- Joined
- Jun 24, 2021
- Messages
- 1,651
- Solutions
- 2
- Reaction score
- 1,769
- Points
- 113
- Deals
- 666
OnionShare is an open-source program that allows users to send and receive files, host websites, or chat anonymously using the Tor network. OnionShare runs services locally on a user's computer and then makes them available to others using Onion Services.
By default, OnionShare web addresses are protected with a random password. A typical OnionShare address might look something like this:
http://wavqqa7xslpew5q.onion/renewal-mongoose - for 1.3.2 version
http://onionshare:constrict-purity@by4im3ir5nsvygprmjq74xwplrkdgt44qmeapxawwikxacmr3dqzyjad.onion - for 2.3.2 version
You’re responsible for securely sharing that URL using a communication channel of your choice like in an encrypted chat message, or using something less secure like unencrypted e-mail, depending on your threat model. The people you send the URL to then copy and paste it into their Tor Browser to access the OnionShare service.
Because your own computer is the web server, no third party can access anything that happens in OnionShare, not even the developers of OnionShare. It’s completely private. And because OnionShare is based on Tor onion services too, it also protects your anonymity.
OnionShare version 1.3.2 is installed by default on Whonix and Tails systems. This version only allows file sharing. The newest version is 2.3.2. In addition to sharing files, it allows you to receive files, host a website, and organize anonymous chat. This version is available for Windows / Mac / Linux. Let's consider how both versions work.
In version 2.3.2, you need to open the Share Files tab.
The following parameters can be useful in the program settings:
1. "Stop sharing after the first download". If you disable this option, the files can be downloaded an unlimited number of times, and they will be available while the program window is open. In version 2.3.2, the option is called "Stop sharing after files have been sent" and if it is disabled, recipients will be able to download individual files instead of one large archive.
2. "Use auto-stop timer". By enabling this option, you can set the date and time when the files will be automatically deleted.
3. In version 2.3.2, you can share files all the time, and they will be available from the moment you start the program. To accomplish this, you need to enable "Save this tab, and automatically open it when I open OnionShare".
All subsequent functions are available only in version 2.3.2.
You can deny sending messages if you only want to receive files by selecting the corresponding option. Or disallow file uploads if you only want to exchange messages. For example, in this way you can make an anonymous form for communication.
It is also possible to set up sending notifications if someone sends you files. This is done using the "Use notification webhook" option. When connected, OnionShare will send an HTTP POST request to the specified URL when someone downloads files or sends a message.
To start the OnionShare service and start receiving files, simply click the "Start Receive Mode" button. Anyone loading this address in their Tor Browser will be able to upload files to your computer. You can also click the down “↓” icon in the top-right corner to show the history and progress of people sending files to you.
When someone uploads files to your reception service, by default they get saved to a folder called OnionShare in the home folder on your computer, automatically organized into separate subfolders based on the time that the files get uploaded.
If you need to host your own anonymous e-mail for receiving documents, it is recommended to do this using a separate computer, permanently connected, which is not used for normal work.
As protection when working with suspicious documents, you can use Tails OS, as well as work inside the Qubes or Whonix virtual machine.
However, it is always safe to open messages sent via OnionShare.
If you add an index.html file, it will render when someone loads your website. You should also include any other HTML files, CSS files, JavaScript files, and images that make up the website.
Note that OnionShare only supports hosting static websites. It can’t host websites that execute code or use databases. So, you can’t for example use WordPress. If you don’t have an index.html file, it will show a directory listing instead, and people loading it can look through the files and download them.
By default, OnionShare helps secure your website by setting a strict Content Security Police header. However, this prevents third-party content from loading inside the web page.
If you want to load content from third-party websites, like assets or JavaScript libraries from CDNs, check the “Don’t send Content Security Policy header (allows your website to use third-party resources)” box before starting the service.
