Genuine, Not Just Reachable
A status badge answers one question: did the endpoint respond? It cannot answer the more important one: is the address you are about to paste actually ours? Those are separate checks. This page is the second one — how to confirm a Torzon onion address is authentic before you ever rely on a green reading.
Reachability (what we measure)
Our probes show whether an endpoint answered. Useful for "is it up?", but an imposter address can answer too. Reachability alone is never proof of authenticity.
Authenticity (what you must check)
A signature proves an address came from us. This is the check that protects you when phishing pressure spikes — which is exactly when a mirror has just gone down.
The Authenticity Checklist
Four checks, in order. They take under a minute once the key is imported, and they are the difference between a real endpoint and a credential trap.
Copy onion addresses only from the status table on this site, and bookmark it. The moment a block rolls out, search results, paste sites and chat groups fill with replacement addresses — many reachable, some hostile.
A v3 onion address is exactly 56 base32 characters before .onion. A 16-character v2 address is deprecated and should be treated as hostile. Length is a fast first filter, though not sufficient on its own.
Apply the published key to the signed manifest: gpg --verify torzon-mirrors.txt.asc must report a good signature from the fingerprint below. A valid signature is the only authoritative proof an address is ours.
Before pasting, confirm the full address matches one in the signed manifest byte-for-byte. Look-alike addresses differ by only a handful of characters in the middle, where the eye skips.
Manifest signing fingerprint
This fingerprint signs the address manifest that the status table is built from. It is reproduced on the Mirror Status page. If a copy you find anywhere does not match this exact value, treat the source as hostile.
Setting Up Signature Checking Once
Install a verifier a single time and you can confirm every future address yourself, no trust in this page required.
Windows: Gpg4win · macOS: GPG Suite · Linux: usually preinstalled (gpg --version).
Save the key to torzon-status.asc, then gpg --import torzon-status.asc.
gpg --fingerprint <keyid> must print A1F4 9D27 5B0E 8C36 71A2 E4D9 6F58 03B1 C9E7 2D40. Any mismatch means re-fetch the key.
gpg --verify torzon-mirrors.txt.asc torzon-mirrors.txt — use the addresses only if it reports a good signature from the fingerprint above.
How Phishing Exploits Downtime
Imposters time their campaigns to outages. When a mirror reads down and users go looking for a "new link", that is the high-value moment for a credential trap.
- "Fresh working link" posts in help chatrooms — reachable addresses that route to a credential-skimming clone
- Look-alike domains using swapped characters or a different TLD to imitate a known status or reference site
- Addresses shared without any signature, on the assumption a panicked user will not check
- Unsolicited private messages offering a "one-click" import file for a bridge or address
The defence is the same every time: when a mirror is down, do not chase a replacement address from an untrusted source. Return to the status table, read which endpoint is reachable, and verify its signature before you use it. A status page exists precisely so you never have to trust a stranger's "new link".
REACHABLE, THEN VERIFIED
Use the status table to find an endpoint that is up, then this page to confirm it is genuine. Both checks, every session.