2017-03-10 13:28 GMT+01:00 Evan d'Entremont evan@evandentremont.com:
This is an interesting project, that being said I have a few concerns I'm hoping you can address.
From a security standpoint;
- The instructions for the webservice don't seem to indicate that it
is being served as a hidden service, or even with ssl. See <Virtualhost *:80>. This would mean that, even if chrome is configured properly, when the request is made over Tor it basically sends every link on every page you're viewing, in the clear, over the public internet; and to your server, if one was to actually use it.
No, the webservice is not served as hidden service, but it runs with ssl and requests on port 80 are redirected on port 443 of this URL : https://lamorgiam.redi.uniroma1.it/onionGatherer. The configuration reported with <Virtualhost *:80> on the MD file is for a generic setup of the server.
- Unless you intend to share your onionGatherer service with someone
else (you clearly shouldn't) then 'Require All Granted' is unnecessary and inadvisable.
- if(responseData['onions'][portion.text] == 0)
https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 (responseData[ https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 ' https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 onions https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 ' https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 ][ https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 portion https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 . https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 text https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52]
https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52
https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 0 https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 ) https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52 would return an orange circle if portion.text is undefined or null, perhaps stronger typing would be appropriate.
From a pure code review standpoint;
- ou include the images twice, once in the root, and once in figures.
- You've implemented an XTHML parser in regex
http://%C2%A0https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L6; Generally this is inadvisable.
- The version of jQuery that was included (2.2.3) is not the most
recent (2.2.4)
Thank you for your feedback. Your advices are really appreciated. we will
try to fix asap
Evan
Sent with ProtonMail https://protonmail.com Secure Email.
-------- Original Message -------- Subject: [tor-dev] OnionGatherer: evaluating status of hidden services Local Time: 10 March 2017 7:58 AM UTC Time: 10 March 2017 11:58 From: lamorgia@di.uniroma1.it To: tor-dev@lists.torproject.org Julinda Stefa stefa@di.uniroma1.it, simone raponi < raponi.1539620@studenti.uniroma1.it>, Alessandro Mei mei@di.uniroma1.it
Dear members of the Tor community,
we are a research group at Sapienza University, Rome, Italy. We do research on distributed systems, Tor, and the Dark Web. As part of our work, we have developed OnionGatherer, a service that gives up-to-date information about Dark Web hidden services to Tor users.
OnionGatherer is implemented as a Google Chrome extension coupled with a back-end service running on our servers. As the user surfes the Web, OnionGatherer collects all the URLs from the page and adds a green bullet next ot the URL if the hidden service is up and running, an orange one if the system are currently evaluating the address' status or a red one if the hidden service is down. The status of the hidden services is pulled from our servers, which keep track of all the services found by the users and constantly monitor their status. When a new hidden service is found, OnionGatherer checks its status in real time, informs the user accordingly, and adds it to the database.
We believe that OnionGatherer can be very useful to Tor users that are interested in surfing the Dark Web. Indeed, hidden services are born and shut down very frequently, and it is often time consuming and frustrating to check manually which services are still active.
We kindky ask if you can help disseminate our project ---the largest is the number of users of OnionGatherer, the largest the database and the best the service we can provide. Currently the software is in Beta version and released on GitHub at the following link:
client: https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension server: https://github.com/rfidlabsapienza/onionGatherer-Server
Any feedback or issue are really appreciated. Thanks in advance. Best regards,
The research group: A. Mei, J. Stefa, M. La Morgia, S. Raponi
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev