Improving the Performance and Security of Tor's Onion Services

Authors: Arushi Arora (Purdue University), Christina Garman (Purdue University)

Volume: 2025
Issue: 1
Pages: 531–552
DOI: https://doi.org/10.56553/popets-2025-0029

Abstract: Tor is one of the most widely used anonymous communication networks today. A popular feature of Tor is its onion services, anonymous network services that can only be accessed via the Tor network. This enables users to both host and access such services anonymously, protecting onion services from censorship and take-down. According to Tor Metrics, over 150,000 onion services collectively serve traffic at a rate of nearly 4 Gbps, with applications ranging from news services to chat to whistleblowing. Unfortunately, onion services also suffer from a variety of performance and security concerns. Latency can be extremely high, and many services face denial of service and deanonymization attacks due to the content and types of services that they host. In this work we seek to help address these concerns without making any changes to Tor, thus making our improvements immediately useful and deployable. To do this, we leverage a recent advance in programmable anonymity networks, which allows one to deploy user-written functions on willing Tor relays. We use this architecture to design the first Content Delivery Network (CDN) for onion services, which we call CenTor. CenTor allows onion services to take advantage of many traditional CDN benefits, such as replication and load balancing and bringing content (geographically) closer to the client. These techniques and applications raise an interesting trade-off between performance and anonymity for users, which we rigorously explore and quantify. We implement, deploy, and evaluate our architecture on the Tor network, demonstrating how these techniques are immediately able to extend and improve the capabilities, performance, and defenses of onion services, without any changes to the Tor protocol.

Keywords: Tor, Onion Services, CDN

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.