Post
New blogpost:
"decoded.legal's .onion site no longer has TLS / https"
I've just turned off the TLS cert and config for dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.
This does not affect decoded.legal's clearweb site.
https://neilzone.co.uk/2026/02/decodedlegals-onion-site-no-longer-has-tls--https/
@neil From a technical perspective, someone running a tor exit node could spoof the destination website, so a TLS certificate allows detection of this. Having said that, I can’t imagine there’s significant demand for a tor site in the first place.
> someone running a tor exit node could spoof the destination website
.onion traffic doesn't go through an exit node?
@neil You’re correct; my bad choice of description there - but doesn’t the same apply to the final node (whether or not it exits the tor network)?
@barsteward Not as far as I know, but then, were it true, it would be a significant weakness in Tor / .onion services, which I should have thought would be widely publicised...
@neil Maybe I need to check my understanding of tor routing!
@barsteward @neil Isn't the "final node" Neil's?
My blog is also available as a .onion service, and this particular post is available at
:)
