Commit 5d08c4a0 authored by Pili Guerra

Onion Services section

parent 9b86f72d
section: onion services
section_id: onion-services
color: primary
_template: layout.html
title: How do .onion Services work?
subtitle: Learn how .onion services work.
key: 0
html: two-columns-page.html
Onion services are services that can only be accessed over Tor. Running an onion service gives your users all the security of HTTPS with the added privacy benefits of Tor Browser.
## Why onion services?
Onion services offer various security benefits to their users, that are not usually given on the normal web. In particular:
### Location hiding
An onion service's IP is hidden. Onion services are an overlay network on top of TCP/IP/, so in some sense IP addresses are not even meaningful to onion services: they are not even used in the protocol.
### End-to-end authentication
When a user visits a particular onion, they know that the content they are seeing can only come from that particular onion and that no impersonation is possible. This is not the case with the normal web, where reaching a website does not mean that a man-in-the-middle did not reroute to some other location (e.g. DNS attacks).
### End-to-end encryption
Onion service traffic is encrypted from the client to the onion host. This is like getting strong SSL/HTTPS for free.
### NAT punching
Is your network filtered and you can't open ports on your firewall? This could happen if you are in a university campus, an office, an airport or pretty much anywhere. Onion services don't need open ports because they punch through NAT, since they only establish outgoing connections.
## The Onion Service Protocol: Overview
Now the question becomes **what kind of protocol do we need to achieve all these properties?** In particular, on the normal web, we connect to an IP address and we are done, but in this case how do we connect to something that does not have an IP address?
In particular, an onion service's address looks like this: `vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion`
This looks weird and random because in reality it's the _identity public key_ of the onion service and that's one of the reasons we can achieve the security properties from above.
The general concept behind the onion service protocol is that we use the Tor network so that the client (Alice) can introduce itself to the service (Bob), and then sets up a rendezvous with the service. Here is a detailed breakdown of how this happens:
### Act 1: Where the onion service sets up its introduction points
![Onion Services: Step 1](/static/images/onion-services/tor-onion-services-1.png)
As the first step in the protocol, Bob (the onion service) contacts a bunch of Tor relays and asks them to act as his _introduction points_, by establishing long-term circuits to them. These circuits are anonymized circuits, so Bob does not reveal his locations to his introduction points.
As part of this step, Bob gives its introduction point a special "authentication key", so that if any clients come for introductions later the introduction point can use that key to match them to Bob.
### Act 2: Where the onion service publishes its descriptors
![Onion Services: Step 2](/static/images/onion-services/tor-onion-services-2.png)
Now that the introduction points are setup, we need to create a way for clients to be able to find them.
For this reason, Bob assembles an _onion service descriptor_, containing a list of his introduction points (and their "authentication keys"), and signs this descriptor with his _identity private key_. The _identity private key_ used here is the private part of the **public key that is encoded in the onion service address**.
Now, Bob uploads that signed descriptor to a _distributed hash table_ which is part of the Tor network, so that clients can also get it. Bob uses an anonymized Tor circuit to do this upload, so that he does not reveal his location.
### Act 3: Where a client wants to visit the onion service
All the previous steps were just setup for the onion service so that it's reachable by clients. Now let's fast-forward to the point where an actual client wants to visit the service:
![Onion Services: Step 3](/static/images/onion-services/tor-onion-services-3.png)
In this case, Alice (the client) has the onion address of Bob and she wants to visit it, so she connects to it with her Tor Browser. Now the next thing that needs to happen is that Alice goes to the _distributed hash table_ from the step above, and ask for the signed descriptor of Bob.
When Alice receives the signed descriptor she verifies the signature of the descriptor using the public key that is encoded in the onion address. This provides the _end-to-end authentication_ security property, since we are now sure that this descriptor could only be produced by Bob and no one else. And inside the descriptor there are the introduction points which allow Alice to introduce herself to Bob.
### Act 4: Where the client establishes a rendezvous point
Now before the introduction takes place, Alice picks a Tor relay and establishes a circuit to it. Alice asks the relay to become her _rendezvous point_ and gives it an "one-time secret" that will be used as part of the rendezvous procedure.
### Act 5: Where the client introduces itself to the onion service
![Onion Services: Step 4](/static/images/onion-services/tor-onion-services-4.png)
Now, Alice goes ahead and connects to one of Bob's introduction points and introduces herself to Bob. Through this introduction Bob learns Alice's choice of rendezvous point and the "one-time secret".
### Act 6: Where the onion service rendezvous with the client
![Onion Services: Step 5](/static/images/onion-services/tor-onion-services-5.png)
In this last act, the onion service is now aware of Alice's rendezvous point. The onion service connects to the rendezvous point (through an anonymized circuit) and sends the "one-time secret" to it.
Upon the rendezvous point receiving the "one-time secret" from Bob, it informs Alice that the connection has been **successfuly completed**, and now Alice and Bob can use this circuit to communicate with each other. The rendezvous point simply relays (end-to-end encrypted) messages from client to service and vice versa.
In general, the complete connection between client and onion service consists of 6 relays: 3 of them were picked by the client with the third being the rendezvous point and the other 3 were picked by the onion service. This provides _location hiding_ to this connection:
![Onion Services: Step 6](/static/images/onion-services/tor-onion-services-6.png)
## Further resources
This was just a high-level overview of the Tor onion services protocol. Here are some more resources for the curious who want to learn more:
- The original Tor design paper describing the original design:
- The Tor v3 onion services protocol specification.
- Presentations about onion services
\ No newline at end of file
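Review bot: the three entries under `## Further resources` carry no links: `- The original Tor design paper describing the original design:` stops at the colon, and the v3 specification and presentations items have no URL at all, so the section written "for the curious who want to learn more" gives the reader nothing to follow; add the targets before merging. In `### End-to-end authentication`, "no impersonation is possible" is stated unconditionally, but it holds only while the user holds the correct onion address and the service's identity private key stays private; the setup guide in this same commit says outright that a leaked key lets other people impersonate the service, so a short qualifier here would keep the two pages consistent. Small fixes while here: `TCP/IP/` has a stray trailing slash, "Bob gives its introduction point" should read "his", "and ask for the signed descriptor" should be "asks", `an "one-time secret"` should be "a", and "successfuly" is misspelled. Also confirm that both `_template: layout.html` and `html: two-columns-page.html` are meant to stay in the front matter, since the other content files in this commit swap a single `html:` value rather than keeping two template selectors.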
......@@ -14,6 +14,61 @@ subtitle: Learn how to set up a .onion of your very own.
key: 1
html: onion-services.html
cta: Get Started
html: two-columns-page.html
This guide will go over setting up an onion service for your website:
## Step 0: Get a working Tor
As part of this guide we will assume you have a functional Tor in your machine. Tor should be up and running correctly for this guide to work. You should also know where Tor's configuration files are.
To setup Tor, Windows users can follow the [Windows howto](, OS X users should follow the [OS X howto](, and Linux/BSD/Unix users should follow the [Unix howto](
## Step 1: Get a web server working
As a first step you should setup a web server locally, like nginx or lighttpd. Setting up a web server can be complex. We're not going to cover how to set up a web server here. If you get stuck or want to do more, find a friend who can help you. We recommend you install a new separate web server for your onion service.
You need to configure your web server so it doesn't give away any information about you, your computer, or your location. This is not an easy task and in the end of this document we will offer more resources on how to make this possible.
Once your web server is set up, make sure it works: open your browser and go to http://localhost:8080/, where 8080 is the webserver port you chose during setup (you can choose any port, 8080 is just an example). Then try putting a file in the main html directory, and make sure it shows up when you access the site.
## Step 2: Configure your Tor onion service
The next step is opening the config file of Tor (torrc) and doing the appropriate configurations to setup an onion service. Depending on your operating system and setup, your Tor configuration file can be at a different location or look different. You will need to put the following two lines in your torrc:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80
The `HiddenServiceDir` line specifies the directory which should contain information and cryptographic keys for your onion service. You will want to change the `HiddenServiceDir` line, so that it points to an actual directory that is readable/writeable by the user that will be running Tor.
The `HiddenServicePort` line specifies a _virtual port_ (that is, the port that people visiting your onion service will be using), and in the above case it says that any traffic incoming to port 80 of your onion service should be redirected to `` (which is where the web server from step 1 is listening).
## Step 3: Restart Tor and check that it worked
Now save your `torrc` and restart Tor.
If Tor starts up again, great. Otherwise, something is wrong. First look at your logfiles for hints. It will print some warnings or error messages. That should give you an idea what went wrong. Typically there are typos in the torrc or wrong directory permissions (See the logging FAQ entry if you don't know how to enable or find your log file.)
When Tor starts, it will automatically create the `HiddenServiceDir` that you specified (if necessary). Make sure this is the case.
## Step 4: Test that your onion service works
Now to get your onion service address, go to your `HiddenServiceDir` directory, and find a file named `hostname`. The `hostname` file in your hidden service configuration directory contains the hostname for your new Onion v3 hidden service. The other files are your hidden service keys, so it is imperative that these are kept private. If your keys leak, other people can impersonate your hidden service, deeming it compromised, useless and dangerous to visit.
Now you can connect to your onion service using the Tor Browser and you should get the html page you setup back in step 1. If it doesn't work, look in your logs for some hints, and keep playing with it until it works.
## Step 5: More advanced tips
The above guide is just a baseline to setup an onion service. In this section we will offer more resources to better configure and protect your onion service:
- Best practices for onion services
- More advanced tips for onion services
- Advanced onion service security
\ No newline at end of file
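Review bot: the torrc snippet in Step 2 does not match its own explanation: `HiddenServicePort 80` names no target, while the text says traffic to port 80 "should be redirected to" the Step 1 web server, which the guide itself tests at http://localhost:8080/, and the inline target after "redirected to" is an empty pair of backticks; write the line with both the virtual port and the localhost:port target the text intends, and fill in the inline value. Step 1 tells readers to configure the web server so it gives nothing away, but never states the one setting that most directly protects the location-hiding property described in the overview: the web server should listen only on localhost (the address Tor forwards to), because a server also bound to a public interface is reachable directly and its content can be correlated with the real IP. The three links in Step 0 (`[Windows howto](`, `[OS X howto](`, `[Unix howto](`) have no URL and no closing parenthesis as shown here, and "See the logging FAQ entry" in Step 3 has no link either. Terminology drifts between "onion service" and "hidden service" inside Step 4 ("your new Onion v3 hidden service") while the overview page uses "onion service" throughout; pick one. Finally, the front matter shows both `html: onion-services.html` and `html: two-columns-page.html`; confirm the old value is removed rather than duplicated.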
......@@ -14,6 +14,8 @@ subtitle: Add more security and authenticity for your .onion.
key: 2
html: onion-services.html
html: two-columns-page.html
Coming soon
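Review bot: the body of this page is the single word `Coming soon` while its subtitle promises "Add more security and authenticity for your .onion.", so the card the template generates for `key: 2` will send readers to a placeholder; either hide the page until it has content or exclude it from the card loop. As in the other content files, both `html: onion-services.html` and `html: two-columns-page.html` appear here; confirm only the new value remains.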
<div class="container py-5">
<div class="row py-5">
<div class="col-lg-7">
<div class="col-8">
{{ this.body }}
<div class="col-lg-5">
<img src="/static/images/home/png/{{ this.section_id }}.png" class="img-fluid" alt="{{ _(this.section) }}" />
<div class="col-4 bg-light">
<div class="illo-container">
<img src="/static/images/home/png/{{ this.section_id }}.png" class="img-fluid" alt="{{ this.section }}" />
<h2 class="text-primary"><u>{{ _('Learn more about onion services here') }}
<a href="{{ this.path|url }}overview/"><h2 class="text-primary"><u>{{ _('Learn more about onion services here') }}
<i class="fas fa-arrow-right"></i></u>
<div class="row py-5">
{% for child in this.children|sort(attribute='key') %}
{% if child.key != '0' %}
<div class="col-sm-6 col-md-6 col-sm-12 col-xl-6 py-4">
<div class="card h-100 border-0">
<div class="card-body">
<h2 class="text-primary display-2"><i class="fas fa-{{ child.image }}"></i></h2>
<h4 class="card-title text-primary">{{ child.title }}</h4>
<p class="card-text">{{ child.subtitle }}</p>
<a href="{{ this.path }}">Call to action <i class="fas fa-arrow-right"></i></a>
<a href="{{ child.path|url }}">{{ child.cta }} <i class="fas fa-arrow-right"></i></a>
{% endif %}
{% endfor %}
<div class="row py-5 text-center mx-auto">
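Review bot: the child filter `{% if child.key != '0' %}` compares against the string `'0'`, while the content files in this commit set `key: 0`, `key: 1`, `key: 2` unquoted; if the `key` field is numeric in the model, the comparison is always true and the overview page (key 0) gets its own card, and if it is a string, `sort(attribute='key')` sorts lexically. Confirm the field type and compare against the same type. The two `<img>` lines differ only in `alt="{{ _(this.section) }}"` versus `alt="{{ this.section }}"`; keep the translated form so the alt text is not the one untranslated string on the page. The column classes `col-sm-6 col-md-6 col-sm-12 col-xl-6` set `col-sm-` twice with conflicting widths; drop one. The card link moves from the hardcoded `Call to action` to `{{ child.cta }}`, but the `Coming soon` page in this commit shows no `cta:` field in its hunk, so check that its card does not render an empty link label.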
......@@ -32,14 +36,15 @@
<div class="row mx-auto">
<div class="col-6">
<a href="">
<h3 class="text-primary text-center mx-auto"><u>{{ _('Learn more') }}
<i class="fas fa-arrow-right"></i></u>
<div class="col-6">
<h3 class="text-primary text-center mx-auto"><u>{{ _('Check out the code') }}
<a href=""><h3 class="text-primary text-center mx-auto"><u>{{ _('Check out the code') }}
<i class="fas fa-arrow-right"></i></u>
\ No newline at end of file
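Review bot: both anchors in this hunk have empty targets as shown here, `<a href="">` above the "Learn more" heading and `<a href=""><h3 ...>` around "Check out the code", so the two calls to action at the bottom of the page go nowhere; set real URLs (or a `{{ ...|url }}` expression, as the other links in this template do) before merging.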