This post is coming a bit late, giving updates about Onion Services
based on the transcript from the 2024 State of the Onion presentation.
Companion slides are available here.
Onion Services
Onion Services is a communication technology for exchanging data using the Tor
network.
Usually, whenever a Tor user is surfing around, their connection exits the Tor
network at some point to reach a destination on the internet.
But with Onion Services, the communication from one point to another happens
entirely inside the Tor network, all the time.
This brings a lot of benefits to users, service operators and the Tor
network in general:
- For users, it means additional privacy safeguards, such as improved
  anonymity and end-to-end encryption.
- For service operators, it also brings censorship resistance and built-in
  protections against denial of service.
- For the Tor network, Onion Services can alleviate the load on exit nodes,
  since its connections don’t need to reach the exits.
Announcing the Onion Services Ecosystem docs
This technology had its 20th anniversary. And yet, not as many people know
about it, or use it, as we would like. So, to celebrate this birthday, we are
announcing a comprehensive documentation effort at
onionservices.torproject.org.
This documentation is directed to everyone: from those who want to understand
and use the technology to those interested in advanced topics such as the
current research.
Onionspray
This year we also launched a rebranded tool called Onionspray,
which allows existing sites to be offered through Onion Services, so
any website can be “onionized”. This means your website can be turned
into what we call an onionsite.
Onionspray works as a proxy between an Onion Service connection and the
website, bringing many benefits to operators:
- Onionspray is self-contained software with everything needed to
  configure an onionsite.
- There’s no need to adapt existing setups: Onionspray can be installed in a
  separate environment, and no changes are usually needed in the website.
If you or your organization is planning to set up an Onion Service, well, why
not give Onionspray a try? On top of the benefits for operators, it adds a
layer of censorship resistance to your site, ensuring its availability
to more audiences worldwide.
Onion Services implementations
Onionspray relies on the current Tor implementation, called “C Tor” or
“little tor”, a tool that’s battle tested and extremely stable. Onionspray
will be supported as long as C Tor is supported.
In the long run, the Tor core software is being rewritten to be safer,
easier to use, maintain and understand. This new implementation already exists
and it’s called “Arti”.
Check the implementations page for the current status of both C Tor
and Arti regarding Onion Services functionality.
Thanks to the huge effort of the Arti engineers, a lot of progress
has been made recently, and you can test Onion Services with Arti now.
Oniongroove
In order to support Arti early adopters and also provide a seamless migration
from C Tor to Arti, we are already prototyping the next
generation tool for managing onionsites, which we’re calling “Oniongroove”.
Oniongroove aims to support both the old C Tor and the new Arti as
engines, making the migration to Arti easier.
Certificates
Another important recent topic in Onion Services land is certificates.
Whenever you browse the internet in the usual way, the connection between your
computer and a service is usually encrypted, and the safety of this
communication relies on the verification of a special type of
certificate.
With Onion Services, the connection is peer-to-peer encrypted by default, which
means that no additional certificates are needed.
But as the web and other internet technologies mature, certificates are
becoming a requirement to unlock functionality, especially in
web browsers, such as the faster connection protocol HTTP/2 and payment processing.
That’s why it’s important to improve the certificate ecosystem to fully support
Onion Services.
This is a hard problem, and an ongoing effort, but there has been some important
work done to solve this.
The most relevant one should bring automation to the process of issuing
certificates for Onion Services, through an enhancement in a protocol called
ACME.
The ACME for Onions project is composed of tools and also an
Internet Draft, which hopefully will turn into an Internet Standard
soon.
We are also looking into other, non-conflicting alternatives that can also be
used for certification, so service operators can decide which one best fits their
use case.
Improving the certificate functionality will bring Onion Services to parity
with the modern stack of web development.
For more information, see the certificates documentation.
Upcoming Onion Discovery research
Onion Services are recognizable by their long addresses. A typical address
looks like a big string ending in .onion.
This is hard to type, and even harder to memorize.
Having a way to provide human friendly addresses for Onion Services is a long
awaited feature, and also a hard problem to solve, maybe even harder than
certificates.
To move things forward, we’re planning to begin a research project to
investigate existing proposals and also new, innovative ways to solve this
problem. We expect that, after doing this research, we’ll have a better
understanding of the pieces involved, the decision criteria for choosing the best
proposals, and what should be done in terms of roadmapping.
We hope that building one thing at a time will get us there, eventually.
The initial steps of this research are already available at the Onion
Discovery documentation section.
Summary
This post briefly described the many moving parts involved in making Onion
Services easier to use, and how this year has brought us several steps
closer:
- The Onion Service Ecosystem Documentation makes it easier for both newbies
  and tech-savvy folks to understand and use onion services.
- Onionspray is a useful plug-and-play kit to jumpstart the onionization
  of your existing website.
- Our ongoing certificate work and Arti implementation position us to
  future-proof this technology, so we can take full advantage of its benefits
  for the years to come.
- Finally, we expect to soon start research to improve the usability
  of Onion Service addresses.
Thank you and happy onionization!