Advice from x0rz: Securing a Web Hidden Service

One of my friends referred me to the excellent Just another infosec blog type of thing earlier today, specifically the article Securing a Web Hidden Service, and I was immediately intrigued.

The post discusses the fact that many Tor hidden services (.onion sites) are poorly configured, and in the process, can leak their clearnet IP address (which defeats the purpose of having an onion site in the first place, does it not?).

While I don’t want to steal his thunder, one of his pieces of advice is that you shouldn’t let your hidden service be accessible via the clearnet. As x0rz states:

The reasons why you shouldn’t be accessible on clearnet are scanners. Scanners from Shodan or Censys (or even Google) are constantly scanning all the IPv4 public space (what we can call and will scan and index your server as well. You’ll be easily uncloaked if scanners find matching HTML content of your website, or even matching HTTP headers…

I’m fully aware that there are lots of onion sites that have this issue, not only because of improper configuration but also because of proxies like Tor2Web, for instance, which enables some Tor hidden services to be accessed via the clearnet. As a matter of fact, a second ago I came across some Tor2Web sites by complete accident.

One of the sites that x0rz mentions is http://vdshopj52jdlpp5a.onion, which he basically “exposes” on Twitter – ouch.

For the curious, here’s the data that Shodan picked up:

Other pieces of advice he offers are:

  1. Disabling directory listing
  2. Disabling verbose signature and error reporting
  3. Fixing security flaws
  4. Routing only Tor traffic

I strongly suggest that you read the rest of his post, in particular, if you’re running a Tor hidden service (or plan on it). Even if you aren’t doing anything illegal, there’s still a strong chance that your site will fall victim to an attack.

Oh, and please check out his blog as well; it’s chock-full of valuable advice.

P.S. Just for fun, let’s see one more of these sites, http://gearbankbaesqqv7.onion:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.