Pages Navigation Menu

SHOWFUN - Show & Fun & More!

OnionScan tests ‘dark web’ sites to see if they really are anonymous

The go-to solution for keeping something secret online is to set up a Tor hidden service, often called the dark web. It’s likely most of what’s going on in the dark web is illegal, horrifying, or both, but not all the time. If you’re wondering about the security of a hidden service, security researcher Sarah Jamie Lewis is about to release a tool called OnionScan that lets you scan it automatically for common vulnerabilities and errors that can de-anonymize the owner or users.

When Lewis was first toying with the idea of creating a tool to check hidden services for anonymity, she started by looking at dark web markets where people buy and sell drugs, fake IDs, and other illegal content. The thinking was that these sites have a strong interest in maintaining top-notch security. However, she found many of the same issues on these sites that were prevalent throughout the dark web. To understand the problems, you have to first know a little about how the dark web works.

The dark web is accessible only from within the encrypted Tor network. Tor was originally just an anonymization tool that routed you to different parts of the open internet. When you connect to Tor, your packets are bounced to multiple encrypted relays (also called nodes). Since each relay only knows the IP address of the last hop and the next one, after a few layers your real IP address and location are obscured.

Tor-Encryption

While a hidden service within Tor is not vulnerable in the way a regular website is, the operators often make mistakes. Lewis cites frequent misconfigurations in the servers that leave important administrator pages accessible. This can reveal the tools used to build a site, as well as other services run by the same party. It’s also common to see images that have not been stripped of EXIF data, which can include the device they were taken with and even the location they were taken. That would make it quite easy for someone to identify the owner of such a hidden service, and that could lead to problems for the users.

OnionScan, which Lewis will release this weekend, checks a hidden service for all these potential issues so they can be solved. Lewis does note it’s not exactly a subtle tool — OnionScan will ping a service repeatedly to download various images and files to test.

This isn’t about protecting shady dark web markets, according to Lewis. Privacy is important even if some people use it to do illegal things. There are plenty of private sites and political blogs hosted on the dark web because the owners need that privacy and security.

Leave a Comment

Captcha image