What Are Onion Services?
Onion services (formerly called hidden services) are websites and services that are only accessible through the Tor network. They provide anonymity to both the user AND the server operator—neither knows the others IP address.
Onion Address Format (v3)
xyzabcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvw.onion
Version 3 onion addresses are 56 characters long and derived from the services Ed25519 public key.
How They Work
onion-service@connection:~
Step 1: Server Setup
- Server selects Introduction Points (IPs)
- Publishes descriptor to Distributed Hash Table (DHT)
Step 2: Client Lookup
- Client downloads descriptor from DHT
- Creates circuit to a Rendezvous Point (RP)
Step 3: Connection
- Client contacts server via Introduction Point
- Both meet at Rendezvous Point
- 6-hop circuit: Client → RP ← Server
Result: Neither knows the others real location
- Server selects Introduction Points (IPs)
- Publishes descriptor to Distributed Hash Table (DHT)
Step 2: Client Lookup
- Client downloads descriptor from DHT
- Creates circuit to a Rendezvous Point (RP)
Step 3: Connection
- Client contacts server via Introduction Point
- Both meet at Rendezvous Point
- 6-hop circuit: Client → RP ← Server
Result: Neither knows the others real location
Version 2 vs Version 3
Version 2 (Deprecated)
16-character addresses using SHA-1 and RSA-1024. Officially deprecated in 2021 due to cryptographic weaknesses.
Version 3 (Current)
56-character addresses using Ed25519 and SHA-3. Much stronger cryptography. All new services use v3.
Legitimate Uses
- News Organizations: NYT, BBC, The Guardian all operate onion services for sources
- Privacy Tools: ProtonMail, DuckDuckGo offer onion access
- Whistleblowing: SecureDrop instances worldwide
- Censorship Circumvention: Facebook, Twitter operate onions for blocked countries