New research traces the relationships between a load of Tor hidden services, and shows that many dark web sites are more intimately intertwined than commonly thought.
This graph contains ~50 percent of all scanned sites. Green is hyperlinks between sites; blue is relationships with SSH keys; FTP banners are pink, and server status leaks are red. Image: Sarah Jamie Lewis
What does the dark web actually look like? Well, new research maps out the relationships between a load of Tor hidden services, and shows that many dark web sites, rather than being isolated entities, are perhaps more intimately intertwined than commonly thought.
"The dark web is highly connected," reads the latest OnionScan report published on Sunday. Made by security researcher Sarah Jamie Lewis, OnionScan is a tool for probing Tor hidden services for vulnerabilities and issues that might reveal identifying information about the site.
This latest scan focuses especially on shared SSH keys—encryption keys used for remotely logging into a web server—hyperlinks between sites, exposed server status pages, and FTP banners, or the messages someone connecting to the site may see.
By scanning around 5,600 Tor hidden services throughout June, OnionScan found that 23 percent shared a single, unique SSH key, linking them all to the same hosting service: Freedom Hosting II. Another 9 clusters (or 2.5 percent) of sites were pooled together through their SSH keys, the report continues.
Sixty sites shared an identical FTP banner, which linked them to another hosting provider. Then through exposed server status pages, which may display what other sites are being run by the same person, OnionScan found 10 clusters of sites sharing infrastructure.
Pooling all of this data together, the report claims that 21 infrastructure setups account for over a quarter, or around 1,500, of all the Tor hidden services surveyed. (It's worth caveating that there is a chance that not all onion sites up and running in June were discovered and scanned as part of this test.)
Regardless, "this lack of diversity in hosting infrastructure is concerning—it places the future of a large proportion of Onion Services in the hands of a limited number of groups," the report notes.
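The pooling step described above can be sketched as a small clustering routine that an operator could run over their own scan results to see which exposed identifiers tie services together. This is an added example, not OnionScan's code: the record layout, hostnames, fingerprints, banners and the generic-banner list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; hostnames, fingerprints and banners are made up.
SCANS = [
    {"onion": "alpha.onion",   "ssh_fp": "SHA256:host-key-1", "ftp_banner": None, "status_vhosts": []},
    {"onion": "bravo.onion",   "ssh_fp": "SHA256:host-key-1", "ftp_banner": None, "status_vhosts": []},
    {"onion": "charlie.onion", "ssh_fp": "SHA256:host-key-2", "ftp_banner": "220 ExampleHost FTP", "status_vhosts": []},
    {"onion": "delta.onion",   "ssh_fp": None, "ftp_banner": "220 ExampleHost FTP", "status_vhosts": ["echo.onion"]},
    {"onion": "echo.onion",    "ssh_fp": None, "ftp_banner": "220 FTP server ready", "status_vhosts": []},
    {"onion": "foxtrot.onion", "ssh_fp": "SHA256:host-key-3", "ftp_banner": "220 FTP server ready", "status_vhosts": []},
]
# Banners too common to indicate shared hosting (assumed list).
GENERIC_BANNERS = {"220 FTP server ready"}

def cluster_by_shared_identifiers(scans):
    """Return [(sorted hosts, sorted evidence kinds)] for groups of 2+ services."""
    parent = {rec["onion"]: rec["onion"] for rec in scans}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}   # (kind, value) -> first host exposing it
    links = []        # (host_a, host_b, kind)
    for rec in scans:
        host = rec["onion"]
        for kind, value in (("ssh", rec["ssh_fp"]), ("ftp", rec["ftp_banner"])):
            if not value or value in GENERIC_BANNERS:
                continue
            other = first_seen.setdefault((kind, value), host)
            if other != host:
                links.append((host, other, kind))
        # A leaked status page names co-hosted sites directly.
        links += [(host, v, "status") for v in rec["status_vhosts"] if v in parent]
    for a, b, _ in links:
        parent[find(a)] = find(b)

    members, evidence = defaultdict(set), defaultdict(set)
    for host in parent:
        members[find(host)].add(host)
    for a, _, kind in links:
        evidence[find(a)].add(kind)
    return sorted((sorted(m), sorted(evidence[r])) for r, m in members.items() if len(m) > 1)

def clustered_share(scans):
    """Fraction of scanned services that fall into some shared-infrastructure cluster."""
    clustered = sum(len(hosts) for hosts, _ in cluster_by_shared_identifiers(scans))
    return clustered / len(scans)
```

The evidence kinds returned with each cluster show which exposure (SSH host key, FTP banner or status page) would need to change for a service to stop being grouped with its neighbours.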
OnionScan also searched for hyperlinks on dark web sites leading to other Tor hidden services, but excluded large repositories of links such as Hidden Wikis or hidden service lists, which would skew any results.
One group of 19 nodes only linked to each other, according to the report. "When the links to and from an onion service [are] closed off to the larger web, the sites, ironically, stand out," it continues.
"When we examine the connections between Onion Services we find that most of the services we scan are actually connected to a large proportion of the rest of the service we scan."