How does .onion work
Computers send data across the internet in small packets. They don't just carry pieces of the data that's being sent, such as an image or text.
They also contain all sorts of metadata, including the origin and destination of the packet. Encryption prevents ISPs, the government, and hackers from reading the packets' content. However, anyone intercepting a packet can still see who sent it and where it's going. If the site that person is visiting is forbidden in their country, then it doesn't matter that the data inside the packet can't be read.
Onion routing uses multiple layers of encryption to obscure that additional information about the data packet. These heavily encrypted packets are then sent from your computer to their destination along a random route through a network of thousands and thousands of volunteer computers.
Each node on this network receives the packet and strips a layer of encryption before sending it on. The last node, or "exit" node, takes away the last bit of extra encryption before sending the packet to its final destination. Because of this elaborate method of routing packets, no one along the way knows who the original sender is or where the data is going, apart from the exit node, which does know the final address, but nothing else.
The end effect of this is that anyone who uses Tor is almost impossible to track through the Tor network itself. It's a military-grade solution that's been adapted for all the uses we know the Dark Web for today.
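The layering described above can be traced with a small model. This is an added example, not code from the original page or from the Tor Project: the relay names, keys, sender and destination are constructed, and the XOR keystream is a toy stand-in for Tor's real ciphers.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHAKE-256 keystream. Stand-in only, not Tor's cipher."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(route, destination: str, payload: bytes) -> bytes:
    """Build the cell the sender hands to the first relay.

    route is [(relay_name, shared_key), ...] in path order. The innermost
    layer (for the exit) names the destination; each outer layer names only
    the next relay.
    """
    names = [name for name, _ in route]
    next_hops = names[1:] + [destination]
    cell = payload
    for (_, key), nxt in reversed(list(zip(route, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = xor_layer(key, layer)
    return cell

def peel(key: bytes, cell: bytes):
    """Strip one layer: a relay learns the next hop and an opaque inner cell."""
    layer = json.loads(xor_layer(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def relay_views(route, sender: str, destination: str, payload: bytes):
    """Walk the cell along the route and record what each relay can observe."""
    cell, previous, views = wrap(route, destination, payload), sender, []
    for name, key in route:
        nxt, cell = peel(key, cell)
        views.append({"relay": name, "from": previous, "to": nxt,
                      "knows_sender": previous == sender,
                      "knows_destination": nxt == destination})
        previous = name
    return views, cell

# Constructed sample route and keys (hypothetical values).
ROUTE = [("guard", b"k1-constructed"), ("middle", b"k2-constructed"),
         ("exit", b"k3-constructed")]

if __name__ == "__main__":
    for view in relay_views(ROUTE, "alice", "news.example", b"anonymous tip")[0]:
        print(view)
```

No single relay's view contains both the sender and the destination, which is the property the routing scheme is built to provide.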
Everyone knows the format of surface web URLs these days. That web address is translated by a DNS server into the specific IP address of the server that hosts it. Onion addresses look different. For example, this is the official Facebook. This still looks pretty readable for a human, just like a normal URL. This is actually pretty uncommon.
That is because these addresses are generated using a randomized process, which yields a string of characters that no one is going to remember. Facebook had to pull some high-end trickery in order to make an onion domain that actually says what they wanted.
This is a test site created by the Tor project. It's a more typical example of what onion addresses look like. If you type an onion address into your regular browser right now and try to visit the site, you'll get an error message. In particular, an onion service's address looks like this: vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.
This looks weird and random because it's the identity public key of the onion service. That's one of the reasons we can achieve the security properties above.
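To see that the address really is a public key, it can be decoded. The sketch below is an added example, not code from the original page: the field layout (32-byte Ed25519 public key, 2-byte checksum, 1-byte version, with the checksum taken from SHA3-256 over ".onion checksum", the key and the version) comes from Tor's version 3 onion service specification rather than from this page, and the function names are hypothetical.

```python
import base64
import hashlib

VERSION = 3
PAGE_ADDRESS = "vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd"  # from the text above

def _checksum(pubkey: bytes, version: int) -> bytes:
    # First two bytes of SHA3-256(".onion checksum" || pubkey || version).
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]

def encode_onion(pubkey: bytes) -> str:
    """Derive the v3 address for a 32-byte identity public key."""
    if len(pubkey) != 32:
        raise ValueError("identity public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey, VERSION) + bytes([VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def decode_onion(address: str) -> dict:
    """Split a v3 address into its fields and check its integrity.

    Accepts the label with or without ".onion"; subdomain labels are ignored.
    Raises ValueError for a wrong length or non-base32 characters.
    """
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    label = label.rsplit(".", 1)[-1]
    if len(label) != 56:
        raise ValueError("v3 onion label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return {
        "pubkey": pubkey,
        "version": version,
        "checksum_ok": version == VERSION and checksum == _checksum(pubkey, version),
    }

if __name__ == "__main__":
    info = decode_onion(PAGE_ADDRESS)
    print("version:", info["version"])
    print("identity public key:", info["pubkey"].hex())
    print("checksum ok:", info["checksum_ok"])
```

The checksum lets software reject a mistyped address before any connection is attempted.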
The onion service protocol uses the Tor network so that the client can introduce itself to the service, and then set up a rendezvous point with the service over the Tor network. Here is a detailed breakdown of how this happens: Let's imagine that your local newspaper decides to set up an onion service using SecureDrop to receive anonymous tips. As the first step in the protocol, the onion service will contact a bunch of Tor relays and ask them to act as its introduction points by establishing long-term circuits to them.
These circuits are anonymized circuits, so the server does not reveal the service location to the introduction points. The onion service will hide and protect itself behind the Tor network by only allowing access through three introduction points that it connects to through a two-hop Tor circuit.
Now that the introduction points are set up, we need to create a way for clients to be able to find them. For this reason, the onion service assembles an onion service descriptor, containing a list of its introduction points and "authentication keys", and signs this descriptor with the onion service's identity private key. The identity private key used here is the private part of the public key that is encoded in the onion service address. The onion service uploads that signed descriptor to a distributed hash table, which is part of the Tor network, so that clients can also get it.
It uses an anonymized Tor circuit to do this upload so that it does not reveal its location. Say you want to anonymously send some tax fraud data to your local newspaper through its SecureDrop. You find the onion address for the newspaper's SecureDrop from a public website or friend. All the previous steps were just set up for the onion service so that it's reachable by clients. This is where onion routing comes in.