If you want to host a long-term website using OnionShare (meaning not something to quickly show someone something), it’s recommended you do it on a separate, dedicated computer always powered on and connected to the Internet, and not on the one you use regularly. Save the tab (see Save Tabs) so you can resume the website with the same address if you close OnionShare and re-open it later. If your website is intended for the public, you should run it as a public service (Do Not Use Passwords option).
When someone joins the chat room, they get assigned a random name. They can change their name by typing a new name in the box in the left panel and pressing Enter. Since the chat history isn’t saved anywhere, it doesn’t get displayed at all, even if others were already chatting in the room. In an OnionShare chat room, everyone is anonymous. Anyone can change their name to anything, and there is no way to confirm anyone’s identity.
However, if you create an OnionShare chat room and securely send the address only to a small group of trusted people using encrypted messages, you can be reasonably confident the people joining the chat room are the ones you want there.
But how OnionShare chatting is useful when we already have messaging apps with encrypted chatting option? The thing is that OnionShare leaves no traces.
If you for example send a message to a Signal or a Telegram group, a copy of your message ends up on each device (the devices, and computers if they set up Signal or Telegram Desktop) of each member of the group. Even if disappearing messages is turned on, it’s hard to confirm all copies of the messages are actually deleted from all devices, and from any other places (like notifications databases) they may have been saved to. OnionShare chat rooms don’t store any messages anywhere, so the problem is reduced to a minimum.
OnionShare chat rooms can also be useful for people wanting to chat anonymously and securely with someone without needing to create any accounts. For example, a store can contact an employee: send an OnionShare address using a disposable e-mail address, and then wait for the journalist to join the chat room, all without compromising their anonymity.
By default, all OnionShare services are protected with the username onionshare and a randomly generated password. If someone takes 20 wrong guesses at the password, your onion service is automatically stopped to prevent a brute force attack against the OnionShare service. Sometimes you might want your OnionShare service to be accessible to the public, like if you want to set up an OnionShare receive service, so the public can securely and anonymously send you files. In this case, it is recommended to turn off password by selecting “Don’t use a password” option.
By default, when people open the OnionShare page in the Tor browser, they see the default service name. For example, the default chat title is "OnionShare Chat". If you want to specify your own title for the service, use the "Custom title" setting before starting the service.
1. You can use the Tor version that comes with OnionShare. This is the simplest, most reliable, default way to connect OnionShare to the Tor network, and is recommended for most users.
2. If the Tor browser is already installed on your computer, and you prefer not to launch a second parallel processor, you can use the processor associated with the Tor browser. To complete this, you need the Tor browser to be running in the background for the entire duration of OnionShare's use.
3. Using the system process tor. Configuration requires relatively advanced skills, such as editing configuration files and administering the operating system. In OS Tails and Whonix, OnionShare is configured this way.
You can use the built-in obfs4 pluggable transports, the built-in meek_lite (Azure) pluggable transports, or custom bridges, which you can obtain from Tor’s BridgeDB. If you need to use a bridge, try the built-in obfs4 ones first.
By default, OnionShare web addresses are protected with a random password. A typical OnionShare address might look something like this:
http://wavqqa7xslpew5q.onion/renewal-mongoose - for 1.3.2 version
http://onionshare:constrict-purity@by4im3ir5nsvygprmjq74xwplrkdgt44qmeapxawwikxacmr3dqzyjad.onion - for 2.3.2 version
You’re responsible for securely sharing that URL using a communication channel of your choice like in an encrypted chat message, or using something less secure like unencrypted e-mail, depending on your threat model. The people you send the URL to then copy and paste it into their Tor Browser to access the OnionShare service.
Because your own computer is the web server, no third party can access anything that happens in OnionShare, not even the developers of OnionShare. It’s completely private. And because OnionShare is based on Tor onion services too, it also protects your anonymity.
OnionShare version 1.3.2 is installed by default on Whonix and Tails systems. This version only allows file sharing. The newest version is 2.3.2. In addition to sharing files, it allows you to receive files, host a website, and organize anonymous chat. This version is available for Windows / Mac / Linux. Let's consider how both versions work.
