[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Secure Hidden Service

On 06/26/2014 12:50 AM, Tor Talker wrote:
> On 25 Jun 2014, at 11:09 PM, Mirimir <mirimir@xxxxxxxxxx> wrote:
>> ... any Tor user can host a hidden service. But few people, even
>> experienced web engineers, know enough to do it securely enough.
>> Also, hidden services are far more vulnerable than Tor users,
>> simply because they serve stuff.
> OK, I'll bite.
> Are you saying that experienced web engineers are not capable of
> designing systems with security and anonymity in mind, or that that
> there are generally hidden risks in setting up the Tor rendezvous
> connection to a local server?  We can agree not to trust random
> software architects/implementors, but I can say with confidence that
> my team is very competent and security minded (though new to
> publishing Tor hidden services).
> More to the point, do you have specific concerns regarding the
> Linux/Tor/Apache/Perl stack we are using?  We do sanitize error
> messages to prevent Apache from leaking system information, but
> that's really the only special effort other than maintaining good
> overall system security.
> What sort of vulnerabilities would you expect to see?

Well, this Tor Blog entry[1] is a good place to start.

There's also a fundamental bind. Unless you physically control your
servers, they aren't really your servers. And so you want to avoid using
cloud services or hosted servers. But if you do physically control your
servers, you're directly associated with them. And you are betting the
farm that they won't be found (or on your lawyers).

Resolve that, and you have a great business plan :)

[1] https://blog.torproject.org/category/tags/hidden-services
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to