Update documentation to note that ClientAuth is used in place of basic auth, and that legacy mode (v2 onions) no longer is possible

4 files changed, 100 insertions, 108 deletions

diff --git a/docs/source/advanced.rst b/docs/source/advanced.rst
index 5f3e6cd7..96f7141b 100644
--- a/docs/source/advanced.rst
+++ b/docs/source/advanced.rst
@@ -16,23 +16,23 @@ When a tab is saved a purple pin icon appears to the left of its server status.
 .. image:: _static/screenshots/advanced-save-tabs.png
 
 When you quit OnionShare and then open it again, your saved tabs will start opened.
-You'll have to manually start each service, but when you do they will start with the same OnionShare address and password.
+You'll have to manually start each service, but when you do they will start with the same OnionShare address and private key.
 
 If you save a tab, a copy of that tab's onion service secret key will be stored on your computer with your OnionShare settings.
 
-.. _turn_off_passwords:
+.. _turn_off_private_key:
 
-Turn Off Passwords
-------------------
+Turn Off Private Key
+--------------------
 
-By default, all OnionShare services are protected with the username ``onionshare`` and a randomly-generated password.
-If someone takes 20 wrong guesses at the password, your onion service is automatically stopped to prevent a brute force attack against the OnionShare service.
+By default, all OnionShare services are protected with a private key, which Tor calls Client Authentication.
+
+When browsing to an OnionShare service in Tor Browser, Tor Browser will prompt for the private key to be entered.
 
 Sometimes you might want your OnionShare service to be accessible to the public, like if you want to set up an OnionShare receive service so the public can securely and anonymously send you files.
-In this case, it's better to disable the password altogether.
-If you don't do this, someone can force your server to stop just by making 20 wrong guesses of your password, even if they know the correct password.
+In this case, it's better to disable the private key altogether.
 
-To turn off the password for any tab, just check the "Don't use a password" box before starting the server. Then the server will be public and won't have a password.
+To turn off the private key for any tab, check the "This is a public OnionShare service (disables private key)" box before starting the server. Then the server will be public and won't need a private key to view in Tor Browser.
 
 .. _custom_titles:
 
@@ -106,11 +106,14 @@ You can browse the command-line documentation by running ``onionshare --help``::
     │          https://onionshare.org/          │
     ╰───────────────────────────────────────────╯
     
-    usage: onionshare-cli [-h] [--receive] [--website] [--chat] [--local-only] [--connect-timeout SECONDS] [--config FILENAME]
-                          [--persistent FILENAME] [--title TITLE] [--public] [--auto-start-timer SECONDS]
-                          [--auto-stop-timer SECONDS] [--legacy] [--client-auth] [--no-autostop-sharing] [--data-dir data_dir]
-                          [--webhook-url webhook_url] [--disable-text] [--disable-files] [--disable_csp] [-v]
-                          [filename ...]
+    usage: onionshare-cli [-h] [--receive] [--website] [--chat] [--local-only]
+                          [--connect-timeout SECONDS] [--config FILENAME]
+                          [--persistent FILENAME] [--title TITLE] [--public]
+                          [--auto-start-timer SECONDS] [--auto-stop-timer SECONDS]
+                          [--no-autostop-sharing] [--data-dir data_dir]
+                          [--webhook-url webhook_url] [--disable-text]
+                          [--disable-files] [--disable_csp] [-v]
+                          [filename [filename ...]]
     
