Independent security researcher wants to make creating Tor hidden service versions of websites that much easier.
More mainstream services and websites are moving towards the dark web. In 2014, Facebook launched its own Tor hidden service so people could connect to the social network more securely, and last year independent journalistic outfit ProPublica booted up its dark web site too.
Now, a security researcher is trying to attract even more organizations to Tor hidden services, with a relatively easy-to-use tool that streamlines the site creation process. And as an aside, technically anyone can make a dark web version of whatever site they fancy.
“The goal is to do the heavy lifting of ‘onionification’ of websites, so that if an organization wants to run its own onion site, 90 plus percent of the work is done for them,” Alec Muffett, an independent security researcher who designed the tool, told Motherboard in a Twitter message. Usually, setting up a dark web site requires some technical knowledge of hidden services, including how to create one properly and largely from scratch, and a fair bit of configuration.
“I’m looking for organizations where audiences want/need to reach content but are at risk for doing so—I am thinking maybe BBC World Service, less technical activists and charities, that sort of thing,” he added.
Muffett has designed what he calls The Enterprise Onion Toolkit (EOTK), a selection of scripts that will quickly generate a Tor hidden service address and get your dark web site up and running.
Essentially, the hidden service runs as a middle-point between the visitor and the real site. Ideally, organizations would make their own dark web version of sites they actually control, so they can also use their own valid cryptographic certificate. Without that, users may have to accept a lot of browser errors to get through to the actual site content.
“Cleartext HTTP sites are trivial to onionify, but anything with substantial amounts of SSL will be practically unusable by the average person unless the site owners sanction the onion with an SSL certificate,” Muffett said.
Technically, however, anyone can make one of these dark web mirrors, and for any website: in a demonstration video on YouTube, Muffett quickly made a Tor hidden service for CNN.com. However, if a random person is the administrator of the dark web site rather than the organization itself, remember that they may be able to intercept data sent to the dark web version of the site, such as passwords.
As for why an organization would want a dark web site, there are a few reasons. In his video, Muffett says a malicious Tor exit node may be snooping on people visiting your site, and connecting over a hidden service would stop this. In ProPublica’s case, it wanted to provide visitors a more private way to interact with the publication’s databases, for example. Mike Tigas from ProPublica published a detailed explanation of how they launched the hidden service—he was also a big influence for this EOTK project, Muffett said.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.