Maksim Kabakou - Fotolia

Misconfigured Tor sites leave public IP addresses exposed

The anonymity of Tor is once again under scrutiny, as a researcher finds misconfigured Tor sites can expose the public IP address connected to a dark web site.

The Tor network's degree of anonymity has come under increased questioning over recent years, and new research found public IP addresses can be connected to misconfigured Tor sites.

Yonathan Klijnsma, lead threat researcher at RiskIQ, a cyber threat intelligence company based in San Francisco, said he found out about the misconfigured Tor sites when crawling the web to associate SSL certificates with the host IP address for the site.

Klijnsma found misconfigured Tor servers that were listening to requests on public IP addresses instead of on the localhost IP address, 127.0.0.1, which is the default address for traffic originating on the same system. Tor servers must listen only on localhost in order to preserve the anonymity users expect from the Tor network and to keep anonymized Tor network traffic off of the public internet.

If correctly configured, an SSL certificate for a Tor site would only be associated with the dark web onion address of that site. But if a misconfigured Tor site listens on a public IP address, the certificate will also become associated with that address. However, it is unclear whether the issue is widespread.

Klijnsma did not respond to requests for comment at the time of this post.

Klijnsma began tweeting about the issue in July in order to make Tor administrators and users aware that sites they expected to be anonymous may not be. And he has even gotten pushback on his research.

Klijnsma's research isn't the first to find ways to deanonymize Tor. Researchers previously found that domain-name-system monitoring could be used to identify Tor users. And the FBI notably chose not to disclose a Tor vulnerability it used to find a suspect in a child porn case, leading to the case being dismissed.

Dig Deeper on Application and platform security