Detect Tor2Web client side



Published: 2021-12-28 12:04:47 +0000
Categories: Javascript

Language

Javascript

Description

Tor2Web (and Web2Tor) are reverse proxies giving access to Tor Onion Services (previously known as Hidden Services) via the public internet. The problem with this is that they act as a trusted middleman, often putting unwitting users' privacy and security at risk.

Some Tor2Web operators do the right thing and include a request header to tell the Onion service that the request is from a Tor2web node. Those that do can be detected and blocked in Nginx.

However, many don't.

This snippet provides some Javascript to check whether the page currently being viewed appears to have been loaded via a Tor2Web domain. If it seems that it has, it injects a warning banner at the top of the page. The basic idea is that the function should be called on every page load.

Unlike the JS example provided on the Nginx snippet, this snippet is genericised - there's no need to update it with a list of authorised domains.

Snippet

// Inject a warning banner as the first element of the page body
function doFakeOnionThing(){
    // Declare locally so the snippet does not leak globals into the page
    const d = document.createElement('div');
    d.innerHTML = "Warning: you appear to be browsing a <code>.onion</code> via Tor2Web. This is potentially dangerous.<p>See <a href='https://www.bentasker.co.uk/posts/blog/security/346-don-t-use-web2tor.html'>Don't use Web2Tor</a> for more information.</p>";
    d.setAttribute('style','padding: 10px;font-weight: bold;margin-bottom: 50px;margin-top: 50px;border: 1.5px solid;');
    document.body.insertBefore(d, document.body.childNodes[0]);
}

// Check whether the current hostname looks like <name>.onion.<gateway domain>
function detecttor2w() {
    const hn = document.location.hostname.toLowerCase();
    if (hn.includes(".onion")){
        const s = hn.split(".");
        // Not a direct .onion, but "onion" is the second or third label from the end
        if (!hn.endsWith(".onion") && (s.at(-2) == "onion" || s.at(-3) == "onion")){
            doFakeOnionThing();
        }
    }
}

Usage Example

detecttor2w();
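
The same hostname rule written as a pure function, so it can be checked against sample hostnames outside a browser. This is an added example, not part of the original snippet: tor2webInfo and classifySamples are hypothetical names, the hostnames are constructed, and treating a trailing root dot ("x.onion.") as direct access is an assumption that goes beyond the original check.

```javascript
// Added example: returns { onion, gateway } when the hostname looks like
// <name>.onion.<gateway domain>, otherwise null.
function tor2webInfo(hostname) {
    // Lower-case and drop a trailing root dot, so "x.onion." counts as direct access
    const hn = String(hostname).toLowerCase().replace(/\.$/, "");
    const labels = hn.split(".");
    const idx = labels.lastIndexOf("onion");
    if (idx < 1) return null;                      // no "onion" label, or no service name before it
    const trailing = labels.length - 1 - idx;      // number of labels after "onion"
    if (trailing < 1 || trailing > 2) return null; // direct .onion, or outside the snippet's rule
    return {
        onion: labels.slice(0, idx + 1).join("."),
        gateway: labels.slice(idx + 1).join(".")
    };
}

// Constructed sample hostnames (not real services)
const SAMPLES = [
    "exampleservice.onion",
    "exampleservice.onion.",
    "exampleservice.onion.gateway.example",
    "www.exampleservice.onion.example",
    "onions.example.com"
];

// Pair each sample with its classification
function classifySamples() {
    return SAMPLES.map((h) => [h, tor2webInfo(h)]);
}

// In a browser: build the banner with textContent so the hostname is never parsed as HTML
if (typeof document !== "undefined") {
    const info = tor2webInfo(document.location.hostname);
    if (info) {
        const banner = document.createElement("div");
        banner.textContent = "Warning: this page is being served via " + info.gateway +
            ", not directly from " + info.onion + ".";
        document.body.insertBefore(banner, document.body.firstChild);
    }
}
```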

License

BSD-3-Clause

Keywords

Tor2Web, Web2Tor, Blocking, detection, Onions, howto, client side, javascript

Copyright © 2022 Ben Tasker
Available at snippets.bentasker.co.uk, http://phecoopwm6x7azx26ctuqcp6673bbqkrqfeoiz2wwk36sady5tqbdpqd.onion and http://snippets.bentasker.i2p