The Tor Project [1] has spawned a whole global community dedicated to the concept of anonymous browsing. The project's Tor Browser [2], which lets the user surf the web without leaving a trail or trace, was originally intended to help dissidents in totalitarian countries communicate without surveillance, but since then, it has become popular with whistle-blowers, drug buyers, and millions of everyday users who simply don't want to submit to the culture of tracking and targeting that exists on the mainstream Internet.

The core technology behind the Tor Browser is a technique known as onion routing. Onion routing routes a message through a message of participating routers that could be anywhere on the Internet. A data packet takes a random path through a series of the routers. The packet is encapsulated in multiple layers of encrypted routing information. Each router receives the packet and uses its private key to decrypt the outermost layer, which contains a destination address for where to forward the packet, and then sends the data on to the next link in the chain.

The power of onion routing is that no single router on the network has complete knowledge of where the packet came from and where it is going. Each router can only read the single layer specifically encrypted and addressed to it. This technique is known as onion routing, because the many layers of encrypted routing information resemble the layers of an onion that are gradually peeled away as the packet makes its way through the network. (For more information, see the "How Private?" box.)

The Tor Browser is a standard tool at this point that is well known to many Linux users, and tutorials on how to use Tor have appeared in many forms – including in this magazine.

Less well known is OnionShare [3], a useful tool that lets you anonymously share files on Tor networks. Even users who are not interested in long-term participation in the Tor community have learned that OnionShare can be an easy and secure way to post a file without the need for commercial cloud services.

Anonymous File Sharing

Version 2.0 of OnionShare was released earlier this year and is not yet available in the package sources of the major distributions. Even the brand-new Ubuntu 19.04 "Disco Dingo" runs version 1.3.2 of the program. On the homepage, however, the developers point users to an Ubuntu PPA that supports the installation of the latest version with just a few commands (Listing 1). On Arch Linux, you will find OnionShare in the AUR of the same name. If you can't find a suitable package for your distribution, see the instructions online for tips on building the current version from scratch [7]. (For a CLI variant, see the "OnionShare as a Service" box.)

After you install, OnionShare will appear in the application menu of the desktop environment. At startup, the program automatically connects to the Tor network. The user interface is very simple. At the top there are two tabs named Share Files and Receive Files. The settings can also be opened via the gearwheel icon. The arrow below expands information about the history in a sidebar.

To share files, drag the desired files from the file manager into the application window or use the Add button at the bottom of the window to open a selection dialog. Once you have added one or more files, start the service by pressing the green Start sharing button (Figure 1).

Figure 1: File sharing made easy: Drag files into the window, click on Start sharing, and send the URL to the contact. Configuration of the router is not required.

Download via Browser

To send data to a contact, communicate the OnionShare address now displayed in the window in the style of http://Tor_address.onion/slug (Figure 2).

Figure 2: Send the OnionShare address to your contact. The history shows how often and when a file was downloaded – but not by whom.

The Tor address is a string of characters assigned to you by Tor (as shown in Figure 2). The slug consists of a random combination of two words at the end of the address, adding an additional layer of complexity to resist guess attacks.

You can share the information either through a secure chat or some manual method. Note that the OnionShare address changes each time the application is started, as long as you do not enable a persistent address in the settings. The text cannot be selected directly in the window; to copy it to the clipboard, click Copy Address. Port forwarding or further configuration of the WiFi router are not usually required.

Your contact does not need a special program to download the data. All they need is the Tor Browser, which is available for all common operating systems or any browser with a Tor client enabled in the system (Figure 3). After you press Download Files, the shared data ends up as a ZIP archive on the user's hard disk. However, version 2.0 of the OnionShare client no longer bundles individual files in an archive. In the test, downloading the files also worked on an Android smartphone connected to the Tor network with Orbot [8].

Figure 3: To download data shared via OnionShare, you need the Tor Browser or an active Tor client on your own computer.

Receiving Anonymous Data

OnionShare 2.0 not only allows users to share files anonymously but also to receive them anonymously [9]. To receive files anonymously, switch to the Receive Files tab and activate Receive mode by pressing Start Receive Mode. You will again see an OnionShare address, similar to the one you received when you sent the mail; you have to give this address to your contact. If, for example, you would like to offer whistle-blowers a portal for sending data in the scope of your journalistic work, you can also publish the address on your homepage.

Uploading data does not differ much from downloading. The Tor Browser acts as the client again. Instead of the list of offered files, you will see an almost empty page. A click on Browse… opens a file browser where you can select the data to be uploaded. On pressing Send Files, the browser then transfers the file. On the OnionShare program page, you will see the transferred files arriving. After the transmission has been completed, terminate the service by clicking on Stop Receive Mode. By default, the program stores the data below OnionShare/ in the user's home directory.