     positional arguments:
       filename                  List of files or folders to share
@@ -122,44 +125,29 @@ You can browse the command-line documentation by running ``onionshare --help``::
       --chat                    Start chat server
       --local-only              Don't use Tor (only for development)
       --connect-timeout SECONDS
-                                Give up connecting to Tor after a given amount of seconds (default: 120)
+                                Give up connecting to Tor after a given amount of
+                                seconds (default: 120)
       --config FILENAME         Filename of custom global settings
       --persistent FILENAME     Filename of persistent session
       --title TITLE             Set a title
-      --public                  Don't use a password
+      --public                  Don't use a private key
       --auto-start-timer SECONDS
-                                Start onion service at scheduled time (N seconds from now)
+                                Start onion service at scheduled time (N seconds
+                                from now)
       --auto-stop-timer SECONDS
-                                Stop onion service at schedule time (N seconds from now)
-      --legacy                  Use legacy address (v2 onion service, not recommended)
-      --client-auth             Use client authorization (requires --legacy)
-      --no-autostop-sharing     Share files: Continue sharing after files have been sent (default is to stop sharing)
-      --data-dir data_dir       Receive files: Save files received to this directory
+                                Stop onion service at schedule time (N seconds
+                                from now)
+      --no-autostop-sharing     Share files: Continue sharing after files have
+                                been sent (default is to stop sharing)
+      --data-dir data_dir       Receive files: Save files received to this
+                                directory
       --webhook-url webhook_url
-                                Receive files: URL to receive webhook notifications
+                                Receive files: URL to receive webhook
+                                notifications
       --disable-text            Receive files: Disable receiving text messages
       --disable-files           Receive files: Disable receiving files
-      --disable_csp             Publish website: Disable Content Security Policy header (allows your website to use third-party
+      --disable_csp             Publish website: Disable Content Security Policy
+                                header (allows your website to use third-party
                                 resources)
-      -v, --verbose             Log OnionShare errors to stdout, and web errors to disk
-
-Legacy Addresses
-----------------
-
-OnionShare uses v3 Tor onion services by default.
-These are modern onion addresses that have 56 characters, for example::
-
-    uf3wmtpbstcupvrrsetrtct7qcmnqvdcsxqzxthxbx2y7tidatxye7id.onion
-
-OnionShare still has support for v2 onion addresses, the old type of onion addresses that have 16 characters, for example::
-
-    lc7j6u55vhrh45eq.onion
-
-OnionShare calls v2 onion addresses "legacy addresses", and they are not recommended, as v3 onion addresses are more secure.
-
-To use legacy addresses, before starting a server click "Show advanced settings" from its tab and check the "Use a legacy address (v2 onion service, not recommended)" box.
-In legacy mode you can optionally turn on Tor client authentication.
-Once you start a server in legacy mode you cannot remove legacy mode in that tab.
-Instead you must start a separate service in a separate tab.
-
-Tor Project plans to `completely deprecate v2 onion services <https://blog.torproject.org/v2-deprecation-timeline>`_ on October 15, 2021, and legacy onion services will be removed from OnionShare before then.
+      -v, --verbose             Log OnionShare errors to stdout, and web errors to
+                                disk
diff --git a/docs/source/develop.rst b/docs/source/develop.rst
index fc6f0c92..5b08c921 100644
--- a/docs/source/develop.rst
+++ b/docs/source/develop.rst
@@ -63,57 +63,54 @@ This prints a lot of helpful messages to the terminal, such as when certain obje
     │          https://onionshare.org/          │
     ╰───────────────────────────────────────────╯
     
