<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">2017-03-10 13:28 GMT+01:00 Evan d'Entremont <span dir="ltr">&lt;<a href="mailto:evan@evandentremont.com" target="_blank">evan@evandentremont.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>This is an interesting project; that being said, I have a few concerns I'm hoping you can address.<br><br>From a security standpoint:<br></div><ul><li>The instructions for the webservice don't seem to indicate that it is being served as a hidden service, or even with SSL. See <code>&lt;VirtualHost *:80&gt;</code>. This would mean that, even if Chrome is configured properly, when the request is made over Tor it basically sends every link on every page you're viewing, in the clear, over the public internet; and to your server, if one was to actually use it.</li></ul></blockquote><div><br></div><div>No, the webservice is not served as a hidden service, but it runs with SSL, and requests on port 80 are redirected to port 443 of this URL: <a href="https://lamorgiam.redi.uniroma1.it/onionGatherer">https://lamorgiam.redi.uniroma1.it/onionGatherer</a>.</div><div>The configuration reported with <code>&lt;VirtualHost *:80&gt;</code> in the MD file is for a generic setup of the server.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><ul><li>Unless you intend to share your onionGatherer service with someone else (you clearly shouldn't) then 'Require All Granted' is unnecessary and inadvisable.<br></li><li><code><a href="https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52" rel="nofollow" target="_blank">if(responseData['onions'][portion.text] == 0)</a></code> would return an orange circle if portion.text is undefined or null; perhaps stronger typing would be appropriate.
</li></ul><div><br></div><div>From a pure code review standpoint:<br></div><ul><li>You include the images twice, once in the root, and once in figures.<br></li><li><a href="https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L6" rel="nofollow" target="_blank">You've implemented an XHTML parser in regex</a>; generally this is inadvisable.<br></li><li>The version of jQuery that was included (2.2.3) is not the most recent (2.2.4).<br></li></ul><div><br></div></blockquote><div>Thank you for your feedback. Your advice is really appreciated. We will try to fix it ASAP.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Evan<br></div><div><br></div><div class="gmail-HOEnZb"><div class="gmail-h5"><div><br></div><blockquote type="cite" class="gmail-m_-8951951510522046151protonmail_quote"><div>-------- Original Message --------<br></div><div>Subject: [tor-dev] OnionGatherer: evaluating status of hidden services<br></div><div>Local Time: 10 March 2017 7:58 AM<br></div><div>UTC Time: 10 March 2017 11:58<br></div><div>From: <a href="mailto:lamorgia@di.uniroma1.it" target="_blank">lamorgia@di.uniroma1.it</a><br></div><div>To: <a href="mailto:tor-dev@lists.torproject.org" target="_blank">tor-dev@lists.torproject.org</a><br></div><div>Julinda Stefa &lt;<a href="mailto:stefa@di.uniroma1.it" target="_blank">stefa@di.uniroma1.it</a>&gt;, Simone Raponi &lt;<a href="mailto:raponi.1539620@studenti.uniroma1.it" target="_blank">raponi.1539620@studenti.uniroma1.it</a>&gt;, Alessandro Mei &lt;<a href="mailto:mei@di.uniroma1.it" target="_blank">mei@di.uniroma1.it</a>&gt;<br></div><div><br></div><div dir="ltr"><div style="font-size:12.8px">Dear members of the Tor community,<br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">We are a research group at Sapienza University, Rome, Italy. We do research on distributed systems, Tor, and the Dark Web. As part of our work, we have developed OnionGatherer, a service that gives up-to-date information about Dark Web hidden services to Tor users.<br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">OnionGatherer is implemented as a Google Chrome extension coupled with a back-end service running on our servers. As the user surfs the Web, OnionGatherer collects all the URLs from the page and adds a green bullet next to the URL if the hidden service is up and running, an orange one if the system is currently evaluating the address' status, or a red one if the hidden service is down. The status of the hidden services is pulled from our servers, which keep track of all the services found by the users and constantly monitor their status. When a new hidden service is found, OnionGatherer checks its status in real time, informs the user accordingly, and adds it to the database.<br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">We believe that OnionGatherer can be very useful to Tor users that are interested in surfing the Dark Web. Indeed, hidden services are born and shut down very frequently, and it is often time consuming and frustrating to check manually which services are still active.<br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">We kindly ask if you can help disseminate our project: the larger the number of users of OnionGatherer, the larger the database and the better the service we can provide. Currently the software is in Beta version and released on GitHub at the following links:<br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">client: <a rel="noreferrer nofollow noopener" href="https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension" target="_blank">https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension</a><br></div><div style="font-size:12.8px">server: <a rel="noreferrer nofollow noopener" href="https://github.com/rfidlabsapienza/onionGatherer-Server" target="_blank">https://github.com/rfidlabsapienza/onionGatherer-Server</a><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Any feedback or issues are really appreciated.<br></div><div style="font-size:12.8px">Thanks in advance. Best regards,<br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">The research group:<br></div><div style="font-size:12.8px">A. Mei, J. Stefa, M. La Morgia, S. Raponi<br></div></div></blockquote><div><br></div></div></div><br>_______________________________________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev</a><br>
<br></blockquote></div><br></div></div>
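<p>Added example for two of the review points in the thread above: collecting links through the browser's own URL parser rather than a regex over the page source, and replacing the <code>== 0</code> test on an unchecked key with a strict, validated lookup. This is not code from the OnionGatherer extension or from anyone in the thread. The thread only shows that status 0 draws the orange circle; the codes 1 (green) and 2 (red), the 16/56-character address lengths, the <code>annotate</code> helper, and the sample anchors and server response are assumptions constructed for the example.</p>

```javascript
// Added example, not OnionGatherer project code.
// Assumed address shapes: 16 base32 characters (v2) or 56 (v3), then ".onion".
const ONION_HOST = /^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$/;

// Assumed status codes for the server's `onions` map; the thread shows only 0.
const STATUS_COLOUR = Object.freeze({ 0: 'orange', 1: 'green', 2: 'red' });

// Collect distinct .onion hostnames from anchor-like objects ({ href }).
// In the extension the argument would be document.querySelectorAll('a[href]').
// The URL parser resolves relative links and strips userinfo, ports and query
// strings, which a regex run over raw HTML tends to mishandle.
function collectOnionHosts(anchors, baseUrl) {
  const hosts = new Set();
  for (const a of anchors) {
    let url;
    try {
      url = new URL(a.href, baseUrl);
    } catch (e) {
      continue; // unparsable href: skip rather than guess
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    const host = url.hostname.toLowerCase();
    if (ONION_HOST.test(host)) hosts.add(host);
  }
  return [...hosts];
}

// The pattern under review, kept for contrast: the key is never validated and
// `==` coerces, so a string '0' or `false` in a malformed response also reads
// as "evaluating".
function looseIsOrange(onions, key) {
  return onions[key] == 0;
}

// Strict lookup: a colour is returned only for a validated host that the
// server explicitly reported with a known integer code. Anything else is null,
// so "not yet reported" stays distinct from "server said evaluating".
function statusColour(onions, host) {
  if (typeof host !== 'string' || !ONION_HOST.test(host)) return null;
  if (onions === null || typeof onions !== 'object') return null;
  if (!Object.prototype.hasOwnProperty.call(onions, host)) return null;
  const code = onions[host];
  if (!Number.isInteger(code)) return null; // '0', true, null never match
  return STATUS_COLOUR[code] === undefined ? null : STATUS_COLOUR[code];
}

// Map every onion host found on a page to the colour the bullet should get.
function annotate(anchors, baseUrl, response) {
  const onions = response && response.onions;
  const out = {};
  for (const host of collectOnionHosts(anchors, baseUrl)) {
    out[host] = statusColour(onions, host);
  }
  return out;
}

// Constructed sample input: not real addresses and not a real server response.
const SAMPLE_ANCHORS = [
  { href: 'http://abcdefghijklmnop.onion/index.html' },
  { href: 'http://abcdefghijklmnop.onion:8080/other?x=1' }, // same host, deduplicated
  { href: 'https://example.com/not-an-onion' },
  { href: 'http://user@qrstuvwxyz234567.onion/' },           // userinfo stripped
  { href: '/relative/path' },                                 // resolved against baseUrl
  { href: 'javascript:void(0)' },                             // non-http scheme skipped
  { href: 'http://abc.onion/' },                              // wrong length, rejected
];
const SAMPLE_RESPONSE = {
  onions: {
    'abcdefghijklmnop.onion': 0,
    'qrstuvwxyz234567.onion': 1,
    'zzzzzzzzzzzzzzzz.onion': '0', // malformed value: string, not a code
  },
};

console.log(JSON.stringify(annotate(SAMPLE_ANCHORS, 'https://example.com/page', SAMPLE_RESPONSE)));
```

<p>For the sample page this yields <code>abcdefghijklmnop.onion</code> as orange and <code>qrstuvwxyz234567.onion</code> as green, while the malformed <code>'0'</code> entry is rejected by the strict lookup but accepted by the loose one. Returning <code>null</code> for hosts the server never mentioned lets the extension submit them for evaluation instead of guessing a colour.</p>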