How Do Tor Users Interact With Onion Services?

Philipp Winter, Anne Edmundson, and Laura M. Roberts, Princeton University;

Agnieszka Dutkowska-Żuk, Independent;
Marshini Chetty and Nick Feamster, Princeton University
https://www.usenix.org/conference/usenixsecurity18/presentation/winter

This paper is included in the Proceedings of the

27th USENIX Security Symposium.
August 15–17, 2018 • Baltimore, MD, USA
ISBN 978-1-931971-46-1

Open access to the Proceedings of the

27th USENIX Security Symposium
is sponsored by USENIX.
 How Do Tor Users Interact With Onion Services?

Philipp Winter Anne Edmundson Laura M. Roberts

Princeton University Princeton University Princeton University
Agnieszka Dutkowska-Żuk Marshini Chetty Nick Feamster
Independent Princeton University Princeton University

Abstract messaging [4] and file sharing [15]. The Tor Project
currently does not have data on the number of onion
Onion services are anonymous network services that are service users, but Facebook reported in 2016 that more
exposed over the Tor network. In contrast to conventional than one million users logged into its onion service in one
Internet services, onion services are private, generally not month [20].
indexed by search engines, and use self-certifying domain Onion services differ from conventional web services
names that are long and difficult for humans to read. In in four ways; First, they can only be accessed over the Tor
this paper, we study how people perceive, understand, and network. Second, onion domains are hashes over their
use onion services based on data from 17 semi-structured public key, which make them difficult to remember. Third,
interviews and an online survey of 517 users. We find that the network path between client and the onion service is
users have an incomplete mental model of onion services, typically longer, increasing latency and thus reducing the
use these services for anonymity and have varying trust in performance of the service. Finally, onion services are
onion services in general. Users also have difficulty dis- private by default, meaning that users must discover these
covering and tracking onion sites and authenticating them. sites organically, rather than with a search engine.
Finally, users want technical improvements to onion ser- In this paper, we study how users cope with these id-
vices and better information on how to use them. Our iosyncrasies, by exploring the following questions:
findings suggest various improvements for the security
and usability of Tor onion services, including ways to au- • What are users’ mental models of onion services?
tomatically detect phishing of onion services, more clear • How do users use and manage onion services?
security indicators, and ways to manage onion domain • What are the challenges of using onion services?
names that are difficult to remember.
Because onion services depend on the Tor Browser and
the underlying Tor network to exchange traffic, some of
1 Introduction our study also explored users’ mental models of Tor itself,
but this topic is not the focus of our paper.
The Tor Project’s onion services provide a popular way To answer these questions, we employed a mixed-
of running an anonymous network service. In contrast methods approach. First, we conducted exploratory inter-
to anonymity for clients (e.g., obfuscating a client IP ad- views with Tor and onion service users to guide the de-
dress using a virtual private network), Tor onion services sign of an online survey. We then conducted a large-scale
provide anonymity for servers, allowing a web server to online survey that included questions on Tor Browser,
obfuscate its network location (specifically, its IP address). onion service usage and operation, onion site phishing,
An operator of a web service may need to anonymize the and users’ general expectations of privacy. Next, we con-
location of a web service to escape harassment, speak out ducted follow-up interviews to further explore the topics
against power, or voice dissenting opinions. and themes that we discovered in the exploratory inter-
Onion services were originally developed in 2004 and views and survey. We complemented this qualitative data
have recently seen growing numbers of both servers and with an analysis of “leaked” DNS lookups to onion do-
users. As of June 2018, The Tor Project’s statistics count mains, as seen from a DNS root server; this data gave
more than 100,000 onion services each day, collectively us insights into actual usage patterns and allowed us to
serving traffic at a rate of nearly 1 Gbps. In addition to corroborate some of the findings from the interviews and
web sites, onion services include metadata-free instant surveys.

USENIX Association 27th USENIX Security Symposium 411

 We find that many Tor users misunderstand technical Tor Circuit
aspects of onion services, such as the nature of the do-
Tor Browser Guard Middle
main format, rendering these users more vulnerable to
phishing attacks. Second, we find that users have many is-
sues using and managing onion services, including having Rendezvous
trouble discovering and tracking new onion domains. Our
data also suggests that users may visit onion domains that Onion Service Guard Middle Middle
are slight variations of popular onion domains, suggesting Tor Circuit
that typos or phishing attacks may occur on onion do-
Figure 1: A path to an onion service typically has six Tor
mains. Third, users want improvements to onion services relays. Both the client and the onion service create a Tor circuit
such as improved performance and easier ways to keep (comprising two and three relays, respectively) to a rendezvous.
track of and verify onion domains as authentic. Many
of the shortcomings that we discover could be addressed 2 Background: What Are Onion Services?
with straightforward and immediate improvements to the
Tor Browser, including improved security indicators and Originally called “hidden services”, onion services were
mechanisms to automatically detect domains that may be renamed in 2015 to reflect the fact that they provide more
typos or phishing attacks. than just the “hiding” of a service [11]—more importantly,
Tor is currently testing the next generation of onion they provide end-to-end security and self-certifying do-
services, which will address various security issues and main names. Beyond The Tor Project’s nomenclature, the
upgrade to faster, future-proof cryptography. The findings “web” of onion services is occasionally referred to as the
from our work can inform the design of privacy and secu- “Dark Web”. In this paper, we use only the term onion
rity enhancements to onion services and Tor Browser at a services.
critical time as these improvements are being deployed. Onion services are TCP-based network services that are
This paper makes the following contributions: accessible only over the Tor network and provide mutual
anonymity: the Tor client is anonymous to the server,
• We provide new, large-scale empirical evidence from and the server is anonymous to the client. Clients access
Tor users that sheds light on how these users perceive, onion services via onion domains that are meaningful
use, and manage onion services. Our work confirms only inside the Tor network. A path between a client and
and extends previous findings on Tor Browser users’ onion service has six Tor relays by default, as shown in
mental models [9]. Figure 1; the client builds a circuit to a “rendezvous” Tor
relay, and the onion service builds a circuit to that same
• We provide empirical evidence that characterizes relay. Neither party learns the other’s IP address.
onion domain name lookups based on a dataset from To create an onion domain, a Tor daemon generates an
the .onion requests from DNS B root, both extend- RSA key pair, computes the SHA-1 hash over the RSA
ing previous work on onion domain usage [18, 33] public key, truncates it to 80 bits, and encodes the result
and corroborating our findings about usability and in a 16-character base32 string (e.g., expyuzz4wqqyqhjn).
security problems that we identified in the survey Because an onion domain is derived directly from its
and interview data. public key, onion domains are self-certifying: if a client
knows a domain, it automatically knows the correspond-
• Based on our findings, we identify usability obsta-
ing public key. Unfortunately, this property makes the
cles to the adoption of onion services and suggest
onion domain difficult to read, write, or remember.
possible design enhancements, including publishing
As of February 2018, The Tor Project is deploying the
mechanism for onion services and a Tor Browser ex-
next generation of onion services, whose domains have
tension that allows its users to securely and privately
56 characters [16, § 6] that include a base32 encoding
bookmark onion domains.
of the onion service’s public key, a checksum, and a ver-
sion number. New onion services will also use elliptic
All code, data, and auxiliary resources are available at curve cryptography, allowing the entire public key to be
https://nymity.ch/onion-services/. embedded in the domain, as opposed to only the hash of
The rest of this paper is structured as follows. Section 2 the public key. These changes will naturally improve the
provides background on onion services, and Section 3 security of onion services but have important implications
presents related work. Section 4 presents the methods for usability, particularly as unreadable onion domain
for our interviews, online survey, and DNS data analy- names get longer.
sis. Section 5 presents results, Section 6 discusses the One way to make onion domains more readable
implications of these findings, and Section 7 concludes. is to repeatedly generate RSA keys until the result-

412 27th USENIX Security Symposium USENIX Association

 3 Related Work

Usage and mental models of Tor Browser. Forte et al.

