Sharing files can be a hassle. Even when in the same room as the person you want to share files with, the easiest option is often to share them with a USB stick.
But when you’re hundreds or thousands of miles away from each other, a USB stick is not always a viable option. Services like Dropbox and Google Drive have made file sharing between individuals easier, but they are also hugely invasive and require a large amount of trust in the provider.
[Get more privacy tips. Subscribe to the ExpressVPN Blog Newsletter.]
Can you trust the big file-share services?
When handing your files to a third party, you allow them to see the contents of your files and give them knowledge about who you share these files with. Additionally, there is no guarantee that the files are deleted when the user requests them to be deleted. The files might remain accessible to the operators of the site and an unknown number of governments or hackers.
Other alternatives don’t fare well either. FTP servers are hard to set up in an anonymous way, especially if a specific server is repeatedly used. They also cost money. Emails are an option, but an anonymous email provider can be difficult to come by and might also cost quite a bit of money. Sharing files through messenger apps has become more feasible, but when you need to protect your own identity, or that of your contact, they are an absolute no-go.
Luckily, there is a free and easy-to-use tool you can use to securely and anonymously share files with others—as long as you are all online at the same time. OnionShare makes use of the Tor network and its hidden services, and allows you to both receive and send files. OnionShare can also be run on a server and act as a kind of anonymous drop box.
In fact, the ExpressVPN Digital Security Lab has launched a secure info drop using OnionShare, enabling anyone to provide tips on privacy and security issues that we might pursue as investigations.
OnionShare protects your sources
As all connections are made through the Tor network, it is possible to use OnionShare in a way that protects both your identity and that of your contacts. Neither party should be able to find out where the other party is located, or what their IP address is.
In practice of course this also depends heavily on how you and your source communicate with each other outside of OnionShare—such as how you share the onion URLs.
“OnionShare works entirely using Tor onion services, which protects the person using OnionShare (there’s no way to tell the IP address of the onion site) as well as the people who connect to it with Tor Browser,” Lee told ExpressVPN. “Because OnionShare is built on top of onion services, it gets all of the anonymity and end-to-end encryption that’s guaranteed by Tor.”
Of course, this doesn’t apply to actually sending the OnionShare link, Lee warns. “If a source sends a journalist an OnionShare link in a Facebook message, for example, they won’t be all that anonymous. But if they send a journalist a link using a disposable email service, they will.”
How to run OnionShare
You can download OnionShare from its website. It is available for Mac, Windows, and Linux. Simply install it like any other program.
When opening OnionShare, you will be asked about how to connect to the Tor network. We recommend to go with the default option and use the built-in mechanism.
Using tabs, you’ll be able to share different files with different people, or host multiple websites.
Only one party will need to run OnionShare. Everyone else will only need to run the Tor browser to send, receive, chat or browse.
How to use OnionShare
Share files on OnionShare
To share files, click on “Share Files” and drop the files you want to share into the window. You can also select them from your computer using the “Add” button. You are also given a few options:
- Stop sharing files after they are sent. This allows you to make sure you share files only with one person. If your files are not receivable by the other party with this setting, that might be an indication somebody is eavesdropping on your communications.
- Save this tab. When closing and re-opening OnionShare, the same files will be available via the same URL. This can be handy when making information accessible to a large group of people, and you don’t want to risk having to re-share the URL if you have to reboot your computer.
- Don’t use a password. When selecting this, anybody with the link will be able to retrieve the files you share.
- Advanced settings. Using these settings, you can also schedule when to start or stop sharing or use a (shorter and less secure) Version 2 onion address.
To start sharing, click “Start sharing” and wait for the onion URL to appear. You can now send this URL (including the password) to your contact or audience. They will be able to view this URL with the Tor browser and retrieve the files. You can stop sharing anytime by clicking the “Stop sharing” button.
Receive files on OnionShare
To receive files, select the option in a new tab or at startup. You will be asked to select a directory where the files you receive will be saved. There are other options, too, similar to those above.
Once you select “Start Receive,” you will be given another onion URL. You can share it with your contact and the world, but be careful to only open files from people who you trust directly on your computer. All other files are best opened in a virtual machine or something like TAILS.
Anybody with access to the onion link and password will be able to now send files to you using the Tor browser. You can try it out by opening the site in the Tor browser yourself first.
Host a website on OnionShare
Using OnionShare we can very easily host a simple website in the Tor network. All we need is a simple website, or even just the index.html file. Getting started with a simple Jekyll site, for example by cloning one of the many showcases, can be fun!
Chat anonymously on OnionShare
To start chatting, open a new tab and select the chatting option. Once you start the chat server, an onion address will be given to you that you can share with whoever you want to chat with.