Onion Garden via Wikimedia Madmad1234, CC BY-SA 4.0

Remaking the .onion site

I spent a few minutes this May Day weekend to revisit my now archived blog post on mirroring a website on a hidden .onion address using EOTK. When migrating back to WordPress earlier this year, I decided to let the rest of the internet keep the blog’s previous version. As needed, I’ll resurface some of the posts that may still have legs. But one thing I wanted to eventually do is reboot the mirror of this site that’s only available via the Tor Browser, and also check if my instructions were still any good.

That post had good SEO on this specific topic, but I started feeling leery about some sections as elements in the tech stack have had minor changes as they’ve updated over time. Technical howtos have shorter shelf lives the more specific they get. And the old mirror had died when the SSL certificate had died, and I couldn’t be arsed to buy another one (more on that below, if you’re interested).

Without repeating everything in that old post, here’s a short recap: sites found with .onion URLs are only accessible using the Tor Browser, which is a tool that helps its users stay anonymous on the web and circumvent censorship. Because .onion addresses are only accessible inside the Tor network, they’re basically “hidden.” There’s much more to it; here’s a FAQ if you’re interested.

EOTK is the kit that gets your site most easily mirrored as a hidden service. I wrote my blog as essentially a short-cut to the main bits if someone were to do it using my setup, and broke it down into two parts: The EOTK bit, and the SSL bit. This time around, the EOTK bit took me about 10 minutes in total, once the server was set up. I’ve let the SSL bit go for the time being.

Launch the Tor Browser and find this site at: https://dhuelowganysmmaka4gsa6vbtnczenozspzhbfjh7hcrzxphca3iyqid.onion/

For some reason the blog title substitutes the site name with the onion address. Some day I’ll do something about that. It seems to like to change whatever is in a site’s header as <title> or <h1>. You’ll also notice I haven’t done the SSL part yet. Now, there are valid reasons for setting up SSL on a hidden service site. SSL is useful for encrypting data, but also for verifying a site’s ownership, so you know you’re at the right one.

My problem is that I find it hard to justify paying for SSL, which is, after all, just a protocol. Unless you’re a company or institution with financial, legal or other liabilities needing third-party verification (which is a service), it should be free. It’s like paying for http to appear at the front of your website, or spending a nickel every time you move a file across FTP. It’s bad enough DNS has been reduced to being a real estate scam, what’s next, a meter next to your SSH session?

When Harica.gr started offering SSL certificates to let .onion addresses use https, they did so at the low, low price of € 5.58. That was just on this side of reasonable, and far from the only other .onion SSL dealer, DigiCert ($344 for a 1-year SSL certificate at the time). Harica has since increased its price to € 30, which is also too much for a mirror of a site that’s already got its https sorted through Let’s Encrypt on the clear web.

Unless you’re the BBC or Facebook, there’s no reason for circle-of-trust, expensive SSL certificates. But it should exist as a capability for the rest of us. But as my site is a read-only experience for the odd member of the general public who stumbles across it, I’ll leave it as is for now. Anyway, the old blog’s tutorial still works.