IS Shifts Propaganda Archive to the Dark Web
At 2:05 PM on November 15, two days after the Paris attacks, a Telegram channel disseminating Islamic State (IS) propaganda posted a message discussing the “Isdarat [Releases]” website, which archives IS propaganda and releases from other IS-affiliated groups. The message shared links to a Tor hidden service with a “.onion” address, more commonly known as a website on the “dark web,” for the Isdarat outlet.
The message read:
Due to severe constraints imposed on the #Caliphate_Publications [Isdarat Releases] website, any new domain is deleted after being posted.
We announce the launch of the website for “dark web.”
*It will work for the Tor users and the normal users.
Link for the Tor users: http://isdratetp4donyfy.onion
Link for the normal users: http://isdratetp4donyfy.onion.link
And we promise you that we are continuing to try to get a normal and new domain and we will post it Allah willing when it is obtained besides [as well as] the Tor domain.
The announcement was viewed by 7,629 Telegram users following this IS propaganda channel. While the Isdarat website has been intermittently accessible as a regular website for over a year, those with the anonymizing Tor software installed can now also access the dark web version of the Isdarat at its .onion address.
Tor, the “Dark Web,” and the “Clearnet”
Tor is software used to anonymously access the “dark web,” a network of websites with addresses ending in “.onion,” which are not accessible via standard Internet browsers and not indexed by regular search engines such as Google.
This serves as an alternative to the network used by everyone with standard web browsers to access websites, generally known as the “clearnet”—simply referring to the Internet. Users with the Tor software installed can browse any website privately, whether clearnet or dark web, with their IP address and other personal information obfuscated.
Why would IS set up their Isdarat propaganda archive as a hidden service on Tor?
Websites are hosted as Tor hidden services to protect the identity of the website publisher and keep the website safer from being taken down, something that has frequently affected the Isdarat website in the past, whether by legal action and/or cyber-attacks.
Notably, though the main structure of the Isdarat website is hosted as a Tor hidden service, all media on the site, such as IS propaganda videos, are still provided via clearnet hosts, such as Google Video and Archive.org. Any visitor to the dark web version of the site is directed to a URL from a clearnet host upon clicking any given media post. Viewing these does not directly affect the anonymity of either the publisher or the visitor, but it does mean that all media could be subject to removal by the external clearnet hosts.
Disadvantages of hosting a website via Tor
Tor is slow compared to the regular Internet. The system in which users and publishers are kept anonymous and their locations obfuscated involves routing network traffic through several different points all over the world. Because a user must wait for his/her network requests to go through several different points, instead of connecting directly as they would on the clearnet, connecting to dark websites generally takes much longer.
Because of this, according to the Telegram announcement message for the dark web version of the Isdarat outlet above, the publisher in charge of the website will be attempting to get a clearnet version of the site back online as soon as possible.
OnionLink, Tor2web, and user anonymity
In addition to the .onion address, the Telegram channel also provided a link that allows anyone—including those without Tor software—to access the dark web version of the site, using a service called OnionLink. OnionLink works off of a larger project called Tor2web, which, according to its web page, allows “Internet users [to] access Tor Onion Services without using Tor Browser.”
While [OnionLink] does not grant anonymity to users accessing the site, it keeps the website publisher anonymous via Tor and more widely accessible on the clearnet.
Likewise, OnionLink uses a Tor2web proxy to make .onion addresses accessible through standard web browsers. Instead of the link ending in “.onion” like a normal Tor hidden service, the OnionLink address ends in “.onion.link.” While this method does not grant anonymity to users accessing the site, it keeps the website publisher anonymous via Tor and more widely accessible on the clearnet.
On the OnionLink FAQ page, the service describes its role in regards to anonymity of dark websites:
We see it in the more positive light of increasing the audience for onionsites. Publishers remain anonymous, and with OnionLink they now have the ability to reach more people.
To reinforce precautions of using OnionLink to access dark web sites such as the Isdarat, the service also has a page dedicated to security. It explains that, for those using the service to access the dark web, it “[sacrifices] most of Tor's privacy protections” and that it “provides much less security, anonymity, and confidentiality than using [Tor].”