Tor: Difference between revisions

Created page with "'''Tor''' ('''The Onion Routing''') is a free and open-source overlay network and software stack that implements onion routing to anonymise low-latency TCP traffic, typically via the Tor Browser, by relaying it through a global network of volunteer-operated relays. It also disposes of its own set of services which use the .onion Special-Use Domain Name. It is developed and maintained by the non-profit Tor Project and is widely used for privacy protection.<ref nam..."
 
 
Line 21: Line 21:


== Governance Aspects ==
== Governance Aspects ==
Tor is not an IETF standards-track protocol and the <code>.onion</code> suffix is not operated under ICANN contracts. Governance is centred on the Tor Project as a non-profit organisation, with technical decisions made in interaction with a research and free-software community. Tor nonetheless raises Internet governance questions because it:
Tor is not an IETF standards-track protocol and the <code>.onion</code> suffix is not operated under ICANN contracts. Governance is steered by the Tor Project as a non-profit organisation, with technical decisions made in interaction with researchs and the free-software community. Tor raises Internet governance questions because it:


* constitutes a widely deployed alternative naming and routing system coexisting with the public DNS;
* Constitutes a widely deployed alternative naming and routing system coexisting with the public DNS;
* weakens the link between IP addresses, geography, and identity that many governance and enforcement processes rely upon;
* Weakens the link between IP addresses, geography, and identity that many governance and enforcement processes rely upon;
* affects the effectiveness of network-level policy tools such as DNS-based blocking and traffic logging.
* Affects the effectiveness of network-level policy tools such as DNS-based blocking and traffic logging.


=== Alternative Naming and the DNS ===
=== Alternative Naming and the DNS ===
Tor’s onion services rely on a naming system where hostnames ending in <code>.onion</code> are resolved by Tor’s rendezvous protocol rather than by DNS resolvers.<ref name="tor-intro" /><ref name="icann-darkweb" /> [[RFC 7686]] designates <code>.onion</code> as a [[Special-Use Domain Name]] and instructs DNS software not to send such queries into the public DNS, formalising Tor’s namespace while keeping it outside the ICANN-administered root zone.<ref name="rfc7686">[https://datatracker.ietf.org/doc/html/rfc7686 J. Appelbaum, A. Muffett, "The '.onion' Special-Use Domain Name", RFC 7686, IETF, October 2015.]</ref>
Tor’s onion services rely on a naming system where hostnames ending in <code>.onion</code> are resolved by Tor’s rendezvous protocol rather than by DNS resolvers.<ref name="tor-intro" /><ref name="icann-darkweb" /> [[RFC 7686]] designates <code>.onion</code> as a Special-Use Domain Name and instructs DNS software not to send such queries into the public DNS, formalising Tor’s namespace while keeping it outside the ICANN-administered root zone.<ref name="rfc7686">[https://datatracker.ietf.org/doc/html/rfc7686 J. Appelbaum, A. Muffett, "The '.onion' Special-Use Domain Name", RFC 7686, IETF, October 2015.]</ref>


ICANN’s Security and Stability Advisory Committee (SSAC) uses <code>.onion</code> as a canonical example of "other name resolution systems that also use domain names", where DNS syntax is reused but resolution follows a different protocol.<ref name="sac078">[https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee-ssac-reports/sac-078-16-02-2016-en.pdf ICANN SSAC, "SAC078: SSAC Advisory on Uses of the Shared Global Domain Name Space", 16 February 2016.]</ref> SAC078 notes that such systems "exist in the domain name space, but [...] use methods of resolution other than the DNS" and flags the need to understand their security and stability implications.<ref name="sac078" />
ICANN’s SSAC uses <code>.onion</code> as a canonical example of "other name resolution systems that also use domain names", where DNS syntax is reused but resolution follows a different protocol.<ref name="sac078">[https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee-ssac-reports/sac-078-16-02-2016-en.pdf ICANN SSAC, "SAC078: SSAC Advisory on Uses of the Shared Global Domain Name Space", 16 February 2016.]</ref> SAC078 notes that such systems "exist in the domain name space, but [...] use methods of resolution other than the DNS" and flags the need to understand their security and stability implications.<ref name="sac078" />


SAC123, on the evolution of Internet name resolution, explicitly describes Tor as an "alternative naming system" used by an application that bypasses administrator-controlled DNS settings: the Tor Browser uses Tor naming for <code>.onion</code> names while forwarding other names to the local DNS stack.<ref name="sac123">[https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee-ssac-reports/sac-123-15-12-2023-en.pdf ICANN SSAC, "SAC123: SSAC Report on the Evolution of Internet Name Resolution", 15 December 2023.]</ref> The report links this to broader trends in which:
SAC123, on the evolution of Internet name resolution, explicitly describes Tor as an "alternative naming system" used by an application that bypasses administrator-controlled DNS settings: the Tor Browser uses Tor naming for <code>.onion</code> names while forwarding other names to the local DNS stack.<ref name="sac123">[https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee-ssac-reports/sac-123-15-12-2023-en.pdf ICANN SSAC, "SAC123: SSAC Report on the Evolution of Internet Name Resolution", 15 December 2023.]</ref> The report links this to broader trends in which:


* applications embed their own name resolution logic;
* Applications embed their own name resolution logic;
* users are less aware of which naming system is being used; and
* Users are less aware of which naming system is being used; and
* the path from a human-readable identifier to a service becomes less predictable.<ref name="sac123" />
* The path from a human-readable identifier to a service becomes less predictable.<ref name="sac123" />


From an ICANN and IETF perspective, Tor therefore sits at the intersection of debates on special-use names, private-use TLDs, name collisions, and the long-term viability of a single, coherent naming system.
From an ICANN and IETF perspective, Tor therefore sits at the intersection of debates on special-use names, private-use TLDs, name collisions, and the long-term viability of a single, coherent naming system.
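Review bot: The revised Governance Aspects paragraph introduces a typo in "in interaction with researchs and the free-software community"; use "researchers" if the intent is to name people, or keep the earlier "a research and free-software community". The same hunk shortens "ICANN’s Security and Stability Advisory Committee (SSAC)" to "ICANN’s SSAC" and drops the [[Special-Use Domain Name]] wikilink, which leaves the acronym unexpanded where this section first uses it; keep the expansion and the link unless both already appear earlier on the page. The newly capitalised list items here still end in semicolons and complete the lead-in "because it:", so they should either stay lowercase or become full sentences.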
Line 43: Line 43:
Because Tor circuits obscure the association between user IP addresses and destinations, they complicate attribution models that assume an IP address reliably identifies an endpoint. Exit relays receive traffic from many users and are often operated by volunteers in different jurisdictions, creating operational challenges for:
Because Tor circuits obscure the association between user IP addresses and destinations, they complicate attribution models that assume an IP address reliably identifies an endpoint. Exit relays receive traffic from many users and are often operated by volunteers in different jurisdictions, creating operational challenges for:


* law-enforcement agencies, which must rely on investigative techniques other than simple IP logs;
* Law-enforcement agencies, which must rely on investigative techniques other than simple IP logs;
* service operators, who may treat Tor exit IPs as sources of abuse or probing and respond with blocking or CAPTCHAs;
* Service operators, who may treat Tor exit IPs as sources of abuse or probing and respond with blocking or CAPTCHAs;
* incident response teams, which must distinguish Tor-mediated traffic from direct connections.<ref name="domainsure" /><ref name="tor-wiki" />
* Incident response teams, which must distinguish Tor-mediated traffic from direct connections.<ref name="domainsure" /><ref name="tor-wiki" />


At the same time, Tor is explicitly used by journalists, NGOs, and ordinary users to evade censorship and surveillance, and is promoted by some public broadcasters and civil-society organisations as a recommended circumvention tool in heavily filtered environments.<ref name="tor-wiki" /><ref name="icann-darkweb" /> This dual use makes Tor central to policy debates about:
At the same time, Tor is explicitly used by journalists, NGOs, and ordinary users to evade censorship and surveillance, and is promoted by some public broadcasters and civil-society organisations as a recommended circumvention tool in heavily filtered environments.<ref name="tor-wiki" /><ref name="icann-darkweb" /> This dual use makes Tor central to policy debates about:


* whether and how network operators or states should attempt to block or discourage Tor usage;
* Whether and how network operators or states should attempt to block or discourage Tor usage;
* the proportionality and collateral damage of measures such as blocking public relays, DPI-based detection of Tor protocols, or legal pressure on relay operators;
* The proportionality and collateral damage of measures such as blocking public relays, DPI-based detection of Tor protocols, or legal pressure on relay operators;
* the responsibilities (if any) of the Tor Project and relay operators to respond to widespread criminal misuse, especially where national or international law is engaged.<ref name="guardian-2025" />
* The responsibilities (if any) of the Tor Project and relay operators to respond to widespread criminal misuse, especially where national or international law is engaged.<ref name="guardian-2025" />


=== Centralisation, Trust, and Infrastructure Role ===
=== Centralisation, Trust, and Infrastructure Role ===
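Review bot: Both lists in this hunk now start each item with a capital letter, but the items are still fragments that complete the lead-in ("creating operational challenges for:", "policy debates about:") and are still separated by semicolons, so the capital lands mid-sentence. Keep the lowercase items, or rewrite each item as a full sentence ending in a full stop and adjust the lead-in to match.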