Default settings on Apache Web servers can expose details about Tor traffic

This has happened for the second time this week. Leaving a default setting open after a product has shipped can mean serious problems for the product's users. Earlier we had MediaTek leaving a debug tool meant for developers enabled after shipping, which could let potential attackers take sensitive information from Android smartphones running on MediaTek processors.

The latest to join this default-settings party is Tor. It so happens that default settings left unmodified in Apache Web servers can expose details about the Tor traffic handled by that particular server.

As we know, the dark web that hosts .onion websites can be accessed using the Tor anonymity browser. There are several ways of setting up such a site, and one of the simplest is to use an Apache Web server together with a Tor daemon that handles the "anonymous" part of the server's traffic.

Unfortunately, the default settings of an Apache Web server, if left unmodified, can leak information about the traffic passing through the server, and about the server itself.

This was reported to the Tor Project and also covered on Reddit, but to no avail. The issue has once again been brought to the forefront by Alec Muffett, a Facebook software engineer who tweeted a blog post by an anonymous computer science student that explained the problem and its ramifications.

The Apache setting causing this issue is the Server Status module, which comes enabled by default. The output of this module is available on every such server when accessing the URL:

This page shows information about the server's settings, uptime, resource usage, total traffic, virtual hosts, and active HTTP requests. Details like these can help someone determine the server's timezone, approximate geographical location, and language settings, and even its IP address via improperly configured virtual hosts.

If you run a Tor website on top of an Apache server, you may want to check your server's configuration. To quickly disable the module, run the following shell command:

Once the Server-Status page is disabled, accessing the URL should return a 404 or 403 error message.
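The check described above can be scripted. The following is an added example, not code from the article, the student's blog post or the Tor Project: it requests the module's default location (/server-status, an assumption about the server's configuration), reports whether the page is exposed or blocked by the 200 versus 403/404 distinction the article mentions, and, if it is exposed, parses the connection table to list the virtual hosts and requests it reveals. The parser assumes the column order Apache 2.4 uses for its ExtendedStatus table (Client, VHost and Request as the last three columns). The embedded HTML is a constructed sample, not a capture from a real site.

```python
"""Audit an Apache server for an exposed mod_status page.

Added example (not the article's or the Tor Project's code).
Assumption: mod_status answers at /server-status and renders its
worker table with Client, VHost and Request as the last columns.
"""
import re
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

STATUS_PATH = "/server-status"  # assumed default handler location
_HTTP_VERB = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) ")


def classify(http_code):
    """Verdict for the status code returned by /server-status.
    200 means the page is readable; 403/404 is what a disabled or
    access-restricted module returns."""
    if http_code == 200:
        return "exposed"
    if http_code in (403, 404):
        return "blocked"
    return "unknown"


class _RowCollector(HTMLParser):
    """Collect the text of every <td> cell, grouped by <tr>."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._in_td, self._cell = [], None, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._in_td, self._cell = True, []

    def handle_endtag(self, tag):
        if tag == "td" and self._in_td:
            self._row.append("".join(self._cell).strip())
            self._in_td = False
        elif tag == "tr" and self._row is not None:
            if self._row:            # header rows use <th>, so stay empty
                self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._in_td:
            self._cell.append(data)


def extract_requests(html):
    """Return (client, vhost, request) triples from the worker table.
    Rows whose last cell is not an HTTP request line are skipped."""
    parser = _RowCollector()
    parser.feed(html)
    out = []
    for row in parser.rows:
        if len(row) >= 3 and _HTTP_VERB.match(row[-1]):
            out.append((row[-3], row[-2], row[-1]))
    return out


def leaked_onions(html):
    """Sorted .onion virtual host names visible on the status page."""
    names = {vhost.rsplit(":", 1)[0] for _, vhost, _ in extract_requests(html)}
    return sorted(n for n in names if n.endswith(".onion"))


def fetch_status(base_url, timeout=10):
    """GET base_url + /server-status and return (http_code, body)."""
    try:
        with urllib.request.urlopen(base_url + STATUS_PATH, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


# Constructed sample of an ExtendedStatus worker table, not a real capture.
SAMPLE_STATUS_HTML = """<html><body><h1>Apache Server Status for localhost</h1>
<table border="0">
<tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>SS</th><th>Req</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>4242</td><td>0/12/12</td><td>W</td><td>0</td><td>1</td><td>127.0.0.1</td><td>exampleonionaddressxyz.onion:80</td><td nowrap>GET /members/login.php HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>4243</td><td>0/3/3</td><td>_</td><td>5</td><td>0</td><td>127.0.0.1</td><td>exampleonionaddressxyz.onion:80</td><td nowrap>GET /static/logo.png HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>4244</td><td>0/7/7</td><td>W</td><td>0</td><td>2</td><td>203.0.113.7</td><td>www.example.com:80</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
</table></body></html>"""


if __name__ == "__main__":
    # Usage: python audit_status.py http://127.0.0.1   (run against your own server)
    code, body = fetch_status(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1")
    print("server-status:", classify(code), f"(HTTP {code})")
    for client, vhost, request in extract_requests(body):
        print(f"  {client:15} {vhost:40} {request}")
```

When a hidden service is published with Tor forwarding to Apache on the loopback interface, onion visitors show up in the Client column as 127.0.0.1, so the VHost and Request columns are what give the game away: the .onion name the server answers for and the URLs its visitors are fetching. The same loopback origin is also why a "local clients only" restriction on /server-status (the `Require local` rule some distributions ship in the module's default config) does not keep onion visitors out; disabling the module, as the article advises, is the reliable fix, and re-running the script should then report "blocked".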

[Figure: Sample server activity log from a real-life Tor website hosted on an Apache server]

