s-rah / onionscan

OnionScan is a free and open source tool for investigating the Dark Web.
https://twitter.com/OnionScan

Provide a way to delist onion by owner's request. #142

Open ghost opened 6 years ago

ghost commented 6 years ago

I don't know how you got my onion FQDN, but you have no right to scan my onion. I'm using my onion for private use.

I want you to delist (delete it and return 404 to Googlebot) my onion from onionscan.io and your bot. Besides, you didn't honor "robots.txt". I already stated "robots all denied" in that text.

ghost commented 6 years ago

ping @s-rah

ghost commented 6 years ago

AFAIK scanning other users' networks without permission is unlawful activity. You shouldn't crawl other users' Tor services without permission.

Looking forward to how you react to this argument.

s-rah commented 6 years ago

Hi @githubisstalkingme

I do not run onionscan.io; onionscan.io is not part of the OnionScan project, and it is not affiliated with onionscan.org or mascherari.press.

I have already tried to reach out to the owners of onionscan.io to have them remove OnionScan branding. I do not agree with the ethics of their project or with publishing the results of scans.

OnionScan is a tool for both site owners and researchers. There is precedent in academic research for the scanning and reporting of networks, including the Tor network, to understand the structure and properties of these systems - sites like shodan.io have long published results of scanned networks.

The OnionScan project itself does not publish reports on individual sites, and we aim to carry out the research ethically with an emphasis on protecting the privacy of everyone.

One final point: Tor onion addresses, like all domain names, should not be considered private information. At least for the time being, they can be revealed in a number of ways. To properly secure your hidden service against this kind of scanning I would recommend setting up an authenticated onion service (https://tor.stackexchange.com/questions/219/how-to-use-hidden-service-authentication).
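For reference, here is what the authenticated onion service recommended above looks like in torrc. This is an added example, not configuration from OnionScan or from s-rah; the directory paths and the client name "alice" are placeholders, and the key material has to be generated separately (the x25519 keys for v3, or the cookie Tor writes into the service's hostname file for v2).

```conf
## --- v3 onion service with client authorization (service side) ---
## Only clients whose x25519 public key is listed under authorized_clients/
## can decrypt the descriptor, so a crawler that somehow learns the address
## still cannot connect to the service or fingerprint what it runs.
HiddenServiceDir /var/lib/tor/private_service/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080
## One file per authorized client, e.g.
##   /var/lib/tor/private_service/authorized_clients/alice.auth
## containing a single line:
##   descriptor:x25519:<base32-encoded x25519 public key>

## --- v3 client side ---
ClientOnionAuthDir /var/lib/tor/onion_auth
## with /var/lib/tor/onion_auth/alice.auth_private containing:
##   <56-char onion address without .onion>:descriptor:x25519:<base32 private key>

## --- legacy v2 service (the older HidServAuth scheme) ---
## Service side; "stealth" also hides the descriptor, not just the connection:
## HiddenServiceAuthorizeClient stealth alice
## Client side, using the cookie Tor generates for that client:
## HidServAuth <16-char address>.onion <auth cookie>
```

Note that with v2 the service's hostname file lists the cookie next to each client name after Tor restarts; with v3 the service never needs the client's private key, which is the main operational improvement.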

Bedrovelsen commented 6 years ago

Projects like OnionScan are tools that make Tor hidden service operators more aware and more likely to make their hidden service setup more hardened against these issues, but there is a solution to your private hidden service wants from Tor in the new Tor onion services: “Developers involved with Tor have said "The only people who should know about your hidden service are the people you tell about it. While that’s a pretty simple concept, it’s currently not true."

The next generation of hidden services will use a new method to protect the secrecy of those addresses. Instead of declaring their onion address to hidden service directories, these hidden services will, instead, derive a cryptographic key from the onion address, and THAT derived key will be placed into Tor’s hidden service directories. Then, any Tor user who KNOWS the name of the hidden service they want can perform that same derivation to check the key and route themselves to the correct hidden service.

Since the hidden service directory cannot derive the onion address from the key, only those who know the hidden service's key can discover the hidden service's address.“ (https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions#Howtoconnecttothetesthubfornextgenonionservices)
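The quoted description above can be made concrete in code. The following is an added example and is not code from OnionScan, Tor, or anyone in this thread. The address encoding and checksum follow Tor's rend-spec-v3 (base32 of PUBKEY || CHECKSUM || VERSION, with a SHA3-256 checksum); the time-period computation follows the spec's default 1440-minute period with a 12-hour rotation offset. The blinded lookup ID, however, is a deliberate simplification: real Tor multiplies the ed25519 public key by a hash-derived scalar, while this example uses a one-way hash over the same inputs so it runs on the standard library alone. The sample key is constructed and belongs to no real service.

```python
"""v3 onion address handling plus a simplified model of blinded descriptor lookup.
Added example; address/checksum format per rend-spec-v3, lookup ID is a
hash-based stand-in for Tor's ed25519 key blinding (assumption, see lead-in)."""
import base64
import hashlib
import hmac

V3_VERSION = 3
PERIOD_LENGTH_MIN = 1440        # Tor's default time period length, in minutes
ROTATION_OFFSET_MIN = 12 * 60   # periods start 12 hours after UTC midnight


def _checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([V3_VERSION])).digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Build a '<56 chars>.onion' name from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + bytes([V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_v3_onion(address: str) -> bytes:
    """Validate a v3 address (length, version, checksum) and return its public key."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        raise ValueError("v3 onion names are exactly 56 base32 characters")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != V3_VERSION:
        raise ValueError("not a version-3 onion address")
    if not hmac.compare_digest(checksum, _checksum(pubkey)):
        raise ValueError("checksum mismatch: address is corrupt or forged")
    return pubkey


def time_period(unix_time: int) -> int:
    """Period number as in rend-spec-v3: (minutes since epoch - offset) / period length."""
    return (unix_time // 60 - ROTATION_OFFSET_MIN) // PERIOD_LENGTH_MIN


def blinded_lookup_id(pubkey: bytes, period: int) -> bytes:
    """SIMPLIFIED stand-in for Tor's blinded key (assumption, not Tor's math).

    Tor derives a scalar h from the public key and a per-period nonce and
    publishes h*A on the ed25519 curve. A one-way hash over the same inputs
    keeps the property the thread is about: anyone who holds the public key
    (i.e. knows the address) reproduces the ID for a given period, while an
    HSDir that only stores the ID cannot recover the key or the address.
    """
    nonce = (b"key-blind"
             + period.to_bytes(8, "big")
             + PERIOD_LENGTH_MIN.to_bytes(8, "big"))
    return hashlib.sha3_256(b"Derive temporary signing key" + pubkey + nonce).digest()


def client_lookup_id(address: str, unix_time: int) -> bytes:
    """What a client that KNOWS the address computes before querying an HSDir."""
    return blinded_lookup_id(parse_v3_onion(address), time_period(unix_time))


if __name__ == "__main__":
    sample_key = bytes(range(32))          # constructed sample, not a real service
    onion = make_v3_onion(sample_key)
    now = 1_700_000_000
    print(onion)
    print("period", time_period(now), client_lookup_id(onion, now).hex())
    print("period", time_period(now + 86400), client_lookup_id(onion, now + 86400).hex())
```

Running it shows the two properties the quoted text relies on: the same address yields the same lookup ID for everyone in a given period, and the ID changes every period, so a directory that harvests IDs learns nothing stable about the address behind them. The checksum check is the part worth keeping in any real tooling: a single mistyped character in a v3 address is rejected instead of silently resolving to nothing.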

ghost commented 6 years ago

Thanks for clarifying that "onionscan.io" is not under your control, @s-rah. Many people will think that domain is owned by your team because of its design. Did you try to contact their WHOIS contact / domain registrar?

I do not agree with the ethics of their project or publishing the results of scans.

Yes, I really hate that they publish my onion's scan result to the public. Such information should be available only to the domain owner (and valid researchers).

I probably have to try an "authenticated onion service" then. But... does this bot try to brute-force the key? Currently, HidServAuth only has 16 characters. It's possible to crack with GPUs.

@Bedrovelsen Yeah, I have already been testing V3 since last week (as a developer supporter). V3 hostnames are very long, and I hope evil directories don't harvest them.
How about adding some kind of warning message to https://onionscan.org/ ?

e.g. "onionscan.io is not owned by us. Do not try it - they will collect your onion and publish the result publicly."

(BTW I found onionscan.io when I searched for my onion domain.)

ghost commented 6 years ago

FYI, a similar project I hate is this: https://www.reddit.com/r/onions/comments/5qiz8d/fresh_onions_crawls_hidden_services_twice_daily/ They publish the results too, and they don't delete any results. I know many people who have tried to delete theirs (incl. me).

I can say your service/website is ethical, because you don't publish onion scan results individually.

Can I ask one more question? If I add HidServAuth to make my onion stealthy, does your crawler still record it?

ghost commented 6 years ago

onionscan.io's owner(?): https://rehmann.co/blog/

Commented there with this GitHub URL.

Bedrovelsen commented 6 years ago

I really like Fresh Onions as a good, if not the best, starting page to search from: it detects clones, has a filter for non-up sites only, and also has a server-status-enabled onions list to use for parsing in research on the security of onion sites.