Hacker News new | comments | show | ask | jobs | submit login
A New Tor Search Engine (onion.casa)
159 points by jamarukato 111 days ago | hide | past | web | 49 comments | favorite



TOR hidden services is an Internet realm where people go for privacy. A search engine for it with Google Analytics attached looks like a grim irony to me, not to say mockery.


I think most people here fail to realize how correct your comment is. The only security you get from visiting a TOR hidden service is from knowing exactly what is its URL.

You can't trust the URL you see from a web engine.

The reason is that the onion address of a TOR hidden service is actually a hash of its public key. The TLS connection you have with the TOR service is only verified by you knowing the exact URL you've typed in your TOR browser.

Without this you could be visiting a fake onion address which would be man-in-the-middling you and the real onion address you're trying to visit.

Probably this is the real purpose of the advertised search engine.


> I think most people here fail to realize how correct your comment is.

I think you are assuming a lot about what people here thinks.

The author of the comment you are referring to thought that the GA scripts were set up by the search engine, which is not the case. The gateway actually includes GA scripts, and if people want real privacy they don't use a gateway they can't trust (or they would be accessing it over Tor anyway, thus hiding who they really are for the gateway and for GA).

> The only security you get from visiting a TOR hidden service is from knowing exactly what is its URL.

Well, no, that's not the only security you get. There is also encryption and hidden IP address for example. Depending on your threat model it could be totally okay not to know who you are visiting. "Random" example: if you are using a search engine to discover new hidden services, you can't know their names in advance anyway…

> The TLS connection you have with the TOR service

It doesn't really work like that (and it's written "Tor" not "TOR" btw).

> Probably this is the real purpose of the advertised search engine.

Now you are accusing this service of trying to MITM its users based on nothing. Especially since you didn't seem to bother verifying if the GA scripts were actually set up by the search engine (which they aren't).


> Depending on your threat model it could be totally okay not to know who you are visiting. "Random" example: if you are using a search engine to discover new hidden services, you can't know their names in advance anyway…

That's all technically true, but I doubt even HN readers really understand what that means. So let's compare...

If you open up a Google Chromebook and discover new sites by going to the default page which is a search engine also owned by Google, who a) because of the sorry state of CAs has implemented its own open source tool to watch the set of known certificates for any funny business that would signal a break somewhere in all that overly-complicated brittle technology, and b) is Google's bread and butter such that if they started mapping site titles/descriptions (which you've probably heard of out of band) to different URLs would lose their stranglehold on the industry, not to mention such an attempt would be reported widely in the news media... you can't know their names in advance anyway.

vs. an expanded version of the original:

If you are discovering new services via a new search engine released from an entity you've never heard of that maps page titles/descriptions of hidden services you've never heard of to human unreadable strings on an anonymity overlay for which phishing scams, covert site takeovers, and drive-by malware attacks don't make the front page of most news media... you can't know their names in advance anyway.

Edit: remove redundant adjective, clean up confusing sentence


True, but keep in mind that just because these hidden services' true identities aren't known, doesn't mean they can't have a reputation.

If this search engine becomes popular among Tor users for example, and you follow a few news sites which focus on stories related to the dark web, you'll end up in basically the same situation as you are now with Google. (With the search engine losing the trust of its users if it starts behaving maliciously.) Same goes for other hidden services.


> I think you are assuming a lot about what people here thinks.

Or you are

> Well, no > It doesn't really work like that

Don't be pedantic. You got my point.

> Now you are accusing this service of trying to MITM its users based on nothing

I said probably.


It's not about being pedantic, it's about not being plainly incorrect.


Everybody knows the security of TOR doesn't only come from the URL you type on your keyboard. This is called exaggeration not being incorrect.


The claim that Tor hidden services use TLS in order to encrypt their communication seems incorrect to me.


I actually imagined they always would since you would use the url to verify the pubkey. Why would they build hidden services without it?


Public-key cryptography is used by Tor hidden services but it's not based on TLS/SSL certificates. There are a lot of detailed explanations of how this works on the web, but if you just want a quick overview I recently wrote about in the introduction of an article for 2600 (summer 2017 issue https://store.2600.com/collections/2010-2015/products/summer...). You can find a copy of my article here: https://pablo.rauzy.name/outreach/2600/how-to-run-a-tor-hidd...


How are you expected to look for stuff on Tor? How do you get the exact URL if not from a search engine?

Edit: I see I have been down voted. It was a genuine question.


In normal Tor usage, you just visit ordinary web pages. The Tor network hides the user from the server, but it still requires the server to have a known DNS name and IP address to be reachable. Hidden services (which are not a built-in idea, they are an ugly hack and not super secure) let both sides act like a user and connect through a publicly-known intermediary. https://www.torproject.org/docs/hidden-services.html.en

I think the only problem called out here is having Google Analytics scripts running on the page, which try to fingerprint the user's browser even when you're trying to search anonymously.


