Sauteed onions associate registered domain names with onion addresses. These associations are established in TLS certificates, making them publicly enumerable in append-only CT logs.
One of the most prominent use-cases of sauteed onions is to help users defeat censorship of TLS sites: onionsites can be used if they are discoverable, which is what sauteed onions help with. This tightens the relation between registered domain names, HTTPS, and onionsites.
Search for onion addresses
You can use any existing certificate search service to check if a registered domain name has an associated onion address. What we will be looking for is a domain name of the form:
Let’s give it a go using crt.sh.
What is the onion address of
Below is the search result.
So, the onion address is:
A search service that is tailored specifically for sauteed onions is available and operated by us. Try:
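To check SANs taken from a certificate or a CT search result locally, the following added example (not code from the sauteed onions project) parses names of the form `<56-character address>onion.<domain>`, the form used in the certbot command on this page, and verifies the v3 onion address checksum so that malformed labels are rejected. The function names are hypothetical, and the `example.org` names and the key are constructed sample values.

```python
import base64
import hashlib

def onion_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion address (without '.onion')."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()

def parse_sauteed_san(san: str):
    """Return (domain, onion_address) for a well-formed sauteed onion SAN, else None."""
    label, _, domain = san.lower().rstrip(".").partition(".")
    # 56 base32 characters of address followed by the literal suffix "onion"
    if not domain or len(label) != 61 or not label.endswith("onion"):
        return None
    addr = label[:-5]
    try:
        raw = base64.b32decode(addr.upper())
    except ValueError:  # characters outside the base32 alphabet
        return None
    pubkey, version = raw[:32], raw[34:]
    # Recompute the address from the key: rejects bad checksums and versions
    if version != b"\x03" or onion_from_pubkey(pubkey) != addr:
        return None
    return domain, addr + ".onion"

def associations(sans):
    """Map each domain to the onion addresses announced by the given SANs."""
    found = {}
    for san in sans:
        parsed = parse_sauteed_san(san)
        if parsed:
            found.setdefault(parsed[0], set()).add(parsed[1])
    return found

# Constructed sample data: a made-up key and example.org names
SAMPLE_ADDR = onion_from_pubkey(bytes(range(32)))
SAMPLE_SANS = [
    "www.example.org",
    f"{SAMPLE_ADDR}onion.www.example.org",
    f"{SAMPLE_ADDR[:-1]}eonion.www.example.org",  # wrong version: rejected
]

if __name__ == "__main__":
    for domain, onions in associations(SAMPLE_SANS).items():
        print(domain, "->", ", ".join(sorted(onions)))
```
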
Setup for site owners
Suppose that you have a website, for example:
and that you have an associated onion address (if not, see FAQ):
To set up sauteed onions, you need a TLS certificate for www.sauteed-onions.org with the following SAN:
The required steps:
1. Configure the above SAN in DNS. Just like www.sauteed-onions.org, it needs to be resolvable at the time of issuing the certificate so that the CA can validate the domain.
2. Follow the usual steps that are required to obtain a TLS certificate for www.sauteed-onions.org, but also add the above SAN to satisfy the sauteed onion criteria.
Note that this works with any of today’s CAs. See some examples below. Don’t forget step 1.
    # do the usual certbot configuration, but list all SANs with the -d option
    # (comma-separated, with no spaces between the names)
    $ certbot --apache -d www.sauteed-onions.org,qvrbktnwsztjnbga6yyjbwzsdjw7u5a6vsyzv6hkj75clog4pdvy4cydonion.www.sauteed-onions.org
When using Nginx rather than Apache, you might need to change /etc/nginx/nginx.conf to increase the value of server_names_hash_bucket_size to, say, 128. Don’t forget to reload