.Onion Officially Recognized as Special-Use Domain

Good news for .onion sites: The .onion domain is now recognized as a special-use, top-level domain by the Internet Engineering Steering Group, thanks to efforts by Facebook and The Tor Project.

This means that publicly trusted SSL Certificates can continue to be issued for .onion domains following the deprecation of internal names, which is happening later this year. Additionally, this means Tor website operators can authenticate themselves to users by using publicly trusted SSL Certificates. These certificates are essential to help combat phishing and MITM attacks for Tor users.

What Led to This Point

For the .onion address to be an accepted special-use, top-level domain, an RFC by the Internet Engineering Task Force (IETF) had to be approved: Draft RFC for .onion name. In addition, .onion had to be recognized by Internet Assigned Numbers Authority (IANA) on the official list as a special-use domain.

In November 2014, DigiCert issued an Internal Name Certificate to Facebook’s .onion address, which enabled users to browse Facebook anonymously through the Tor browser. And up until now, .onion was considered an internal name, but internal names are being deprecated later this year. If .onion was not recognized as a top-level domain before November 1, 2015, the certificates would have had a maximum validity period through October 31, 2015, and would then need to be revoked.

What This Means for the Future of Tor Security

The IETF and IANA approvals ensure that SSL Certificates can continue to be issued to .onion names in accordance with the CA/B Forum .onion vetting guidelines.

The CA/B Forum guidelines for vetting .onion names, outlined in Ballot 144—Validation Rules For .Onion Names, are the same. EV SSL Certificates are still required with a special use-case that allows wildcard names in an EV Certificate.

Posted in Browser, Encryption, News

6 thoughts on “.Onion Officially Recognized as Special-Use Domain

  1. It’s estimated that there are over 22 million photos and videos of child pornography hosted on Tor servers. Additionally, thousands of Tor users have been arrested for child sex trafficking and abuse. The Tor project is in serious denial that this kind of behavior is happening within the deep/dark web space, but the numbers from the criminal justice system simply don’t lie. Tor and .onion domains have many benefits in terms of privacy and security, however they can be easily used for the wrong reasons as well. With this new announcement that Tor website operators can authenticate themselves using publicly trust SSL Certificates, has DigiCert taken any steps towards ensuring these .onion domains are not being secured for nefarious purposes such as child pornography and human trafficking?

    1. DigiCert has specific policies and procedures in place that prohibit our certificates from being used for unlawful purposes, such as those that you’ve described, and as noted in our “Certificate Policy” and “Certificate Practices Statement” documents. In addition to issuing only EV SSL Certificates for .onion sites, which requires a more stringent validation process for organizations as set forth for EV Certificates by the CA/Browser Forum, we also make available easy reporting of any activity that concerned parties have about any site to which we have issued an EV SSL Certificate that they believe violates our policies, as found here: https://www.digicert.com/ev-ssl-revocation.htm. Thank you.

    2. Firstly, child pornography and sex trafficking happen just as much offline as they do in places like Tor. They also have clearnet sites, shall we just nuke the entire internet then? There’s no way for DigiCert to verify anything more with .onion domains than they would with normal domains and it’s not their job. We already have laws to deal with these people.

      Further, securing the .onion domain with an SSL certificate means absolutely nothing aside from the EV portion (verifying the company applying for the cert is a legitimately registered business). Tor is already encrypted, and .onion domains can be created in seconds with the built in Tor software. The certificates in this case are only there to assure people that the .onion site they’re visiting are associated with a business. It doesn’t control how they operate, it doesn’t add any more security, it doesn’t really do much at all.

Comments are closed.