This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
The Onion Router, also known as Tor, is an internet service that provides anonymous internet surfing to users by bouncing the connection on several relays. By doing this Tor users avoid exposing their IP addresses to the servers they visit. Instead, these servers see only the IP address of one of Tor's exit nodes. But TOR doesn't only protect its users when they visit websites like Google.com or Facebook.com.
Another option on the Tor network, for users who wish to preserve their anonymity, are the Tor hidden services. They can only be reached using the Tor technology and you can recognize them by their use of the .onion extension. Contrary to popular belief, these websites aren’t only used for shady activity, but also for legitimate purposes. In fact, many websites that you use on a daily basis can also be accessed using a similar, hidden service, in order to serve users who value anonymity. For example, you can access The New York Times through https://www.nytimes3xbfgragh.onion or Facebook through https://facebookcorewwwi.onion, as long as you are currently using Tor.
Another advantage, for website owners, is that your users cannot find out the real IP of your server. This is a big win for privacy and makes it hard to censor or take down a hidden service. In order to run such a service, besides adjusting a series of settings for Tor, you also need to set up a web server like Apache or Nginx on the machine you’ll host your website on.
The vulnerability that we discuss, that will allow anyone to find out the real IP of a hidden service, arises due to a misconfiguration in Tor setup.
Common Mistake in SSL Setup on Tor
OK, so you’re clearly concerned to maintain anonymity on the internet if you’re using Tor. Let’s assume that you implement TLS/SSL to secure the Tor service. To do so, you have to get the certificate for your website with the .onion extension signed by a certificate authority. Let’s assume that your service URL is examplewwwi.onion. When someone requests the website, the server sends the encryption data and the certificate in the ServerHello response given to the ClientHello request. The Common Name (CN) area in the certificate will state your domain, examplewwwi.onion.
Let’s say you’re using a web server service such as Apache, Nginx or something similar, and you misconfigure it to listen to all the connections that reach the network interfaces (0.0.0.0), instead of the loopback address (127.0.0.1). This will have a catastrophic impact on your web server's anonymity. Let's look at why in the following section.
Exposure of the Public IP of the Tor Service You’re Using
Anyone who tries to reach port 443 from your server’s public, non-Tor IP address will see the certificate and the .onion domain found in the CN, which is in the ServerHello response given to the ClientHello message.
You might wonder how people can find out your public IP when you’re using Tor.
What if we assume that attackers followed this method to reach your personal data:
- They send a connection request to an IP range (e.g. 126.96.36.199 - 188.8.131.52) through port 443.
- They send a ClientHello message.
- They extract the CN in the ServerHello message.
- They match the IPs with the .onion domains.
By doing so repeatedly, they are able to access the data of many websites using the Tor network.
Ensuring your safety requires attention and keeping an eye on new attack methods. According to recent research by Rosselyn Barroyeta, a misconfiguration can leave you exposed, even when using the most secure service. She conducted a live demonstration of the impacts misconfiguration may have and how it results in IP address exposure.
For further information, see IP’s públicas de Tor son expuestas mediante certificados SSL (Spanish).