.onion is a special-use top level domain name designating an anonymous onion service, which was formerly known as a "hidden service", reachable via the Tor network. Such addresses are not actual DNS names, and the .onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with .onion addresses by sending the request through the Tor network.
The purpose of using such a system is to make both the information provider and the person accessing the information more difficult to trace, whether by one another, by an intermediate network host, or by an outsider. Sites that offer dedicated .onion addresses may provide an additional layer of identity assurance via EV HTTPS Certificates. Provision of an onion site also helps mitigate SSL stripping attacks by malicious exit nodes on the Tor network upon users who would otherwise access traditional HTTPS clearnet sites over Tor.
Addresses in the .onion TLD are generally opaque, non-mnemonic, alpha-semi-numerical strings which are automatically generated based on a public key when an onion service is configured. They are 16 characters long for V2 onion services and 56 characters long for V3 onion services. These strings can be made up of any letter of the alphabet, and decimal digits from 2 to 7, representing in base32 either an 80-bit hash ("version 2", or 16-character) or a 256-bit ed25519 public key along with a version number and a checksum of the key and version number ("version 3", "next gen", or 56-character). As a result, all combinations of sixteen base32 characters could potentially be valid version 2 addresses (though as the output of a cryptographic hash, a randomly selected string of this form having a corresponding onion service should be extremely unlikely), while only combinations of 56 base32 characters that correctly encode an ed25519 public key, a checksum, and a version number (i.e., 3) are valid version 3 addresses.
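As an added illustration (not part of the original article), the following Python code builds and validates addresses in the two formats described above. The two-byte checksum construction, SHA3-256 over the fixed string ".onion checksum", the key and the version byte, follows the Tor v3 onion-service specification rather than anything stated on this page; the 32-byte key used is constructed sample data, not a real ed25519 key.

```python
import base64
import hashlib
import re

VERSION = b"\x03"                 # v3 version byte
PREFIX = b".onion checksum"       # fixed prefix from the Tor v3 spec (assumption: not on this page)
B32_RE = re.compile(r"^[a-z2-7]+$")  # base32 alphabet used by .onion: a-z and 2-7


def v3_checksum(pubkey: bytes) -> bytes:
    """checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]"""
    return hashlib.sha3_256(PREFIX + pubkey + VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a 56-character v3 address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + VERSION        # 32 + 2 + 1 = 35 bytes
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify(address: str):
    """Return ("v2", hash_bytes), ("v3", pubkey_bytes) or (None, reason)."""
    name = address.lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if not B32_RE.match(name):
        return None, "not base32 (a-z, 2-7)"
    if len(name) == 16:
        # v2: 80-bit truncated hash, no checksum or version to verify
        return "v2", base64.b32decode(name, casefold=True)
    if len(name) != 56:
        return None, "length must be 16 (v2) or 56 (v3)"
    raw = base64.b32decode(name, casefold=True)          # 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        return None, "version byte is not 3"
    if checksum != v3_checksum(pubkey):
        return None, "checksum mismatch"
    return "v3", pubkey


if __name__ == "__main__":
    sample_key = bytes(range(32))                        # constructed, not a real key
    addr = encode_v3(sample_key)
    print(addr, classify(addr)[0])
```

Note that `classify` only checks the encoding, checksum and version byte; it does not verify that the 32 bytes are a valid ed25519 curve point or that any service actually exists at the address.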
It is possible to set up a partially human-readable .onion URL (e.g. starting with an organization name) by generating massive numbers of key pairs (a computational process that can be parallelized) until a sufficiently desirable URL is found.
The "onion" name refers to onion routing, the technique used by Tor to achieve a degree of anonymity.
WWW to .onion gateways
Proxies into the Tor network like Tor2web allow access to onion services from non-Tor browsers and for search engines that are not Tor-aware. By using a gateway, users give up their own anonymity and trust the gateway to deliver the correct content. Both the gateway and the onion service can fingerprint the browser, and access user IP address data. Some proxies use caching techniques to provide better page-loading than the official Tor Browser.
.exit (defunct pseudo-top-level domain)
.exit was a pseudo-top-level domain used by Tor users to indicate on the fly to the Tor software the preferred exit node that should be used while connecting to a service such as a web server, without having to edit the configuration file for Tor (''torrc'').
The syntax used with this domain was ''hostname'' + ''.exitnode'' + ''.exit'', so that a user wanting to connect to http://www.torproject.org/ through node ''tor26'' would have to enter the URL ''http://www.torproject.org.tor26.exit''.
Example uses for this would include accessing a site available only to addresses of a certain country or checking if a certain node is working.
Users could also type ''exitnode.exit'' alone to access the IP address of ''exitnode''.
The .exit notation was deprecated as of version 0.2.9.8. It is disabled by default as of version 0.2.2.1-alpha due to potential application-level attacks, and with the release of 0.3-series Tor as "stable" may now be considered defunct.
The domain was formerly a pseudo-top-level domain host suffix, similar in concept to such endings as .bitnet used in earlier times.
On 9 September 2015 ICANN and the IETF designated .onion as a 'special use domain', giving the domain an official status following a proposal from Jacob Appelbaum of the Tor Project and Facebook security engineer Alec Muffett.
Prior to the adoption of CA/Browser Forum Ballot 144, an HTTPS certificate for a .onion name could only be acquired by treating .onion as an Internal Server Name. Per the CA/Browser Forum's Baseline Requirements, these certificates could be issued, but were required to expire before 1 November 2015.
Despite these restrictions, DuckDuckGo launched an onion site with a self-signed certificate in July 2013; Facebook obtained the first SSL Onion certificate to be issued by a Certificate authority in October 2014, Blockchain.info in December 2014, and The Intercept in April 2015. ''The New York Times'' later joined in October 2017.
Following the adoption of CA/Browser Forum Ballot 144 and the designation of the domain as 'special use' in September 2015, .onion meets the criteria for RFC 6761. Certificate authorities may issue SSL certificates for HTTPS .onion sites per the process documented in the CA/Browser Forum's Baseline Requirements, introduced in Ballot 144. As of August 2016, 13 onion domains are HTTPS-signed across 7 different organisations via DigiCert.
See also
* Dark web
* List of Tor onion services
* Onion routing