(a) Conventional domain. studied the privacy practices of contributors to open col-
laboration projects such as the Tor Project and Wikipedia
to learn about how privacy concerns affect their contri-
bution practices [9]. The study, based on 23 interviews,
(b) Onion service. found that contributors worry about an array of threats,
Figure 2: Tor Browser 7.0.10’s user interface on Windows including surveillance, violence, harassment, and loss
10 when accessing the Tor Project website via a conventional of opportunity. This study was not focused on hidden
domain and the corresponding onion service. The onion service services at all. Additionally, Gallagher et al. conducted
lacks a padlock; Tor developers are addressing this issue [1].
semi-structured interviews to understand both why people
use Tor Browser and how they understand the technol-
ogy [10]. The study found that experts tend to have a
ing domain contains some desired string (e.g., “face- network-centric view of the Tor network and use it fre-
book”). These so-called vanity onion domains in- quently, whereas non-experts have a goal-oriented view
clude Facebook (facebookcorewwwi.onion), ProPublica and see Tor Browser as a black-box service. Our work cor-
(propub3r6espa33w.onion), and the New York Times roborates these findings but is focused on onion services,
(nytimes3xbfgragh.onion). Vanity onion domains still rather than generally on Tor Browser.
typically have strings of characters that are not meaning-
ful words, but they may be easier to memorize. These Usability of Tor Browser installation. Tor Browser has
domains are relatively expensive to create: given base32’s seen many usability improvements since its creation in
alphabet size of 32 characters, a vanity prefix of length 2003 [31], from a Tor “button” to Tor Browser Bundle
n takes an average of 0.5 · 32n key creations, Given a set (now called the Tor Browser). Ten years ago, Clark et
of domains that contain a vanity prefix, one can search al. used cognitive walkthroughs to study how users in-
this set for a domain that is the easiest to remember, for stall, configure, and run Tor Browser [5]. The work re-
example by using a Markov model to filter domains that vealed hurdles such as jargon-laden documentation, con-
resemble English words. The popular scallion tool [30] fusing menus, and insufficient visual feedback. Norcie et
parallelizes the search for vanity domains. al. identified “stop-points” in the installation and use of
the Tor Browser Bundle [21]; these stop-points require
Even if the onion domain is more readable, the user still user action but instead cause confusion. the study rec-
needs to have a way of discovering the onion service in the ommended various changes to the installation process
first place. In contrast to conventional network services, and evaluated them in a follow-up study. Lee et al. [14]
onion services are designed to be difficult to discover. The studied the usability of Tor Launcher, the graphical con-
operator of an onion service must manually advertise the figuration tool that allows users to configure Tor Browser,
domain, for example by manually adding it to onion site and found that 79% of users’ connection attempts in a
search engines such as Ahmia [22]. The lack of a go-to simulated censored environment failed, but that various
service such as a “Google for onion services” prompted design improvements could reduce these difficulties.
the community to devise various ways to disseminate Usability of onion domain names. Previous work aimed
onion services through a variety of search engines and to improve the usability of onion domain names. Sai and
curated lists. Fink proposed a mnemonic system that maps 80-bit onion
Tor Browser aims to make user access to onion domains domains to sentences [26]. Their work is inspired by
seamless. Figure 2a shows the interface when accessing mnemonicode, which maps binary data to words [36].
The Tor Project’s web site; Figure 2b shows a connection Victors et al. designed the Onion Name System [35],
to the corresponding onion site. Additionally, because the which allows users to reference an onion service by a
unreadability of onion domains can make clients more readable, globally unique identifier. Kadianakis et al.
susceptible to phishing attacks, website operators who designed an API that allows Tor clients to configure name
want to provide their website as an onion service and do systems (e.g., GNS [28] or OnioNS [35]) on a per-domain
not care about their own anonymity can get an extended basis [12].
validation (EV) digital certificate for their .onion domain Onion domain usage patterns. If a conventional DNS
so that clients can be assured that they are connecting to resolver attempts to resolve an .onion domain (as might
the correct site. For example, Facebook’s onion service happen when a user enters such a domain name into a nor-
has a certificate associated with it, and this added layer of mal browser), the resulting DNS lookup for the domain
security is reflected in the Tor Browser. will “leak”to the DNS root servers. Previous studies have

USENIX Association 27th USENIX Security Symposium 413

taken advantage of this leaked information to characterize we targeted lay-people and aimed to maximize cultural,
the popularity of various onion domains [18, 33]. We gender, geographic location, education, and age diversity.
build on previous work, applying similar analysis with a The Tor Project advertised this survey both in a blog
focus on whether the lookups suggest usability problems post [37] and via Twitter. We also advertised the study
with onion services or the presence of phishing attacks. on Princeton’s Center for Information Technology (CITP)
blog and recruited participants in person at an Internet
freedom event.
4 Method Recruiting a representative sample of Tor users is dif-
ficult, and our recruiting techniques likely resulted in
We used a mixed-methods approach involving interview
a biased population for several reasons. First, we be-
and survey data, as well as analysis of DNS query data.
lieve that The Tor Project’s blog and Twitter account
This section details our interviews (Section 4.1), large-
are followed by disproportionately more technical users,
scale online survey (Section 4.2), and the DNS dataset
whereas non-technical users may not generally follow
that we use for our analysis (Section 4.3).1
news and updates related to Tor via the project’s blog and
Twitter feed. Second, Tor users value their privacy more
4.1 Interviews than the average Internet user, so the users we recruited
may not be as honest and candid about their browsing
To help us understand users’ mental models of onion ser-
habits as we would like.
vices, onion service usage, and the challenges and benefits
of onion services, we conducted qualitative interviews, Interviews. We conducted 13 interviews in person and
which allowed us to design the survey. four interviews remotely—over Skype, Signal, WhatsApp,
and Jitsi—depending on the medium that our participants
preferred. Two participants declined to have their inter-
4.1.1 Procedure
views recorded; we recorded the rest of the interviews
Interview Guide. We developed a question set that with the permission of the participant. All participants an-
served as the basis for each interview,2 basing our de- swered the interview questions and completed the sketch-
sign on prior work [9] but focusing particularly on onion ing exercise. Each interview ended with a debriefing
services. The semi-structured nature of our interviews phase to ask if our participants had any remaining ques-
allowed us to deviate from this question set by asking tions. We compensated participants with a $20 gift card.
follow-up questions as appropriate. We conducted our first interview on July 13, 2017 and the
We followed standard consent procedures for all par- last on October 20, 2017. The median interview time was
ticipants. We began by asking demographic information 34 minutes, with interviews ranging from 20–50 minutes.
(gender, age range, occupation, country of residence, and Transcription and Analysis. We transcribed our inter-
level of education), followed by questions about users’ view recordings and employed qualitative data coding to
general online behavior. We concluded with questions analyze the transcripts [29]. In the two cases where we
about Tor Browser and onion services (e.g., when users did not have interview recordings, we relied on our field
started to use these services, how they track onion links notes. We developed a codebook based on our research
as well as the drawbacks and strengths of these services questions and used a combination of deductive coding to
based on their own experiences). To gather data about identify themes of interest we agreed upon and inductive
users’ mental models of Tor browser and onion services, coding to discover emergent phenomena and to expand
we designed a brief sketching exercise similar to those the initial codebook. We had ten parent codes in total,
used in other work [25]. We asked participants to draw with examples such as “Mental model of onion services”,
sketches of how they believed Tor and onion services “Search habits”, and “Reasons for using onion services”;
worked and followed up on these drawings in interviews. and 168 child codes, including “Definition- anonymous”,
Recruitment. To select eligible interview subjects, we “Word of mouth”, and “Curiosity”. After we reached con-
created a short pre-interview survey3 asking users if they sensus on the phenomena of interest, at least two members
were over 18 years of age, if they had used Tor Browser of our team (sometimes up to four) read and coded each
and onion services, and how they would rate their general transcript. We also held regular research meetings with
privacy and security knowledge. To the extent possible, the entire team of authors to discuss the coded transcripts
and reach consensus on the final themes.
1 Princeton University’s institutional review board (IRB) approved

this study (Protocol #8251).

2 The question set is available at https://nymity.ch/ 4.1.2 Participants
onion-services/pdf/interview-checklist.pdf.
3 The pre-interview survey is available at https://nymity.ch/ We interviewed 17 subjects, as summarized in Table 1.
onion-services/pdf/pre-interview-survey.pdf. We only present aggregate demographic information to

414 27th USENIX Security Symposium USENIX Association

protect the identity of our interview participants. We times also called cognitive interviewing) to improve the
believe that our sample is biased towards educated and wording of our survey questions [6]. Pretesting reveals
technical users—almost 60% of our participants have a if respondents understand questions consistently and the
postgraduate degree—but our sample also shows the di- way we intended them to be interpreted. Five pre-testers
versity among Tor’s user base: our participants comprised helped us iteratively improve the survey; after pre-testing
human rights activists, legal professionals, writers, artists, and revisions, we launched the survey.
and journalists, among others. In remainder of the paper, Recruitment. As with our interviews, we advertised our
we use the denotation ‘P’ to refer to interview participants. survey in a blog post on The Tor Project’s blog [37],
on its corresponding Twitter account, the CITP blog at
4.2 Online Survey Princeton, and on three Reddit subforums.5 Unlike our
interview participants, our survey respondents were self-
Shortly after we conducted our first batch of interviews,
selected. As with interview recruitment, we expect this
we designed, refined, and launched an online survey to
recruitment strategy biased our sample towards engaged
complement our interview data.4
users because casual Tor users are unlikely to follow The
Tor Project’s social media accounts.
4.2.1 Procedure
We did not offer incentives for participation because we
Survey Design. We created our survey in Qualtrics be- wanted respondents to be able to participate anonymously
cause an unmodified Tor Browser could display it cor- without providing email addresses. Despite the lack of
rectly. Unfortunately, Qualtrics requires JavaScript, and incentives, we collected enough responses. Our survey
Tor Browser deactivates if it is set to its highest security ran from August 16–September 11, 2017 (27 days).
setting. Several users complained about our reliance on Filtering and Analysis. Some of the survey responses
JavaScript in the recruitment blog post comments [37]. were low-quality; people may have rushed their answers,
All respondents consented to the survey and confirmed aborted our survey prematurely, or given deliberately
that they were at least 18 years old. Our survey was wrong answers. To mitigate these effects, we excluded
only available in English, but we targeted an international participants who either did not finish the survey or who
audience because Sawaya et al. showed that cultural failed more than two out of four attention checks. We con-
differences yield different security behavior [27], and pay- ducted a descriptive analysis on the survey data. We also
ing attention to these differences is central to The Tor computed correlation coefficients between every question
Project’s global mission. pair in the survey, which did not yield significant results.
Most of our survey focused on onion services, but we We thus focus on results from the descriptive analysis.
also included usage questions about Tor in general be- Each percentage is reported out of the total sample; we
cause Tor Browser is used to access onion services. Our denote cases when survey participants chose not to re-
survey had of 49 questions, most of which were closed- spond as ‘No Response’. Two researchers performed a
ended questions. The first set of questions asked for basic deductive coding pass on the open-ended survey questions
demographic information such as age, gender, privacy based on our interview codebook and held meetings to
and security knowledge rating, and education level. Next, reach consensus on the final themes discussed. In rest of
the survey asked about Tor usage, such as how frequently the paper, we denote survey participants with ‘S’.
the Tor Browser was used. We also asked about onion
services usage in detail, including questions concerning
the usability of onion links, how users track and manage 4.2.2 Participants
onion domain links, whether (and why) users had ever
set up or operated an onion site, and whether users were We collected 828 responses, but only 604 (73%) com-
aware of onion site phishing and impersonation. The last pleted the survey, and 517 (62%) passed at least two at-
set of questions focused on users’ general expectations tention checks. The rest of the paper focuses on these 517
of privacy and security when using onion services. We responses. Table 2 shows the demographics of our survey.
incorporated four attention checks to measure a respon- As we expected, respondents were young and educated:
dent’s degree of attention [3]. To ensure that participants more than 71% were younger than 36, and 61% had at
felt comfortable answering questions, we did not make least a graduate or post-graduate degree. 44% percent
questions mandatory. The survey took about 15 minutes also considered themselves at least highly knowledgeable
to complete. in matters of Internet privacy and security.
Survey Testing. We used cognitive pretesting (some-
4 The full survey is available at https://nymity.ch/ 5 https://reddit.com/r/tor/, https://reddit.com/r/onions/

onion-services/pdf/survey-questions.pdf. https://reddit.com/r/samplesize/.