Sending files.
To anonymously and securely send files or folders to other people, you need to drag them into the open window of the OnionShare program or add using the "Add" button, then click the "Start Sharing" button. After that, a unique link will be generated that can be sent to the recipient. The link can only be opened through the Tor Browser, and the recipient will follow it to the page where he can download the archive with the files. After a successful download, the page and files are deleted.In version 2.3.2, you need to open the Share Files tab.
The following parameters can be useful in the program settings:
1. "Stop sharing after the first download". If you disable this option, the files can be downloaded an unlimited number of times, and they will be available while the program window is open. In version 2.3.2, the option is called "Stop sharing after files have been sent" and if it is disabled, recipients will be able to download individual files instead of one large archive.
2. "Use auto-stop timer". By enabling this option, you can set the date and time when the files will be automatically deleted.
3. In version 2.3.2, you can share files all the time, and they will be available from the moment you start the program. To accomplish this, you need to enable "Save this tab, and automatically open it when I open OnionShare".
All subsequent functions are available only in version 2.3.2.
Receive Files.
You can use OnionShare to let people anonymously upload files directly to your computer, essentially turning it into an anonymous dropbox. Open a “Receive tab” and set the desired settings. You can choose where you want to save the files and messages you get.You can deny sending messages if you only want to receive files by selecting the corresponding option. Or disallow file uploads if you only want to exchange messages. For example, in this way you can make an anonymous form for communication.
It is also possible to set up sending notifications if someone sends you files. This is done using the "Use notification webhook" option. When connected, OnionShare will send an HTTP POST request to the specified URL when someone downloads files or sends a message.
To start the OnionShare service and start receiving files, simply click the "Start Receive Mode" button. Anyone loading this address in their Tor Browser will be able to upload files to your computer. You can also click the down “↓” icon in the top-right corner to show the history and progress of people sending files to you.
When someone uploads files to your reception service, by default they get saved to a folder called OnionShare in the home folder on your computer, automatically organized into separate subfolders based on the time that the files get uploaded.
If you need to host your own anonymous e-mail for receiving documents, it is recommended to do this using a separate computer, permanently connected, which is not used for normal work.
Possible risks.
Just like with malicious e-mail attachments, it’s possible someone could try to attack your computer by uploading a malicious file to your OnionShare service. OnionShare does not add any safety mechanisms to protect your system from malicious files.As protection when working with suspicious documents, you can use Tails OS, as well as work inside the Qubes or Whonix virtual machine.
However, it is always safe to open messages sent via OnionShare.
Website hosting.
To host a static HTML website with OnionShare, open a website tab, drag the files and folders that make up the static content there, and click “Start sharing” when you are ready.If you add an index.html file, it will render when someone loads your website. You should also include any other HTML files, CSS files, JavaScript files, and images that make up the website.
Note that OnionShare only supports hosting static websites. It can’t host websites that execute code or use databases. So, you can’t for example use WordPress. If you don’t have an index.html file, it will show a directory listing instead, and people loading it can look through the files and download them.
By default, OnionShare helps secure your website by setting a strict Content Security Police header. However, this prevents third-party content from loading inside the web page.
If you want to load content from third-party websites, like assets or JavaScript libraries from CDNs, check the “Don’t send Content Security Policy header (allows your website to use third-party resources)” box before starting the service.
If you want to host a long-term website using OnionShare (meaning not something to quickly show someone something), it’s recommended you do it on a separate, dedicated computer always powered on and connected to the Internet, and not on the one you use regularly. Save the tab (see Save Tabs) so you can resume the website with the same address if you close OnionShare and re-open it later. If your website is intended for the public, you should run it as a public service (Do Not Use Passwords option).
Anonymous chat.
