Getting an Onion Name for Your SecureDrop

  1. What are onion names?
  2. How do onion names work?
  3. Will onion names continue to work years from now?
  4. How do I get an onion name?
  5. If I register an onion name, can I still use the full-length .onion address?
  6. How do I update the .onion address associated with an onion name?
  7. Would Freedom of the Press Foundation ever revoke my organization's onion name?
  8. How do I contact the SecureDrop team?

What are onion names?

Onion names are short, memorable addresses that visitors can use to access an onion service (e.g., a news organization's SecureDrop) using Tor Browser. Imagine a SecureDrop instance for a new organization called The New York World with a .onion address like this:

sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion

An onion name for this SecureDrop instance could be:

nyworld.securedrop.tor.onion

The general format for a SecureDrop onion name is:

<organization>.securedrop.tor.onion

Back to Top

How do onion names work?

Onion names are supported in the desktop version of Tor Browser (introduced in version 9.5). The mapping between onion names and the full-length .onion addresses is managed via the HTTPSEverywhere browser extension, using a custom, signed ruleset for SecureDrop instances maintained by Freedom of the Press Foundation. The ruleset is updated automatically by Tor Browser, and no information is sent to third party servers when contacting a SecureDrop using an onion name.

Onion names are currently not supported by the mobile version of Tor Browser, or by any other browser. (SecureDrop strongly recommends the use of the desktop version of Tor browser.)

Back to Top

Will onion names continue to work years from now?

The Tor project has committed to continued support of the onion name feature in some form. The underlying implementation and the address format may change in future iterations of this feature. To the extent that any changes are required, we will reach out to coordinate them with you.

Back to Top

How do I get an onion name?

Freedom of the Press Foundation maintains onion names for SecureDrop instances which:

We will generally approve onion names that meaningfully correspond to your name or that of your organization. Please note that, to disambiguate organizations in different countries with the same name, we may request the addition of a country code (e.g. "<organization>.<country code>.securedrop.tor.onion"). We will only add one onion name per SecureDrop instance.

If your SecureDrop instance is not part of the directory yet, you can submit an entry here. In order to be eligible for inclusion, your SecureDrop and its associated clearnet landing page must be set up consistent with the best practices recommended in our documentation.

If you are already part of the SecureDrop directory, you can contact us.

Back to Top

If I register an onion name, can I still use the full-length .onion address?

Yes. The onion name is only a human-friendly name for the full-length address. We recommend listing both on your landing page, to allow sources to compare them against your directory listing.

Back to Top

How do I update the .onion address associated with an onion name?

Contact the SecureDrop team. If you are planning to retire or update your .onion address for any reason, we recommend that you contact us ahead of time if possible, so we can schedule the update on the same day. In any event, we will attempt to respond to any update request within 2 business days.

Back to Top

Would Freedom of the Press Foundation ever revoke my organization's onion name?

Onion names are tied to inclusion in the SecureDrop Directory. We may remove SecureDrop instances from the directory at our discretion for reasons including but not limited to:

  • an instance is stuck on an old software version, and can no longer be considered secure;
  • an instance is unreachable for extended periods of time;
  • the configuration of an instance or the associated landing page differs substantially from our security recommendations in a manner that may put sources at risk.

Unless the removal is an emergency, we will attempt to offer a substantial grace period prior to the revocation of an onion name, to ensure you can inform your sources about the change to your .onion address.

Back to Top

How do I contact the SecureDrop team?

You can contact us:

  • Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
  • Via securedrop@freedom.press (GPG encrypted).

For questions that are not sensitive, you can also post to the public SecureDrop forum.

Back to Top