Facebook helps Tor project get official recognition for .onion hidden sites
With the efforts from Facebook and the Tor project, it should become easier to browse securely via SSL on the so-called Darknet.
By Ian Paul
PCWorldOct 29, 2015 8:01 am PDT
The dark web got just a little bit brighter thanks to the efforts of Facebook and the Tor project. The pair, with help from many others, has successfully petitioned the Internet Engineering Task Force (IETF) to designate web addresses ending in “.onion” as special use domain names. The IETF is the standards-setting body for the Internet.
That may not sound entirely exciting, but its ramifications are important as it makes running a .onion hidden site that much easier. First, the Internet Corporation For Assigned Names and Numbers (ICANN) cannot make .onion a regular top-level domain. That means .onion won’t be sold off during a round of domain name expansion.
Second, it should make it easier for .onion hidden sites to obtain HTTPS (SSL/TSL) certificates for secure, encrypted browsing. In fact, this appears to be Facebook’s primary motivation for working with Tor to get official recognition for .onion.
Facebook saw its .onion site as a means for users around the world to connect to Facebook in relative anonymity while being perfectly public within Facebook itself. People living under an oppressive regime, for example, could use Tor to connect to Facebook without tipping off local authorities.
Why this matters: Tor and the so-called dark web (or darknet) are often associated with criminal enterprises like the defunct online black market Silk Road. But there are many important uses for a Tor hidden site, such as maintaining anonymity under an oppressive government, protected communications between a journalist and whistleblower, or simply avoiding government mass-surveillance as a matter of principle. The IETF’s recognition of .onion helps to legitimize hidden sites and clarify their importance.
An epic tale of deadlines and bureaucracy
While Facebook now had its .onion site up and running, its future was still in doubt.
The problem, as described by Facebook engineer Alec Muffett, was that Facebook obtained an SSL certificate for its .onion site using an arcane loophole in the way security certificates are issued.
That loophole is due to be closed November 1, 2015 meaning any SSL certificates using it, such as Facebook’s .onion site, would then be invalid.
For Facebook, having an official and valid SSL certificate for its .onion site was non-negotiable. If the company couldn’t maintain an official SSL cert, the .onion site would have to disappear.
Luckily, in February 2015 the CA/Browser Forum—a consortium of Internet companies that decides what kind of websites can get SSL certificates and what kind can’t—created rules for .onion sites to obtain SSL certificates.
But the CA/B Forum said that they would only issue certificates to these sites if .onion became an officially recognized special use domain by November 1, 2015. Thus Facebook and Tor began their effort to meet that deadline, which they recently did.
It’s not clear, in practice, if obtaining an SSL certificate for a .onion site will now be as standard as doing the same for a .com or .net. But DigiCert, the certificate authority that worked with Facebook on its .onion SSL certificate last year, expects to see more requests.
“I believe there will be an increased number of requests for .onion certificates,” DigiCert vice president of business development Jeremy Rowley said via email. “However, I do not think .onion issuance will ever become part of a certificate authority’s standard business. Issuing for a .onion domain removes the site operator’s anonymity. Most .onion operators would prefer to keep this anonymity, making use of .onion certificates limited only to those companies which are really focused on providing end-user anonymity (like Facebook). That said, we are happy to issue certificates to any legitimate company looking to help build customer trust.”
Obtaining an SSL certificate for a .onion site also isn’t as simple as it is for a regular site. “.Onion sites may only obtain EV certificates. EV Certificates require a high-level of identity validation that ties an existing, registered, entity to the certificate’s public key,” Rowley said. “This is a far greater level of scrutiny than what most .com and .net sites go through to obtain a certificate. Unfortunately, this means certificates are not really available to individuals operating a .onion domain for now. I’m working on changing that.”