Marty McGuire

Recent Posts

Wed May 5

Are you staying hydrated during eternal Caturday?

Tue May 4

What are you shaking off during eternal Caturday?

Mon May 3
🔖 Bookmarked left alone, together

“the amount of energy that would be required for all of us to monitor everyone we’ve ever given any data to, forever, is just too much”

Time to greet a new week of eternal Caturday!

Sun May 2

Are you keeping your eye on the ball during eternal Caturday?

Updating my Tor mirror to Onion Service V3

TL;DR: the Tor .onion mirror of this site has moved. The old .onion address will forward to the new .onion address until Onion Service V2 is deprecated later in 2021.

I've got a new home on the anonymizing Tor network! It's:


Tor What Now?

Tor aka "the onion router" is an anonymizing network that protects the identity and location of users by bouncing their traffic through a set of volunteer servers, with encryption at each layer to make it harder for any given server to figure out who is sending what to whom.

Tor can also protect the identity and location of the sites and services that users are accessing, using a "rendezvous server" where the user's encrypted layers meet a similar set of encrypted layers to the server.

These were originally known as "hidden services", and are often what folks are referring to when they speak mysteriously of the "dark web". In recent years, to shake off some of the suspicion raised by the word "hidden", these have been renamed to Onion Services.

A Partial History

I first set up a ".onion" address for my site back in mid-2016 when I was playing with some decentralized web projects (decentralized web projects which I later forgot 😬). I used a tool called Shallot to generate a "vanity" URL that started with my usual online handle of schmarty. Once it was up and running, you could visit http://schmartyp7qtjzn7.onion/ and see the same content as my main domain.

Sometime later (2019?) I got the hint from a (now lost to me) blog post to use Apache's mod_substitute to rewrite the HTML you get when visiting the site. This let me replace URLs for images, video, and other files from the not-onion website with .onion URLs. This cleanup keeps network requests for my content inside the Tor network.

Last year, the Tor Project announced Onion-Location, a way for sites to announce when they have a .onion version available. I added Onion-Location to my site so folks viewing it in the Tor browser could be redirected to the .onion version in one click. They also sent me some stickers for my trouble. Pretty neat!

Meanwhile, back in late 2017, Tor rolled out a new Onion Service version 3, with several improvements, including new, longer (and incompatible-with-V2) .onion domains. Folks running Onion Services were encouraged to move to the new system and in mid-2020 a timeline was announced to shut down V2 Onion Services.

I've had the upgrade on my list for a while and just hadn't got around to it. Then some discussion about V2 and V3 .onions in the IndieWeb chat got a little spicy and reminded me that I should just buckle up and do it.

Enough History, What About the Update?

What's in a (.onion) Name?

Today I hope that I am less vain than I was in 2016. I still wanted a little bit of myself in my new .onion address! So I grabbed mkp224o, a program for generating and filtering .onion address keys. The probability of generating a key with the sequence that you want goes down very quickly as you make the sequence longer. So, the more specific your vanity desires, the longer you'll need to run a tool like mkp224o to have a chance at a .onion that you like. At 8 characters, "martymcg" seemed like pressing my luck, but I started it up and let it run overnight.

The next day, bless random number generation, I had a hit! This gave me the keys I'd need to run a site at martymcgfuraocsgy2a25btl5srhifcdud6m4eiphz2mq6fafttwh7qd.onion.
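The arithmetic behind that overnight wait, and the way a V3 address encodes its key, as an added example (not code from the original post or from mkp224o). It follows the V3 address layout of a 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte; the function names are this example's own and the sample key is constructed.

```python
import base64
import hashlib

VERSION = b"\x03"  # V3 onion services

def v3_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a V3 .onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"

def classify_onion(hostname: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a .onion hostname."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].rsplit(".", 1)[-1]  # drop any subdomain
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # wrong alphabet or length
        return "invalid"
    if len(raw) == 10:  # V2: 80 bits, 16 characters
        return "v2"
    # V3: 35 bytes, 56 characters; recomputing checks checksum and version
    if len(raw) == 35 and v3_address(raw[:32]) == label + ".onion":
        return "v3"
    return "invalid"

def expected_vanity_attempts(prefix: str) -> int:
    """Average number of keys generated before an address starts with prefix."""
    if not prefix or set(prefix.lower()) - set("abcdefghijklmnopqrstuvwxyz234567"):
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    return 32 ** len(prefix)  # each extra character multiplies the work by 32

if __name__ == "__main__":
    sample = v3_address(bytes(range(32)))  # constructed key, not a real service
    print(sample, classify_onion(sample))
    print(classify_onion("schmartyp7qtjzn7.onion"))  # the V2 address from the post
    print(f"{expected_vanity_attempts('martymcg'):,} keys on average for 'martymcg'")
```

Because the checksum is part of the hostname, `classify_onion` rejects a mistyped V3 address before it ends up in a redirect or an Onion-Location header.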

Is This Server Maintenance? 💁🏻‍♂️🦋

With keys in hand, I set about getting this new onion service set up on the frankly ancient and creaky server that hosts my site.

I wasn't sure what minimum version of tor I'd need, and the server was running – oh my gosh – Ubuntu 14.04. So the update paused here while I reflexively upgraded to 16.04, breaking a bunch of my Python sites. After some time struggling to solve Apache mod_wsgi segmentation faults (!), I invoked YOLO Ops and upgraded to 18.04. Miracle of miracles – my sites worked again! Having pressed my luck once I decided not to go for 20.04 today. Did I learn anything from this? Probably not.

Unfortunately (and perhaps obvious in hindsight) the Ubuntu 18.04 package for tor was an obsolete version. Ultimately I added the Tor PPA and am, finally, running the recommended recent version of tor.

I Thought this was About an Onion Service

At last I was ready to set up this new V3 onion service. I copied over the files generated by mkp224o to a new folder under /var/lib/tor and updated the file permissions to match tor's expectations. (Seriously, make sure to follow the mkp224o README instructions for file ownership and permissions exactly or tor just won't start.)
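A pre-flight check for the copied key folder, as an added example rather than anything from the original post or the mkp224o README: it lists ownership and mode problems before tor is restarted. Assumptions: `hs_ed25519_secret_key` is the V3 private key file name, treating any group or other permission bit as a finding is this example's policy, and `audit_onion_dir` is a name made up here.

```python
import os
import stat

SECRET_KEY = "hs_ed25519_secret_key"  # V3 onion service private key file

def audit_onion_dir(path, tor_uid):
    """List findings for a tor HiddenServiceDir; an empty list means it looks sane."""
    findings = []
    if not os.path.isdir(path) or os.path.islink(path):
        return [f"{path}: not a real directory"]
    if not os.path.isfile(os.path.join(path, SECRET_KEY)):
        # Without the copied key, the vanity address cannot be served.
        findings.append(f"{SECRET_KEY} missing: tor would generate a new random address")
    # Check the directory itself and everything directly inside it.
    targets = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for target in targets:
        info = os.lstat(target)
        mode = stat.S_IMODE(info.st_mode)
        if info.st_uid != tor_uid:
            findings.append(f"{target}: owned by uid {info.st_uid}, not {tor_uid}")
        if mode & 0o077:
            findings.append(f"{target}: mode {mode:04o} allows group/other access")
    return findings
```

Call it with the folder created under /var/lib/tor and the uid of the account tor runs as.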

With the key files in place, I edited /etc/tor/torrc to make a new onion service definition for the domain, pointed at my web server. Shortly after, I could see my web server's default site at my new .onion domain and the rest of the process was more familiar website plumbing.

I copied the Apache virtualhost config from my old V2 .onion to a new config for the V3 .onion. This was pretty much just a copy/paste/find-replace job. With the new virtualhost enabled and Apache restarted, I could see my site!

Tor Browser screenshot showing the new .onion address and part of my homepage.

To make things official, it was time to clean up more Apache configs. I updated my main site to use the new .onion domain for Onion-Location, so Tor Browser users will be prompted to go there automatically. I also updated the old V2 .onion domain to redirect to the new one.

What's Next?

V2 .onions are set to stop working on Tor Browser in July 2021, and be entirely removed from the network in October 2021. At that point I'll shut down the old service.

While this website's update is done, I'm not finished upgrading personal onion services. I've got several that I've set up over the years for server-to-server connections and for services like Home Assistant that only "exist" on my home network but that I might occasionally access from out in the world. They're great for punching through firewalls!

What Does This Have to Do with IndieWeb?

The somewhat cataclysmic end of V2 onion services had folks in the IndieWeb chat questioning whether a .onion could ever be trustworthy for identity. It's true that the Tor Project is likely someday to replace and sunset V3 domains if a security need arises! .onion domain longevity is not a promised feature.

That said, V2 onion services were around for the past 15 years! My own V2 .onion domain has been up trouble-free for 5 years. That's longer than I've held many "real" domains! And, I didn't have to give my identity information and money to register my .onion like a regular TLD, or remember to feed the blockchain like Namecoin's .bit TLD, or worry about a DNS registrar bumping up prices, serving a takedown notice, letting a scammer transfer it away, squatting or selling it because I forgot to update my payment info, or getting caught up in trade and border disputes. Domains change and people move their stuff around. We figure it out.

I think a much (much) bigger barrier to IndieWeb adoption of .onions is the requirement of running a tor service and making requests through it in order to access onion services. Maybe it's not a big surprise (or hardship) that folks can only visit a .onion website via a specialized browser like Tor Browser. However, for many of the interactive building blocks of the IndieWeb to work, sites need to be able to talk server-to-server. Following feeds on .onion sites, or sending and receiving Webmentions with them, would require making a wide plurality of software "onion-aware".

Is that doable? Yeah, with a lot of goodwill, motivation, and collaboration.

Is it likely to happen? I guess that depends on how many folks make a .onion site their home on the web. 😏

Sat May 1

Are you working out where you fit in during eternal Caturday?

🔁 Reposted
post from Why Diversity is Important
Basecamp announced it would ban “societal and political discussions” at work. Although I’m sure some folks were ecstatic to hear that mentions of BLM or social awareness talks are banned from the work place and work space, the majority of folks were not happy to hear this news. …
Fri Apr 30

Are you phoning it in during eternal Caturday?

Thu Apr 29

Have you set up shop during eternal Caturday?

📕 Finished reading Fugitive Telemetry by Martha Wells ISBN: 9781250765376
Wed Apr 28

Second shot and feeling vaxxed!!

Are you making a home of temporary things during eternal Caturday?

Tue Apr 27

Are you watching and waiting together during eternal Caturday?

🔁 Reposted
post from The DEI rollback
Yesterday, Jason Fried, Basecamp’s CEO, shared an internal memo he’d written about changes at the company. In it, he details how political discussions are no longer acceptable at work, and how benefits he considers to be “paternalistic” - like gym memberships and farmer’s market …
Mon Apr 26

Ready to climb out of your weekend box and face eternal Caturday?

📗 Want to read Mismatch by Kat Holmes ISBN: 9780262038881
Sun Apr 25

Are you remembering to relax your muscle tension during eternal Caturday?

Sat Apr 24

Have your boundaries blurred during eternal Caturday?

Fri Apr 23
🔖 Bookmarked 11 Years of Inspiration

“I visit this space often. Sometimes to wander and wonder, other times to gather ideas for something new.”

Are you using all your senses during eternal Caturday?

Thu Apr 22

Have you followed the instructions exhaustively during eternal Caturday?

Wed Apr 21
🔖 Bookmarked Adactio: Journal—Get the FLoC out

“The flaw in Google’s reasoning is the fundamental idea that tracking is necessary for advertising. That’s simply not true. Sacrificing user privacy is fundamental to behavioural advertising …but behavioural advertising is not the only kind of advertising. It isn’t even a very good kind of advertising.”

Have you bitten off more than you can chew during eternal Caturday?

Tue Apr 20

Are you claiming things for yourself during eternal Caturday?

Mon Apr 19

Do you have your eyes open during eternal Caturday?

🔖 Bookmarked Second Beat Songs — it’s time to get real for a second

“this every-other-beat thing … was invented by the wonderful @paulsultimatearchive​! You might recognize him as the original creator of 250 miles, which is the every-other-beat version of 500 Miles by The Proclaimers.

… it got me thinking, and I started experimenting with the Infinite and Eternal Jukeboxes, and I started making some of these skipped-beat songs for myself.”

☑ RSVP'd to an event
Webmentions Beyond
Webmentions haven't really been revisited in some time (and with the advent of people leaning to This is a chance to see what's been really wanted, what hasn't worked and where we can go with it.
I'm going!

Looking forward to this IndieWeb Popup! Despite my occasional salty-sounding post about Webmention I am very optimistic about their power as a tool for the web.

Sun Apr 18

Are you sleeping soundly during eternal Caturday?

Sat Apr 17

Have you found a cozy place during eternal Caturday?