The Tor browser is a powerful free tool for browsing the internet anonymously that also unlocks a portion of the deep web in the form of .onion addresses. If you own or are looking to create a website, you may want to learn how to create a .onion site to protect yourself and your visitors.
What is a .onion domain and how does it work?
A .onion domain is the address of a website that can only be accessed through the Tor anonymity browser. Regular browsers won’t be able to navigate the relay of proxy servers that will take users to your website.
How is it different from an ordinary domain?
Ordinary web domains, like .com, .org, .biz, and others are issued by the Internet Corporation for Assigned Names and Numbers (ICANN). There are thousands of different domains out there, but not all of them can be used by everyone (like .apple, for example). Users have to submit proposals to ICANN to register a domain and sub-domain (the part before the period). There are usually costs associated with registering and maintaining the domain of your choice.
Why would I want a .onion address?
A .onion domain has a few key advantages over an ordinary domain (but a few drawbacks as well). Its key feature – that it can only be accessed using a Tor browser – is both a drawback and an advantage. Tor is far from the most popular browser, and many people don’t even know it exists, so you shouldn’t expect massive traffic on your .onion site. However, the Tor browser affords numerous layers of anonymity that are not available on more popular browsers. If you want to ensure near-total anonymity for both you and your visitors, you can’t do much better than a Tor address.
When you create a .onion site, a domain name will automatically be generated for you. It will be a string of 16 random lowercase letters and numbers (from 2 to 7) that the Tor browser can use to navigate to your server. Unfortunately, these random strings cannot be any longer or shorter than 16 characters and are often hard to remember, making it difficult for users to memorize your website and easy for malicious users to create a similar but different domain to potentially confuse visitors.
However, this also means that you do not need to register with ICANN to create your own domain. You won’t need to hide your details from “whois” searches, and your ICANN account won’t be vulnerable to malicious takeovers. You will be completely in control of your privacy and your domain.
Creating a vanity domain – one featuring a recognizable word of your choice – is possible but computationally expensive. Facebook devoted considerable resources to achieving its .onion domain – facebookcorewwwi.onion – and they only needed 8 characters. Getting the exact 16 characters you want could take a single computer billions years to achieve.
1. Create a web server
Tor’s .onion service can give your existing web server a .onion domain if it’s configured correctly. However, the powerful anonymity provided by Tor isn’t worth much if your server leaks personal data or information that advanced users could use to identify you. Tor suggests binding your server to localhost. When you set up your .onion services later, you’ll create a virtual port that visitors can connect through so you don’t reveal your real IP address.
If you require hosting for you onion site, see our bulletproof hosting guide.
Make sure you also scrub your server of any other information that might identify you, your IP, or your location. Remove any reference to your server’s information from any error messages that might be sent to visitors.
2. Configure your server’s .onion services
To do this, you’ll have to open your “torrc” file, which is a text file you received when you set up your Tor browser. For more detailed information on how to modify this file to create a .onion server, follow the instructions on the Tor project’s website.
Once your setup is complete, turn on your Tor browser to generate a public key, or domain, for your website. After that, it’s up to you to distribute it and get people to visit your site. Just be sure not to share the private key with anyone!