IEEE SYMPOSIUM ON SECURITY AND PRIVACY

Bake in .onion for Tear-Free and Stronger Website Authentication

Paul Syverson | US Naval Research Laboratory
Griffin Boyce | Berkman Center for Internet & Society at Harvard University

1540-7993/16/$33.00 © 2016 IEEE Copublished by the IEEE Computer and Reliability Societies March/April 2016

Although their inherent authentication properties are generally overlooked in the shadow of the network-address hiding they provide, Tor’s .onion services might just deliver stronger website authentication than existing alternatives.

Tor is a widely popular infrastructure for anonymous communication (www.torproject.org). Millions of people use Tor’s thousands of relays for unfettered, traffic-secure Internet access. Approximately 95 percent of Tor bandwidth traffic is on circuits connecting Tor clients to servers that are otherwise accessible on the Internet [1]. Tor also provides protocols for connecting to services on its reserved top-level domain .onion, which are only accessible via Tor.

Tor’s .onion design continues the original onion-routing idea of protecting not only clients’ but also servers’ network location information [2,3]. Research to date has been so focused on the location-hiding aspects of onionsites and services that it simply calls them “hidden servers.” The popular press sometimes uses “Dark Web” to refer to onionsites, but more often than not, usage of that term is misleading or incoherent. Because spies and criminals attack users from hiding spots throughout the infrastructure on today’s Internet, rather than being dark, Tor’s authenticated routing overlay typically provides users the only visibility of or control over where their traffic goes. Thus, we challenge the common narrow view of onionsites. In this article, we explore how individuals might use Tor’s .onion infrastructure to create website authentication, integrity, and other guarantees more simply, easily, fully, and inexpensively than by currently available means.

Tor and Onion Services: A Brief Background

In this article, we sketch the basics of Tor onion services. For more details, we refer readers to Roger Dingledine and his colleagues’ Tor design paper [2], the Tor Project’s high-level graphical description of onion services (www.torproject.org/docs/hidden-services.html.en), and related documentation on the Tor homepage (www.torproject.org). The “Tor Rendezvous Specification” also provides a more up-to-date and much more technical description of onion service protocols (https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt).

Tor clients randomly select three of the roughly 7,400 Tor relays to create a cryptographic circuit to connect to Internet services (https://metrics.torproject.org/networksize.html). Because only the first relay in the circuit sees the client’s IP address and only the last (exit) relay sees the destination’s IP address, identification is separated from routing. To offer an onion service, a Web
(or other) server creates Tor circuits to multiple introduction points that await clients’ connection attempts. Clients wanting to connect to a particular onion service use the onion address to look up its introduction points in a directory. In a successful interaction, clients and onionsites both create Tor circuits to a client-selected rendezvous point. The rendezvous point mates their circuits, which then interact over the rendezvous circuit like ordinary Web clients and servers.

Because a properly configured onionsite communicates only over the Tor circuits it creates, this protocol hides its network location—thus the name “hidden service.” But the .onion system has other important features, including self-authentication. The onion address is actually a hash of the onionsite’s public key. For example, if users want to connect to the DuckDuckGo (https://duckduckgo.com) search engine’s onion service, they use the address 3g2upl4pq6kufc4m.onion. The Tor client, recognizing this as an onion address, knows to use the above protocol rather than pass the address through a Tor circuit for DNS resolution at the exit. Avoiding a DNS resolution outside the Tor network protects against leakage of client interests by preventing observation of DNS lookups as well as against any of the well-known DNS hijinks, such as redirection by ISPs or rogue DNS servers and cache poisoning. The public key corresponds to the key that signs the directory system’s list of introduction points and other service descriptor information. In this way, onion addresses are self-authenticating.

For services such as DuckDuckGo, the onion service’s value lies not in its location hiding but in the Tor connection’s additional authentication and assurance of improved route security. Because the Tor circuits necessary to reach introduction and rendezvous points are there to protect the confidentiality of server network location, their complexity, latency, and network overhead aren’t needed to provide improved authentication or route security. Nonetheless, there are performance advantages to providing an onion service to users wanting to connect to a site via Tor (for example, skirting the effects of exit relay bandwidth scarcity). And Tor proposals (the Tor equivalent of the Internet Engineering Task Force’s [IETF’s] RFCs) to standardize simplified onion services without location hiding are underway. Facebook’s onion service already uses such simplifications.

Knowing to Which Self to Be True

DuckDuckGo’s onion address is self-authenticating in that it binds the service descriptor information to 3g2upl4pq6kufc4m.onion. Presumably, users want assurance that they’re reaching DuckDuckGo and receiving DuckDuckGo search results, not what might be returned by some other, possibly malicious, server. In addition to the integrity guarantee, users rely on authentication so that their queries are revealed only to DuckDuckGo. The onion address alone doesn’t offer this. Using the traditional Web trust infrastructure, Facebook offers a DigiCert certificate for its onion addresses to ensure that users aren’t misled by onionsites purporting to be official.

Although cryptographic binding is essential to the technical mechanisms of trust, users also rely on human-readable familiarity, for example, that the browser indicates graphically that they’ve made a certified encrypted connection as a result of typing “facebook.com” into the browser. To some extent, it’s possible to make use of this familiarity in onionspace. By generating many keys whose hash had “facebook” as the initial string and then searching the full hashes for an adequately felicitous result, Facebook obtained the facebookcorewwwi.onion address. However, this method won’t work widely, because it’s difficult to generate custom addresses in this way.

The Onion Name System is an attempt at a system for globally unique but still human-meaningful onionsite names [4]. This has the advantage of not depending on existing naming schemes, such as the domain registration system. Nevertheless, we can leverage the effective usage and infrastructure that existing naming approaches have evolved through experience and design. We focus herein on approaches that link onion addresses to already meaningful ways of referring to sites. In particular, we focus on a case in which an individual controls a registered domain name, although it’s also possible to bind to other meaningful Web locations such as a Facebook page or WordPress blog.

If you have a registered domain name, why not just obtain certificates from traditional authorities, as Facebook has done? For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update [5]. These are not original observations. Indeed, that description is actually a quote from Josh Aas’s first blog entry for Let’s Encrypt, a new certificate authority dedicated, among other things, to making TLS certification free and automatic for most websites.

Setting up a certificate using the existing X.509 public-key infrastructure system can take hours or even days. When a collective or organization operates the website, SSL/TLS certificates have been known to take months because of ownership and authorization questions. This time cost is in addition to the certificate’s monetary cost, if any. In contrast, setting up an onionsite takes a few minutes and costs nothing. Once Tor is installed, you simply add two lines to your torrc file to define where Tor will store the onion service’s key information and port, if necessary. Then, simply start Tor for the key and address to be generated. To migrate the service elsewhere, add these files to the new machine, then configure and start Tor as before. The Tor Project provides additional tips and advanced options (www.torproject.org/docs/tor-hidden-service.html.en). Even if Pretty Good Privacy (PGP) encryption is used for the binding (as we describe later) and the process of learning to create a PGP key and signature is considered, the time investment is dramatically less than with X.509.
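Tor derives that generated address from the key exactly as the self-authentication discussion above describes: for the 16-character addresses in this article, it is the first 80 bits of the SHA-1 hash of the DER-encoded RSA public key, base32-encoded. The Python below is an added illustration (not code from the article or the Tor Project) of that binding and of the client-side decision to send .onion names through the rendezvous protocol instead of exit DNS; the key bytes are a constructed stand-in for a real DER-encoded key.

```python
import base64
import hashlib
import re

# Shape of the onion addresses discussed in the article: 16 base32 characters,
# optionally preceded by subdomain labels, then ".onion".
_ONION_HOST = re.compile(r"^(?:[a-z0-9-]+\.)*([a-z2-7]{16})\.onion$")


def onion_address(pubkey_der: bytes) -> str:
    """Derive the onion address (without ".onion") from the onionsite's
    DER-encoded RSA public key: the first 80 bits (10 bytes) of SHA-1 over
    the key, base32-encoded, which gives exactly 16 lowercase characters."""
    digest = hashlib.sha1(pubkey_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def address_matches_key(address: str, pubkey_der: bytes) -> bool:
    """The self-authentication check a Tor client performs in effect: the key
    that signs the service descriptor must hash to the address requested."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    return host == onion_address(pubkey_der)


def route_for(host: str) -> str:
    """Model the client decision the article describes: a .onion name is looked
    up via introduction points (rendezvous protocol) and is never handed to an
    exit relay for DNS resolution; any other name is."""
    if _ONION_HOST.match(host.lower()):
        return "rendezvous"
    return "exit-dns"


def has_vanity_prefix(pubkey_der: bytes, prefix: str) -> bool:
    """Test of one candidate key in the kind of search Facebook ran for its
    facebookcorewwwi address: does this key's address start with the prefix?"""
    return onion_address(pubkey_der).startswith(prefix.lower())


# Constructed stand-in for a DER-encoded public key (not a real RSA key).
SAMPLE_KEY = b"constructed-sample-onion-public-key-bytes"
SAMPLE_ADDRESS = onion_address(SAMPLE_KEY) + ".onion"

if __name__ == "__main__":
    print(SAMPLE_ADDRESS, route_for(SAMPLE_ADDRESS), route_for("duckduckgo.com"))
    print(address_matches_key(SAMPLE_ADDRESS, SAMPLE_KEY))
```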
As of this writing, Let’s Encrypt services are available only in beta release. Nonetheless, it’s already quite popular and successful. Should it be willing to offer onion domain certificates, Let’s Encrypt could be an easy way for onionsite operators to take advantage of the traditional certification infrastructure. This is already a focus of Let’s Encrypt discussions, both internally and with its community (https://community.letsencrypt.org/t/if-when-will-le-support-onion-addresses/341/10).

Traditional SSL certificate problems go beyond questions of cost and convenience. The trust hierarchy is opaque to direct usage, and the sheer number of trusted authorities is large enough to be of concern. In particular, there have been numerous man-in-the-middle (MITM) attacks through certificate manipulation as well as hacking of certificate authorities or certificate validation software leading to use of fraudulent certificates for several popular websites [6].

The Electronic Frontier Foundation’s SSL Observatory (www.eff.org/observatory) monitors and documents the occurrence of such problems. Google’s Certificate Transparency (www.certificate-transparency.org) effort is similar but broader, adding, among other things, append-only signed public logs that make undetectable certificate shenanigans harder to achieve.

The problems with certificates, though real, are largely moot for those wanting to create onion services. As of this writing, the Certification Authority (CA)/Browser Forum (https://cabforum.org) has approved only extended validation (EV) certificates for .onion addresses. This limits the certificates’ use to those with the significant time, money, and desire required to complete the extensive identity validation process. EV certificates are primarily used by large businesses; individuals, organizations, and small businesses more commonly obtain domain validation (DV) certificates, which typically require a simple email confirmation based on information in the WHOIS database.

Furthermore, the .onion top-level domain itself was unofficial until recently. However, an IETF RFC reserving .onion as one of the handful of special-use domain names was approved as a proposed standard in October 2015 [7]. With this RFC’s official release, the approval of certificates for .onion addresses is now on firmer footing [8].

Our Onions Ourselves

As noted, onionsites already provide self-authenticated binding of public keys to onion addresses—but not to something recognizably associated with that site. We seek an authentication solution for all websites, especially moderately popular or short-lived ones such as webpages for individuals, hometown sports teams, one-time local events, small businesses, and municipal election campaigns. Although these are smaller targets than the more popular, long-lived sites, they’re subject to similar controversies and attacks. Even if they aren’t the targets of attacks, they might be collateral victims.

Sometimes, users of these less popular or temporary sites don’t have Internet accounts that permit setting up servers. Onionsites can generally work with this limitation because they make only outbound client connections. Similarly, onionsites can be used to administer systems behind restrictive firewalls that permit only outbound connections. Even if users do have Internet accounts that permit them to provide Web services, their providers might not offer HTTPS, or offer it only at an additional fee.

With Tor’s user base in the millions and growing, website owners might also want to ensure that their sites are accessible to Tor users. Sites such as Facebook use onion services to give Tor users better performance, security, and user experiences than what they receive when connected over a simple Tor circuit to facebook.com [8]. On the other hand, those with small personal sites might discover that their hosting provider blocks access from Tor exits. When product designer Glenn Sorrentino realized that this was true of his site, glennsorrentino.com, he set up a version on a small personal system at at3o24mj2rfabkca.onion. Doing so offered other benefits as well, but his motivation was reachability for Tor users. Note that because the Tor network is designed to be reached even by users experiencing censorship, another way to solve this problem could be to run the site as an onion service from the same Web server but connecting to Tor via bridges and obfuscating pluggable transports (www.torproject.org/docs/bridges).
We focus primarily on using onionsites to improve authentication, setting properties of network location hiding aside as orthogonal to our goals. However, these properties can be complementary for some use cases. Authenticated hidden services are an appealing option for those who’d like to secure their onionsites for personal use. Unlike with traditional websites, which are discoverable online before authentication, users lacking authentication information for private onionsites won’t be able to determine easily whether they exist, nor will they be able to probe them for vulnerabilities. Configuring onionsites for obfuscation of site existence, and thus site vulnerability, is ideal for operating a personal cloud service. With privacy and cost in mind, many people operate their own cloud infrastructures to store files and calendar entries by using open source systems such as Cozy (https://cozy.io) and OwnCloud (https://owncloud.org). Authenticated hidden services are also often used as personal RSS readers, because onionsites ensure some level of feed integrity—particularly important when fetching news feeds that don’t utilize TLS.

Users can, and often do, create Facebook or similar pages that are protected by HTTPS and TLS certificates. But then the service must depend on the host’s reputation, trust, policies, and protections—not to mention dynamics—rather than let users understand and control these aspects of their own services.

A simple way to bind the onionsite public key to a known entity that uses widely available mechanisms is to provide a signature on the onion address, such as a PGP/GNU Privacy Guard (GPG) signature. The signed text can be included on the onionsite, making it self-authenticating in this sense as well. The trust level in the authentication is then equivalent to the trust in the public key doing the signing. Such techniques are already used for signing code. For example, the Tor Project offers signatures on all sources and binaries it makes available for download.

Signers can also post the signed onion address to a public site, such as their Facebook page. Indeed, a useful public site for doing this would be an unauthenticated version of the same service as the one the onionsite offers. The unauthenticated version and the onionsite version should contain signed pointers to each other so that anyone can check their association. For example, by posting his PGP signature at both http://glennsorrentino.com/onion-binding.php and http://at3o24mj2rfabkca.onion/onion-binding.php, Sorrentino binds the addresses of his site’s unauthenticated and authenticated versions.

Another potential place to post the association is Keybase (https://keybase.io), a “people directory” in beta release. Keybase lets you look up by username GitHub, Reddit, Twitter, and Bitcoin identifiers signed with the same PGP key. Incidentally, Keybase has an onion address (http://fncuwbiisyh6ak3i.onion) for its registered domain address.

Given onionsites’ authentication benefits, why bother with a non–onionsite version? Providing a site at the registered domain makes it available to users not coming over Tor. Typically, an onionsite can still be accessed via Tor2web (https://tor2web.org), a website that proxies connections from non–Tor clients to onionsites. Such proxying services might provide broader availability; however, at best, they offer overtly acknowledged MITM onionsite connections. Because we’re focused on not merely maintaining but improving authentication, we’ll say no more about such proxies and limit our discussion to secure onionsite access for current and future Tor users. Site operators wanting to provide wider, if less secure, access should do so by connecting to the registered domain name, which is hopefully at least protected by HTTPS.

Finally, Google and other traditional search and indexing engines don’t generally reflect links to onionsites, unless onionsites associated with registered domains are included in the sites’ metadata, as in our glennsorrentino.com example. The Ahmia search engine (https://ahmia.fi) is limited to onionsites and thus likely to be known only to those already familiar with them. However, its creator, Juha Nurmi, has agreed to link onion and registered domain addresses in Ahmia, together with the GPG signatures that bind the linking. He’s also suggested to us that Ahmia could automatically test the signatures and check the registered-domain and onion sites. Thus, even if they aren’t comfortable performing PGP verification, users who trust Ahmia (and their connection to Ahmia) can verify that the same party operates a pair of websites. Onionsite crawling and indexing are in their infancy and thus aren’t as representative of their target space as Google’s and similar sites’ much more mature indexing of the surface Web.

Usability, Convenience, and Security

Because most onionsite visitors use Tor Browser, deployment and debugging of onion services are faster than for their registered domain counterparts—there’s only one browser to test, with only minor user variation. Website operators can assume that users don’t have AdBlock or other browser extensions that affect how content is displayed. Plug-ins such as Java and Flash that might mitigate Tor Browser’s privacy protections are disabled by default. Many privacy-conscious users enable the NoScript extension to block JavaScript
as well. Despite this, rich content such as video, audio, and interactive storytelling are still available for designers willing to use HTML5 and CSS3. And because Tor Browser generally restricts what it will process more than other browsers do, operators wanting to offer access to their Tor Browser–tested site at a registered domain shouldn’t have to make any changes.

What we’ve described so far implies relatively manual PGP/GPG signature authentication. It would be straightforward to create a plug-in that verifies the signature and the trust in it, then gives users different indications depending on the results. Related tools have already been developed; for example, Monkeysphere (http://web.monkeysphere.info) is a Firefox plug-in that uses the PGP trust infrastructure for validation only when the browser doesn’t accept the TLS certificate validation by default. A simpler plug-in could also check the Ahmia validation suggested earlier.

Website operators can now use our PGP approach (at least manually). Although our approach could benefit from usability developments and simplification, it can complement other approaches, as it doesn’t rely fundamentally on the deployment and continued commitment to new infrastructure. Instead, it can rely on whatever authentication infrastructure is popular and likely to be maintained for independent reasons.

The PGP web of trust builds up signature authority in a decentralized manner from direct personal connections and introductions. This fits more naturally with, for example, community, local business, personal, and collaborative work sites, for which local or personal trust relationships are important [9]. By contrast, the X.509 trust model is a hierarchical centralized trust chain delegated down from a national or global corporate trust anchor.

PGP remains much less familiar than TLS. Popular familiarity is, however, not so much with TLS as with interfaces such as the lock icon in the browser search bar. This indicates little more than whether TLS and certificates from default-accepted authorities are in operation. However, most users lack even this basic understanding: to them it means “secure.” It’s up to us to design systems so that such simple judgments are correct and users will naturally do the right thing. As noted, similar PGP interfaces have been designed but haven’t been developed extensively the way TLS interfaces have—unsurprising given TLS’s fundamental role in global e-commerce. For those who don’t otherwise rely on the PGP web of trust’s social or local protections, TLS certificates will likely remain the primary ground for linking public, human-readable domain names to signatures that authenticate websites.

Let’s Authenticate

Again, unlike conventional Web URLs, onion addresses are connected inextricably to the site authentication key. Thus, if you’ve publicized the onion address on, for example, blogs, Twitter, or Facebook, people following those address links won’t be vulnerable to hijacks or MITM attacks by a subverted CA. This significantly raises the bar on the hijacker. Furthermore, non-CA-based MITM techniques, such as forcing the site to fall back to a non-SSL version (for example, by using SSLStrip) or to use a weaker cipher to communicate (for example, via BEAST or FREAK), won’t be possible because, unlike for conventional Web addresses, the onion address and key are linked inextricably and generated cryptographically.

Given the success of Let’s Encrypt, we envision eventual incorporation of TLS with onionsites for the “everyman” users we described. Whereas certificate transparency and the like will help increase trust in authenticating such sites via their certificates, onion addresses’ self-authentication adds to this trust in two ways. They strengthen the certificate-based authentication that certificate transparency addresses, and the use of onion routing implies authentication of the route, not just the destination. And both of these are under more direct owner control. But, it’s not just for the little guys. The US General Services Administration—which negotiates federal-friendly terms of service (ToS) for the US government [10]—has negotiated an amendment to the Let’s Encrypt Subscriber Agreement for US government users. And Let’s Encrypt already has significant US government adoption (https://crt.sh/?Identity=%25.gov&iCAID=7395).

Creating the Domain Validation Certificate

We assume that the certificate to be obtained will have the onion address listed as a SAN (subjectAltName) in the certificate issued for the registered domain name. Currently, CA/Browser Forum policy allows only registered domain names and wildcards thereof, such as *.duckduckgo.com. The only exception is for EV certificates, which are prohibitive for many site owners and, hence, problematic. Nonetheless, in response to numerous requests, DigiCert
now provides instructions for ordering .onion certificates [11]. We’ll explore some concerns and reasons why the approach set out in this section supports changing current restrictions. But, first, we describe how this approach would work if onion addresses were allowed as names in DV certificates.

You could simply create a self-signed certificate binding the onion and registered-domain names. But then a popup would warn users because the browser won’t trust you to be a signing authority. Such warnings are important because most people use Tor precisely for safer connections to registered domain addresses. We’re pursuing a strengthening of—not an alternative to—the current authority-based Web authentication infrastructure, to which user experience is central. Thus, we want to avoid both accepting self-signed certificates without warning and adding to circumstances in which popup warnings occur superfluously.

Onion addresses should receive at least the same DV level of checking as occurs now for registered domain names. The latest ballot-approved CA/Browser Forum’s baseline requirements list several ways to demonstrate domain control [12]. The most familiar is probably responding to an email sent to administrator@[registered domain] or a similar address. The baseline requirements also let certificate applicants demonstrate their ability to make requested changes, such as adding a nonce to a page whose name terminates in the requested domain name. So, a validation query protocol can be used that freshly connects to the onionsite and asks whether it’s acceptable to certify association of the onionsite with the registered domain. This can also verify that the onionsite is configured properly. The CA should issue the certificate only if all DV checks are completed successfully.

An email or other check of the registered domain must also include the onion name. If applicants could obtain a certificate for multiple registered domain names by showing control of only one, they could fraudulently authenticate other sites covered by the certificate. Onion addresses’ self-authentication limits this risk. This check alone wouldn’t prevent people from obtaining certificates for onion addresses not under their control. But, because they wouldn’t possess the onion address’s private key, people tricked into going to that address simply wouldn’t connect successfully. Nonetheless, many subtle authentication attacks are possible when users are confused about who they’re connecting to and in what role, especially if authentication protocol runs are interleaved [13]. Therefore, we recommend that the certificate-issuing protocol include a check that whoever controls the onion address authorizes its binding to the registered domain name.

Connecting to Onionsites

Assuming an onionsite has been configured and certified, how should users connect to it? If users request a connection to the onion address by, for example, clicking a link, then the connection should proceed as normal. But if users request a connection to the associated registered domain address, they could be redirected automatically to the onionsite as a security enhancement. Additions to the HTTPS Everywhere (www.eff.org/https-everywhere) ruleset could accomplish this.

HTTPS Everywhere—a browser extension incorporated by default in Tor Browser and available for Firefox, Chrome, and Opera—rewrites requests to connect to sites via unencrypted HTTP to HTTPS requests. This does more than add an “S” to the request. Sometimes a site’s encrypted and unencrypted versions are in different domain locations. Conversely, adding an “S” to an HTTP request might connect users to a page that the domain owner intended for purposes other than a heightened-security version of the HTTP site. Like HTTP Strict Transport Security (HSTS), HTTPS Everywhere helps guard against SSLStrip and similar attacks. HTTPS Everywhere also includes the SSL Observatory. Note that the ruleset could also be expanded to allow redirection to onionsites using the GPG binding approach we described earlier.

Another advantage of using HTTPS Everywhere to direct registered domain requests to onionsites is that DNS lookup of an IP address won’t be associated with the domain name. This means that such connections won’t be affected by attacks on DNS resolution or by observations of DNS lookups exiting the Tor network.

An Onion by Any Other Name Would Cert as Sweet

So, why not just permit onion addresses to be used as names in certificates? CA/Browser Forum discussions have raised two broad classes of objections.

First, currently deployed onion addresses and protocols rely on SHA-1 and RSA-1024, both of which have reached the end of their effective-security lifetimes. But Tor client and relay software has transitioned in stable releases to SHA-256 and Ed25519, which are adequate for the foreseeable future. And Tor is expected to transition onion services to these cryptographic primitives within the year. Therefore, any valid objections based on this concern will be short-lived. More important, when combined, onion protections can only add to TLS and certificate protections. Breaking the private RSA-1024 key associated with an onion address that has an appropriately stronger TLS key and certificate doesn’t, by itself, allow an attacker to subvert a certified TLS session with the onionsite. Conversely, MITM, cipher degradation, or other certificate or TLS instance attacks aren’t possible with onion addresses unless the attacker also breaks the self-authentication.
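As an added example (not the article’s or any CA’s code), the Python below runs the certificate-issuing checks recommended under “Creating the Domain Validation Certificate” end to end: the CA issues a fresh nonce, checks that the registered domain publishes it together with the onion name, then freshly connects to the onionsite, which succeeds only when the served key hashes to the requested address, and requires that onionsite to authorize the binding. The network, sites, keys and registered names are constructed in memory, and the .well-known validation path is an assumption rather than a baseline-requirements location.

```python
import base64
import hashlib
import secrets
from typing import Callable, Dict, List, Optional


def onion_address(pubkey_der: bytes) -> str:
    """v2 onion label: base32 of the first 80 bits of SHA-1 over the DER key."""
    return base64.b32encode(hashlib.sha1(pubkey_der).digest()[:10]).decode().lower()


class Site:
    """A web server; it runs an onionsite if it holds an onion key."""

    def __init__(self, onion_key: Optional[bytes] = None) -> None:
        self.onion_key = onion_key
        self.pages: Dict[str, str] = {}  # path -> body


class Network:
    """Constructed stand-in for DNS plus the Tor rendezvous protocol."""

    def __init__(self) -> None:
        self.domains: Dict[str, Site] = {}  # registered domain -> site
        self.onions: Dict[str, Site] = {}   # advertised onion label -> site

    def fetch_domain(self, domain: str, path: str) -> Optional[str]:
        site = self.domains.get(domain)
        return None if site is None else site.pages.get(path)

    def fetch_onion(self, address: str, path: str) -> Optional[str]:
        """A rendezvous completes only if the descriptor key hashes to the
        requested label: without the matching key a server cannot answer
        for the address, whatever it advertises in the directory."""
        label = address[:-6] if address.endswith(".onion") else address
        site = self.onions.get(label)
        if site is None or site.onion_key is None:
            return None
        if onion_address(site.onion_key) != label:
            return None  # self-authentication fails; the circuit never mates
        return site.pages.get(path)


# Assumed path for the validation page; the baseline requirements only ask
# for a page under the requested domain name, not this particular location.
BINDING_PATH = "/.well-known/pki-validation/onion-binding.txt"


def binding_statement(nonce: str, domain: str, onion: str) -> str:
    """Published on both sites: the CA's fresh nonce plus both names, so the
    domain check includes the onion name and the onionsite explicitly
    authorizes binding to this particular domain."""
    return f"{nonce} binds {domain} and {onion}"


def validate_and_issue(net: Network, domain: str, onion: str,
                       applicant: Callable[[str], None]) -> Optional[List[str]]:
    """CA side: the SAN list if every DV check succeeds, else None (no cert)."""
    nonce = secrets.token_hex(16)
    applicant(nonce)  # applicant publishes wherever it really has control
    expected = binding_statement(nonce, domain, onion)
    # Check 1: control of the registered domain, onion name included.
    if net.fetch_domain(domain, BINDING_PATH) != expected:
        return None
    # Check 2: fresh connection to the onionsite, which shows it is configured
    # properly and that whoever holds its key authorizes this binding.
    if net.fetch_onion(onion, BINDING_PATH) != expected:
        return None
    return [domain, onion]


# Constructed scenario values (not a real key or registered name).
SITE_KEY = b"constructed-sample-onion-public-key"
ONION = onion_address(SITE_KEY) + ".onion"
DOMAIN = "example.org"


def run_case(domain: str, onion_server: Site, domain_server: Site,
             onion_authorizes: Optional[str]) -> Optional[List[str]]:
    """Wire up one scenario: who answers for ONION, who answers for `domain`,
    and which domain (if any) the onion server is willing to be bound to."""
    net = Network()
    net.domains[domain] = domain_server
    net.onions[ONION[:-6]] = onion_server

    def applicant(nonce: str) -> None:
        domain_server.pages[BINDING_PATH] = binding_statement(nonce, domain, ONION)
        if onion_authorizes is not None:
            onion_server.pages[BINDING_PATH] = binding_statement(nonce, onion_authorizes, ONION)

    return validate_and_issue(net, domain, ONION, applicant)


def honest_case() -> Optional[List[str]]:
    site = Site(onion_key=SITE_KEY)  # one operator controls both names
    return run_case(DOMAIN, site, site, DOMAIN)


def impostor_case() -> Optional[List[str]]:
    """Controls attacker.example and advertises the victim's label from its own
    server, but lacks the onion key, so the rendezvous never completes."""
    impostor = Site(onion_key=b"constructed-other-key")
    return run_case("attacker.example", impostor, impostor, "attacker.example")


def unauthorized_case() -> Optional[List[str]]:
    """Genuine, reachable onionsite that has not authorized other.example."""
    return run_case("other.example", Site(onion_key=SITE_KEY), Site(), None)
```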
Second, for various reasons, some individuals support a CA’s ability to link real-world identities to issued certificates, as occurs when validating registered domain names. This is why only EV certificates have been approved for onion addresses. But the described design proposes that a DV certificate for an onion address be issued only when it’s fully bound to a registered domain name and validated by the same process as for the registered domain name. Whatever benefits such linking provides are supported as strongly for the onion address as for the registered domain name alone.

A decade ago, websites available via encrypted and authenticated connections were relatively rare. Providing users with such options seemed the province of the paranoid rather than standard good practice. Whether or not our specific design recommendations are adopted, we hope that in our general approach, readers recognize prospective changes, which onionsites facilitate, that are as important to the future of secure and robust access to and use of the Internet as certificates and TLS were at the turn of the century. We also hope our expanded view of Tor’s onion services will encourage others to explore this fascinating system for novel properties and applications.

Acknowledgments

We thank the anonymous reviewers for their feedback and suggestions. We have also benefited from conversations with many people, including Richard Barnes, Roger Dingledine, Peter Eckersley, Eric Mill, Alec Muffett, Mike Perry, Seth Schoen, and Ryan Sleevi.

References

1. G. Kadianakis and K. Loesing, Extrapolating Network Totals from Hidden-Service Statistics, Tor tech. report 2015-01-001, Tor Project, 31 Jan. 2015; https://research.torproject.org/techreports/extrapolating-hidserv-stats-2015-01-31.pdf.
2. R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The Second-Generation Onion Router,” Proc. 13th USENIX Security Symp. (SSYM 04), Aug. 2004, p. 21.
3. D.M. Goldschlag, M.G. Reed, and P.F. Syverson, “Onion Routing for Anonymous and Private Internet Connections,” Comm. ACM, vol. 42, no. 2, 1999, pp. 39–41.
4. J. Vickers, “OnioNS-server: The Onion Name System—Networking Protocols,” GitHub, 28 Sept. 2015; https://github.com/Jesse-V/OnioNS-server.
5. J. Aas, “Let’s Encrypt: Delivering SSL/TLS Everywhere,” Let’s Encrypt, 18 Nov. 2014; https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html.
6. L.-S. Huang et al., “Analyzing Forged SSL Certificates in the Wild,” Proc. IEEE Symp. Security and Privacy (SP 14), May 2014, pp. 83–97.
7. J. Appelbaum and A. Muffett, “The ‘.onion’ Special-Use Domain Name,” Internet Engineering Task Force, Oct. 2015; https://tools.ietf.org/html/rfc7686.
8. A. Muffett, “RFC 7686 and All That …,” Facebook, 23 Oct. 2015; www.facebook.com/notes/alec-muffett/rfc-7686-and-all-that/10153809113970962.
9. P. Zimmerman, “Why OpenPGP’s PKI Is Better than an X.509 PKI,” OpenPGP Alliance, 27 Feb. 2001; www.openpgp.org/technical/whybetter.shtml.
10. “List of Negotiated Terms of Service Agreements,” US General Services Administration, 2015; www.digitalgov.gov/resources/negotiated-terms-of-service-agreements.
11. “Ordering a .Onion Certificate from DigiCert,” DigiCert, 15 Dec. 2015; https://blog.digicert.com/ordering-a-onion-certificate-from-digicert.
12. “CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, Version 1.3.0,” CA/Browser Forum, 16 Apr. 2015; https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf.
13. P. Syverson and I. Cervesato, “The Logic of Authentication Protocols,” Proc. Int’l School on Foundations of Security Analysis and Design (FOSAD 00), LNCS 2171, 2001, pp. 63–136.

Paul Syverson is a mathematician at the US Naval Research Laboratory, Center for High Assurance Computer Systems. His research interests include computer and communications security and privacy with an emphasis on theory, design, and analysis of traffic-secure systems, especially onion routing. Syverson received an MA and PhD in philosophy and an MA in mathematics from Indiana University. He’s an Electronic Frontier Foundation Pioneer, Foreign Policy Global Thinker, and ACM Fellow. Contact him at paul.syverson@nrl.navy.mil.

Griffin Boyce is a fellow at the Berkman Center for Internet & Society at Harvard University and a senior censorship researcher for the Open Internet Tools Project. He works on various anticensorship projects, including Satori and Cupcake Bridge. Contact him at griffin@cryptolab.net.