-    [May 10 2021 18:24:02] Settings.__init__
-    [May 10 2021 18:24:02] Settings.load
-    [May 10 2021 18:24:02] Settings.load: Trying to load /home/user/.config/onionshare/onionshare.json
-    [May 10 2021 18:24:02] Common.get_resource_path: filename=wordlist.txt
-    [May 10 2021 18:24:02] Common.get_resource_path: filename=wordlist.txt, path=/home/user/code/onionshare/cli/onionshare_cli/resources/wordlist.txt
-    [May 10 2021 18:24:02] ModeSettings.load: creating /home/user/.config/onionshare/persistent/tattered-handgun-stress.json
-    [May 10 2021 18:24:02] ModeSettings.set: updating tattered-handgun-stress: general.title = None
-    [May 10 2021 18:24:02] ModeSettings.set: updating tattered-handgun-stress: general.public = False
-    [May 10 2021 18:24:02] ModeSettings.set: updating tattered-handgun-stress: general.autostart_timer = 0
-    [May 10 2021 18:24:02] ModeSettings.set: updating tattered-handgun-stress: general.autostop_timer = 0
-    [May 10 2021 18:24:02] ModeSettings.set: updating tattered-handgun-stress: general.legacy = False
-    [May 10 2021 18:24:02] ModeSettings.set: updating tattered-handgun-stress: general.client_auth = False
-    [May 10 2021 18:24:02] ModeSettings.set: updating tattered-handgun-stress: share.autostop_sharing = True
-    [May 10 2021 18:24:02] Web.__init__: is_gui=False, mode=share
-    [May 10 2021 18:24:02] Common.get_resource_path: filename=static
-    [May 10 2021 18:24:02] Common.get_resource_path: filename=static, path=/home/user/code/onionshare/cli/onionshare_cli/resources/static
-    [May 10 2021 18:24:02] Common.get_resource_path: filename=templates
-    [May 10 2021 18:24:02] Common.get_resource_path: filename=templates, path=/home/user/code/onionshare/cli/onionshare_cli/resources/templates
-    [May 10 2021 18:24:02] Web.generate_static_url_path: new static_url_path is /static_4yxrx2mzi5uzkblklpzd46mwke
-    [May 10 2021 18:24:02] ShareModeWeb.init
-    [May 10 2021 18:24:02] Onion.__init__
-    [May 10 2021 18:24:02] Onion.connect
-    [May 10 2021 18:24:02] Settings.__init__
-    [May 10 2021 18:24:02] Settings.load
-    [May 10 2021 18:24:02] Settings.load: Trying to load /home/user/.config/onionshare/onionshare.json
-    [May 10 2021 18:24:02] Onion.connect: tor_data_directory_name=/home/user/.config/onionshare/tmp/tmpw6u0nz8l
-    [May 10 2021 18:24:02] Common.get_resource_path: filename=torrc_template
-    [May 10 2021 18:24:02] Common.get_resource_path: filename=torrc_template, path=/home/user/code/onionshare/cli/onionshare_cli/resources/torrc_template
+    [Aug 28 2021 10:32:39] Settings.__init__
+    [Aug 28 2021 10:32:39] Settings.load
+    [Aug 28 2021 10:32:39] Settings.load: Trying to load /home/user/.config/onionshare/onionshare.json
+    [Aug 28 2021 10:32:39] Common.get_resource_path: filename=wordlist.txt
+    [Aug 28 2021 10:32:39] Common.get_resource_path: filename=wordlist.txt, path=/home/user/git/onionshare/cli/onionshare_cli/resources/wordlist.txt
+    [Aug 28 2021 10:32:39] ModeSettings.load: creating /home/user/.config/onionshare/persistent/dreamy-stiffen-moving.json
+    [Aug 28 2021 10:32:39] ModeSettings.set: updating dreamy-stiffen-moving: general.title = None
+    [Aug 28 2021 10:32:39] ModeSettings.set: updating dreamy-stiffen-moving: general.public = False
+    [Aug 28 2021 10:32:39] ModeSettings.set: updating dreamy-stiffen-moving: general.autostart_timer = 0
+    [Aug 28 2021 10:32:39] ModeSettings.set: updating dreamy-stiffen-moving: general.autostop_timer = 0
+    [Aug 28 2021 10:32:39] ModeSettings.set: updating dreamy-stiffen-moving: share.autostop_sharing = True
+    [Aug 28 2021 10:32:39] Web.__init__: is_gui=False, mode=share
+    [Aug 28 2021 10:32:39] Common.get_resource_path: filename=static
+    [Aug 28 2021 10:32:39] Common.get_resource_path: filename=static, path=/home/user/git/onionshare/cli/onionshare_cli/resources/static
+    [Aug 28 2021 10:32:39] Common.get_resource_path: filename=templates
+    [Aug 28 2021 10:32:39] Common.get_resource_path: filename=templates, path=/home/user/git/onionshare/cli/onionshare_cli/resources/templates
+    [Aug 28 2021 10:32:39] Web.generate_static_url_path: new static_url_path is /static_3tix3w3s5feuzlhii3zwqb2gpq
+    [Aug 28 2021 10:32:39] ShareModeWeb.init
+    [Aug 28 2021 10:32:39] Onion.__init__
+    [Aug 28 2021 10:32:39] Onion.connect
+    [Aug 28 2021 10:32:39] Settings.__init__
+    [Aug 28 2021 10:32:39] Settings.load
+    [Aug 28 2021 10:32:39] Settings.load: Trying to load /home/user/.config/onionshare/onionshare.json
+    [Aug 28 2021 10:32:39] Onion.connect: tor_data_directory_name=/home/user/.config/onionshare/tmp/tmppb7kvf4k
+    [Aug 28 2021 10:32:39] Common.get_resource_path: filename=torrc_template
+    [Aug 28 2021 10:32:39] Common.get_resource_path: filename=torrc_template, path=/home/user/git/onionshare/cli/onionshare_cli/resources/torrc_template
     Connecting to the Tor network: 100% - Done
-    [May 10 2021 18:24:10] Onion.connect: Connected to tor 0.4.5.7
-    [May 10 2021 18:24:10] Settings.load
-    [May 10 2021 18:24:10] Settings.load: Trying to load /home/user/.config/onionshare/onionshare.json
-    [May 10 2021 18:24:10] Web.generate_password: saved_password=None
-    [May 10 2021 18:24:10] Common.get_resource_path: filename=wordlist.txt
-    [May 10 2021 18:24:10] Common.get_resource_path: filename=wordlist.txt, path=/home/user/code/onionshare/cli/onionshare_cli/resources/wordlist.txt
-    [May 10 2021 18:24:10] Web.generate_password: built random password: "tipping-colonize"
-    [May 10 2021 18:24:10] OnionShare.__init__
-    [May 10 2021 18:24:10] OnionShare.start_onion_service
-    [May 10 2021 18:24:10] Onion.start_onion_service: port=17645
-    [May 10 2021 18:24:10] Onion.start_onion_service: key_type=NEW, key_content=ED25519-V3
-    [May 10 2021 18:24:14] ModeSettings.set: updating tattered-handgun-stress: general.service_id = omxjamkys6diqxov7lxru2upromdprxjuq3czdhen6hrshzd4sll2iyd
-    [May 10 2021 18:24:14] ModeSettings.set: updating tattered-handgun-stress: onion.private_key = 6PhomJCjlWicmOyAAe0wnQoEM3vcyHBivrRGDy0hzm900fW5ITDJ6iv2+tluLoueYj81MhmnYeTOHDm8UGOfhg==
+    [Aug 28 2021 10:32:56] Onion.connect: Connected to tor 0.4.6.7
+    [Aug 28 2021 10:32:56] Settings.load
+    [Aug 28 2021 10:32:56] Settings.load: Trying to load /home/user/.config/onionshare/onionshare.json
+    [Aug 28 2021 10:32:56] OnionShare.__init__
+    [Aug 28 2021 10:32:56] OnionShare.start_onion_service
+    [Aug 28 2021 10:32:56] Onion.start_onion_service: port=17609
+    [Aug 28 2021 10:32:56] Onion.start_onion_service: key_type=NEW, key_content=ED25519-V3
+    [Aug 28 2021 10:33:03] ModeSettings.set: updating dreamy-stiffen-moving: general.service_id = sobp4rklarkz34mcog3pqtkb4t5bvyxv3dazvsqmfyhw4imqj446ffqd
+    [Aug 28 2021 10:33:03] ModeSettings.set: updating dreamy-stiffen-moving: onion.private_key = sFiznwaPWJdKmFXumdDLkJGdUUdjI/0TWo+l/QEZiE/XoVogjK9INNoz2Tf8vmpe66ssa85En+5w6F2kKyTstA==
+    [Aug 28 2021 10:33:03] ModeSettings.set: updating dreamy-stiffen-moving: onion.client_auth_priv_key = YL6YIEMZS6J537Y5ZKEA2Z6IIQEWFK2CMGTWK5G3DGGUREHJSJNQ
+    [Aug 28 2021 10:33:03] ModeSettings.set: updating dreamy-stiffen-moving: onion.client_auth_pub_key = 5HUL6RCPQ5VEFDOHCSRAHPFIB74EHVFJO6JJHDP76EDWVRJE2RJQ
     Compressing files.
-    [May 10 2021 18:24:14] ShareModeWeb.init
-    [May 10 2021 18:24:14] ShareModeWeb.set_file_info_custom
-    [May 10 2021 18:24:14] ShareModeWeb.build_zipfile_list
-    [May 10 2021 18:24:14] Web.start: port=17645
-    * Running on http://127.0.0.1:17645/ (Press CTRL+C to quit)
+    [Aug 28 2021 10:33:03] ShareModeWeb.init
+    [Aug 28 2021 10:33:03] ShareModeWeb.set_file_info_custom
+    [Aug 28 2021 10:33:03] ShareModeWeb.build_zipfile_list
+    [Aug 28 2021 10:33:03] Web.start: port=17609
+     * Running on http://127.0.0.1:17609/ (Press CTRL+C to quit)
     
