[tor-talk] Tor Double HiddenService w/ Server Level Intercepting Request and Content Anonymization

Manfred Ackermann yo at acki.es
Tue Oct 29 16:14:40 UTC 2013


Now I feel relieved :-) I already started to think that I was just too
hammered when I had the idea ...

The text is mostly the changes that have to be made to implement this
approach.

Basically it's getting a request out of the tor network, intercepting it,
putting it back into tor to another destination and getting the also
intercepted response back to the original requester.

Thanks for your reply.
On 29.10.2013 14:42, "adrelanos" <adrelanos at riseup.net> wrote:

> Hi Manfred,
>
> I find it's a very interesting idea! Just never got to actually study
> your message. It's still marked unread in my inbox so I will be reminded
> to read it when time comes.
>
> Not sure why no one else answered. Perhaps because it looks at first
> sight like a lot text and quite difficult.
>
> Cheers,
> adrelanos
>
> Manfred Ackermann:
> > Hi List.
> >
> > Sorry to push this up, just wondering if this approach is so stupid that
> > it's not even worth leaving a related comment to it ;-) Or is it just of no
> > interest?
> >
> > Any comments appreciated.
> >
> > Greetings, Manfred
> > On 26.10.2013 01:09, "Manfred Ackermann" <manfred.ackermann at gmail.com> wrote:
> >
> >> I've just successfully finished a Proof-of-Concept to implement
> >> anonymization at server level. I would be pleased if you guys can review
> >> this approach and extend it and/or show me the caveats ;-)
> >>
> >> The rough picture is assuming someone somehow injected bad code into a
> >> seized site to get hands on visitor infos collected out of HTTP
> >> Request/Response (visitor not capable of setting up privoxy the right way
> >> or even socksing directly into tor).
> >>
> >> To protect I've:
> >> - setup one HiddenService (aaaVisible.onion) that connects to intercepting
> >>   privoxy (IPr)
> >> - setup 2nd HiddenService (bbbDblHidden.onion) only accepting from (IPr)
> >> - setup IPr to rewrite aaaVisible.onion to bbbDblHidden.onion removing bad
> >>   stuff from Req./Resp.
> >>
> >> This makes the Service double Hidden, more difficult to hack into it,
> >> redirect-able and protects dumb visitors against revealing information
> >> (fingerprints).
> >>
> >> Client <-> Tor <-> Tor:HS <-> Privoxy <-> Tor <-> Tor:HS <-> (STunnel <->) Service
> >>
> >> The STunnel is used to move the IPv4 Service away from the HiddenService
> >> declaration and is optional but recommended. Also the Service is only allowed
> >> to "speak" to STunnel and has no Internet access.
> >>
> >> To check this out on a single server w/o STunnel do this (named
> >> onion-links ARE AN EXAMPLE ONLY):
> >>
> >> Get Tor and Privoxy up'n'running like a normal Tor-Entry-Point.
> >>
> >> Modify /etc/tor/torrc:
> >>
> >> HiddenServiceDir /var/lib/tor/onion_relay/
> >> HiddenServicePort 80 127.0.0.1:8118
> >>
> >> HiddenServiceDir /var/lib/tor/hidden_service/
> >> HiddenServicePort 80 127.0.0.1:80
> >>
> >> Do on the shell
> >>
> >> /etc/init.d/tor restart
> >>
> >> or in arm do x x to sighup tor.
> >>
> >> As AN EXAMPLE this gives
> >>
> >> mr2t4bnopbqy2ql7.onion => "Onion-Relay"
> >> cmt6wblsm36iuoqn.onion => "HiddenService"
> >>
> >> Prepare the Service (here Apache2):
> >>
> >> Create /etc/apache/sites-available/tor
> >>
> >> <VirtualHost *:80>
> >>     ServerAdmin root@cmt6wblsm36iuoqn.onion
> >>     ServerName cmt6wblsm36iuoqn.onion
> >>     DocumentRoot /var/www/tor
> >>     <Directory />
> >>         Options FollowSymLinks
> >>         AllowOverride None
> >>     </Directory>
> >>     <Directory /var/www/tor>
> >>         Options Indexes FollowSymLinks MultiViews
> >>         AllowOverride None
> >>         # only requests carrying the relay passphrase header set the env var
> >>         SetEnvIf X-Onion-Relay-Passphrase JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs ONION_RELAY_AUTH
> >>         Order Deny,Allow
> >>         Deny from All
> >>         Allow from env=ONION_RELAY_AUTH
> >>     </Directory>
> >>     ErrorLog ${APACHE_LOG_DIR}/tor-error.log
> >>     LogLevel warn
> >>     CustomLog ${APACHE_LOG_DIR}/tor-access.log combined
> >> </VirtualHost>
> >>
> >> Do on the shell
> >>
> >> mkdir /var/www/tor
> >> echo '<html><body><h1>cmt6wblsm36iuoqn.onion</h1> \
> >>       <img src="http://cmt6wblsm36iuoqn.onion/x.jpg"></body></html>' \
> >>       > /var/www/tor/index.html
> >> cp some-nice-jpg-file.jpg /var/www/tor/x.jpg
> >> cd /etc/apache/sites-enabled
> >> ln -s ../sites-available/tor 001-tor
> >> /etc/init.d/apache2 restart
> >>
> >> Prepare Privoxy
> >>
> >> In /etc/privoxy/config:
> >> accept-intercepted-requests 1
> >>
> >> In /etc/privoxy/user.action:
> >> { \
> >> +hide-user-agent{Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0 (Tor Browser Bundle)} \
> >> +hide-accept-language{en-us,en;q=0.5} \
> >> }
> >> /
> >>
> >> { \
> >> +server-header-filter{server-ident-rewrite} \
> >> +client-header-filter{onion-request-rewrite} \
> >> +filter{onion-response-rewrite} \
> >> +add-header{X-Onion-Relay-Passphrase: JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs} \
> >> }
> >> mr2t4bnopbqy2ql7.onion
> >>
> >> In /etc/privoxy/user.filter:
> >> SERVER-HEADER-FILTER: server-ident-rewrite Replace Server Ident String
> >> s@^(Server:)\s*.*$@$1 Http/1.1@i
> >> CLIENT-HEADER-FILTER: onion-request-rewrite Replace x.onion with y.onion
> >> s@^(Host:)\s*mr2t4bnopbqy2ql7\.onion$@$1 cmt6wblsm36iuoqn.onion@i
> >> FILTER: onion-response-rewrite Replace y.onion with x.onion
> >> s/cmt6wblsm36iuoqn\.onion/mr2t4bnopbqy2ql7.onion/ig
> >>
> >> Do on the shell
> >>
> >> /etc/init.d/privoxy restart
> >>
> >> Try in the browser:
> >>
> >> HiddenService direct: cmt6wblsm36iuoqn.onion => 403 Forbidden
> >> HiddenService indirect by privoxy onion-rewrite: mr2t4bnopbqy2ql7.onion =>
> >> the Result from cmt6wblsm36iuoqn.onion
> >>
> >> Have a look at the Response Headers (e.g. Firefox Plugin WebDeveloper =>
> >> Information => Response Header) and you see Server: Apache/2.2.22
> >> (Ubuntu) is replaced by Server: Http/1.1. Also do modify the index-file in
> >> the web-root to show Request-Vars like user-agent and accept-language ... here
> >> for example response content can be removed to prevent 3rd party JavaScript
> >> or Flash injection to the visitor.
> >> ---
> >> Regards,
> >> Manfred Ackermann
> >> PGP 0xED5E5F28
> >>
> >>
>
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
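The relay and gate logic of the quoted setup (Privoxy header/content rewrites, Apache passphrase gate) as an added Python example that is not code from the post, so the round trip can be checked offline. Onion addresses, passphrase and header values are the post's example ones; demo_origin is a constructed stand-in for the Apache vhost, and the constant-time compare plus dropping a visitor-supplied passphrase header are hardenings not in the post.

```python
import hmac
import re

# Values copied from the post's example setup (example addresses/secret only).
VISIBLE_ONION = "mr2t4bnopbqy2ql7.onion"   # "Onion-Relay": what visitors use
HIDDEN_ONION = "cmt6wblsm36iuoqn.onion"    # double-hidden service behind Privoxy
PASSPHRASE_HEADER = "X-Onion-Relay-Passphrase"
PASSPHRASE = "JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs"
UNIFORM_UA = "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0 (Tor Browser Bundle)"
UNIFORM_LANG = "en-us,en;q=0.5"  # forced, with UNIFORM_UA, by the post's +hide-* actions

def rewrite_request(headers):
    """Relay side (Privoxy's client-header rules); header names are assumed
    canonically capitalised. A visitor-supplied passphrase header is dropped
    so only the relay can assert it (a hardening not in the post)."""
    drop = {"host", "user-agent", "accept-language", PASSPHRASE_HEADER.lower()}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    host = headers.get("Host", "")
    relayed = host.lower() == VISIBLE_ONION  # does onion-request-rewrite apply?
    out["Host"] = HIDDEN_ONION if relayed else host
    if relayed:
        out[PASSPHRASE_HEADER] = PASSPHRASE  # +add-header
    out["User-Agent"] = UNIFORM_UA           # +hide-user-agent
    out["Accept-Language"] = UNIFORM_LANG    # +hide-accept-language
    return out

def gate_request(headers):
    """Hidden-service side (vhost SetEnvIf + Deny/Allow), constant-time compare."""
    ok = hmac.compare_digest(headers.get(PASSPHRASE_HEADER, ""), PASSPHRASE)
    return 200 if ok else 403

def rewrite_response(headers, body):
    """Relay side: server-ident-rewrite on Server, onion-response-rewrite on body."""
    out = dict(headers)
    if "Server" in out:
        out["Server"] = "Http/1.1"
    body = re.sub(re.escape(HIDDEN_ONION), VISIBLE_ONION, body, flags=re.IGNORECASE)
    return out, body

def demo_origin(headers):  # constructed stand-in for the post's Apache vhost
    return ({"Server": "Apache/2.2.22 (Ubuntu)"},
            '<h1>%s</h1><img src="http://%s/x.jpg">' % (HIDDEN_ONION, HIDDEN_ONION))

def relay(client_headers, origin=demo_origin):
    """One round trip: relay rewrite -> gate -> origin -> relay rewrite."""
    upstream = rewrite_request(client_headers)
    if gate_request(upstream) != 200:
        return 403, {}, "403 Forbidden"
    resp_headers, body = rewrite_response(*origin(upstream))
    return 200, resp_headers, body
```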


More information about the tor-talk mailing list