Nq8g_iOs 0 Posted ... AirVPN was ahead of the curve getting the site on Tor quickly using its new v3 addresses. Today I logged into The Hidden Wiki using Tails and spotted the new Protonmail v3 .onion address and tested it out. I was able to log into Protonmail using the new v3 .onion domain address and TLS with my Protonmail user name and password. So then I tried logging into AirVPN's regular domain address https://airvpn.org/ thru Tails/Tor and was *unable* to log in with my account credentials. The error message said my user name and password did not exist. I checked the site information for AirVPN in the web browser and it said the connection was TLS secured, and the certificate was thru Let's Encrypt. I don't want to log in to AirVPN using its v3 .onion address, as the site information says its an HTTP only connection, doesn't use TLS, has no site certificate, and through Tor, its not a good idea sending user account data unencrypted. But then I was able to log into AirVPN https://airvpn.org/ on another PC with a normal direct Internet connection, and was able to easily log into AirVPN with my account credentials. But I was noticing many popular websites in The Hidden Wiki now have v3 .onion addresses and they all seem to be connecting using HTTPS, TLS and are site secured by DigiCert Inc certificates: Facebook, BBC, The Intercept, DuckDuckGo, Deutsche Welle, NYT Secure Drop, etc, they're all using DigiCert Inc certificates in TLS secured connections connecting thru Tails & Tor. At the time my login to https://airvpn.org/ failed Tails said my connection was coming out of Switzerland. I'm not sure, is Let's Encrypt having problems? I've been able to log into AirVPN directly using Tails before, this was the first time I've seen that happen. Got me wondering, is my login to Protonmail thru Tails using its v3 .onion address possibly compromised if the AirVPN login attempt failed? It seemed to be the Protonmail.com website, all my emails were there, drafts I'd written, emails I'd sent out, etc. It's just unusual to see the AirVPN login be denied like that using Tails & going thru Tor with the regular domain address for AirVPN. Makes me think, would the AirVPN login be less vulnerable to this kind of denial of service (possible interception attempt of login credentials?) when going thru Tor/Tails if the site were using a DigiCert Inc certificate for the TLS connections? Maybe check out the Let's Encrypt certificates thru Tor to make sure they're not vulnerable to a MITM redirect? Not sure if this was a bug or a hack, but does seem like logging into v3 .onion sites TLS encrypted using DigiCert Inc certificates are maybe less vulnerable, if it was an attack using forged Let's Encrypt certificates. I hate to think that's even possible. Anyway, Idk if this is a heads up, possible problem with the Let's Encrypt certificates, or a bug. I don't want to raise a false alarm, but maybe somebody should take a look at logins into AirVPN using Tor with Tails. -Ew;g_n Quote Share this post Link to post
Staff 9972 Posted ... Hello! Adding SSL/TLS to an onion service is not necessary::https://tor.stackexchange.com/questions/6447/do-all-onion-addresses-use-ssl-tls Of course it can be used. The certificate becomes more an additional auth tool which is not needed for the security and integrity of data in transit. Kind regards Quote Share this post Link to post
Staff 9972 Posted ... Now, AirVPN .onion website is served under SSL/TLS. Some reason here: https://community.torproject.org/onion-services/advanced/https/ (we're writing this post from .onion under SSL) Quote Share this post Link to post