I briefly mentioned .onion URLs in my article about Tor. These anonymous sites, officially called hidden services, are sometimes called the darknet. It sounds like the realm of only the most talented hackers, but most web developers could set up their own site with ease.
I ran one in my Chicago apartment for a couple of months.
How does a site on Tor help readers?
The Tor web browser keeps your web browsing anonymous by bouncing your signal through multiple computers on the way to its destination.
When you visit a site on the public-web, your request leaves the Tor network via an exit node, which may be monitored. Sites with .onion URLs are hosted inside Tor’s network, so requests to the site never go public / unencrypted. As always, you need to be careful what you share (for example, don’t send your real name or mailing address unless you trust someone).
How does a site on Tor help publishers?
Just as the Tor browser protects readers on the web, it also protects writers. Hosting a site on Tor allows you to write blogs or host services anonymously, without fear of being tracked, blocked, or censored online.
If a site’s publishers are arrested and searched, even they cannot reveal who their users are, because users arrive over Tor. This builds trust in difficult environments.
The darknet is best known for illegal markets such as the Silk Road, but has had success stories in recent years:
- WikiLeaks retreated to the darknet after their .org domain was revoked under US government pressure
- SecureDrop is used by several news organizations to receive information from anonymous sources
- Facebook, DuckDuckGo, and ProPublica are now on Tor
What steps do I take to get started?
If you know how to serve a website from localhost (your own computer), then you can serve a darknet site. If you don’t know, no worries… but you do need to read up on that first.
If you downloaded Tor Browser Bundle earlier, you can activate web hosting right away in a dropdown: https://www.torproject.org/docs/tor-hidden-service.html.en Start your localhost server, and make sure its port is selected in Tor Browser’s settings. A randomized .onion address will be generated.
You can verify that the site is online by entering your .onion URL into Tor Browser, or using a regular web browser on the Tor2Web portal.
If you use Tor on any campus, corporate, cloud, or otherwise monitored network, your traffic can be noticed. If your website became popular, it would be difficult for you to run the site on a laptop or home internet connection. This puts you in an intentionally uncomfortable area, because companies that host darknet sites get a lot of police visits. You might need to host the site at home, find a trustworthy institution (such as a newspaper or university), or shop around for server hosting payable in Bitcoin.
Can someone see my site without Tor?
Tor2Web is a portal for people to see what’s on Tor without browsing it themselves. Publishers are still protected inside the Tor network, but readers are sending data over the public web, trusting Tor2Web, and accepting all of the issues which come with that.
Why is my .onion URL so weird? Can I get another one?
An .onion URL’s random letters and numbers are a shorthand for the key which your computer uses to claim your site. Where the public-web has official registries for .com and .org, Tor uses these keys to preserve a decentralized system, which unfortunately makes URLs more cryptic.
Protect your key, and only delete it if you decide to start over with a new URL.
Popular sites on Tor use Shallot or similar tools to try keys until the resulting URL matches a pattern (for example, beginning with your website name). The more customization that you have, the longer it will take to find a match. The computer that generated ProPublica’s propub3r6espa33w.onion URL in 30 minutes would take years to find a URL starting with propublica.
Facebook’s https://facebookcorewwwi.onion is notable for two reasons:
- It was the first, or one of the first on Tor, to have HTTPS. Nearly every other .onion URL uses HTTP and relies on Tor’s own encryption / key validation.
- The long, meaningful URL hinted that Facebook either used massive computing power, or broke Tor’s key-to-URL system in some way. Facebook engineers have maintained that they generated URLs starting with ‘facebook’ and were lucky about the remainder.
Do smart people trust Tor sites?
Don’t people go to jail for running darknet sites?
I encourage you to look up how Ross Ulbricht was convicted for running the Silk Road market. He was noticed not because he was using Tor, but for suspicious activity online and in public: sharing source code on StackOverflow, Googling Silk Road URLs, receiving a box of counterfeit passports, and ultimately logging into Silk Road at the library. Even this evidence took years for teams to put together. The average darknet blog wouldn’t get a fraction of this scrutiny.
Less cautious admins have been noticed for using Tor at home, downloading spyware, or for buying a Tesla with Bitcoin. Don’t be that guy.
The best tool out there for testing that your darknet site doesn’t reveal your location is OnionScan.
And that’s why you should use Tor hosting
The main Tor Project guide: https://www.torproject.org/docs/tor-hidden-service.html.en
disclosure — I contributed code to an earlier version of OnionScan