USENIX Association 27th USENIX Security Symposium 415

 Age # % Gender # % Continent of residence # % Education # %
18–25 2 11.8 Female 5 29.4 Asia 3 17.6 No degree 1 5.9
26–35 10 58.8 Male 12 70.6 Australia 1 5.9 High school 3 17.7
36–45 4 23.5 Europe 4 23.5 Graduate 3 17.7
46–55 1 5.9 North America 8 47.1 Postgraduate 10 58.8
South America 1 5.9
Table 1: The distribution over gender, age, country of residence, and education for our 17 interview subjects. We do not show
per-person demographic information to protect the identity of our interview subjects.
Gender # % Age # % Education # % Domain knowledge # %
Male 438 84.7 18–25 186 35.9 No degree 25 4.8 None 1 0.2
Female 49 9.4 26–35 180 34.8 High school 172 33.2 Mild 35 6.8
Other 25 4.8 36–45 87 16.8 Graduate 214 41.4 Moderate 178 34.4
No Response 5 1.0 46–55 43 8.3 Post graduate 102 19.7 High 227 43.9
56–65 16 3.1 No Response 4 0.4 Expert 75 14.5
> 65 3 0.6 No Response 1 0.2
No Response 2 0.4

Table 2: The distribution over gender, age, education, and domain knowledge of the survey respondents. Providing demographic
information was optional, so we lack data for some respondents.

4.3 Domain Name Service (DNS) Queries 4.4 Limitations

We analyzed .onion domains leaked via the Domain As we previously mentioned, we asked The Tor Project
Name System (DNS) to better understand onion service to disseminate our survey on its blog and Twitter account,
usage and look for specific evidence of usability issues which likely yielded the following biases.
(e.g., onion domains with typographical errors, phishing Non-response bias. People who noticed our call for vol-
attacks). Although onion domains are only resolvable unteers but decided against participating may have valued
inside the Tor network, Internet users may attempt to ac- their privacy too much, falsely believed that their perspec-
cess an onion site using a browser that is not configured tive is irrelevant, lacked time, or had other reasons not to
to use Tor, resulting in the DNS query for onion domain participate. Nevertheless, non-respondents may exhibit
“leaking” to conventional DNS resolvers—and ultimately traits that are fundamentally different from those who did
to a DNS root server. Because all onion lookups to a participate.
conventional DNS server will result in a cache miss, all Survivor bias. Our participants generally were able to
leaked onion lookups will ultimately go to a DNS root tolerate Tor Browser’s usability issues, which is why they
server. Thus, DNS root servers see a good sample of are still around to tell their tale. We likely did not hear
leaked onion domains. Our work builds on a previous from people who decided that Tor Browser was not for
analysis of a similar data set that was conducted several them and were thus unable to tell us what drove them
years ago and which was not focused on onion services away. The danger of survivor bias lies in optimizing the
specifically like our work [18, 33]. user experience for the subset of people whose tolerance
We obtained about several days of DNS data from for inconvenience is higher than the rest.
the B root server through the IMPACT Cyber Trust pro- Self-selection bias. Due to the nature of our online sur-
gram [34]. This data has several hundred pcap files, which vey, participants could voluntarily select themselves into
contain full packet captures with pseudonymized IP ad- our set of respondents. These respondents may be un-
dresses of all DNS traffic to the B root from September usually engaged, technical, and opinionated. Indeed, the
19, 2017 10:00 UTC to September 21, 2017 23:59 UTC. demographic for our online survey in Section 4.2 was
We analyzed the DNS queries dataset and present our re- young and educated; perhaps Tor Browser’s population
sults alongside our findings from the survey and interview is young and educated, as well, but we have no way of
results. We extracted the QNAME of each DNS query, knowing.
which yielded 15,471 correctly formatted onion domains
that were 16 characters long (representing an 80-bit hash
of the owner’s public key) had has any letters of the al- 5 Results
phabet and numbers between 2 and 7. These lookups, of
course, may not always correspond to a real onion site, We organize the presentation of our findings by topic, in-
but they do reflect that some machine issued a DNS query cluding how users perceive and use (Section 5.1), manage
for that onion domain for some reason. (Section 5.2), and wish to improve (Section 5.3) onion

416 27th USENIX Security Symposium USENIX Association

Figure 3: A sketch of interviewee P03’s mental model of onion
services. The participant referred to several layers of protection.
Figure 4: Comparison of two sketches from interviewee P13.
services. We interleave the results from our online sur- The first sketch shows the P13’s mental model of Tor and the
vey with our interviews and domain name system data as second one P13’s mental model of onion services.
appropriate.
browser but at least one did not see any connection be-
5.1 Perception and Use tween Tor and onion services. Only three interview par-
ticipants knew that onion services do not only provide
We first explore how users perceive onion site technology anonymity to the visitors to a website but also to the onion
and why they use onion sites. website provider themselves. In contrast to these inter-
viewees who had some sense of what an onion service
5.1.1 Incomplete mental models of onion services was, nearly half of our interviewees (8/17) were confused
about how to define onion services, were unsure how
We asked only our interviewees (not our survey partic- onion services function or how to describe them, and did
ipants) about their mental models of onion services be- not understand how onion services protect them. Some of
cause it is difficult to collect this type of information our interviewees did not distinguish disguising their IP ad-
from a survey. This section thus presents results from the dress from disguising their real-world identity and instead
interviews only. used the umbrella term “anonymity” to refer to both con-
Perceptions of what an onion service is. We asked our cepts. This conflation of concepts paints an incomplete
interview participants how they defined an onion service, picture of the security and privacy guarantees that the Tor
how they work, and what types of content and services network provides, with only a few interviewees recogniz-
they tend to host. Terminology was inconsistent and some- ing that anonymity is not completely achievable with Tor
times confusing: some interviewees referred to onion onion services: “What’s the point of going to Facebook
services as the dark web and others as hidden services. using onion services when their business model is still
(Recall that The Tor Project only uses the term onion about collecting your data?” (P7). Other participants
services). About half of our interviewees (9/17) knew simply thought of onion services as P08 characterized
that onion services enabled a user to access Web content them: “[the] Internet without hyperlinks.” Some of our
anonymously. Six interviewees stated that onion services participants were not aware that onion services provide
provide extra layers of protection, an idea that is well- end-to-end security and self-certifying names. Syverson
illustrated in Figure 3,6 and further elaborated on by par- and Boyce explored how onion services can improve web-
ticipant P03:“I think it’s to do with the different hops that site authentication [32], but these benefits are difficult to
you build - different layers of making it difficult to find out convey to non-technical users, and even some experts ad-
who this person is.” Four interviewees stated that onion vocated an “all or nothing” approach to online anonymity,
services work in a similar manner to Tor but with different overlooking important nuances.
encryption methods, which we can see on Figure 4. A The presence of a large quantity onion domains in the
minority of participants had sophisticated understanding: root DNS data corroborates prior studies that suggest
they referred to the encryption of data on the end points either Internet users are attempting to visit an onion do-
of a connection; three interviewees referred to the fact main in a non-Tor browser indicating a misunderstanding
that last hop along the encrypted path corresponds to an of onion links, that browsers are loading content with
onion link. onion links using pre-fetching, or that some web pages
Perception of anonymity. Five interview participants or malware are attempting to load resources from onion
drew the connection between Tor and onion services, stat- sites [18, 33].
ing that onion services have to be accessed through Tor Perceptions of what an onion service is used for. Inter-
6 All sketches are available online at https://nymity.ch/ viewees had various perceptions of what onion services
onion-services/mental-models/. were used for or why they existed in the first place. In-

