path: root/docs/source/security.rst
author Miguel Jacq <mig@mig5.net> 2021-08-28 10:34:51 +1000
committer Miguel Jacq <mig@mig5.net> 2021-08-28 10:34:51 +1000
commit bca5bee2098915a94a469a8fa0532d74ad63604f (patch)
tree 43bdf1211e98b4f4e62b579321d8e80804186408 /docs/source/security.rst
parent 268b27232f6400d31ad3620ab011eb98b2e25431 (diff)
Update documentation to note that ClientAuth is used in place of basic auth, and that legacy mode (v2 onions) is no longer possible
Diffstat (limited to 'docs/source/security.rst')
-rw-r--r--  docs/source/security.rst  6
1 files changed, 3 insertions, 3 deletions
diff --git a/docs/source/security.rst b/docs/source/security.rst
index b56c7ff8..93ed3bce 100644
--- a/docs/source/security.rst
+++ b/docs/source/security.rst
@@ -14,11 +14,11 @@ What OnionShare protects against
**Anonymity of OnionShare users are protected by Tor.** OnionShare and Tor Browser protect the anonymity of the users. As long as the OnionShare user anonymously communicates the OnionShare address with the Tor Browser users, the Tor Browser users and eavesdroppers can't learn the identity of the OnionShare user.
-**If an attacker learns about the onion service, it still can't access anything.** Prior attacks against the Tor network to enumerate onion services allowed the attacker to discover private .onion addresses. If an attack discovers a private OnionShare address, a password will be prevent them from accessing it (unless the OnionShare user chooses to turn it off and make it public). The password is generated by choosing two random words from a list of 6800 words, making 6800², or about 46 million possible passwords. Only 20 wrong guesses can be made before OnionShare stops the server, preventing brute force attacks against the password.
+**If an attacker learns about the onion service, it still can't access anything.** Prior attacks against the Tor network to enumerate onion services allowed the attacker to discover private .onion addresses. If an attack discovers a private OnionShare address, but not the private key used for Client Authentication, they will be prevented from accessing it (unless the OnionShare user chooses to turn off the private key and make it public - see :ref:`turn_off_private_key`).
What OnionShare doesn't protect against
---------------------------------------
-**Communicating the OnionShare address might not be secure.** Communicating the OnionShare address to people is the responsibility of the OnionShare user. If sent insecurely (such as through an email message monitored by an attacker), an eavesdropper can tell that OnionShare is being used. If the eavesdropper loads the address in Tor Browser while the service is still up, they can access it. To avoid this, the address must be communicateed securely, via encrypted text message (probably with disappearing messages enabled), encrypted email, or in person. This isn't necessary when using OnionShare for something that isn't secret.
+**Communicating the OnionShare address and private key might not be secure.** Communicating the OnionShare address to people is the responsibility of the OnionShare user. If sent insecurely (such as through an email message monitored by an attacker), an eavesdropper can tell that OnionShare is being used. If the eavesdropper loads the address in Tor Browser while the service is still up, they can access it. To avoid this, the address must be communicateed securely, via encrypted text message (probably with disappearing messages enabled), encrypted email, or in person. This isn't necessary when using OnionShare for something that isn't secret.
-**Communicating the OnionShare address might not be anonymous.** Extra precautions must be taken to ensure the OnionShare address is communicated anonymously. A new email or chat account, only accessed over Tor, can be used to share the address. This isn't necessary unless anonymity is a goal.
+**Communicating the OnionShare address and private key might not be anonymous.** Extra precautions must be taken to ensure the OnionShare address is communicated anonymously. A new email or chat account, only accessed over Tor, can be used to share the address. This isn't necessary unless anonymity is a goal.
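Review bot: the two rewritten "What OnionShare doesn't protect against" paragraphs change only their bold leads to "address and private key" while the sentences after them still talk about the address alone ("Communicating the OnionShare address to people is the responsibility of the OnionShare user", "the address must be communicateed securely", "ensure the OnionShare address is communicated anonymously"); since the Client Authentication private key is now the secret an eavesdropper needs, each of those sentences should say "address and private key", and the pre-existing "communicateed" typo carried into the new line should become "communicated". In the rewritten "If an attacker learns about the onion service" paragraph, "If an attack discovers a private OnionShare address" should read "If an attacker discovers", and it would help readers to add one sentence saying that the private key must be shared together with the address for a recipient to connect at all, because the two paragraphs below rely on that. The unchanged context line "Anonymity of OnionShare users are protected by Tor" has a subject-verb mismatch ("is protected") that could be fixed while this file is being edited.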