A configuration issue on some darkweb Web servers can reveal the true IP address of a website even if it is set up to use Tor to hide its identity. That’s according to reports that began circulating a few days ago.
The issue is not new. It has been known for a long time among experienced website administrators. But it was only in late January that it came to prominence within the Tor community as the result of a blog post that reported the problem.
The vulnerability affects Apache, a very popular open source Web server platform that is currently used for about half of the world’s websites. It’s not a bug, but a deliberate part of the Apache server design.
By default, Apache enables a server module called mod_status. The module, as its name implies, provides information about the server’s current status. In some cases, that includes data like time zone and active connections. This information is accessible to anyone who visits a certain page (specifically, <root>/server-status) on the website.
Having this module enabled can lead to privacy leaks on darkweb servers that are designed to use Tor to prevent visitors from tracing the true location of the server.
As the blogger who reported the issue noted, some darkweb sites fail to disable the module even though the privacy implications should be clear to anyone who reads the Apache documentation. “Toward the end of 2015, I found a popular .onion search engine that had failed to disable the status module,” the blogger warned.
Fortunately, the fix is simple. Website administrators just have to disable the status module with a simple command on the Web server: “a2dismod status”
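A way to check for the condition described above before and after applying the fix, as an added example that is not from the original article or the Apache project. It audits a constructed config tree that mirrors the Debian /etc/apache2 layout; the function names and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit Apache's enabled-config directories for mod_status.
# Layout mirrors Debian's /etc/apache2 (assumption); sample files are constructed.

# has_directive REGEX DIR...: true if a file under DIR has an uncommented line
# matching REGEX. find -L follows the symlinks used in mods-enabled.
has_directive() {
    re=$1; shift
    find -L "$@" -type f -exec grep -liE "$re" {} + 2>/dev/null | grep -q .
}

# Prints: exposed | loaded-no-handler | not-loaded
audit_mod_status() {
    if ! has_directive '^[[:space:]]*LoadModule[[:space:]]+status_module' "$@"; then
        echo not-loaded
    elif has_directive '^[[:space:]]*SetHandler[[:space:]]+server-status' "$@"; then
        echo exposed
    else
        echo loaded-no-handler
    fi
}

# Build a constructed config tree with the status module enabled.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/mods-available" "$d/mods-enabled"
    echo 'LoadModule status_module /usr/lib/apache2/modules/mod_status.so' \
        > "$d/mods-available/status.load"
    # "Require local" does not help an onion service: Tor connects from 127.0.0.1.
    cat > "$d/mods-available/status.conf" <<'EOF'
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
</IfModule>
EOF
    ln -s ../mods-available/status.load "$d/mods-enabled/status.load"
    ln -s ../mods-available/status.conf "$d/mods-enabled/status.conf"
    echo "$d"
}

tree=$(make_sample_tree)
echo "before: $(audit_mod_status "$tree/mods-enabled")"   # exposed
# a2dismod status removes these two symlinks from mods-enabled.
rm "$tree/mods-enabled/status.load" "$tree/mods-enabled/status.conf"
echo "after:  $(audit_mod_status "$tree/mods-enabled")"   # not-loaded
rm -rf "$tree"
```

On a Debian-style host, the same function can be pointed at /etc/apache2/mods-enabled, conf-enabled and sites-enabled together.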
To be clear, this issue does not mean that the identity of a visitor to an affected site could be revealed. It only affects privacy information about the server itself. Still, it’s notable as a problem that seems to impact many darkweb servers that use Tor to try to keep information private. It’s a reminder that Tor is not a one-click privacy solution. It’s only effective when you take the time to configure it properly.