USENIX Association 27th USENIX Security Symposium 417

 used by the Tor network.”
Additional Anonymity 70.79
Anonymity was also the main reason why our inter-
viewees used onion services (6/17). Another reassuring
Additional Security 62.28 factor for two of our interviewees was the feeling of secu-
Only Way to Access Content 46.61 rity and safety that onion services provide. Furthermore,
two interview participants thought of onion services as
Other 44.68
“harm reduction technique.” P10 preferred to use Face-
Curiosity About “Dark Web” 27.07 book’s onion domain because it impedes tracking efforts.
Clicking Links
Additionally, 47% of survey respondents and three inter-
18.76
viewees viewed onion services as the only way to access
No Response 6.18 content they enjoy, making the use of onion services a
0 25 50 75 100
necessity.
Percentage of Participants Non-browsing activities. Of our survey respondents who
used onion services (485/517), 64% had these services for
Figure 5: Reasons for using onion services. purposes other than web browsing. Several protocols such
as the chat application Ricochet [4] and the file sharing
terviewees sometimes associated onion services with il- application OnionShare [15] were purpose-built on top
licit content such as the drug trade or credit card data of onion services while existing TCP-based tools such
sales (2/17) or felt that onion services may be the technol- as ssh can transparently use onion addresses instead of
ogy behind anonymous purchases. Similarly, as reported traditional IP addresses. Less than a quarter (21%) of our
later in the paper, many survey respondents also voiced survey participants used onion services for non-browsing
concern about illegal and questionable content on onion activities at least once a month such as remote login (ssh)
services, described by some as a “Wild West”. Phishing or chat (IRC or XMPP). Our interviewees similarly men-
sites, honeypots, and compromised onion sites further tioned using onion services to access Pirate Bay (1/17),
contribute to this perception. Ricochet (1/17), TorChat (1/17), and OnionShare (1/17).
Work or personal reasons. Survey respondents who se-
5.1.2 Onion services used mostly for more anonymity lected “Other” (45%) for onion service usage provided
many reasons, including personal (18/517), with the most
Usage. Our survey asked how often our respondents predominant personal reason being that an onion service
browse onion services. The usage frequency was almost gives a machine behind a network address translation
uniformly distributed among our survey respondents; 24% (NAT) device a stable identifier and can be reached from
use onion sites less than once a month, 22% use them any other user on the Tor network (there are other ways
about monthly, 25% weekly, and 23% daily. The remain- to achieve this goal, but for these users, setting up an
ing 6% had never used an onion service. We also asked onion service was the easiest way). Several interviewees
our interviewees if they had used onion in the last three used onion services to accomplish specific tasks. Five
months; seven had and seven had not, with four of the interviewees reported that they use onion services simply
latter group explaining that they had used onion services for their work, while four stated personal reasons, such
before, just not in the last three months. Only two inter- as for a personal blog, or giving someone access to their
viewees had never used onion services before at all. home network. Two interview participants used onion
Anonymity and onion service content. The majority of services for educational purposes. P3 used onion services
our survey participants who used onion services did so to help teach students about the dark web: “I was teach-
because of the additional anonymity (71%) and the ad- ing a class on Internet technology and regulations. We
ditional security (62%) (see Figure 5). For instance, six were basically showing students how Tor works and part
survey respondents commented on the onion domain for- of what I have to do as a teaching assistant was make
mat, indicating that they believed the seemingly-random students go and basically get to the moment where they
characters in onion domains are the reason why onion ser- either hire a hitman, buy drugs, or buy weapons. Just to
vices are anonymous: “Onion services stay anonymous show that it’s possible. And then obviously we didn’t buy
through changing their domain, and I feel that there is it.”
a possibility of decreased anonymity with a constant do- Other survey respondents reported using onion services
main name.” (S436). These participants also believed to reduce the load on exit relays, to do technical research,
that vanity domains are “less anonymous” because part and to access sites that are otherwise unavailable. For
of their domains is clearly not random. One survey par- instance, 7/517 used onion services for hosting a service,
ticipant (S454) further wrote:“I understand vanity onion one survey respondent admitted using onion services for
domains are a sign of the weakness of the hash algorithm e-book piracy, two used onion services as an alternative

418 27th USENIX Security Symposium USENIX Association

 Not at All Somewhat Extremely
End-to-end Security 24.17 Slightly Moderately

Curiosity 23.4
De-anonymization
NAT Traversal 21.66
Anonymity 17.98
Denial of Service
Automatic Creation 10.83
Other 8.7
Phishing
No Response 60.73

0 25 50 75 100 100 50 0 50 100

Percentage of Participants Responses

Figure 6: Reasons for running onion services. Figure 7: Concerns of onion service operators about attacks.

to a virtual private network and two used them to make using onion services for work, such as to help Internet
their website as private and personal as they could. users upload leaked documents to their whistleblower
Exploring the dark web. 27% of our survey respondents website anonymously. In another example, P5 used onion
and two interviewees wanted to find out more about the services in the academic peer review process to allow
dark web and onion domain content (3/517) as reasons to authors to submit source code or supplementary material
use onion services. Two interviewees used onion services anonymously: “If one of the other reviewers connects
for fun and social reasons—to “toy around” (P7) and to our university site, and we have some sort of tracking
also, as a way of spending time with friends, as well as to information on there, we would be deanonymizing the re-
“show off” around them by using a technology unfamiliar viewer. We put it on a Tor hidden service to make sure that
to most users. Interestingly, 19% of survey respondents the reviewer remains blind in academic review process.”
said that they use onion services for no particular reason Phishing concerns. We inquired how concerned the sur-
but have clicked on onion links occasionally. vey respondents were about three potential attacks on
their own onion services: (i) somebody setting up a phish-
5.1.3 Onion sites operated for various reasons ing site for the operator’s site, (ii) a denial-of-service
attack, and (iii) a deanonymization attack. According
Setting up an onion service. 39% of survey respondents to the results, shown in Figure 7, less than 8% of our
had set up an onion service at some point. Of the re- survey respondents who operated an onion service were
spondents who had set up onion services of their own at least somewhat concerned about all of these attacks.
(266/517), 31% had run their onion service for private use Only a small percentage, 15%, claimed to be extremely
while 21% had run them for the public. Figure 6 gives concerned about somebody deanonymizing their onion
an overview of the reasons our respondents have for run- service, 10% were extremely concerned about an onion
ning onion services. For instance, the majority of those site being taken offline, and only 9% were concerned
with onion services used them for end-to-end security, about an onion site being impersonated for phishing pur-
curiosity, or NAT traversal. Only 18% survey respondents poses. Indeed, in the open-ended responses, we noted that
had set up onion services for anonymity, such as to pro- several respondents lamented the difficulty of protecting
tect their visitors and provide security on their sites. In onion services from application-layer deanonymization
the open-ended responses, eleven survey respondents set attacks. Matic et al. demonstrated some of these attacks
up onion services because then their websites could be in 2015 [17].
accessed from anywhere in the world, and seven survey
respondents set up an onion service simply to test and 5.1.4 Varying trust in Tor and onion services
learn how they work. Another two survey participants
ran onion mirror sites to their personal websites, and at Our survey asked how safe our respondents feel when
least one had an onion service as a backup website in using Tor Browser and onion services, respectively. Fig-
case he lost control over his personal domain. Finally, at ure 8 shows that onion services were actually perceived
least two survey respondents set up onion for business as less safe than Tor browser. 85% of survey respondents
purposes, work requirements, or to add valuable content feel at least somewhat safe or very safe using Tor Browser
to the onion community. In a similar vein, at least two as compared to only 66% of onion service users.
interviewees spoke about setting up onion services or Reasons for trust. Survey responses indicated that par-

USENIX Association 27th USENIX Security Symposium 419

 content I access over onion services. When I want content
Very Unsafe Neutral Very Safe from a service, I tend to distrust it from the beginning.”
Somewhat Unsafe Somewhat Safe
Two interviewees mentioned that websites cannot identify
you as the general advantage of onion services but at least
Tor Browser three participants pointed out that websites actually can
determine your identity if you write down your personal
details as well as if you log in into any private accounts
while using onion services. Similarly, 20 survey respon-
dents also raised concerned and mentioned not wanting
Onion Services to log in to onion sites because they believe it defeats the
purpose by revealing private data.
100 0 100 200 300 400 Moreover, one interview participant (P10) claimed that
Responses using onion links may influence the usability of their “nor-
mal” corresponding websites—the person shared a story
Figure 8: Safety that respondents perceive when using Tor in which they postulated that their Facebook account had
Browser and onion services. been flagged for suspicious activity and then was deac-
tivated because they had logged in through Tor Browser.
ticipants, most of whom (85%) rated themselves as non- These interview participants did not realize that while the
experts (versus 15% self-rated experts) in knowledge company indeed knows who is logging in, it does not
about Internet privacy and security, lacked the ability know Tor users’ IP address or operating system.
to evaluate (or even understand) the Tor network’s design
which is why they deferred to expert opinion, their gut
feeling, or the trust they place in Tor developers to gauge 5.2 Discovery and Management
how much to trust these services. As S450 put it:‘There’s
We now explore how users discover and keep track of
a safety tradeoff. My connection to onion sites is more
onion sites.
secure from outside eyes, but onion sites are more likely to
be scams.’ With respect to onion services, the majority of
survey respondents expressed that the added security and 5.2.1 Discovering onion links is not straightforward
anonymity made them feel safe (117/517). Another factor
contributing to the perceived security of onion services is Recall that a freshly set up onion service is private by
that advertising companies are nowhere near as present on default, leaving it up to its operator to disseminate the
onion services as they are on the Web. 80/517 respondents domain. Established search engines such as Google are
trusted Tor and themselves to be safe on onion services therefore generally inadequate to find content on onion
while only a minority of interviewees were content and services. Therefore discovering onion services is not as
believed in the future of onion services (4/17) or placed straightforward as with regular domains Figure 9 illus-
their trust in them (2/17). Additionally, 30/517 partici- trates the results from our survey.
pants said they would also choose onion services over Social networking site and search engines. The three
regular websites because they trust them. most popular ways that almost half of our survey partic-
Reasons for distrust. 90/517 of survey respondents were ipants discovered onion sites by were via (i) social net-
skeptical of trusting onion services because of the possi- working sites such as Twitter and Reddit (48%), (ii) search
bility of phishing, the fact that onion services are hard to engines such as Ahmia,7 (46%) and (iii) randomly en-
verify as authentic, and a concern that tracking can still countering links when browsing the Web (46%). Sur-
occur even with onion services (59/517). Furthermore, at vey respondents who selected “Other” (16%) for how
least 20/517 respondents said their trust of onion services they discover onion links predominantly brought up
would depend on the content of the services themselves. independently-maintained onion domain aggregators. A
Some survey respondents did not have a clear understand- noteworthy example is the Hidden Wiki used by 13 sur-
ing of onion services or thought they were the same as vey respondents, a community-curated and frequently-
regular websites and reported as much (34/517). forked wiki that contains categorized links to onion ser-
Although our interviewees tended to see onion services vices. At least 34 survey respondents searched for onion
as safer than corresponding websites (eight versus four links on regular browsers and 18 of these respondents
participants), six participants felt that users should be looked specifically at regular websites to see if they had
careful when using onion services. Not all participants 7 Ahmia.fi is an onion site search engine that crawls user-submitted
trusted onion services (5/17) and one expressed frustra- onion domains. It publishes the list of all indexed onion services at
tion such as P06:“I’m pretty distrusting with most of the https://ahmia.fi/onions/.

