In an effort to cut down on the use of phishing links and to simplify the verification of mirror addresses for darkweb marketplaces, Dark.fail issued new listing guidelines detailing the requirements for a verified status on Dark.fail. The new guidelines give markets one month to comply.
DarkDotFail, the administrator of dark.fail, contacted appropriate parties (and posted publicly on Dread and on dark.fail) with a list of changes required for a “verified” status on dark.fail. Dark.fail, one of the most popular darkweb resources since the seizure of DeepDotWeb, hosts the most popular list of onion service addresses as well as the service’s mirrors when applicable.
A standard such as the one proposed by DarkDotFail will ultimately increase overall security for the end user. Very few market admins will willingly let their market sit in the “unverified” section of the list. And the requirements, known as the Onion Mirror Guidelines, will force the use of a regularly updated and publicly accessible warrant canary alongside the mirror and PGP key verification.
The message posted on Dread is below. A signed and formatted version is available at this link. Another copy is available on dark.fail.
To reduce the impact of phishing and to ease automatic PGP verification of mirrors, dark.fail is now defining the Onion Mirror Guidelines. (“OMG”) Admins that implement this standard show a commitment to user safety by proving ownership of all URLs associated with their site, and by committing to regularly prove control of their PGP key.
Sites which do not implement these guidelines by Dec 1, 2019 will be marked as “unverified” on dark.fail and listed below all other sites.
Onion Mirror Guidelines (“OMG”)
You must host these text files at all of your .onion URLs:
/pgp.txt - Required - HTTP 200 text/plain
- A list of all PGP public keys allowed to announce your official mirrors.
- May contain multiple PGP keys.
- All keys must be ASCII armored.
- Do not list a key here unless it is trusted to sign official .onion URLs.
- Example: http://darkfailllnkf4vf.onion/pgp.txt
/mirrors.txt - Required - HTTP 200 text/plain
- PGP SIGNED list of all official mirrors of your site.
- Mirrors must be signed by a PGP key which is in /pgp.txt hosted at all of your URLs.
- Any line in this file which begins with “http://“ or “https://“ is an official mirror of your site.
- Mirrors must all host the same content. No related forums, no link lists. Place forums, other sites in /related.txt instead.
- All valid mirrors must only contain a scheme and domain name, no ports or paths.
- /pgp.txt and /mirrors.txt must have the same content on all of your URLs.
- Text which is not intended to be parsed as an official mirror must be commented out with a “#” as the first character on the line.
- Example: http://darkfailllnkf4vf.onion/mirrors.txt
/canary.txt - Required - HTTP 200 text/plain
- PGP SIGNED message MUST be updated every 14 days.
- Can be signed by any key specified in /pgp.txt
- The message must contain the latest Bitcoin block hash and the current date in YYYY-MM-DD format, with string “I am in control of my PGP key.” and must also include the string “I will update this canary within 14 days.”
- If you cannot do this you should not be running a darknet market.
- Example: http://darkfailllnkf4vf.onion/canary.txt
/related.txt - Optional - HTTP 200 text/plain
- PGP SIGNED list of all .onion sites related to your site.
- This is where you list forums, link lists, related services.
- Follow the same rules as /mirrors.txt
The Dread Post - “Admins: Implement the Onion Mirror Guidelines to remain listed on dark.fail.”