Goodbye, passwords in OnionShare

Posted September 26, 2021 in onionshare

I'm excited to announce that OnionShare 2.4 is now out and the major change in this version is that we've completely gotten rid of passwords! Private OnionShare services are now protected using private keys (aka client authentication) on the Tor layer instead of instead of basic authentication on the HTTP layer. Check out the new version at onionshare.org!

Before today, OnionShare web addresses looked something like this:

http://onionshare:constrict-purity@by4im3ir5nsvygprmjq74xwplrkdgt44qmeapxawwikxacmr3dqzyjad.onion

The first part, onionshare:constrict-purity, is an HTTP basic authentication username (always 'onionshare') and random password. Basically, if you load that address in Tor Browser without the username and password part, it would prompt the user to login. If you didn't have the password and guessed wrong enough times, OnionShare would detect a potential attack and shut down the service.

Today though, the passwords are gone! OnionShare 2.4 addresses look something like this:

http://oy5oaslxxzwib7fsjaiz5mjeyg3ziwdmiyeotpjw6etxi722pn7pqsyd.onion

And the private keys look something like this:

K3N3N3U3BURJW46HZEZV2LZHBPKEFAGVN6DPC7TY6FHWXT7RLRAQ

When you start an OnionShare service you get both, and you have to give both to the people who want to use your service. For example, lets say you want to send a super secret Nintendo ROM to your friend. You open OnionShare, drag the file in, and start the server.

You open up an encrypted messaging app like Signal and then send both the OnionShare address and the private key. When your friend opens Tor Browser and pastes the address, Tor itself will pop up a little window asking for the private key.

If they don't have it then it's simply impossible to connect.

Once your friend copies and pastes the correct private key, they can access the onion site like normal and download the secret Nintendo ROM.

The command line version, of course, works the same way. Let's say you want to set up a secret chat room. You can do that like this (in this case, running the command line version from the snap package):

onionshare.cli --chat --title "retro gamerz only"

If you want to run a public OnionShare service that anyone can access and doesn't have a secret key, like if you're setting up an anonymous dropbox, then just check the "This is a public OnionShare service (disables private key)" box before starting the server, or use the --public flag on the command line.