2017-03-10 13:28 GMT+01:00 Evan d'Entremont <[email protected]>:
> This is an interesting project, that being said I have a few concerns I'm
> hoping you can address.
>
> From a security standpoint;
>
> - The instructions for the webservice don't seem to indicate that it
>   is being served as a hidden service, or even with ssl. See <Virtualhost
>   *:80>. This would mean that, even if chrome is configured properly, when
>   the request is made over Tor it basically sends every link on every page
>   you're viewing, in the clear, over the public internet; and to your server,
>   if one was to actually use it.

No, the webservice is not served as a hidden service, but it runs with ssl
and requests on port 80 are redirected to port 443 of this URL:
https://lamorgiam.redi.uniroma1.it/onionGatherer. The configuration
reported with <Virtualhost *:80> in the MD file is for a generic setup of
the server.

> - Unless you intend to share your onionGatherer service with someone
>   else (you clearly shouldn't) then 'Require All Granted' is unnecessary and
>   inadvisable.
> - if(responseData['onions'][portion.text] == 0)
>   <https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L52>
>   would return an orange circle if portion.text is undefined or null,
>   perhaps stronger typing would be appropriate.
>
> From a pure code review standpoint;
>
> - You include the images twice, once in the root, and once in figures.
> - You've implemented an XHTML parser in regex
>   <https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension/blob/master/OnionGatherer.js#L6>;
>   generally this is inadvisable.
> - The version of jQuery that was included (2.2.3) is not the most
>   recent (2.2.4)

Thank you for your feedback. Your advice is really appreciated. We will try
to fix it ASAP.

> Evan
>
> Sent with ProtonMail <https://protonmail.com> Secure Email.
>
> -------- Original Message --------
> Subject: [tor-dev] OnionGatherer: evaluating status of hidden services
> Local Time: 10 March 2017 7:58 AM
> UTC Time: 10 March 2017 11:58
> From: [email protected]
> To: [email protected], Julinda Stefa <[email protected]>,
>     simone raponi <[email protected]>, Alessandro Mei <[email protected]>
>
> > Dear members of the Tor community,
> >
> > we are a research group at Sapienza University, Rome, Italy. We do
> > research on distributed systems, Tor, and the Dark Web. As part of our
> > work, we have developed OnionGatherer, a service that gives up-to-date
> > information about Dark Web hidden services to Tor users.
> >
> > OnionGatherer is implemented as a Google Chrome extension coupled with a
> > back-end service running on our servers. As the user surfs the Web,
> > OnionGatherer collects all the URLs from the page and adds a green bullet
> > next to the URL if the hidden service is up and running, an orange one if
> > the system is currently evaluating the address' status, or a red one if the
> > hidden service is down. The status of the hidden services is pulled from
> > our servers, which keep track of all the services found by the users and
> > constantly monitor their status. When a new hidden service is found,
> > OnionGatherer checks its status in real time, informs the user accordingly,
> > and adds it to the database.
> >
> > We believe that OnionGatherer can be very useful to Tor users that are
> > interested in surfing the Dark Web. Indeed, hidden services are born and
> > shut down very frequently, and it is often time consuming and frustrating
> > to check manually which services are still active.
> >
> > We kindly ask if you can help disseminate our project --- the larger the
> > number of users of OnionGatherer, the larger the database and the better
> > the service we can provide. Currently the software is in Beta version
> > and released on GitHub at the following links:
> >
> > client: https://github.com/rfidlabsapienza/onionGatherer-ChromeExtension
> > server: https://github.com/rfidlabsapienza/onionGatherer-Server
> >
> > Any feedback or issues are really appreciated.
> > Thanks in advance. Best regards,
> >
> > The research group:
> > A. Mei, J. Stefa, M. La Morgia, S. Raponi
> >
> > _______________________________________________
> > tor-dev mailing list
> > [email protected]
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
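An added example, not code from the OnionGatherer extension or from either correspondent: it contrasts the loose `== 0` lookup quoted in the review with a status lookup that validates both the key and the server-supplied value before mapping it to a bullet colour. The status codes (0 = down, 1 = up, 2 = pending) and the extra sample keys are assumptions for illustration.

```javascript
// Loose version: mirrors the reviewed expression
// `responseData['onions'][portion.text] == 0` and reports whether it fires.
// A missing portion.text becomes the property key "undefined", and loose
// equality treats '', false, "0" and [] as equal to 0.
function looseIsZero(responseData, key) {
  return responseData['onions'][key] == 0;
}

// Hardened version: only a non-empty string key and an integer status code
// that is actually present in the response map to a known state; anything
// else is reported as 'unknown' instead of being rendered as a colour.
function strictStatus(responseData, key) {
  if (typeof key !== 'string' || key.length === 0) return 'unknown';
  if (!responseData || typeof responseData.onions !== 'object' ||
      responseData.onions === null) return 'unknown';
  if (!Object.prototype.hasOwnProperty.call(responseData.onions, key)) {
    return 'unknown';
  }
  const code = responseData.onions[key];
  if (!Number.isInteger(code)) return 'unknown';
  switch (code) {            // assumed code mapping
    case 0: return 'down';
    case 1: return 'up';
    case 2: return 'pending';
    default: return 'unknown';
  }
}

// Constructed sample response, including values a lax server or a parsing
// slip could produce; the .onion names are placeholders, not real services.
const sampleResponse = {
  onions: {
    'abcdefghijklmnop.onion': 1,
    'qrstuvwxyz234567.onion': 0,
    'pendingservice12.onion': 2,
    'emptystringvalue.onion': '',    // '' == 0 is true
    'booleanfalseval.onion': false,  // false == 0 is true
    'undefined': 0,                  // hit when portion.text is undefined
  },
};
```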
