[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Hidden service security w. Apache/Win32

Hello Everybody

I am in the process of setting up a hidden service with Apache 2.2 under

I run Apache (Win32) in a virtual machine and Tor in a separate virtual
machine under VMware Workstation.

VM 1 runs Apache and VM 2 runs Tor.

VM 1 is connected to VM 2 through an internal host only network and no
connection to Apache is possible except through the host only network.

Apache runs under a limited user account and I have locked down  all
potentially unsafe modules (PHP, autoindex etc) and I have tested that the
hidden service is connectable from the outside with its .onion address.

So far I haven't found any public info about the possible downsides of
running a hidden service under Windows.

Is running the instances of Tor and Apache in separate locked down virtual
environments more secure than having Apache and Tor listening within the
same machine?

Or is Windows an absolute no when considering running a secure hidden

Another question is whether my setup (VM1=application, VM2=Tor)
ameliorates the problems with proxified applications.

On the Torproject site I read that proxifying applications is often
dangerous because the applications might leak the machine's real IP

But if the proxified aplication runs within a virtual machine, and only
connects to an instance of Tor running within another VM, what info could
leak through the application other than the IP of the VM?

tor-talk mailing list