Hacker News new | past | comments | ask | show | jobs | submit login

It is this bug: https://www.owasp.org/index.php/Server_Side_Request_Forgery

Except that with tor, hitting ANY external IP from the "real" IP of your hosting box is bad news (since your service is no longer hidden).

This is a rookie mistake for an operator running a hidden service. What you are supposed to do is a) ensure you are not running crappy software and more importantly b) ensure that your server/container/service (preferably) has no network egress or (if you need that) that egress is transparently proxied at the network level through something suitably anonymous. Whatever scheme you choose should be robust against an attacker who compromises your hidden service any any way, up to having root on the host or vm. This usually means that if you are trying to run a hidden service on a single physical machine, you want multiple VMs or containers, and you really want there to be no guest-to-host escapes. There are multiple ways of skinning that cat but VMs are nicer than containers or jails because you can have actually different network stacks.

The officer's methodology for determining whether the requesting IP was really that of the hidden service was quite sound from a forensics point of view and in fact did not require any "special" network access over and above that which a normal citizen would have.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact