[tor-dev] OnionGatherer: evaluating status of hidden services

David Fifield david at bamsoftware.com
Fri Mar 10 16:39:05 UTC 2017


On Fri, Mar 10, 2017 at 12:58:55PM +0100, Massimo La Morgia wrote:
> we are a research group at Sapienza University, Rome, Italy. We do research on
> distributed systems, Tor, and the Dark Web. As part of our work, we have
> developed OnionGatherer, a service that gives up-to-date information about Dark
> Web hidden services to Tor users.

...and presumably helps you build a crowdsourced list of onion services
that you plan to use for some other research purpose?

If you're planning a research project on Tor users, you should write to
the research safety board and get ideas about how to do it in a way that
minimizes risk.
https://research.torproject.org/safetyboard.html

This idea seems, to me, to have a lot of privacy problems. You're asking
people to use Chrome instead of Tor Browser, which means they will be
vulnerable to a lot of fingerprinting and trivial deanonymization
attacks. Your extension reports not only the onion domains that it
finds, but also the URL of the page you were browsing at the time:
	var onionsJson = JSON.stringify({onions:onions, website: window.location.href});
You need to at least inform your research subjects/users what of their
private data you are storing and what you are doing with it.

You're using two different regexes for onion URLs that aren't the same.
The one used during replacement doesn't match "https", so I guess it
will fail on URLs like https://facebookcorewwwi.onion/.
	/^(http(s)?:\/\/)?.{16}(\.onion)\/?.*$/
	/(http:\/\/)?\b[\w\d]{16}\.onion(\/[\S]*|)/
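
Added example (not part of the original message and not OnionGatherer code): the two patterns quoted above, run over constructed inputs to show which substring each one matches and where they disagree. The names ANCHORED_RE, REPLACE_RE, compare and disagreements are hypothetical.

```javascript
// Added example: the two patterns quoted in the message, copied verbatim.
// The constant and function names are hypothetical, chosen for this example.
const ANCHORED_RE = /^(http(s)?:\/\/)?.{16}(\.onion)\/?.*$/;
const REPLACE_RE = /(http:\/\/)?\b[\w\d]{16}\.onion(\/[\S]*|)/;

// Return the substring each pattern matches (null if none) and whether
// the two patterns cover exactly the same text.
function compare(input) {
  const a = ANCHORED_RE.exec(input);
  const r = REPLACE_RE.exec(input);
  const anchored = a ? a[0] : null;
  const replace = r ? r[0] : null;
  return { input, anchored, replace, agree: anchored === replace };
}

// Constructed sample inputs (not taken from the extension or its data).
const SAMPLES = [
  "http://facebookcorewwwi.onion/",         // plain http URL
  "https://facebookcorewwwi.onion/",        // https URL from the message
  "facebookcorewwwi.onion",                 // bare hostname
  "see http://facebookcorewwwi.onion/ now", // URL embedded in page text
  "not-valid!!chars.onion",                 // 16 arbitrary characters
];

// Rows where the two patterns do not cover the same text.
function disagreements(samples) {
  return samples.map(compare).filter((row) => !row.agree);
}

for (const row of SAMPLES.map(compare)) {
  console.log(JSON.stringify(row));
}
```

On the https input the second pattern matches only from the hostname onward, so the `https://` prefix lies outside the matched span; on the last input only the first pattern matches, because `.{16}` accepts any characters.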