420 27th USENIX Security Symposium USENIX Association

 many (28/517) complained in the open-ended responses
Social Networking 47.58
about link rot on aggregators where onion links were bro-
ken, unusable, or outdated. There is significant churn
Search Engine 46.42 among onion sites, and our respondents were frustrated
Random Encounters 46.23 that aggregators are typically not curated and therefore
link to numerous dead domains. The lack of curation
Word of Mouth 18.18
also leads to these aggregators’ containing the occasional
Other 16.25 scam and phishing site. The difficulty of telling apart two
given onion domain names exacerbates this issue for users.
Not Interested 4.26
15/517 did not trust onion link lists because it is hard to
No Response 6.57 validate if they are legitimate or not. 28/517 complained
0 25 50 75 100
about filtering onion sites related to their interests with
Percentage of Participants several wanting to avoid illegal and pornographic content,
which is often difficult if the description is vague and the
Figure 9: Methods of discovering onion services. onion domain reveals nothing about its content. For this
reason, 5/517 wished aggregators were more verbose in
their description of onion sites.
a corresponding onion link. In our interviews, two par-
ticipants mentioned these techniques too. Between one Lack of good search engines. Many survey respon-
to three survey respondents mentioned each of the fol- dents complained about the lack of good search engines
lowing: using onion link lists generated by onion spiders, (33/517) and were not aware of search engines such as
onion.torproject.org, ddg.onion, Imageboard, Google, and Ahmia. Among survey respondents who were aware of
even Wikipedia. such engines, many were dissatisfied with both the search
We observed similar patterns in our interview respon- results and the number of indexed onion sites. Unsurpris-
dents. Interviewees told us that they find onion links by ingly, a “Google for onion sites” was a frequent wish.
word of mouth (6/17), using a search engine tool (5/17) Similarly, one of the biggest issues for our interview par-
including tools like DuckDuckGo (1/17), The Pirate ticipants was that onion sites are hard to find (5/17), or
Bay (1/17), Reddit (1/17), ahmia.fi (1/17), and the search as P13 put it: “How do you find stuff if you don’t know
widget in the Tor browser (1/17). More of our intervie- what you’re looking for or only have a vague idea?” 10
wees discovered onion services passively (6/17) by just survey respondents desired a better searching solution for
happening to hear about or know about specific onion onion services even with recognizing that this would be
services while five interviewees told us that they looked a tradeoff for security so services should have opt-in and
actively for onion links, browsing for the content they opt-out options for discovery. As summarized by one sur-
needed. vey respondent: “Tor is still like the early 1990s Internet
where websites were spread by word of mouth and by
Random encounters or word of mouth. A significantly lists of links. In Tor, people publish lists of onion sites
less popular discovery mechanism was discovering links and I pick the ones I’m interested in. Every Tor search
through word of mouth, which has the advantage that engine is poor and unreliable. Lists of links like Fresh
domains come from a trusted source (18% of survey re- Onions, while useful, often get out of date quickly, since
spondents). 19/517 were frustrated that it was difficult to many onion sites are unreliably hosted. Tor desperately
find out if a regular website had an onion service version needs a good search engine to find onion sites and ide-
even if they visited their website. Only 4% of our sur- ally some way of identifying what those sites are about
vey respondents—indicated that they were not interested before clicking on them, since we lack that info in the
in learning about new onion services because they only URL.” (S339)
use their own sites (7/517). Similarly, two interviewees
claimed that they never searched for new onion links.
5.2.2 Saving and tracking onion links is difficult
Link discovery challenges. The majority of our survey
respondents (55%) reported that they were satisfied with Bookmarking links. Conventional domains are often
how they discover onion services but a significant pro- easy to remember and recognize; most onion domains
portion of our participants (38%) were not and 7% did are random strings. We explored how users coped with
not respond to this question. Those satisfied reported this challenge. Most survey respondents (52%) use Tor
that they had no interest in learning about new onion ser- Browser’s bookmarks or a web-based bookmarking tool
vices, in part because they only use a small set of onion (3%) to save onion domains as seen in Figure 10. At least
services. Among the survey respondents who were not two interview participants reported bookmarking links as
satisfied with how they discover onion services (38%), well. While convenient, this method of saving onion links

USENIX Association 27th USENIX Security Symposium 421

 most often mentioned technique was copy and pasting
Tor Bookmark 51.84 domains, done by four interviewees, followed by three in-
Local Text File 36.75 terviewees who simply click on links they encounter. Two
Trusted Web Pages 34.62 interviewees would go to onion sites using bookmarks
No Solution 25.73 while another two use Google to get to onion services.
Search Engine 18.18 Only one interview participant told us that they typed
Memorize 16.63 the domains from their notes. Given the high number of
Other 9.28 (possibly insecure) home-baked solutions, a Tor Browser
Pen and Paper 7.93 extension that solves the problem of saving and tracking
Web Bookmark 2.51 onion links seems warranted.
No Response 6.19
0 25 50 75 100 5.2.3 Onion domains are hard to remember
Percentage of Participants
Memorization reasons. Our participants often memo-
Figure 10: Strategies to manage onion domains. rized onion domains to make it easier to visit onion sites
and to minimize traces of their browsing habits. Of the
leaves a trace of (presumably) visited sites on somebody’s survey respondents who memorize onion domains, we
computer. One of Tor Browser’s security requirements is found that most respondents do no memorize any onion
“disk avoidance”—the browser must not write anything domains (60%) and less than a third (30%) memorize one
to disk that would reveal the user’s browsing history [24, to four onion domains. Only 3% can memorize more
§ 2.1]. Bookmarking links is a violation of this security than four domains. Survey respondents who memorized
requirement, albeit one that users seem to want. domains (65% of all respondents) did so (i) automatically
because of typing a domain many times (20%) (ii) to al-
Ad-hoc tracking methods. Somewhat less popular low them to open an onion site more quickly (17%), and
amongst our survey participants was saving onion do- (iii) to ensure that they are visiting the correct site and not
mains in local text files (37%), getting them from trusted a phishing site (15%). Only 9% were privacy conscious
websites (35%), using search engines (18%), memorizing and did so because bookmarking onion domains leaves
domains (17%), using some other techniques (9%), or a trace. 5% of the respondents gave other reasons for
employing pen and paper (8%). Of the 9% of our survey memorizing onion links. In these open-ended responses,
respondents who selected “Other”, 15/517 stated that they 18 survey participants said that memorizing was simply
store onion domains in an encrypted manner—either in a easy for them, even unintentional. Among these partici-
text file or in their password manager. Other techniques pants, there were only 8/517 that specifically mentioned
mentioned by only one or two survey respondents each the Facebook onion site as very easy to remember. Only
included using auto-complete, storing them on a personal a few survey respondents (3/517) did not memorize onion
blog or using Twitter to find links, emailing the links to sites at all.
oneself, using redirect rules to automatically go to the
Memorization challenges. Our interview participants
.onion domain, storing the links in a virtual machine, or
generally found onion domains problematic in terms of
using Hidden Wiki. Four of our interviewees reported
having to remember random strings of letters and numbers.
that they store onion services in a list and three remember
Four interviewees perceived onion domains as too long.
(some) onion services. Other techniques for saving onion
Among these participant was one who further complained
links mentioned by interviewees mirrored those of the
about random characters in onion domains. At least two
survey and included using a Twitter feed to track onion
interviewees criticized onion links for being hard to re-
links (1/17) and using TorChat as storage places for onion
member. This viewpoint was echoed in our survey, where
links (1/17). Moreover, one interviewee believed that Tor
participants rated URLs such as expyuzz4wqqyqhjn.onion
Browser remembers onion links and another interview
and torproz4wqqyqhjn.onion as harder to remember be-
participant (P1) explained: “The onion services we run
cause the “numbers make the names harder to remember.”
professionally we keep track of because we operate the
Other survey respondents stated that vanity domains are
server, so that’s easy.” Notably, just over one-quarter of
easier to remember when they can be pronounced as de-
our survey respondents (26%) did not have a good solu-
scribed in the example quote by survey respondent (S46):
tion to the problem of tracking onion links and similarly
“phonetic pronunciation plays a large part in how I re-
two interviewees pointed out that they lacked an onion
member onions.” Many other survey respondents stated
link management mechanism.
that onion domains that are supported by a mnemonic are
Reaching onion domains quickly. We also asked our in- also easier to remember; we elaborate on this result in
terviewees how they typically reach onion services. The Section 5.2.4.

422 27th USENIX Security Symposium USENIX Association

 regular onion domains: “In terms of mnemonics and eas-
Very Difficult Neutral Very Easy ier recollection if you can chunk words that are associated
Somewhat Difficult Somewhat Easy
with daily life and not just a random. If there’s entropy
facebookcorewwwi.onion in the stream, there’s no way I’m going to remember
more than a few characters” (P18). P10 had a different
torprojectqyqhjn.onion
perspective that suggested these vanity domains make
onion services more usable: “I think that for people who
don’t spend a lot of time using those types of services, it
torproz4wqqyqhjn.onion
definitely gives you a more familiar framework for think-
ing about where you are on the Internet. If people think
expyuzz4wqqyqhjn.onion . . . people have a pretty strange geographic metaphors for
400 200 0 200 400
navigating the Internet, but I think this idea of where are
Responses you? Well, I’m at this place I can’t even name, I can’t say
it out loud, I think that can be a barrier for people.”
Figure 11: Expected difficulty memorizing four onion domains. Phishing and security. If users focus on the vanity part
of a domain only, attackers can create an similar domain
5.2.4 Vanity domains: more memorable, less trusted that features the original’s prefix but differs in subsequent
characters. Nurmi [23] and Monteiro [19] have both
Memorizability. The majority of our survey respondents documented such an attack, but its effectiveness is not
appreciated vanity domains because they were easy to known.
remember (64%) and easy to recognize (64%), and they Indeed, in several cases, both survey (29/517) and in-
provided a unique “branding” (34%). Some survey re- terview participants found that vanity domains were not
spondents indicated that a vanity prefix—like a traditional practical and seemed to distrust them because they felt
domain—informs about an onion service’s content, let- they made phishing easier: “I don’t think it’s useful be-
ting visitors know what to expect and thus preventing cause . . . it’s followed by another random word . . . and
unpleasant surprises but at least 3/517 wanted more clues phishing can still copy that . . . I don’t think what I can re-
to let visitors know more about what the domain content member is safe now.” (P17). Similarly, as S94 explained:
is or for some content to be harder to find. As S423 wrote: “We also get false expectations of security from such do-
“For less important, high traffic sites (social media like mains. Somebody can generate another onion key with
Facebook), it’s okay. For sites handling much more sensi- same facebookcorewwwi address. It’s hard but may be
tive/potentially illicit content, its a good idea to make it possible. People who believe in uniqueness of generated
difficult to find.” characters, will be caught and impersonated.”. Among
Only 15% did not have an opinion about vanity do- our survey respondents, there was also concern that the
mains, 8% reported that they disliked vanity onion do- short and recognizable prefixes tempt users to verify only
mains, and 7% did not see a benefit of vanity do- the prefix and ignore the non-vanity part of the onion
mains. We asked survey respondents about whether domain, as epitomized by one survey respondent: “I only
or not they memorize vanity domains—specifically memorize the first part of the domain.” (S96) while an-
facebookcorewwwi.onion—and how difficult they find it other wrote: “If there isn’t some cognizable word at the
to memorize onion domains of differing levels of van- start, it’ll be more difficult for me to determine if I’m go-
ity. Only 20% of respondents replied that facebook- ing to the correct domain or a scam. I may end up going
corewwwi.onion is among the sites that they have mem- to less onion sites as a result.” (S355)
orized. This is because it is “easy to memorize” (S391) This viewpoint was echoed by our interview partici-
and “after seeing [it] many times, I automatically start to pants, who noticed that vanity domains can negatively
memorize it.”(S94) Depending on the format of the vanity affect security. P13 explained: “I think in theory, on the
domain, our survey respondents expressed differing levels one [hand], it makes it easier for you to recognize where
of ease for memorizing them; these results are shown in you are, it makes it easier for you to perhaps, share the
Figure 11. Most participants found it easier to memorize URL or type it out. On the other hand, I’ve seen con-
vanity domains with a longer recognizable prefix such as cerns that, by having a vanity URL where perhaps people
Facebook’s. Interestingly, only 4/517 survey respondents only look for the Facebook portion and they don’t pay
considered vanity domains economically unfair because attention to what comes after it could potentially make it
wealthy entities can afford to generate longer prefixes easier to exploit unsuspecting users. Send them a link that
such as Facebook. also says Facebook but the numbers after it are different,
Usable links. Ten out of seventeen interviewees saw van- but you just see the Facebook part and go, ‘It’s fine, it’s
ity domains as a significant usability improvement to the Facebook.’ That can be a risk to them.” P5 also shared

USENIX Association 27th USENIX Security Symposium 423

their view on vanity domains: “It seems like it would
encourage more trust on behalf of the user, but then again, Copy/Paste 64.41
maybe make phishing easier too, if phishers are making Bookmarks 52.42
vanity domains themselves. Yeah, that seems like it could Verify Address Bar 45.45
go both ways actually.”
Link on Site 39.85
Check Certificate 36.17
5.2.5 Onion sites are hard to verify as authentic Can’t Tell 28.63
Other 13.15
Verification techniques. We asked our participants about
verifying the authenticity of an onion site. The majority Don’t Check 10.44
of our survey respondents (79%) did want to verify an No Response 0.97
onion service as authentic. Figure 12 gives an overview 0 25 50 75 100
of the strategies that our respondents employ. Most of the Percentage of Participants
respondents (64%) copied and pasted onion links from
trusted sources (e.g., friends or another, trusted website) Figure 12: Determining an onion service’s legitimacy.
or used bookmarks when revisiting onion services (52%).
Many survey respondents also verified the domain in publicly available websites if they could to verify au-
the browser’s address bar (45%), checked if the corre- thenticity. One of the most common approaches in the
sponding website had a link to its onion site (40%), or second group (3/17) was to check and compare URLs to
checked that the onion service has a valid HTTPS cer- see whether they matched to a “clearnet site” (P14), its
tificate (36%).8 Survey respondents reporting checking unencrypted version on the regular Internet. Furthermore,
the corresponding regular website for verification, ver- two interview participants rely on their own experience,
ifying if familiar images were recognized, or checking one on HTTPS certificates, and another one would lower
for HTTPS (9/517). 8/517 only used links if received the security settings in Tor Browser using the security
form a trusted resource or trusted member of a commu- slider to check the website more thoroughly:“Sometimes,
nity or check with their notes (4/517). 5/517 trusted their it worries me, but before that I access, in Tor, I turn off,
perception of a website as verification of authenticity or I always. First, I always turn off the Java service and
Tor or the fact that onion sites are self-certified by design etcetera, to check the website. I think it’s good, then I will
(3/517) or use the fact that they could log into a site as lower the security level in Tor browser, but mostly, I will
verification (5/517). Only a few mentioned using multiple ask anything, maybe, in the Reddit or in the forum—in
sources to verify authenticity (3/517) and at least 9 survey my country forum—of what the service [may be].” (P17).
respondents said that they did not use onion links at all. One interviewee believed that just using Tor is verifica-
When asked how many characters our survey respon- tion in itself and another participant avoided onion sites
dents verify in onion domains, 19% verified thirteen to six- altogether.
teen digits, i.e., (almost) the full domain, while 20% veri- Verification challenges. Indicative of potential security
fied up to nine digits, which is within the realm of brute issues, 29% of survey respondents stated that they some-
force attacks, and 5% verified between nine to twelve dig- times could not tell the difference between an authentic
its. More than half of respondents provided no response service and an impersonation, and 10% never checked a
at all (54%). service’s legitimacy in the first place. Survey participants
For those interviewees (7/17) who did attempt to ensure who selected “Other” (13%) provided a wide variety of
they were visiting an authentic onion site, we observed ad-hoc verification strategies, further highlighting the im-
two strategies: relying on someone else to ensure a link portance of being able to verify a site as being the one
was authentic and trying to work out authenticity using that they were trying to reach. For instance, 13 survey
various techniques on their own. Most interviewees in respondents said there is no good way of verifying onion
the first group stated that they rely on word of mouth services or they do not know how to.
for verification (5/17), followed by assistance from some- We also asked our interview participants how they knew
one else (4/17). P3 explained “[I] let people show me that the site they went to was the one that they wanted to
them. I don’t go there myself.” Two interview partici- visit. Similar to the survey respondents, six interviewees
pants relied on resources they already trusted for onion reported that they did not know how to verify the authen-
links, like friends and other communities and two ac- ticity on an onion site and they were concerned about
cessed onion services by first visiting their corresponding being on an impersonating website because it is easy to
8 DigiCert is issuing EV certificates for onion sites [7], but adoption mistype onion domains and onion domains change fre-
has been slow—presumably in part because EV certificates require the quently if an onion service is short-lived or moves. P1
CA to verify the applicant’s identity and they are not free. summarized the issue as being inherent to the nature of

