I really like the idea behind .onion sites. Onion addresses are self-authenticating, which means the address is tied directly to the cryptographic key used by the service. That is a stronger form of authentication than relying on a certificate authority to vouch for such a binding.

In practice, this means that if you already have the correct onion address of a site, you can be confident that you are reaching the service that actually controls that address. However, the challenge is that you still need a trustworthy way to obtain the correct onion address in the first place. That makes the system excellent in theory, but difficult to use in practice.

Onion sites also have several other unique use cases:

  • Anonymous publishing and hiding a server’s physical location
  • Whistleblower systems and secure source contact through tools like SecureDrop
  • Invite-only private services, where you need not only the onion address but also Tor’s built-in client authorization
  • Self-hosting behind NAT or restrictive firewalls, as seen in tools like Lightning services
  • Temporary file drops, disposable websites, and chats without relying on a third-party platform, e.g. using OnionShare
  • Messaging systems with no central public server identity, such as Briar

I have now also made this website available via an onion address: http://metrsww4o7yeijgkdp6otpu5hu2bz5uizntuxan6cbed5sm6w2kknayd.onion/

I cannot think of a particularly practical reason why accessing this site via its onion address would be useful. Perhaps it would have been more relevant when Tor still had its “Prioritize .onion sites when known” feature, which automatically upgraded a connection to an onion address when possible. That feature was removed in early 2024 because of potential fingerprinting risks.

Still, I have wanted to offer this option for a while, mainly to learn how onion services are set up. I learned that it is surprisingly easy; the Tor Project provides a straightforward guide here.

At the moment, I use WireGuard to access my home network. I have been thinking about trying onion addresses for some of the services I host for myself, mainly out of curiosity and to see how well it works in practice as an experiment. While this is still just a rough idea, I do find it very appealing.