Q: Can browser apps access Tor onion sites? Such sites could not have a valid certificate, right? So I'm guessing they cannot.

So then Tor usage is limited to having the client tunnel everything through Tor and out through some exit node to a regular website with a valid cert.

Discussion

You sent me down a rabbit hole, but onion sites don’t need a CA.

https://onionservices.torproject.org/research/proposals/usability/certificates/

That is interesting and detailed information.

Web apps running in Chrome or Firefox or Safari won't work with any of those solutions though AFAICT. Clients would have to run on the Tor browser to access .onion relays. Which is sensible anyways (using a Tor proxy w/o the Tor browser is risky).

Such sites can have valid TLS certs. They don't need them, because they are already encrypted at the network layer, but some people put TLS certs on there in addition. This is mainly just to appease people who don't understand the security details and have only been trained that the green shield means secure and everything else is not (which, to be fair, is a rule that *almost* always holds). In any case, the traffic will still need to be routed through Tor, but it will not go out an exit node.

More info here:

https://onionservices.torproject.org/research/proposals/usability/certificates/

Yes, if you use the Tor browser.

Or Brave.