[tor-onions] Privacy Audits for Onion Services

Tom Ritter tom at ritter.vg
Fri Aug 31 17:04:48 UTC 2018


On 31 August 2018 at 08:58,  <dylan at fdylan.co.uk> wrote:
>> "ensure that your external website(s) are only listening on external ip addresses"
> I believe you mean that the website host (Apache/nginx) listen only on localhost, and NOT on external at all. Otherwise, shodan will find it, and your code will leak the IP.

No, I meant that.  I'm assuming one is running a webserver that is
hosting both clearnet websites and onion websites through vhosts. For
example, my own tomritterbassljd.onion and ritter.vg (obviously this
is not trying to be a hidden service, just an onion service so I'm
using it as my example.) There are two attack vectors there:

1. Sending a Host: ritter.vg to my onion site (over tor of course) and
   retrieving the website for ritter.vg.
2. Sending a Host: tomritterbassljd.onion to my clearnet site (not
   through Tor) and retrieving the Hidden Service.

So to mitigate this you need to make sure that your onionsites are
listening only on local addresses and your clearnet sites are
listening only on external addresses.

Alternately (and this is what I do) you can set up your onionsite on a
local address and non-standard port (e.g. 88), and ensure that only
the onionsite is accessible on that port and the clearnet sites are
not.  Then you can have your clearnet sites listen on both the
external IP(s) and 127.0.0.1:80/443 like normal.

-tom
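As an added illustration (not from Tom's post or any real deployment), here is an nginx layout implementing the second arrangement he describes: the onion vhost bound only to loopback on a non-standard port, the clearnet vhost bound to the external IP plus loopback, and a catch-all on each listener so an unexpected Host header never lands on the other site. The IP 203.0.113.10, the .onion name, clearnet.example and the document roots are placeholders.

```nginx
# Weak layout (what to avoid): both vhosts share the wildcard listener, so a
# request is routed by Host header alone and either site can be pulled out
# through the other's address:
#
#   server { listen 80; server_name <onionaddr>.onion; ... }
#   server { listen 80; server_name clearnet.example; ... }
#
# Hardened layout below. Assumed placeholders: 203.0.113.10 (external IP),
# abcdefghijklmnop.onion, clearnet.example, /var/www/*. Pair it with
#   HiddenServicePort 80 127.0.0.1:88
# in torrc so tor forwards onion traffic only to the loopback listener.

# Onion site: loopback address, non-standard port, no external listener.
server {
    listen 127.0.0.1:88;
    server_name abcdefghijklmnop.onion;
    root /var/www/onion;
}

# Catch-all on the onion port: any other Host value (for example the
# clearnet name) gets the connection closed rather than a clearnet page.
server {
    listen 127.0.0.1:88 default_server;
    server_name _;
    return 444;
}

# Clearnet site: external IP plus loopback port 80, never port 88.
# (443 follows the same pattern with listen ... ssl and certificate paths.)
server {
    listen 203.0.113.10:80;
    listen 127.0.0.1:80;
    server_name clearnet.example;
    root /var/www/clearnet;
}

# Catch-all on the clearnet listeners: a Host header naming the .onion
# (or anything else unknown) cannot reach the onion document root.
server {
    listen 203.0.113.10:80 default_server;
    listen 127.0.0.1:80 default_server;
    server_name _;
    return 444;
}
```

After reloading, `ss -ltn` should show port 88 bound only to 127.0.0.1 and port 80 bound only to 203.0.113.10 and 127.0.0.1, which is the listening-address split the post asks for.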

