On 26/01/2026 11.59, Clara Engler via tor-dev wrote:
> A potential downside, however, might be that this allows for easier detection of Tor traffic. For example, tools such as WireGuard, which usually do not come with a Tor consensus required for detecting Tor traffic, may flag traffic as Tor traffic if the `ClientHello` contains a 40-character base16 hostname followed by `.home.arpa`.

Once we are migrated to Arti on the network side, I don't think it would be unreasonable to begin thinking about a Tor network where we manage the keys ourselves, but where the Arti Relay daemon can request a valid certificate via the ACME protocol from a provider such as Let's Encrypt. For censorship reasons, we should, of course, always fall back to self-signed certificates and not rely on the WebPKI for TLS trust validation in the case where the ACME certificate request fails and no certificate is issued.

Cheers,
Alex

--
Alexander Hansen Færøy
