Hacker News new | past | comments | ask | show | jobs | submit login

Tor has end-to-end encryption for onion addresses, but TLS provides identity validation as well as encryption. So you can be sure that the .onion address hasn't been spoofed (or that you typo'd it). In addition, if you have both the .onion and .com on the same certificate, you get the additional benefit of binding both addresses together as being part of the same logical website.

Unless it's an EV certificate or the same cert as .com, I don't see how https helps against spoofing or typoing.

The same cert is how this should be handled. EV is /fine/ but is not practical for people that don't want to verify their legal identity (they just want to verify that they are the authorised source for x.com and y.onion).

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact