Setting Up Anonymous .onion Sites for Journalism and Source Protection

The strategic case for journalism onion sites goes beyond technical privacy protection. An onion address explicitly signals to potential sources that contacting the organization through this channel is safer than clearnet email or web forms. Sources in authoritarian environments who need to contact journalists face surveillance at both ends: their traffic to the clearnet site and the journalist's traffic patterns around their inbox. Onion service contact removes both surveillance surfaces simultaneously.

Readers in countries that block independent journalism access censored news through Tor. Without an onion address, Tor users must route through exit nodes to access the clearnet site, which exposes the request to exit node monitoring. A direct .onion address eliminates exit node exposure entirely and provides faster connections by removing the clearnet routing step.

Major news organizations that currently operate onion sites include the New York Times (nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion), the BBC (bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6aucdccrad.onion), and ProPublica (p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqg2te7ycbexnxid.onion). These deployments demonstrate the technical feasibility and strategic value for any serious journalism organization.

The typical journalism onion architecture mirrors the clearnet site through a reverse proxy. The .onion address points to the same content management system that powers the clearnet site, eliminating the need to maintain a separate content pipeline. A reverse proxy server (nginx, Caddy, or HAProxy) intercepts the hidden service connection and forwards it to the CMS backend.

URL rewriting is essential. Internal links, embedded resources, and canonical tags in the clearnet site typically reference the clearnet domain. When served through the onion address, these references cause Tor Browser to make clearnet requests that exit through Tor's exit nodes, partially defeating the purpose of the onion site. The reverse proxy must rewrite all internal URLs from the clearnet domain to the onion domain on the fly.

The Onion-Location HTTP header advertises the onion address to Tor Browser automatically. When a Tor Browser user visits the clearnet site, the browser detects this header and offers to upgrade to the onion version. This seamlessly converts clearnet visitors who are already using Tor to the more secure onion channel without requiring them to know the address in advance.

Journalists and editors should be able to publish content to the onion site through the same workflow as the clearnet site. If the onion site is a proxy for the same CMS, this happens automatically. If the onion site runs a separate system, establish a content synchronization process to prevent drift between the two versions.

Embargo and timed publication features need careful review. If the CMS publishes at a specified time, verify that the onion proxy respects this timing and does not expose pre-published content before the embargo lifts. Test embargo handling explicitly in a staging environment before publishing high-profile investigations.

Monitor the onion site separately from the clearnet site in your uptime tracking. A clearnet site can be healthy while the hidden service configuration has a problem. Include the onion address in your regular synthetic monitoring checks using Tor Browser automation in a controlled test environment.

A source contact form on the onion site is the highest-value feature for investigative journalism organizations. Sources can submit tips, documents, and messages without clearnet exposure. The technical requirements go beyond a simple contact form: all submissions must be encrypted end-to-end so even a server compromise does not expose source content.

SecureDrop is the most robust solution but has significant operational overhead. A lighter alternative is a signal-based contact system where sources are instructed to create a throwaway Signal account and contact a published journalist Signal handle, all within a Tor session. This approach requires less infrastructure than SecureDrop but provides weaker metadata protection because Signal requires a phone number for account registration.

For organizations not ready for full SecureDrop deployment, a GPG-encrypted email form hosted on the onion site provides reasonable protection. Source documents are encrypted to the journalist's public GPG key before transmission, so even if the server is compromised, the documents remain encrypted. Publish the GPG public key prominently on the onion site and include fingerprint verification instructions.