[tor-dev] OnionGatherer: evaluating status of hidden services

ansijax at gmail.com ansijax at gmail.com
Fri Mar 10 17:52:47 UTC 2017


2017-03-10 13:28 GMT+01:00 Evan d'Entremont <evan at evandentremont.com>:

> This is an interesting project, that being said I have a few concerns I'm
> hoping you can address.
>
> From a security standpoint;
>
>    - The instructions for the webservice don't seem to indicate that it
>    is being served as a hidden service, or even with ssl. See <Virtualhost
>    *:80>. This would mean that, even if chrome is configured properly, when
>    the request is made over Tor it basically sends every link on every page
>    you're viewing, in the clear, over the public internet; and to your server,
>    if one was to actually use it.
>
>

No, the webservice is not served as a hidden service, but it runs with SSL
and requests on port 80 are redirected to port 443 at this URL:
https://lamorgiam.redi.uniroma1.it/onionGatherer.
The configuration reported with <Virtualhost *:80> in the MD file is for a
generic setup of the server.



>
>    - Unless you intend to share your onionGatherer service with someone
>    else (you clearly shouldn't) then 'Require All Granted' is unnecessary and
>    inadvisable.
>    - if(responseData['onions'][portion.text] == 0)
>    <https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52>
>    would return an orange circle if portion.text is undefined or null,
>    perhaps stronger typing would be appropriate.
>
>
> From a pure code review standpoint;
>
>    - You include the images twice, once in the root, and once in figures.
>    - You've implemented an XHTML parser in regex
>    <https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L6>;
>    Generally this is inadvisable.
>    - The version of jQuery that was included (2.2.3) is not the most
>    recent (2.2.4).
>
>
Thank you for your feedback. Your advice is really appreciated. We will
try to fix these ASAP.


> Evan
>
>
> Sent with ProtonMail <https://protonmail.com> Secure Email.
>
> -------- Original Message --------
> Subject: [tor-dev] OnionGatherer: evaluating status of hidden services
> Local Time: 10 March 2017 7:58 AM
> UTC Time: 10 March 2017 11:58
> From: lamorgia at di.uniroma1.it
> To: tor-dev at lists.torproject.org
> Julinda Stefa <stefa at di.uniroma1.it>, simone raponi <
> raponi.1539620 at studenti.uniroma1.it>, Alessandro Mei <mei at di.uniroma1.it>
>
> Dear members of the Tor community,
>
> we are a research group at Sapienza University, Rome, Italy. We do
> research on distributed systems, Tor, and the Dark Web. As part of our
> work, we have developed OnionGatherer, a service that gives up-to-date
> information about Dark Web hidden services to Tor users.
>
> OnionGatherer is implemented as a Google Chrome extension coupled with a
> back-end service running on our servers. As the user surfs the Web,
> OnionGatherer collects all the URLs from the page and adds a green bullet
> next to the URL if the hidden service is up and running, an orange one if
> the system is currently evaluating the address' status, or a red one if the
> hidden service is down. The status of the hidden services is pulled from
> our servers, which keep track of all the services found by the users and
> constantly monitor their status. When a new hidden service is found,
> OnionGatherer checks its status in real time, informs the user accordingly,
> and adds it to the database.
>
> We believe that OnionGatherer can be very useful to Tor users that are
> interested in surfing the Dark Web. Indeed, hidden services are born and
> shut down very frequently, and it is often time consuming and frustrating
> to check manually which services are still active.
>
> We kindly ask if you can help disseminate our project --- the larger the
> number of users of OnionGatherer, the larger the database and the better
> the service we can provide. Currently the software is in beta version
> and released on GitHub at the following links:
>
> client: https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension
> server: https://github.com/rfidlabsapienza/onionGatherer-Server
>
> Any feedback or issues are really appreciated.
> Thanks in advance. Best regards,
>
> The research group:
> A. Mei, J. Stefa, M. La Morgia, S. Raponi
>
>
>
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
>
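Added example, not code from the OnionGatherer project or from anyone in this thread: a defensive version of the status lookup reviewed above, showing how an undefined key or a loose `== 0` comparison can produce a misleading bullet, and how to extract the .onion host with the URL API instead of a regex over the page markup. The status codes (1 = up, 0 = down, 2 = being evaluated) and the function names are assumptions for illustration.

```javascript
// Assumed status encoding for illustration only (not the project's real one):
// 1 = up (green), 0 = down (red), 2 = still being evaluated (orange).
const STATUS_COLOUR = Object.freeze({ 1: 'green', 0: 'red', 2: 'orange' });

// Onion hostnames: 16 base32 chars (v2) or 56 base32 chars (v3) + ".onion".
const ONION_HOST = /^([a-z2-7]{16}|[a-z2-7]{56})\.onion$/;

// Return the .onion hostname for a link, or null if the link is not a
// syntactically valid onion URL. Never throws on garbage input, so a
// malformed href on a page cannot break the extension.
function onionHost(link) {
  if (typeof link !== 'string') return null;
  let u;
  try { u = new URL(link); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return ONION_HOST.test(u.hostname) ? u.hostname : null;
}

// Map a server response to a bullet colour for one link. 'grey' means
// "no trustworthy answer" (unknown host, missing entry, wrong type) and is
// kept distinct from 'orange', which means the server is still checking.
function bulletColour(responseData, link) {
  const host = onionHost(link);
  if (host === null) return 'grey';
  const onions = responseData && responseData.onions;
  if (!onions || !Object.prototype.hasOwnProperty.call(onions, host)) return 'grey';
  const status = onions[host];
  // Strict type check: with loose equality, '0' == 0 is true in JavaScript,
  // so a string from a buggy server would silently be treated as a result.
  if (!Number.isInteger(status)) return 'grey';
  return STATUS_COLOUR[status] || 'grey';
}

// Shows the original pitfall on the same input: loose equality accepts '0'.
function looseLookup(responseData, host) {
  return responseData.onions[host] == 0;
}

// Constructed sample response (made-up hostnames, not real services).
const SAMPLE = { onions: {
  'aaaaaaaaaaaaaaaa.onion': 1,
  'bbbbbbbbbbbbbbbb.onion': 0,
  'cccccccccccccccc.onion': 2,
  'dddddddddddddddd.onion': '0',   // wrong type, should not render as a result
} };
```
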