[tor-onions] Privacy Audits for Onion Services

Tom Ritter tom at ritter.vg
Thu Aug 30 15:51:22 UTC 2018 

That's an excellent question. I think we should make a wiki page on
trac about this, if we don't have one already...

Off the top of my head, I'd suggest the following (specific to HTTP(S) servers):
- Ensure your clock is correct and is corrected automatically once or
twice a day to reduce time skews
- If your server is exposed to the internet, ensure that one cannot
hit your onionsite by specifying it in the host header on the
clearnet. Ensure the onionsite is only listening on the internal IP.
- Similarly, ensure that your external website(s)are only listening on
external ip addresses, and one cannot hit them over the onionsite by
specifying them in the Host header
- Best case: run your service on a machine that _has_ no external IP
address and only internal IP addresses
- Check your SSL configuration and ensure your onionsite isnt sending
a cert for external websites
- Don't run a relay and a hidden service on the same tor instance

Then there are a ton of advice items for individual
languages/frameworks.  For example for PHP, don't expose phpinfo() or
$_SERVER. Don't expose error messages.

There is a class of web attack called 'SSRF' or Server Side Request
Forgery. The toehold of this attack is that you can induce the
_server_ to perform a connection. This could be through a DNS lookup,
a XML DTD fetch, or other types of vulnerabilities. If an attacker can
do this on your onionsite, they can trigger you to connect to their
server and learn your server address.  You can mitigate this by strict
egress firewalling.

-tom

On 30 August 2018 at 10:33, Jason S. Evans <jason.s.evans at protonmail.com> wrote:
> Hi all,
>
> How can I best audit an onion service to make sure that my IP can not easily
> be compromised? Is there a list of things to do to try to hack my own site
> to try to find the IP?
>
> Thanks!
> Jason
>
>
>
>
> _______________________________________________
> tor-onions mailing list
> tor-onions at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions
>

More information about the tor-onions mailing list