You can use OnionShare to set up a private, secure chat room that doesn’t log anything. Just open a chat tab and click “Start chat server”. After you start the server, copy the OnionShare address and send it to the people you are planning to chat with. If it’s important to limit exactly who can join, use an encrypted messaging app to send out the OnionShare address. People can join the chat room by loading its OnionShare address in Tor Browser. The chat room requires JavaScript, so everyone who wants to participate must have their Tor Browser security level set to “Standard” or “Safer”, instead of “Safest”.When someone joins the chat room, they get assigned a random name. They can change their name by typing a new name in the box in the left panel and pressing Enter. Since the chat history isn’t saved anywhere, it doesn’t get displayed at all, even if others were already chatting in the room. In an OnionShare chat room, everyone is anonymous. Anyone can change their name to anything, and there is no way to confirm anyone’s identity.
However, if you create an OnionShare chat room and securely send the address only to a small group of trusted people using encrypted messages, you can be reasonably confident the people joining the chat room are the ones you want there.
But how OnionShare chatting is useful when we already have messaging apps with encrypted chatting option? The thing is that OnionShare leaves no traces.
If you for example send a message to a Signal or a Telegram group, a copy of your message ends up on each device (the devices, and computers if they set up Signal or Telegram Desktop) of each member of the group. Even if disappearing messages is turned on, it’s hard to confirm all copies of the messages are actually deleted from all devices, and from any other places (like notifications databases) they may have been saved to. OnionShare chat rooms don’t store any messages anywhere, so the problem is reduced to a minimum.
OnionShare chat rooms can also be useful for people wanting to chat anonymously and securely with someone without needing to create any accounts. For example, a store can contact an employee: send an OnionShare address using a disposable e-mail address, and then wait for the journalist to join the chat room, all without compromising their anonymity.
How does the encryption work?
Because OnionShare relies on Tor onion services, connections between the Tor Browser and OnionShare are all end-to-end encrypted (E2EE). When someone posts a message to an OnionShare chat room, they send it to the server through the E2EE onion connection, which then sends it to all other members of the chat room using WebSockets, through their E2EE onion connections. OnionShare doesn’t implement any chat encryption on its own. It relies on the Tor onion service’s encryption instead.Some advanced features.
You can make any OnionShare service persistent. For example, you can host a website that will have the same address even after restarting your PC. To accomplish this, select the option “Save this tab, and automatically open it when I open OnionShare”.By default, all OnionShare services are protected with the username onionshare and a randomly generated password. If someone takes 20 wrong guesses at the password, your onion service is automatically stopped to prevent a brute force attack against the OnionShare service. Sometimes you might want your OnionShare service to be accessible to the public, like if you want to set up an OnionShare receive service, so the public can securely and anonymously send you files. In this case, it is recommended to turn off password by selecting “Don’t use a password” option.
By default, when people open the OnionShare page in the Tor browser, they see the default service name. For example, the default chat title is "OnionShare Chat". If you want to specify your own title for the service, use the "Custom title" setting before starting the service.
Connecting to Tor.
Pick a way to connect OnionShare to Tor by clicking the “⚙” icon in the bottom right of the OnionShare window to get to its settings.1. You can use the Tor version that comes with OnionShare. This is the simplest, most reliable, default way to connect OnionShare to the Tor network, and is recommended for most users.
2. If the Tor browser is already installed on your computer, and you prefer not to launch a second parallel processor, you can use the processor associated with the Tor browser. To complete this, you need the Tor browser to be running in the background for the entire duration of OnionShare's use.
3. Using the system process tor. Configuration requires relatively advanced skills, such as editing configuration files and administering the operating system. In OS Tails and Whonix, OnionShare is configured this way.
Using Tor bridges.
If your access to the Internet is censored, you can configure OnionShare to connect to the Tor network using Tor bridges. If OnionShare connects to Tor without one, you don’t need to use a bridge. To configure bridges, click the “⚙” icon in OnionShare.You can use the built-in obfs4 pluggable transports, the built-in meek_lite (Azure) pluggable transports, or custom bridges, which you can obtain from Tor’s BridgeDB. If you need to use a bridge, try the built-in obfs4 ones first.
Last edited by a moderator: