[tor-dev] OnionGatherer: evaluating status of hidden services

Massimo La Morgia lamorgia at di.uniroma1.it
Fri Mar 10 17:25:04 UTC 2017


On Fri, Mar 10, 2017 at 5:39 PM, David Fifield <david at bamsoftware.com>
wrote:

> On Fri, Mar 10, 2017 at 12:58:55PM +0100, Massimo La Morgia wrote:
> > we are a research group at Sapienza University, Rome, Italy. We do
> > research on distributed systems, Tor, and the Dark Web. As part of our
> > work, we have developed OnionGatherer, a service that gives up-to-date
> > information about Dark Web hidden services to Tor users.
>
> ...and presumably helps you build a crowdsourced list of onion services
> that you plan to use for some other research purpose?
>

Yes, of course in this way we are building a crowdsourced list of onion
services, but it is not really different from onion directories.
At this time we have no plan for other research that uses this crowdsourced
list.


>
> If you're planning a research project on Tor users, you should write to
> the research safety board and get ideas about how to do it in a way that
> minimizes risk.
> https://research.torproject.org/safetyboard.html
>
>
thank you for the suggestion.


> This idea seems, to me, to have a lot of privacy problems. You're asking
> people to use Chrome instead of Tor Browser, which means they will be
> vulnerable to a lot of fingerprinting and trivial deanonymization
> attacks.


No, we are not asking people to use Chrome for browsing on Tor, but we are
offering a service that can help them to know if an onion address is up
before they start to surf with Tor Browser.


> Your extension reports not only the onion domains that it
> finds, but also the URL of the page you were browsing at the time:
>         var onionsJson = JSON.stringify({onions:onions, website: window.location.href});
> You need to at least inform your research subjects/users what of their
> private data you are storing and what you are doing with it.
>

As you can see from the source code, we are not storing any sensitive data
like IP or user information. Do you think that only the page URL can damage
user privacy?




> You're using two different regexes for onion URLs that aren't the same.
> The one used during replacement doesn't match "https", so I guess it
> will fail on URLs like https://facebookcorewwwi.onion/.
>         /^(http(s)?:\/\/)?.{16}(\.onion)\/?.*$/
>         /(http:\/\/)?\b[\w\d]{16}\.onion(\/[\S]*|)/
>

Yes, you are right, thank you for the feedback.
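
The regex mismatch discussed above, as an added example that is not part of the original message or of the OnionGatherer code: it runs the two quoted patterns over constructed inputs to show where they disagree, then builds both uses from one shared source string. The names `compare`, `compareShared` and `ONION_SRC` are hypothetical, and the shared pattern assumes 16-character base32 onion addresses as in the thread.

```javascript
// The two patterns quoted in the message above, copied verbatim.
const validateRe = /^(http(s)?:\/\/)?.{16}(\.onion)\/?.*$/;
const replaceRe = /(http:\/\/)?\b[\w\d]{16}\.onion(\/[\S]*|)/;

// Constructed sample inputs (the Facebook address is the one in the message).
const samples = [
  "http://facebookcorewwwi.onion/",
  "https://facebookcorewwwi.onion/",
  "not a real host!.onion", // 16 arbitrary characters followed by .onion
];

// For one input: does the validation pattern accept it, and which
// substring would the replacement pattern actually act on?
function compare(input) {
  const m = replaceRe.exec(input);
  return { validates: validateRe.test(input), replaced: m ? m[0] : null };
}

// Hypothetical fix (an assumption, not the project's code): one source
// fragment shared by both uses, so the two patterns cannot drift apart.
// [a-z2-7] is the base32 alphabet; ".{16}" above accepts any characters.
const ONION_SRC = "(?:https?://)?\\b[a-z2-7]{16}\\.onion(?:/\\S*)?";
const sharedValidateRe = new RegExp("^" + ONION_SRC + "$", "i");
const sharedFindRe = new RegExp(ONION_SRC, "i");

function compareShared(input) {
  const m = sharedFindRe.exec(input);
  return { validates: sharedValidateRe.test(input), replaced: m ? m[0] : null };
}

for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log("  quoted patterns:", JSON.stringify(compare(s)));
  console.log("  shared pattern: ", JSON.stringify(compareShared(s)));
}
```

With the quoted patterns the `https` URL validates, but the replacement match starts after the scheme, and the third input validates even though it is not an onion address.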