Tor soups up onion sites with bountiful browser bump: No more tears trying to find the secure sites you want

The Tor Project this week rolled out an update to its browser that attempts to make the anonymity-protecting onion routing scheme more approachable.

Version 9.5 arrives on the back of Firefox 77, which debuted on Tuesday with few noteworthy additions beyond security fixes. The Tor Browser is based on a foundation of Firefox code, but goes further in an attempt to provide proper anonymity online.

Online anonymity cannot be guaranteed, but the Tor Browser and Tor protocol are among the most well-regarded privacy protection technologies available to the public and – if properly used – make identification difficult for all but the most capable of adversaries.

The Tor Project itself emerged from federally funded research led by the US Office of Naval Research and DARPA. Tor is an acronym for the original name of the project, The Onion Router, an encrypted networking protocol designed to support anonymous communication – although paradoxically a popular website for Tor users is Facebook.

"With onion services (.onion addresses), website administrators can provide their users with anonymous connections that are metadata-free or that hide metadata from any third party," explains Antonela Debiasi, a UX designer for The Tor Project, in a blog post. "Onion services are also one of the few censorship circumvention technologies that allow users to route around censorship while simultaneously protecting their privacy and identity."

Onion services (e.g. Duck Duck Go's onion site, https://3g2upl4pq6kufc4m.onion/) are accessible through the Tor Browser, or a browser like Firefox if the Tor software is installed locally and the browser has been configured to deal with .onion addresses.

Navigation through dark waters

But they're not very easy to discover. The latest Tor Browser lets web publishers advertise their onion service to Tor users through an HTTP header. Those visiting a website that has an .onion address and the Onion Location setting enabled will see a label that a secure service is available in the web address bar and a prompt to switch to the onion protocol.

This capability is intended to complement another service discovery mechanism known as HTTP Alternative Services, a way for servers to tell clients about alternative addresses or protocols.

The Tor Browser is also testing a way to make the cryptographic alphabet soup of onion addresses easier for people to remember. Toward that end, the project has partnered with Freedom of the Press Foundation (FPF) and the Electronic Frontier Foundation's HTTPS Everywhere to deploy human-readable Secure Drop sites.

Secure Drop is an open-source whistleblower platform for submitting documents online anonymously. It relies on Tor and difficult-to-remember onion addresses like http://qn4qfeeslglmwxgb.onion/. The Secure Drop site is run by activist organization Lucy Parsons Labs.

Under the latest version of the Tor Browser that onion address has an alias, lucyparsonslabs.securedrop.tor.onion. The Tor Project and FPF plan to evaluate the response to this addressing alternative with an eye toward making it more widely available.

The update also supports the ability of onion service administrators to set key pairs for access control and authentication. Those using the Tor Browser can save those keys through the about:preferences#privacy menu in the Onion Services Authentication section.

The Tor Browser is also taking a page – or rather an interface convention – from other browser makers with regard to how it communicates connection security.

Last year, mainstream browser makers turned the green TLS/SSL icon gray to make the insecure connections, dressed in red, stand out more. The Tor Browser is now following suit, making its security indicator gray so the colored icons indicating insecure connections or sites with mixed content are more visibly apparent.

Along similar lines, v9.5 swaps standard Firefox error messages, which conveyed no information about onion connection issues, for a simplified connection diagram that shows the source of the error.

The Tor Browser is available for Android, Linux, macOS, and Windows, and can be downloaded as source code. ®