Girish Mahajan (Editor)


Updated on
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit
Introduced  2004
Registry  Tor
TLD type  Host suffix
.onion KickassTorrents Enters The Dark Web Gets TOR39s Official Onion URL

Status  Not in root, but used by Tor clients, servers, and proxies
Intended use  To designate a hidden service reachable via Tor
Actual use  Used by Tor users for services in which both the provider and the user are anonymous and difficult to trace


.onion is a special-use top level domain suffix designating an anonymous hidden service reachable via the Tor network. Such addresses are not actual DNS names, and the .onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with .onion addresses by sending the request through the network of Tor servers. The purpose of using such a system is to make both the information provider and the person accessing the information more difficult to trace, whether by one another, by an intermediate network host, or by an outsider.


.onion url17jpg


Addresses in the .onion TLD are generally opaque, non-mnemonic, 16-character alpha-semi-numeric hashes which are automatically generated based on a public key when a hidden service is configured. These 16-character hashes can be made up of any letter of the alphabet, and decimal digits from 2 to 7, thus representing an 80-bit number in base32. It is possible to set up a human-readable .onion URL (e.g. starting with an organization name) by generating massive numbers of key pairs (a computational process that can be parallelized) until a sufficiently desirable URL is found.

The "onion" name refers to onion routing, the technique used by Tor to achieve a degree of anonymity.

WWW to .onion gateways

.onion This Onion Farmer Is Squatting on 40 Million Dark Web Domains

Proxies into the Tor network like Tor2web allow access to hidden services from non-Tor browsers and for search engines that are not Tor-aware. By using a gateway, users give up their own anonymity and trust the gateway to deliver the correct content. Both the gateway and the hidden service can fingerprint the browser, and access user IP address data. Some proxies use caching techniques to provide better page-loading than the official Tor Browser.


.onion wwwthehiddenwikinetwpcontentuploads201305i

.exit is a pseudo-top-level domain used by Tor users to indicate on the fly to the Tor software the preferred exit node that should be used while connecting to a service such as a web server, without having to edit the configuration file for Tor (torrc).

The syntax used with this domain is hostname + .exitnode + .exit, so that a user wanting to connect to through node tor26 would have to enter the URL

Example uses for this include accessing a site available only to addresses of a certain country or checking if a certain node is working.

Users can also type exitnode.exit alone to access the IP address of exitnode.

The .exit notation is disabled by default as of version due to potential application-level attacks.

Official designation

The domain used to be pseudo-top-level domain host suffix, similar in concept to such endings as .bitnet and .uucp used in earlier times.

On 9 September 2015 ICANN, IANA and the IETF designated .onion as a 'special use domain', giving the domain an official status following a proposal from Jacob Appelbaum of the Tor Project and Facebook security engineer Alec Muffett.

HTTPS support

SSL stripping attacks from malicious exit nodes on the Tor network are a risk to users accessing traditional HTTPS clearnet sites. Sites offering dedicated .onion addresses can provide an additional layer of identity assurance via certificates, though the encryption itself is redundant, given Tor's native encryption features.

Prior to the adoption of CA/Browser Forum Ballot 144, a HTTPS certificate for a .onion name could only be acquired by treating .onion as an Internal Server Name. Per the CA/Browser Forum's Baseline Requirements, these certificates could be issued, but were required to expire before 1 November 2015. Despite these restrictions, four organizations went ahead with certificate authority partnerships to do so; these were DuckDuckGo in July 2013, Facebook in October 2014, in December 2014, and The Intercept in April 2015.

Following the adoption of CA/Browser Forum Ballot 144 and the designation of the domain as 'special use' in September 2015, .onion meets the criteria for RFC 6761. Certificate authorities may issue SSL certificates for HTTPS .onion sites per the process documented in the CA/Browser Forum's Baseline Requirements, introduced in Ballot 144.

As of August 2016, 13 onion domains are https signed across 7 different organisations via DigiCert.


.onion Wikipedia