A team of researchers from a Brazilian University of Campinas in São Paulo, Brazil, has had its Tor relay node banned because it was spotted collecting the .onion addresses of visitors.
Marcus Rodrigues, a junior researcher with the Brazilian University, explained he and his colleagues were working to develop a tool that could identify malicious hidden services.
Below the description published by the researchers in a Tor mailing list post:
“My relay was harvesting .onion addresses and I apologize if that breaks any rule or ethical guideline.
We were conducting some research on malicious Hidden Services to study their behavior and how we could design a tool that could tell malicious and benign Hidden Services apart.
Because we focus mainly on web pages, we use a crawler to get almost all of the data we need. However, there are some statistics (such as the size of the Tor network, how many HSs run HTTP(s) protocol, how many run other protocols and which protocols do they run, etc) which cannot be obtained through a crawler. That’s why we were harvesting .onion addresses.
We would run a simple portscan and download the index page, in case it was running a web server, on a few random addresses we collected. We would also try and determine the average longevity of those few HSs. However, after collecting the data we needed for statistical purposes, the .onion addresses we collected would be deleted and under no circumstances we would disclose the information we collected on a specific .onion address we harvested. In addition, we would never target specific harvested HS, but only a random sample.”
They decided to collect .onion addresses and fetch their content to classify the hidden service.
“My research in particular is about malicious hidden services. I’m developing a method to automatically categorize a malicious hidden service by its content (eg, drug traffic website, malware propagation),” Rodrigues told The Register.
“We would then publish an academic paper containing up-to-date statistics regarding what kind of malicious websites there are on the dark web. We were also going to develop a platform on which the user could verify if a certain .onion website is trustworthy or malicious before entering it.”
The team set up a Tor relay to collect specific data about the hidden services. Rodrigues clarified that data collected could not be used to unmask TOR users or locate a specific server running the hidden service.
“That would provide information about the Hidden Services running at the time, such as their .onion addresses, their popularity and some technical data – none of which would allow me to deanonymize or harm the hidden service in any way,” he explained.
Rodrigues was unable to restore its Tor relay online, he explained that the research will go on in any case, with different techniques.
“I can use other methods to discover the Hidden Services,” he explains, “but none is as informative or as efficient.”
(Security Affairs – Tor, data harvesting)