The Onion router, also known as Tor, is an internet service that allows users to surf the internet anonymously by bouncing the connection across multiple relays. By doing this, Tor users avoid exposing their IP addresses to the servers they visit. Instead, these servers only see the IP address of one of Tor’s exit nodes. But TOR doesn’t just protect its users when they visit websites like Google.com or Facebook.com.
Another option on the Tor network, for users who want to maintain their anonymity, are Tor hidden services. They can only be accessed using Tor technology and you can recognize them by using the .onion extension. Contrary to popular belief, these websites are not only used for shady activities, but also for legitimate purposes. In fact, many of the websites that you use on a daily basis can also be accessed using a similar hidden service, in order to serve users who value anonymity. For example, you can access the New York Times via https://www.nytimes3xbfgragh.onion or Facebook via https://facebookcorewwwi.onion, as long as you are currently using Tor.
Another advantage, for website owners, is that your users cannot know the real IP of your server. This is a big victory for privacy and makes it difficult to censor or remove a hidden service. In order to run such a service, in addition to adjusting a series of settings for Tor, you also need to configure a web server like Apache or Nginx on the machine where you are going to host your website.
The vulnerability we are discussing, which will allow anyone to discover the real IP of a hidden service, is due to a misconfiguration in the configuration of Tor.
Common error in SSL configuration over Tor
OK, so you are clearly concerned about maintaining anonymity on the Internet if you are using Tor. Suppose you implement TLS / SSL to secure the Tor service. To do this, you need to get your website certificate with the .onion extension signed by a certification authority. Suppose your service URL is examplewwwi.onion. When someone requests the website, the server sends the encryption data and the certificate in the ServerHello response given to the ClientHello request. The Common Name (CN) field in the certificate will indicate your domain, examplewwwi.onion.
Let’s say you are using a web server service like Apache, Nginx or something similar, and you configure it incorrectly to listen for all connections that reach network interfaces (0.0.0.0), instead of the address of loopback (127.0.0.1). This will have a catastrophic impact on the anonymity of your web server. Let’s see why in the next section.
Exposing the public IP address of the Tor service you are using
Anyone trying to reach port 443 from your server’s non-Tor public IP address will see the certificate and .onion domain found in the CN, which is in the ServerHello response given to the ClientHello message.
You might be wondering how people can find your public IP address when using Tor.
What if we assumed that the attackers followed this method to gain access to your personal data:
- They send a request to connect to an IP range (for example 184.108.40.206 – 220.127.116.11) through port 443.
- They send a ClientHello message.
- They extract the CN in the ServerHello message.
- They correspond to IP addresses with .onion domains.
By doing this repeatedly, they can access data from many websites that use the Tor network.
Ensuring your security requires attention and monitoring of new attack methods. According to recent research by Rosselyn Barroyeta, misconfiguration can put you at risk even when using the most secure service. She performed a live demonstration of the impacts a misconfiguration can have and how it leads to exposure of IP addresses.
For more information see IP’s pÃºblicas de Tor son expuestas mediante certificados SSL (Spanish).
*** This is a Syndicated Security Bloggers Network blog by Netsparker, Web Application Security Scanner written by Ziyahan Albeniz. Read the original post on: https://www.netsparker.com/blog/web-security/exposing-public-ips-tor-services-through-ssl-certificates/