Protecting sources from harm should be the top priority of any newsroom. Whistleblowers risk identification when sending confidential files over mainstream email and messaging services. Although there are many secure file-sharing applications, they vary in cost and technical expertise.
OnionShare, a free file-sharing application, makes it easy to send and receive files without revealing your identity, with some caveats. It also allows you to set up private chat rooms and host websites on the Tor network. OnionShare is developed by Micah Lee — a co-founder of Freedom of the Press Foundation (FPF).
There are multiple reasons why security experts recommend OnionShare. First, it is easier for users to install. Although SecureDrop — the dedicated whistleblowing service from FPF — grants superior anonymity, it has file size limitations and is more difficult to run. OnionShare allows journalists to protect the identities of their sources without spending resources on IT infrastructure. You only need an internet connection and a laptop or phone.
But how does it protect transmitted files from being surveilled, or their source from being identified? OnionShare relies on the Tor network to obscure your connection. Before your computer connects to the destination website host, Tor encrypts and routes your traffic through several volunteer-run “relays” — or servers. The connection would appear as coming from a relay instead of your computer.
In most cases, an observer would not be able to identify an individual from thousands of other Tor users. This is called network anonymity. Additionally, this is done without storing your files in third-party data centers; your device directly connects to the other person’s device. This is an advantage for journalists with high-risk sources.
Furthermore, OnionShare is an open source project, allowing its code to be publicly viewable. Security researchers can examine it for potential vulnerabilities and suggest patches. This boosts the trustworthiness of OnionShare, making it an excellent option for your file-sharing needs.
You can use OnionShare on devices running Windows, macOS, Linux, Android, and iOS. Tor Browser is recommended to visit links created by OnionShare.
We are showcasing the macOS version for this guide; however, it is applicable to the Windows and Linux versions.
To start, navigate to the official OnionShare website and download the installer.
After installing the application, you should see the screen below. Enable “Auto-connect to Tor” and then click “Connect to Tor.” If Tor is blocked by your network or country, read this section in the OnionShare documentation.
After connecting to Tor, you should see the main OnionShare page. Here you can send and receive files, organize a chat room, and even host an anonymous website on the Tor network. These websites would end in “.onion” and are only accessible through the Tor Browser.
On OnionShare, you can send files and folders on your device. This takes the form of a downloadable file that is shared with a .onion link and private key — a cryptographic key similar to a password — automatically generated by OnionShare. As long as your computer stays online and runs this service, the files will remain available for download.
To send files, click on “Start Sharing.” You will be prompted to upload your files or folders.
After doing so, you will see a menu containing your uploaded files and a list of options.
Here, you can schedule the file-sharing service, make the link public, write a custom title, and set the link to self-destruct after being sent. We are using the default options for this example.
To generate a sharable link and private key, click on “Start Sharing.”
Now, send this .onion link or QR code to your intended recipient, along with the private key. We recommend doing this over an end-to-end-encrypted service such as Signal. After visiting this link, the recipient must type in the private key to access the files.
If successful, the recipient can now download your files!
OnionShare can also transform a computer into a dropbox, where someone can upload files without repeatedly sending OnionShare links.
For this, go to the main menu. Click on “Start Receiving.”
You should see the screen below, containing a list of options. OnionShare warns you against opening unknown files as they may contain malware. For most people, enabling a private session minimizes such risk since it requires a private key.
Click on “Start Receive Mode.”
After sending the private key and OnionShare address to the recipient, tell them to visit this website. They can upload their files or write a message there. Note that folders cannot be uploaded into a dropbox.
Circling back to your screen, you should see an arrow on the upper right corner of the window. Click on that to expand the sidebar.
Select “Read Message” to find your message. Click on the folder icon beside the uploaded file to download it.
Congratulations, you have just created your first private dropbox!
OnionShare is a powerful tool for anonymous file sharing. However, you should consider these limitations before adopting it.
Not all OnionShare versions have the same features, especially since the iOS and Android applications can only send files rather than receive them. Furthermore, some desktop versions have not been updated to include newer features. Tails, a privacy-oriented Linux distribution that includes OnionShare by default, does not yet support chat room and website hosting.
Transferring large files over the Tor network can also be very slow. This is because Tor routes your connection through a circuit consisting of several relays. Every file shared has to be routed through several servers across the globe, which is a long way for it to travel. If just one of them is taken offline briefly, your computer could disconnect from OnionShare.
Since large files take longer to download or upload, your connection has a higher chance of being interrupted if the same circuit is used for a prolonged time. Instead of sending large files in a single OnionShare session, think about compressing them into an archive or zip file. You could also separate your files and send them in different sessions.
Finally, be careful when receiving files over OnionShare. Certain file types, like those ending in .exe and .pdf, are especially common file types for delivering malware. You can lower this risk by using a separate, stand-alone laptop as your dropbox. Consider using Dangerzone to convert potentially dangerous PDFs into safe files.
If you would like to learn more about other file-sharing methods, contact us for our training options.