Tor browser showing wrong IP

I am using Debian with Tor 13.5 and when I go to the Reddit onion site it reports an IP address which does not match the circuit IP. I have tried several circuits using meek-azure bridge and the Reddit onion site keeps reporting the same IP address.

Here is the image

@compis

So this is actually kind of an interesting bit of confusing UI here and also most likely a problem with Reddit’s onion service configuration. The key point here is that the circuit display here does not show Reddit’s half of the circuit (since we are not privy to the specifics of that information).

So first let me walk us through a few scenarios with hypothetical ‘circuit displays’ to give an overview of the different possible ways to access Reddit.

Clearnet

  • Your Browser
  • Reddit

In this scenario, Reddit would be potentially complaining about your actual public IP.

Clearnet Site via Tor

  • Your Browser
  • Tor daemon
  • Guard Relay or Bridge (obfs4, meek-lite, snowflake, etc)
  • Middle Relay
  • Exit Relay
  • Reddit

In this scenario Reddit would be complaining about the Exit Relay’s public IP address.

Onion Service via Tor

  • Your Browser
  • Tor Daemon
  • Guard Relay or Bridge (etc)
  • Middle Relay
  • Rendezvous Relay
  • Middle Relay 2 (this doesn’t seem to have a better name)
  • Middle Relay 1
  • Guard Relay
  • Tor Daemon
  • Reddit

So, presumably in this case, Reddit’s internal spam detection infra is detecting a large number of connections coming from its own Tor daemon? The IP in your screenshot (54.85.65.228) is allegedly an Amazon IP according to whois. According to DNS records reddit.com does have some AWS IPs, so maybe we’re inadvertently learning some info about Reddit’s internal infra configuration here 🙂

Most likely Reddit’s onion is a single-hop since it doesn’t need the anonymity properties onion services provide. However, this type of info leak is similar to various issues OnionScan warned us about. Simply slapping an onion service in front of a clearnet site does nothing to protect your site’s anonymity if you leave debug or configuration pages available that expose your site’s actual IP address.

For more information and details about how onion service circuits are built, do see: Tor Project | How do Onion Services work?

EDIT @atari’s post was actually made before mine here and it includes a nifty graphic!

3 Likes
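As an added example (not from the thread and not OnionScan's code), here is a minimal check an onion service operator could run over their own service's responses for the kind of leak described above: any globally routable IPv4 address in the headers or body. The function name, header names and sample response are constructed for illustration; the address is the one quoted in this thread.

```python
import ipaddress
import re

# Candidate dotted quads; the ipaddress module does the real validation.
# The lookarounds skip longer dotted runs such as "1.2.3.4.5" while still
# matching an address followed by a sentence-ending period.
_IPV4 = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")


def find_public_ips(headers, body):
    """Return sorted (location, ip) pairs for globally routable IPv4 addresses.

    Private, loopback and other non-global addresses are ignored, since they
    do not identify the host on the public Internet.
    """
    findings = set()
    sources = [(f"header:{name}", value) for name, value in headers.items()]
    sources.append(("body", body))
    for location, text in sources:
        for candidate in _IPV4.findall(text):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if ip.is_global:
                findings.add((location, str(ip)))
    return sorted(findings)


# Constructed sample response (assumption: a rate-limit page that echoes the
# address the backend sees, plus headers carrying internal addresses).
SAMPLE_HEADERS = {"Server": "nginx", "X-Backend": "10.0.3.17:8080",
                  "Via": "1.1 127.0.0.1"}
SAMPLE_BODY = ("Too many requests from 54.85.65.228. "
               "Ref 999.1.1.1, upstream 10.0.3.17.")

if __name__ == "__main__":
    for location, ip in find_public_ips(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"public address {ip} exposed in {location}")
```

Four-part version strings that happen to parse as global addresses will also be reported, so each finding needs a manual look.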

You usually won’t know the IP that is accessing the hidden service:


The IP (54.85.65.228) Reddit shows you is not even a Tor node: https://metrics.torproject.org/rs.html#search/54.85.65.228

So most likely the hidden service is not built properly and it is basically just a proxy service accessing Reddit via clearnet. The IP (54.85.65.228) probably is the one which the ‘hidden service’ is using for network communication to Reddit.

4 Likes
