OnionScan: Practical Deanonymization of Hidden Services
Sarah Jamie Lewis, OnionScan
February 2, 2017 3:00pm, in DC 1304
Hidden Services have a reputation for being anonymous & difficult to penetrate due to the cryptography underlying anonymity networks like Tor. However, many web applications are not designed with the anonymity threat model in mind. If these applications are not configured properly, they leak information, which can lead to the discovery of connections between hidden services, or deanonymization of the operators or users. This talk presents OnionScan, a project which scans over 10,000 onion domains, reports on the prevalence of vulnerabilities & discovers new methods of extracting information from hidden services. Results from OnionScan demonstrate that nearly a third of all hidden services are trivially vulnerable and at risk of deanonymization.
Sarah Jamie Lewis is an independent security researcher currently living in Vancouver, Canada. She has a passion for privacy & anonymity and runs Mascherari Press, an organization dedicated to conducting & promoting privacy research that helps marginalized & at-risk communities empower themselves. She also maintains OnionScan, a large-scale dark web scanning project, which currently analyzes over 10,000 dark web sites for deanonymization vulnerabilities.
In the past Sarah worked as a Computer Scientist for the British Government and a Security Engineer at Amazon analyzing threat models and designing defenses to protect against fraud and security risks.