Onionize your Workflow with the Onion Guide Fanzine

by gaba | March 27, 2021

At the Tor Project, we build technologies that allow anybody to access the Internet privately. We maintain the software that runs the Tor network as well as utilities and clients to use the network. We also collect anonymous data on the network that allows us to detect problems that may occur, and we connect with the users of the Tor network through training and feedback exercises that help to improve our tools.

In some places, the organizations and individuals we work with are at risk of persecution for the digital services they run. It could be reproductive rights services that are criminalized in some countries or content that is censored by an Internet provider or government. Or it could be that they need to protect their own users when accessing their content and find a way for their community to use Tor Browser for protection.
 
One way we help human rights defenders and organizations take back their right to privacy online is by helping them to use and set up onion services. Websites that are only accessible over Tor are called "onions" and end in the TLD .onion. For example, the DuckDuckGo onion is https://3g2upl4pq6kufc4m.onion. You can access these websites by using Tor Browser. The addresses must be shared with you by the website host, as onions are not indexed in search engines in the typical way that other websites are.
 
Last year, thanks to the support of Digital Defenders Partnership, we wrote a series of Onion Guides intended to make it easier for our partners to correctly and safely set up their own onion services. To create these Onion Guides, we collected and improved existing disparate information about the benefits of onion services and how to set them up for a website. 
 
During the last activity of this project, we ran a survey between December 2020 and January 2021. The participants were partner organizations and individuals who were known to use onion services and had received training from Tor in the past. All questions asked were related to the Onion Guides and onion services. Five people responded to this survey.

“[Tor] offers the possibility for those of us who do work for social transformation to access the Internet safely, without exposing ourselves or exposing our processes, but also, it is a tool that is there and can be even more accessible to different people in different territories.” - Survey response.

When asked if they could define onion services, all participants in this study gave different answers. Some related them to specific services, like OnionShare and SecureDrop; others associated onion services with a service without metadata; only two participants answered that it is a service that can only be accessed over the Tor network.
 
When asked if onion services respond to the threats they or their organizations face, most participants answered YES. One of the participants answered NO. The same was true for the question asking whether they feel safer using onion services.
 
When asked to define the best benefit of using onion services, most participants answered (a) anonymity; followed by (b) accessing digital security guides and tools; other mentions were: (c) sharing and storing documents and sensitive information; and (d) NAT punching.
 
When asked if they would recommend onion services to anyone, all survey participants answered YES, because of safety.
 
You can find the Onion Guide in our community portal, as well as the section on Onion Services, in English, Spanish and Portuguese. Feel free to use it to set up your own .onion site, and let us know how it works for you.

Comments

Please note that the comment area below has been archived.

March 09, 2021


The fanzine recommends OnionShare and Ricochet Refresh. Neither has been audited. OnionShare's chat implementation is in fact completely new. If Tor Project recommends it, Tor Project should at least warn people. Otherwise, do a thorough review rather than a recommendation.

The fanzine and community documents for onion services would also do well to mention 1) vanity domain generators for v3 onion addresses, 2) OnionBalance, and 3) possibly EOTK. Newbies from the clearnet are used to memorable domain names. Larger sites demand load balancers. These are important for convincing web and network administrators to set up an onion service.

Read:
https://blog.torproject.org/search/node?keys=vanity
https://blog.torproject.org/search/node?keys=OnionBalance

> Five people responded
> When asked if onion services respond to the threats they or their organizations face, one of the participants answered NO. Same for the question asking if you feel safer using onion services.

I'm curious what that one's reasons were.

> The fanzine recommends OnionShare and Ricochet Refresh. Neither has been audited. OnionShare's chat implementation is in fact completely new. If Tor Project recommends it, Tor Project should at least warn people. Otherwise, do a thorough review rather than a recommendation.

You raise an important point. I was not aware that OnionShare has not been audited, which is troubling because I constantly recommend it. I agree that security audits for key privacy products are essential, but I also acknowledge that these are time-consuming and expensive.

Tor Project has had good success with asking for donations specifically for the Bug Squash campaign, which, as all agree, is critically important but also deeply unglamorous. I wonder how other users would respond to a similar campaign calling for donations specifically intended to audit things often used with Tor, such as OnionShare.

March 28, 2021


If you start promoting onions as a next generation to TLS, CA, DNS, etc. infrastructure, your message will be much more understandable by the broad audience.

March 28, 2021


Ransomware attacks on healthcare sites are one of the most dangerous threats facing ordinary citizens everywhere (even ones who do not spend much time online). And one major way intrusions into healthcare networks happen is when HIPAA entities try to share information about many or sometimes just one patient. Even before the most recent horrors involving munged sftp type transfers, I have urged the US Congress to recommend OnionShare for small transfers, e.g. patient sends own test results to a new provider, but USG has been happy to say nothing about the fact that the standard way of transferring PHI files is unencrypted fax machine. Outrageous!