OK so if I want to search for a newer equivalent of Silk Road, how do I go about it?

Thats stuff isn't going to show up in Google searches is it?


It does, you will find a few websites talking about it and you will have to choose to trust the URL they give you.

It's kind of like real life though, how did you get the URL of your bank? You either trust Google.com to give you the right one because you trust them as a search engine, or you pay a visit to your bank and ask them.


You are ranting about a clear-web gateway, not the search engine in question.

Edit: Downvote me as far as you want, what I said is true.


You're right, the title is misleading. This is a gateway, not a search engine.


Oops, I was wrong. You type in a word and you get search results.

Seems pretty dangerous, though. I mean, people use tor so that their ISP and others can't find out what websites they are visiting, so what is the point of using a proxy to visit a tor search engine, and then have your ISP see which links you click on. In fact, it wouldn't suprise me if the whole thing is a blackmail scheme.


I guess the GA script is attached by onion.casa, not by the search engine itself.


I can confirm that. The GA scripts are installed by the gateway, I don't have them when directly connecting to the .onion.


Even so, this may get people in trouble. I've just tattooed some nonsense over keyboard and got search results related to CP. Thanks God it haven't shown me image previews!

They better show a warning about gateways.


Hopefully, users who care about Tor's privacy benefits will have ensured that their client environment lacks connectivity to anything but the Tor network.


if you expect flawless anonymity from Tor then js should be deactivated in the first place.


This one stinks. Top 2 drug market disappear and a new search engine with fairy tale like timing shows up, with google analytics included, SSL by GlobalSign? Nope nope nope


The GA scripts are not installed by the search engine but by the onion.casa gateway. Idem for the ssl certificate.

Also, the "fairy tale timing" may be explained as simply as "Tor stuff were on the news recently so some people got (re)interested in Tor stuff" :).


Yeah. That would be "implied security". The default go-to for intelligence people. It would be stupidly naive to think we can beat them at the meta game. Eternal vigilance; disregarding any foreign information influencers safeguards you better against being subverted.


How does it work? What's advanced about it?


Yeah, it seems like a normal search engine to me. But with more scams and fringe stuff in the results.

Edit: For context, the title used to say "Advanced Tor Search Engine"


It appends additional .casa when I click on the links from the search, like <some_onion_link>.casa.casa so it does not work without removing one manually.


You can use it directly via Tor Browser - http://abikogailmonxlzl.onion


Good to know.

I notice it isn't supporting https. Isn't that risky when connecting through Tor?


No. Traffic to .onion domains is encrypted end-to-end, with the server's public key hashing to the domain name.


Both of you know it already, but it might be useful to remind the casual reader that while this is indeed not needed for tor hidden services, you still need https for regular web services accessed through tor (in some way even more than when not using tor). This interactive explanation by the EFF is worth a thousand words: https://www.eff.org/fr/pages/tor-and-https


It wasn't able to find my homepage. I guess it crawls a finite list of hidden services. There doesn't seem to be a way to submit an url however.


It didn't find mine either


Read more links are 404 on your dark blog. Same if you click the header. Seem they forget the /blog/ part of the path.


Uh oh, thanks for letting me know. I will try and rectify this.


It adds '.casa' to each link, maybe that's the problem?


Hahaha, the dark background and the picture with your eyes hidden just next to your name written in big is awesome :D.


I've installed Tor just to check it... was not disappointed :)


Glad you enjoyed it :)


How did it just directly topped the HN Frontpage? - with no comments and just 8 points, submitted 12 minutes ago?

I'm scared in the age of ransomware!


By getting 8 points in 12 minutes during a quiet time..


I think the definition of quiet time might be something do with Timezone bias and I don't know if HN has peak times and Quiet times - writing this from IST 4:29PM.

My concern was more of 'Tricking the system?'


Night time in the US (especially California) has always been a quieter time. I live in Europe and when I am regularly checking HN I can often tell when it's start of working time in the Bay based on the front page.

You can do a quick analysis but my observation is that stories on the front page during west coast night time are significantly more stale (submitted more hours ago) and/or with less points. Something getting near the top during that time with ~10 points is nothing unusual (especially if the upvotes happen this fast).

Edit: Also moderator intervention is a much more likely hypothesis than 'tricking the system' on average on HN, but this case is well within the norm so I wouldnt suspect that.


If it helps any it was posted just before lunch UK time (which is why I'm here, hello!)


bon appétit


The major quiet time is about 8am - 14am UTC. The difference is very pronounced


https://abikogailmonxlzl.onion.link seems to work better...




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: