The Internet

.Onion Gets a Boost From IETF, IANA: Now It's a Special-Use Domain

An anonymous reader writes: As tweeted by Jacob Appelbaum, the Internet Assigned Numbers Authority today listed .onion as a special-use domain, and the IETF approved a Draft RFC for the domain describing its intended uses. As described on the Facebook Over Tor page, "Jointly, these actions enable '.onion' as special-use, top-level domain name for which SSL certificates may be issued in accordance with the Certificate-Authority & Browser Forum 'Ballot 144' — which was passed in February this year. ... Together, this assures the validity and future availability of SSL certificates in order to assert and protect the ownership of Onion sites throughout the whole of the Tor network."
  • by Ecuador ( 740021 ) on Thursday September 10, 2015 @06:46AM (#50493433) Homepage

    Holy crap, I haven't read TFA of course, but does this mean they have devoted a top-level domain to parody news?

    • by Anonymous Coward

      Nah, that would be called .slashdot.

    • In recent elections here in the US, we've been reading of studies showing that the voters who are most knowledgeable about the candidates and the issues are those who follow various satirical news sites. The Daily Show, the Colbert Report, the Onion, and even Wait Wait Don't Tell Me have been named as being highly correlated with informedness. So yes, it makes at least minimal sense to have a satire/parody/humor top-level domain.

      Of course, Poe's Law applies even here, and we'll continue to see ar

  • by iTrawl ( 4142459 ) on Thursday September 10, 2015 @06:59AM (#50493489)

    Having the host of the .onion be verified in the real world, while keeping their users anonymous is a good thing. You really don't need to know _where_ in the world I am or what my IP address is when I come to your website. You might even be able to track my persona as usual, and serve me "relevant" ads as usual, but with no clue as to who I am or where I come from (unless I tell you), and that's fine too, while I can regenerate my persona (erase cookies and the like) at any point and start over.

    What about Terry Wrist? You should get better at infiltration. Thinking everybody might be Terry Wrist and tapping them accordingly is just lazy, and the real Terry Wrist might still get away because you didn't look in the right place.

    • The .onion domain is more geared towards websites run as hidden services so they cannot be identified. If you already use TOR, you can browse regular or hidden service websites anonymously already. The .onion domain protects the hidden service websites from being discovered. For example, SilkRoad ran as a hidden service which made it harder to trace who ran it (but it was eventually discovered by other social engineering means).

      That makes SSL for .onion useless. SSL is for authenticating the operator's ident

      • I would have thought that X.509 Certificates issued by the conventional Certificate Authorities for ".onion" sites would be worse than useless as they'd violate the anonymity of the site.

      • Comment removed based on user account deletion
      • by iTrawl ( 4142459 )

        I'm not talking about SilkRoad and MurderMeForCash or whatever, but for real world legal sites. Dread Pirate Roberts would never apply for an SSL ('cause that would be stupid) but legit sites that would like to serve the extremely paranoid too, would. The security of the connection is not the main purpose of that cert (Tor already takes care of that), but the confirmation of the identity of the site. fakebootrandomletters.onion would be unable to validate their identity as Facebook, so I don't get phished t

      • by allo ( 1728082 )

        You want to identify a domain with a server (not the other way round without the domain information first). SSL does that. You do not want to identify a server with a real IP (Tor does this).

        And Tor even prevents correlating two domains at the same server.

      • That makes SSL for .onion useless. SSL is for authenticating the operator's identity of the website. Why would a website simultaneously choose to be identified and not identified at the same time? That's an oxymoron.

        Well, technically, they do not really need to verify the ownership of a .onion address, as the only person who can run a service on that particular .onion address would be someone who has the corresponding private key. So a CA can blindly generate a certificate for that .onion address, just to ensure that contents offered from that particular site are not modified in transit. (It indeed has very limited use cases, considering Tor already encrypts and is relatively harder to play MITM over the hidden service.) Perhaps SSL

  • Last time I checked, the reason you had an SSL certificate issued (as opposed to just generating a private one) was to validate the identity of the website. Services that run on .onion domains do so to remain anonymous.

    One can already access "normal" websites through the Tor network, so I am really not sure what the point of all this is. I guess I would assume that if a site operator purchases a ".onion" certificate from a Certificate Authority, they do not understand the reasons for the security model. I

    • SSL certs do multiple things - protecting your connection, but also demonstrating that you've connected to the destination you thought you did. That destination might be a well-known brand name, or it might be some random person, or it might be some website you don't care who's running it - but you might want to know that the "buy-drugs-here.onion" you're connecting to today is the same "buy-drugs-here.onion" you connected to yesterday. A self-signed cert doesn't always give you that.

      • by allo ( 1728082 )

        The .onion domain does guarantee this just as a certificate, because it's just a fingerprint of a key. (A certificate is a signature of the fingerprint plus identity information like a domain name.)
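
The "fingerprint of a key" point raised in the thread, as an added example that is not part of any comment above: for the hidden-service format in use when this thread was written (v2), the 16-character label is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key. The key byte strings below are constructed stand-ins rather than real DER keys, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for DER-encoded RSA public keys (not real keys).
SERVICE_KEY = b"constructed-stand-in-for-the-real-service-public-key"
IMPOSTOR_KEY = b"constructed-stand-in-for-an-impostor-public-key"


def onion_v2_address(public_key_der: bytes) -> str:
    """Derive the v2 .onion name: base32(first 10 bytes of SHA-1(key))."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def key_matches_address(address: str, public_key_der: bytes) -> bool:
    """Check that a presented public key is the one the address commits to."""
    name = address.strip().lower()
    if not name.endswith(".onion"):
        return False
    # Only the label directly left of ".onion" carries the fingerprint;
    # any subdomain labels in front of it are ignored.
    label = name[: -len(".onion")].split(".")[-1]
    if len(label) != 16:
        return False
    try:
        claimed = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    expected = hashlib.sha1(public_key_der).digest()[:10]
    return hmac.compare_digest(claimed, expected)


if __name__ == "__main__":
    addr = onion_v2_address(SERVICE_KEY)
    print(addr)
    print("real key matches:    ", key_matches_address(addr, SERVICE_KEY))
    print("impostor key matches:", key_matches_address(addr, IMPOSTOR_KEY))
```

The name binds a connection to a key, not to an organization, which is the gap the CA-issued certificates discussed in the thread are meant to fill.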
