[tor-talk] Tor Double HiddenService w/ Server Level Intercepting Request and Content Anonymization

Manfred Ackermann yo at acki.es
Sat Oct 26 09:11:54 UTC 2013


I've just successfully finished a Proof-of-Concept to implement
anonymization at server level. I would be pleased if you guys can review
this approach and extend it and/or show me the caveats ;-)

The rough picture is assuming someone somehow injected bad code into a
seized site to get their hands on visitor info collected out of the HTTP
Request/Response (visitor not capable of setting up privoxy the right way
or even socksing directly into tor).

To protect I've:
- setup one HiddenService (aaaVisible.onion) that connects to intercepting
privoxy (IPr)
- setup 2nd HiddenService (bbbDblHidden.onion) only accepting from (IPr)
- setup IPr to rewrite aaaVisible.onion to bbbDblHidden.onion removing bad
stuff from Req./Resp.

This makes the Service double Hidden, more difficult to hack into,
redirect-able, and protects dumb visitors against revealing information
(fingerprints).

Client <-> Tor <-> Tor:HS <-> Privoxy <-> Tor <-> Tor:HS <-> (STunnel <->)
Service

The STunnel is used to move the IPv4 Service away from the HiddenService
declaration and optional but recommended. Also Service is only allowed to
"speak" to STunnel and has no Internet access.

To check this out on a single server w/o STunnel, do this (the onion links
named ARE AN EXAMPLE ONLY):

Get Tor and Privoxy up'n'running like a normal Tor-Entry-Point.

Modify /etc/tor/torrc:

HiddenServiceDir /var/lib/tor/onion_relay/
HiddenServicePort 80 127.0.0.1:8118

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

Do on the shell

/etc/init.d/tor restart

or in arm do x x to sighup tor.

As AN EXAMPLE this gives

mr2t4bnopbqy2ql7.onion => "Onion-Relay"
cmt6wblsm36iuoqn.onion => "HiddenService"

Prepare the Service (here Apache2):

Create /etc/apache/sites-available/tor

<VirtualHost *:80>
    ServerAdmin root@cmt6wblsm36iuoqn.onion
    ServerName cmt6wblsm36iuoqn.onion
    DocumentRoot /var/www/tor
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/tor>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Only requests carrying the relay passphrase header (added by Privoxy) get through
        SetEnvIf X-Onion-Relay-Passphrase JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs ONION_RELAY_AUTH
        Order Deny,Allow
        Deny from All
        Allow from env=ONION_RELAY_AUTH
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/tor-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/tor-access.log combined
</VirtualHost>

Do on the shell

mkdir /var/www/tor
# no backslash inside the single quotes, otherwise it ends up literally in the HTML
echo '<html><body><h1>cmt6wblsm36iuoqn.onion</h1>
      <img src="http://cmt6wblsm36iuoqn.onion/x.jpg"></body></html>' \
      > /var/www/tor/index.html
cp some-nice-jpg-file.jpg /var/www/tor/x.jpg
cd /etc/apache/sites-enabled
ln -s ../sites-available/tor 001-tor
/etc/init.d/apache2 restart

Prepare Privoxy

In /etc/privoxy/config:
accept-intercepted-requests 1

In /etc/privoxy/user.action:
# applied to every URL: hide the visitor's real User-Agent and Accept-Language
{ \
+hide-user-agent{Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0 (Tor Browser Bundle)} \
+hide-accept-language{en-us,en;q=0.5} \
}
/

# applied only to the visible relay name: rewrite headers/body and add the passphrase
{ \
+server-header-filter{server-ident-rewrite} \
+client-header-filter{onion-request-rewrite} \
+filter{onion-response-rewrite} \
+add-header{X-Onion-Relay-Passphrase: JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs} \
}
mr2t4bnopbqy2ql7.onion

In /etc/privoxy/user.filter:
SERVER-HEADER-FILTER: server-ident-rewrite Replace Server Ident String
s@^(Server:)\s*.*$@$1 Http/1.1@i
CLIENT-HEADER-FILTER: onion-request-rewrite Replace x.onion with y.onion
s@^(Host:)\s*mr2t4bnopbqy2ql7.onion$@$1 cmt6wblsm36iuoqn.onion@i
FILTER: onion-response-rewrite Replace y.onion with x.onion
s/cmt6wblsm36iuoqn\.onion/mr2t4bnopbqy2ql7.onion/ig

Do on the shell

/etc/init.d/privoxy restart

Try in the browser:

HiddenService direct: cmt6wblsm36iuoqn.onion => 403 Forbidden
HiddenService indirect by privoxy onion-rewrite: mr2t4bnopbqy2ql7.onion =>
the result from cmt6wblsm36iuoqn.onion

Have a look at the Response Headers (e.g. Firefox Plugin WebDeveloper =>
Information => Response Header) and you see Server: Apache/2.2.22
(Ubuntu) is replaced by Server: Http/1.1. Also modify the index file in the
web root to show request vars like user-agent and accept-language ... here,
for example, response content can be removed to prevent 3rd-party JavaScript
or Flash injection to the visitor.
---
Regards,
Manfred Ackermann
PGP 0xED5E5F28
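As an added illustration (not part of the original post), the following Python models the three Privoxy rewrites and the Apache passphrase gate from the configs above, using the post's example onion names, passphrase and fake User-Agent, so the header and body transformations can be checked offline without Tor. The functions `rewrite_request`, `apache_allows` and `rewrite_response` are hypothetical names for this model, not Privoxy or Apache APIs.

```python
import re

# Example-only values taken from the post's configs
VISIBLE = "mr2t4bnopbqy2ql7.onion"  # "Onion-Relay" -> intercepting Privoxy
HIDDEN = "cmt6wblsm36iuoqn.onion"   # double-hidden Apache service
PASSPHRASE = "JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs"
FAKE_UA = ("Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 "
           "Firefox/17.0 (Tor Browser Bundle)")


def rewrite_request(headers):
    """Model of the client-side actions: hide-user-agent, hide-accept-language,
    the onion-request-rewrite Host filter and the add-header passphrase."""
    out = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        if name == "user-agent":
            h = "User-Agent: " + FAKE_UA
        elif name == "accept-language":
            h = "Accept-Language: en-us,en;q=0.5"
        else:
            # s@^(Host:)\s*mr2t...onion$@$1 cmt6...onion@i
            h = re.sub(r"^(Host:)\s*" + re.escape(VISIBLE) + r"$",
                       r"\1 " + HIDDEN, h, flags=re.I)
        out.append(h)
    out.append("X-Onion-Relay-Passphrase: " + PASSPHRASE)
    return out


def apache_allows(headers):
    """Model of 'SetEnvIf X-Onion-Relay-Passphrase <value> ONION_RELAY_AUTH'
    plus 'Deny from All / Allow from env=ONION_RELAY_AUTH'. SetEnvIf is a
    regex match on the header value, so re.search mirrors it."""
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() == "x-onion-relay-passphrase":
            if re.search(re.escape(PASSPHRASE), value):
                return True  # served normally
    return False  # 403 Forbidden


def rewrite_response(headers, body):
    """Model of server-ident-rewrite on the headers and
    onion-response-rewrite on the body (hidden name -> visible name)."""
    hdrs = [re.sub(r"^(Server:)\s*.*$", r"\1 Http/1.1", h, flags=re.I)
            for h in headers]
    body = re.sub(re.escape(HIDDEN), VISIBLE, body, flags=re.I)
    return hdrs, body
```

A direct request to the hidden name (no passphrase header) is refused by `apache_allows`, while the relayed request passes and its response no longer reveals the Apache version or the hidden .onion name.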

