Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

This sentence contradicts itself -- no actually it doesn't. -- Douglas Hofstadter


rocksolid / Tor / Public IP Addresses of Tor Sites Exposed via SSL Certificates

SubjectAuthor
* Public IP Addresses of Tor Sites Exposed via SSL CertificatesAnonUser
`- Re: Public IP Addresses of Tor Sites Exposed via SSL Certificatesanon

1
Subject: Public IP Addresses of Tor Sites Exposed via SSL Certificates
From: AnonUser
Newsgroups: rocksolid.shared.tor
Organization: Rocksolid Light
Date: Thu, 13 Sep 2018 03:08 UTC
Path: rocksolid2!.POSTED.local_inn!not-for-mail
From: AnonU...@rslight.i2p (AnonUser)
Newsgroups: rocksolid.shared.tor
Subject: Public IP Addresses of Tor Sites Exposed via SSL Certificates
Date: Thu, 13 Sep 2018 03:08:24 -0000 (UTC)
Organization: Rocksolid Light
Message-ID: <7a9da654e0e8d9c362aef737dbfac209$1@rslight.novabbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 13 Sep 2018 03:08:24 -0000 (UTC)
Injection-Info: novabbs.com; posting-host="local_inn:10.13.0.7";
logging-data="15501"; mail-complaints-to="usenet@novabbs.com"
View all headers
Surprising that people would make this mistake, but many do. Here's one way a misconfigured Tor hidden service can be found:

https://www.bleepingcomputer.com/news/security/public-ip-addresses-of-tor-sites-exposed-via-ssl-certificates/

Public IP Addresses of Tor Sites Exposed via SSL Certificates
By Lawrence Abrams

    September 4, 2018 09:00 AM 2 *="" height="465" src="https://www.bleepstatic.com/content/hl-images/2017/06/11/TorProject.jpg" width="1104" />

A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls of not knowing how to properly configure a hidden service.

One of the main purposes of setting up a dark web web site on Tor is to make it difficult to identify the owner of the site. In order to properly anonymize a dark web site, though, the administrator must configure the web server properly so that it is only listens on localhost (127.0.0.1) and not on an IP address that is publicly exposed to the Internet.

Yonathan Klijnsma, a threat researcher lead for RiskIQ, has discovered that there are many Tor sites that utilize SSL certificates and also misconfigure a hidden service so that it is accessible via the Internet. As RiskIQ crawls the web and associates any SSL certificate it discovers to it's hosted IP address, it was easy for Klijnsma to map a misconfigured hidden Tor service with its corresponding public IP address.

"The way these guys are messing up is that they have their local Apache or Nginx server listening on any (* or 0.0.0.0) IP address, which means Tor connections will work obviously, but also external connections will as well," Klijnsma told BleepingComputer. "This is especially true if they don't use a firewall. These servers should be configured to only listen on 127.0.0.1."

When asked how often he sees misconfigured servers that expose their public IP address, he told us that it is quite common.

"Continuously. I'm not even kidding. Some don't listen on http/https, so I don't know what they are, but they have onion addresses and live on both clear and dark web." Klijnsma told BleepingComputer.
SSL certs help ID public IP address of dark web sites

When operators of Tor hidden services add an SSL certificate to their site, they associate the .onion domain with the certificate as shown below.
Tor Site with SSL Certificate
Tor Site with SSL Certificate

If the Tor site is misconfigured so that it listens on a public IP address, this same certificate containing the .onion domain will be used for that IP address as well. As RiskIQ crawls the Internet and catalogs all SSL certificates it finds being used by a site, it will associate this onion certificate with the public IP address it finds it on.

This allows Klijnsma to use the RiskIQ database to easily search for onion certificates and see what public IP address they are mapped to as shown below.
Tor certificate exposed on the public IP address
Tor certificate exposed on the public IP address

You can see how this was illustrated in a tweet by Klijnsma below.
Tor users think Klijnsma is attacking Tor

Some users feel that Klijnsma's research is an attack on Tor, while the researcher says its actually the opposite. Instead of attacking Tor, Klijnsma is trying to bring to light the inherent problems associated with not properly configuring a Tor hidden service.

In order to protect a site from being exposed in this manner, it's quite simple according to the researcher. "They should only listen on 127.0.0.1."

Posted on Rocksolid Light.




Subject: Re: Public IP Addresses of Tor Sites Exposed via SSL Certificates
From: anon
Newsgroups: rocksolid.shared.tor
Organization: def4
Date: Fri, 14 Sep 2018 15:32 UTC
References: 1
Path: rocksolid2!def3!.POSTED.localhost!not-for-mail
From: ano...@anon.com (anon)
Newsgroups: rocksolid.shared.tor
Message-ID: <18d9b51c207b050cbd7fd7e1bcd2b653@def4.com>
Subject: Re: Public IP Addresses of Tor Sites Exposed via SSL Certificates
Date: Fri, 14 Sep 2018 15:32:24+0000
Organization: def4
In-Reply-To: <7a9da654e0e8d9c362aef737dbfac209$1@rslight.novabbs.com>
References: <7a9da654e0e8d9c362aef737dbfac209$1@rslight.novabbs.com>
Lines:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
View all headers
guess you cannot protect anybody from themselves (in this case: their own sloppiness)....
i should know...

Posted on def4.i2p


1
rocksolid light 0.7.2
clearneti2ptor