Sensitive Information Can Be Revealed From Tor Hidden Services On Apache

Patrick O'Neill writes: A common configuration mistake in Apache, the most popular Web server software in the world, can allow anyone to look behind the curtains on a hidden server to see everything from total traffic to active HTTP requests. When an hidden service reveals the HTTP requests, it's revealing every file—a Web page, picture, movie, .zip, anything at all—that's fetched by the server. Tor's developers were aware of the issue as early as last year but decided against sending out an advisory. The problem is common enough that even Tor's own developers have made the exact same mistake. Until October 2015, the machine that welcomed new users to the Tor network and checked if they were running up-to-date software allowed anyone to look at total traffic and watch all the requests.

Re:If you take 3 different steps to conf it public

[Sun]

I think that a hidden service sees incoming traffic as originating from itself, as that's where the TOR node is that unwraps this traffic.

On my server, it was turned on despite me not turning it on (but, of course, not open to the outside). I don't know why, BTW.

Shachar

Localhost

[SlayerofGods]

I always thought it seemed kind of foolish to run the web service and the tor node on the same system. Seems like it would be better to run the tor node on its own system and act as a gateway for the web server (with all appropriate firewall rules to prevent server from talking to anyone besides tor node) This would not only prevent this kind of attack where local host traffic is semi trusted. But perhaps more significantly it would prevent the webserver from ever leaking it's public address as it can't know what it is. My 2 cents