Posted on September 11, 2018 at 9:54 AM
Tor prides itself on being a browser that keeps users’ IP addresses secret and private. However, security research has revealed that identifying the IP addresses of users is now pretty easy. Researchers say all it takes is for servers belonging to the Dark Web to be configured wrongly.
A security researcher, Yonathan Klijnsma, working with RiskIQ, has alerted Tor users to the possibility of their IP addresses being known. The researcher noted that this is because servers belonging to the Dark Web have been misconfigured.
The common narrative before now is to say that Klijnsma is only trying to de-market Tor and other related services. However, this perception is hardly true. The researcher is merely calling the attention of Tor users to their vulnerability when using Tor. Perhaps, the alarm should be seen by the developers as a wake-up call too.
According to Klijnsma, it is misconfigured Tor sites operating with an SSL certificate that are responsible for IP exposure. And a lot of such sites exist, according to his findings.
How a Normal Tor Server Works
Normally, if servers are configured correctly, Tor is not supposed to listen on any IP address except its local host, 127.0.0.1. But in the case of misconfigured servers, it was discovered that, apart from listening on its local host, the Nginx or Apache server is capable of listening on other IP addresses. These can include 0.0.0.0 or *.
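One way for an operator to check their own server for the misconfiguration described above is to audit the listen directives in the Nginx or Apache configuration. The following is an added example, not code from Klijnsma or RiskIQ; the sample configurations are constructed, and the function names is_loopback_only and exposed_listeners are hypothetical.

```python
import ipaddress
import re

# Constructed sample configs (not from the article); addresses and ports are illustrative.
NGINX_SAMPLE = """
server {
    listen 127.0.0.1:8080;
    listen 443 ssl;
    listen 0.0.0.0:80;
    listen [::1]:8081;
    listen *:8443 ssl;
    listen unix:/var/run/onion.sock;
}
"""
APACHE_SAMPLE = """
Listen 127.0.0.1:8080
Listen 443
Listen 192.0.2.10:80
"""

# nginx: "listen <target> [params];"   Apache: "Listen <target> [protocol]"
DIRECTIVE = re.compile(r"^\s*listen\s+([^\s;]+)", re.IGNORECASE | re.MULTILINE)

def is_loopback_only(target: str) -> bool:
    """True if a listen target is reachable only from the local machine."""
    if target.startswith("unix:"):
        return True                      # unix socket, no network exposure
    if target.startswith("["):           # [ipv6]:port
        host = target[1:target.index("]")]
    elif ":" in target:
        host = target.rsplit(":", 1)[0]  # addr:port
    elif target.isdigit():
        return False                     # bare port binds every interface
    else:
        host = target
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                     # "*", hostnames, anything unparsable

def exposed_listeners(config_text: str) -> list[str]:
    """Return every listen target that is not confined to loopback."""
    return [t for t in DIRECTIVE.findall(config_text) if not is_loopback_only(t)]

if __name__ == "__main__":
    for name, text in (("nginx", NGINX_SAMPLE), ("apache", APACHE_SAMPLE)):
        print(name, exposed_listeners(text))
```

A bare port such as "listen 443" is flagged because both servers bind it on every interface, which is the same exposure as 0.0.0.0 or *.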
Another #Tor hidden service exposed through an incorrect configuration of the listening server. Hiding your private forum on the deep dark (and still very public) web. Certificate can be found here (host is still live!): https://t.co/KEqN6hfyFb pic.twitter.com/cwHOuUdwmk
— Yonathan Klijnsma (@ydklijnsma) August 4, 2018
Proceeding in his explanation, Klijnsma says that things like this happen when a firewall is not used correctly. Nevertheless, the researcher says that such misconfigured servers are not difficult to identify.
Klijnsma was able to identify these erroneous servers by studying the internet and associating SSL certificates to their respective IP addresses. With this approach, he could determine which Tor services have been misconfigured and the associated IP addresses. In his own words, he told Bleeping Computer that “(It) means Tor connections will work obviously, but also external connections will as well.”
Tor Sites Have Been Leaking Addresses for Long
When an SSL certificate is added to a website on an anonymous server, Klijnsma says, .onion is usually added to the common name of the SSL certificate. And so, in the case of a misconfigured server, that SSL certificate is used.
From various indications, Tor may have been exposing the IP addresses of its users for a long time. Before now, another report on Tor’s vulnerability revealed that the IP addresses of many of its browser’s users are not anonymous after all.
This vulnerability is explained thus: once a file:// link is clicked by a user, the user is normally redirected to another webpage where they would be urged to create another link. This link allows Tor’s security architecture to be set aside.