DarkWiki Explains: What Are Onion Services?
According to DarkWiki documentation, onion services (formerly called hidden services) are websites and services that are only accessible through the Tor network. They provide anonymity to both the user AND the server operator—neither knows the other's IP address. This bidirectional anonymity is what makes onion services fundamentally different from regular websites accessed via Tor.
DarkWiki researchers note that when you access a regular website through Tor, the website sees traffic from a Tor exit node but not your IP. With an onion service, there is no exit node — the entire connection stays within the Tor network, and even the server's location remains hidden.
abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion
Version 3 onion addresses are 56 characters long, drawn from the base32 alphabet a-z and 2-7 (the placeholder above simply runs through that alphabet), and are derived from the service's Ed25519 public key. Because the version byte is the last thing encoded, every real v3 address ends in "d". The address carries the public key itself, so it doubles as a cryptographic commitment to the service's identity.
DarkWiki Explains: How Onion Addresses Work
According to DarkWiki technical analysis, a v3 onion address is not arbitrary — it's derived directly from the service's public key:
- Ed25519 keypair — Service generates a public/private key pair
- Address derivation — 32-byte public key + 2-byte checksum (from SHA3-256) + version byte 0x03, base32 encoded into 56 characters
- Self-authenticating — The address proves the service's identity
- No DNS — No central authority assigns addresses
DarkWiki emphasizes that this means if you know an onion address, you can be cryptographically certain you're connecting to the intended service: nobody can produce a second keypair for an existing address, so phishing requires convincing users to visit a different address entirely, typically one that imitates the first few characters of the real one.
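The derivation above written out as an added example (this is not code from DarkWiki or from Tor itself): the domain separator, checksum length and version byte follow the v3 specification, and the 32-byte sample key is a constructed stand-in for a real Ed25519 public key.

```python
import base64
import hashlib

VERSION = b"\x03"                       # version byte for v3 onion services
CHECKSUM_PREFIX = b".onion checksum"    # domain separator from the v3 spec
BASE32_ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz234567")


def onion_address(pubkey: bytes) -> str:
    """Derive a v3 .onion address from a 32-byte Ed25519 public key.

    address  = base32(PUBKEY || CHECKSUM || VERSION), lowercase, no padding
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    35 bytes = 280 bits = exactly 56 base32 characters.
    """
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Validate a v3 .onion address and return the public key it encodes.

    Raises ValueError on bad length, alphabet, version or checksum, so a client
    can reject a mistyped or tampered address before any directory lookup.
    """
    name = address.lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        raise ValueError(f"v3 addresses are 56 characters, got {len(name)}")
    if not set(name) <= BASE32_ALPHABET:
        raise ValueError("address contains characters outside a-z and 2-7")
    raw = base64.b32decode(name.upper())          # 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != VERSION:
        raise ValueError(f"unsupported version byte 0x{version.hex()}")
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch: address was mistyped or altered")
    return pubkey


def is_valid_onion_address(address: str) -> bool:
    """Boolean wrapper around parse_onion_address for quick checks."""
    try:
        parse_onion_address(address)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: 32 fixed bytes standing in for a real Ed25519 public key.
    sample_pubkey = bytes(range(32))
    addr = onion_address(sample_pubkey)
    print(addr, "->", len(addr) - len(".onion"), "characters, valid:", is_valid_onion_address(addr))
    # Flipping one character inside the key part breaks the checksum.
    altered = addr[:10] + ("b" if addr[10] != "b" else "c") + addr[11:]
    print(altered, "-> valid:", is_valid_onion_address(altered))
```

The checksum is only a typo guard; the identity guarantee comes from the key bytes themselves, which is why a look-alike address built on a different key validates just as well. The real addresses listed further down this page can be checked with parse_onion_address the same way.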
DarkWiki Technical Guide: How Connection Works
Step 1: Service Setup
- Server generates an Ed25519 keypair (determines the .onion address)
- Selects Introduction Points (IPs) from Tor relays
- Builds circuits to each Introduction Point and asks it to accept introductions on the server's behalf
- Publishes a signed descriptor to the responsible HSDir nodes (a distributed hash table over the relay set)
Step 2: Client Lookup
- Client derives the blinded key for the current time period from the address and uses it to locate the responsible HSDir nodes
- Downloads the descriptor from an HSDir and verifies its signature against that key
- Learns the Introduction Points from the decrypted descriptor
- Picks a Rendezvous Point (RP), builds a circuit to it, and registers a one-time rendezvous cookie there
Step 3: Connection Establishment
- Client sends an INTRODUCE1 cell to the Introduction Point; the body (RP identity and cookie) is encrypted to the service's key
- IP forwards it to the server as INTRODUCE2, learning neither who the client is nor which RP was chosen
- Server builds its own circuit to the client's Rendezvous Point and presents the cookie
- RP matches the cookie and splices the two circuits together
- Six relays end to end: three chosen by the client (the last being the RP) and three chosen by the server
Result: Neither knows the other's real location
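The three steps above as a runnable model, added here as an example and not part of the original page or of Tor's code. Each relay records the cells it handles and the previous hop they arrived from; Sealed stands in for the real encryption of the INTRODUCE1 body, and cookies and circuit IDs are random placeholders. The model shows that the introduction point never sees the rendezvous point and that the RP joins circuits purely by cookie.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Sealed:
    """Stand-in for the INTRODUCE1 body, encrypted to the service's introduction
    key: relays carry it, only the service can open it."""
    recipient_key: str
    body: dict

    def open(self, key: str) -> dict:
        if key != self.recipient_key:
            raise PermissionError("only the service can read the INTRODUCE body")
        return self.body


@dataclass
class Relay:
    name: str
    observed: list = field(default_factory=list)   # (cell, circuit, previous hop)
    waiting: dict = field(default_factory=dict)    # cookie -> parked client circuit


def new_circuit(previous_hop: str) -> tuple:
    """The last relay of a 3-hop circuit sees only its previous hop, never the origin."""
    return f"circ-{secrets.token_hex(2)}", previous_hop


def service_setup(ip: Relay, intro_key: str) -> dict:
    """Step 1: park a circuit at the introduction point; return the descriptor contents."""
    circ, prev = new_circuit("middle relay chosen by service")
    ip.observed.append(("ESTABLISH_INTRO", circ, prev))
    return {"intro_point": ip.name, "intro_circuit": circ, "intro_key": intro_key}


def client_prepare(rp: Relay) -> tuple:
    """Step 2: park a circuit at a rendezvous point and register a one-time cookie."""
    cookie = secrets.token_hex(20)
    circ, prev = new_circuit("middle relay chosen by client")
    rp.waiting[cookie] = circ
    rp.observed.append(("ESTABLISH_RENDEZVOUS", circ, prev))
    return cookie, circ


def client_introduce(descriptor: dict, ip: Relay, rp: Relay, cookie: str) -> Sealed:
    """Step 3a: INTRODUCE1 goes to the introduction point, which forwards the
    still-sealed body down the service's circuit as INTRODUCE2."""
    sealed = Sealed(descriptor["intro_key"], {"rendezvous_point": rp.name, "cookie": cookie})
    circ, prev = new_circuit("middle relay chosen by client")
    ip.observed.append(("INTRODUCE1", circ, prev))
    ip.observed.append(("INTRODUCE2", descriptor["intro_circuit"], ip.name))
    return sealed


def rendezvous_join(rp: Relay, cookie: str, service_circuit: str):
    """Step 3c: the RP splices the service's circuit onto the client circuit that
    registered this cookie, or drops the cell when no circuit did."""
    client_circuit = rp.waiting.pop(cookie, None)
    if client_circuit is None:
        rp.observed.append(("RENDEZVOUS1 dropped (unknown cookie)", service_circuit, None))
        return None
    rp.observed.append(("RENDEZVOUS2", client_circuit, rp.name))
    return client_circuit


def service_answer(intro2: Sealed, service_key: str, relays: dict):
    """Step 3b: open INTRODUCE2, build a circuit to the named RP, send RENDEZVOUS1."""
    details = intro2.open(service_key)
    rp = relays[details["rendezvous_point"]]
    circ, prev = new_circuit("middle relay chosen by service")
    rp.observed.append(("RENDEZVOUS1", circ, prev))
    return rendezvous_join(rp, details["cookie"], circ)


def run_handshake() -> dict:
    """Run the whole exchange and return the relays for inspection."""
    ip, rp = Relay("intro-relay"), Relay("rendezvous-relay")
    service_key = secrets.token_hex(8)
    descriptor = service_setup(ip, service_key)
    cookie, client_circuit = client_prepare(rp)
    intro2 = client_introduce(descriptor, ip, rp, cookie)
    joined = service_answer(intro2, service_key, {rp.name: rp})
    return {"connected": joined == client_circuit, "ip": ip, "rp": rp}


if __name__ == "__main__":
    result = run_handshake()
    print("connected:", result["connected"])
    for relay in (result["ip"], result["rp"]):
        for cell, circ, prev in relay.observed:
            print(f"{relay.name:16} {cell:36} {circ} via {prev}")
```

Printing the observed lists makes the point of the design visible: the introduction relay's log never mentions the rendezvous relay, the rendezvous relay's log never mentions the introduction relay, and neither ever records an endpoint, only a middle relay as previous hop.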
DarkWiki's Key Components Explained
- Introduction Points (IPs) — Relays the server keeps long-lived circuits to and lists in its descriptor; clients reach the server only through them.
- HSDir (Hidden Service Directory) — Nodes that store descriptors, forming a distributed hash table.
- Rendezvous Point (RP) — A relay chosen by the client where both parties meet. Neither client nor server reveals their location to the RP.
- Descriptor — Signed data structure listing the introduction points, published to HSDir nodes. In v3 its body is encrypted, so the HSDir storing it cannot read the introduction points.
DarkWiki Compares: Version 2 vs Version 3
Version 2 (Deprecated)
16-character addresses: the first 80 bits of a SHA-1 hash of an RSA-1024 public key, base32 encoded. Support was removed from Tor in October 2021 because of the weak primitives and because HSDir nodes could harvest the addresses of every descriptor they stored, allowing enumeration of services.
Version 3 (Current)
56-character addresses encoding a full Ed25519 public key, with SHA-3 for the checksum and descriptor keys. Much stronger cryptography, HSDir nodes that see only a rotating blinded key rather than the address, and an address that carries the entire key instead of a truncated hash.
DarkWiki on Technical Improvements in v3
- Ed25519 — Modern elliptic curve cryptography, faster and stronger than RSA-1024
- Better HSDir privacy — Descriptors are published under a blinded key that changes every time period, and the descriptor body is encrypted, so a directory node cannot tell which service it is storing or learn its introduction points
- Longer addresses — 56 characters carry the full 256-bit key rather than v2's 80-bit truncated hash, so finding a key that collides with a target address is out of reach
- Improved protocol — Protection against various attacks discovered in v2
- Client authorization — Native support for restricting access to holders of specific x25519 keys, configured through the service's authorized_clients directory
DarkWiki's Setup Guide: Setting Up an Onion Service
DarkWiki sources indicate that running an onion service is straightforward with Tor installed:
- Configure Tor — Add HiddenServiceDir and HiddenServicePort to torrc
- Restart Tor — Service generates keypair and starts advertising
- Note address — The onion address appears in the hostname file inside HiddenServiceDir
- Run service — A normal web server (or other service) bound to localhost only; binding it to a public interface would expose the same content directly on the clearnet IP
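The four steps as an added example configuration (not taken from the DarkWiki guide): the directory, ports, client name and key value are placeholders to be replaced.

```text
# /etc/tor/torrc on the service host
HiddenServiceDir /var/lib/tor/my_service/
HiddenServiceVersion 3
# virtual port 80 on the .onion -> backend, which must listen on 127.0.0.1 only
HiddenServicePort 80 127.0.0.1:8080

# Optional v3 client authorization (one file per authorized client):
# /var/lib/tor/my_service/authorized_clients/alice.auth
descriptor:x25519:<base32-encoded x25519 public key of the client>

# Client side, in the client's torrc, plus a file alice.auth_private in that
# directory containing <56-char address without .onion>:descriptor:x25519:<private key>
ClientOnionAuthDir /var/lib/tor/onion_auth
```

Tor refuses to start the service unless HiddenServiceDir is owned by the user Tor runs as and is mode 0700. After the restart the directory holds hostname (the address) and hs_ed25519_secret_key (the identity; losing it means losing the address, leaking it means anyone can impersonate the service), so keep backups of the key off the web root and away from the backend process.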
DarkWiki OPSEC Note: The server itself must be secure. DarkWiki researchers emphasize that an onion service hides the IP, but application-layer leaks (error messages, server banners, document metadata, response timing) can still reveal identity. DarkWiki recommends running services in isolated environments like Whonix, where the service host has no route to the internet except through the Tor gateway.
DarkWiki's Security Considerations
DarkWiki-Identified Strengths
- No exit node — Traffic stays in Tor network, no exit-based attacks
- Bidirectional anonymity — Both client and server hidden
- Self-authenticating — Address proves identity cryptographically
- NAT/firewall traversal — Works without port forwarding, since the server only makes outbound connections to its guard relay
DarkWiki-Identified Weaknesses
- Uptime correlation — DarkWiki notes that service availability patterns can be matched against the uptime of a suspected host or network to reveal location
- Application leaks — Server software may leak identifying information
- Traffic analysis — Sophisticated adversaries may correlate traffic patterns
- Single onion services — A service configured with HiddenServiceSingleHopMode connects to its introduction and rendezvous points directly, trading its own location privacy for lower latency; clients stay anonymous, the operator does not
DarkWiki Documents Legitimate Uses
DarkWiki sources indicate that many reputable organizations operate onion services:
News Organizations
- The New York Times — nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion
- BBC — bbcnewsd73hkzno2ini43t4gblxvycyac5aw4gnv7t2rccijh7745uqd.onion
- The Guardian — guardian2zotagl6tmjucg3lrhxdk4dw3lhbqnkvvkywawy3oqfoprid.onion
- ProPublica — p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion
Privacy Tools
- DuckDuckGo — duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion
- ProtonMail — protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion
- Keybase — keybase5wmilwokqirssclfnsqrjdsi7jdir5ber7oz6hikp2zibaemid.onion
Social Platforms
- Facebook — facebookwkhpilnemxj7asber7ihqg2gqv4bvq2y6hqigfocyr5p6wyd.onion
- Twitter/X — Has operated various onion addresses
Whistleblowing
- SecureDrop — 70+ news organizations operate instances
- WikiLeaks — Historical significance in onion service adoption
DarkWiki's Vanity Addresses Guide
According to DarkWiki documentation, some organizations generate "vanity" addresses with recognizable prefixes (like "facebook" or "nytimes"). This requires brute-force computation: keep generating Ed25519 keypairs until one yields an address that starts with the desired characters. Tools like mkp224o automate this process.
- Each additional character multiplies the work by about 32 (the base32 alphabet is a-z and 2-7, so the digits 0, 1, 8 and 9 can never appear)
- 6-7 recognizable characters are practical
- Choosing all 56 characters is infeasible, since that would mean finding a key for an arbitrary chosen address
- A vanity prefix is not proof of identity: anyone can generate an address with the same prefix, and only the full 56 characters are bound to the key
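The search described above as an added example (not DarkWiki's or mkp224o's code): the expected cost per prefix length, a check that the prefix is even representable, and the search loop itself. Real tools generate Ed25519 keypairs at millions per second; seeded_keygen here produces random 32-byte stand-ins, which gives the same hit rate per trial but has no private key behind it, so the result is only good for measuring cost.

```python
import base64
import random

BASE32_ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz234567")
KEY_DETERMINED_CHARS = 51   # leading address characters fixed by the key alone


def unrepresentable(prefix: str) -> set:
    """Characters in prefix that can never appear in an onion address."""
    return set(prefix) - BASE32_ALPHABET


def expected_trials(prefix: str) -> int:
    """Average number of keypairs generated before one matches the prefix."""
    bad = unrepresentable(prefix)
    if bad:
        raise ValueError(f"not representable in base32: {sorted(bad)}")
    if len(prefix) > KEY_DETERMINED_CHARS:
        raise ValueError("the checksum and version byte fix the remaining characters")
    return 32 ** len(prefix)


def address_prefix(pubkey: bytes, n: int) -> str:
    """First n characters of the v3 address for this key. The checksum and
    version byte only influence the tail, so no hashing is needed here."""
    if not 0 <= n <= KEY_DETERMINED_CHARS or len(pubkey) != 32:
        raise ValueError("prefix length out of range or bad key size")
    return base64.b32encode(pubkey).decode("ascii").lower()[:n]


def seeded_keygen(seed: int):
    """Stand-in for Ed25519 key generation: uniformly random 32-byte 'public
    keys' from a seeded PRNG. There is no private key behind them, so the
    output is only useful for measuring search cost, not for running a service."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(256).to_bytes(32, "big")


def vanity_search(prefix: str, keygen, max_trials: int):
    """Return (trials, pubkey) for the first key whose address starts with
    prefix, or None once max_trials is exhausted."""
    expected_trials(prefix)   # rejects prefixes that can never match
    for trials in range(1, max_trials + 1):
        pubkey = keygen()
        if address_prefix(pubkey, len(prefix)) == prefix:
            return trials, pubkey
    return None


if __name__ == "__main__":
    for prefix in ("ab", "abc"):
        found = vanity_search(prefix, seeded_keygen(1), 50 * expected_trials(prefix))
        print(f"{prefix}: expected ~{expected_trials(prefix):,} trials, "
              f"found after {found[0] if found else 'none'}")
    print("digits that can never appear:", sorted(unrepresentable("onion1089")))
```

Because only the leading 51 characters depend on the key, a vanity search never computes the checksum; it is bounded purely by how fast keys can be generated and base32-encoded, which is why mkp224o's throughput is measured in keys per second.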