then users trust EV certs more, and so adopting EV certificates for onion services run by well known organisations makes sense. But does the rest of the research community agree?
It appears that once users understand what EV certificates are and how to identify them, they are conditioned to trust them more (see: Exploring User Reactions to New Browser Cues for Extended Validation Certificates for one example of a study).
However, researchers have also found that the presence of an EV certificate does not make users less prone to phishing attacks, and browser vendors have found it difficult to build consistently understood SSL warnings for non-technical users.
While the research area is new, split across multiple browsers and sample populations, and rapidly changing, it seems fair to say that:
- users do not understand the benefit of an EV certificate over a regular certificate,
- but they hold an assumption that the presence of any HTTPS certificate is better than *no* HTTPS certificate.
To that end, the trend of well known charities, non-profits and corporations opting to launch an HTTPS onion makes sense. It encourages users to fall back on security advice that is well known (at least to them), and allows the organization to present an "equal" security posture for their clearweb and onion sites.
However, this does leave a question open: if Tor opted for an alternative UX where onion services were given the greenbar treatment, would users go the extra mile to check for an EV certificate?
My intuition says no.