Similarly for other lockdown-enforced activities such as sharing a file with a local government agency, social services agency, political campaign, etc.

I hope Tor Project, EFF, Micah Lee, etc. can join me in asking Congress to fund federal programs to expand the Tor network in order to handle a large increase in onion traffic.

March 28, 2021


Speaking of SecureDrop, it would be wonderful if Tor Project had one. Actually you probably do, but it seems to be a secret if so.

Do you mean to deliver documents to the Tor Project? I've no idea, but would be surprised if they do, given its extensive procedures ( https://docs.securedrop.org/en/stable/journalist.html ) would seem overkill for the needs of opensource security devs, so less heavyweight alternatives probably suffice. Obviously they provide a GPG key for secure-email to tor-security list, and of course ProtonMail or similar (perhaps RiseUp) via TOR give opportunity for security and anonymity to discuss stuff, including maybe some kind of special delivery (perhaps via other https://community.torproject.org/onion-services/ Tools like OnionShare or GlobalLeaks, or similar). Best wishes anyway

Do you mean to deliver documents to the Tor Project? I've no idea, but would be surprised if they do, given its extensive procedures ( https://docs.securedrop.org/en/stable/journalist.html ) would seem overkill for the needs of opensource security devs, so less heavyweight alternatives probably suffice. Obviously they provide a GPG key for secure-email to tor-security list, and of course ProtonMail or similar (perhaps RiseUp) via TOR give opportunity for security and anonymity to discuss stuff, including maybe some kind of special delivery (perhaps via SecureDrop or other https://community.torproject.org/onion-services/ Tools like OnionShare or GlobalLeaks, or similar). Best wishes anyways, and thanks again to the Tor Project team/volunteers for all they manage to do

SecureDrop is for file sharing. It's designed for whistleblowers and tries to protect the anonymity of the whistleblower. Tor Project makes software. It has PGP keys and the Anonymous Ticketing Portal for reporting bugs. SecureDrop is for a different situation.

https://www.torproject.org/contact/
https://www.torproject.org/about/people/
https://blog.torproject.org/anonymous-gitlab

March 28, 2021


It's very irresponsible that this post introducing the concept of onions would give a V2 address as its primary "for example" this late into the sunset of V2. Posts like this should be aiming to IMPROVE public understanding of onions, not be introducing obsolete legacy confusions to newcomers. If V2 is being phased out then STOP promoting it to people - months ago!

There are quite a few privacy projects and protocols where upgrading to v3 onions is non-trivial. Especially those mired in the Python2 Obsolescence, with nowhere to go.

Bitmessage (BM) variants (especially those forked from early, reliable codebases) are one such functional example. In some respects it matters little that the v3 standard is an improvement.

It is going to be damaging when they stop working, or simply become vulnerable to downgrade attacks as the limited number of published onion servers goes to zero when it's no longer supported over the tor network at all.

April 02, 2021


> If you start promoting onions as a next generation to TLS, CA, DNS, etc. infrastructure, your message will be much more understandable by the broad audience.

That sounds good to me, but I doubt I have the technical knowledge to really understand how onions compare to the decades old TLS, CAs, DNS infrastructure.

What I think I understand (someone please correct me if I am wrong) is that

o Surfing to onions (via Tor Browser) runs right around the deeply insecure DNS infrastructure, which in itself would appear to greatly improve privacy and cybersecurity protections.

o The new way of obtaining certs for onions could possibly (yes?) obstruct governments which coerce a CA into creating genuine certificates their "security services" can abuse to punt malware disguised as a "security upgrade" to journalists, dissidents, whistle-blowers, human rights researchers, offshoring researchers, environmental defenders, activists, opposition politicians, and other people all governments/elites dislike.

o Many of the most horrific data-breaches occur when two (civilian) agencies of the same government try to overcome software incompatibilities with some jury-rigged unsafe file transfer operation when they try to share massive amounts of sensitive data (e.g. COVID-19 vaccination status). But small scale breaches (especially of personal health data) may be just as harmful to the victim. Onions (via OnionShare and Tor Browser) are not yet capable of coping with large scale file transfers, but appear to be ideally suited for private and secure one-to-one transfer of sensitive files between lawyer and client, doctor and patient, two small medical clinics. If so, onions (and Tor Browser and OnionShare) could at one stroke help people managing transfers of sensitive information protect themselves and their clients/patients.

April 04, 2021


9 months ago you said (please action given v2 deprecation timeline):

> Can you please post the correct v3 addresses for all Tor Project onions?

The Tor Project will very very soon have most of its services on v3 addresses. The missing up to date packages for Onion Balance (with v3 support) in Debian have been uploaded and we'll soon deploy it.

April 04, 2021


I've been using Tor for a little while now and really like it. I'm still new to the .onion services and only know a few sites. So I'm interested in learning more. I believe privacy is a big concern, especially for journalists across the world, as in the case of Myanmar and the Middle East. I've been to Thailand and hear they are having some troubles right now.