Dark web sites could be exposed by routine slip-up | Cyber Security



Operators of sites on the dark web might not be as anonymous as they think. A simple misconfiguration could expose their server’s IP address, warned a security researcher this week.

Security researcher Yonathan Klijnsma explained that a simple slip could enable anyone online to map the internet locations of dark web sites using Tor’s onion service protocol to cloak themselves. His company has already built a searchable database that maps many hidden services to their IP addresses, according to Bleeping Computer.

On the public web, people identify websites by domain names (like nakedsecurity.sophos.com) that are easy to read and remember. The internet’s Domain Name System (DNS) – effectively a directory for websites – maps these human-readable domain names to the IP addresses that computers use to communicate.

Information about IP addresses is public, and knowing a website’s IP address can unlock lots of information about a website associated with it. It can be used to find the online hosting company that hosts a website, and it provides a target for attack, both of which might be useful if you want to unmask a site operator trying to stay anonymous.

Dark web sites are hidden services, computer services that are only accessible via the anonymous Tor network where their public IP address information is cloaked. This enables website owners to publish information without anyone knowing who they are.

Misconfigured servers

Anonymity relies on the hidden service owner configuring their web server properly, and it is here that Klijnsma discovered what turned out to be a common mistake. The problem is that a website operating as a hidden service is still at heart a web server with an IP address.

Misconfiguring the server can reveal that address.

A hidden service should be configured to only listen for connections via its local IP address (127.0.0.1), known as localhost, where it talks to the Tor daemon. In turn, the Tor daemon binds to the computer’s external IP address and ensures that the website is accessible via the anonymising Tor network.

However, some hidden service operators misconfigure their web servers to listen for connections on external hostnames or IP addresses, which can cause the IP information Tor tries to hide to leak out.
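An operator can check for this misconfiguration before a service goes live. The following is an added example, not code from the article or from the researcher: it assumes the web server is nginx (the article names no specific server), and the sample configuration, function names and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample nginx config (not from the article).
SAMPLE_CONF = """\
server {
    listen 127.0.0.1:8080;      # loopback only
    listen [::1]:8080;
    listen unix:/run/hs.sock;
}
server {
    listen 443 ssl;             # port only: binds every interface
    listen 0.0.0.0:80;
    listen [::]:80;
    listen 203.0.113.10:443 ssl;
    # listen 80;  (commented out, ignored)
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^\s;]+)")

def is_loopback_only(addr):
    """True if an nginx listen address is reachable only from the local host."""
    if addr.startswith("unix:"):
        return True                      # UNIX socket, no network exposure
    if addr.startswith("["):             # [ipv6]:port or [ipv6]
        host = addr[1:addr.index("]")]
    elif ":" in addr:                    # host:port
        host = addr.rsplit(":", 1)[0]
    elif addr.isdigit():                 # bare port means all interfaces
        return False
    else:
        host = addr                      # bare host, default port
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                     # wildcard or hostname: treat as exposed

def audit_listen(conf_text):
    """Return (line_number, address) for each listen directive not bound to loopback."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = LISTEN_RE.match(line.split("#", 1)[0])   # drop trailing comments
        if m and not is_loopback_only(m.group(1)):
            findings.append((n, m.group(1)))
    return findings
```

Calling `audit_listen(SAMPLE_CONF)` flags the four directives in the second server block; an empty result means every listener is confined to localhost or a UNIX socket.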

What Klijnsma found was a leak via a very common web server asset: a digital certificate.

Most web servers use SSL certificates when communicating with visitors. These serve two purposes. Firstly, they encrypt traffic so that snoopers can’t intercept and read it. Secondly, they enable the website to prove its identity to the visiting web browser. Imagine an SSL certificate as a notarised envelope from a trusted third party with your name and (web) address on it. If you give it to someone, then they know it’s from you, and that the message inside it is legit.