.Onion is a top-level Internet domain used by anonymous websites on the Tor network, accessible only from the Tor anonymity browser. Standard browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox cannot reach sites under the onion domain because they are unable to navigate the relay of proxy servers from which Tor is built.
Why create an Onion Site?
When you choose to create an onion site, you’re doing so more for the anonymity of site users than anything else. The domain name is generated automatically for you: a randomized address of 56 characters ranging from a-z and 1-9. A v3 address will always end in a 'd' due to the way v3 onion service names are encoded.
What is the difference between V2 and V3 onion address?
V3 onion services have a number of security and privacy improvements over V2, which is now deprecated. The most obvious difference between V2 and V3 onion services is the address format: V3 onion addresses have 56 characters instead of 16, because they contain a full ed25519 public key rather than just the hash of a public key.
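The two answers above state that a v3 address is 56 characters, embeds the full ed25519 public key, and always ends in 'd'. The following added example (written for this page, not code from Tor or from any certificate authority) shows where those properties come from by encoding and decoding the v3 address layout with only the Python standard library: 32 key bytes, a 2-byte checksum computed as SHA3-256(".onion checksum" || key || version), and a version byte of 3, base32-encoded with the standard RFC 4648 alphabet. The sample public key is constructed (32 ascending bytes) and does not belong to any real service; a validator like this is useful on the defender side for rejecting malformed or typo-squatted onion hostnames before they reach a certificate order or an allow list.

```python
import base64
import hashlib

ONION_V3_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"
PUBKEY_LEN = 32
# 32 key bytes + 2 checksum bytes + 1 version byte = 35 bytes = 280 bits,
# which base32 (5 bits per character) encodes as exactly 56 characters.
ADDRESS_LEN = 56


def _checksum(pubkey: bytes, version: int = ONION_V3_VERSION) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]


def encode_v3_onion(pubkey: bytes) -> str:
    """Build a v3 onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != PUBKEY_LEN:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + bytes([ONION_V3_VERSION])
    # The version byte 0x03 is the last byte, so the final base32 character
    # encodes its low five bits 0b00011 = 3, which is 'd' in the alphabet.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_v3_onion(address: str) -> bytes:
    """Validate a v3 onion hostname and return the embedded public key.

    Raises ValueError for anything that is not a well-formed v3 address:
    wrong length, invalid base32, wrong version byte, or checksum mismatch.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ADDRESS_LEN:
        raise ValueError(f"v3 onion address must be {ADDRESS_LEN} chars, got {len(host)}")
    try:
        raw = base64.b32decode(host.upper())
    except Exception as exc:  # binascii.Error on non-base32 input
        raise ValueError("address is not valid base32") from exc
    pubkey, checksum, version = raw[:PUBKEY_LEN], raw[PUBKEY_LEN:PUBKEY_LEN + 2], raw[PUBKEY_LEN + 2]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unexpected version byte {version}")
    if checksum != _checksum(pubkey, version):
        raise ValueError("checksum mismatch: address is corrupt or mistyped")
    return pubkey


def is_valid_v3_onion(address: str) -> bool:
    """Boolean wrapper around decode_v3_onion for use in input validation."""
    try:
        decode_v3_onion(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key (NOT a real service key): 32 ascending bytes.
    sample_pubkey = bytes(range(32))
    addr = encode_v3_onion(sample_pubkey)
    print(addr, "->", len(addr) - len(".onion"), "chars, ends with", addr[55])
    print("round trip ok:", decode_v3_onion(addr) == sample_pubkey)
    # Altering a character inside the checksum region must be rejected.
    damaged = addr[:52] + ("a" if addr[52] != "a" else "b") + addr[53:]
    print("damaged address accepted:", is_valid_v3_onion(damaged))
```

Running the script prints a constructed 56-character hostname ending in 'd', confirms that the public key is recovered unchanged, and shows that a single altered character is rejected by the checksum.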
What type of TLS certificates are supported for onion domains?
The CAB Forum, recognized as the official regulator of certificate policies, has adopted ballot SC27v3, which permits Certification Authorities to issue certificates for the new V3 onion addresses.
Why would an Onion site need a TLS certificate?
While the onion service provides some of the same protections offered by an HTTPS connection, there are additional benefits a TLS certificate can offer, some of which are listed below:
This is a two-step process. First, enroll for a certificate order; during enrolment you include the onion domain and supply a CSR generated on the server where you plan to install the certificate. Second, after the order is submitted, you must prove control over each domain in the order. For each supplied non-onion domain, a DCV (Domain Control Validation) must be completed – see Supported DCV methods for all options.
How do I demonstrate control over my onion domain?
Demonstrating control over an onion domain requires a special procedure that differs from the standard DCV methods: a special Onion CSR must be signed on the Tor server. This CSR is separate from the one you submit when enrolling for the certificate, and it is generated with a special algorithm (ed25519) whose only purpose here is to prove control of the onion domain.