.onion
Tor | |
---|---|
Intended use | To designate an onion service reachable via Tor |
Actual use | Used by Tor users for services in which both the provider and the user are anonymous and difficult to trace |
Registration restrictions | Addresses are "registered" automatically by the Tor client when an onion service is set up |
Structure | Names are opaque strings generated from public keys |
Documents | |
Dispute policies | N/A |
.onion is a special-use
The purpose of using such a system is to make both the information provider and the person accessing the information more difficult to trace, whether by one another, by an intermediate network host, or by an outsider. Sites that offer dedicated .onion addresses may provide an additional layer of identity assurance via
Format
Addresses in the onion TLD are generally opaque, non-
The "onion" name refers to onion routing, the technique used by Tor to achieve a degree of anonymity.
WWW to .onion gateways
Proxies into the Tor network like
.exit (defunct pseudo-top-level domain)
.exit was a
The syntax used with this domain was hostname + .exitnode + .exit, so that a user wanting to connect to http://www.torproject.org/ through node tor26 would have to enter the URL http://www.torproject.org.tor26.exit.
Example uses for this would include accessing a site available only to addresses of a certain country or checking if a certain node is working.
Users could also type exitnode.exit alone to access the IP address of exitnode.
The .exit notation was deprecated as of version 0.2.9.8.[7] It is disabled by default as of version 0.2.2.1-alpha due to potential application-level attacks,[8] and with the release of 0.3-series Tor as "stable"[9] may now be considered defunct.
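A parser for the hostname + .exitnode + .exit syntax described above, usable for flagging the deprecated notation in collected URLs. This is an added example, not code from Tor; the names `ExitRequest`, `parse_exit_host` and `find_exit_urls` and the sample URL list are constructed for illustration.

```python
from typing import NamedTuple, Optional
from urllib.parse import urlsplit


class ExitRequest(NamedTuple):
    target: Optional[str]  # hostname to reach; None for the bare "exitnode.exit" form
    exit_node: str         # node name as written in the hostname


def parse_exit_host(host: str) -> Optional[ExitRequest]:
    """Split hostname.exitnode.exit; return None if the host does not use .exit."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "exit" or not labels[-2]:
        return None
    target = ".".join(labels[:-2]) or None
    return ExitRequest(target, labels[-2])


def find_exit_urls(urls):
    """Return (url, ExitRequest) for every URL whose host uses .exit notation."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        request = parse_exit_host(host)
        if request is not None:
            hits.append((url, request))
    return hits


# Constructed sample, e.g. links extracted from a page or a proxy log.
SAMPLE_URLS = [
    "http://www.torproject.org.tor26.exit/",  # the example from the text
    "http://tor26.exit/",                     # bare exit-node form
    "https://www.torproject.org/",            # ordinary hostname
    "http://exit.example.com/",               # "exit" is not the last label
]

if __name__ == "__main__":
    for url, request in find_exit_urls(SAMPLE_URLS):
        print(url, "->", request)
```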
Official designation
The domain was formerly a
On 9 September 2015
HTTPS support
Prior to the adoption of CA/Browser Forum Ballot 144, an HTTPS certificate for a .onion name could only be acquired by treating .onion as an Internal Server Name.[13] Per the CA/Browser Forum's Baseline Requirements, these certificates could be issued, but were required to expire before 1 November 2015.[14]
Despite these restrictions,
Following the adoption of CA/Browser Forum Ballot 144 and the designation of the domain as 'special use' in September 2015, .onion meets the criteria for RFC 6761.[20] Certificate authorities may issue SSL certificates for HTTPS .onion sites per the process documented in the CA/Browser Forum's Baseline Requirements,[21] introduced in Ballot 144.[13]
As of August 2016, 13 onion domains across 7 different organisations had HTTPS certificates signed via DigiCert.[22]
References
- [1] Winter, Philipp. "How Do Tor Users Interact With Onion Services?" (PDF). Retrieved 27 December 2018.
- [2] "Intro to Next Gen Onion Services (aka prop224)". The Tor Project. Retrieved 5 May 2018.
- [3] "Encoding onion addresses [ONIONADDRESS]". gitweb.torproject.org. Retrieved 8 February 2021.
- [4] "Scallion". GitHub. Retrieved 2 November 2014.
- [5] Muffett, Alec (31 October 2014). "Re: Facebook brute forcing hidden services". tor-talk (Mailing list). Simple End-User Linux. Retrieved 2 November 2014.
- [6] "Onion.cab: Advantages of this TOR2WEB-Proxy". Archived from the original on 21 May 2014. Retrieved 21 May 2014.
- [7] "Tor Release Notes". Retrieved 4 October 2017.
- [8] "Special Hostnames in Tor". Retrieved 30 June 2012.
- [9] "Tor 0.3.2.9 is released: We have a new stable series!". The Tor Project. Retrieved 7 May 2018.
- [10] Nathan Willis (10 September 2015). "Tor's .onion domain approved by IETF/IANA". LWN.net.
- [11] Franceschi-Bicchierai, Lorenzo (10 September 2015). "Internet Regulators Just Legitimized The Dark Web". Retrieved 10 September 2015.
- [12] "Special-Use Domain Names". Retrieved 10 September 2015.
- [13] "CA/Browser Forum Ballot 144 – Validation rules for .onion names". 18 February 2015. Retrieved 13 September 2015.
- [14] "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v1.0" (PDF). Archived from the original (PDF) on 14 January 2016. Retrieved 13 September 2015.
- [15] _zekiel (1 July 2013). "We've updated our Tor hidden service to work over SSL. No solution for the cert. warning, yet!". Reddit. Retrieved 20 December 2016.
- [16] Muffett, Alec (31 October 2014). "Making Connections to Facebook more Secure". Retrieved 11 September 2015.
- [17] Alyson (3 December 2014). "Improved Security for Tor Users". Retrieved 11 September 2015.
- [18] Lee, Micah (8 April 2015). "Our SecureDrop System for Leaks Now Uses HTTPS". Retrieved 10 September 2015.
- [19] Sandvik, Runa (27 October 2017). "The New York Times is Now Available as a Tor Onion Service". The New York Times. Retrieved 17 November 2017.
- [20] Arkko, Jari (10 September 2015). ".onion". Retrieved 13 September 2015.
- [21] "Baseline Requirements Documents". 4 September 2013. Retrieved 13 September 2015.
- [22] Jamie Lewis, Sarah (7 August 2016). "OnionScan Report: July 2016 – HTTPS Somewhere Sometimes". Retrieved 15 August 2016.
External links
- "Tor Browser". Tor Project. Anonymous browsing via Tor, used to access .onion sites.
- "Tor: Onion Service Configuration Instructions". Tor Project.
- "Tor Rendezvous Specification". Tor Project.
- Biryukov, Alex; Pustogarov, Ivan; Weinmann, Ralf-Philipp (2013), "Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization" (PDF), Symposium on Security and Privacy, IEEE
- "Ballot 144". CA/Browser Forum. 18 February 2015.