.onion domain name introduction

.onion is a top-level domain suffix for addressing special purposes on the Tor network. This suffix does not belong to the actual domain name and is not included in the root zone of the domain name. But with the right proxy software installed, such as browser-like web software, specific requests can be sent through the Tor server to access the .onion address. The use of this technology can make it difficult for information providers and users to be tracked by the network hosts or outside users that pass through them.

Format

.onion The address of the top-level domain is a difficult-to-remember and incomprehensible 16-bit, half-letter, half-digit hash automatically generated by the public key after the Tor service is configured. this 16-bit hash consists of any letter of the alphabet and a decimal number from 2 to 7 to represent 80 digits encrypted using base32. It is feasible to find suitable URLs and set up human-readable .onion addresses (e.g., beginning with the organization name) by generating a large number of key pairs in parallel.

The word "onion" in this name refers to onion routing technology for anonymous purposes.

World Wide Web to .onion gateway

Proxy services such as Tor2web allow browsers and search engines that do not use Tor technology to access hidden services on the Tor network. If such a gateway is used, the user gives up his anonymity and has to trust only that what the gateway is transmitting is correct. Both the gateway and the hidden service recognize the browser and know the user IP address data. Some proxies use caching technology to provide faster access than the Tor browser.

.exit

.exit is a pseudo-top-level domain used by Tor users to indicate the preferred exit node that Tor should use when connecting to a service such as a web server, without editing the configuration file Tor (torrc).

The syntax for using this pseudo-top-level domain is: hostname + .exit. Exit node + .exit. if the user wants to use node tor26 to access http://www.torproject.org/, just enter http://www.torproject.org.tor26.exit.

Examples of this include visiting sites that are only available in a particular country or checking that a node is working properly.

The user can also access the IP address of the export node by entering the export node.exit directly.

.exit functionality is disabled by default in version 0.2.2.1-alpha due to the potential risk of an application layer attack.

Official designation

.onion domain names were once pseudo-TLD host suffixes, which are roughly identical in concept to the early use of .bitnet and .uucp.

On September 9, 2015, ICANN, the Internet Corporation for Assigned Names and Numbers, and the Internet Engineering Task Force designated .onion as a "special purpose domain name" on the recommendation of Jacob Appelbaum of the Tor Project and Alec Muffett, a Facebook security engineer, placing it under official status.

HTTPS support

SSL Stripping attacks originating from malicious egress nodes on the Tor network are enough to threaten access to traditional HTTPS sites on the Minnet. Although the encryption itself is technically redundant, the .onion-addressed site can give Tor native encryption capabilities through an additional layer of certificates that provide identity assurance. The provision of HTTPS certificates also requires browser functionality to be enabled, otherwise these features will not be available to users of the .onion site.

Before CA/Browser Forum Ballot 144 was adopted, HTTPS certificates in the name of .onion could only be obtained by treating .onion as an internal server name. According to the CA/Browser Forum benchmarking requirements, these certificates may be issued, but must expire by November 1, 2015. Despite these limitations, four organizations (DuckDuckGo, signed in July 2013, Facebook, signed in October 2014, Blockchain.info, signed in December 2014, and The Intercept, signed in April 2015) have signed on to the Accreditation Agency Partnership.

The .onion domain name passed RFC 6761 following the CA/Browser Forum vote No. 144 in September 2015 and the adoption of .onion as a "special purpose domain name". Certificate issuers may issue SSL certificates for .onion sites in accordance with the process documented in the benchmarking requirements introduced by the CA/Browser Forum in Poll 144.

As of August 2016, DigiCert has signed 13 .onion domains from seven different organizations.