One of the main goals of the Tor architecture is to protect the identity of users. But what if someone wants to protect a destination on the internet as well, such as a web service? Tor provides a solution for that too, called a hidden service.
The technical explanation of hidden services is complex, but the underlying logic relies on rendezvous points distributed across the Tor network. Instead of connecting directly to a destination server address, clients use an identifier to find the server. That identifier is a 16-character name derived from the service’s public key (such as xyz.onion). Once the service is found, client and server meet at a rendezvous point without either knowing the other’s real location. This provides privacy for both parties, client and server. The main goals behind hidden services are access-control protection, the robustness of servers, and hiding the true identities of hidden service administrators.
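The sketch below is an added example, not code from the Tor project. It shows how a 16-character name of this kind is derived in the legacy (version 2) onion format: SHA-1 over the DER-encoded service public key, truncated to 80 bits and base32-encoded. Because the name commits to the key, a client can check that a presented key belongs to the name. The function names and the sample key bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Legacy (v2) onion names: 16 characters from the base32 alphabet a-z, 2-7.
V2_NAME = re.compile(r"[a-z2-7]{16}\.onion")


def onion_address(public_key_der: bytes) -> str:
    """Derive the 16-character name from the DER-encoded service public key."""
    digest = hashlib.sha1(public_key_der).digest()
    # First 80 bits of the hash map to exactly 16 base32 characters (no padding).
    name = base64.b32encode(digest[:10]).decode("ascii").lower()
    return name + ".onion"


def is_v2_name(hostname: str) -> bool:
    """Syntax check only: 16 base32 characters followed by .onion."""
    return V2_NAME.fullmatch(hostname.lower()) is not None


def key_matches(hostname: str, public_key_der: bytes) -> bool:
    """Check that a presented key is the one the name commits to."""
    return is_v2_name(hostname) and hostname.lower() == onion_address(public_key_der)


# Constructed placeholder bytes standing in for two DER-encoded public keys.
SERVICE_KEY = b"constructed-sample-der-public-key-A"
OTHER_KEY = b"constructed-sample-der-public-key-B"

if __name__ == "__main__":
    addr = onion_address(SERVICE_KEY)
    print(addr)
    print("matches own key:  ", key_matches(addr, SERVICE_KEY))
    print("matches other key:", key_matches(addr, OTHER_KEY))
```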
From a security perspective, there is one more detail about Tor hidden services. When accessing regular web services, Tor traffic leaves the Tor network at exit nodes. With hidden services, Tor traffic stays inside the network and does not leave it. This might prevent security issues such as traffic monitoring at exit nodes.