By Mike on 26th Mar 2018
EV certificates verify websites: they're useful in any situation where web users need to know who they're communicating with, but they're especially useful for onion sites, which use names that are a base32 representation of a public key like swursuzpievjanml.onion - as a result, EV certificates are the only type used for onions. Even vanity prefixes can still be generated by anyone who desires that prefix, with a different set of trailing characters. So having something that ties a site to a company, charity, individual sole trader, or othr legal entity is useful.
We've made a few changes to how we handle certificates that include .onion names recently, and they're worth discussing here:
Unlike regular EV certs, where every domain has to be reviewed by a human, so wildcards aren't permitted, onion EV certs allow wildcards. Previously customers had to email us about onion wildcards and we'd manually add them to the certificate, our ordering and certificaste management platform has now been updated to accept wildcards on any .onion site.
Older generation onion sites used SHA1 as a hashing scheme. SHA1 is now widely considered broken, so part of the mitigation was including a full copy of the pubkey inside the cert itself, preventing it being used for another site via a SHA1 collision. Customers using older generation sites had to email us the sites full pubkey seperately from applying for the cert.
New generation onion sites like Ablative don't use SHA1, so the extra field isn't required. While we recommend current gen onion names, we still support previous gen onions if you needed.
When any onion domains are detected for new EV certs, the UI will restrict the certificate lifetime to one year, as .onion certificates have a max lifetime of one year.
We'll also be rolling out further onion changes soon. We're always interested in feedback from the community or new ways we can improve the verification process so please let us know your thoughts.
Mike MacCana, founder at CertSimple.
An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!