Security researcher Yonathan Klijnsma explained that a simple slip could enable anyone online to map the internet locations of dark web sites using Tor‘s onion service protocol to cloak themselves. His company has already built a searchable database that maps many hidden services to their IP addresses, according to Bleeping Computer.
On the public web, people identify websites domain names (like nakedsecurity.sophos.com) that are easy to read and remember. The internet’s Domain Name System (DNS) – effectively a directory for websites – maps these human readable domain names to the IP addresses that computers use to communicate.
Information about IP addresses is public, and knowing a website’s IP address can unlock lots of information about a website associated with it. It can be used to find the online hosting company that hosts a website, and it provides a target for attack, both of which might be useful if you want to unmask a site operator trying to stay anonymous.
Dark web sites are hidden services, computer services that are only accessible via the anonymous Tor network where their public IP address information is cloaked. This enables website owners to publish information without anyone knowing who they are.
Anonymity relies on the hidden service owner configuring their web server properly, and it is here that Klijnsma discovered what turned out to be a common mistake. The problem is that a website operating as a hidden service is still at heart a web server with an IP address.
Misconfiguring the server can reveal that address.
A hidden service should be configured to only listen for connections via its local IP address (127.0.0.1), known as localhost, where it talks to the Tor daemon. In turn, the Tor daemon binds to the computer’s external IP address and ensures that the website is accessible via the anonymising Tor network.
However, some hidden service operators misconfigure their web servers to listen for connections on external hostnames or IP addresses, which can cause the IP information Tor tries to hide to leak out.
What Klijnsma found was a leak via a very common web server asset: a digital certificate.
Most web servers use SSL certificates when communicating with visitors. These serve two purposes. Firstly, they encrypt traffic so that snoopers can’t intercept and read it. Secondly, they enable the website to prove its identity to the visiting web browser. Imagine an SSL certificate as a notarised envelope from a trusted third party with your name and (web) address on it. If you give it to someone, then they know it’s from you, and that the message inside it is legit.
Many hidden Tor services use SSL certificates, and those certificates list the sites’ .onion addresses in their Common Name fields. This means that any hidden service misconfigured to listen for communication from the internet will send that certificate, along with its anonymous dark web .onion address, to visitors from the public internet.
That gives visitors two pieces of data: a dark web .onion address and the IP address it’s trying to cloak.
That’s enough information to approach a hosting company and find the site operator’s name and address or to get the site taken down. A malicious actor could also target the IP address with a denial of service attack (DoS), or attempt a hack.
This isn’t the first time that dark websites have given themselves away with misconfigured servers. A feature in the Apache web server that provides detailed information about itself to a localhost query can also give up valuable information about a hidden service – including public IP addresses.
Security researchers and law enforcement officials alike use open source intelligence (OSINT) all the time to track down malicious parties online. IP addresses are a prime piece of data in that process. Klijnsma’s technique just gave us all a look at how it can be used on the dark web just as easily as on the public one, and also proved once again that just because you’re using Tor doesn’t necessarily mean you’re safe. There is more than one way to get busted on the dark web.