Date: Sat, 20 Feb 2016 19:38:40 -0500
From: Roger Dingledine <arma@mit.edu>
To: tor-talk@lists.torproject.org
Message-ID: <20160221003840.GC10235@moria.seul.org>
Subject: Re: [tor-talk] Large spike in .onion addresses - port scan?

On Sat, Feb 20, 2016 at 02:28:37AM -0600, CANNON NATHANIEL CIOTA wrote:
> With the large sudden spike in hidden services addresses, any way to
> view what the newly registered .onion addresses are or at least a
> list of hidden services during the suspected time frame?

No, there is no easy way to do this. That's because there is no central
repository of onion addresses. There are services like Ahmia that try to
enumerate what they can, by looking at various sources like the content
on a set of known onion sites. But that only lets you learn about sites
that wanted to let you find out about them.

This is actually a really complicated topic, because there are a wide
variety of ways of learning about onion addresses, each of which has
its own ethical questions around how invasive you have to be. For
example, you can get them by Googling for .onion addresses (probably
fine), or by being Verizon or Comcast and spying on the people who
use your DNS servers (not so fine), or by running Tor relays and spying
on the hidden service descriptors that people upload (not fine).

This complexity is why I picked this topic to illustrate the "guidelines
for doing your Tor research safely" part of our 32c3 talk: see the part
a bit after the 29 minute mark of
https://media.ccc.de/v/32c3-7322-tor_onion_services_more_useful_than_you_think

> If so I would love a copy of the list so I can do a fingerprinting
> and port scan on the .onion addresses to try to determine purpose.

In fact, there appear to be some for-profit startups who are trying
to make money from doing exactly this (and then scaring companies with
"dark web" fud and selling the onion lists to the scared companies).

The long-term answer is some architecture improvements so there are
fewer points in the protocol where attackers can collect things that
users meant to keep private:
https://blog.torproject.org/blog/hidden-services-need-some-love
(see the "Attacks by Hidden Service Directory Servers" section)
https://trac.torproject.org/projects/tor/ticket/8106

--Roger
