Onion service (hidden service)

An onion service (formerly “hidden service”) is a server that is reachable only through the Tor network, with an .onion address that does not resolve through normal DNS. Both client and server are anonymous to each other: the server’s real IP address is not revealed to clients, and the client’s real IP address is not revealed to the server. The architecture used by SecureDrop, ProtonMail’s onion mirror, the New York Times onion mirror, BBC onion mirror, and the broader category of Tor-only services.

What it means in practice

The structural property that makes onion services distinct: the connection never leaves the Tor network. A normal Tor session routes through three hops to an exit node and then to a normal internet service, with the exit-relay-to-destination leg unencrypted at the Tor layer (only TLS provides confidentiality from there). An onion-service session uses six Tor hops total (three on each side) and never exits the Tor network, providing end-to-end encryption at the Tor layer and full anonymity for both endpoints. The use cases that justify the architecture: SecureDrop for whistleblower-to-journalist file transfer where neither side wants the other identified, services in censorship-heavy jurisdictions where the regular DNS access is blocked, and high-anonymity services where exit-node observation is part of the threat model.

Who uses them, and against whom

Operated by: SecureDrop instances at over 70 newsrooms (NYT, Guardian, WaPo, Reuters, BBC, ProPublica, ICIJ, dozens more), ProtonMail and Proton VPN running onion mirrors of their main services, BBC News operating an onion mirror specifically for users in censorship-heavy jurisdictions where the bbc.co.uk domain is blocked, the Tor Project running its own services as onion services, plus the broader category of activist and human-rights organizations operating Tor-only services. Adversaries: nation-state services attempting to deanonymize onion services through traffic-correlation attacks (the academic literature is extensive), criminal exit-relay operators harvesting cleartext credentials from non-onion-service Tor traffic, and the structural threat that an onion service’s server can be deanonymized through application-layer mistakes (not the Tor layer itself but the configuration that fails to compartment).

What you can change today

If your work justifies onion-service consumption, use Tor Browser to access the onion mirrors of services you already use: ProtonMail at protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion, BBC at bbcnewsd73hkzno2ini43t4gblxvycyac5aw4gnv7t2rccijh7745uqd.onion, NYT at nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion, Facebook at facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion (the Facebook onion exists for users in censorship-heavy jurisdictions where Facebook is blocked). For high-target users: SecureDrop submission is the documented workflow when contacting newsrooms about sensitive material; the journalists’ onion address is published on each newsroom’s tip page.

Related articles