by Ciphas

(Note: Thanks to Ben Tasker’s Security Blog and traudt.xyz for being references.)

Can you access .onion sites without the Tor Browser? Short answer? Yes, you can – but I don’t recommend it…I cannot stress this enough.

I’ve mentioned Tor2web proxies in a few previous posts, but didn’t elaborate on it much.

In their own words, “Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser.” Tor2web and Web2Tor are reverse proxies which allow clearnet users (such as someone using Chrome, Firefox, etc.) to access Tor hidden services.

The proxy listens on port 80 (or sometimes 443) on a clearnet server, and then proxies requests to the Tor hidden service.

If you’re unfamiliar with proxy servers, Indiana University gives a great definition of one: What is a proxy server? (Psst…I talked about this a little in my earlier post ‘Anonymous’ Proxy List?)

The example they use to illustrate on Tor2web.org is that when you see an onion URL, for example, http://pbfcec3cneb4c422.onion/, if you add “.to,” “.link,” “.cab,” etc. to the end of the URL (e.g. http://pbfcec3cneb4c422.onion.to), and that proxy will connect you to the onion service. Great, right?

Well, no – not great. In spite of its convenience, the problem with using these proxies is that whomever is operating the Tor2web proxy can spy on your web traffic. While this may not sound like a bad thing, if said proxy operator has malicious intent, then you (the user) are basically a sitting duck. Plus, if the point of Tor is being anonymous, and someone can detect your web traffic that defeats the whole purpose!

In fact, even onion.cab themselves – the proxy service, that is – warns users when they first try to access a site this way:

If this doesn’t sound bad, then it should be noted that not only can the operator see your web traffic, but they can also modify it and inject code if they so desire.

Ben Tasker Security Blog has an excellent post about this called Don’t Use Web2Tor/Tor2web (especially Onion.cab) – the example he gives is that some Web2Tor services “have some pretty bad habits, including playing fast and loose with your privacy.”

If you visit https://6zdgh5a5e6zpchdz.onion, but do so through onion.cab instead of through Tor, the proxy service injects piwik analytics code into the page, which looks something like this:

So why should you care? Well, the proxy service who injected the code now knows that your IP address accessed said onion service at a specific time. In addition, they’re also executing code on your browser that the operator of the original site is unaware of.

Within the code, some of the information that it can discover about you is:

The title of the page you’re viewing

An ID for the site

The time that you made the request

The exact URL you were looking at

The page that sent you to that URL

Details of which plugins you have installed

Whether cookies are enabled

Your screen resolution

A unique ID for you

Alternately, this third party operator can inject code into the site that may track you across hidden services – that is, if you’re using the onion.cab proxy.

You can even contract malware via some Tor2web proxies – read this article by Virus Bulletin – Vawtrak uses Tor2web to connect to Tor hidden C&C servers. Granted, this article is over two years old, but it can still give you an idea of what might happen if you rely on these proxies.

Thus, if your concern is privacy, it should be obvious why you don’t want to give this information away. The same goes for any proxy, really, but again, if you’re using Tor for anonymity, then accessing so-called “hidden services” via the clearnet is pointless.

I know that a lot of people who explore the “dark web” for fun just say, “Give me links!” But if you want to explore those links, do so in the right way – use the Tor Browser (from https://www.torproject.org/), and don’t try to do so via the clearnet.

There’s a reason it’s called the “dark web,” after all.