24 539 070

unique deep web pages in the database
Ways To Expose Users Of Distributed Anonymous Networks
1 day ago

Ways To Expose Users Of Distributed Anonymous Networks

Users of anonymous networks and browsers probably use them to visit mostly blocked or secure sites. However, not all of them expect the fact of this visit to remain anonymous. If anonymity while surfing deepweb doesn't bother you, you probably won't be interested in the rest of this article.

We will not go into the intricacies of the functioning of these networks and try to hack them. As you know, even the most perfect security feature has a human bottleneck. Therefore, we will talk about the methods that bypass distributed protocols, exploit common mistakes made by darknet and deepweb users, as well as mistakes in the settings or vulnerabilities of the software itself.

By deanonymization we will will mean the disclosure of a user's real IP address.


If a user uses the same browser to surf both the normal and the "anonymous" network, he can be easily identified via a fingerprint. The fingerprint is stored from the "anonymous" browser session, and then it is stored in databases of fingerprints stored by billions by Google, Facebook and other, including public, institutions of different countries.

There are many ways to remove fingerprints, and they are all known, so I will not enumerate them here. It is worth using a separate browser to surf the "closed" Internet. And, even there, it is desirable to erase the history after each use.

The Ability To Access Normal Network

Let's suppose you use a separate browser to surf a anonymous network. But, if from this browser it is still possible to access the regular Internet, bypassing the protected network, then the site from the onion/i2p domain can use this possibility for your de-anonymization by sending a special request. This can be done via HTTP, DNS,WebRTC, etc.

To avoid this, - at least prohibit all incoming and outgoing connections for this browser to all IPs except localhost and the port your anonimizing proxy is running on.

You can't do that if your anonymizer is built into your browser and works with it in the same process.

Besides, you have to somehow make sure that your browser, under no circumstances, will not use the API of the operating system to resolve DNS names, etc.. You can check the latter by making a query via the address bar and looking at the traffic via wireshark or tcpdump.

Non-standard Protocols

Besides http:// and https:// there are other protocols which can have their own vulnerabilities. For example file:// and smb://, which can try to make your browser/OS send a request to the right address. All protocols other than http:// https:// should be disabled in your browser by default.

Browser Vulnerabilities

This is quite an obvious thing, but oddly enough many people forget about it. Browsers need to be updated regularly. But, and this will not really save you. Sooner or later a new vulnerability will appear - you must be prepared for this.

Browser Plugins

Yes. Be careful with browser plugins. They may contain vulnerabilities. They can see everything you do and, in some cases, can send data to third parties.


Your antivirus can also expose you. How? A site of an onion/i2p domain will simply let you download a unique page/file. Your browser will save it on the disk. Your antivirus, before scanning your file for the "billion" viruses existing, will first look for the hash of the file in the databases of the antivirus company, or of the distributed network of all the users. In this way, you will be deanonymized.

OS Telemetry

Yes. Perhaps your OS has built-in antivirus or telemetry which also collects and sends hashes of your files to the clouds.

Cameras/Microphones In Range

Cameras are an obvious enough thing. Hopefully, no one is going to browse prohibited sites with a camera. As for microphones on other devices, it's not quite that obvious.

When you type a message to a "secure" site - that site (or a script inserted there) can measure the intervals between keystrokes on the keyboard.

Interestingly, this information can even be extracted from a secure/encrypted TCP/HTTPS user session by measuring the intervals between IP packets.

A microphone (e.g. in your cell phone) in range can do the same. On the basis of this you can make a special index, which, by analogy with the service determining the name of the music playing in the background, can determine that it is you who is typing the message.

Disabling JS partly helps, but, mouse clicks while navigating pages do not disappear, so, keep microphones away from your workplace.

No comments. Your review will be the first!