AM
Uploaded byAlec Muffett
PDF, PPTX1,458 views

Setting-up a .Onion address for your Website, v1.5

Setting up an .onion address allows websites to be accessed through the Tor network in order to provide greater privacy, security, and accessibility for users. There are several options for serving content on .onion addresses, including creating a dedicated onion site, configuring content management systems to be onion-aware, or installing an onion shim to rewrite requests and responses between a normal website and its onion domain. Considerations for onionifying a website include certifications, content leakage prevention, and whether to restrict certain features like payments over Tor.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
setting up a .onion address …for your website v1.5 - @alecmuffett 2017
why .onion? • you have an audience, or you have a community • for some, ability to access content is hampered • for some, risk of fake websites, credential theft,
 or political repercussions for accessing content • for some, privacy, assurance & trust is paramount
how does onion help? • greater assurance • facebookcorewwwi.onion => genuine facebook • greater availability • .onion => hard to block, hard to monitor • fewer digital footprints • people using onions are perforce using tor browser • tor browser is generally better at data "hygiene"
mobile ux? yes! • mac / win / linux • tor browser (integrated) • android • orbot (tor) + orfox (browser) • ios • onion browser • other ios in progress
so: what is .onion? top level domain name for the "onion" namespace
what is a namespace? • namespace is "an address & what it means/looks like" • ipv4 addresses look like: 192.168.1.1 • ipv6 addresses look like: fe80::226:21ff:fed8:fbc2 • dns addresses look like: www.foo.com • onion addresses look like: ylzpg2givhwizoep.onion
how do addresses work? • all these addresses can be typed into a web browser: • http://192.168.1.1/- ipv4, supported everywhere • http://[fe80::226:21ff:fed8:fbc2]/ - ipv6, variable • http://www.foo.com/ - dns, supported everywhere • http://ylzpu2givhwizoep.onion/ - needs tor browser • …they all connect you to a remote computer
how is .onion unusual? • "under the bonnet", an onion is a raw network address • …just like 192.168.1.1 or fe80::226:21ff:fed8:fbc2 • but: it is formatted like a traditional dns domain name • ".onion" looks like ".com" or ".co.uk" • this means browsers treat the addresses equitably • including subdomains: www.facebookcorewwwi.onion
wait, subdomains on
 a network address? • yes! this would never work with ipv4 … • www.192.168.1.1 would not mean anything sensible • but www.facebookcorewwwi.onion is meaningful to HTTP • …still means facebookcorewwwi.onion • …the "www…" bit is transported in the Host: header • thus: standard HTTP/HTML/browser behaviour
how do you
 choose addresses? • ipv4 addresses: you take what you are given (mostly) • ipv6 addresses: ditto • dns addresses: you choose a name, & register it • …unless someone beats you to it… • onion addresses: you "mine" one, a little like bitcoin • more mining => "better quality" address
how to serve .onion? several options: 1. set up a dedicated website with duplicate content • e.g.: various dedicated onion sites 2. make your CMS aware of ".onion" domain/traffic • e.g.: facebook 3. install an onion shim • e.g.: propublica, new york times
1. dedicated server • hypothetical: you have a separate web server, and it… • is configured to know about its onion address • serves duplicate content where necessary • essentially runs as a standalone service
2. onion-aware CMS • hypothetical: you have a web server, and it… • serves content to .com, .co.uk, .za, .in, … • distinct content for each domain / different URLs • why not just add yet another domain name? • tag all requests arriving from your .onion • ensure that such tagged requests are properly responded-to, citing your onion address(es)
3. onion shim • hypothetical: you have a web server, and it… • primarily serves content as (say) nytimes.com • install a shim between it and tor • which bidirectionally rewrites requests & responses • nytimes.com <=> nytimes3xbfgragh.onion • via custom engineering, or Enterprise Onion Toolkit
 (free, libre, open-source toolkit for enterprise onions)
summary
 (or: blend these together...) 1. dedicated onion site • rare, use-case dependent 2. onion-aware CMS • excellent for primarily-dynamically-generated content • modest engineering, ongoing commitment, can be 100% solution 3. onion shim • onionifies all content, including static or static/dynamic mix • minimal/zero engineering, some edge cases, 95..99%+ solution
notes • don't forget to onionify your CDN where possible • try to avoid content-leakage between domains • accidentally wandering-off to the .com site • e.g. OAuth redirects • use horizontal load-balancing for backend scale • free solution (onionbalance) exists • onions (even via rewriting) are astonishingly efficient
finally • you will almost certainly need to buy a special HTTPS cert • cost: probably from mid $$$ to low $$$$ • plus associated paperwork & faff • if you take payments / subscriptions? • you may want to restrict access to payments over tor? • chiefly because payment providers sometimes block tor, and this can lead to poor user experiences…
summary • this is an evolving environment! • provide additional access, security & safety opportunities for your audiences & communities! • cutting-edge experimental fun!

