TL;DR: the Tor .onion mirror of this site has moved. The old .onion address will forward to the new .onion address until Onion Service V2 is deprecated later in 2021.

I've got a new home on the anonymizing Tor network! It's:

http://martymcgfuraocsgy2a25btl5srhifcdud6m4eiphz2mq6fafttwh7qd.onion/

Tor What Now?

Tor aka "the onion router" is an anonymizing network that protects the identity and location of users by bouncing their traffic through a set of volunteer servers, with encryption at each layer to make it harder for any given server to figure out who is sending what to whom.

Tor can also protect the identity and location of the sites and services that users are accessing, using a "rendezvous server" where the user's encrypted layers meet a similar set of encrypted layers to the server.

These were originally known as "hidden services", and are often what folks are referring to when they speak mysteriously of the "dark web". In recent years, to shake off some of the suspicion raised by the word "hidden", these have been renamed to Onion Services.

A Partial History

I first set up a ".onion" address for my site back in mid-2016 when I was playing with some decentralized web projects (decentralized web projects which I later forgot 😬). I used a tool called Shallot to generate a "vanity" URL that started with my usual online handle of schmarty. Once it was up and running, you could visit http://schmartyp7qtjzn7.onion/ and see the same content as my main domain https://martymcgui.re/

Sometime later (2019?) I got the hint from a (now lost to me) blog post to use Apache's mod_substitute to rewrite the HTML you get when visiting the site. This let me replace URLs for images, video, and other files from the not-onion website with .onion URLs. This cleanup keeps network requests for my content inside the Tor network.

Last year, the Tor Project announced Onion-Location, a way for sites to announce when they have a .onion version available. I added Onion-Location to my site so folks viewing it in the Tor browser could be redirected to the .onion version in one click. They also sent me some stickers for my trouble. Pretty neat!

Meanwhile, back in late 2017, Tor rolled out a new Onion Service version 3, with several improvements, including new, longer (and incompatible-with-V2) .onion domains. Folks running Onion Services were encouraged to move to the new system and in mid-2020 a timeline was announced to shut down V2 Onion Services.

I've had the upgrade on my list for a while and just hadn't got around to it. Then some discussion about V2 and V3 .onions in the IndieWeb chat got a little spicy and reminded me that I should just buckle up and do it.

Enough History, What About the Update?

What's in a (.onion) Name?

Today I hope that I am less vain than I was in 2016. I still wanted a little bit of myself in my new .onion address! So I grabbed mkp224o, a program for generating and filtering .onion address keys. The probability of generating a key with the a sequence that you want goes down very quickly as you make the sequence longer. So, the more specific your vanity desires, the longer you'll need to run a tool like mkp244o to have a chance to a .onion that you like. At 8 characters, "martymcg" seemed like pressing my luck, but I started it up and let it run overnight.

The next day, bless random number generation, I had a hit! This gave me the keys I'd need to run a site at martymcgfuraocsgy2a25btl5srhifcdud6m4eiphz2mq6fafttwh7qd.onion.

Is This Server Maintenance? 💁🏻‍♂️🦋

With keys in hand, I set about getting this new onion service set up on the frankly ancient and creaky server that hosts my site.

I wasn't sure what minimum version of tor I'd need, and the server was running – oh my gosh – Ubuntu 14.04. So the update paused here while I reflexively upgraded to 16.04, breaking a bunch of my Python sites. After some time struggling to solve Apache mod_wsgi segmentation faults (!), I invoked YOLO Ops and upgraded to 18.04. Miracle of miracles – my sites worked again! Having pressed my luck once I decided not to go for 20.04 today. Did I learn anything from this? Probably not.

Unfortunately (and perhaps obvious in hindsight) the Ubuntu 18.04 package for tor was an obsolete version. Ultimately I added the Tor PPA and am, finally, running the recommended recent version of tor.

I Thought this was About an Onion Service

At last I was ready to set up this new V3 onion service. I copied over the files generated by mkp224o to a new folder under /var/lib/tor and updated the file permissions to match tor's expectations. (Seriously, make sure to follow the mkp224o README instructions for file ownership and permissions exactly or tor just won't start).

With the key files in place, I edited /etc/tor/torrc to make a new onion service definition for the domain, pointed at my web server. Shortly after, I could see my web server's default site at my new .onion domain and the rest of the process was more familiar website plumbing.

I copied the Apache virtualhost config from my old V2 .onion to a new config for the V3 .onion. This was pretty much just a copy/paste/find-replace job. With the new virtualhost enabled and Apache restarted, I could see my site!

To make things official, it was time to clean up more Apache configs. I updated my main site to use the new .onion domain for Onion-Location, so Tor Browser users will be prompted to go there automatically. I also updated the old V2 .onion domain to redirect to the new one.

What's Next?

V2 .onions are set to stop working on Tor Browser in July 2021, and be entirely removed from the network in October 2021. At that point I'll shut down the old service.

While this website's update is done, I'm not finished upgrading personal onion services. I've got several that I've set up over the years for server-to-server connections and for services like Home Assistant that only "exist" on my home network but that I might occasionally access from out in the world. They're great for punching through firewalls!

What Does This Have to Do with IndieWeb?

The somewhat cataclysmic end of V2 onion services had folks in the IndieWeb chat questioning whether a .onion could ever be trustworthy for identity. It's true that the Tor Project is likely someday to replace and sunset V3 domains if a security need arises! .onion domain longevity is not a promised feature.

That said, V2 onion services were around for the past 15 years! My own V2 .onion domain has been up trouble-free for 5 years. That's longer than I've held many "real" domains! And, I didn't have to give my identity information and money to register my .onion like a regular TLD, or remember to feed the blockchain like Namecoin's .bit TLD, or worry about a DNS registrar bumping up prices, serving a takedown notice, letting a scammer transfer it away, squatting or selling it because I forgot to update my payment info, or getting caught up in trade and border disputes. Domains change and people move their stuff around. We figure it out.

I think a much (much) bigger barrier to IndieWeb adoption of .onions is the requirement of running a tor service and making requests through it in order to access onion services. Maybe it's not a big surprise (or hardship) that folks can only visit a .onion website via a specialized browser like Tor Browser. However, for many of the interactive building blocks of the IndieWeb to work, sites need to be able to talk server-to-server. Following feeds on .onion sites, or sending and receiving Webmentions with them, would require making a wide plurality of software "onion-aware".

Is that doable? Yeah, with a lot of goodwill, motivation, and collaboration.

Is it likely to happen? I guess that depends on how many folks make a .onion site their home on the web. 😏