CrySP Speaker Series on Privacy

This speaker series is made possible by an anonymous charitable donation in memory of cypherpunks and privacy advocates Len Sassaman, Hugh Daniel, Hal Finney, and Caspar Bowden.


OnionScan: Practical Deanonymization of Hidden Services

Sarah Jamie Lewis, OnionScan


February 2, 2017 3:00pm, in DC 1304


Hidden Services have a reputation for being anonymous & difficult to penetrate due to the cryptography underlying anonymity networks like Tor. However, many web applications are not designed with the anonymity threat model in mind. If these applications are not configured properly, they leak information, which can lead to the discovery of connections between hidden services, or deanonymization of the operators or users. This talk presents OnionScan, a project which scans over 10,000 onion domains, reports on the prevalence of vulnerabilities & discovers new methods of extracting information from hidden services. Results from OnionScan demonstrate that nearly a third of all hidden services are trivially vulnerable and at risk of deanonymization.


Sarah Jamie Lewis is an independent security researcher currently living in Vancouver, Canada. She has a passion for privacy & anonymity and runs Mascherari Press, an organization dedicated to conducting & promoting privacy research that helps marginalized & at-risk communities empower themselves. She also maintains OnionScan, a large-scale dark web scanning project, which currently analyzes over 10,000 dark web sites for deanonymization vulnerabilities.

In the past, Sarah worked as a Computer Scientist for the British Government and a Security Engineer at Amazon, analyzing threat models and designing defenses to protect against fraud and security risks.