424 27th USENIX Security Symposium USENIX Association

onion services “I wouldn’t know how to do that, no. Isn’t Onion 1 # Onion 2 # J-W
that the whole point of onion services? That people can 57g7spgrzlojinas 1,621 57g7spgrziojinas 14 0.989
run anonymous things without being to find out who owns xxlvbrloxvriy2c5 1,593 xxlvbrioxvriy2c5 4 0.949
and operates them?” Two interviewees even believed gx7ekbenv2riucmf 1,476 gm7ekbenv2riucmf 4 0.973
mischapuk6hyrn72 1,062 mischa5xyir2mrhd 8 0.902
onion site authentication to be impossible. For this rea- petya3jxfp2f7g3i 1,061 petya3jxfb2f7g3i 8 0.997
son, some interviewees also proposed that onion domain petya3jxfp2f7g3i 1,061 petya37h5tbhyvki 58 0.907
formats without numbers or with a stable patterns of let- mischa5xyix2mrhd 786 mischa5xyir2mrhd 8 0.999
ters and numbers could potentially make sites easier to hydraruzxpnew4af 529 hydraruzxpnew1af 2 0.999
hydraruzxpnew4af 529 hydraruehfq5poj5 2 0.927
reach and verify for authenticity. hydraruzxpnew4af 529 hydraruzxpnew3af 2 0.999
3g2upl4pq6kufc4m 472 tg2upl4pq6kufc4m 2 0.971
3g2upl4pq6kufc4m 472 3g2upl4t5houfo4y 2 0.924
5.2.6 Onion lookups suggest typos or phishing 3g2upl4pq6kufc4m 472 3g2upl4oq6kuc4mm 2 0.954
3g2upl4pq6kufc4m 472 3g2upl4pe3kcf24d 2 0.973
Phishing remains an issue despite onion services’ extra zqktlwi4fecvo6ri 410 zqktlwipcfe3siu2 2 0.931
anonymity and security properties. Past work has docu- zqktlwi4fecvo6ri 410 zqktlwi4i34kbat3 12 0.946
mented phishing onion sites that transparently rewrote Bit-
Table 3: The Jaro-Winkler similarity score for frequently visited
coin addresses to hijack Bitcoin transactions [19, 23, 38]. onion domains in the DNS root dataset.
Key to this attack is the difficulty of telling apart an au-
thentic onion domain from an impersonation. For con- that Facebook’s onion site (facebookcorewwwi.onion)
ventional domains we rely on EV certificates, browser has a similarity score of 0.953 with another onion
protections, search results, and long-lived reputation, but domain that was looked up facebookizqekmhz.onion,
none of these methods have matured for onion services. which only appeared in our dataset twice (in compari-
Does the nature of onion services facilitate phishing at- son to the 101 instances of facebookcorewwwi.onion).
tacks? If so, what can we do to mitigate the issue? Another frequently looked up onion domain is
Most interview participants (9/17) agreed that phish- blockchainbdgpzk.onion, which is a popular Bitcoin
ing constitutes a serious risk, one of them explained the wallet; it was extremely similar to blockchatvqztbll.onion
phenomenon this way: “the two approaches I know from (similarity score 0.949). These cases of similar domains
the normal Web still apply here, which is typo-squatting, could be a potential indicator of phishing sites for popular
registering an onion [domain] that’s only a slight vari- domains.
ation away, or bit-squatting, which is slightly different, We next explored the top 20 most frequently requested
but it involves a single or a few bit flips within an onion onion domains dataset by checking: whether they are ex-
address, so that it looks relatively similar” (P6), while an- tremely similar to another onion domain in our dataset,
other interview participant presented their solution to this and whether there is a large difference in frequency of the
problem: “If you’re manually typing it in I suppose they two similar domains. Of the top 20 onion domains, 16
could be a problem, but I primarily cut and paste” (P16). had a Jaro-Winkler similarity score > 0.90 with at least
We evaluated how often lookups to two different onion one other onion domain in the data. Table 3 shows the
domains are extremely similar to one another, which can characteristics of these domains. Many of the domains
shed light on how often an onion domain may be phished, in the table under “Onion 1” are associated with either
since it is unlikely for distinct onion services to have the WannaCry Ransomware, the Mischa Ransomware,
extremely similar strings for onion domains. or the Petya Ransomware. The remaining domains in
To do so, we computed the Jaro-Winkler similarity that column are real onion domains that returned search
metric between each unique pair of correctly formatted results when used as input to https://ahmia.fi; these
onion domains, which is the edit distance between two include a Russian Market (hydraruzxpnew4af.onion),
strings that gives more weight to strings with common DuckDuckGo (3g2upl4pq6kufc4m.onion), and The Hid-
prefixes. We used this metric because people tend to den Wiki (zqktlwi4fecvo6ri.onion).
check the first part of the domain. Values range between
[0, 1], where 0 represents completely different strings 5.3 Areas for Improvement
and 1 represents matching strings, to each unique do-
main pair. We find that 0.007% (8,672) of all unique When we asked about areas for improvement in the survey
domain pairs (119,668,185) have an extremely high sim- and interviews, participants told us that onion services
ilarity (> .90); for example, bitfog2jzic5tnh7.onion could be enhanced technically and performance-wise, and
and bitfog2y7y2pfv75.onion have a Jaro-Winkler simi- that privacy and security, educational resources on, and
larity of 0.917. methods for discovering onion content could be improved.
We first analyzed the results of the similarity met- Technical Improvements. In our open ended question on
ric for any well-known vanity domains. We found improvements to onion services, 43/517 did not provide

USENIX Association 27th USENIX Security Symposium 425

an answer and 36/517 expressed their gratitude for Tor to the lack of proper education as “cultural mysticism.”
and Torproject and were satisfied with the service overall. Uneducated users often misunderstand concepts, as P10
However, many respondents spoke of possible enhance- explained: “The perception that these are hardcore se-
ments. The majority of survey respondents (59/517) men- curity tools sometimes signals to ordinary users that they
tioned technical improvements they would like to see for are also difficult or badly designed or complicated to use,
onion services such as improving support for Javascript, and that’s not really the case with Tor.” Even if knowl-
making onion services available in other browsers, and edge was not an issue, fear of consequences may deter
having more support for mobile devices. 17/517 wanted users otherwise, as P8 mentioned before: “Because it’s
a better user interface and user experience with onion ser- also super scary. You think you’re playing with this spy
vices in general. Our interviewees also mentioned various thing . . . Sometimes it’s actually a really simple technical
technical improvements they would like to see in onion thing that’s not terrifying. And to demystify those things
services. Two wanted a secure bookmarking tool and an- would be really nice.”
other interviewee wanted CAPTCHAs to be gone (these Improved Search. 15/517 survey respondents wanted
are triggered more often with onion services). Only four onion services to be more accessible, such as via a good
talked about wanting to see influential websites or even search engine or organized database. At least four in-
all websites set up corresponding onion sites. terviewees also desired improved search engines. As an
Performance Concerns. At least 48 survey respondents example of this sentiment, S116 wrote: ‘Ask someone
had performance concerns about onion services. For ex- to develop a really good search engine so that sites may
ample, one survey user stated, “I would always prefer be found. I am sure that the dark net has to be more
the onion site but for video sites like YouTube I would than a few illicit sites that are selling stolen credit cards,
likely often use the normal site to be able to get a higher and running Bitcoin scams. I feel like when I browse
quality stream due to higher bandwidth.” (S435) Three the dark net, I am floating in space waiting for another
interview participants similarly raised the “slowness” of planet to suddenly appear. Whatever content is out there
onion services. needs to be discovered, lest people will make misinformed
judgments about the dark net. The dark net should be
Privacy and Security. 34 survey participants expressed understood to be preeminently about privacy, not crimi-
concern about anonymity and security issues and would nality.’ In addition, many survey respondents expressed
like to feel and be safer over the Tor network more gen- frustration about the difficulty of finding out if a particu-
erally. For instance, S70 wrote: ‘I hear a lot of social lar public website has a corresponding onion service. A
media questions from casual or unsophisticated users, common wish was to have a website list its onion service
and the single biggest problem is that they don’t have the prominently in a footer or on the corresponding Internet
slightest idea of exactly what’s being protected and what site (3/517). Ironically, some survey respondents were
isn’t. Vague pronouncements that "doing X is safer" don’t surprised that torproject.org has a corresponding onion
help. Tor needs to stop being muddy in explaining what site—they could not find it on the website.
it protects, and stop promoting itself to people who don’t
understand what it can and can’t do for them.’ 11/517
complained about lack of anonymity protection specifi- 6 Future Directions
cally from government, big companies or even Federal
Bureau of Investigation (FBI). 8/517 wanted to verify Our work highlights several opportunities for improve-
onion services as legitimate or live and only 2/517 spoke ments to current onion services.
about not wanting the dark net to contain criminal content.
Security indicators for onion services. First, many of
Education and Resources. 24 survey respondents be- our participants had an incomplete mental model of how
lieved that there was a “‘knowledge” issue with not onion services work and trusted them less than other Tor
enough resources and documentation for newcomers to services, which suggests that a better indicator of the
Tor and onion services. Many of our interviewees felt protections an onion service offers should be made vis-
similarly (7/17). Interviewees lamented about a lack of ible to onion service users. Currently, The Tor Project
documentation or resources that would allow newcom- is working on a security indicator for onion services [1].
ers to learn more about onion services. P8, for example, Figure 2b illustrates that Tor Browser currently, in ver-
wanted to know how to use onion services correctly and sion 7.0.10, displays an onion service connection as an
stop being uncertain about its properties: “Really clear insecure HTTP connection, thus greatly “under-selling”
user education in the installation process would be great the security and privacy that an onion service connection
for people like me . . . who are like ‘Okay, this is a thing I provides. The design process for such indicators should
can use, why am I using it again? What am I using it for? evaluate whether users understand the meaning of the in-
What does it do?” Three of our interviewees also referred dicator, as well as how it differs from an HTTPS indicator.

426 27th USENIX Security Symposium USENIX Association

 resorted to memorizing links to avoid security issues with
storing onion links. This problem suggests the need for
a privacy-preserving bookmarking tool that allows users
to bookmark sites without leaving a trail in their browser
storage or elsewhere on their system.

7 Conclusion
Onion services resemble the 1990s web: Pages load
Figure 13: A click on the onion icon reveals the Tor relays that slowly, user interfaces are clumsy, and search engines
constitute the circuit that was used to fetch the current page. As are inadequate. Users appreciate the extra security, pri-
of February 2018, the user interface is subject to a redesign [2]. vacy, and NAT punching properties of onion services,
which gives rise to a variety of use cases. Yet, users are
(Felt et al. found the subtleties that one must consider confronted with a variety of privacy, security and usability
when designing similar security indicators [8].) concerns that should be addressed in future generations of
The Tor Browser’s circuit display interface is also being onion services. For example, users are concerned about
redesigned (see Figure 13) [2]. As with an onion service the susceptibility of onion domains to phishing attacks,
indicator, an evaluation of the circuit display could reveal and the onion domains that are leaked to the public In-
user misunderstandings that may improve perceptions of ternet illustrate that this threat is real—and unaddressed.
and trust in onion services. For example, we found that Users have limited ways of discovering the existence of
some users are not familiar with the concept of guard onion services, let alone navigating to them.
relays and incorrectly expect each relay in their circuit to A range of design improvements, from better discovery
change, which suggests the need for an improved inter- mechanisms to automatic “upgrading” to a correspond-
face. Users also found it difficult to verify the authenticity ing onion service when it is available are initial steps to
of an onion site; while certificates do help, many sites still improve usability. Some of these desired features have
do not have them, and some may never have them. clear analogs in the public Internet, such as the padlock
Automatic detection of phishing onion domains. Our icon as a security indicator for HTTPS, and HTTP Strict
findings that some onion domains in the root DNS data Transport Security (HSTS) to automatically upgrade an
have small edit distance to popular onion domains sug- HTTP connection to HTTPS. We expect that many of the
gests that users may fall victim typos to phishing attacks; usability design lessons from the public Internet may in
on the other hand, because the number of popular onion some cases also apply to onion services.
domains is still relatively small and (through our analysis
and previous work [18, 33]) relatively well-known, the Acknowledgments
Tor Browser could raise an alert when the user attempts
to access an onion domain that has a small edit distance This research was supported by the National Science
to a popular onion domain. Foundation Awards CNS-1540066, CNS-1602399, and
Opt-in publishing of onion sites. Our participants often CNS-1664786. We thank George Kadianakis for helpful
wanted more services to be available as onion services feedback on our survey questions, Katherine Haenschen
and did not often know if an onion service for a popular for helping us improve our method, Mark Martinez for
website existed. Participants found it difficult to discover conducting interviews, Stephanie Whited for helping us
new onion services, which suggests the need for better disseminate our survey, and Antonela Debiasi for inform-
ways to find active onion services. While search engines ing us about current user experience efforts around the
and curated lists do exist, they do not generally allow Tor Browser. We thank Roya Ensafi, Will Scott, Jens
users to locate an onion service of interest without also Kubiziel, and Vasilis Ververis for pre-testing our survey,
stumbling upon unwanted content. One possibility is an and USC’s Information Sciences Institute for access to
opt-in public log, whereby users can learn about new the DNS B root data. We also thank the Tor community
onion domains as they are added. Many participants for helpful feedback, for volunteering for our interviews,
also expressed interest in a browser feature that could and for taking our survey.
automatically “upgrade” from a regular web site to its
corresponding onion service. (The Tor Project is currently References
investigating this problem space [13].)
[1] I. Bagueros. Communicating security expectations for .onion:
Privacy-preserving onion bookmarking. Participants what to say about different padlock states for .onion services.
found it difficult to track and save onion links; they often https://bugs.torproject.org/23247.

USENIX Association 27th USENIX Security Symposium 427

 [2] I. Bagueros. Improve how circuits are displayed to the user. https: [21] G. Norcie, J. Blythe, K. Caine, and L. J. Camp. Why Johnny
//bugs.torproject.org/24309. can’t blow the whistle: Identifying and reducing usability issues
[3] A. J. Berinsky, M. F. Margolis, and M. W. Sances. Separating the in anonymity systems. In USENIX. Internet Society, 2014. https:
shirkers from the workers? Making sure respondents pay attention //www.freehaven.net/anonbib/cache/usableTor.pdf.
on self-administered surveys. American Journal of Political Sci- [22] J. Nurmi. Ahmia – search Tor hidden services. https://ahmia.
ence, 58(3), 2014. http://web.mit.edu/berinsky/www/files/ fi.
shirkers1.pdf.
[23] J. Nurmi. Warning: 255 fake and booby trapped onion sites, June
[4] J. Brooks. Ricochet. https://ricochet.im. 2015. https://lists.torproject.org/pipermail/tor-talk/
[5] J. Clark, P. C. V. Oorschot, and C. Adams. Usability of anonymous 2015-June/038295.html.
web browsing: An examination of Tor interfaces and deployability. [24] M. Perry, E. Clark, S. Murdoch, and G. Koppen. The design and
In SOUPS. ACM, 2007. https://www.freehaven.net/anonbib/ implementation of the Tor Browser, Mar. 2017. https://www.
cache/tor-soups07.pdf.
torproject.org/projects/torbrowser/design/.
[6] D. Collins. Pretesting survey instruments: An overview
[25] E. S. Poole, M. Chetty, R. E. Grinter, and W. K. Edwards. More
of cognitive methods. Quality of Life Research, 12(3),
than meets the eye: Transforming the user experience of home
2003. https://link.springer.com/content/pdf/10.1023%
network management. In Proceedings of the 7th ACM Conference
2FA%3A1023254226592.pdf.
on Designing Interactive Systems, DIS ’08, pages 455–464, New
[7] DigiCert. Ordering a .onion certificate from Dig- York, NY, USA, 2008. ACM. http://doi.acm.org.proxy-um.
iCert, Dec. 2015. https://www.digicert.com/blog/ researchport.umd.edu/10.1145/1394445.1394494.
ordering-a-onion-certificate-from-digicert/.
[26] Sai and A. Fink. Mnemonic .onion URLs, Feb. 2012.
[8] A. P. Felt, R. W. Reeder, A. Ainslie, H. Harris, M. Walker, https://gitweb.torproject.org/torspec.git/tree/
C. Thompson, M. E. Acer, E. Morant, and S. Consolvo. Re- proposals/194-mnemonic-urls.txt.
thinking connection security indicators. In SOUPS. USENIX,
2016. https://www.usenix.org/system/files/conference/ [27] Y. Sawaya, M. Sharif, N. Christin, A. Kubota, A. Nakarai,
soups2016/soups2016-paper-porter-felt.pdf. and A. Yamada. Self-confidence trumps knowledge: A
cross-cultural study of security behavior. In CHI. ACM,
[9] A. Forte, N. Andalibi, and R. Greenstadt. Privacy, anonymity, and
2017. https://users.ece.cmu.edu/~mahmoods/publications/
perceived risk in open collaboration: A study of Tor users and
chi17-cross-cultural-study.pdf.
Wikipedians. In CSCW. ACM, 2017. http://andreaforte.net/
ForteCSCW17-Anonymity.pdf. [28] M. Schanzenbach. The GNU name system, 2012. https://
gnunet.org/gns.
[10] K. Gallagher, S. Patil, and N. Memon. New me:
Understanding expert and non-expert perceptions and us- [29] I. Seidman. Interviewing As Qualitative Research: A Guide for Re-
age of the Tor anonymity network. In SOUPS. ACM, searchers in Education and the Social Sciences. Teachers college
2017. https://www.usenix.org/system/files/conference/ press, 2013.
soups2017/soups2017-gallagher.pdf.
[30] E. Swanson. Scallion: GPU-based onion hash generator. https:
[11] A. Johnson. A proposal to change hidden service terminol- //github.com/lachesis/scallion.
ogy, Feb. 2015. https://lists.torproject.org/pipermail/
[31] P. Syverson. Onion routing: Brief selected history, 2005. https:
tor-dev/2015-February/008256.html.
//www.onion-router.net/History.html.
[12] G. Kadianakis, Y. Angel, and D. Goulet. A name system API
for Tor onion services, 2016. https://gitweb.torproject.org/ [32] P. Syverson and G. Boyce. Genuine onion: Simple, fast, flex-
torspec.git/tree/proposals/279-naming-layer-api.txt.
ible, and cheap website authentication. In Web 2.0 Security
& Privacy. IEEE, 2015. https://www.ieee-security.org/TC/
[13] L. Lee. .onion everywhere?: increasing the use of onion ser- SPW2015/W2SP/papers/W2SP_2015_submission_27.pdf.
vices through automatic redirects and aliasing. https://bugs.
torproject.org/21952. [33] M. Thomas and A. Mohaisen. Measuring the leakage of onion
at the root: A measurement of Tor’s .onion pseudo-TLD in the
[14] L. Lee, D. Fifield, N. Malkin, G. Iyer, S. Egelman, and
global domain name system. In Proceedings of the 13th Workshop
D. Wagner. A usability evaluation of Tor launcher. PoPETS,
on Privacy in the Electronic Society, pages 173–180. ACM, 2014.
2017(3), 2017. https://petsymposium.org/2017/papers/
issue3/paper2-2017-3-source.pdf. [34] University of Southern California—Information Sciences Institute.
B root traffic for DITL, 2017. https://impactcybertrust.org/
[15] M. Lee. OnionShare. https://onionshare.org.
dataset_view?idDataset=814.
[16] N. Mathewson. Next-generation hidden services in Tor,
2013. https://gitweb.torproject.org/torspec.git/tree/ [35] J. Victors, M. Li, and X. Fu. The Onion Name System. PoPETS,
proposals/224-rend-spec-ng.txt. 2017(1), 2017. https://www.degruyter.com/downloadpdf/
j/popets.2017.2017.issue-1/popets-2017-0003/
[17] S. Matic, P. Kotzias, and J. Caballero. Caronte: Detecting lo- popets-2017-0003.pdf.
cation leaks for deanonymizing Tor hidden services. In CCS.
ACM, 2015. https://software.imdea.org/~juanca/papers/ [36] S. P. Weber. mnemonicode, 2017. https://github.com/
caronte_ccs15.pdf. singpolyma/mnemonicode.

[18] A. Mohaisen and K. Ren. Leakage of .onion at the DNS Root: [37] P. Winter. Take part in a study to help improve
Measurements, Causes, and Countermeasures. IEEE/ACM Trans- onion services. https://blog.torproject.org/
actions on Networking, 25(5):3059–3072, 2017. take-part-study-help-improve-onion-services.

[19] C. Monteiro. Intercepting drug deals, charity, and [38] P. Winter, R. Ensafi, K. Loesing, and N. Feamster. Identifying
onionland, Oct. 2016. https://pirate.london/ and characterizing Sybils in the Tor network. In USENIX Secu-
intercepting-drug-deals-charity-and-onionland-a2f9bb306b04. rity. USENIX, 2016. https://nymity.ch/sybilhunting/pdf/
[20] A. Muffett. 1 million people use Facebook over Tor, Apr. 2016. sybilhunting-sec16.pdf.
https://www.facebook.com/notes/facebook-over-tor/
1-million-people-use-facebook-over-tor/
865624066877648/.

428 27th USENIX Security Symposium USENIX Association