Usability Roadmap Scenarios - Certificates¶
- Version: v2023.Q2
Proposals evaluation¶
Summary¶
- All existing certificate proposals are non-conflicting!
- That means they could be pursued in parallel, so there's no block in here for people wishing to invest on any.
- What is limited though:
- Each proposal feasibility.
- Available resources.
- Results.
- Double check if a proposal does not bring any serious issues.
- Then some prioritization/decision is needed.
- This document presents a summarized comparison between proposals.
- This needs further review and discussion.
Development cycle¶
Development can be split into the following stage:
- Engineering: work to implement the proposal at the client side in various places (clients, libraries, standards etc).
- Operation: work to implement the proposal at the server side (i.e, the certification infrastructure where issuance happens, if applicable).
- Governance: what takes to bring the implementation upstream or to be widely adopted.
Level requirement:
- While some proposals might need all three to be successful, some might only need engineering and governance work.
- Proposals that are only engineered may remain in a prototype stage.
Requirements and prioritizations¶
- Prioritize what can be done without client or library modifications, as these are harder to implement, maintain, upstream and standardize.
- Minimize effort, challenges and risks.
- Consider the paths of least resistance when analyzing a solution.
Overall assessment criteria: the highest value on each stage (engineering, operation and governance).
Effort¶
Effort estimates the amount of work involved for each level.
| Proposal | Engineering effort | Operation effort | Governance effort | Overall assessment |
|---|---|---|---|---|
| Existing CA validation | None (already done) | None (already there) | None (already done) | None |
| ACME for .onion | High | Medium | High | High |
| Self-signed certificates | Very High | None | Very High | Very High |
| Self-signed X.509 from .onion | Very High | None | Very High | Very High |
| Same Origin Onion Certificates (SOOC) | High | None | Very High | Very High |
| DANE for .onion | High | None | Very High | Very High |
| Onion-only CAs | Low | High | High | High |
Challenge¶
Estimate the difficulty in solving open questions while implementing a given proposal.
| Proposal | Engineering challenge | Operation challenge | Governance challenge | Overall assessment |
|---|---|---|---|---|
| Existing CA validation | None (already done) | None (already there) | None (already done) | None |
| ACME for .onion | Low | Low | Medium (adoption by CAs) | Medium |
| Self-signed certificates | High | None | High | High |
| Self-signed X.509 from .onion | High | None | High | High |
| Same Origin Onion Certificates (SOOC) | Low | None | High | High |
| DANE for .onion | Low | None | High | High |
| Onion-only CAs | High | High | High | High |
Risk¶
Estimates the risk involved in the proposal not be successfully implemented in a given level.
| Proposal | Engineering risks | Operation risks | Governance risks | Overall assessment |
|---|---|---|---|---|
| Existing CA validation | None (already done) | None (already there) | None (already done) | None |
| ACME for .onion | Low | Low | Medium | Medium |
| Self-signed certificates | High | None | ? | High |
| Self-signed X.509 from .onion | High | None | ? | High |
| Same Origin Onion Certificates (SOOC) | High | None | ? | High |
| DANE for .onion | High | None | ? | High |
| Onion-only CAs | Low | Medium | ? | Medium |
Conclusion¶
By the current evaluation, "ACME for .onion" seems like the best option so far, since it
- Has High effort, whereas others have Very High effort (except for "Onion-only CAs" which is also High but it's not as general as the "ACME for .onion").
- Faces Medium challenges, whereas others have Very High.
- Faces Medium risks, whereas others have Very High effort (except for "Onion-only CAs" which is also Medium but it's not as general as the "ACME for .onion").
It also opens two possibilities:
-
Adoption by existing Certificate Authorities such as Let's Encrypt. This alternative has the minimal effort for Tor, since there are already specs being funded by OTF and Let's Encrypt may implement a version for themselves.
-
Running an .onion-only CA. Some Onion Service operators may not like to have their .onion addresses published into CT Logs, so having an alternative .onion-only Certificate Authority is also being considered, but that requires a lot more effort to implement beyond having an ACME for .onion implementation, but having this implementation paves the way for the "Onion-only CAs" proposal.
As stated in the certificate proposals document, there are two existing and similar proposals for bringing .onions to ACME, and ACME for Onions seems to be the one in a more mature state.
If this proposal cannot get traction in the CA space, then it's still possible to consider other certificate proposals.
In short, ACME for Onions is a proposal that can be implemented and/or maintained with less effort from Tor's side and won't depend on changes in applications and libraries (it would work out of the box for TLS clients).
ACME for Onions roadmapping¶
As the previous section concluded, the ACME for Onions proposal seems to be the one with better chances to succeed.
This section gives a roadmap example on how it could be implemented, while a detailed analysis on ACME for Onions is available in a special appendix.
To ease adoption by Certificate Authorities (CAs), it's worth reducing the complexity for the initial implementation by not requiring the ACME Server to proxy their requests through Tor:
- Stage 0:
- Goal: Reduce a Certificate Authority (CA) problem into an Operation (DevOps) problem.
