Building a Serverless Darknet Mesh with Tor Gossip

Earlier I released tor_hidden_service, giving Flutter developers the power to host .onion sites directly from Android devices. That was step one: Existence.

But existence is lonely if you can't communicate.

Today, we are dropping the second piece of the puzzle: tor_gossip. This is a pure Dart library that implements an epidemic gossip protocol over the Tor network. It allows you to build chat apps, social networks, or data sync tools that have no central server, no master node, and no single point of failure.

Get the code: 👉 https://github.com/SarahRoseLives/tor_gossip

The Problem: The "Hub and Spoke" Weakness

Most "secure" messengers (Signal, Telegram, WhatsApp) still rely on a central server to route messages. If that server goes down, or if the company decides to ban your IP, the conversation is over.

We wanted a system where every phone is a node. If Alice wants to talk to the network, she doesn't tell a server; she tells a random subset of peers, who tell their peers, until the message infects the entire network.

Introducing Tor Gossip

tor_gossip is a layer that sits on top of your Tor connection. It handles the complexity of peer discovery, cryptography, and message propagation.

Here is how the architecture looks under the hood:

  1. Transport: Uses tor_hidden_service to create an ephemeral .onion address.
  2. Server: Spins up a local shelf HTTP server (bound to 0.0.0.0) to receive incoming whispers.
  3. Logic: Manages a "Known Peers" list and handles the random fanout of messages.

The "Gossip" Algorithm

When you publish a message, the library doesn't broadcast it to everyone (which would be slow and obvious). Instead, it picks a random subset of peers (default is 3) and pushes the message to them.

Those peers receive the message, check their DedupManager (Deduplication Manager) to ensure they haven't seen it before, and then repeat the process. This ensures messages propagate exponentially fast across the network without flooding it.

Security: Trust No One

In a decentralized network, how do you know a message actually came from Alice and wasn't forged by a malicious relay?

We built a robust CryptoManager into the core. Every message is wrapped in a GossipEnvelope.

class GossipEnvelope {
  final String id;        // UUID v4
  final String origin;    // The sender's .onion address
  final String payload;   // The actual content
  final String senderPub; // Ed25519 Public Key
  final String signature; // Ed25519 Signature
}

Before the node even passes the message to your UI, it performs a cryptographic verification. If the signature doesn't match the payload and the public key, the message is dropped immediately.

Building a Darknet Chat App in 3 Steps

The beauty of this library is the abstraction. You don't need to know how Tor circuits work to use it.

1. Start the Node

This boots up the Tor binary, generates your keys, and starts the HTTP listener.

final node = TorGossipNode();
await node.start();
print("I am listening at: ${node.onionAddress}");

2. Connect to a Peer

You need at least one entry point into the network. In the example app provided in the repo, we use QR codes to scan a friend's onion address physically—the ultimate secure handshake.

// Connects to a peer and sends a handshake
await node.pingPeer('http://k7s5...xyz.onion');

3. Shout into the Void

Send a message. The node handles the signing and the network propagation.

await node.publish('general', 'The eagle has landed.');

The Example App: Physical Handshakes

Included in the repo is a fully functional Flutter example app. It demonstrates a cool concept: Physical-First Networking.

Since Tor addresses are long and complex, the app generates a QR code of your .onion address. To join a chat, you don't search a central directory; you scan your friend's screen.

This creates a "Web of Trust" model where your network grows organically based on people you (or your peers) have physically interacted with.

Why use this?

  • Resilience: You can shut down 50% of the nodes, and the message will still find a path to the destination.
  • Anonymity: All traffic stays inside the Tor network. It never touches the public internet (Clearnet).
  • Simplicity: It turns complex cryptography and networking into node.publish().

The decentralized web is waiting to be built. Stop renting servers. Start running nodes.

👉 Star the Repo: SarahRoseLives/tor_gossip