You can't trust the URL you see from a web engine.
The reason is that the onion address of a TOR hidden service is actually a hash of its public key. The TLS connection you have with the TOR service is only verified by you knowing the exact URL you've typed in your TOR browser.
Without this you could be visiting a fake onion address which would be man-in-the-middling you and the real onion address you're trying to visit.
Probably this is the real purpose of the advertised search engine.
I think you are assuming a lot about what people here thinks.
The author of the comment you are referring to thought that the GA scripts were set up by the search engine, which is not the case. The gateway actually includes GA scripts, and if people want real privacy they don't use a gateway they can't trust (or they would be accessing it over Tor anyway, thus hiding who they really are for the gateway and for GA).
> The only security you get from visiting a TOR hidden service is from knowing exactly what is its URL.
Well, no, that's not the only security you get. There is also encryption and hidden IP address for example. Depending on your threat model it could be totally okay not to know who you are visiting. "Random" example: if you are using a search engine to discover new hidden services, you can't know their names in advance anyway…
> The TLS connection you have with the TOR service
It doesn't really work like that (and it's written "Tor" not "TOR" btw).
> Probably this is the real purpose of the advertised search engine.
Now you are accusing this service of trying to MITM its users based on nothing. Especially since you didn't seem to bother verifying if the GA scripts were actually set up by the search engine (which they aren't).
That's all technically true, but I doubt even HN readers really understand what that means. So let's compare...
If you open up a Google Chromebook and discover new sites by going to the default page which is a search engine also owned by Google, who a) because of the sorry state of CAs has implemented its own open source tool to watch the set of known certificates for any funny business that would signal a break somewhere in all that overly-complicated brittle technology, and b) is Google's bread and butter such that if they started mapping site titles/descriptions (which you've probably heard of out of band) to different URLs would lose their stranglehold on the industry, not to mention such an attempt would be reported widely in the news media... you can't know their names in advance anyway.
vs. an expanded version of the original:
If you are discovering new services via a new search engine released from an entity you've never heard of that maps page titles/descriptions of hidden services you've never heard of to human unreadable strings on an anonymity overlay for which phishing scams, covert site takeovers, and drive-by malware attacks don't make the front page of most news media... you can't know their names in advance anyway.
Edit: remove redundant adjective, clean up confusing sentence
If this search engine becomes popular among Tor users for example, and you follow a few news sites which focus on stories related to the dark web, you'll end up in basically the same situation as you are now with Google. (With the search engine losing the trust of its users if it starts behaving maliciously.) Same goes for other hidden services.
Or you are
> Well, no
> It doesn't really work like that
Don't be pedantic. You got my point.
> Now you are accusing this service of trying to MITM its users based on nothing
I said probably.
Edit: I see I have been down voted. It was a genuine question.
I think the only problem called out here is having Google Analytics scripts running on the page, which try to fingerprint the user's browser even when you're trying to search anonymously.
Thats stuff isn't going to show up in Google searches is it?
It's kind of like real life though, how did you get the URL of your bank? You either trust Google.com to give you the right one because you trust them as a search engine, or you pay a visit to your bank and ask them.
Edit: Downvote me as far as you want, what I said is true.
Seems pretty dangerous, though. I mean, people use tor so that their ISP and others can't find out what websites they are visiting, so what is the point of using a proxy to visit a tor search engine, and then have your ISP see which links you click on. In fact, it wouldn't suprise me if the whole thing is a blackmail scheme.
They better show a warning about gateways.
Also, the "fairy tale timing" may be explained as simply as "Tor stuff were on the news recently so some people got (re)interested in Tor stuff" :).
Edit: For context, the title used to say "Advanced Tor Search Engine"
I notice it isn't supporting https. Isn't that risky when connecting through Tor?
I'm scared in the age of ransomware!
My concern was more of 'Tricking the system?'
You can do a quick analysis but my observation is that stories on the front page during west coast night time are significantly more stale (submitted more hours ago) and/or with less points. Something getting near the top during that time with ~10 points is nothing unusual (especially if the upvotes happen this fast).
Edit: Also moderator intervention is a much more likely hypothesis than 'tricking the system' on average on HN, but this case is well within the norm so I wouldnt suspect that.