Attention! The v2 onion services in Tor browser will become inactive soon.

Attention, Tor users! On October 15th, 2021, this browser will deactivate its onion service v2. After this deadline, all v2 onion addresses will become invalid. The new v3 standard will be introduced to ensure better security. Read this article till the end to get to know about the reasons and the potential consequences of the changes.

A Brief Background

In July 2020, the Tor Project shared a timeline for the deprecation of Tor V2 Onion support and services (The Onion Router Version 3 services). The team behind the browser did so in order to integrate the more secure Version 3 or V3 of the onion services. Back then, the developers announced that the V2 services (that is, Tor’s brief encrypted services), will no longer be functional by the 16th of October 2021.

The subscribers of the Tor mailing list received a statement from David Goulet, one of the developers. David reminded them of the fact that the onion service v2 used RSA1024 and 80 bit SHA1 (truncated) addresses. Plus, it relied on the TAP handshake which had been entirely removed from the browser for many years — except v2 services. The outdated TAP handshake made Tor prone to enumeration and location-prediction attacks due to its simplistic directory system. HSDir relays could get enough power to enumerate or even block v2 services. As David said, v2 services will not be developed nor maintained anymore to address the most severe Tor security issues.

What to Do and What to Beware of

The essence of the innovation consists in the following: the v3 standard will replace SHA1/DH/RSA1024 with SHA3/ed25519/curve25519, providing better cryptographic algorithms.

Tor users will need to make sure that they use v3 onion addresses for all the sites that they visit. You’ll effortlessly spot the difference even if you lack profound technical knowledge. The new v3 onion domains will have 56 characters while their outdated v2 counterparts consist of only 16.

Most likely, hackers will try to fool users by creating phishing links for new domains. For this reason, you should get the new v3 addresses for the sites that you use only from trusted sources – preferably, directly from the administrations of these sites.

To stay up to date with the news, keep checking the official blog of the Tor project and their mailing list. Don’t wait until the deadline! Feel free to start using the v3 addresses right now!