Tor gains extra security as .onion becomes Special-Use Domain Name
Tor -- The Onion Router -- is used as a way of browsing the web (more) anonymously. Most well-known for providing access to what has become known as the Dark Web, Tor has faced competition from other secure browsing systems such as HORNET. But now it is set to benefit from key changes that will improve security and have further implications.
Engineering Task Force (IETF) along with Internet Assigned Numbers Authority, part of ICANN, has granted formal recognition to the .onion domain, adding it to the list of Special-Use Domain Names. Previously known as a psdeuo-TLD it was technically possible for the .onion domain to be used on the regular web -- now it is limited to Tor. There is also the possibility of site-specific encryption and the use of security certificates.
Tor may be famed for the likes of Silk Road and other such sites, but the anonymity and security it offer is important for many reasons. Of course the Tor network is not only home to nefarious websites (although it's fair to say that this accounts for a reasonable percentage of traffic), it is also used by news outlets as a way to anonymously gather news, and Facebook even has a secure presence.
The official recognition of .onion will automatically help to improve security, helping to reduce the ability to identify or locate users. The IETF documentation explains what the change means for accessing .onion sites:
Applications (including proxies) that implement the Tor protocol MUST recognize .onion names as special by either accessing them directly, or using a proxy (e.g., SOCKS [RFC1928]) to do so. Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion, and SHOULD NOT perform a DNS lookup.
Other key clauses bolster security further:
Name Resolution APIs and Libraries: Resolvers MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN.
Caching DNS Servers: Caching servers, where not explicitly adapted to interoperate with Tor, SHOULD NOT attempt to look up records for .onion names. They MUST generate NXDOMAIN for all such queries.
Authoritative DNS Servers: Authoritative servers MUST respond to queries for .onion with NXDOMAIN.
The prospect of SSL and TLS certification is important for the wider adoption of Tor as it helps to give users confidence that the sites they are dealing with are what they say they are. Speaking to Motherboard, Richard Barnes, the Firefox Security Lead at Mozilla, said:
This enables the Tor .onion ecosystem to benefit from the same level of security you can get in the rest of the web. It adds a layer of security on top.