The .onion domain gets official recognition, and a chance to be more secure.
The so-called dark web is often mistakenly believed to be just an unsanctioned space of the internet that hosts dingy, illegal websites. But in reality, it's home to websites such as Facebook, and countless whistleblower platforms hosted on the privacy-protecting and anonymizing Tor network.
On Wednesday, thanks to newly announced decisions by internet regulators, these sites are getting some official recognition, and will be able to more easily offer better security to their users.
The Internet Assigned Numbers Authority (IANA)—a department within the organization that oversees the domains of the internet known as the Internet Corporation for Assigned Names and Numbers (ICANN)—along with the Internet Engineering Task Force (IETF), designated the .onion domain, used for sites hosted on the Tor network, as a "Special Use Domain," giving it an official status that it previously lacked.
With this change, the IETF and IANA "recognize that there are legitimate reasons to use the Tor anonymity network and its hidden services," Runa Sandvik, a security researcher who has worked with the Tor Project in the past, told Motherboard in an email.
This also means that from now on, the .onion domain can only be used within the Tor network. Nobody can claim that domain on the regular internet. And, more importantly, this opens up the possibility for administrators of .onion sites to get security certificates and enable encryption on their sites.
"This enables the Tor .onion ecosystem to benefit from the same level of security you can get in the rest of the web," Richard Barnes, the Firefox Security Lead at Mozilla, told Motherboard in a phone call. "It adds a layer of security on top."
This won't just enhance the privacy protections of .onion sites, but also ensure that those sites really belong to whoever they claim to belong to, since SSL and TLS certificates are also an assurance of ownership.
Before Wednesday, there was no official, sanctioned way to get a certificate to enable TLS encryption on an .onion site. A few sites, such as Facebook's deep web site, or The Intercept's anonymous submission portal, had already obtained such certificates, but through an exception, Barnes explained.
For Jacob Appelbaum, a security researcher who proposed this change to the IETF along with Facebook security engineer Alec Muffett, this is good news for internet users.
It means that the IETF is "starting to take privacy seriously," and "working towards privacy by design," he told Motherboard in an encrypted chat.