That may not sound entirely exciting, but its ramifications are important as it makes running a .onion hidden site that much easier. First, the Internet Corporation For Assigned Names and Numbers (ICANN) cannot make .onion a regular top-level domain. That means .onion won’t be sold off during a round of domain name expansion.
Second, it should make it easier for .onion hidden sites to obtain HTTPS (SSL/TSL) certificates for secure, encrypted browsing. In fact, this appears to be Facebook’s primary motivation for working with Tor to get official recognition for .onion.
Last October, Facebook unveiled its own .onion site at facebookcorewwwi.onion/ (you can only access this site using the Tor network). Facebook’s .onion site even had an official SSL certificate, which was unheard of at the time.
Facebook saw its .onion site as a means for users around the world to connect to Facebook in relative anonymity while being perfectly public within Facebook itself. People living under an oppressive regime, for example, could use Tor to connect to Facebook without tipping off local authorities.
If you’re not clear what Tor and hidden sites are, check out PCWorld's primer on the “darknet.”
Why this matters: Tor and the so-called dark web (or darknet) are often associated with criminal enterprises like the defunct online black market Silk Road. But there are many important uses for a Tor hidden site, such as maintaining anonymity under an oppressive government, protected communications between a journalist and whistleblower, or simply avoiding government mass-surveillance as a matter of principle. The IETF’s recognition of .onion helps to legitimize hidden sites and clarify their importance.
While Facebook now had its .onion site up and running, its future was still in doubt.
The problem, as described by Facebook engineer Alec Muffett, was that Facebook obtained an SSL certificate for its .onion site using an arcane loophole in the way security certificates are issued.
That loophole is due to be closed November 1, 2015 meaning any SSL certificates using it, such as Facebook’s .onion site, would then be invalid.
For Facebook, having an official and valid SSL certificate for its .onion site was non-negotiable. If the company couldn’t maintain an official SSL cert, the .onion site would have to disappear.
Luckily, in February 2015 the CA/Browser Forum—a consortium of Internet companies that decides what kind of websites can get SSL certificates and what kind can’t—created rules for .onion sites to obtain SSL certificates.
But the CA/B Forum said that they would only issue certificates to these sites if .onion became an officially recognized special use domain by November 1, 2015. Thus Facebook and Tor began their effort to meet that deadline, which they recently did.
It’s not clear, in practice, if obtaining an SSL certificate for a .onion site will now be as standard as doing the same for a .com or .net. But at least the official recognition is in place. In the future, Tor project member Jacob Appelbaum hopes to see “easy to issue certificates” for .onion sites come from the nascent Let’s Encrypt project.
via The Verge