<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 10, 2017 at 5:39 PM, David Fifield <span dir="ltr"><<a href="mailto:david@bamsoftware.com" target="_blank">david@bamsoftware.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, Mar 10, 2017 at 12:58:55PM +0100, Massimo La Morgia wrote:<br>
> we are a research group at Sapienza University, Rome, Italy. We do research on<br>
> distributed systems, Tor, and the Dark Web. As part of our work, we have<br>
> developed OnionGatherer, a service that gives up-to-date information about Dark<br>
> Web hidden services to Tor users.<br>
<br>
</span>...and presumably helps you build a crowdsourced list of onion services<br>
that you plan to use for some other research purpose?<br></blockquote><div><br></div><div>yes, of course in this way we are building a crowdsourced list of onion services, but is not really different from onion directories.</div><div>At this time we have no plan for other research that use this crowdsourced list.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If you're planning a research project on Tor users, you should write to<br>
the research safety board and get ideas about how ot do it in a way that<br>
minimizes risk.<br>
<a href="https://research.torproject.org/safetyboard.html" rel="noreferrer" target="_blank">https://research.torproject.<wbr>org/safetyboard.html</a><br>
<br></blockquote><div><br></div><div>thank you for the suggestion.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This idea seems, to me, to have a lot of privacy problems. You're asking<br>
people to use Chrome instead of Tor Browser, which means they will be<br>
vulnerable to a lot of fingerprinting and trivial deanonymization<br>
attacks.</blockquote><div><br></div><div>No we are not asking people to use chrome for browsing on tor, but we are offering a service that can help them to know if a onion address is up before start to surf with Tor Browser</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Your extension reports not only the onion domains that it<br>
finds, but also the URL of the page you were browsing at the time:<br>
var onionsJson = JSON.stringify({onions:onions, website: window.location.href});<br>
You need to at least inform your research subjects/users what of their<br>
private data you are storing and what you are doing with it.<br></blockquote><div><br></div><div>As you can see from the source code we are not storing any sensitive data like ip or users information. do you think that only URL page can damage user privacy?</div><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
You're using two different regexes for onion URLs that aren't the same.<br>
The one used during replacement doesn't match "https", so I guess it<br>
will fail on URLs like <a href="https://facebookcorewwwi.onion/" rel="noreferrer" target="_blank">https://facebookcorewwwi.<wbr>onion/</a>.<br>
/^(http(s)?:\/\/)?.{16}(\.<wbr>onion)\/?.*$/<br>
/(http:\/\/)?\b[\w\d]{16}\.<wbr>onion(\/[\S]*|)/<br></blockquote><div><br></div><div>Yes, you right, thank you for the feedback.</div></div><br></div></div>