I have set up and configured Tor on my build server to make this site accessible as a hidden service on the Tor network. You can click here or copy the onion address below:

http://mzk7lh6e3lv27fglrip77lwtvwtglwvdkgfypsgq6ylhlnlzk7qafjad.onion/blog/

If you’re using the Tor Browser, all the pages have the http-equiv="Onion-Location" meta tag which should get picked up and prompt you to switch to the onion site. I’ve also added a link in the footer of every page.
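A way to check that a page's Onion-Location meta tag points at a well-formed v3 onion address, as an added example that is not code from this site. The function names, the dummy key and the sample HTML are constructed for illustration; the checksum rule is the one defined for v3 onion addresses.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

class OnionLocationParser(HTMLParser):
    """Collects the content of every <meta http-equiv="Onion-Location"> tag."""

    def __init__(self):
        super().__init__()
        self.locations = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "onion-location":
            self.locations.append(a.get("content") or "")

def onion_checksum(pubkey: bytes) -> bytes:
    # First 2 bytes of SHA3-256(".onion checksum" || pubkey || version 0x03)
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]

def encode_v3_onion(pubkey: bytes) -> str:
    raw = pubkey + onion_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def is_valid_v3_onion(host: str) -> bool:
    parts = host.lower().split(".")  # subdomains are allowed in front of the address
    if len(parts) < 2 or parts[-1] != "onion" or len(parts[-2]) != 56:
        return False
    try:
        raw = base64.b32decode(parts[-2].upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    return raw[34:] == b"\x03" and raw[32:34] == onion_checksum(raw[:32])

def check_onion_location(html: str) -> list:
    """Return (url, ok) for each Onion-Location meta tag found in the page."""
    parser = OnionLocationParser()
    parser.feed(html)
    return [(u, urlsplit(u).scheme in ("http", "https")
             and is_valid_v3_onion(urlsplit(u).hostname or ""))
            for u in parser.locations]

# Constructed sample: address derived from a dummy 32-byte key, not a real service.
SAMPLE_HOST = encode_v3_onion(bytes(range(32)))
SAMPLE_HTML = f'<meta http-equiv="Onion-Location" content="http://{SAMPLE_HOST}/blog/">'

if __name__ == "__main__":
    for url, ok in check_onion_location(SAMPLE_HTML):
        print("OK " if ok else "BAD", url)
```

A mistyped address fails the checksum, so running this over generated pages catches a broken tag before it is published.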


Running a hidden service is the sort of thing I’d thought of doing with my build server last year, but never got round to it because networking is complicated, and I’m probably out of my depth when it comes to cryptography. I understand the outline of how the Tor network operates, I just don’t know how it actually works in detail. Setting up an onion site does seem straightforward, although when things just… don’t work, it’s not easy to troubleshoot and there’s not a huge amount of helpful documentation out there.[1]

There are some big privacy advantages to using the hidden service. Even without actively tracking visitors, I learn a lot about my audience from the server logs. If I was totally committed to (your) privacy I wouldn’t look at the logs, but the information is just there, of course I’m curious.

If you load this site over Tor, I can’t know anything about you. I can’t find out your IP address, or guess your location from nearest CDN server, I can’t fingerprint your browser, it’s all anonymous.[2] Even better, nobody else snooping on your connection can identify you either. As it should be.

Unless you’re personally being targeted by the US state security agencies (unlikely), the main threat to privacy I see is everyday corporate surveillance. If you want to opt out of being passively tracked and watched online, you should use Tor.

The distributed web

I also had a go at running an IPFS node here, and the IPNS hash is:

k51qzi5uqu5dkj9lp3df33lkngkpl0tch7j9zvwukrf609uw7hdxpeull216fh

It works, in a very wobbly kind of way. All the links on this site are still absolute and they work if you’re viewing the site from a local cache, but not through a gateway.

Something was evidently hammering the server last night, the CPU was sitting at 80-90% usage for several hours. It definitely seems intensive processor use is an issue. For now I’m treating it all as very experimental, it’s not fast, it’s not super convenient, and I’m not sure my node is still online.

Still, I see this as much closer to the radical vision of the internet, a real peer-to-peer network, breaking out of the client-server model. Everyone on the network both downloading and uploading files, everyone participating in the swarm.

Along those principles I am keen to try out Geminispace. I’m all behind the idea of a simpler internet; no web apps, no advertising, just text. Every web page is a document; the internet is a library.

Why not

Setting up a site on the dark web sounds a little scary, although there’s nothing actually wrong with encouraging a diversity of protocols and networks. When you think of networks with built-in anonymity (Tor), or resistance to censorship (IPFS), your mind probably jumps to noble dissidents against the state. It’s cool that the Catalan government was able to use IPFS to stage an illegal election. I’m glad that things like WikiLeaks can dodge the efforts to shut them down. These are good things!

On the other hand, Alessandro Segala put into question whether you really want the decentralised web to be a huge success. If we encourage a more ‘free’ internet, are we just creating an opportunity for organised crime, suicide cults, porn, nazis, and other morally murky stuff?

One answer is to reframe the freedom of speech issue as freedom to listen. You have the freedom to ignore all the things you don’t want to see online. For example, it’s pretty reasonable that people want to block out abuse or harassment, and the big social media silos have a bad track record of dealing with the worst tendencies. Facebook won’t deal with the nazis on their site, but that doesn’t mean you have to put up with it.

  1. In my case I was missing the SocksPort: auto setting in torrc. If you’re having problems, check this! 

  2. One simple trick to ensure full GDPR compliance, just don’t collect any personal data.