More Related Content

PDF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
byMichele Orru
 
PDF
I'm the butcher would you like some BeEF
byMichele Orru
 
PDF
Dark Fairytales from a Phisherman
byMichele Orru
 
PDF
Dark Fairytales from a Phisherman (Vol. II)
byMichele Orru
 
PDF
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
byMichele Orru
 
PDF
Practical Phishing Automation with PhishLulz - KiwiCon X
byMichele Orru
 
PDF
Setting Up .Onion Addresses for your Enterprise, v3.5
byAlec Muffett
 
PDF
Why and How to use Onion Networking - #EMFCamp2018
byAlec Muffett
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
byMichele Orru
 
I'm the butcher would you like some BeEF
byMichele Orru
 
Dark Fairytales from a Phisherman
byMichele Orru
 
Dark Fairytales from a Phisherman (Vol. II)
byMichele Orru
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
byMichele Orru
 
Practical Phishing Automation with PhishLulz - KiwiCon X
byMichele Orru
 
Setting Up .Onion Addresses for your Enterprise, v3.5
byAlec Muffett
 
Why and How to use Onion Networking - #EMFCamp2018
byAlec Muffett
 

Similar to Setting-up a .Onion address for your Website, v1.5

PDF
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...
byapidays
 
PDF
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
byJie Liau
 
PPTX
Tor .onions: The Good, The Rotten and The Misconfigured
byDefCamp
 
PPTX
Osint - Dark side of Internet
byRaghav Bisht
 
PPTX
Are TOR Hidden Services really hidden? Demystifying HS Directory surveillance...
byAbhinav Biswas
 
PDF
HITCONHITCONHITCON_FreeTalk_2024_DarkWeb
byJie Liau
 
PDF
HITCON FreeTalk 20240726 - Dark side of the Force - 探索暗網威脅【 議題一:Drive Into th...
byHacks in Taiwan (HITCON)
 
PDF
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
byAmirali Sanatinia
 
PPTX
Introduction to DARK WEB_students 2023.pptx
byRobertDanso
 
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...
byapidays
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
byJie Liau
 
Tor .onions: The Good, The Rotten and The Misconfigured
byDefCamp
 
Osint - Dark side of Internet
byRaghav Bisht
 
Are TOR Hidden Services really hidden? Demystifying HS Directory surveillance...
byAbhinav Biswas
 
HITCONHITCONHITCON_FreeTalk_2024_DarkWeb
byJie Liau
 
HITCON FreeTalk 20240726 - Dark side of the Force - 探索暗網威脅【 議題一:Drive Into th...
byHacks in Taiwan (HITCON)
 
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
byAmirali Sanatinia
 
Introduction to DARK WEB_students 2023.pptx
byRobertDanso
 

More from Alec Muffett

PDF
How To Think Clearly About Cybersecurity v2
byAlec Muffett
 
PDF
Sex, Lies & Instant Messenger v3
byAlec Muffett
 
PDF
You and Your Phone are Huge Threats to the Net
byAlec Muffett
 
PDF
Sex, Lies and Instant Messenger v2
byAlec Muffett
 
PDF
How To Think Clearly About Cybersecurity v1
byAlec Muffett
 
PDF
Sex, Lies and Instant Messenger v1
byAlec Muffett
 
How To Think Clearly About Cybersecurity v2
byAlec Muffett
 
Sex, Lies & Instant Messenger v3
byAlec Muffett
 
You and Your Phone are Huge Threats to the Net
byAlec Muffett
 
Sex, Lies and Instant Messenger v2
byAlec Muffett
 
How To Think Clearly About Cybersecurity v1
byAlec Muffett
 
Sex, Lies and Instant Messenger v1
byAlec Muffett
 

Recently uploaded

PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PPTX
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
PDF
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
PDF
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PDF
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PDF
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
Top 10 API Automation Testing Tools: Features, Pros & Cons
byhenrycavill30521
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
AI Driven & AI Native Development AI native development
byZainKarim7
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 

