Onion services are websites or applications that users can only access through the Tor network. Formerly known as "hidden services," they provide a way for both the operator and the visitor to remain anonymous while ensuring all traffic is end-to-end encrypted.
What are Onion Services?
Onion services are a specialized part of the web that sit within the Tor anonymity network. Unlike standard websites, their IP addresses and physical locations are hidden, which makes them difficult to censor or track.
Users access these sites via the Tor Browser. When a site is an onion service, the URL bar displays a specific onion icon to indicate a secure connection. Some websites use a feature called Onion-Location to advertise their onion counterpart via [a non-standard HTTP header] (Tor Project Support).
Why Onion Services matter
Implementing an onion service provides several security and structural advantages over the standard web:
- Censorship resistance: Because IP addresses are hidden, it is difficult for adversaries to identify the hosting location or block the service.
- Automatic encryption: All traffic between the user and the service is end-to-end encrypted, so a separate HTTPS certificate is not strictly required.
- Domain cost savings: Addresses are cryptographically generated, meaning [operators do not need to purchase a domain name] (Tor Project Support).
- Authentication: Operators can require a private key or token before a user can access the site, providing a built-in layer of client authorization.
How Onion Services work
Onion services do not use traditional DNS. Instead, they rely on a specific address format and protocol within the Tor network.
- Address Generation: The network automatically generates an address based on public keys.
- V3 Format: Modern onion addresses [consist of 56 letters and numbers followed by .onion] (Tor Project Support).
- Circuit Connection: When a user enters a .onion URL, the Tor Browser establishes a circuit through multiple nodes to reach the service without revealing either party's identity.
- Verification: The cryptography involved ensures the browser connects to the correct location and that no third party is tampering with the connection.
Best practices
Follow these guidelines to ensure the security and accessibility of an onion service:
- Migrate to V3: Ensure you are using the V3 address format. The [shorter 16-character V2 format no longer works] (Tor Project Support) on today’s network.
- Enable Onion-Location: Configure your standard web server to send the Onion-Location header so Tor Browser users see a "purple suggestion pill" to switch to the onion site.
- Secure your backend: Hosting an onion service makes the site more secure, but the underlying application still requires standard security patches.
- Test connectivity: Regularly check your service using a clean Tor Browser instance to ensure it is not returning network errors.
Common mistakes
Mistake: Using an old V2 address. Fix: Generate a new 56-character V3 address, as V2 is deprecated.
Mistake: Typing the address incorrectly. Fix: Double-check every character; even a single error prevents the Tor Browser from finding the site.
Mistake: Ignoring specific error codes. Fix: Use the Tor Browser error titles (like 0xF0 or 0xF6) to diagnose if the site is offline or if the address is invalid. For example, [error code 0xF0 usually means the onionsite is offline] (Tor Project Support).
Mistake: Assuming HTTPS is always required. Fix: While onion services provide encryption, you can still use HTTPS with CA-issued or self-signed certificates for additional identity verification.
Examples
Many major organizations and tools utilize onion services to ensure global access and user privacy:
- News Outlets: BBC News, The Guardian, Deutsche Welle, and ProPublica all maintain onion mirrors to circumvent regional censorship.
- Social and Community Platforms: Facebook and Reddit provide onion addresses to allow users to connect privately.
- Whistleblowing Tools: SecureDrop and GlobaLeaks are software platforms that journalists use to receive documents securely via onion services.
- Search Engines: DuckDuckGo and Brave Search offer onion services for private web searching.
FAQ
How do I access an onion service?
You must use the Tor Browser. You enter the .onion address, which is 56 characters long, into the address bar. Standard browsers like Chrome or Safari cannot resolve .onion addresses without specialized configuration.
Do I need to buy a domain for an onion site?
No. Onion addresses are generated automatically through cryptography. You do not need to register with a domain registrar or pay annual fees for the .onion address itself.
Is an onion service more secure than HTTPS?
Onion services provide all the security of HTTPS with the added benefit of Tor's privacy. They hide the IP address of both the server and the user. However, if your onion site loads scripts from insecure clearnet URLs, the Tor Browser will show a warning icon (an onion with a red slash).
What happens if I get an "Onionsite Not Found" error?
The code 0xF0 indicates the site is likely offline. You should contact the administrator or try again later. If you see code 0xF6, it means the address you entered is invalid.
Can I turn any existing website into an onion site?
Yes. There is a toolkit called [OnionSpray] (Tor Project Community) that allows you to "onionize" an existing website by hosting it as an onionsite.