SSL for .onion Sites — HTTPS Encryption for Tor Hidden Services
Tor already encrypts traffic between the client and your hidden service, but adding an SSL certificate provides defense-in-depth that protects against compromised exit nodes, verifies your .onion address authenticity, and enables features that require HTTPS context. AnubizHost provides SSL certificates specifically issued for .onion domains.
Why .onion Sites Benefit from SSL
Tor provides strong encryption between the client and your hidden service, so SSL might seem redundant. However, HTTPS on .onion addresses provides several critical benefits. First, it authenticates your .onion address — a CA-signed certificate proves that the site visitors are connecting to is controlled by the entity that passed validation, preventing phishing attacks that use similar-looking .onion addresses.
Second, HTTPS enables browser features that are restricted to secure contexts. Service workers, the Web Crypto API, geolocation, camera access, and many other modern web APIs require HTTPS even on .onion domains. Without SSL, your Tor hidden service cannot use these capabilities, limiting the applications you can build.
Third, HTTPS provides defense-in-depth. If a vulnerability is discovered in Tor's encryption layer, your SSL certificate provides an independent layer of protection. Security best practice is to never rely on a single encryption mechanism when two complementary layers are available at minimal cost.
How .onion SSL Certificates Are Issued
In 2015, the CA/Browser Forum approved the issuance of SSL certificates for .onion domains, recognizing them as legitimate special-use domain names. Certificate authorities can now issue DV and EV certificates for .onion addresses following the same validation principles as clearnet domains, with modifications suited to the Tor ecosystem.
Domain validation for .onion certificates typically works by verifying that you control the private key associated with the .onion address. This can be done by signing a challenge with your hidden service's private key or by serving a validation file from your .onion address that the CA retrieves over the Tor network.
AnubizHost handles the entire .onion SSL issuance process. We coordinate with the certificate authority, manage the validation challenge on your hidden service, and install the certificate on your server. The process typically takes 1-3 business days for DV certificates. EV certificates for .onion domains require additional business verification and may take 1-2 weeks.
EV Certificates for .onion — Maximum Trust on Tor
Extended Validation certificates are particularly valuable on the Tor network, where phishing is a persistent problem. Malicious actors create .onion addresses that visually resemble legitimate services, tricking users into entering credentials or sending cryptocurrency. An EV certificate with your verified organization name provides an unmistakable trust signal that is extremely difficult to forge.
Major organizations like Facebook (facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion) use EV certificates on their .onion sites to help users verify authenticity. AnubizHost can help smaller organizations achieve the same level of trust, ensuring your legitimate .onion service is clearly distinguishable from imposters.
The EV validation process for .onion domains follows the same rigorous standards as clearnet EV certificates: legal entity verification, physical address confirmation, phone verification, and authorized requester authentication. The result is a certificate that ties your verified business identity to your .onion address in a way that no attacker can replicate.
Installation and Configuration for .onion HTTPS
Configuring SSL on a Tor hidden service requires specific server settings that differ from clearnet HTTPS. The web server must listen on the .onion address, the certificate must be configured for the .onion hostname, and Tor must be configured to pass HTTPS traffic correctly. AnubizHost handles all of this during the installation process.
We configure your hidden service with TLS 1.3, perfect forward secrecy, and OCSP stapling. HTTP Strict Transport Security (HSTS) headers are set to ensure returning visitors always use HTTPS. We also configure your .onion address in the Alt-Svc header of any companion clearnet site, enabling Tor Browser to automatically discover and use your hidden service.
Ongoing management is handled by our automation. Certificate renewal, private key rotation, and security updates are applied without downtime. Your .onion site maintains continuous HTTPS availability, and our Tor-based monitoring probes verify both Tor reachability and certificate validity every five minutes. If any issue is detected, our team is alerted immediately.
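Added example, not AnubizHost's tooling: a check of the response headers described above, HSTS on the onion site and an Alt-Svc entry for the .onion address on the companion clearnet site. The header samples in the test, the function names and the 180-day HSTS threshold are assumptions; the page states no values.

```python
import re

# Alt-Svc alternative whose authority is a v3 onion host on port 443,
# e.g. h2="<56 base32 chars>.onion:443"
ONION_ALT = re.compile(
    r'[\w-]+="((?:[a-z0-9-]+\.)*[a-z2-7]{56}\.onion):443"', re.I
)
MIN_HSTS_AGE = 15552000  # assumption: 180 days, not a value from the page


def _lower_keys(headers):
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def audit_onion_site(headers):
    """Findings for the HTTPS onion site itself (empty list means OK)."""
    hsts = _lower_keys(headers).get("strict-transport-security")
    if hsts is None:
        return ["Strict-Transport-Security header missing"]
    m = re.search(r'max-age="?(\d+)', hsts, re.I)
    if not m:
        return ["HSTS header has no max-age directive"]
    if int(m.group(1)) < MIN_HSTS_AGE:
        return [f"HSTS max-age {m.group(1)} is below {MIN_HSTS_AGE}"]
    return []


def audit_clearnet_companion(headers, expected_onion):
    """Findings for the clearnet site's Alt-Svc header (empty list means OK)."""
    alt = _lower_keys(headers).get("alt-svc", "")
    hosts = [h.lower() for h in ONION_ALT.findall(alt)]
    if not hosts:
        return ["Alt-Svc advertises no v3 .onion authority on port 443"]
    wrong = [h for h in hosts if h != expected_onion.lower()]
    return [f"Alt-Svc points at unexpected onion host {h}" for h in wrong]
```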