As protests are sparkling around the world, we know that the struggles for a more just society are closely surveilled by those in power. The things that we do online, where we are, the websites that we’ve visited, who we’ve talked to… this data is being collected and analyzed to draw the social graph of activists and used to determine who to monitor. As many digital security trainers point out: protests may have an end, but metadata lasts forever.
At the Tor Project, we develop privacy enhancing technologies to protect and advance human rights. One of these technologies built inside of Tor is called Onion Services. Onion services are a way to protect users’ metadata, like their real location, and offer end-to-end authentication and end-to-end encryption by default when a user visits a website. One can easily spot an onion service as the domains are a public key encoded as an address ending with .onion.
Since users have a legitimate and increasing concerns about their safety online, developers, system administrators, and websites owners can and should offer a more secure experience to users. If you run a website, you can improve its security by offering a version of your site over onion services. Recently, we implemented a way to announce and publicize your onion site using Onion-Location. When a user visits a website that has both onion services and Onion-Location enabled, Tor Browser will display an information pill telling them that there’s a more secure version of the website ,and the user will be asked to opt-in to upgrade to the onion service on their first use. If the user already opted-in for their network security upgrade, they will get directly to the onion site.
Many web administrators have already joined us and made their websites available over onion services and Onion-Location. For example, ProPublica, DEF CON, Privacy International, Riseup.net, Systemli.org, and Write.as. And now, we invite you to join this campaign: #MoreOnionsPorfavor.
Setting up an onion site with Onion-Location
Some onions are very easy to cultivate, but for others, you may need professional support. For enterprise scale websites, we recommend getting in touch with us: [email protected].
First, you need to configure your web server so it doesn’t give away any information about your user’s location. As with any other service connected to the internet, it can be risky if it’s misconfigured. Therefore, we recommend reading and following onion services documentation and best practices.
After you’ve configured your web server and onion service, you can setup Onion-Location. Configuration should only take a few minutes. It’s worth mention that Onion-Location will only work if you’ve already setup a TLS certificate for your domain, i.e. Let’s Encrypt.
Once you’ve set up your onion site, send an email to <[email protected]> and announce it on your favorite social media using the hashtag #MoreOnionsPorfavor. Next month, we will select some onion site operators to receive a Tor swag as a token of our gratitude for your help defending the secure internet. Set up your onion site and email us by August 10th to qualify.