Monsters defeated in quest to free .onion from clutches of DNS-snooping demons
Nice friendly IETF monsters, natch
Big steps were taken this week to get The Onion Router (Tor) project's .onion names out of DNS – and away from prying eyes.
Tor helps cloak people's identities online by routing their connections through multiple nodes to internal hidden services, or out to the wider internet via exit relays. Tor is used by all sorts of people: whistleblowers, journalists, activists, crooks, lowlifes, you name it.
These hidden services are reached using a .onion name that is used by the Tor software to locate a server within the Tor network: for example, facebookcorewwwi.onion looks like a normal URL, but is actually an onion name for a Facebook web server in the Tor network. Similarly, frxleqtzgvwkv7oz.onion was the onion name for the Freenode IRC service within the Tor network.
Trouble is, if you give an application an onion name, it may well try to contact a DNS server on the public internet to resolve this name into an IP address to connect to, rather than pass it to a Tor client to handle securely. Anyone eavesdropping on these external lookups can easily work out you're trying to access a hidden service – you'll end up leaving footprints that lead back to you, destroying your privacy.
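The footprint described above is also what a defender can look for on their own recursive resolver: any .onion name in a query log means some application on the network is bypassing Tor. The following script is an added example, not part of the original article. It parses constructed query-log lines laid out in a BIND-style format (the timestamp, client address, name and record type are all made up) and reports which clients leaked .onion lookups, treating names case-insensitively, ignoring a trailing dot, and not matching names that merely contain "onion" as a non-final label.

```python
import re
from collections import Counter

# Constructed sample lines in a BIND-style query-log layout (not real log data).
SAMPLE_QUERY_LOG = """\
27-Oct-2015 12:00:01.101 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
27-Oct-2015 12:00:01.205 client 10.0.0.5#51240: query: facebookcorewwwi.onion IN A + (10.0.0.1)
27-Oct-2015 12:00:02.010 client 10.0.0.7#40001: query: onion.example.net IN AAAA + (10.0.0.1)
27-Oct-2015 12:00:02.330 client 10.0.0.9#53001: query: frxleqtzgvwkv7oz.ONION. IN A + (10.0.0.1)
27-Oct-2015 12:00:03.000 client 10.0.0.5#51250: query: mail.example.com IN MX + (10.0.0.1)
"""

# Pulls the client address, queried name and record type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.:a-fA-F]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_onion_name(qname):
    """True when the rightmost label is 'onion' (case-insensitive, trailing dot ignored).

    'onion.example.net' is NOT an onion name: only the top-level label counts.
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def find_onion_leaks(log_text):
    """Return one record per .onion query that reached this resolver."""
    leaks = []
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue  # not a query line (or a layout we do not understand)
        if is_onion_name(match["qname"]):
            leaks.append(
                {"client": match["client"], "qname": match["qname"], "qtype": match["qtype"]}
            )
    return leaks


def leaks_per_client(log_text):
    """Count leaked .onion queries per client so the noisiest hosts surface first."""
    return Counter(leak["client"] for leak in find_onion_leaks(log_text))


if __name__ == "__main__":
    for leak in find_onion_leaks(SAMPLE_QUERY_LOG):
        print(f"{leak['client']} leaked {leak['qname']} ({leak['qtype']})")
    print(leaks_per_client(SAMPLE_QUERY_LOG))
```

Run against a real resolver's query log, the per-client counts point at the machines whose software needs to be configured to hand .onion names to a Tor client instead of the system resolver.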
Software such as the Tor Browser is configured to use .onion names properly, and not toss them out to the public DNS system, but not every app is aware of Tor. So anti-surveillance campaigners Jacob Appelbaum and Alec Muffett have proposed an official internet standard to:
- Force applications to either handle .onion names directly, or run them through a Tor proxy to keep information about the connection away from the public internet.
- Force DNS library code and APIs to use the Tor network to resolve .onion domains or respond with the error code NXDOMAIN.
- Force caching DNS servers to return NXDOMAIN for .onion lookups that manage to come their way.
- Force DNS server admins to not handle .onion lookups.
- Force DNS registrars to not register .onion domain names on the public internet.
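The first three rules above each sit at a different layer (application, resolver library, caching resolver), and the common thread is that a .onion name must never travel to the public DNS. The script below is an added example, not code from the draft or from the Tor project, showing what each layer's check looks like in Python. The Tor SOCKS address 127.0.0.1:9050 is Tor's conventional default and is an assumption here, not something the article states; the public lookup is injected as a parameter so the example runs offline.

```python
import socket

ONION_TLD = "onion"
# Tor's conventional local SOCKS port; an assumption for this example, not from the article.
TOR_SOCKS_DEFAULT = ("127.0.0.1", 9050)


class NXDomain(LookupError):
    """Mirrors the DNS NXDOMAIN response: the name does not exist in the public DNS."""


def is_onion_name(host):
    """True when the rightmost label is 'onion' (case-insensitive, trailing dot ignored)."""
    labels = host.rstrip(".").lower().split(".")
    return labels[-1] == ONION_TLD


def plan_connection(host, tor_proxy=TOR_SOCKS_DEFAULT):
    """Application rule: .onion goes through the Tor proxy and is never resolved locally."""
    if is_onion_name(host):
        return {"route": "tor-socks", "proxy": tor_proxy, "resolve_locally": False}
    return {"route": "direct", "proxy": None, "resolve_locally": True}


def resolve_host(host, public_lookup=None):
    """Resolver-library rule: fail closed with NXDOMAIN before touching the public DNS.

    `public_lookup` is a callable taking a host name and returning a list of addresses;
    it defaults to the system resolver via socket.getaddrinfo.
    """
    if is_onion_name(host):
        raise NXDomain(f"{host}: .onion names are not resolvable via the public DNS")
    lookup = public_lookup or (
        lambda h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)})
    )
    return lookup(host)


def caching_resolver_response(qname, upstream):
    """Caching-resolver rule: answer NXDOMAIN for .onion without forwarding upstream.

    Returns (rcode, answers); `upstream` is only called for non-.onion names.
    """
    if is_onion_name(qname):
        return ("NXDOMAIN", [])
    return ("NOERROR", upstream(qname))


if __name__ == "__main__":
    # Offline demonstration with a stand-in for the public DNS (192.0.2.1 is a documentation address).
    fake_dns = lambda h: ["192.0.2.1"]
    print(plan_connection("facebookcorewwwi.onion"))
    print(resolve_host("www.example.com", public_lookup=fake_dns))
    try:
        resolve_host("frxleqtzgvwkv7oz.onion", public_lookup=fake_dns)
    except NXDomain as err:
        print("refused:", err)
    print(caching_resolver_response("frxleqtzgvwkv7oz.onion", fake_dns))
```

The important property is visible in the last two calls: the stand-in public resolver is never invoked for a .onion name, so there is nothing for an eavesdropper to see even when an application gets the name wrong.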
Such measures are needed because the Tor project decided to start using .onion names before domain-name overseer ICANN started taking applications for new dot-word domains – meaning anyone with enough money to burn could buy the rights to operate all .onion addresses and make life hell for the Tor project.
The good news, for the project, is that IANA – the ICANN-run body that oversees the world's DNS among other things – on Wednesday made .onion a special-case domain name, meaning that, just like addresses ending in .invalid, internet software should treat .onion differently from normal domain names.
Crucially, also on Wednesday, the IETF – the backroom techies that help keep the internet ticking over – approved Appelbaum and Muffett's draft standard. Now the document is with the RFC Editor to rubber stamp and publish as a standard that software and systems are expected to obey – thus ring-fencing .onion from the public DNS.
All that's left then is for ICANN to agree to put .onion on its list of reserved generic top-level domains, meaning it won't flog the dot-word off to a registry at a later date.
The IETF's approval is in line with the Internet Architecture Board's decision to rethink the 'net, top-to-bottom, in the face of pervasive surveillance. ®
Editor's note: This story was revised after publication with extra context and information.