Sensitive Information Can Be Revealed From Tor Hidden Services On Apache

Patrick O'Neill writes: A common configuration mistake in Apache, the most popular Web server software in the world, can allow anyone to look behind the curtains on a hidden server to see everything from total traffic to active HTTP requests. When an hidden service reveals the HTTP requests, it's revealing every file—a Web page, picture, movie, .zip, anything at all—that's fetched by the server. Tor's developers were aware of the issue as early as last year but decided against sending out an advisory. The problem is common enough that even Tor's own developers have made the exact same mistake. Until October 2015, the machine that welcomed new users to the Tor network and checked if they were running up-to-date software allowed anyone to look at total traffic and watch all the requests.

Re:How is this in any way surprising?

[JustAnotherOldGuy]

The only way that three people can keep a secret is if two of them are dead - and even then ....

Even this is no longer true. :(

-

Experience has shown time and time again that there will never be perfect secrecy - just "good enough for now" is the best we can hope for.

Worse yet is that what is secret today will be exposed tomorrow, or the next day, or the day after that. All that stuff people have encrypted or hidden will eventually be decrypted or dragged out into the light. "You can bet your ass it'll come to pass", as they say. And it will.

So you're using SuperUber-Blowfish-SupperDish crypto with a 40 garjillion-bit key? Yeah, that'll be good for a while, but not forever. Quantum-computing may in fact herald an end to meaningful encryption, we just don't know how much it'll change things but the smart money is on major upheavals in supposedly "secure" communication.

During WWII the Allies kept reams of intercepted communications from the German and the Japanese (and everyone else) even though it was encrypted and unreadable....because they knew that someday they'd be able to decrypt it and see what was being said. It has enormous potential military and political value even if you can't read it today.

The NSA is, or course, doing the same thing right this minute, archiving everything they can get their sticky little fingers on. They may not be able to decrypt it today, but eventually they'll be able to.