[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Large spike in .onion addresses - port scan?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Large spike in .onion addresses - port scan?
From: Roger Dingledine <arma@xxxxxxx>
Date: Sat, 20 Feb 2016 19:38:40 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 20 Feb 2016 19:38:54 -0500
In-reply-to: <0968d98d629bf8ad78497f5719e51c3b@xxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <mailman.239.1455936375.3047.tor-talk@xxxxxxxxxxxxxxxxxxxx> <20160219214406.0000130f@xxxxxxxxxxx> <56C800F2.9020108@xxxxxxxxx> <0968d98d629bf8ad78497f5719e51c3b@xxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.20 (2009-12-10)

On Sat, Feb 20, 2016 at 02:28:37AM -0600, CANNON NATHANIEL CIOTA wrote:
> With the large sudden spike in hidden services addresses, any way to
> view what the newly registered .onion addresses are or at least a
> list of hidden services during the suspected time frame?

No, there is no easy way to do this. That's because there is no central
repository of onion addresses. There are services like Ahmia that try to
enumerate what they can, by looking at various sources like the content
on a set of known onion sites. But that only lets you learn about sites
that wanted to let you find out about them.

This is actually a really complicated topic, because there are a wide
variety of ways of learning about onion addresses, each of which has
its own ethical questions around how invasive you have to be. For
example, you can get them by Googling for .onion addresses (probably
fine), or by being Verizon or Comcast and spying on the people who
use your DNS servers (not so fine), or by running Tor relays and spying
on the hidden service descriptors that people upload (not fine).

This complexity is why I picked this topic to illustrate the "guidelines
for doing your Tor research safely" part of our 32c3 talk: see the part
a bit after the 29 minute mark of
https://media.ccc.de/v/32c3-7322-tor_onion_services_more_useful_than_you_think

> If so I would love a copy of the list so I can do a fingerprinting
> and port scan on the .onion addresses to try to determine purpose.

In fact, there appear to be some for-profit startups who are trying
to make money from doing exactly this (and then scaring companies with
"dark web" fud and selling the onion lists to the scared companies).

The long-term answer is some architecture improvements so there are
fewer points in the protocol where attackers can collect things that
users meant to keep private:
https://blog.torproject.org/blog/hidden-services-need-some-love
(see the "Attacks by Hidden Service Directory Servers" section)
https://trac.torproject.org/projects/tor/ticket/8106

--Roger

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Large spike in .onion addresses - port scan?
  - From: RenÃ Ladan

References:
- [tor-talk] Tracking blocker
  - From: Paul A. Crable
- Re: [tor-talk] Tracking blocker
  - From: Jeremy Rand
- [tor-talk] Large spike in .onion addresses - port scan?
  - From: CANNON NATHANIEL CIOTA

Prev by Author: Re: [tor-talk] large increase in .onion domains
Next by Author: Re: [tor-talk] Thoughts on Tor router hardware
Previous by thread: Re: [tor-talk] Large spike in .onion addresses - port scan?
Next by thread: Re: [tor-talk] Large spike in .onion addresses - port scan?
Index(es):
- Author
- Thread