|TLD type||Pseudo-domain-style host suffix|
|Status||Not in root, but used by Tor clients, servers, and proxies|
|Intended use||To designate a hidden service reachable via Tor|
|Actual use||Used by Tor users for services in which both the provider and the user are anonymous and difficult to trace|
|Registration restrictions||Addresses are "registered" automatically by Tor client when a hidden service is set up|
|Structure||Names are opaque strings generated from public keys|
|Documents||Tor design document|
.onion is a pseudo-top-level domain host suffix (similar in concept to such endings as .bitnet and .uucp used in earlier times) designating an anonymous hidden service reachable via the Tor network. Such addresses are not actual DNS names, and the .onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as Web browsers can access sites with .onion addresses by sending the request through the network of Tor servers. The purpose of using such a system is to make both the information provider and the person accessing the information more difficult to trace, whether by one another, by an intermediate network host, or by an outsider.
Addresses in the .onion pseudo-TLD are generally opaque, non-mnemonic, 16-character alpha-semi-numeric hashes which are automatically generated based on a public key when a hidden service is configured. These 16-character hashes can be made up of any letter of the alphabet, and decimal digits from 2 to 7, thus representing an 80-bit number in base32. It is possible to set up a human-readable .onion URL (e.g. starting with an organization name) by generating massive numbers of key pairs (a computational process that can be parallelized) until a sufficiently desirable URL is found.
WWW to .onion gateways
Proxies into the Tor network like Tor2web allow access to hidden services from non-Tor browsers and for search engines that are not Tor-aware. By using a gateway, users give up their own anonymity and trust the gateway to deliver the correct content. Both the gateway and the hidden service can fingerprint the browser, and access user IP address data. Some proxies use caching techniques to provide a better page-loading than the official Tor Browser. To use a gateway, replace the domain suffix .onion of any hidden service with, for example, .tor2web.org.
.exit is a pseudo-top-level domain used by Tor users to indicate on the fly to the Tor software the preferred exit node that should be used while connecting to a service such as a web server, without having to edit the configuration file for Tor (torrc).
The syntax used with this domain is hostname + .exitnode + .exit, so that a user wanting to connect to http://www.torproject.org/ through node tor26 would have to enter the URL http://www.torproject.org.tor26.exit.
Example uses for this include accessing a site available only to addresses of a certain country or checking if a certain node is working.
Users can also type exitnode.exit alone to access the IP address of exitnode.
The .exit notation is disabled by default as of version 0.2.2.1-alpha due to potential application-level attacks.
- "Scallion". GitHub. Retrieved 2014-11-02.
- Muffett, Alec (2014-10-31). "Re: Facebook brute forcing hidden services". tor-talk (Mailing list) (Simple End-User Linux). Retrieved 2014-11-02.
- "Onion.cab: Advantages of this TOR2WEB-Proxy". Retrieved 2014-05-21.
- "Tor Browser Bundle". Retrieved 2014-05-21.
- "tor2web.org: visit anonymous websites". Retrieved 2009-09-16.
- "Special Hostnames in Tor". Retrieved 2012-06-30.
- Tor: Hidden Service Configuration Instructions
- Tor Rendezvous Specification
- Article explaining Tor Hidden Services
- Alex Biryukov, Ivan Pustogarov, Ralf-Philipp Weinmann (2013), Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization (PDF), IEEE Symposium on Security and Privacy