What does it take to start an onion service

@starwars - Mar 2 2021

From a technical perspective, starting a legitimate onion site requires many skills beyond simply reading through the Tor documentation and buying an Eckmar or using WordPress.

An obvious difference between an onion service and a clearnet one is that onion services are strictly restricted to server-side rendering. This requires workarounds for certain features that are normally easy to implement with client-side scripting, such as jQuery or React.

Another main difference is that the backbone structure is extremely different. Propagation delay has to be factored into the calculations and weighted more heavily than transmission delay. In other words, while bandwidth usage is given high priority in clearnet services, the number of requests is even more important in an onion service scenario due to the way onion circuits work. This affects how the site should be coded from the bottom up.

The third difference is that since the main point of Tor is to anonymize users, there is no reliable way to ban/blacklist a specific malicious actor. Spam handling is an important issue currently, and up until now, there hasn't been a 100 percent perfect solution to this problem.

Last but not least, security sense is the most important requirement of all. Very often, a market appears with IP leaks or some very basic mistakes. Someone who doesn't have basic security sense should NOT run an onion service; there are various examples of onion sites/markets getting hacked or having their hot wallets cleared.

So to sum it up, here's a checklist. Please be sure that you and your service AT LEAST fit these requirements, or there will be high risks, since most onion sites are here to conduct illegal activities.

At least one member of your team should...
- have knowledge of at least one server-side rendering technique/framework and be capable of secure coding
- have full knowledge of how Tor works
- be capable of creating an isolated instance/container that only allows Tor traffic
- know at least the basics of networking and cryptography
- be able to maintain an encrypted database
- understand how to process crypto payments securely
- be able to do Tor-oriented optimization (optional, recommended)
- possess intermediate CSS skills (or your site will be ugly?)

The onion site...
- should not contain JavaScript or SVG
- should not use clearnet plugins or certain sorts of third-party scripts
- should be isolated in a container/instance that only routes traffic through Tor and does not have unnecessary open ports
- should not be in the same container/instance as your payment system
- should validate submitted form input on the server side, for security reasons
- should not require too many requests to load a single page (optional, recommended)
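
Several of the page-level items above (no JavaScript or SVG, no clearnet or third-party resources, few requests per page) can be checked automatically against the HTML your server renders. The following is an added example, not code from the original post; the class and function names, the request budget of 5 and the sample page with its host names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FETCH_ATTRS = {"src", "href", "action", "poster", "data"}  # attributes that carry a URL
NAV_TAGS = {"a", "area", "form"}  # followed only on click/submit, not on page load

class OnionPageAudit(HTMLParser):
    """Collects checklist violations from one server-rendered HTML page."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host  # assumption: the service's own .onion host name
        self.findings = []        # (rule, detail) tuples
        self.subrequests = 0      # upper bound on extra requests needed to render

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "svg"):
            self.findings.append(("forbidden-tag", tag))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):  # onclick, onload, ... are inline scripts
                self.findings.append(("inline-handler", f"{tag}[{name}]"))
            if name not in FETCH_ATTRS or not value:
                continue
            if value.lower().startswith("javascript:"):
                self.findings.append(("javascript-url", tag))
            if tag in NAV_TAGS or value.lower().startswith(("javascript:", "data:")):
                continue
            host = urlparse(value).hostname  # None for relative URLs
            if host and host != self.own_host:
                rule = "external-onion" if host.endswith(".onion") else "clearnet-resource"
                self.findings.append((rule, host))
            self.subrequests += 1

def audit(html, own_host, max_subrequests=5):
    """Return the list of findings for one page; an empty list means it passes."""
    parser = OnionPageAudit(own_host)
    parser.feed(html)
    parser.close()
    if parser.subrequests > max_subrequests:
        parser.findings.append(("too-many-requests", str(parser.subrequests)))
    return parser.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.example.com/css?family=Inter">
<script src="/static/app.js"></script>
</head><body onload="init()">
<img src="/static/logo.png"><svg width="10" height="10"></svg>
<a href="https://example.org/">clearnet link, only followed on click</a>
</body></html>"""
```

Run it over every rendered template in your test suite and fail the build on any finding, so a leak never reaches the live service.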

I know it's a short list, but it is a brief checklist for safety and security.