-    Give this address to the recipient:
-    http://onionshare:tipping-colonize@omxjamkys6diqxov7lxru2upromdprxjuq3czdhen6hrshzd4sll2iyd.onion
+    Give this address and private key to the recipient:
+    http://sobp4rklarkz34mcog3pqtkb4t5bvyxv3dazvsqmfyhw4imqj446ffqd.onion
+    Private key: YL6YIEMZS6J537Y5ZKEA2Z6IIQEWFK2CMGTWK5G3DGGUREHJSJNQ
     
     Press Ctrl+C to stop the server
 
@@ -153,18 +150,19 @@ You can do this with the ``--local-only`` flag. For example::
     │          https://onionshare.org/          │
     ╰───────────────────────────────────────────╯
     
-    * Running on http://127.0.0.1:17617/ (Press CTRL+C to quit)
+     * Running on http://127.0.0.1:17621/ (Press CTRL+C to quit)
     
     Files sent to you appear in this folder: /home/user/OnionShare
     
     Warning: Receive mode lets people upload files to your computer. Some files can potentially take control of your computer if you open them. Only open things from people you trust, or if you know what you are doing.
     
-    Give this address to the sender:
-    http://onionshare:ended-blah@127.0.0.1:17617
+    Give this address and private key to the sender:
+    http://127.0.0.1:17621
+    Private key: E2GOT5LTUTP3OAMRCRXO4GSH6VKJEUOXZQUC336SRKAHTTT5OVSA
     
     Press Ctrl+C to stop the server
 
-In this case, you load the URL ``http://onionshare:train-system@127.0.0.1:17635`` in a normal web-browser like Firefox, instead of using the Tor Browser.
+In this case, you load the URL ``http://127.0.0.1:17621`` in a normal web-browser like Firefox, instead of using the Tor Browser. The Private key is not actually needed in local-only mode, so you can ignore it.
 
 Contributing Translations
 -------------------------
@@ -186,4 +184,4 @@ Status of Translations
 Here is the current translation status.
 If you want start a translation in a language not yet started, please write to the mailing list: onionshare-dev@lists.riseup.net
 
-.. image:: https://hosted.weblate.org/widgets/onionshare/-/translations/multi-auto.svg
\ No newline at end of file
+.. image:: https://hosted.weblate.org/widgets/onionshare/-/translations/multi-auto.svg
diff --git a/docs/source/features.rst b/docs/source/features.rst
index 7c3368f9..0c72809b 100644
--- a/docs/source/features.rst
+++ b/docs/source/features.rst
@@ -5,14 +5,20 @@ How OnionShare Works
 
 Web servers are started locally on your computer and made accessible to other people as `Tor <https://www.torproject.org/>`_ `onion services <https://community.torproject.org/onion-services/>`_.
 
-By default, OnionShare web addresses are protected with a random password. A typical OnionShare address might look something like this::
+By default, OnionShare web addresses are protected with a private key (Client Authentication). A typical OnionShare address might look something like this::
 
-    http://onionshare:constrict-purity@by4im3ir5nsvygprmjq74xwplrkdgt44qmeapxawwikxacmr3dqzyjad.onion
+    http://by4im3ir5nsvygprmjq74xwplrkdgt44qmeapxawwikxacmr3dqzyjad.onion
 
-You're responsible for securely sharing that URL using a communication channel of your choice like in an encrypted chat message, or using something less secure like unencrypted e-mail, depending on your `threat model <https://ssd.eff.org/module/your-security-plan>`_.
+And the Private key might look something like this::
+
+    EM6UK3LFM7PFLX63DVZIUQQPW5JV5KO6PB3TP3YNA4OLB3OH7AQA
+
+You're responsible for securely sharing that URL, and the private key, using a communication channel of your choice like in an encrypted chat message, or using something less secure like unencrypted e-mail, depending on your `threat model <https://ssd.eff.org/module/your-security-plan>`_.
 
 The people you send the URL to then copy and paste it into their `Tor Browser <https://www.torproject.org/>`_ to access the OnionShare service.
 
+Tor Browser will then prompt for the private key in an authentication dialog, which the person can also then copy and paste in.
+
 If you run OnionShare on your laptop to send someone files, and then suspend it before the files are sent, the service will not be available until your laptop is unsuspended and on the Internet again. OnionShare works best when working with people in real-time.
 
 Because your own computer is the web server, *no third party can access anything that happens in OnionShare*, not even the developers of OnionShare. It's completely private. And because OnionShare is based on Tor onion services too, it also protects your anonymity. See the :doc:`security design </security>` for more info.
@@ -39,7 +45,7 @@ When you're ready to share, click the "Start sharing" button. You can always cli
 
 Now that you have a OnionShare, copy the address and send it to the person you want to receive the files. If the files need to stay secure, or the person is otherwise exposed to danger, use an encrypted messaging app.
 
-That person then must load the address in Tor Browser. After logging in with the random password included in the web address, the files can be downloaded directly from your computer by clicking the "Download Files" link in the corner.
+That person then must load the address in Tor Browser. After logging in with the private key, the files can be downloaded directly from your computer by clicking the "Download Files" link in the corner.
 
