
ETag vulnerability: the anonymity of Tor at risk

A recent discovery shows how the ETag HTTP header can be exploited to reveal the hidden IP address of Tor services


Tor is known for providing a higher level of anonymity online, making it difficult to identify and track its users. However, a recent discovery has exposed a possible vulnerability. It stems from the use of an HTTP header called ETag, which can potentially reveal the true IP address of a service.

ETag functionality and vulnerability

The ETag is a unique identifier generated by a server when a client requests a specific resource. The client uses it to check whether its copy of the resource is still up to date, which saves traffic and speeds up downloads. However, the ETag may contain information about the server, such as the IP address, the time, or a hash. This can become a tracking tool when the same resource is requested from different Tor hidden services hosted on the same server.

The ETag and the RagnarLocker case

A recent study identified the RagnarLocker ransomware group exploiting this vulnerability. Using the curl and torsocks tools to compare ETags, the researchers were able to reveal the IP address of RagnarLocker's Tor service. They found that all ETags were identical and contained a hash of the server's IP address. This made it possible to determine the real address and location of the server. The revealed IP address was later linked to a RagnarLocker attack on video game company Capcom.

Implications and countermeasures

This method could be used both by malicious actors to de-anonymize Tor users and hidden service providers, and by law enforcement agencies to combat illegal activity. There are, however, ways to mitigate this vulnerability. For example, one can disable the ETag on the server or use a proxy to change the ETag in transit, thus increasing the protection of anonymity.
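
A self-audit for the exposure described above, as an added example (not from the original article or the study it mentions): it parses response headers captured from your own listeners for the same path and reports any ETag that more than one listener returns. The listener names and header values are constructed, and the mtime/size decoding assumes nginx's default ETag layout of hex mtime, a dash, then hex size.

```python
import re
from collections import defaultdict

# Constructed sample: headers captured from one operator's own listeners
# (hypothetical names), all requested for the same path.
CAPTURES = {
    "onion-listener": "HTTP/1.1 200 OK\r\nServer: nginx\r\nETag: \"648e2a10-1f4\"\r\n\r\n",
    "clearnet-listener": "HTTP/1.1 200 OK\r\nServer: nginx\r\nEtag: W/\"648e2a10-1f4\"\r\n\r\n",
    "hardened-listener": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

def extract_etag(raw_headers):
    """Return the opaque ETag value (no W/ prefix, no quotes) or None."""
    for line in raw_headers.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "etag":  # header names are case-insensitive
            m = re.fullmatch(r'\s*(?:W/)?"([^"]*)"\s*', value)
            return m.group(1) if m else value.strip()
    return None

def decode_mtime_size(etag):
    """Assumption: nginx default layout, hex mtime '-' hex size."""
    m = re.fullmatch(r"([0-9a-f]+)-([0-9a-f]+)", etag)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def shared_etags(captures):
    """Map each ETag seen on more than one listener to those listeners."""
    seen = defaultdict(list)
    for endpoint, raw in captures.items():
        tag = extract_etag(raw)
        if tag is not None:
            seen[tag].append(endpoint)
    return {tag: sorted(eps) for tag, eps in seen.items() if len(eps) > 1}

def audit(captures):
    """One finding per ETag that links two or more listeners."""
    return [{"etag": tag, "endpoints": eps, "mtime_size": decode_mtime_size(tag)}
            for tag, eps in shared_etags(captures).items()]

if __name__ == "__main__":
    for finding in audit(CAPTURES):
        print("linkable:", finding)
```

After disabling ETag generation (for example `etag off;` in nginx or `FileETag None` in Apache httpd), capture the headers again; an empty result means no pair of listeners still shares a validator.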


06/17/2023 22:21

Marco Verro
