Tor security improves as .onion becomes a special-use domain name
The .onion domain has been officially designated by the Internet Assigned Numbers Authority (IANA) as a special-use domain name. The move, initiated by the Internet Engineering Task Force (IETF), is meant to make the use of Tor safer.
According to the draft of a standard proposed by Jacob Appelbaum on behalf of The Tor Project and Facebook’s Alec Muffet, the .onion domain should be recognized by users “as having different security properties, and also as being only available through software that is aware of onion names.”
DNS registries/registrars should not register .onion domains, and DNS server operators should not configure an an authoritative DNS server to answer queries for .onion. Applications that implement the Tor protocol should recognize .onion names as special by either accessing them directly, or using a proxy. Caching DNS servers and authoritative DNS servers should return NXDOMAIN (Non-Existent Domain) for all such queries for records for .onion names.
All these changes are geared towards keeping queries for .onion domains away from public DNS servers (and their logs), as such requests could be ultimately be used to uncloak the identity of Tor users.
“In effect, ‘.onion’ will be treated in the same way .local, .localhost, and .example have been dealt with previously—that is, outside the global Domain Name System (DNS). Adding .onion to the Special-Use Domain Names registry will also enable hosts on the Tor network to obtain validated SSL certificates,” Jari Arkko, IETF Chair, explained in a blog post.
SSL certificates should help owners assert and protect the ownership of their .onion sites, and add another level of protection for users.
The Tor anonymity network makes it more difficult for Internet activity to be traced back to the user by filtering their encrypted requests through a network of relays to either hidden services (.onion sites) or the Internet. Hidden services can be reached only through Tor.