Frequently asked questions
Below is a list of frequently asked questions.
What is a sauteed onion?
Any TLS setup where the certificate declares an onion address. Two SANs are
required to establish an onion association from
What does a sauteed onion do?
It makes a site’s associated onion address as transparent as its TLS certificate. For example, this provides forward censorship resistance because TLS certificates are stored in public append-only CT logs.
Why is it called a sauteed onion?
It is a cooking analogy. An onion that is sauteed becomes transparent.
Who uses sauteed onions?
We provide an enumeration that is based on CT logs, and additionally operate an exact-match search service API.
Are sauteed onions replacing .onion addresses?
No, you still need to visit an onionsite via Tor.
If you are interested in the use of onion addresses for self-authentication and hijack resistance in browsers without Tor access, see the work of Syverson, Finkel, Eskandarian, and Boneh.
Are sauteed onions replacing .onion certificates?
No, you need to obtain a certificate with a
.onion address to get HTTPS to
your onion site.
Similarly, sauteed onions would be orthogonal to SOOC certificates.
Are sauteed onions replacing SecureDrop names?
No, but like SecureDrop names it would be possible to deliver a list of sauteed onions for local querying in a web extension or natively in Tor Browser.
Are sauteed onions replacing Onion-Location?
No, but “certificate-based onion location” via sauteed onions could be a future improvement. For example, it would be difficult to claim association with someone else’s onion address without detection. It also works for use-cases of Onion-Location that are “not web”.
We prototyped a web extension that implements certificate-based Onion-Location.
Are .onion addresses part of the TLS ecosystem?
Yes, the CA/B forum voted to allow domain validation of .onion addresses in
February, 2020. Obtaining a TLS certificate with a registered domain name and a
.onion address is not controversial and supported by DigiCert and
The main reasons for defining sauteed onions based on onion addresses that are encoded as subdomains are robustness and backwards-compatibility. In the future, a sauteed onion X.509v3 extension would likely be preferable. A lengthier discussion of the trade-offs is available in our pre-printed paper.
Of note is that no additional certificates are issued for existing TLS sites,
but CAs need to verify one more registered domain name. When compared to an
.onion address, CT logs need to store a handful of extra bytes per
sauteed onion setup. We argue that this is a reasonable use of resources when
weighted towards the benefit and intended use-case: a good mechanisms to
discover onion addresses for TLS sites that opted-in to resist censorship.
How do I set up an onion service?
The Tor Project provides a guide for setting up an onion service.
You may also be interested in Alec Muffett’s Enterpise Onion Toolkit (EOTK). It is a tool that deploys onion service access for existing websites.
How can I contribute to sauteed onions?
Reach out to say hello, provide feedback, and help with open issues. There is also plenty of future work, see further details in our pre-printed paper.
If you have a registered domain name and an associated onion address, setup sauteed onions.