[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Hidden service security w. Apache/Win32

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Hidden service security w. Apache/Win32
From: "Fred Toben" <redguy@xxxxxxxxxxx>
Date: Sun, 19 Feb 2012 12:50:47 -0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 19 Feb 2012 07:51:41 -0500
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tormail.net; s=tm; h=Message-Id:X-TorMail-User:Content-Transfer-Encoding:Content-Type:MIME-Version:To:From:Subject:Date; bh=kofV6KGFYWr+3XcS4vQKyWtZsUHBr5kxx/+tO8jIX/o=; b=TI9C2oSaYslsMm3FhORHKrOQrBuFMWNV3ufP/E8+WUKGchBdbn+GXc/WRPg7gc/ICsUnLCKRBqOtjnEHBZBPke283XYJdJiigRkJOaO9xp41ROxt1HSfo427qychzwTDT9caYJxQTtzCPxzVHkVXOEoA5kzy52jYdkfK4HCK8jU=;
Importance: Normal
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

Hello Everybody

I am in the process of setting up a hidden service with Apache 2.2 under
Windows.

I run Apache (Win32) in a virtual machine and Tor in a separate virtual
machine under VMware Workstation.

VM 1 runs Apache and VM 2 runs Tor.

VM 1 is connected to VM 2 through an internal host only network and no
connection to Apache is possible except through the host only network.

Apache runs under a limited user account and I have locked down  all
potentially unsafe modules (PHP, autoindex etc) and I have tested that the
hidden service is connectable from the outside with its .onion address.

So far I haven't found any public info about the possible downsides of
running a hidden service under Windows.

Is running the instances of Tor and Apache in separate locked down virtual
environments more secure than having Apache and Tor listening within the
same machine?

Or is Windows an absolute no when considering running a secure hidden
service?

Another question is whether my setup (VM1=application, VM2=Tor)
ameliorates the problems with proxified applications.

On the Torproject site I read that proxifying applications is often
dangerous because the applications might leak the machine's real IP
address.

But if the proxified aplication runs within a virtual machine, and only
connects to an instance of Tor running within another VM, what info could
leak through the application other than the IP of the VM?


_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Hidden service security w. Apache/Win32
  - From: Gozu-san
- Re: [tor-talk] Hidden service security w. Apache/Win32
  - From: Karl Hakmller

Prev by Author: [tor-talk] take me off
Next by Author: Re: [tor-talk] Hidden service security w. Apache/Win32
Previous by thread: [tor-talk] Is setting family an improvement to user safety?
Next by thread: Re: [tor-talk] Hidden service security w. Apache/Win32
Index(es):
- Author
- Thread