All Tor hidden services (any website that's accessed through a .onion
domain) are automatically end-to-end encrypted.

In the case of OnionShare, the crypto key lives in
/tmp/onionshare_XXX/private_key. The .onion URL address itself is a
fingerprint of the key, which lets the Tor network look up the public
key and start an encrypted session.

So as long as you transmit the OnionShare URL successfully, the
recipient who loads it in Tor Browser gets an end-to-end encrypted
session with the server.

Using HTTPS on top of this could be an option too actually, but the
certificates would all have to be self-signed so users would have to
click through the error. And the encryption would be redundant (though
not necessarily a bad idea -- defense in depth, in case Tor gets badly
broken in ways we can't foresee or something).

-- 
Micah Lee