- ACME
onion-csr-01challenge is implemented. - No CAA field check is done.
- Pros:
- That means just an ACME API transaction to have a certificate.
- Smaller implementation complexity.
- Support for wildcard certificates.
- Cons:
- The lack of
http-01andtls-alpn-01challenges means that Onion Services split into a Tor frontend proxy and a backend HTTPS connector will need additional logic in the client side in order to obtain a certificate, but this can be fixed by (re-)generating certificates in a dedicated box to be later deployed into production machines. - Having no CAA check may not reduce the risk of certificate missuance,
but in practice:
- Those certificates would be ineffective to run MITM attacks in the Onion Server.
- They could be detected by CT Logs (for CAs using this technology).
- The lack of
- Stage 1:
- ACME Challenges implemented:
http-01.
- ACME Challenges implemented:
- Stage 2:
- ACME Challenges implemented:
tls-alpn-01.
- ACME Challenges implemented:
- Stage 3 (Optional):
- CAA descriptor field checking is enabled for
http-01andtls-alpn-01.
- CAA descriptor field checking is enabled for
- Stage 4 (Optional):
- CAA descriptor field checking is enabled for
onion-csr-01.
- CAA descriptor field checking is enabled for
Rationale:
- "Inclusion of onion certificate into current ACME system face the difficulty of requiring the certificate authority's ACME to connect to Tor network for checking" (statement source).
- But a CA would not be required to implement all the challenges introduced by ACME for Onions or the CAA descriptor field check.
- The CA/B baseline requirements does not require CAA checking for .onion addresses (Section 3.2.2.8), neither requires that a CA implements all challenges (Appendix B).
- Then a CA could start by offering .onion certificates through ACME with only the
onion-csr-01challenge and no CAA checking, which means the CA would not need to connect to Tor to check an .onion and issue a certificate. - So a CA might start by implementing a subset of the ACME for Onions draft
spec, which would involve automating the
onion-csr-01challenge. - That would not require any change in the CA/B baseline requirements; and no major changes in the ACME for Onions spec would be needed, shielding the roadmap from any uncertainties in the processes happening either at CA/B or at the IETF.
- In summary, the baseline requirements already allows CAs to issue a cert for an .onion by only receiving the CSR and the signed nonce, and ACME would just be the automation method chosen by the CA; and CAA checking is not currently required for .onion addresses.
Tor Browser Enhancements¶
Additionally to implementing new methods for HTTPS certification, users could benefit from Tor Browser improvements in the UI widgets responsible for displaying connection security information.
These improvements may be done in parallel with bringing certificate automation to Onion Services.
Enhanced User Interface (UI) indicators¶
Announcing that a connection "is secure" can have ambiguous meanings depending on how it's presented. Maybe it will be intrinsically ambiguous if presented by a single piece of user interface, since at this level the user can't know if the "connection is secure" because of the Onion Service connection and also for the additional HTTPS connection:
-
The Onion Service connection is kind of self-authenticating since the public key and the URL are tied together and the connection is peer-to-peer encrypted. But at the same time it's not self-authenticating since there's no intrinsic way to authenticate the onionsite with the entity it declares to represent. This further authentication needs to be done externally, with many existing ways.
-
In the other hand, HTTPS certificates use an entirely different model of Certificate Authority-based authentication, where an authenticated relationship is established between the site and a DNS-based name -- or sometimes also with legal documents in case of Extended Validation (EV) certs are used. A TLS connection is also peer-to-peer encrypted, but the authentication is somehow "external" and "hierarchical" (in the sense that it depends on an external and hierarchical chain of trust implemented with built-in Certificate Authorities keys in a browser).
While each model works satisfactorily well on their application domains, mixing both together in a single bit of UX may generate different, often ambiguous interpretations.
Different scenarios¶
As pointed by this comment about previously-tested scenarios, some additional results could be considered to expand the current behavior, like the following:
| Scenario Name | Result |
|---|---|
| HTTP Onion | Onion Icon |
| HTTPS Onion Self-Signed | Onion Icon + connection security details |
| HTTPS Onion Self-Signed SOOC | Onion Icon + connection security details |
| HTTPS Onion Unknown CA | Onion Icon + connection security details |
| HTTPS Onion EV | Onion Icon + EV Name |
| HTTPS Onion Wrong Domain | Onion Warning Icon, Warning Splash Screen |
| HTTPS Onion Expired Self-Signed Cert | Onion Warning Icon, Warning Splash Screen |
| HTTP(S) Onion + HTTP Script | Onion Slash Icon |
| HTTP(S) Onion + HTTP Content | Onion Warning Icon |
| HTTP(S) Onion + HTTPS Content | Onion Icon |
| HTTPS Onion + HTTP Form | Onion Icon + Warning Popup on Form Submit |
Perhaps the Onion Icon could be customized to have a different appearance according to the scenario.
It's also important to discuss whether to disable self-signed certificate warnings when visiting .onion sites, considering the consequences for the choice, as certificates are important to authenticate that a site really belongs to the expected peer etc.