Skip to content
Articles
Network and cybersecurity: What is a 'Hidden Service'? Part 1

Network and cybersecurity: What is a 'Hidden Service'? Part 1

The term "hidden service" is intimately related to certain technologies like the darknet and the Tor Project. This mechanism is used to provide various security and anonymity features to network users. In the collective consciousness, it is widely accepted that the darknet and hidden services are primarily used by cybercriminals to offer applications accessible through the Internet without revealing the identities of the parties involved. However, in reality, hidden services are often used for much nobler purposes, where the technical advantages they offer are highly appreciated.

Whistleblowers, secure data exchanges, journalistic content publication, and today's widespread and secure remote access with the advent of Zero-Trust Network Access are all ways in which hidden services are used for protection. But what are hidden services, and what do they really offer? Answers in this article.

You mentioned a "service," right?

The term "service" is so generic that it's important to define it in our context. A service is a network application accessible through an enterprise network or a broader network like the Internet. The purpose of a service is to offer users a set of functionalities they can access.

For example, a company may use an application to manage all its documentation. This documentation is accessible online, via the Internet, to all employees or directly from the organization's internal network. If it's a web application, users access it through their web browsers. Other examples of similar services include all the applications necessary for the proper functioning of the company: billing, payroll, leave management, financial documents, strategy, and so on.

Services are not limited to the web. In fact, a wide variety of other types of services can be added to web applications and made accessible over the network. Here is a non-exhaustive list:

  • File sharing systems used for depositing/collecting files within an organization.
  • Server administration protocols (like SSH).
  • Remote desktop sharing protocols (like RDP), often used for server administration but also extensively for sharing applications or resources among users.
  • Security bastions and VPN gateways.
  • Email mailboxes (like IMAP).

In short, a service is made accessible from the network. Technically, it is addressable through an IP address and a port.

And what about hidden services?

The term "hidden services" is used to describe network services that rely on communication protocols that provide specific security features. Any "classic" service can become a hidden service, and the primary feature they offer is...

Anonymity

"Classic" services are identifiable through an IP address and a port. These two pieces of information allow the service to be "located." Depending on the network, they may provide more or less information about the service or the service administrator, including: - On the Internet, an approximation of the geographic location of the server hosting the application. - On a private network, an idea of the network segment and auxiliary applications hosted in the same network zone.

By hiding its service, it is no longer accessible through an IP address but through a cryptographic key that, when used across the network, establishes a connection with the service without revealing its location.

Anonyme

This is the most well-known characteristic, but perhaps not the most interesting. What about the others?

Authentication

Standard communication protocols (like TCP/IP) used to establish a connection with a service do not provide any assurance that the user is actually communicating with the expected service. This is especially true in the general operation of the Internet, with domain name resolution through the DNS protocol and routing methods governing the network. For these reasons, other protocol layers (like TLS) and security mechanisms (like certificates and public key cryptography) are widely used in conjunction with "classic" services.

Clef

By using hidden services and negotiating connections with their public keys, users can be certain that they are communicating with the correct service, not a malicious one. This property is inherent to the protocol and does not require the use of certificates to authenticate the service to the user (though it doesn't preclude it either).

In addition to service authentication, some protocols also offer user authentication via a key, all without compromising the security features provided by the hidden service principle. Thus, services are authenticated to users and vice versa.

10 cyberattacks that exploited the principle of exposure

Exposure Reduction

Dedicated readers of the blog are likely familiar with this property, which we have described in several articles on SI security, such as Information System security: understanding the issue of exposure and 10 cyberattacks that exploited the principle of exposure.

In short, using hidden services helps avoid exposing your service within the network or network zone. It becomes impossible for an attacker (e.g., scanning the network) to discover a service and therefore attack it. Thus, the use of hidden services can protect against a wide range of opportunistic or targeted attacks.

Other characteristics such as micro-segmentation, the elimination of trust in intermediaries, and security through movement are all reasons to pay special attention to hidden services. We will describe these properties in more detail in Part 2 of this article.

Which services in my IT system should I configure as "hidden services"?

In general, it is interesting to configure a service as a hidden service if it meets these two conditions:

  • You can identify a well-defined population of service users. For example, a VPN gateway or a sensitive file-sharing service. Conversely, a institutional website or a mail relay server, which by definition must be "visible" to the entire world to receive email, would not qualify.

  • You have control over the service, meaning you can "cut" off the service's exposure to the Internet or the subnet in which it resides and make the service accessible only through the software agent acting as a relay to the network. For example, an on-premise application or a cloud-based Infrastructure as a Service (IaaS). Conversely, a Software as a Service (SaaS) application for which you cannot define a whitelist of authorized IP addresses would not qualify.

Want to give it a try? Contact us, and we will provide you access to the Chimere network to hide your services: Don't forget to subscribe to the Chimere newsletter so you don't miss future articles.

Header photo : Image by wirestock on Freepik

Nous n'avons pas pu confirmer votre inscription.
Votre inscription est confirmée.

La lettre Chimere

Inscrivez-vous à notre newsletter pour suivre nos actualités.