A RiskIQ researcher is catching some flak on social media for showing how some people using the dark web are misconfiguring their Tor servers in a way that allows them to be identified.
Bleeping Computer first reported how Yonathan Klijnsma, a RiskIQ threat researcher, used one of his company’s tools, which crawls the web collecting SSL certificates and matching each one to the IP address hosting it, to find a misconfigured Tor hidden server by its public IP address.
Klijnsma told Bleeping Computer the primary mistake being made by those configuring the server "is they have their local Apache or Nginx server listening on any (* or 0.0.0.0) IP address" instead of the safe 127.0.0.1. He then uses the RiskIQ database to search for .onion certificates and checks them against the public IP they are mapped to, Bleeping Computer wrote.
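A quick check for the mistake Klijnsma describes, added here as an example (not code from the article or from RiskIQ): it reads `ss -tlnp` output and reports listening sockets bound to a wildcard address rather than 127.0.0.1. The sample lines are constructed; the `exposed_listeners` and `count_exposed` names are this example's own.

```shell
#!/bin/sh
# Added example: flag listeners bound to a wildcard address (0.0.0.0, *, [::]).
# Reads `ss -tlnp` style output on stdin; prints one line per exposed socket.
exposed_listeners() {
    awk '
        NR == 1 && $1 == "State" { next }        # skip the ss header line
        {
            addr = $4
            # port is the text after the last ":"; host is everything before it
            # (this also handles "[::]:80" and "*:443")
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::") {
                proc = ($6 ~ /users:/) ? $6 : "unknown"
                printf "EXPOSED %s:%s %s\n", host, port, proc
            }
        }'
}

# Constructed sample in `ss -tlnp` layout. Only the 127.0.0.1 line is the safe
# configuration for a service that should be reachable through Tor alone.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1234,fd=6))
LISTEN 0      511    127.0.0.1:8080      0.0.0.0:*         users:(("nginx",pid=1234,fd=7))
LISTEN 0      128    [::]:80             [::]:*            users:(("apache2",pid=2345,fd=4))
LISTEN 0      4096   *:443               *:*               users:(("nginx",pid=1234,fd=8))'

# Number of exposed listeners in the sample (expected: 3)
count_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}

# Run against the sample; on a live host use:  ss -tlnp | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```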
Klijnsma’s efforts to educate those who may be leaving themselves open to identification drew enough criticism that he tweeted:
For those who are telling me to stop attacking #Tor, I'm not attacking Tor. I'm merely trying to get across the concept that there's a difference between setting up the listening host for your server as 0.0.0.0 or * vs 127.0.0.1. https://t.co/zhY27p8Wrw
— Yonathan Klijnsma (@ydklijnsma) August 4, 2018