How does connecting to a hidden service over tor work?


I’ve heard it explained a million times but it never clicked. Perhaps it’s the cryptography part I’m struggling with. It’s pretty easy for me to get overwhelmed by the technical terms.

To be clear, I’m talking about how a client running the tor browser manages to anonymously connect to a .onion webserver.


Okay, let’s just say brackets mean you encrypt something. Only the correct receiver has the key to unlock it.

Regular encryption would then be

“address (message)”

You encrypt what you’re saying, but you can’t encrypt who you’re talking to (because the ISP needs to know in order to route the message correctly).

Tor simply routes through multiple relay points. So the message you send looks like


From the outside it looks like you send an encrypted message to address 1. But that isn’t the final destination. Relay server 1 opens the first layer of encryption and finds an address, so it sends the remaining encrypted message to address 2, who has the key to open the second layer of encryption. And so on.

In the end no one in the chain knows who the final destination is. So even if one of the servers gets hacked/raided they only see a bunch of encrypted messages getting forwarded, without any idea if the address is just another relay or the actual receiver. (And also no information on who the original sender is; they can only see one step in the chain.)

Think of a Russian doll that has a bunch of smaller dolls stacked inside. Now, let’s say you want to send a message to Dave. You write your message on a piece of paper, place it inside the smallest doll and lock it with a special lock that only Dave has the key for.

Then you decide that Dave will get this doll from Charlie. So, you place the locked doll inside the next doll, along with a note that says “Please deliver to Dave”. Then you lock that doll with a special lock that only Charlie has the key for.

Then you decide that Charlie will get his doll from Bob, so you place it inside the next one with another note and lock it with Bob’s key, and then you do the whole thing once more for Alice.

The message is now ready to be sent. Because each recipient can only open one layer of the doll, none of them can know how many layers are left, or how many layers have already been peeled off. Therefore, when you pass the doll to Alice, she has no way of knowing if you are the original sender, or if you are simply passing on the doll just like everyone else.
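The layered encryption in the bracket answer and the Russian-doll answer above, as an added, runnable example that is not part of either post. It uses the doll answer's names (Alice, Bob, Charlie as relays, Dave as the destination) and a toy encrypt-then-MAC cipher built from SHA-256 and HMAC as a stand-in for the AES-CTR Tor actually uses; the keys and the message are constructed for the example, and the `seal`/`open_`/`build_onion` helpers are mine, not anything from Tor. Each relay peels exactly one layer, learns only the next address, and cannot open any inner layer.

```python
import hashlib
import hmac
import json
import os

# Toy stream cipher: keystream = SHA-256(key || nonce || counter) blocks XORed
# with the data. A stand-in for Tor's AES-CTR, NOT for real use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only the key holder can open it."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip one layer. Wrong key -> ValueError, no partial plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def try_open(key: bytes, blob: bytes) -> bool:
    """What a relay can tell about a layer that is not addressed to it: nothing."""
    try:
        open_(key, blob)
        return True
    except ValueError:
        return False

def build_onion(path, keys, destination, message: bytes) -> bytes:
    """Wrap `message` so that path[0] sees only path[1], path[1] only path[2], ...
    and the last relay sees the real destination. Innermost layer first."""
    layer = seal(keys[path[-1]],
                 json.dumps({"next": destination, "payload": message.hex()}).encode())
    for prev, nxt in reversed(list(zip(path[:-1], path[1:]))):
        layer = seal(keys[prev], json.dumps({"next": nxt, "payload": layer.hex()}).encode())
    return layer

def relay_peel(key: bytes, blob: bytes):
    """One relay's step: decrypt its layer, return (next address, opaque remainder)."""
    inner = json.loads(open_(key, blob))
    return inner["next"], bytes.fromhex(inner["payload"])

def run_circuit(path, keys, destination, message: bytes):
    """Walk the onion through every relay; return what each relay saw and the
    plaintext that finally reaches the destination."""
    blob = build_onion(path, keys, destination, message)
    views, addr = [], path[0]
    for hop in path:
        assert hop == addr                      # the blob arrived where the previous hop sent it
        addr, blob = relay_peel(keys[hop], blob)
        views.append((hop, addr))               # all this relay learns: who is next
    return views, blob

if __name__ == "__main__":
    # Constructed per-relay keys; in Tor these are negotiated with each relay
    # when the circuit is built, never sent inside the onion.
    keys = {name: os.urandom(32) for name in ("Alice", "Bob", "Charlie")}
    views, delivered = run_circuit(["Alice", "Bob", "Charlie"], keys, "dave.example", b"hello Dave")
    print(views)        # [('Alice', 'Bob'), ('Bob', 'Charlie'), ('Charlie', 'dave.example')]
    print(delivered)    # b'hello Dave'
```

One caveat the doll analogy glosses over: in this toy the blob shrinks by a nonce and a tag at every hop, so a relay could guess its position in the chain from the size. Tor avoids that leak by carrying everything in fixed-size cells, so the ciphertext a relay forwards is the same length whether there are two layers left or none.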

Accessing normal websites over tor takes your traffic through three hops so it’s hard to track you. A .onion server chooses a number of intermediary tor nodes as middlemen and connects to those over three hops. In total it then takes six hops to connect from a tor client to a .onion server through one of the intermediary nodes, keeping both sides anonymous.

It’s a bit difficult to ELI5 the tor hidden service protocol, but I will summarize, assuming we already understand how tor makes tor connections anonymous.


In summary, a service needs to advertise itself to a client but does not want to give out its IP. To achieve this it:

1/ sets up several long-lived tor connections by asking a number of tor relay nodes to act as the service’s Introduction Points

2/ publishes these nodes to a database held within the tor network, keyed by the service’s onion address (Distributed Hash Table, DHT)

3/ a client wanting the service searches the DHT using the onion address to get the service description.

4/ the client then requests that a random tor relay node act as its rendezvous point.

5/ it sends a message through the rendezvous node to one of the service’s Introduction nodes.

6/ finally the service responds & the connection is made.

The connection now consists of at least 6 tor nodes, 3 or more picked by the client &amp; 3 or more picked by the service. This way neither the service nor the client reveals its IP address to the middle rendezvous node or to each other.
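The six steps above, as an added simulation that is not part of the post and not Tor's code. It runs the descriptor publish, the DHT lookup, the rendezvous-point setup, the introduce message and the final join in one process, recording what each relay gets to see. Assumptions, all mine: a constructed population of twenty named relays, a `random.Random(seed)` so the run is repeatable (Tor uses a CSPRNG), an onion address made by base32-encoding 80 bits of a SHA-256 hash of the service key in the style of the old v2 addresses (v3 addresses encode the ed25519 public key itself and are 56 characters long), a plaintext INTRODUCE payload that Tor would encrypt to the service's key, and a client circuit of three hops ending at the rendezvous point plus a separate service circuit of three relays ending at the same point, which gives the six-relay total the post describes. One difference from step 5 as written: in this model the introduce message travels over its own circuit to the introduction point, not through the rendezvous node; it carries the rendezvous node's name and a cookie so the service can find it.

```python
import base64
import hashlib
import random

# Constructed relay population; real Tor picks relays from the live consensus.
RELAYS = [f"relay{i:02d}" for i in range(20)]

def onion_address(pubkey: bytes) -> str:
    """Simplified v2-style address: base32 of 80 bits of a hash of the key.
    v3 addresses are base32(ed25519 pubkey || checksum || version) instead."""
    return base64.b32encode(hashlib.sha256(pubkey).digest()[:10]).decode().lower() + ".onion"

def circuit(rng, last_hop: str, n_relays: int):
    """A circuit of n_relays relays whose final hop is last_hop."""
    return rng.sample([r for r in RELAYS if r != last_hop], n_relays - 1) + [last_hop]

class Relay:
    """A relay only ever records the previous hop and the kind of cell it got."""
    def __init__(self, name):
        self.name, self.seen, self.cookies = name, [], {}

def run_rendezvous(seed: int) -> dict:
    rng = random.Random(seed)                          # deterministic for the example only
    relays = {r: Relay(r) for r in RELAYS}
    dht = {}                                           # onion address -> descriptor

    # Steps 1 and 2: service keeps circuits open to three introduction points and
    # publishes a descriptor naming them, keyed by its onion address.
    service_key = rng.getrandbits(256).to_bytes(32, "big")   # constructed key material
    addr = onion_address(service_key)
    intro_points = rng.sample(RELAYS, 3)
    intro_circuits = {ip: circuit(rng, ip, 3) for ip in intro_points}
    dht[addr] = {"intro_points": intro_points, "pubkey": service_key.hex()}

    # Steps 3 and 4: client looks the address up, picks a rendezvous point, builds a
    # circuit ending there and leaves a cookie so the RP can match the two halves later.
    desc = dht[addr]                                   # lookup needs only the .onion name
    rp = rng.choice([r for r in RELAYS if r not in intro_points])
    client_circuit = circuit(rng, rp, 3)               # guard, middle, RP
    cookie = rng.getrandbits(160).to_bytes(20, "big").hex()
    relays[rp].seen.append((client_circuit[-2], "ESTABLISH_RENDEZVOUS"))
    relays[rp].cookies[cookie] = "waiting"

    # Step 5: INTRODUCE1 goes over a separate circuit to one introduction point,
    # which forwards it (INTRODUCE2) down the service's long-lived circuit.
    ip = rng.choice(desc["intro_points"])
    intro_circuit = circuit(rng, ip, 3)
    introduce = {"rendezvous_point": rp, "cookie": cookie}   # encrypted to the service key in Tor
    relays[ip].seen.append((intro_circuit[-2], "INTRODUCE1"))
    relays[intro_circuits[ip][-2]].seen.append((ip, "INTRODUCE2"))

    # Step 6: service builds its own circuit to the named RP and presents the cookie;
    # the RP splices the two circuits if the cookie matches one it is holding.
    service_circuit = circuit(rng, introduce["rendezvous_point"], 4)   # three relays + RP
    relays[rp].seen.append((service_circuit[-2], "RENDEZVOUS1"))
    joined = relays[rp].cookies.get(introduce["cookie"]) == "waiting"
    if joined:
        relays[rp].cookies[cookie] = "joined"

    return {
        "onion_address": addr,
        "client_circuit": client_circuit,
        "service_circuit": service_circuit,
        "rendezvous_point": rp,
        "joined": joined,
        "relays_in_path": len(set(client_circuit) | set(service_circuit)),
        "rp_observed": relays[rp].seen,              # previous hops only, never the endpoints
    }

if __name__ == "__main__":
    result = run_rendezvous(seed=7)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Look at `rp_observed` in the output: the rendezvous point handled both halves of the connection and matched them by cookie, yet the only names it logged are the middle relays immediately before it on each side. The descriptor the client fetched named introduction points and a key, never the service's address, and the service learned only a relay name and a cookie from the introduce message. `relays_in_path` can come out below six when the two sides happen to sample the same relay, because neither side knows the other's circuit; with twenty constructed relays that overlap is far likelier than on the real network.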

I feel like I should point out that TOR was developed by the military for espionage purposes. A significant number of the nodes are almost certainly still run by people with ties to military and intelligence. I would be very surprised if they were not able to unmask everything that went through the network. They’re not going to bust you for buying MDMA from Antwerp or whatever, because it only works as an espionage tool if there are non-spies using it, but just be safe and aware that there’s no such thing as an anonymous network.