Public IP Addresses of Tor Sites Can Be Exposed Through SSL Certificates
To maintain anonymity, administrators should configure their servers to listen only on localhost (127.0.0.1).
Security researcher Yonathan Klijnsma from RiskIQ has discovered a quick way to identify the public IP addresses of misconfigured darknet servers. The main reason for creating a site accessible only through Tor is the owner’s desire to hide their identity. However, to preserve anonymity, the administrator must set the server to listen only on localhost (127.0.0.1), not on a public IP address accessible from the internet.
Despite this, Klijnsma found many Tor hidden services using SSL whose configuration leaves them reachable from the public internet. Because RiskIQ continuously scans the web and records every SSL certificate it sees together with the IP address that served it, the researcher could simply search that data for certificates naming .onion domains and read off the public IP addresses of the misconfigured hidden services.
As Klijnsma explained, the root cause is that site administrators have configured their local Apache or Nginx servers to listen on all addresses (* or 0.0.0.0). Connections through Tor still work, but the same server also answers on the external internet, particularly when no firewall blocks the public interface.
“These servers should be configured to listen only on 127.0.0.1,” the researcher told Bleeping Computer.
When site operators use SSL certificates, the certificate is issued for the .onion domain, so that name is embedded in it. If the server is misconfigured to listen on public IP addresses, the same certificate, .onion name included, is served on those addresses as well, and anyone who correlates certificates with IP addresses can tie the hidden service to its public host.
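The fix the researcher recommends is a one-line change to the web server's listen directives, but it is easy to miss one vhost. The following audit script is an added example, not part of the article or RiskIQ's tooling: it scans Nginx `listen` and Apache `Listen` directives in a config file and reports every one that binds beyond loopback. The sample configurations inside it are constructed for illustration.

```python
"""Flag web-server listen directives that expose a Tor hidden service.

Nginx:  listen 443 ssl;  listen *:443;  listen [::]:443;   -> all interfaces
        listen 127.0.0.1:443 ssl;  listen [::1]:443;       -> loopback only
Apache: Listen 0.0.0.0:443  /  Listen 443                  -> all interfaces
        Listen 127.0.0.1:443                               -> loopback only
"""
import ipaddress
import re

# Constructed sample configs (not from the article).
SAMPLE_NGINX = """
server {
    listen 443 ssl;              # binds every interface: exposed
    listen [::]:443 ssl;         # same for IPv6
    server_name example.onion;   # placeholder hidden-service name
}
server {
    listen 127.0.0.1:443 ssl;    # loopback only: what a Tor service needs
    server_name other.onion;
}
"""
SAMPLE_APACHE = """
Listen 0.0.0.0:443 https
Listen 127.0.0.1:8443
"""

# Matches 'listen <spec>' (nginx) and 'Listen <spec>' (Apache) at line start.
LISTEN_RE = re.compile(r"^\s*listen\s+([^;\s]+)", re.MULTILINE | re.IGNORECASE)


def listen_address(spec: str) -> str:
    """Extract the address part of a listen spec; '' means 'all interfaces'."""
    if spec.startswith("unix:"):          # unix socket: not network-reachable
        return "unix"
    if spec.startswith("["):              # [v6addr]:port
        return spec[1:spec.index("]")]
    if ":" in spec:                       # v4addr:port or *:port
        return spec.rsplit(":", 1)[0]
    return ""                             # bare port, e.g. 'listen 443'


def is_loopback_only(addr: str) -> bool:
    """True when the bound address can only be reached from the local host."""
    if addr in ("unix", "localhost"):
        return True
    if addr in ("", "*"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                    # hostname we cannot resolve offline
        return False                      # treat as exposed (conservative)


def audit_listen_directives(config: str) -> list:
    """Return the listen specs in `config` that bind beyond 127.0.0.1 / ::1."""
    return [m.group(1) for m in LISTEN_RE.finditer(config)
            if not is_loopback_only(listen_address(m.group(1)))]
```

Run it against each vhost file and the main server config; an empty result for a hidden-service host is the desired state, and any flagged spec should be rewritten to `127.0.0.1:<port>` (or `[::1]:<port>`).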