Last updated

TLD typeHost suffix
StatusNot in root, but used by Tor clients, servers, and proxies
Registry Tor
Intended useTo designate an onion service reachable via Tor
Actual useUsed by Tor users for services in which both the provider and the user are anonymous and difficult to trace
Registration restrictionsAddresses are "registered" automatically by Tor client when an onion service is set up
StructureNames are opaque strings generated from public keys
Dispute policiesN/A
Registry website www.torproject.org

.onion is a special-use top level domain name designating an anonymous onion service, which was formerly known as a "hidden service", [1] reachable via the Tor network. Such addresses are not actual DNS names, and the .onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with .onion addresses by sending the request through the Tor network.


The purpose of using such a system is to make both the information provider and the person accessing the information more difficult to trace, whether by one another, by an intermediate network host, or by an outsider. Sites that offer dedicated .onion addresses may provide an additional layer of identity assurance via EV HTTPS Certificates [ citation needed ]. Provision of an onion site also helps mitigate SSL stripping attacks by malicious exit nodes on the Tor network upon users who would otherwise access traditional HTTPS clearnet sites over Tor.[ citation needed ]


Addresses in the .onion TLD are generally opaque, non-mnemonic, alpha-numerical strings which are automatically generated based on a public key when an onion service is configured. They are 16 characters long for V2 onion services and 56 characters long for V3 onion services. [2] These strings can be made up of any letter of the alphabet, and decimal digits from 2 to 7, representing in base32 either an 80-bit hash ("version 2", or 16-character) or a 256-bit ed25519 public key along with a version number and a checksum of the key and version number ("version 3", "next gen", or 56-character). As a result, all combinations of sixteen base32 characters could potentially be valid version 2 addresses (though as the output of a cryptographic hash, a randomly selected string of this form having a corresponding onion service should be extremely unlikely), while only combinations of 56 base32 characters that correctly encoded an ed25519 public key, a checksum, and a version number (i.e., 3) are valid version 3 addresses. [3] It is possible to set up a partially human-readable .onion URL (e.g. starting with an organization name) by generating massive numbers of key pairs (a computational process that can be parallelized) until a sufficiently desirable URL is found. [4] [5]

The "onion" name refers to onion routing, the technique used by Tor to achieve a degree of anonymity.

WWW to .onion gateways

Proxies into the Tor network like Tor2web allow access to onion services from non-Tor browsers and for search engines that are not Tor-aware. By using a gateway, users give up their own anonymity and trust the gateway to deliver the correct content. Both the gateway and the onion service can fingerprint the browser, and access user IP address data. Some proxies use caching techniques to provide better page-loading [6] than the official Tor Browser. [7]

.exit (defunct pseudo-top-level domain)

.exit was a pseudo-top-level domain used by Tor users to indicate on the fly to the Tor software the preferred exit node that should be used while connecting to a service such as a web server, without having to edit the configuration file for Tor (torrc).

The syntax used with this domain was hostname + .exitnode + .exit, so that a user wanting to connect to http://www.torproject.org/ through node tor26 would have to enter the URL http://www.torproject.org.tor26.exit.

Example uses for this would include accessing a site available only to addresses of a certain country or checking if a certain node is working.

Users could also type exitnode.exit alone to access the IP address of exitnode.

The .exit notation was deprecated as of version [8] It is disabled by default as of version due to potential application-level attacks, [9] and with the release of 0.3-series Tor as "stable" [10] may now be considered defunct.

Official designation

The domain was formerly a pseudo-top-level domain host suffix, similar in concept to such endings as .bitnet and .uucp used in earlier times.

On 9 September 2015 ICANN, IANA and the IETF designated .onion as a 'special use domain', giving the domain an official status following a proposal from Jacob Appelbaum of the Tor Project and Facebook security engineer Alec Muffett. [11] [12] [13]

HTTPS support

Prior to the adoption of CA/Browser Forum Ballot 144, an HTTPS certificate for a .onion name could only be acquired by treating .onion as an Internal Server Name. [14] Per the CA/Browser Forum's Baseline Requirements, these certificates could be issued, but were required to expire before 1 November 2015. [15]

Despite these restrictions, DuckDuckGo launched an onion site with a self-signed certificate in July 2013; [16] Facebook obtained the first SSL Onion certificate to be issued by a Certificate authority in October 2014, [17] Blockchain.info in December 2014, [18] and The Intercept in April 2015. [19] The New York Times later joined in October 2017. [20]

Following the adoption of CA/Browser Forum Ballot 144 and the designation of the domain as 'special use' in September 2015, .onion meets the criteria for RFC 6761. [21] Certificate authorities may issue SSL certificates for HTTPS .onion sites per the process documented in the CA/Browser Forum's Baseline Requirements, [22] introduced in Ballot 144. [14]

As of August 2016, 13 onion domains are https signed across 7 different organisations via DigiCert. [23]

See also

Related Research Articles

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

Proxy server Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.

Public key certificate Electronic document used to prove the ownership of a public key

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is transmitted through a series of network nodes called onion routers, each of which "peels" away from a single layer, uncovering the data's next destination. When the final layer is decrypted, the message arrives at its destination. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes. While onion routing provides a high level of security and anonymity, there are methods to break the anonymity of this technique, such as timing analysis.

Comodo Security Solutions, Inc. is a cybersecurity company headquartered in Clifton, New Jersey in the United States.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.

An Extended Validation Certificate (EV) is a certificate conforming to X.509 that proves the legal entity of the owner and is signed by a certificate authority key that can issue EV certificates. EV certificates can be used in the same manner as any other X.509 certificates, including securing web communications with HTTPS and signing software and documents. Unlike domain-validated certificates and organization-validation certificates, EV certificates can be issued only by a subset of certificate authorities (CAs) and require verification of the requesting entity's legal identity before certificate issuance.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested.

