Next-Generation Tor Onion Services Will Be More Anonymous, Secure

The Tor Project, the group behind the Tor anonymity network and the corresponding Firefox ESR-based Tor browser, announced that Tor-native “onion” services will soon become more anonymous and secure.

What Is An Onion Service?

An onion service is essentially a website or online service that uses a “.onion” domain name you can only access only through the Tor browser instead of using a more common Top Level Domain such as .com.

According to the Tor Project, onion services can serve the following purposes:

news organizations use them for private information disclosure (see SecureDrop)websites use them to defeat censorship and provide a secure gateway for their users (e.g. ProPublica)the cryptocurrency ecosystem uses them to perform private transactions and miningpeople use them for their reachability and permanent onion address if they are behind NAT or dynamic IP

Facebook, as well as The New York Times, have set-up their own onion services to make it easier for their users to avoid censorship in certain countries, or simply to offer an enhanced level of privacy. Of course, when you do use the Tor network, whether it’s to visit a random website or Facebook, it’s implied that you wouldn’t use your personal information on those websites, otherwise you give-up whatever anonymity benefits you may have gained from using the Tor browser.

New Onion Technology

Although onion services are supposed to be anonymous, the Tor Project team has always said that the technology making onion services “anonymous” was not quite as good as the technology making Tor users anonymous when visiting websites via the Tor browser. In other words, Tor web surfers have benefited from a higher degree of anonymity than onion service operators.

The Tor team has been working on the new onion technology for the past four years, which aims to increase the anonymity level for onion services. In the legacy onion system the network itself could be leveraged to learn about the onion addresses that were using it.

With the new onion system, the onion services are completely private. Only you, the owner of the onion, and those to whom you will disclose the address, will know about your onion service’ address. Nobody outside of their tight private groups could discover certain onion addresses, unless one of the group members disclosed it to others.

Websites such as Facebook, ProPublica, and The New York Times will likely want their address to be known to the whole public, so this benefit will not apply to them.

To make onion addresses less easy to find on the network, their address length is now much larger and they look like this:7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion.

The new onion system includes improved cryptography and other features, too, such as:

a) Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)b) Improved directory protocol, leaking much less information to directory servers.c) Improved directory protocol, with smaller surface for targeted attacks.d) Better onion address security against impersonation.e) More extensible introduction/rendezvous protocol.f) A cleaner and more modular codebase.

More Features To Come

The Tor Project group intends to add new features in the future, including: offline service keys, advanced client authorization, a control port interface, improved guard algorithms, secure naming systems, statistics, mixed-latency routing, and potentially blockchain support and AI logic. However, the team said they first still need to test the new onion system and build the new features slowly over time.

Presumably, because the Tor Project is a nonprofit, development of new features is also a function of how much money is being donated to the project. The organization recently announced a collaboration with Mozilla, in which Mozilla promises to match individual donations up to $500,000 in total.

The Tor team said that they don’t plan on killing support for the legacy onion system version 2.0 just yet, and that it will remain the default for the next few years. How long exactly it will be supported depends on how fast onion services switch to the new version 3.0 of the onion system. Users who want to try available v3 onion services can download the latest alpha-stage Tor browser release.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.