Re: [tor-talk] Question regarding forum software for use as a hidden service

[Jude Young <jude@xxxxxxxxxxxx>]

On 03/14/2012 03:05 PM, Commence Without Illusions wrote:
> Your best option is to run your forum software, server, and everything
> else except Tor in a virtual machine and then direct all that machine's
> traffic through Tor. Anything with scripting, PHP, or even web forms is
> going to be a significant risk. Even without it, you're assuming the web
> server will never be vulnerable which is a pretty unrealistic expectation.
>
> Commence
>
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
What he said.  PHP is a huge risk.
I've worked with it before, even just trying to force SSL its a hassle.

At the very least consider running the webserver (AND all of the 
server-side scripts!) in a chrooted environment...

There is a very informative tutorial for lighttpd and fastcgi inside a 
chroot on 
(http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html).  
It's for php4, but it ALMOST works out of the box for php5.  And they 
definitely give you the tools to troubleshoot that one thing that 
doesn't quite work.

If you need a little hand, or you are stuck, feel free to drop me a line.
Also, This forum seems to be pretty popular.
http://en.wikipedia.org/wiki/PhpBB
The smaller the better.  It's easier to audit a tiny package for leaks 
than it is a larger one.


I hope I said something interesting, and wasn't merely rambling.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk