Onion-Location makes it easy for websites offering onion service access to support automatic discovery in Tor Browser of the random-looking onion address associated with their domain. We provide the first measurement study of how many websites are currently using Onion-Location. We also describe the open-source tools we created to conduct the study. Onion-Location has been criticized elsewhere for its lack of transparency and vulnerability to blocking. Perhaps even more troubling, we show that Onion-Location is vulnerable to very accurate fingerprinting. We present recommended changes to and alternatives to Onion-Location as well as steps towards even more secure onion discovery and association.
@article{onionloc-popets2025,
title = {Onion-Location Measurements and Fingerprinting},
author = {Syverson, Paul and Dahlberg, Rasmus and Pulls, Tobias and Jansen, Rob},
journal = {Proceedings on Privacy Enhancing Technologies},
volume = {2025},
number = {2},
year = {2025},
doi = {10.56553/popets-2025-0074},
}