Tor users vulnerable with Apache default setting

A default configuration shipped with the Apache HTTP Server has been found to expose information that can be used to unmask Tor users and the hidden services they visit.

The Apache server's mod_status page (served at /server-status) displays uptime, resource usage and a list of the HTTP requests currently being handled, and by default is reachable only from localhost. That restriction was chosen to keep mod_status out of reach of outsiders, but a Tor hidden service hands visitors' requests to the web server over a loopback connection on the same host, so to Apache every request arriving over Tor appears to come from localhost and is allowed through.

Operators of Tor hidden services who leave the default mod_status configuration in place therefore expose their server-status page to anyone who visits the service over Tor. An attacker can watch the sensitive requests other users are making, and the details the page reports (the virtual hosts and addresses Apache is serving) can be used to determine the real IP address of the host behind the service, along with the addresses of any clients that reach it outside Tor.
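The two configurations below are an added illustration of the problem described above and are not taken from the article, the Apache project or the original blog post. The first is the stock mod_status snippet (Debian and Ubuntu ship an equivalent in /etc/apache2/mods-available/status.conf); the second is a hardened replacement. The torrc line quoted in the comment, the file paths and the use of Debian's a2dismod helper are assumptions about a typical hidden-service host.

```apache
# --- Weak: the stock mod_status snippet. "Require local" accepts connections
# from 127.0.0.1, ::1 and the server's own addresses, which is exactly where a
# hidden service's forwarded connections arrive from when torrc carries a
# mapping such as (assumed example):
#   HiddenServicePort 80 127.0.0.1:80
# Every Tor visitor therefore passes this check and can read /server-status.
<IfModule mod_status.c>
    ExtendedStatus On
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
</IfModule>

# --- Hardened: deny the handler to everyone, loopback included. A later
# <Location> for the same path replaces the earlier authorization rule
# (AuthMerging is Off by default), so this can live in a separate conf file
# that is loaded after the stock one. ExtendedStatus Off also drops the
# per-request lines (client address, virtual host, request URI) that make the
# page useful for surveillance.
<IfModule mod_status.c>
    ExtendedStatus Off
    <Location /server-status>
        Require all denied
    </Location>
</IfModule>

# If nothing on the host needs the page, disabling the module is simpler still
# and leaves no handler to misconfigure (Debian/Ubuntu):
#   a2dismod status && systemctl reload apache2
```

To confirm the fix from the outside, fetch the page through the local Tor client (default SocksPort 9050; the onion address is a placeholder for your own): `curl -sI --socks5-hostname 127.0.0.1:9050 http://yourservice.onion/server-status` should now return 403 Forbidden rather than the status page. If the page is still wanted for local monitoring, serve it only from a virtual host listening on a port that no HiddenServicePort line maps, since anything Tor can reach on loopback is reachable by every visitor.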

The configuration was already known to experienced Tor users, as discussion on the Tor Project's message board shows, but it was brought to wider attention in a recent blog post by an anonymous computer science student.

Last month, Facebook integrated Orbot, a proxy application that helps mobile users access the Tor network on Android phones, into its release of Facebook Android. Orbot was created by the Guardian Project, an open-source software project. The Tor Browser's lead developer Mike Perry said in December that the Tor Project will launch a bug bounty program in 2016.

The Apache Software Foundation and Tor network did not reply to requests from SCMagazine.com seeking comment about the default configuration.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition