Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Bug Encryption Network Networking Security The Internet Apache

Sensitive Information Can Be Revealed From Tor Hidden Services On Apache ( 37

Patrick O'Neill writes: A common configuration mistake in Apache, the most popular Web server software in the world, can allow anyone to look behind the curtains on a hidden server to see everything from total traffic to active HTTP requests. When an hidden service reveals the HTTP requests, it's revealing every file—a Web page, picture, movie, .zip, anything at all—that's fetched by the server. Tor's developers were aware of the issue as early as last year but decided against sending out an advisory. The problem is common enough that even Tor's own developers have made the exact same mistake. Until October 2015, the machine that welcomed new users to the Tor network and checked if they were running up-to-date software allowed anyone to look at total traffic and watch all the requests.
This discussion has been archived. No new comments can be posted.

Sensitive Information Can Be Revealed From Tor Hidden Services On Apache

Comments Filter:
  • The only way that three people can keep a secret is if two of them are dead - and even then ....

    Experience has shown time and time again that there will never be perfect secrecy - just "good enough for now" is the best we can hope for.

    • Re: (Score:2, Interesting)

      The only way that three people can keep a secret is if two of them are dead - and even then ....

      Even this is no longer true. :(


      Experience has shown time and time again that there will never be perfect secrecy - just "good enough for now" is the best we can hope for.

      Worse yet is that what is secret today will be exposed tomorrow, or the next day, or the day after that. All that stuff people have encrypted or hidden will eventually be decrypted or dragged out into the light. "You can bet your ass it'll come to pass", as they say. And it will.

      So you're using SuperUber-Blowfish-SupperDish crypto with a 40 garjillion-bit key? Yeah, that'll be good for a while, but not forever. Quantum-computing may in fact herald an end to meaningful encrypt

      • by Anonymous Coward

        If you have AES-256 encrypted information on a cold drive, nothing short of a successful cryptanalysis or your nation's favorite Enhanced Torture Techniques will reveal that information.
        Quantum computing is not magic, and defeatism will get you nowhere. Grow some fucking willpower.

        • For now. Algorithms that seemed great at one point eventually become broken or successfully analyzed.

          DES stood up for a while, but computing resources overwhelmed it.

          MD5 was great until people learned it was flawed.

          same thing is happening now for SHA-1.

          True, the later two are for hashing rather than encrypting, but something that seems utterly unbreakable today could be economically broken tomorrow, if an unthought of technique is discovered.

          That's not defeatism, it's just being clear that everything *event

  • This is simply server misconfiguration. I can't comment on other distributions but Debian at least restricts /server-status URL access to localhost by default. You'd have to explicitly change this to allow from anywhere else.
    • Literally, because exactly this is the problem here,

      As a person visiting a web-site your communication with the webserver is actually comming from the localhost, leaving no way to distinguish for the webserver between a sysadmin and a normal visitor.

      • ..vice, your communication is actually comming from localhost ..

        • Ah, I did wonder if this was a case of "exiting from a TOR tunnel means the traffic is coming from".

          To be honest that means TOR is breaking a lot of expectations about localhost. Really they ought to use some RFC1918 address space for that final hop.

          Still, as-is, you could reconfigure /server-status to only be allowed from your actual local IP (and any other safe IPs), and not include localhost in the list.

          • by Hizonner ( 38491 )

            Actually, when you configure a hidden service on Tor, you have a choice of where the traffic coming out of the tunnel will go. You can send it to any address on the host, or even to another host.

            But it's easy to forget that isn't necessarily the best choice. And, worse, the Tor project's example configuration uses it.

            It's actually usually better to run the server on a separate machine from the Tor process, anyway, for a lot of reasons.

  • Summaries for Nerds (Score:5, Informative)

    by bill_mcgonigle ( 4333 ) * on Saturday January 30, 2016 @01:51PM (#51404225) Homepage Journal

    disable or restrict access to mod_status if you run a tor hidden service on Apache because mod_status is often enabled by default and serves to localhost; tor connects from localhost. mod_status shows some details of current requests which could leak info on other users.

  • by Anonymous Coward

    I only trust Microsoft IIS and ASP.Net for my web hosting needs.

  • When your looking at an story, Ctrl + enlarges the text making it easier to spot typos.
  • FTA:
    $ sudo a2dismod status


    Apparently some distros turn stuff on by default [].

    That's why I'm a huge fan of the "secure by default []" philosophy.

  • by Anonymous Coward

    Don't setup hidden services if you aren't a competent sysadmin. Really. If you don't know what you are doing and how to disable various headers etc etc, you'll be fucked. Crap like that was how silk road got taken down too(not by server status, but another page or something that showed some real IPs)

    You really need to check everything that your server sends out and make damn sure there are no information leaks. No real hostnames, IP addresses etc etc.


  • Localhost (Score:4, Insightful)

    by SlayerofGods ( 682938 ) on Saturday January 30, 2016 @04:00PM (#51404947)
    I always thought it seemed kind of foolish to run the web service and the tor node on the same system. Seems like it would be better to run the tor node on its own system and act as a gateway for the web server (with all appropriate firewall rules to prevent server from talking to anyone besides tor node) This would not only prevent this kind of attack where local host traffic is semi trusted. But perhaps more significantly it would prevent the webserver from ever leaking it's public address as it can't know what it is. My 2 cents
  • Everybody who configures a webserver decides if he wants a status page. Normally you disable it in production and with tor you disable EVERY feature you do not ABSOLUTELY NEED. Thats just common sense.

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky