Tor is a browser known for keeping the IP addresses of its users private and confidential, which lets users surf the web anonymously. However, according to RiskIQ threat researcher Yonathan Klijnsma, it is possible to identify the IP addresses of Tor users. Klijnsma states that misconfigured Dark Web servers are mainly responsible for exposing IP addresses.
It is a common perception that Klijnsma is trying to attack Tor and similar services. However, he is actually pointing out flaws present in a well-known service that may lead to grave consequences for those using Tor regularly. According to Klijnsma, misconfigured Tor sites that use SSL certificates are causing the exposure of IP addresses. There are multiple such sites that can expose the public IP addresses of their underlying servers.
Appropriately configured servers that host Tor sites only need to listen on localhost, 127.0.0.1, and not on any public IP address. Misconfigured servers, on the other hand, have their local Apache or Nginx server listen on another address, either * or 0.0.0.0.
For those who are telling me to stop attacking #Tor, I'm not attacking Tor.
I'm merely trying to get across the concept that there's a difference between setting up the listening host for your server as 0.0.0.0 or * vs 127.0.0.1. https://t.co/zhY27p8Wrw
— Yonathan Klijnsma (@ydklijnsma) August 4, 2018
The exposure inevitably occurs when no firewall is in use; under normal circumstances, servers should listen only on 127.0.0.1. Klijnsma also explained that these misconfigured servers can be easily identified. He discovered them by examining the internet and linking SSL certificates to the IP addresses that host them, which let him identify the misconfigured Tor services and their corresponding IP addresses.
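A check an operator can run against their own onion service host for the misconfiguration described above, as an added example that is not from the article or from Klijnsma: it reads the backend ports from torrc `HiddenServicePort` lines and flags any that an `ss -Hltn` listing shows bound to a wildcard or other non-loopback address. The torrc excerpt, the socket listing and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample inputs (not from the article): a torrc excerpt and
# `ss -Hltn` output from a hypothetical host running one onion service.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/site/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 8443
"""
SAMPLE_SS = """\
LISTEN 0 511  127.0.0.1:8080  0.0.0.0:*
LISTEN 0 511    0.0.0.0:8443  0.0.0.0:*
LISTEN 0 511       [::]:8443     [::]:*
LISTEN 0 128          *:22          *:*
"""

def onion_backend_ports(torrc):
    """Local TCP ports that HiddenServicePort lines forward to."""
    ports = set()
    for line in torrc.splitlines():
        fields = line.split("#")[0].split()
        if not fields or fields[0] != "HiddenServicePort":
            continue
        # A missing target means the same port on 127.0.0.1.
        target = fields[2] if len(fields) > 2 else fields[1]
        if target.startswith("unix:"):
            continue  # Unix sockets are not reachable over the network
        port = target.rsplit(":", 1)[-1]
        # An address-only target keeps the virtual port number.
        ports.add(int(port) if port.isdigit() else int(fields[1]))
    return ports

def is_loopback(host):
    """True only for loopback addresses; '*' and 0.0.0.0/:: are wildcards."""
    host = host.strip("[]").split("%")[0]  # drop brackets and %iface scope
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_backends(torrc, ss_output):
    """Return (address, port) for onion backends not bound to loopback."""
    ports = onion_backend_ports(torrc)
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)
        if int(port) in ports and not is_loopback(host):
            findings.append((host, int(port)))
    return findings
```

On the sample data only the 8443 backend is reported, once for IPv4 and once for IPv6; the wildcard SSH listener is ignored because no onion service forwards to it.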
“[This] means Tor connections will work obviously, but also external connections will as well,” Klijnsma told Bleeping Computer.
Whenever a hidden service administrator adds an SSL certificate to a website, the .onion domain is added to the certificate: the certificate's Common Name (CN) field reports the .onion address of the anonymity service. When a server is misconfigured to listen on a public IP address, the SSL certificate associated with the website is also used for that address.
“Continuously. I’m not even kidding. Some don’t listen on http/https, so I don’t know what they are, but they have onion addresses and live on both clear and dark web,” Klijnsma stated.
This is not the first time Tor browser has been found leaking IP addresses. Previously, a critical vulnerability in Tor browser exposed the real IP addresses of its users. When a user clicked on a specially crafted file:// link, he or she was redirected to a webpage that created a direct connection between the computer and a remote host, bypassing the security of Tor browser.
Therefore, if you are a Tor user, do not depend on it, since 100% security and privacy is a myth. Stay safe online.