Behind the Scenes of Onion Services

Category: Web Security Readings - Last Updated: Fri, 22 Mar 2019 - by Ziyahan Albeniz

In this article, we discuss how the domain name of the services in the Tor network are set and what security risks they may pose. We examine a study from Princeton University concerned with the habits of Tor users in order to determine the potential impacts of security risks.

Behind the Scenes of Onion Services

Onion Services allows users to host their websites over Tor without the necessity of external third party domain and hosting services. Onion Services can also be used by those who want to connect their applications behind a NAT firewall to the internet without exposing them directly to chat applications and SSH services.

What is Tor?

In 2003, The Onion Router (Tor) started out as a browser extension called Tor Button, that ensured the privacy of the user. When it was activated on compatible browsers, Tor would establish the connection over multiple relays. In each relay, only the necessary information would be passed on in order to hop onto the next relay, until the final destination was reached.

As it got user attention and appreciation, the Tor Button was upgraded to become the Tor Browser Bundle, and then to its final form, the Tor Browser. The Tor Browser is based on the Mozilla Firefox web browser and shares a large part of its code base. Tor became the preferred browser for many security researchers.

In 2004, Tor became a service that not only hid the identity of its users, but it also added a feature that allowed various groups to voice their opinions and ideas freely without censorship. This feature is known as Onion Services.

How to Start the Onion Service

It’s pretty easy to initiate the Onion service. You can start a new Onion service by making the following changes on the torrc file, which contains the settings for Tor. Once you do that, your Onion service will be ready to use.

The Two Important Directives in the torrc File

The two important directives in the file: HiddenServiceDir and HiddenServicePort:

  • The HiddenServiceDir directive stores the directory path where two files are stored. One of them is the hostname file that holds the domain name of your service that your visitors need to reach you over the Tor network. The other file is the private_key file that holds your private key. When the service is started, the files will be generated.
  • The HiddenServicePort directive tells Tor on which port it should listen for the hidden service and to which address to forward that traffic.

In the hostname file, you can see the domain (in this example, zw4gc4ynslwe32mj) used for the Onion service with the .onion extension.

As illustrated, the domain (zw4gc4ynslwe32mj.onion) will be used to access your Onion Service.

How to Change Your Domain Name

How was this domain name generated? Can it be changed to something that is easier to remember? Generally, well-known Onion Services have much prettier domain names. For example, Facebook uses the domain name: facebookcorewwwi.onion.

The Tor service generates a pair of RSA keys as a first step to make an Onion domain. The private_key file holds the private key of the RSA key pair.

The next step to generate the domain is to get a summary of the public key using the SHA-1 algorithm. The first 80 bits of this summary are encoded with base32 to make a string of 16 characters. These 16 characters make up the scrambled part of the zw4gc4ynslwe32mj.onion domain.

Since the domain name is directly generated from the public key, the user can verify the public key of the domain. Therefore, this system is referred to as 'self-certifying'.

How to Get Friendlier Domain Names

In order to obtain a domain name like facebookcorewwwi.onion, you need to use a computer with high processing power to repeat the steps above to generate a key that contains the target keyword (such as “facebook”). Such domains are called vanity domains, and though we don't recommend it, there are websites that generate them for you.

Security Risks of Regular Onion Domains

There are more significant disadvantages for domain names than simply being not user-friendly (vanity domains). And, they put at risk the security of users who want to access Onion Services on the Tor network. Since Tor doesn’t have a built-in validation system for checking the legitimacy of domains, users employ different methods to make determine the security of their browsing.

Research on Tor Services User Habits

In 2016, Facebook announced that 1 Million People Use Facebook Over Tor (via their Onion service), making it suitably significant sample size for academic research. In June 2018, the daily visits of the Tor service were around 100,000.

Princeton University published an academic paper in 2018 How Do Tor Users Interact With Onion Services? concerning user interactions with Tor services. Presented in Usenix, the paper reveals detailed information on user habits and was the result of interviews with 17 people and surveys conducted with 517 participants. The researchers also analyzed 15,471 domain names with the .onion extension that were acquired over a period of two days from a type B DNS root server.

Results of the Research

The results state that Tor users have difficulties in:

  • Finding available Tor services
  • Keeping and storing discovered services for next time
  • Uncovering phishing attacks

Survey respondents stated that 47.58% of the time, they access .onion domains over links on social media. This was followed by Tor’s famous search engines, The Hidden Wiki and Ahmia, at a rate of 46.42%. And 46% of users stated that they randomly encounter such websites.

Vanity domains might ease access to domains, but someone with enough resources can craft a website to look exactly like vanity domains such as facebookcorewwwi.onion. Therefore attackers can easily trick users into clicking a domain name with a similar prefix to that of Facebook.

How Users Validate Websites

How do users verify that the website is the one they attempted to access? Remember, the domain can be spoofed since it may be generated by an attacker with enough resources. Most domains such as Facebook use EV certificates for verification purposes. Acquiring these certificates rips down the anonymity that Tor services provide. Therefore it’s not the best option to require for verification.

Tor users validate the websites they visit using self-developed methods:

  1. 64% of users believe that visiting a website by copying and pasting the address is more fault-proof
  2. 52% of users bookmark websites
  3. 45% of users check the address bar
  4. 39% of users state that they found the .onion domains of the websites from non-Tor websites (for example, Facebook officially announced its Tor domain name facebookcorewwi.onion through
  5. 35% of users check websites' SSL/TLS certificates

Summary of the Research

Findings of the research can be summarized as follows:

  • Since the domain names are secret by default, finding .onion extension websites is very difficult
  • Although vanity domains are made to be easy to remember, they can make users feel more secure than they should
  • Users don’t have access to a stable tool or method to verify .onion domains

Possible Fixes and Updates

In February 2018, the Tor Project announced that a new Onion service was under development. The domain names will be 56 characters long instead of 16 characters, and will hold the public key, checksum and version information. Instead of the deprecated SHA-1 algorithm, SHA-3 algorithm will be used with the Elliptic Curve algorithm, allowing the entire public key to be stored in the domain. This is a definite security improvement, but the fact that character strings will get longer will make legibility concerns much worse.

Why doesn’t the Tor Browser implement an SSL/TLS verification technology extension? That would use the certification on valid domains to verify the onion domain. For example, Facebook already has implemented SSL/TLS. If the steps above are conducted in the public key of the domain, the user can easily verify the certificate.

Although Tor began with the goal of providing users anonymous and censor-free browsing features, implementing security sometimes requires some proof of identity on the server side to ensure the users aren’t tricked into engaging with malicious websites. As Onion Services get more and more popular, hosts and clients will have to develop new security measures without relinquishing the anonymity they signed up for in the first place.


Dead accurate, fast & easy-to-use Web Application Security Scanner