Complete Anonymous Communications Stack on Tor Hidden Services
Organizations with high security requirements - investigative newsrooms, legal defense organizations, human rights groups, and privacy-focused businesses - need more than a single anonymous communications tool. They need an integrated stack: file sharing, messaging, voice communication, and document submission, all isolated from each other and from the clearnet. Building this stack on Tor hidden services provides defense-in-depth where each component protects the others and no single point of failure exposes the organization's identity or operational security. This guide covers the architectural design of a complete secure communications infrastructure: selecting components for each communication need, isolating services to minimize attack surface, establishing secure operational procedures, and maintaining the stack over time without security drift.
Stack Architecture: Separating Concerns Across Tor Services
A complete secure communications infrastructure should separate each service into distinct Tor hidden services - each with its own .onion address, key pair, and resource limits. This isolation means a compromise of one service (e.g., the file sharing system) does not automatically expose others (e.g., the messaging system). Recommended service separation: (1) Anonymous document submission (SecureDrop or custom) on its own .onion with dedicated resources, (2) Real-time messaging (Prosody XMPP or Matrix Synapse) on a separate .onion, (3) File sharing (OnionShare-compatible server or Nextcloud .onion) on a third .onion, (4) Voice/video (Jitsi Meet or Mumble) on a fourth .onion. Each service runs in its own Docker network. Cross-service communication uses authenticated APIs over the internal network, never through the Tor circuit.
SecureDrop-Compatible Anonymous Submission Systems
SecureDrop is the gold standard for secure anonymous document submission, used by over 80 major news organizations. It consists of two physically separate systems: the Source Server (accessible to anonymous submitters via Tor Browser) and the Journalist Workstation (air-gapped, running Tails OS). The Source Server runs as a Tor hidden service where sources upload documents and receive replies without revealing their identity. For organizations that cannot deploy full SecureDrop infrastructure, simplified alternatives include: GlobaLeaks (lighter SecureDrop alternative, single server deployment), custom OnionShare-based submission flows, and encrypted email to a PGP key published on a .onion. The key requirements for any submission system are: no IP logging, no JavaScript fingerprinting, document metadata stripping, and an air-gapped journalist interface.
Anonymous VoIP and Voice Communication Over Tor
Voice over Tor is technically challenging due to Tor's TCP-only architecture and latency characteristics. Mumble (a low-latency voice chat application) can be deployed as a Tor hidden service for persistent voice channels. Mumble uses a client-server model where the server handles mixing and relay; over Tor, latency is typically 200-500ms, which is acceptable for voice but not ideal. Configure the Mumble server (murmur) to listen only on localhost, with Tor mapping port 64738. Clients configure Mumble to connect through a SOCKS5 proxy. For high-security voice calls, consider Briar (P2P over Tor) or Cwtch (P2P, group messaging, designed for Tor). Matrix with Jitsi integration can provide WebRTC voice over Tor but with higher latency. For critical calls, an encrypted phone using Signal (accepting its phone number requirement) or Briar remains a practical choice.
Encrypted File Sharing and Document Collaboration
OnionShare (versions 2.5+) supports persistent anonymous file hosting and receive modes. In server mode, OnionShare creates a .onion address for file download or upload and runs until stopped. For persistent document collaboration, Nextcloud deployed as a .onion hidden service provides a full document editing, sharing, and collaboration platform. Configure Nextcloud to listen on 127.0.0.1:8080, map through Tor to port 80 on the .onion, and disable all external integration features (maps, preview generation using external services, etc.) that could leak the server's identity. CryptPad (an end-to-end encrypted collaborative editor) is another option requiring less server configuration than Nextcloud. For ephemeral, self-destructing document sharing, deploy PrivateBin configured as a zero-knowledge paste service on a .onion.
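An added example, not from the original guide or the Tor Project: a Python audit of a torrc against the separation described above, checking that each HiddenServiceDir fronts a single backend and that every HiddenServicePort target stays on loopback, as the Mumble and Nextcloud settings require. The directory names and ports 8081 and 5222 in the sample are constructed assumptions.

```python
import ipaddress

# Constructed sample torrc: directory names and ports 8081/5222 are assumptions.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/files/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/voice/
HiddenServicePort 64738 127.0.0.1:64738
HiddenServicePort 80 127.0.0.1:8081   # second backend behind the same key
HiddenServiceDir /var/lib/tor/chat/
HiddenServicePort 5222 0.0.0.0:5222   # not loopback
"""

def parse_services(text):
    """Return [(hidden_service_dir, [(virtual_port, target), ...]), ...]."""
    services = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()          # torrc option names are case-insensitive
        if key == "hiddenservicedir":
            services.append((parts[1].rstrip("/"), []))
        elif key == "hiddenserviceport" and services:
            # Tor forwards to 127.0.0.1:VIRTPORT when no target is given
            target = parts[2] if len(parts) > 2 else f"127.0.0.1:{parts[1]}"
            services[-1][1].append((int(parts[1]), target))
    return services

def target_is_local(target):
    """True for unix sockets, bare ports and loopback IP addresses."""
    if target.startswith("unix:") or target.isdigit():
        return True
    try:
        host = target[1:target.index("]")] if target.startswith("[") else target.split(":")[0]
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(text):
    """Return findings for targets and key sharing that weaken isolation."""
    findings = []
    for hs_dir, ports in parse_services(text):
        backends = {target for _, target in ports}
        if len(backends) > 1:
            findings.append(f"{hs_dir}: {len(backends)} backends share one .onion key")
        for virt, target in ports:
            if not target_is_local(target):
                findings.append(f"{hs_dir}: port {virt} forwards to non-loopback {target}")
    return findings
```

Pass the contents of the deployed torrc to `audit()`; an empty list means every service has its own key directory and a loopback-only backend.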
Operational Security for Communications Infrastructure
The technical stack is only as secure as its operational procedures. Critical operational rules: (1) Access admin interfaces only from Tor Browser or a Tails OS session, never from a browser with cookies that could leak identity. (2) Use separate accounts for administration and regular use, and keep admin keys and credentials on hardware security keys (YubiKey). (3) Deploy configuration management (Ansible) and test changes in a staging environment before applying them to production. (4) Monitor for unexpected outbound connections from each service container; the only expected connections are to Tor's SOCKS port. (5) Establish an incident response procedure: what to do if one service appears compromised (isolate, preserve logs, assess blast radius, rebuild from clean backups). (6) Rotate .onion addresses annually or when staff with knowledge of the addresses depart. Inform trusted parties of new addresses through authenticated channels.
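An added example for rule (4), not part of the original guide: Python detection logic that reads a container's `/proc/net/tcp` table and reports outbound connections to anything other than Tor's SOCKS port. The allow-listed endpoint 127.0.0.1:9050 (Tor's default SocksPort) and the sample rows are assumptions constructed for illustration.

```python
import socket
import struct

LISTEN = 0x0A  # TCP state code for a listening socket in /proc/net/tcp
# Assumption: Tor's SOCKS listener is reachable at 127.0.0.1:9050.
ALLOWED = {("127.0.0.1", 9050)}

# Constructed sample in /proc/net/tcp layout, trimmed to the first four columns.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 0100007F:1F90 00000000:0000 0A
   1: 0100007F:1F90 0100007F:C738 01
   2: 0100007F:9C40 0100007F:235A 01
   3: 020012AC:9C42 077100CB:01BB 02
"""

def decode(endpoint):
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080).

    Assumes a little-endian host, where the IPv4 address is byte-swapped hex.
    """
    addr_hex, port_hex = endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)

def parse(table):
    """Yield (local, remote, state) for each socket row, skipping the header."""
    for line in table.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            yield decode(fields[1]), decode(fields[2]), int(fields[3], 16)

def unexpected_outbound(table, allowed=ALLOWED):
    """Return remote endpoints of outbound connections that are not allow-listed."""
    rows = list(parse(table))
    listening = {local[1] for local, _, state in rows if state == LISTEN}
    alerts = []
    for local, remote, state in rows:
        if state == LISTEN or local[1] in listening:
            continue  # a listener, or an inbound connection on a listening port
        if remote not in allowed:
            alerts.append(remote)
    return alerts
```

Feed it the table read inside each service container's network namespace; IPv6 sockets live in `/proc/net/tcp6`, which this sketch does not parse.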