.Onion Officially Recognized as Special-Use Domain

September 11, 2015 Jeremy Rowley

Good news for .onion sites: The .onion domain is now recognized as a special-use, top-level domain by the Internet Engineering Steering Group, thanks to efforts by Facebook and The Tor Project.

This means that publicly trusted SSL Certificates can continue to be issued for .onion domains following the deprecation of internal names, which is happening later this year. Additionally, this means Tor website operators can authenticate themselves to users by using publicly trusted SSL Certificates. These certificates are essential to help combat phishing and MITM attacks for Tor users.

What Led to This Point

For the .onion address to be an accepted special-use, top-level domain, an RFC by the Internet Engineering Task Force (IETF) had to be approved: Draft RFC for .onion name. In addition, .onion had to be recognized by Internet Assigned Numbers Authority (IANA) on the official list as a special-use domain.

In November 2014, DigiCert issued an Internal Name Certificate to Facebook’s .onion address, which enabled users to browse Facebook anonymously through the Tor browser. And up until now, .onion was considered an internal name, but internal names are being deprecated later this year. If .onion was not recognized as a top-level domain before November 1, 2015, the certificates would have had a maximum validity period through October 31, 2015, and would then need to be revoked.

What This Means for the Future of Tor Security

The IETF and IANA approvals ensure that SSL Certificates can continue to be issued to .onion names in accordance with the CA/B Forum .onion vetting guidelines.

The CA/B Forum guidelines for vetting .onion names, outlined in Ballot 144—Validation Rules For .Onion Names, are the same. EV SSL Certificates are still required with a special use-case that allows wildcard names in an EV Certificate.

Previous Article
How Mixed Content Compromises Security
How Mixed Content Compromises Security

Mixed content compromises a website's security.

Next Article
Major Browsers Announce RC4 Deprecation in Early 2016
Major Browsers Announce RC4 Deprecation in Early 2016

Admins should take action if RC4 is part of current server configurations.