ⓘ .onion


ⓘ .onion

.onion is a special-use top level domain suffix designating an anonymous onion service reachable via the Tor network. Such addresses are not actual DNS names, and the.onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with.onion addresses by sending the request through the Tor network.

The purpose of using such a system is to make both the information provider and the person accessing the information more difficult to trace, whether by one another, by an intermediate network host, or by an outsider. Sites that offer dedicated.onion addresses may provide an additional layer of identity assurance via EV HTTPS Certificates, and provision of an HTTP certificate also enables browser features which would otherwise be unavailable to users of.onion sites. Provision of an onion site also helps mitigate SSL stripping attacks by malicious exit nodes on the Tor network upon users who would otherwise access traditional HTTPS clearnet sites over Tor.


1. Format

Addresses in the.onion TLD are generally opaque, non-mnemonic, 16- or 56-character alpha-semi-numerical strings which are automatically generated based on a public key when an onion service is configured. These strings can be made up of any letter of the alphabet, and decimal digits from 2 to 7, representing in base32 either an 80-bit hash "version 2", or 16-character or an ed25519 public key. As a result, all combinations of sixteen base32 characters could potentially be valid version 2 addresses though as the output of a cryptographic hash, a randomly selected string of this form having a corresponding onion service should be extremely unlikely, while only combinations of 56 base32 characters that correctly encoded an ed25519 public key, a checksum, and a version number i.e., 3 are valid version 3 addresses. It is possible to set up a human-readable.onion URL e.g. starting with an organization name by generating massive numbers of key pairs a computational process that can be parallelized until a sufficiently desirable URL is found.

The "onion" name refers to onion routing, the technique used by Tor to achieve a degree of anonymity.


2. WWW to.onion gateways

Proxies into the Tor network like Tor2web allow access to onion services from non-Tor browsers and for search engines that are not Tor-aware. By using a gateway, users give up their own anonymity and trust the gateway to deliver the correct content. Both the gateway and the onion service can fingerprint the browser, and access user IP address data. Some proxies use caching techniques to provide better page-loading than the official Tor Browser.


3.exit defunct pseudo-top-level domain

.exit was a pseudo-top-level domain used by Tor users to indicate on the fly to the Tor software the preferred exit node that should be used while connecting to a service such as a web server, without having to edit the configuration file for Tor torrc.

The syntax used with this domain was hostname +.exitnode +.exit, so that a user wanting to connect to through node tor26 would have to enter the URL.

Example uses for this would include accessing a site available only to addresses of a certain country or checking if a certain node is working.

Users could also type exitnode.exit alone to access the IP address of exitnode.

The.exit notation was deprecated as of version It is disabled by default as of version due to potential application-level attacks, and with the release of 0.3-series Tor as "stable" may now be considered defunct.


4. Official designation

The domain was formerly a pseudo-top-level domain host suffix, similar in concept to such endings as.bitnet and.uucp used in earlier times.

On 9 September 2015 ICANN, IANA and the IETF designated.onion as a special use domain, giving the domain an official status following a proposal from Jacob Appelbaum of the Tor Project and Facebook security engineer Alec Muffett.


5. HTTPS support

Prior to the adoption of CA/Browser Forum Ballot 144, a HTTPS certificate for a.onion name could only be acquired by treating.onion as an Internal Server Name. Per the CA/Browser Forums Baseline Requirements, these certificates could be issued, but were required to expire before 1 November 2015.

Despite these restrictions, DuckDuckGo launched an onion site with a self-signed certificate in July 2013; Facebook obtained the first SSL Onion certificate to be issued by a Certificate authority in October 2014, in December 2014, and The Intercept in April 2015. The New York Times later joined in October 2017.

Following the adoption of CA/Browser Forum Ballot 144 and the designation of the domain as special use in September 2015.onion meets the criteria for RFC 6761. Certificate authorities may issue SSL certificates for HTTPS.onion sites per the process documented in the CA/Browser Forums Baseline Requirements, introduced in Ballot 144.

As of August 2016, 13 onion domains are https signed across 7 different organisations via DigiCert.

  • The potato onion also known as multiplier onion is a variety of the Aggregatum Group of Allium cepa, similar to the shallot, although producing larger
  • Onion skinning is a 2D computer graphics term for a technique used in creating animated cartoons and editing movies to see several frames at once. This
  • Cry, Onion Italian: Cipolla Colt, lit. Onion Colt also known as The Smell of Onion is a 1975 Spaghetti Western comedy film directed by Enzo G. Castellari
  • Glass Onion is a song by the English rock band the Beatles from their 1968 double album The Beatles also known as the White Album The song was
  • Apple Onion is an American - British animated television series created for Cartoon Network by George Gendi, a former storyboard artist on The Amazing
  • French onion dip or California dip is an American dip typically made with a base of sour cream and flavored with minced onion and usually served with
  • March 2007, The Onion launched The Onion News Network, a daily web video broadcast that had been in production since mid - 2006. The Onion invested about
  • Bangalore rose onion locally called gulabi eerulli, is a variety of onion grown in and around Bangalore in Karnataka. It got the Geographical Indication
  • Wild Onion dinners are social gatherings held in the spring by various Native American tribes in Oklahoma, especially southeastern tribes. The meals focus

Users also searched: