According to a recent research, The Onion Router network, which provides anonymity and resistance to identification and tracking, has a new vulnerability that could compromise the anonymity of its users. Already in 2014, Tor issued a security advisory after discovering an attempt to deanonymise users of the browser. Bad actors were modifying cell headers and sending them back to the user. If the entry node was also part of the attack, an attacker could capture the user’s IP address through the attacking relays. This attack is known as Relay Early.
Recently, a new way of understanding the true IP address of a service has been discovered using an HTTP header known as Etag.
Typically, when searching for the source IP address of a site on the dark web, the site’s source code, SSL certificate, response headers, etc. are checked to obtain unique strings and information from scanning services such as Shodan, Censys, and others. In this study, response headers were checked and analysed to identify a source IP address: 188.8.131.52, the IP address of the Tor service owned by the RagnarLocker ransomware group.
This discovery has significant implications for the anonymity of the dark web, as it means that users may not be as anonymous as they once thought. However, there are ways to protect against this discovery, such as disabling Etag on the server or using a proxy to modify Etag in transit.