Journalists usually resort to cloud services to share sensitive files, which presents security risks especially in authoritarian countries. In this article, Reporters Without Borders (RSF) introduces OnionShare, an open-source tool journalists can use to share and receive files both anonymously and securely.
Sharing documents and files with colleagues or sources is part of the day-to-day job of a journalist. Typically, this is done using cloud services such as Dropbox, WeTransfer, Google Drive, or messaging apps like Signal, WhatsApp, and Telegram. However, managing and sharing sensitive files through cloud services poses a significant security risk, particularly when reporting in authoritarian countries. A compromised account, or credentials leaked, could lead to the journalists’ investigations and sources to be exposed, with potentially dire consequences. OnionShare, a free and open-source tool, offers a solution for sharing files anonymously and securely over the Tor network, without leaving any metadata or using third-party services.
Easy to use, more secure than the cloud
OnionShare uses the software Tor to make file sharing easy and secure for journalists. Available for both desktop and mobile platforms (iOS and Android), this service is very easy to use; to share a file, one just needs to drag and drop the file into the OnionShare platform. After the sharing process has started, users can copy and send their created onion address to colleagues over a secure messaging app. The receiver does not require OnionShare to access this address, just a browser capable of opening Tor onion services, like Tor Browser.
According to journalists’ technical skills, they can adjust the settings in OnionShare: making the address ephemeral or static, adding or removing extra passwords, and setting download limits.
Unlike cloud services, OnionShare does not upload files to the cloud, but rather facilitates the transfer from one’s computer to another computer over the Tor network. This transfer is completely end-to-end encrypted and it does not use Tor exit nodes. While there is no file size limit, transfers may be slow due to potential congestion on the Tor network or due to Tor protocol performance.
Powered by Tor onion services
Onion services are only accessed by programmes that can “speak” the Tor protocol, a technology built into Tor-powered apps, such as Tor Browser and OnionShare. An onion service address is distinguishable by its lengthy 56 random characters and its special domain “.onion” (example here). It is important to note that browsers and other programmes lacking Tor integration cannot open onion addresses.
Due to their secure implementation, onion services offer location hiding and user anonymity (users cannot discover where the service is hosted, and the service does not know who is visiting it because the user is also connecting over Tor); end-to-end encryption (the traffic between client and onion service is encrypted); and end-to-end authentication (each onion address is unique).
OnionShare’s benefits
- Anonymous dropbox: OnionShare can send files, but it can also receive them. The “Receiving” mode in OnionShare enables journalists to receive files anonymously. To use this feature, one simply needs to click on “Start Receiving” in OnionShare and share the onion address privately with a source, or publicly to receive anonymous tips. However, it is very important to be cautious with this mode, as OnionShare does not verify whether a file contains malware.
- Saving files remotely from high-risk areas. The “Receiving” mode can also be used by journalists when working in authoritarian regimes with the potential risk of having their devices seized. A journalist might set OnionShare to “Receiving” mode. This allows the journalist to upload the files, such as videos, audios and pictures, from the field device and transfer them back to a secure location such as their home computer, thus ensuring the safety and integrity of sensitive information.
- More than file sharing. With the release of version 2.3, OnionShare introduced more features like chat rooms, hosting a simple blog, and the simultaneous running of services, for example, the receiving and sharing of files.
OnionShare’s limitations
- Simultaneous connection. Both devices must be online at the same time for OnionShare transfers to successfully take place. If one of the devices is turned off or disconnected, the transfer will stop immediately, requiring the transfer to restart from the beginning. When conducting the transfer from a high-risk zone, the journalist must first leave their computer turned on or coordinate with a trusted colleague or friend to have theirs on.
- Potential leak of service address. Additionally, while OnionShare secures the file transfer process, it cannot prevent the accidental sharing or leaking of the OnionShare address, after which others could access the files. However, users can mitigate this by generating a new onion address if needed or just stop the transferring service.
- Beware of malware. The files transferred could contain malware, thus journalists should carefully use OnionShare and always ensure that they have up-to-date digital security tools on their devices, such as antivirus malware protections.
- Platform limitations. OnionShare addresses can only be opened on Tor-powered apps like Tor Browser, Onion Browser, and Brave, all of which must be installed beforehand. Tor Browser for Android is still unable to access OnionShare links with password protection. By default, OnionShare generates onion addresses with a random password as an extra protection, which is incorporated into the address itself. However, if access on mobile devices is required, this password can be disabled without losing its security properties.
- Detailed information. For more information about OnionShare limitations and security design, check out OnionShare user documentation.
