
A New Tor Search Engine - jamarukato
https://abikogailmonxlzl.onion.casa/
======
ComodoHacker
TOR hidden services are an Internet realm where people go for privacy. A search
engine for it with Google Analytics attached looks like a grim irony to me,
not to say mockery.

~~~
baby
I think most people here fail to realize how correct your comment is. The only
security you get from visiting a TOR hidden service is from knowing exactly
what is its URL.

You can't trust the URL you see from a web engine.

The reason is that the onion address of a TOR hidden service is actually a
hash of its public key. The TLS connection you have with the TOR service is
only verified by you knowing the exact URL you've typed in your TOR browser.

Without this you could be visiting a fake onion address which would be man-in-
the-middling you and the real onion address you're trying to visit.

Probably this is the real purpose of the advertised search engine.

~~~
p4bl0
> I think most people here fail to realize how correct your comment is.

I think you are assuming a lot about what people here think.

The author of the comment you are referring to thought that the GA scripts
were set up by the search engine, which is not the case. The gateway actually
includes GA scripts, and if people want real privacy they don't use a gateway
they can't trust (or they would be accessing it over Tor anyway, thus hiding
who they really are for the gateway and for GA).

> The only security you get from visiting a TOR hidden service is from knowing
> exactly what is its URL.

Well, no, that's not the _only_ security you get. There is also encryption and
hidden IP address for example. Depending on your threat model it could be
totally okay not to know who you are visiting. "Random" example: if you are
using a search engine to discover new hidden services, you can't know their
names in advance anyway…

> The TLS connection you have with the TOR service

It doesn't really work like that (and it's written "Tor" not "TOR" btw).

> Probably this is the real purpose of the advertised search engine.

Now you are accusing this service of trying to MITM its users based on
nothing. Especially since you didn't seem to bother verifying if the GA
scripts were actually set up by the search engine (which they aren't).

~~~
jancsika
> Depending on your threat model it could be totally okay not to know who you
> are visiting. "Random" example: if you are using a search engine to discover
> new hidden services, you can't know their names in advance anyway…

That's all technically true, but I doubt even HN readers really understand
what that means. So let's compare...

If you open up a Google Chromebook and discover new sites by going to the
default page which is a search engine also owned by Google, who a) because of
the sorry state of CAs has implemented its own open source tool to watch the
set of known certificates for any funny business that would signal a break
somewhere in all that overly-complicated brittle technology, and b) is
Google's bread and butter such that if they started mapping site
titles/descriptions (which you've probably heard of out of band) to different
URLs would lose their stranglehold on the industry, not to mention such an
attempt would be reported widely in the news media... you can't know their
names in advance anyway.

vs. an expanded version of the original:

If you are discovering new services via a new search engine released from an
entity you've never heard of that maps page titles/descriptions of hidden
services you've never heard of to human unreadable strings on an anonymity
overlay for which phishing scams, covert site takeovers, and drive-by malware
attacks don't make the front page of most news media... you can't know their
names in advance anyway.

Edit: remove redundant adjective, clean up confusing sentence

~~~
Ajedi32
True, but keep in mind that just because these hidden services' true
identities aren't known, doesn't mean they can't have a reputation.

If this search engine becomes popular among Tor users for example, and you
follow a few news sites which focus on stories related to the dark web, you'll
end up in basically the same situation as you are now with Google. (With the
search engine losing the trust of its users if it starts behaving
maliciously.) Same goes for other hidden services.

------
silur
This one stinks. Top 2 drug markets disappear and a new search engine with
fairy-tale-like timing shows up, with Google Analytics included, SSL by
GlobalSign? Nope nope nope

~~~
p4bl0
The GA scripts are not installed by the search engine but by the onion.casa
gateway. Idem for the SSL certificate.

Also, the "fairy tale timing" may be explained as simply as "Tor stuff was on
the news recently so some people got (re)interested in Tor stuff" :).

~~~
coretx
Yeah. That would be "implied security". The default go-to for intelligence
people. It would be stupidly naive to think we can beat them at the meta game.
Eternal vigilance; disregarding any foreign information influencers safeguards
you better against being subverted.

------
Cakez0r
How does it work? What's advanced about it?

~~~
wybiral
Yeah, it seems like a normal search engine to me. But with more scams and
fringe stuff in the results.

Edit: For context, the title used to say "Advanced Tor Search Engine"

------
ssijak
It appends additional .casa when I click on the links from the search, like
<some_onion_link>.casa.casa so it does not work without removing one manually.

~~~
jamarukato
You can use it directly via Tor Browser -
http://abikogailmonxlzl.onion

~~~
etiam
Good to know.

I notice it isn't supporting https. Isn't that risky when connecting through
Tor?

~~~
heinrich5991
No. Traffic to .onion domains is encrypted end-to-end, with the server's
public key hashing to the domain name.

~~~
Arkanosis
Both of you know it already, but it might be useful to remind the casual
reader that while this is indeed not needed for tor hidden services, you still
need https for regular web services accessed through tor (in some way even
more than when not using tor). This interactive explanation by the EFF is
worth a thousand words:
https://www.eff.org/fr/pages/tor-and-https

------
p4bl0
It wasn't able to find my homepage. I guess it crawls a finite list of hidden
services. There doesn't seem to be a way to submit an url however.

~~~
jstanley
It didn't find mine either

~~~
INTPenis
Read more links are 404 on your dark blog. Same if you click the header. Seems
they forget the /blog/ part of the path.

~~~
jstanley
Uh oh, thanks for letting me know. I will try and rectify this.

------
amrrs
How did it just directly top the HN Frontpage? - with no comments and just
8 points, submitted 12 minutes ago?

I'm scared in the age of ransomware!

~~~
Tenoke
By getting 8 points in 12 minutes during a quiet time..

~~~
amrrs
I think the definition of quiet time might be something to do with Timezone bias
and I don't know if HN has peak times and Quiet times - writing this from IST
4:29PM.

My concern was more of 'Tricking the system?'

~~~
corobo
If it helps any it was posted just before lunch UK time (which is why I'm
here, hello!)

~~~
column
bon appétit

------
jamarukato
https://abikogailmonxlzl.onion.link
seems to work better...

