[tor-dev] OnionGatherer: evaluating status of hidden services

Evan d'Entremont evan at evandentremont.com
Fri Mar 10 12:28:59 UTC 2017


This is an interesting project, that being said I have a few concerns I'm hoping you can address.

From a security standpoint;

- The instructions for the webservice don't seem to indicate that it is being served as a hidden service, or even with ssl. See <Virtualhost *:80>. This would mean that, even if chrome is configured properly, when the request is made over Tor it basically sends every link on every page you're viewing, in the clear, over the public internet; and to your server, if one was to actually use it.

- Unless you intend to share your onionGatherer service with someone else (you clearly shouldn't) then 'Require All Granted' is unnecessary and inadvisable.

- [if(responseData['onions'][portion.text] == 0)](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[(responseData[](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)['](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[onions](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)['](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[][](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[portion](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[.](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[text](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[] ](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[==](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[ ](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[0](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)[)](https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52)  would return an orange circle if portion.text is undefined or null, perhaps stronger typing would be appropriate.



From a pure code review standpoint;

- ou include the images twice, once in the root, and once in figures.

- [You've implemented an XTHML parser in regex](http:// https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L6 ); Generally this is inadvisable.

- The version of jQuery that was included (2.2.3) is not the most recent (2.2.4)



Evan



Sent with [ProtonMail](https://protonmail.com) Secure Email.


-------- Original Message --------
Subject: [tor-dev] OnionGatherer: evaluating status of hidden services
Local Time: 10 March 2017 7:58 AM
UTC Time: 10 March 2017 11:58
From: lamorgia at di.uniroma1.it
To: tor-dev at lists.torproject.org
Julinda Stefa <stefa at di.uniroma1.it>, simone raponi <raponi.1539620 at studenti.uniroma1.it>, Alessandro Mei <mei at di.uniroma1.it>


Dear members of the Tor community,

we are a research group at Sapienza University, Rome, Italy. We do research on distributed systems, Tor, and the Dark Web. As part of our work, we have developed OnionGatherer, a service that gives up-to-date information about Dark Web hidden services to Tor users.

OnionGatherer is implemented as a Google Chrome extension coupled with a back-end service running on our servers. As the user surfes the Web, OnionGatherer collects all the URLs from the page and adds a green bullet next ot the URL if the hidden service is up and running, an orange one if the system are currently evaluating the address' status or a red one if the hidden service is down. The status of the hidden services is pulled from our servers, which keep track of all the services found by the users and constantly monitor their status. When a new hidden service is found, OnionGatherer checks its status in real time, informs the user accordingly, and adds it to the database.

We believe that OnionGatherer can be very useful to Tor users that are interested in surfing the Dark Web. Indeed, hidden services are born and shut down very frequently, and it is often time consuming and frustrating to check manually which services are still active.

We kindky ask if you can help disseminate our project ---the largest is the number of users of OnionGatherer, the largest the database and the best the service we can provide. Currently the software is in Beta version and released on GitHub at the following link:

client: https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension
server: https://github.com/rfidlabsapienza/onionGatherer-Server

Any feedback or issue are really appreciated.
Thanks in advance. Best regards,

The research group:
A. Mei, J. Stefa, M. La Morgia, S. Raponi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20170310/2a9e8f2f/attachment.html>


More information about the tor-dev mailing list