Many misconfigured Tor sites expose the public IP address via SSL certificates
6.9.18 securityaffairs Safety

A security researcher has found that many misconfigured Tor sites using SSL certificates expose the public IP addresses of the servers behind them.
Yonathan Klijnsma, a threat researcher at RiskIQ, discovered that many misconfigured Tor hidden services using SSL certificates leak the public IP addresses of the servers hosting them.

A properly configured server hosting a hidden service must listen only on localhost (127.0.0.1), where the local Tor daemon connects to it, and never on a public IP address or on all interfaces.

“The way these guys are messing up is that they have their local Apache or Nginx server listening on any (* or 0.0.0.0) IP address, which means Tor connections will work obviously, but also external connections will as well,”

Klijnsma explained to BleepingComputer. “This is especially true if they don’t use a firewall. These servers should be configured to only listen on 127.0.0.1.”
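As an added example (not from the article or from RiskIQ), the following Python script checks nginx and Apache configuration files for exactly the mistake Klijnsma describes: listen directives that bind every interface (a bare port, `*`, `0.0.0.0` or `[::]`) instead of 127.0.0.1. The configuration snippets inside it are constructed for the demonstration and are not taken from any real deployment.

```python
import re

# Matches nginx "listen ..." and Apache "Listen ..." directives and captures
# everything up to the end of the directive (";" in nginx, end of line in Apache).
LISTEN_RE = re.compile(r'^\s*listen\s+([^;#\n]+)', re.IGNORECASE)

# Addresses that keep the web server reachable only from the local machine,
# which is where the Tor daemon connects from (HiddenServicePort 443 127.0.0.1:443).
LOOPBACK = {'127.0.0.1', '[::1]', 'localhost'}


def bind_address(spec):
    """Return the address part of a listen spec such as '127.0.0.1:443 ssl'.

    Returns None when no address is given (a bare port, '*', '0.0.0.0' or
    '[::]'), which makes the server bind every interface.
    """
    first = spec.split()[0]                # drop options such as 'ssl http2'
    if first.startswith('unix:'):
        return first                       # unix socket: not reachable over the network
    if first.startswith('['):              # IPv6 literal: '[::1]:443' or '[::]:443'
        addr = first.split(']', 1)[0] + ']'
        return None if addr == '[::]' else addr
    if ':' in first:
        addr = first.rsplit(':', 1)[0]
        return None if addr in ('*', '0.0.0.0') else addr
    return None                            # bare port number


def is_exposed(spec):
    """True when the listen spec makes the service reachable from outside the host."""
    addr = bind_address(spec)
    if addr is None:
        return True
    if addr.startswith('unix:'):
        return False
    return addr not in LOOPBACK


def exposed_listen_lines(config_text):
    """Return (line_number, directive) pairs for every listen directive that
    binds a non-loopback address in an nginx or Apache config."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = LISTEN_RE.match(line)
        if match and is_exposed(match.group(1)):
            findings.append((number, line.strip()))
    return findings


# Constructed sample configs for the offline demonstration (hypothetical paths and names).
NGINX_WRONG = """
server {
    listen 443 ssl;          # no address: binds 0.0.0.0, reachable from the Internet
    listen [::]:443 ssl;
    server_name abcdefghijklmnop.onion;
    ssl_certificate /etc/ssl/onion.crt;
}
"""

NGINX_FIXED = """
server {
    listen 127.0.0.1:443 ssl;   # only the local tor daemon can reach it
    server_name abcdefghijklmnop.onion;
    ssl_certificate /etc/ssl/onion.crt;
}
"""

APACHE_WRONG = "Listen 443\nListen 0.0.0.0:8443\n"
APACHE_FIXED = "Listen 127.0.0.1:443\nListen [::1]:443\n"

if __name__ == '__main__':
    for name, text in [('nginx (wrong)', NGINX_WRONG), ('nginx (fixed)', NGINX_FIXED),
                       ('apache (wrong)', APACHE_WRONG), ('apache (fixed)', APACHE_FIXED)]:
        print(name, exposed_listen_lines(text) or 'OK: loopback only')
```

The loopback binding is only half of the fix: the matching torrc line must point Tor at the same local address (`HiddenServicePort 443 127.0.0.1:443`), and a host firewall that drops inbound 443 from anything but the loopback interface is a sensible second layer in case the web server is ever reconfigured.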

The expert highlighted that it is quite easy to find misconfigured servers that expose their public IP address.

When the administrator of a hidden service adds an SSL certificate to the site, the certificate is tied to the .onion domain: its Common Name (CN) field carries the .onion address of the hidden service.


When the server is misconfigured to listen on a public IP address, the same certificate is served to anyone who connects to that public IP, so the .onion name in the certificate becomes visible outside the Tor network.

Klijnsma found the misconfigured servers by crawling the Internet and associating SSL certificates with the IP addresses that served them. Filtering for certificates whose names end in .onion yielded the misconfigured hidden services together with their public IP addresses.
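The association described above, as an added example that is not part of the article and not RiskIQ's tooling: a Python script that connects to a public IP on port 443, reads the served certificate and reports any .onion names found in it. It scans the raw DER for onion-shaped names rather than parsing ASN.1, which works because DER stores CN and subjectAltName strings as raw ASCII bytes; the `sample_subject_der` helper builds a small DER Name so the name extraction can be demonstrated offline on constructed data.

```python
import re
import socket
import ssl
import sys

# Onion addresses are base32: 16 characters for v2 services, 56 for v3.
# DER stores the subject CN and subjectAltName entries as raw ASCII/UTF-8
# bytes, so the names can be found in the encoded certificate without an
# ASN.1 parser.
ONION_RE = re.compile(
    rb'(?<![a-z2-7])(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?![a-z0-9])')


def onion_names(cert_der):
    """Return the sorted set of .onion names embedded in a DER-encoded certificate."""
    return sorted({m.group(0).decode('ascii') for m in ONION_RE.finditer(cert_der)})


def fetch_certificate(host, port=443, timeout=5.0):
    """Connect to host:port with TLS and return the leaf certificate as DER bytes.

    Verification is disabled on purpose: hidden-service certificates are usually
    self-signed, and we only want to read the names, not trust them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def scan_host(host, port=443):
    """Report whether a public IP serves a certificate that names a .onion site."""
    try:
        der = fetch_certificate(host, port)
    except OSError as exc:                      # refused, timeout, TLS failure
        return {'host': host, 'reachable': False, 'onion_names': [], 'error': str(exc)}
    return {'host': host, 'reachable': True, 'onion_names': onion_names(der)}


# --- Offline demonstration with a constructed DER fragment -------------------

def _der(tag, body):
    """Encode one DER TLV; short-form length suffices for these small samples."""
    if len(body) >= 128:
        raise ValueError('sample helper only supports short-form lengths')
    return bytes([tag, len(body)]) + body


def sample_subject_der(common_name):
    """Build a DER-encoded X.509 Name holding only CN=<common_name>.

    Constructed for the demo: a real certificate wraps such a Name inside
    TBSCertificate, but the byte pattern of the CN is identical.
    """
    oid_common_name = b'\x06\x03\x55\x04\x03'                    # OID 2.5.4.3
    attribute = _der(0x30, oid_common_name +                      # SEQUENCE {
                     _der(0x0c, common_name.encode('ascii')))     #   OID, UTF8String }
    return _der(0x30, _der(0x31, attribute))                      # SEQUENCE { SET { ... } }


if __name__ == '__main__':
    # Demo on constructed data; pass IPs on the command line to scan real hosts.
    print(onion_names(sample_subject_der('abcdefghijklmnop.onion')))
    for target in sys.argv[1:]:
        print(scan_host(target))
```

Run against a list of candidate IPs (for instance every host seen with a certificate on port 443 in a passive-SSL or certificate-transparency dataset), any result with a non-empty `onion_names` list is a hidden service whose public IP is now known, which is the association Klijnsma performed at scale. The byte-pattern search is a heuristic: it would miss a name stored as a UTF-16 BMPString, which is unusual for these certificates, and it finds names anywhere in the certificate, not only in the CN, so check the subject and subjectAltName of a hit before reporting it.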

Yonathan Klijnsma (@ydklijnsma), 7:31 PM - Aug 4, 18:
"Another #Tor hidden service exposed through an incorrect configuration of the listening server. Hiding your private forum on the deep dark (and still very public) web. Certificate can be found here (host is still live!): https://community.riskiq.com/search/certificate/sha1/ec14a4bc60fa9088ff59b28f094c1876388e6f94"
The expert concluded that, to avoid exposing the public IP address of a Tor hidden service, the web server behind it should listen only on 127.0.0.1.