<!DOCTYPE html><html><head> <meta charset="utf-8" /> <meta http-

1.  
2. <!DOCTYPE html>
3. <html>
4. <head>
5. <meta charset="utf-8" />
6. <meta http-equiv="X-UA-Compatible" content="IE=edge" />
7. <title>Killing Tor2Web once and for all - detect &amp; deny Tor2Web-users</title>
8. <meta name="description" content="" />
9. <meta name="HandheldFriendly" content="True" />
10. <meta name="viewport" content="width=device-width, initial-scale=1.0" />
11. <link rel="shortcut icon" href="/favicon.ico">
12. <link rel="stylesheet" type="text/css" href="/assets/css/screen.css?v=ea56150a18" />
13. <link rel="stylesheet" type="text/css" href="/assets/css/fonts.css?v=ea56150a18" />
14. <link rel="canonical" href="https://chloe.re/2016/05/20/killing-tor2web-once-and-for-all/" />
15. <meta name="referrer" content="origin" />
16. <meta name="generator" content="Ghost 0.7" />
17. <link rel="alternate" type="application/rss+xml" title="chloe chloenlpvlemmmmd.onion" href="https://chloe.re/rss/" />
18. </head>
19. <body class="post-template nav-closed">
20. <div class="nav">
21. <h3 class="nav-title">Menu</h3>
22. <a href="#" class="nav-close">
23. <span class="hidden">Close</span>
24. </a>
25. <ul>
26. <li class="nav-home" role="presentation"><a href="https://chloe.re/">Home</a></li>
27. <li class="nav-posts-in-english" role="presentation"><a href="https://chloe.re/tag/english/">Posts in English</a></li>
28. <li class="nav-posts-in-swedish" role="presentation"><a href="https://chloe.re/tag/swedish">Posts in Swedish</a></li>
29. </ul>
30. <a class="subscribe-button icon-feed" href="https://chloe.re/rss/">Subscribe</a>
31. </div>
32. <span class="nav-cover"></span>
33.  
34. <div class="site-wrapper">
35.  
36.  
37.  
38. <header class="main-header post-head no-cover">
39. <nav class="main-nav clearfix">
40.  
41. <a class="menu-button icon-menu" href="#"><span class="word">Menu</span></a>
42. </nav>
43. </header>
44.  
45. <main class="content" role="main">
46. <article class="post featured">
47.  
48. <header class="post-header">
49. <h1 class="post-title">Killing Tor2Web once and for all - detect &amp; deny Tor2Web-users</h1>
50. <section class="post-meta">
51. <time class="post-date" datetime="2016-05-20">20 May 2016</time>
52. </section>
53. </header>
54.  
55. <section class="post-content">
56. <p>I don't like Tor2Web. There I said it. I don't like Tor2Web because it simply destroys the purpose with having an onion. I believe that users that use my onion are anonymous to a certain degree, but if a user is using Tor2Web all this anonymity is gone. I can't offer the anonymity that my onion is supposed to offer. </p>
57.  
58. <p>So let's kill Tor2Web once and for all. However, this was harder than I even could have imagine because some instances of Tor2Web are transparent so it's very hard to detect them. </p>
59.  
60. <p>I will share with you my journey on how I worked to detect Tor2Web-users and why I picked up this battle in the first place. </p>
61.  
62. <hr />
63.  
64. <h4 id="whatstheproblemwithtor2web">What's the problem with Tor2Web?</h4>
65.  
66. <p>The problem is that it's not anonymous. Of course Tor2Web states this several times and a user can clearly don't miss it. The problem is that users don't care and an onion is not meant to be used via a clear net proxy, but with Tor.</p>
67.  
68. <p>A user is talking to a clear net website instead of the onion so in theory the proxy can read all the information you're sending and getting from the onion. Also, you are far from anonymous because the Tor2Web-gateway sees your IP. </p>
69.  
70. <p>Another problem is that if the Tor2Web-gateway now would be sniffing and modifying traffic, the <a href="https://globe.torproject.org/#/search/query=&amp;filters%5Bflag%5D=Authority">authority dirs</a> have absolute no power to close the Tor2Web-gateway down. </p>
71.  
72. <p>According to some rumors there have been instances where Tor2Web-gateways actually rewrite Bitcoin-addresses in hope that users send money to the adress. I don't know if this is true but it's highly possible. </p>
73.  
