Private File Sharing with OnionShare | NSC #73




OnionShare uses the TOR network to securely and anonymously send or receive files with a remote party anywhere in the world. It does this by temporarily spinning up a TOR node on your computer, creating a unique TOR site, and allowing the remote party to either download or upload from the TOR browser.


We have covered how to securely send files in the past, but OnionShare is a bit unique. By using the TOR network, we gain not only the multiple layers of encryption, but also the privacy that is inherent in using TOR. Since OnionShare creates a TOR hidden service, you don’t need to worry about endpoint attacks. When connecting to an onion site, all traffic stays within the TOR network. As opposed to .com websites where you need to reach out to the regular internet. This means there are no endpoints for an attacker to try to exploit. You use three relays, the onion site uses three relays and you connect at a random destination with all the traffic completely encrypted. Theoretically, there are no weak-points, though there will almost definitely be one in the future.


As far as privacy, it is nearly impossible to tell who both the client and the onion site host is when using TOR. This and the fact that a new link is generated every time you want to share a file make this a very easy way to share files anonymously. This is only true if you’re not stupid about setting up the host. If you are using a monitored internet connection, it may be possible to use timing and deductive reasoning to de-anonymize you as seen in many cases. Just because you are using TOR does not mean you can do things without consequences.

Shareable Link Generation

Similar to how Firefox Send generates a sharable url, OnionShare generates a random TOR address. OnionShare uses the v3 version of onion URLs which are 56 characters in length. These onion addresses are ephemeral addresses, meaning they are used only once. Couple this with the two random words that are added to the end and you get an address that is nearly impossible to guess. If your onion address was somehow discovered and someone tried to bruteforce those two random words, OnionShare would shut down after 20 attempts. There are over 60 million possible two word slugs, so an attacker would have a 0.003% chance of guessing correctly in 20 attempts.

Sharing Files

Sharing files is very simple and intuitive with OnionShare. You choose which files you want to upload from your local storage and click the Start Sharing button. After a few seconds, a unique onion link is generated. The sensitivity of those files determines how you send the link. The ideal solution would be to use a secure communication means to send that link to the intended recipient to ensure that no other third parties have access. If you don’t care, sending this link over Facebook or some other Big Brother approved messenger is perfectly fine.

Receiving Files

To receive files, you need to start up a receiving node by first going to the receive files tab. From there, you click the Start Receive Mode button and wait for it to complete. You will have an onion address after the process is complete. Be careful who you give this out to, as this can be used to upload files directly to your computer. This link can only be opened through the TOR network and allows a secure means of transferring files to your computer. BE CAREFUL if you intend to open any executable files acquired through OnionShare.

Other Use Cases

OnionShare can also be used as an anonymous drop point anywhere in the world thanks to their command line version. OnionShare can be setup to run persistently on a computer, server, raspberry pi, etc. This allows you to be anywhere in the world with an internet connection and still have a secure way to access your files. You can also set OnionShare to receive mode and drop files onto your server remotely. This could be very useful if you are collecting sensitive data that you don’t want found on you. Just upload it, destroy any copies and grab it on the other side.

Just remember not to keep the onion address and the slug in the same place! It is best to remember the two random words and write down the onion address. This way, if the address gets found on you, they still need the slug to access your files.

OnionShare can be downloaded here: https://onionshare.org/. Alternatively, you can download it using their onion site here: lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion

NOTE: When installing on Linux, we noticed a lack of longer v3 addresses. It turned out that the Ubuntu repository has an out of date TOR version. Adding the official TOR repository fixed this problem. More details here: https://www.torproject.org/docs/debian.html.en#ubuntu

Questions, Comments, Concerns?

Feel free to leave a comment letting us know what you think!


Leave a Reply

Your email address will not be published. Required fields are marked *