Background: V2 vs V3 Onion Addresses
For most of its history, the Tor network supported "V2" hidden services — .onion addresses that were 16 characters long (10 bytes, base32 encoded). While functional, V2 addresses had well-documented security limitations: they used 1024-bit RSA keys, were generated by brute-force, and were vulnerable to enumeration attacks that allowed adversaries to discover hidden services without ever connecting to them.
V3 onion addresses, introduced in Tor 0.3.2 (2017) and made the default in Tor 0.4.x, address all of these problems simultaneously. V3 addresses are 56 characters long, use ed25519 elliptic-curve cryptography providing 256-bit security, and are self-authenticating — the address itself is derived from the public key, making address forgery cryptographically impossible.
What the TorZon V3 Migration Delivers
The migration to V3 .onion addresses provides TorZon users with several concrete security improvements. First, the substantially stronger cryptographic foundation (256-bit vs 80-bit effective security) makes brute-force attacks against the hidden service identity computationally infeasible with current technology. Second, the self-authenticating nature of V3 addresses means that a valid V3 address cannot be spoofed — connecting to the correct address guarantees you are connecting to the genuine service.
Third, V3 addresses resist the enumeration attacks that troubled V2 services. These attacks, which were documented by researchers and reportedly used by law enforcement, allowed adversaries to discover .onion addresses without ever connecting to them. V3's new introduction protocol prevents this class of attack entirely.
How to Update Your Access
If you were previously using V2 TorZon addresses (16-character), these are no longer functional as Tor has deprecated V2 support entirely since October 2021. All current TorZon access requires the verified V3 addresses published on our access page. The V3 addresses are 56 characters long and should be carefully bookmarked after verification.
TorZon currently operates three V3 mirrors to provide redundancy against DDoS attacks. The mirrors serve identical content — if one is unreachable, the others remain accessible. All three addresses are signed by the official TorZon PGP key, which is published on the access page for verification.
OPSEC Implications
The move to V3 onion addresses does not change the fundamental OPSEC requirements for TorZon users. You still need Tor Browser from torproject.org, should consider Tails OS for maximum anonymity, must use XMR or properly anonymised BTC for transactions, and should enable PGP 2FA on your account. However, the stronger cryptographic foundation does meaningfully reduce certain categories of network-level risk.
One practical note: because V3 addresses are longer (56 characters vs 16), the importance of bookmarking rather than manually typing is higher. A single character error in a V3 address will simply fail to connect — it cannot accidentally connect to a different hidden service. But phishing addresses are still a concern, which is why bookmarking from a verified source remains essential.