74. <p>So to conclude; Tor2Web-gateways reads data that is supposed to be end-to-end and anonymous. </p>
75.  
76. <p>Also, Facebook agrees with me: <br />
77. <img src="https://i.imgur.com/EZaCLfn.png" alt="" /></p>
78.  
79. <p></br> <p></p>
80.  
81. <p>But why is it hard to detect Tor2Web? Here's why:</p>
82.  
83. <ul>
84. <li>We can't ban via IP; it has 127.0.0.1</li>
85. <li>Tor2Web can modify traffic. Rely on Js is stupid </li>
86. <li>Tor2Web can be totally transparent </li>
87. </ul>
88.  
89. <hr />
90.  
91. <h4 id="detectingtor2webuserstheeasyway">Detecting Tor2Web-users the easy way</h4>
92.  
93. <p>The good thing about most of the public Tor2Web-gateways is that they are easy to detect. </p>
94.  
95. <p>First I created a script that checks if the user is on our domains. These domains are base64-encoded because otherwise it could be possible for the Tor2Web-gateway to rewrite them (adding .to, .link or .cab). </p>
96.  
97. <p>Here's the script and how it would look in action:</p>
98.  
99. <script src="https://gist.github.com/intchloe/2fb90cac49cba4e438a772c223ec5cac.js"></script>
100.  
101. <p><img src="https://i.imgur.com/hL2RFcv.png" alt="" /></p>
102.  
103. <p>But there're two major problems with this method:</p>
104.  
105. <ol>
106. <li>The user must have Javascript activated. </li>
107. <li>The Tor2Web-gateway can still remove/change the script. </li>
108. </ol>
109.  
110. <p>However, this method works in most cases. But I want to go even further. </p>
111.  
112. <hr />
113.  
114. <h4 id="detectingtor2webuserstheharderway">Detecting Tor2Web-users the harder way</h4>
115.  
116. <p>Okay, let's say a user does not have Javascript. How can we then detect that the user is using Tor2Web? Well, we could check the users HTTP-header. Let's see if we see something that stands out. </p>
117.  
118. <p><strong>onion.link</strong> has the header <em>HTTP_X_TOR2WEB</em> so that's fantastic news! We can detect this Tor2Web-gateway on our server side!</p>
119.  
120. <p><strong>onion.to</strong> also uses the <em>HTTP_X_TOR2WEB</em> header!</p>
121.  
122. <p><strong>onion.cab</strong> does not use this header and the headers are pretty much totally transparent. Damn... </p>
123.  
124. <p>Alright, so now this is rather a mission to detect transparent Tor2Web-gateways because it's fun. Why stop here? Let's see how far we can go.</p>
125.  
126. <hr />
127.  
128. <h4 id="diggingdowntherabbithole">Digging down the rabbit hole</h4>
129.  
130. <p>The first thing I wanted to know was how Tor2Web (and onion.cab) actually rewrites onion-URL's. Does it uses regexp? Does it look for HTML-tags? </p>
131.  
132. <p>So I sat up the <a href="https://github.com/cure53/HTTPLeaks">Cure53 HTTP-leak</a> document on my onion and tried to visit it over <strong>onion.cab</strong>. To my surprise there were actually 55 tags that was not rewritten. You can see the complete list <a href="https://gist.githubusercontent.com/intchloe/fda9fe8871f6a718215a9ea39cc54d41/raw/650e372878a55baa2592b38da840af451b456110/onion.cab%2520bypasses">here</a>. Note that <strong>onion.to</strong> and <strong>onion.link</strong> both rewrote all the links correctly. </p>
133.  
134. <p>So that's pretty interesting. We can use some HTML-tags that <strong>onion.cab</strong> will not be handling correctly. So we could use any of these tags to force the user to make a request, and if the request was not successful we will know that the user does not use a direct Tor-connection (and therefore uses Tor2Web). </p>
135.  
136. <p>On <strong>onion.to/link</strong> I found that adding a backslash after the scheme actually does not get rewritten as you can see here: <br />
137. <img src="https://i.imgur.com/evA9XZt.png" alt="" /></p>
138.  
