Stealth Onion Services

Allan Nordhøy edited this page Sep 17, 2018 · 4 revisions

OnionShare has an advanced option, "Create Stealth Onion Service". This will make your onion service much more secure, but it also makes it much more difficult for the recipient to connect to it.

NOTE: As of OnionShare 2.0, Stealth mode can only be used with legacy (v2) style onion addresses. Stealth mode is not yet possible in Tor for next-gen or v3 style .onions.

What is a stealth onion service?

With normal onion services, anyone who knows your onion address can connect to it over the Tor network. When you use OnionShare, this should only be you and the person you send the link to. However, it's also possible that malicious Tor nodes that serve as hidden service directories could learn the onion address and try to connect to it. Even if this happens, OnionShare is still secure -- see the security design document for more info -- but it's better if it's simply impossible for anyone else to connect to the onion service at all.

This is what stealth onion services provide. If you're using a stealth onion service and an attacker learns your onion address, they still can't connect to it. To connect, you need to edit your Tor configuration file and add a secret HidServAuth string to it. This way, even malicious Tor nodes that are hidden service directories can't connect to your OnionShare service at all.

As long as you're using a new enough version of Tor (such as the latest Tor Browser), OnionShare's stealth onion services will work fine in Windows and macOS X. Check the Linux support page in the wiki for details on support in Linux distributions.

How to send files with stealth onion services

Open OnionShare and add the files you'd like to share. Check "Advanced Options", and then check "Create Stealth Onion Service" before you click "Start Sharing". After the onion service is ready, OnionShare will include two buttons, "Copy URL" and "Copy HidServAuth". You'll need to copy both of these and send them to the recipient.

In this example, here are the two pieces of info I need to send to the recipient for them to download the file:

  • URL: http://fjqkh7xe7ol4tqws.onion/duct-crock
  • HidServAuth: HidServAuth fjqkh7xe7ol4tqws.onion 9OVr5C6O7eyaJk8drubXVw

Note that if I just send someone the URL, their Tor Browser will refuse to ever connect to it. First, they need to add the HidServAuth string to their Tor config file and restart Tor Browser. Then, they'll be able to load the URL with Tor Browser.

How to receive files with stealth onion services

Warning: This isn't the easiest thing to do for newbies, which is why stealth onion service support is an advanced option in OnionShare. You'll have to know how to navigate your filesystem and edit text files.

Make sure Tor Browser is closed. Now, open the torrc file that's built into Tor Browser in a text editor. This process is slightly different depending on your operating system.

  • In macOS X, edit ~/Library/Application Support/TorBrowser-Data/Tor/torrc.
  • In Windows, edit C:\Users\[user]\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc.
  • In Linux, edit ~/[path_to_tor_browser]/Browser/TorBrowser/Data/Tor/torrc.

Add the HidServAuth string to the bottom of the file. For example, I'm going to add this line to the end of my torrc file:

HidServAuth fjqkh7xe7ol4tqws.onion 9OVr5C6O7eyaJk8drubXVw

Save the file, exit the editor, and restart Tor Browser. You can now load the corresponding OnionShare URL in Tor Browser (in my case, http://fjqkh7xe7ol4tqws.onion/duct-crock) and it will work. After you're done downloading the file being shared, you can remove the HidServAuth line from your torrc file again.
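The steps above, as an added Python helper (not part of the original page or OnionShare's own code): it checks that a received string is exactly one HidServAuth line for the same onion as the URL before appending it to torrc, and removes it again afterwards. The function names are hypothetical, and the 16-character address and 22-character cookie pattern is an assumption based on the example above.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumed shape, matching the page's example: 16-char base32 v2 address and
# 22-char base64 cookie. Extra options or embedded newlines are rejected.
HIDSERVAUTH_RE = re.compile(r"HidServAuth ([a-z2-7]{16}\.onion) ([A-Za-z0-9+/]{22})")

def parse_hidservauth(line):
    """Return (onion_host, cookie) or raise ValueError."""
    m = HIDSERVAUTH_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError("not a single well-formed HidServAuth line")
    return m.group(1), m.group(2)

def add_auth(torrc, url, auth_line):
    """Append auth_line to torrc if it is valid and matches the URL's host."""
    host, _ = parse_hidservauth(auth_line)
    if urlsplit(url).hostname != host:
        raise ValueError("HidServAuth is for a different onion than the URL")
    path = Path(torrc)
    text = path.read_text()  # fails loudly if the torrc path is wrong
    clean = auth_line.strip()
    if clean in [l.strip() for l in text.splitlines()]:
        return False  # already present, nothing written
    if text and not text.endswith("\n"):
        text += "\n"
    path.write_text(text + clean + "\n")
    return True

def remove_auth(torrc, auth_line):
    """Remove the line after the download; return True if it was there."""
    path = Path(torrc)
    clean = auth_line.strip()
    lines = path.read_text().splitlines()
    kept = [l for l in lines if l.strip() != clean]
    path.write_text("".join(l + "\n" for l in kept))
    return len(kept) != len(lines)

if __name__ == "__main__":
    # Demo on a constructed torrc in a temp directory, using the page's values.
    url = "http://fjqkh7xe7ol4tqws.onion/duct-crock"
    auth = "HidServAuth fjqkh7xe7ol4tqws.onion 9OVr5C6O7eyaJk8drubXVw"
    with tempfile.TemporaryDirectory() as d:
        torrc = Path(d) / "torrc"
        torrc.write_text("SocksPort 9150\n")
        print(add_auth(torrc, url, auth), remove_auth(torrc, auth))
```

Run it with Tor Browser closed, pointing `torrc` at the path for your operating system listed above.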