Tor (network) Free and open-source anonymity network based on onion routing

Tor is free and open-source software for enabling anonymous communication. It directs Internet traffic through a free, worldwide, volunteer overlay network, consisting of more than seven thousand relays, for concealing a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace the Internet activity to the user. Tor's intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities unmonitored.

The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications. Its guidelines cover certificates used for the SSL/TLS protocol and code signing, as well as system and network security of certificate authorities.

Internet censorship circumvention is the use of various methods and tools to bypass internet censorship.

Alec Muffett Software engineer, security expert

Alec David Edward Muffett is an Anglo-American internet-security evangelist, architect, and software engineer. He is principally known for his work on Crack, the original Unix password cracker, and for the CrackLib password-integrity testing library; he is also active in the open-source software community.

Tor2web HTTP proxy for Tor hidden services

Tor2web is a software project to allow Tor hidden services to be accessed from a standard browser without being connected to the Tor network. It was created by Aaron Swartz and Virgil Griffith.

ProtonMail end-to-end encrypted email service

ProtonMail is an end-to-end encrypted email service founded in 2013 in Geneva, Switzerland by scientists who spent time at the CERN research facility. ProtonMail uses client-side encryption to protect email content and user data before they are sent to ProtonMail servers, unlike other common email providers such as Gmail and Outlook.com. The service can be accessed through a webmail client, the Tor network, or dedicated iOS and Android apps.

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.

.tor is a pseudo-top-level domain host suffix implemented by the OnioNS project, which aims to add DNS infrastructure to the Tor network enabling the selection of meaningful and globally-unique domain name for hidden services, which users can then reference from the Tor Browser.

The Facebook onion address located at facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion, is a site that allows access to Facebook through the Tor protocol, using its .onion top-level domain.


SIGAINT was a Tor hidden service offering secure email services. According to its FAQ page, its web interface used SquirrelMail which does not rely on JavaScript. Passwords couldn't be recovered. Users received two addresses per inbox: one at sigaint.org for receiving clearnet emails and the other at its .onion address only for receiving emails sent from other Tor-enabled email services. Free accounts had 50 MB of storage space and expired after one year of inactivity. Upgraded accounts had access to POP3, IMAP, SMTP, larger size limits, full disk encryption, and never expired.

A wireless onion router is a router that uses Tor to connect securely to a network. The onion router allows the user to connect to the internet anonymously creating an anonymous connection. Tor works using an overlaid network which is free throughout the world, this overlay network is created by using numerous relay points created using volunteer which helps the user hide personal information behind layers of encrypted data like layers of an onion. Routers are being created using Raspberry Pi adding a wireless module or using its own inbuilt wireless module in the later versions.


  1. Winter, Philipp. "How Do Tor Users Interact With Onion Services?" (PDF). Retrieved 27 December 2018.
  2. "Intro to Next Gen Onion Services (aka prop224)". The Tor Project. Retrieved 5 May 2018.
  3. "Encoding onion addresses [ONIONADDRESS]". gitweb.torproject.org. Retrieved 8 February 2021.
  4. "Scallion". GitHub. Retrieved 2 November 2014.
  5. Muffett, Alec (31 October 2014). "Re: Facebook brute forcing hidden services". tor-talk (Mailing list). Simple End-User Linux. Retrieved 2 November 2014.
  6. "Onion.cab: Advantages of this TOR2WEB-Proxy". Archived from the original on 21 May 2014. Retrieved 21 May 2014.
  7. "Tor Browser Bundle" . Retrieved 21 May 2014.
  8. "Tor Release Notes" . Retrieved 4 October 2017.
  9. "Special Hostnames in Tor" . Retrieved 30 June 2012.
  10. "Tor is released: We have a new stable series!". The Tor Project. Retrieved 7 May 2018.
  11. Nathan Willis (10 September 2015). "Tor's .onion domain approved by IETF/IANA". LWN.net.
  12. Franceschi-Bicchierai, Lorenzo (10 September 2015). "Internet Regulators Just Legitimized The Dark Web" . Retrieved 10 September 2015.
  13. "Special-Use Domain Names" . Retrieved 10 September 2015.
  14. 1 2 "CA/Browser Forum Ballot 144 - Validation rules for .onion names" . Retrieved 13 September 2015.
  15. "Baseline Requirements for the Issuance and Management Publicly-Trusted Certificates, v1.0" (PDF). Retrieved 13 September 2015.
  16. _zekiel (1 July 2013). "We've updated our Tor hidden service to work over SSL. No solution for the cert. warning, yet!". Reddit. Retrieved 20 December 2016.
  17. Muffett, Alec (31 October 2014). "Making Connections to Facebook more Secure" . Retrieved 11 September 2015.
  18. Alyson (3 December 2014). "Improved Security for Tor Users" . Retrieved 11 September 2015.
  19. Lee, Micah (8 April 2015). "Our SecureDrop System for Leaks Now Uses HTTPS" . Retrieved 10 September 2015.
  20. Sandvik, Runa (27 October 2017). "The New York Times is Now Available as a Tor Onion Service". The New York Times . Retrieved 17 November 2017.
  21. Arkko, Jari (10 September 2015). ".onion" . Retrieved 13 September 2015.
  22. "Baseline Requirements Documents" . Retrieved 13 September 2015.
  23. Jamie Lewis, Sarah (7 August 2016). "OnionScan Report: July 2016 - HTTPS Somewhere Sometimes" . Retrieved 15 August 2016.