Setting-up a .Onion address for your Website, v1.5

  • 1.
    setting up a .onionaddress …for your website v1.5 - @alecmuffett 2017
  • 2.
    why .onion? • youhave an audience, or you have a community • for some, ability to access content is hampered • for some, risk of fake websites, credential theft,
 or political repercussions for accessing content • for some, privacy, assurance & trust is paramount
  • 3.
    how does onionhelp? • greater assurance • facebookcorewwwi.onion => genuine facebook • greater availability • .onion => hard to block, hard to monitor • fewer digital footprints • people using onions are perforce using tor browser • tor browser is generally better at data "hygiene"
  • 5.
    mobile ux? yes! •mac / win / linux • tor browser (integrated) • android • orbot (tor) + orfox (browser) • ios • onion browser • other ios in progress
  • 7.
    so: what is.onion? top level domain name for the "onion" namespace
  • 8.
    what is anamespace? • namespace is "an address & what it means/looks like" • ipv4 addresses look like: 192.168.1.1 • ipv6 addresses look like: fe80::226:21ff:fed8:fbc2 • dns addresses look like: www.foo.com • onion addresses look like: ylzpg2givhwizoep.onion
  • 9.
    how do addresseswork? • all these addresses can be typed into a web browser: • http://192.168.1.1/- ipv4, supported everywhere • http://[fe80::226:21ff:fed8:fbc2]/ - ipv6, variable • http://www.foo.com/ - dns, supported everywhere • http://ylzpu2givhwizoep.onion/ - needs tor browser • …they all connect you to a remote computer
  • 10.
    how is .onionunusual? • "under the bonnet", an onion is a raw network address • …just like 192.168.1.1 or fe80::226:21ff:fed8:fbc2 • but: it is formatted like a traditional dns domain name • ".onion" looks like ".com" or ".co.uk" • this means browsers treat the addresses equitably • including subdomains: www.facebookcorewwwi.onion
  • 11.
    wait, subdomains on
 anetwork address? • yes! this would never work with ipv4 … • www.192.168.1.1 would not mean anything sensible • but www.facebookcorewwwi.onion is meaningful to HTTP • …still means facebookcorewwwi.onion • …the "www…" bit is transported in the Host: header • thus: standard HTTP/HTML/browser behaviour
  • 12.
    how do you
 chooseaddresses? • ipv4 addresses: you take what you are given (mostly) • ipv6 addresses: ditto • dns addresses: you choose a name, & register it • …unless someone beats you to it… • onion addresses: you "mine" one, a little like bitcoin • more mining => "better quality" address
  • 13.
    how to serve.onion? several options: 1. set up a dedicated website with duplicate content • e.g.: various dedicated onion sites 2. make your CMS aware of ".onion" domain/traffic • e.g.: facebook 3. install an onion shim • e.g.: propublica, new york times
  • 14.
    1. dedicated server •hypothetical: you have a separate web server, and it… • is configured to know about its onion address • serves duplicate content where necessary • essentially runs as a standalone service
  • 15.
    2. onion-aware CMS •hypothetical: you have a web server, and it… • serves content to .com, .co.uk, .za, .in, … • distinct content for each domain / different URLs • why not just add yet another domain name? • tag all requests arriving from your .onion • ensure that such tagged requests are properly responded-to, citing your onion address(es)
  • 16.
    3. onion shim •hypothetical: you have a web server, and it… • primarily serves content as (say) nytimes.com • install a shim between it and tor • which bidirectionally rewrites requests & responses • nytimes.com <=> nytimes3xbfgragh.onion • via custom engineering, or Enterprise Onion Toolkit
 (free, libre, open-source toolkit for enterprise onions)
  • 17.
    summary
 (or: blend thesetogether...) 1. dedicated onion site • rare, use-case dependent 2. onion-aware CMS • excellent for primarily-dynamically-generated content • modest engineering, ongoing commitment, can be 100% solution 3. onion shim • onionifies all content, including static or static/dynamic mix • minimal/zero engineering, some edge cases, 95..99%+ solution
  • 18.
    notes • don't forgetto onionify your CDN where possible • try to avoid content-leakage between domains • accidentally wandering-off to the .com site • e.g. OAuth redirects • use horizontal load-balancing for backend scale • free solution (onionbalance) exists • onions (even via rewriting) are astonishingly efficient
  • 19.
    finally • you willalmost certainly need to buy a special HTTPS cert • cost: probably from mid $$$ to low $$$$ • plus associated paperwork & faff • if you take payments / subscriptions? • you may want to restrict access to payments over tor? • chiefly because payment providers sometimes block tor, and this can lead to poor user experiences…
  • 20.
    summary • this isan evolving environment! • provide additional access, security & safety opportunities for your audiences & communities! • cutting-edge experimental fun!