 .. image:: _static/screenshots/share-torbrowser.png
 
@@ -88,7 +94,7 @@ Tips for running a receive service
 
 If you want to host your own anonymous dropbox using OnionShare, it's recommended you do so on a separate, dedicated computer always powered on and connected to the Internet, and not on the one you use on a regular basis.
 
-If you intend to put the OnionShare address on your website or social media profiles, save the tab (see :ref:`save_tabs`) and run it as a public service (see :ref:`turn_off_passwords`). It's also a good idea to give it a custom title (see :ref:`custom_titles`).
+If you intend to put the OnionShare address on your website or social media profiles, save the tab (see :ref:`save_tabs`) and run it as a public service (see :ref:`turn_off_private_key`). It's also a good idea to give it a custom title (see :ref:`custom_titles`).
 
 Host a Website
 --------------
@@ -118,7 +124,7 @@ Tips for running a website service
 If you want to host a long-term website using OnionShare (meaning not something to quickly show someone something), it's recommended you do it on a separate, dedicated computer always powered on and connected to the Internet, and not on the one you use on a regular basis.
 Save the tab (see :ref:`save_tabs`) so you can resume the website with the same address if you close OnionShare and re-open it later.
 
-If your website is intended for the public, you should run it as a public service (see :ref:`turn_off_passwords`).
+If your website is intended for the public, you should run it as a public service (see :ref:`turn_off_private_key`).
 
 Chat Anonymously
 ----------------
diff --git a/docs/source/security.rst b/docs/source/security.rst
index b56c7ff8..93ed3bce 100644
--- a/docs/source/security.rst
+++ b/docs/source/security.rst
@@ -14,11 +14,11 @@ What OnionShare protects against
 
 **Anonymity of OnionShare users are protected by Tor.** OnionShare and Tor Browser protect the anonymity of the users. As long as the OnionShare user anonymously communicates the OnionShare address with the Tor Browser users, the Tor Browser users and eavesdroppers can't learn the identity of the OnionShare user.
 
-**If an attacker learns about the onion service, it still can't access anything.** Prior attacks against the Tor network to enumerate onion services allowed the attacker to discover private .onion addresses. If an attack discovers a private OnionShare address, a password will be prevent them from accessing it (unless the OnionShare user chooses to turn it off and make it public). The password is generated by choosing two random words from a list of 6800 words, making 6800², or about 46 million possible passwords. Only 20 wrong guesses can be made before OnionShare stops the server, preventing brute force attacks against the password.
+**If an attacker learns about the onion service, it still can't access anything.** Prior attacks against the Tor network to enumerate onion services allowed the attacker to discover private .onion addresses. If an attack discovers a private OnionShare address, but not the private key used for Client Authentication, they will be prevented from accessing it (unless the OnionShare user chooses to turn off the private key and make it public - see :ref:`turn_off_private_key`).
 
 What OnionShare doesn't protect against
 ---------------------------------------
 
-**Communicating the OnionShare address might not be secure.** Communicating the OnionShare address to people is the responsibility of the OnionShare user. If sent insecurely (such as through an email message monitored by an attacker), an eavesdropper can tell that OnionShare is being used. If the eavesdropper loads the address in Tor Browser while the service is still up, they can access it. To avoid this, the address must be communicateed securely, via encrypted text message (probably with disappearing messages enabled), encrypted email, or in person. This isn't necessary when using OnionShare for something that isn't secret.
+**Communicating the OnionShare address and private key might not be secure.** Communicating the OnionShare address to people is the responsibility of the OnionShare user. If sent insecurely (such as through an email message monitored by an attacker), an eavesdropper can tell that OnionShare is being used. If the eavesdropper loads the address in Tor Browser while the service is still up, they can access it. To avoid this, the address must be communicateed securely, via encrypted text message (probably with disappearing messages enabled), encrypted email, or in person. This isn't necessary when using OnionShare for something that isn't secret.
 
-**Communicating the OnionShare address might not be anonymous.** Extra precautions must be taken to ensure the OnionShare address is communicated anonymously. A new email or chat account, only accessed over Tor, can be used to share the address. This isn't necessary unless anonymity is a goal.
+**Communicating the OnionShare address and private key might not be anonymous.** Extra precautions must be taken to ensure the OnionShare address is communicated anonymously. A new email or chat account, only accessed over Tor, can be used to share the address. This isn't necessary unless anonymity is a goal.