Many misconfigured Tor sites expose the public IP address via SSL certificates

Security researcher discovered that many misconfigured Tor sites using SSL certificated could expose the public IP addresses of underlying servers.

Yonathan Klijnsma, a threat researcher at RiskIQ, has discovered that many misconfigured Tor sites using SSL certificated could expose the public IP addresses of underlying servers.

Properly configured servers hosting hidden services have to listen only on the localhost (127.0.0.1) instead of any other public IP address.

“The way these guys are messing up is that they have their local Apache or Nginx server listening on any (* or 0.0.0.0) IP address, which means Tor connections will work obviously, but also external connections will as well,” 

Klijnsma explained to BleepingComputer. “This is especially true if they don’t use a firewall. These servers should be configured to only listen on 127.0.0.1.”

The expert highlighted that it is quite easy to find misconfigured servers that expose their public IP address.

Every time an administrator of a hidden service adds an SSL certificate to a site, it associates the .onion domain with the certificate. The Common Name (CN) field of the certificate reports the .onion address of the hidden service.

Tor sites IP address

When administrators misconfigure a server so that it listens on a public IP address, the SSL certificate associated with the website will be used for the public IP address.

Klijnsma discovered the misconfigured servers by crawling the Internet and associating SSL certificates to they’re hosted IP addressed. In this way, the expert discovered the misconfigured hidden Tor services and the corresponding public IP addressed.

The expert concluded that to avoid the exposure of the public IP address for a Tor hidden service it should only listen on 127.0.0.1.



Pierluigi Paganini

(Security Affairs – SSL certificates, Tor sites)


The post Many misconfigured Tor sites expose the public IP address via SSL certificates appeared first on Security Affairs.



Leave a Reply

Many misconfigured Tor sites expose the public IP address via SSL certificates

Security researcher discovered that many misconfigured Tor sites using SSL certificated could expose the public IP addresses of underlying servers.

Yonathan Klijnsma, a threat researcher at RiskIQ, has discovered that many misconfigured Tor sites using SSL certificated could expose the public IP addresses of underlying servers.

Properly configured servers hosting hidden services have to listen only on the localhost (127.0.0.1) instead of any other public IP address.

“The way these guys are messing up is that they have their local Apache or Nginx server listening on any (* or 0.0.0.0) IP address, which means Tor connections will work obviously, but also external connections will as well,” 

Klijnsma explained to BleepingComputer. “This is especially true if they don’t use a firewall. These servers should be configured to only listen on 127.0.0.1.”

The expert highlighted that it is quite easy to find misconfigured servers that expose their public IP address.

Every time an administrator of a hidden service adds an SSL certificate to a site, it associates the .onion domain with the certificate. The Common Name (CN) field of the certificate reports the .onion address of the hidden service.

Tor sites IP address

When administrators misconfigure a server so that it listens on a public IP address, the SSL certificate associated with the website will be used for the public IP address.

Klijnsma discovered the misconfigured servers by crawling the Internet and associating SSL certificates to they’re hosted IP addressed. In this way, the expert discovered the misconfigured hidden Tor services and the corresponding public IP addressed.

The expert concluded that to avoid the exposure of the public IP address for a Tor hidden service it should only listen on 127.0.0.1.



Pierluigi Paganini

(Security Affairs – SSL certificates, Tor sites)


The post Many misconfigured Tor sites expose the public IP address via SSL certificates appeared first on Security Affairs.



Leave a Reply