It's not that bad, but it's not something you could ignore

Jan 30, 2016 22:35 GMT  ·  By

A default setting left unmodified in Apache Web servers can reveal details about Tor traffic handled through that particular server.

The Dark Web is a hidden area of the Internet which can only be accessed via special services like Tor or I2P. This portion of the Web is just like its bigger brother, only restricted and anonymized.

But as with any part of the Web, the .onion websites everyone accesses need to be hosted on a Web server. There are various methods of doing this, and one of the simplest is to use an Apache Web server along with a Tor daemon to handle the "anonymous" part of the server's traffic.

Unfortunately, a default setting in Apache Web servers, if left unmodified, could leak information on the traffic that's going on via the server, and the server itself.

One-year-old problem plaguing many .onion sites

This issue is not a new one, having already been reported on Reddit and to the Tor Project, but it was brought into the limelight once again after Alec Muffett, a well-known security guru and current Facebook software engineer, tweeted the blog post of a little-known computer science student that explained this problem and its ramifications.

The Apache server setting causing this issue is the Server Status module (mod_status), which comes activated by default. The output of this module is available on every server when accessing the URL: http://website.com/server-status/

This page will show data on a server's settings, uptime, resource usage, total traffic, virtual hosts, and active HTTP requests. Details like these can help someone detect the server's timezone, relative geographical position, language settings, and even its IP address via improperly configured virtual hosts.

This issue is not just theory: it was used to snoop on a Tor website's traffic

In one example, the student that recently came across this issue discovered an active Server Status page for a Dark Web search engine.

Looking at the server's active HTTP requests, he was able to view what people were searching for on that particular service. While some of the queries were adult-related, the student did take a screenshot of a case where a user searched for "How to get rid of 2 bodies." But let's not open the Tor-bad/Tor-good topic right now.

If you run a Tor website on top of an Apache server, you may want to check your server's config. To quickly disable the module just run the following shell command:

    sudo a2dismod status

Don't be scared: "a2" stands for Apache 2.x, the latest stable Apache branch, "dis" means disable, "mod" is module, and "status" refers to the Server Status module.

Once the Server Status module is disabled, accessing its URL should return a 404 or 403 error message.
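The check-then-disable procedure above, as an added shell script that is not part of the article: it tests whether the status module is loaded on a Debian/Ubuntu-style install, interprets the status code returned by probing the server-status URL, and wraps the disable command together with the Apache restart it needs. The Debian file layout (/etc/apache2/mods-enabled, a2dismod, systemctl restart apache2) and the probe URL are assumptions; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): audit whether Apache's Server Status
# module is enabled on a Debian/Ubuntu-style install, interpret the result of
# probing /server-status/, and disable the module the way the article suggests.
# Assumptions: Debian layout (/etc/apache2/mods-enabled, a2dismod,
# systemctl restart apache2); the probe URL used below is a placeholder.

# On Debian-family systems a2enmod creates a symlink named status.load in
# mods-enabled and a2dismod removes it, so its presence tells you whether the
# module is loaded.  The directory is a parameter so the check can also be run
# against a copied configuration tree.
status_module_enabled() {
    mods_enabled_dir="${1:-/etc/apache2/mods-enabled}"
    [ -e "$mods_enabled_dir/status.load" ]
}

# Interpret an HTTP status code from a probe of /server-status/.
# 200: the page is served, so uptime, vhosts and active requests are visible.
# 403 or 404: what the article says you should see once the module is off.
# Anything else (including curl's 000 for "no connection") is reported unknown.
classify_probe() {
    case "$1" in
        200)     echo exposed ;;
        403|404) echo disabled ;;
        *)       echo unknown ;;
    esac
}

# Fetch only the status code of a URL and classify it.  Extra arguments are
# passed to curl; for a .onion address route the request through the local Tor
# SOCKS proxy, e.g.:
#   probe_status_page http://example.onion/server-status/ --socks5-hostname 127.0.0.1:9050
probe_status_page() {
    url="$1"
    shift
    code=$(curl -s -o /dev/null -w '%{http_code}' "$@" "$url" 2>/dev/null) || code=000
    classify_probe "$code"
}

# The article's fix: unload the module, then restart Apache so it takes effect.
disable_status_module() {
    sudo a2dismod status && sudo systemctl restart apache2
}

# Run the audit only when explicitly asked, so sourcing this file is harmless.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    if status_module_enabled; then
        echo "mod_status is enabled in /etc/apache2/mods-enabled"
    else
        echo "mod_status is not enabled"
    fi
    # Placeholder URL; replace with your own site's server-status address.
    echo "probe: $(probe_status_page "http://localhost/server-status/")"
fi
```

Run it with `RUN_AUDIT=1 sh audit-mod-status.sh` to see both checks, or source the file and call `disable_status_module` once the audit reports the page as exposed. Note that restricting the status page by client address (for instance Apache's `Require local`) is not a substitute for disabling it on a hidden service: the Tor daemon forwards onion requests to the web server from the local machine, so they satisfy a localhost-only rule.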

[Image: Some Tor traffic can be viewed on misconfigured Apache servers]

[Image: Sample server activity log from a real-life Tor website hosted on an Apache server]