What is v3 onion?

tl;dr – v3 = stronger crypto. It is harder to generate lookalike URLs, which helps stop phishing. No one will ever find or sniff/snoop out your v3 address unless you tell them or post it somewhere.


v2 onion services

They will always be 16 characters long. Each character has 32 possible values. Therefore, there are 32^16 == 1,208,925,819,614,629,174,706,176 unique v2 onion addresses.

Example = facebookcorewwwi.onion

  • the address is “the first 80 bits of the SHA-1 of the 1024-bit RSA key”

v3 onion services

They will always be 56 characters long. A v3 address will always end in a d due to the way v3 onion service names are encoded.

Example = vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion

Some reasons for the update to move from v2 onions:

  • The cryptographic building blocks use updated or more secure signature algorithms and hashing methods. For instance, the older SHA1/DH/RSA1024 were replaced with SHA3/ed25519/curve25519.

  • The directory protocol has been improved and now leaks less metadata to directory servers. This is, in part, to avoid attacks where a hidden service can be censored easily based on the descriptor. To prevent predictability, Tor uses different pseudo-random variables: time period, public keys, shared random values, etc.

  • “Better onion address security against impersonation; more extensible introduction/rendezvous protocol; and a cleaner and more modular codebase.”