139. <p>But this is just one of <strong>many many</strong> "bypasses" I've found. The bypasses are not important, but rather how you use them. Read below!</p>
140.  
141. <hr />
142.  
143. <h4 id="exploitingthebugsbyprotectinglogins">Exploiting the bugs by protecting logins</h4>
144.  
145. <p>So we've found ways that we can construct URL's so Tor2Web won't rewrite them. So let's use this trick by simply forcing the user to POST data to an onion instead of via Tor2Web. With this trick, we will "save" the user so its credentials never goes through the Tor2Web-gateway. </p>
146.  
147. <video width="700" height="700" controls>
148. <source src="https://nup.pw/Y6veai.webm" type="video/mp4">
149. </video>
150.  
151. <video width="700" height="700" controls>
152. <source src="https://nup.pw/HxKwfU.webm" type="video/mp4">
153. </video>
154.  
155. <hr />
156.  
157. <h4 id="summaryandfinalwords">Summary and final words</h4>
158.  
159. <p>In this article I have shown you how we can use Javascript to detect if a user aren't using our domains and also how to detect Tor2Web via HTTP-headers. I've also shown you how you can [mis]use the bugs that Tor2Web has to protect POST-forms such as logins. </p>
160.  
161. <p>I highly recommend that you all stay away from Tor2Web as a user. You deserve privacy. As for you webmasters out there I highly recommend that you also have some sort of protection or notification that tells your users that they should not use Tor2Web. </p>
162.  
163. <p>Last but not least I created a small PHP-script that can detect Tor2Web-users based on headers, UA and via Js:</p>
164.  
165. <script src="https://gist.github.com/intchloe/82c6de46cd1f878d0dc0a9597a5c90dd.js"></script>
166. </section>
167.  
168. <footer class="post-footer">
169.  
170.  
171. <figure class="author-image">
172. <a class="img" href="/author/chloe/" style="background-image: url(/content/images/2016/04/49.png)"><span class="hidden">chloe's Picture</span></a>
173. </figure>
174.  
175. <section class="author">
176. <h4><a href="/author/chloe/">chloe</a></h4>
177.  
178. <p>I really love privacy and I will fight for your right to it! </p>
179. <div class="author-meta">
180. <span class="author-location icon-location">Sweden</span>
181. <span class="author-link icon-link"><a href="https://chloe.website/">https://chloe.website/</a></span>
182. </div>
183. </section>
184.  
185.  
186. <section class="share">
187. <h4>Share this post</h4>
188. <a class="icon-twitter" href="https://twitter.com/intent/tweet?text=Killing%20Tor2Web%20once%20and%20for%20all%20-%20detect%20%26%20deny%20Tor2Web-users&amp;url=https://chloe.re/2016/05/20/killing-tor2web-once-and-for-all/">
189. <span class="hidden">Twitter</span>
190. </a>
191. <a class="icon-facebook" href="https://www.facebook.com/sharer/sharer.php?u=https://chloe.re/2016/05/20/killing-tor2web-once-and-for-all/">
192. <span class="hidden">Facebook</span>
193. </a>
194. <a class="icon-google-plus" href="https://plus.google.com/share?url=https://chloe.re/2016/05/20/killing-tor2web-once-and-for-all/">
195. <span class="hidden">Google+</span>
196. </a>
197. </section>
198.  
199. </footer>
200.  
201. </article>
202. </main>
203.  
204. <aside class="read-next">
205. <a class="read-next-story prev no-cover" href="/2016/05/15/the-problem-with-writing-to-dev-null/">
206. <section class="post">
207. <h2>The problem with writing to /dev/null</h2>
208. <p>If you are like me that take privacy very seriously you most definitely already write logs or other metadata&hellip;</p>
209. </section>
210. </a>
211. </aside>
212.  
213.  
214. <footer class="site-footer clearfix">
215. <section class="copyright"><a href="https://chloe.re">chloe.re</a> &copy; 2016</section>
216. </footer>
217. </div>
218.  
219. <script type="text/javascript" src="/assets/js/jquery-1.11.3.min.js?v=ea56150a18"></script>
220. <script type="text/javascript" src="/assets/js/jquery.fitvids.js?v=ea56150a18"></script>
221.  
222. <script type="text/javascript" src="/assets/js/index.js?v=ea56150a18"></script>
223. </body>
224. </html>