.exit

.onion is a special-use top-level domain name designating an anonymous onion service, which was formerly known as a "hidden service", reachable via the Tor network. Such addresses are not actual DNS names, and the .onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with .onion addresses by sending the request through the Tor network. The purpose of using such a system is to make both the information provider and the person accessing the information more difficult to trace, whether by one another, by an intermediate network host, or by an outsider. Sites that offer dedicated .onion addresses may provide an additional layer of identity assurance via EV HTTPS certificates. Provision of an onion site also helps mitigate SSL stripping attacks by malicious exit nodes on the Tor network upon users who would otherwise access traditional HTTPS clearnet sites over Tor.


Format

Addresses in the onion TLD are generally opaque, non-mnemonic, alpha-numerical strings which are automatically generated based on a public key when an onion service is configured. They are 16 characters long for V2 onion services and 56 characters long for V3 onion services. These strings can be made up of any letter of the alphabet, and decimal digits from 2 to 7, representing in base32 either an 80-bit hash ("version 2", or 16-character) or a 256-bit ed25519 public key along with a version number and a checksum of the key and version number ("version 3", "next gen", or 56-character). As a result, all combinations of sixteen base32 characters could potentially be valid version 2 addresses (though as the output of a cryptographic hash, a randomly selected string of this form having a corresponding onion service should be extremely unlikely), while only combinations of 56 base32 characters that correctly encode an ed25519 public key, a checksum, and a version number (i.e., 3) are valid version 3 addresses. It is possible to set up a partially human-readable .onion URL (e.g. starting with an organization name) by generating massive numbers of key pairs (a computational process that can be parallelized) until a sufficiently desirable URL is found. The "onion" name refers to onion routing, the technique used by Tor to achieve a degree of anonymity.
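An added example (not part of the original article): a validator for the two address formats described above, useful for rejecting malformed or mistyped .onion names in logs or user input. The checksum construction, the first 2 bytes of SHA3-256 over ".onion checksum" || public key || version, is taken from Tor's rendezvous specification v3 rather than from this page; the sample key is constructed, and the code does not check that the 32 bytes are a valid ed25519 curve point.

```python
import base64
import hashlib

V2_LEN, V3_LEN = 16, 56
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def _checksum(pubkey: bytes, version: bytes) -> bytes:
    # From Tor's rend-spec-v3 (an assumption relative to this page):
    # first 2 bytes of SHA3-256(".onion checksum" || pubkey || version).
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    version = b"\x03"
    raw = pubkey + _checksum(pubkey, version) + version  # 35 bytes
    return base64.b32encode(raw).decode().lower() + ".onion"


def classify_onion(host: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a hostname."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].split(".")[-1]  # ignore subdomains
    if not label or set(label) - B32_ALPHABET:
        return "invalid"
    if len(label) == V2_LEN:
        return "v2"  # 80-bit hash: no internal structure to verify
    if len(label) != V3_LEN:
        return "invalid"
    raw = base64.b32decode(label.upper())  # 56 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03" or checksum != _checksum(pubkey, version):
        return "invalid"
    return "v3"


# Constructed sample key (arbitrary bytes, not a real service's key).
SAMPLE_KEY = bytes(range(32))
SAMPLE_ADDR = encode_v3(SAMPLE_KEY)
```

Because the version byte occupies the final bits of the encoding, every valid v3 label ends in the character "d", which is a quick sanity check before running the full checksum.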


WWW to .onion gateways

Proxies into the Tor network like Tor2web allow access to onion services from non-Tor browsers and for search engines that are not Tor-aware. By using a gateway, users give up their own anonymity and trust the gateway to deliver the correct content. Both the gateway and the onion service can fingerprint the browser, and access user IP address data. Some proxies use caching techniques to provide better page-loading than the official Tor Browser.


.exit (defunct pseudo-top-level domain)

.exit was a pseudo-top-level domain used by Tor users to indicate on the fly to the Tor software the preferred exit node that should be used while connecting to a service such as a web server, without having to edit the configuration file for Tor (torrc). The syntax used with this domain was hostname + .exitnode + .exit, so that a user wanting to connect to http://www.torproject.org/ through node tor26 would have to enter the URL http://www.torproject.org.tor26.exit. Example uses for this would include accessing a site available only to addresses of a certain country or checking if a certain node is working. Users could also type exitnode.exit alone to access the IP address of exitnode. The .exit notation was deprecated as of version 0.2.9.8. It is disabled by default as of version 0.2.2.1-alpha due to potential application-level attacks, and with the release of 0.3-series Tor as "stable" may now be considered defunct.


Official designation

The domain was formerly a pseudo-top-level domain host suffix, similar in concept to such endings as .bitnet and .uucp used in earlier times. On 9 September 2015 ICANN, IANA and the IETF designated .onion as a 'special use domain', giving the domain an official status following a proposal from Jacob Appelbaum of the Tor Project and Facebook security engineer Alec Muffett.


HTTPS support

Prior to the adoption of CA/Browser Forum Ballot 144, an HTTPS certificate for a .onion name could only be acquired by treating .onion as an Internal Server Name. Per the CA/Browser Forum's Baseline Requirements, these certificates could be issued, but were required to expire before 1 November 2015. Despite these restrictions, DuckDuckGo launched an onion site with a self-signed certificate in July 2013; Facebook obtained the first SSL Onion certificate to be issued by a certificate authority in October 2014, Blockchain.info in December 2014, and The Intercept in April 2015. The New York Times later joined in October 2017. Following the adoption of CA/Browser Forum Ballot 144 and the designation of the domain as 'special use' in September 2015, .onion meets the criteria for RFC 6761. Certificate authorities may issue SSL certificates for HTTPS .onion sites per the process documented in the CA/Browser Forum's Baseline Requirements, introduced in Ballot 144. As of August 2016, 13 onion domains are HTTPS signed across 7 different organisations via DigiCert.


See also

* .tor
* .i2p
* .bit
* Darknet
* Dark web
* GlobaLeaks
* List of Tor onion services
* Onion routing

