Re: SoC Project: Improving Hidden Service Security and Usability

[Roger Dingledine <arma@xxxxxxx>]

On Sun, May 24, 2009 at 09:59:28PM -0400, Ringo wrote:
> I'll be working on improving hidden service security and usability this
> summer (starting in about three weeks). I'm currently attending the
> Evergreen State College in Olympia, WA

Based on your location, there are two nearby events that might interest
you:

http://toorcamp.org/ (Moses Lake, WA; July 2-5)
http://petsymposium.org/2009/ (Seattle, WA; August 5-7)

Quite a few Tor developers will be present at each (especially PETS).

> Specifically, I will be creating a how-to guide for securing standard
> LAMP servers as well as a script that will help Linux users set them up.
> I have a few ideas for locking down apache, php, etc. but I would
> appreciate any other ideas admins of hidden services have as well as
> suggestions on how to implement them.

Interesting. I've always been conflicted about whether it's possible to
distill enough how-to advice that novices can actually safely set up a
complex (i.e. more than just static html) website.

That's why my walk-through at
https://www.torproject.org/docs/tor-hidden-service#one
suggests thttpd -- it doesn't have all the edge cases that apache /
php / etc would have.

Note that Vidalia has an interface for configuring a hidden service in
Tor.

It would be neat to eventually have a Thandy component which is
a website. Then in the Thandy interface when you're choosing which
components to track, you could click "hidden service" and it would fetch
and install a thttpd for you. Or heck, a more complex webserver if we
think we can secure it effectively.

--Roger