Sensitive information can be revealed from Tor hidden services on Apache
Tor’s developers were aware of the issue last year but decided against sending out an advisory.
The hidden websites on the Tor anonymity network are supposed to be concealed behind a strong veil of technology. But as with any technology, human mistakes can undo almost anything.
A common configuration mistake in Apache, the most popular Web server software in the world, can allow anyone to look behind the curtains on a hidden server to see everything from total traffic to active HTTP requests.
When a hidden service reveals its active HTTP requests, it is revealing every file—a Web page, picture, movie, .zip, anything at all—that the server is being asked to fetch.
Tor’s developers were aware of the issue as early as last year but decided against sending out an advisory.
The problem is common enough that even Tor’s own developers have made the exact same mistake. Until October 2015, the machine that welcomed new users to the Tor network and checked if they were running up-to-date software allowed anyone to look at total traffic and watch all the requests.
In the case of this particular Tor Project machine, it doesn’t appear that there’s much danger to the users. Instead, the status page reveals a lot of server information but not much sensitive user data.
Alec Muffett from Facebook, which runs its own hidden service, said on Saturday that he has been sounding the alarm on the problem for six months. Last year, he found a popular hidden service search engine with the same problem exposing active HTTP requests, meaning you could watch the searches being made in real time.
Muffett redacted the “most distasteful” results. Even so, the top search asks “How to get rid of 2 bodys.”
When alerted last year to the issue, Tor developers decided against sending out an advisory. In fact, Apache’s configuration problem has been known even longer than that.
To fix the issue on your own Apache-run hidden service, Muffett advises a one-liner from the shell of your server to disable the whole thing:
$ sudo a2dismod status
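The configuration behind the mistake, shown as an added example rather than anything from the article: the stock mod_status setup restricts /server-status with "Require local", but a Tor onion service hands every visitor's connection to Apache from the local tor daemon, so every Tor visitor counts as local. The two halves below are alternatives, not one file; the listener ports, paths and the ServerName values are assumed placeholders.

```apache
# --- Weak: the stock status.conf as shipped by Debian/Ubuntu (abridged) ---
# "Require local" admits any client connecting from 127.0.0.1. The tor daemon
# proxies onion traffic to Apache from exactly that address, so every Tor
# visitor can read /server-status, including the live request list.
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
    ExtendedStatus On
</IfModule>

# --- Hardened: use instead of the block above ---
# Simplest option is the one the article gives: "sudo a2dismod status".
# If administrators still need the status page, keep it off the port that
# torrc forwards to (assumed here: HiddenServicePort 80 127.0.0.1:8080)
# and serve it only on a second loopback listener reached over SSH.
Listen 127.0.0.1:8080
Listen 127.0.0.1:8081
# ExtendedStatus is server-wide; Off drops the per-request detail entirely.
ExtendedStatus Off

<VirtualHost 127.0.0.1:8080>
    # Onion-facing site: no status handler here at all.
    # Placeholder name; the onion address is not what Apache sees.
    ServerName onion-site.local
    DocumentRoot /var/www/onion
    <Location /server-status>
        # Refuse even if a global status.conf is still loaded:
        # this Require replaces the server-level "Require local".
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost 127.0.0.1:8081>
    # Admin-only listener; never referenced by any HiddenServicePort line.
    ServerName status.local
    <Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
    </Location>
</VirtualHost>
```

After reloading, confirm the fix from the Tor side by requesting /server-status through the onion address and expecting a 403 or 404, not a status page.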
Photo via Andrew Stawarz/Flickr (CC BY ND 2.0)
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.