Hidden services

So, for those of you who never heard about it, there's some hidden services in the wild. They're called .onion if you use Tor - and you should.

Facebook, for instance, also have a .onion. My blog to.

It's neat, it helps protect privacy of the user and escape mass surveillance and censorship. Anyone should do it if they're even remotely interested in protecting their users (I mean, even facebook did it. You can't be worse thanthem on this bsasis, except if you're a bank).

But, users still need to know that the .onion exist, and they still need to redirect there. And the onion adresses are anything but human friendly. They're hard to remember, and a mistake in one character might land you on a totally different website.

It would be nice that, the same way HTTPS Everywhere redirects you to https enabled website when you go for the non-encrypted version, there would be some way to redirect users who uses tor to the .onion version.

Onionify all the things

The cloudflare way

So, you can perfectly do the same thing that cloud flare is doing. Get a list of exit nodes, and - on your web-server - when a queries go from one of them, redirect to the hidden services.

It needs an updated list of exit node. Can probably be done, but then you also need control of the webserver (which might not necessarily be the case) and some cron jobs.

I need to do a bit more research on that anyway.

HTTP Headers

You can also probably add a header server side which would advertise the .onion. Or advertise address in DNSSEC zones one way or another. But then, you need the browser to be aware of that and to do those check before going on the website.

I think it's probably the best way to do it. And it probably isn't a lot of code (might need to do a plugin for that, to agree with everyone on a standard, and write a RFC).

Plain JS

Or you can control the browser with something on your content whch is aware of the onion. And which can check if the browser is able of using them.

That's what JS is for. A simple HEAD query sent by the client to the onion will tell you if the client can connect to your .onion.

It's probably dirty, it's JS it does asks permission to do it, but the bit of script I've write works fine.

It can be embedded on any page to redirect to a hidden service.


The code is straightforward. No dependencies. You do not need jquery for doing just a query, you need XMLHttpRequest.

It ca also be easily adaptable (just change the content of the onion variable), and it works from anywhere your client lands.

Better privacy for the user in 15 lines of JS.

The code is here, licenced under WTFPL. There's probably way to do it in a cleaner way, and I said earier, I think it would be better to have a .onion dectection feature in the browser, but it's there now.

And the more you'll use it, the more people will land on your onions. WHich will improve both Tor network - more casual surf is always good - and the privacy of your users.

Have fun.