Updated exploration of the Tor network: advertising, availability and protocols of onion services

Abstract

AbstractThe Tor network is known for its opaque characteristics and involvement in illicit activities, motivating to shed light on the exposure, lifetime, and functionalities of onion services. This study focuses on the appearance of Tor links in online advertising and monitors the connectivity status and protocols of the collected onion domains through the Tor network over 105 days. Out of 54,602 onion addresses gathered, it was found that 38% of Tor links were advertised only once, 43% between two and five times, and 19% more than five times. Furthermore, 50% of the addresses were exclusively advertised on the surface web, 6% on the dark web, and 44% on both portions. The temporal analysis revealed that 67% of the addresses were predominantly active, 7% were intermittent, and 26% were mostly inactive. The study examined fifteen protocols used by onion services, concluding that 94% employed a single protocol, while 6% utilized between two and eight protocols. Among active sites, HTTP was present in 99.75% of cases, followed by SSH (4.95%) and HTTPS (0.64%). Additionally, onion services without web services often deploy cryptocurrency or instant messaging servers. This study offers a comprehensive and current understanding of the dark web, surpassing previous research in its scope.