
posted by janrinok on Friday October 21 2016, @09:43AM
from the doh! dept.

... I present the case of Mr. [redacted] a European application developer who has taken it upon himself to sell drugs on the side.

... for what ever reason, he hosts the site for his newly founded application development business on the same server as his drug business.

This means the server-status leak not only exposes the location of the server hosting the drug advertisement. It also points directly to the identity of the man behind it all.

Now that might seem obvious, but do you know why it is dangerous?

Server status pages are generated by the Apache web server's mod_status module to help people understand how their sites are performing. Leaks occur when the pages are inadvertently made available to the rest of us. On an ordinary website, a server-status page will expose any private data that's contained in the URLs that its users are visiting, bypassing the protection of HTTPS. On rare occasions, that private data can even include users' session IDs and passwords.

On Dark Web sites things get far more serious. If you run a Dark Web site and a regular website on the same server, as "Mr. [redacted]" and many others do, then both addresses will appear in that server's server-status page, as the screenshot in the article shows.

Thanks to a quirk in the Apache server configuration, leaky server-status pages are actually much more common on Dark Web sites than they are on regular sites. By default, Apache server-status pages are kept away from prying eyes and are only visible to users on the localhost machine – the machine the server is actually running on. Exposing a server-status page on the regular web therefore takes some effort – you actually have to get into the configuration and screw it up. On the Dark Web the opposite is true – your server-status page is exposed unless you get into the configuration and fix it. That's because the Tor daemon (the software that makes your website 'Dark') runs on localhost, so your website receives all of its traffic as if it were coming from localhost, affording everyone the privilege of being able to view your server-status page.
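To make the quirk concrete, here is an added configuration example (not from the Sophos article or from the Apache project): the stock Debian-style mod_status block that leaks over Tor, followed by a corrected layout. The port numbers, the DocumentRoot path and the torrc line are assumptions for illustration.

```apache
# Weak (Debian/Ubuntu default in mods-available/status.conf).
# "Require local" admits any client on 127.0.0.0/8 or ::1. The Tor daemon
# delivers onion requests from 127.0.0.1, so every onion visitor qualifies.
# ExtendedStatus On additionally prints each client's full request URI.
<IfModule mod_status.c>
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
    ExtendedStatus On
</IfModule>

# Corrected: the onion site lives in its own VirtualHost on a loopback port
# that torrc forwards to, and that vhost denies the status handler outright.
# (The simplest fix is "a2dismod status"; this keeps status for the admin.)

# Assumed torrc line:  HiddenServicePort 80 127.0.0.1:8080
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    DocumentRoot /var/www/onion          # assumed path
    # Deny the handler paths explicitly; with the default AuthMerging Off the
    # vhost-level Require replaces the global "Require local".
    <Location "/server-status">
        Require all denied
    </Location>
    <Location "/server-info">
        Require all denied
    </Location>
</VirtualHost>

# Admin listener on a second loopback port that no HiddenServicePort line
# references, so Tor never forwards a request here. An operator on the box
# reads http://127.0.0.1:8081/server-status; onion visitors cannot reach it.
Listen 127.0.0.1:8081
<VirtualHost 127.0.0.1:8081>
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
</VirtualHost>
```

After reloading, fetching /server-status through the onion address should return 403, while the same path on 127.0.0.1:8081 still answers; the status page on the admin port will still list requests from every vhost, which is exactly the data the leak was exposing.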

The article finishes with some sound advice: "If you're running a .onion site and you and your users are expecting to be anonymous then you probably owe it to everyone to read the manual".

https://nakedsecurity.sophos.com/2016/10/18/simple-mistake-exposes-businessmans-secret-dark-web-drug-store/
https://web.archive.org/web/20161019200609/https://nakedsecurity.sophos.com/2016/10/18/simple-mistake-exposes-businessmans-secret-dark-web-drug-store/
https://archive.is/chRaa




  • (Score: 1, Funny) by Anonymous Coward on Friday October 21 2016, @10:42AM (#417185)

    I member.
