
Re: [tor-relays] Debian relay Puppet module



On Wed, Jun 18, 2014 at 1:49 PM, Alexander Fortin
<alexander.fortin@xxxxxxxxx> wrote:
> On 18. Juni 2014 at 16:26:38, Zack Weinberg (zackw@xxxxxxx) wrote:
>> Best practice as I understand it is that you should have an exit
>> notice on all exit relays. What I'm not sure of is whether "DirPort
>> 80 + DirPortFrontPage" is the recommended way to accomplish that. The
>> CMU Tor exit uses a separate lighttpd install, I think primarily
>> because we didn't know about DirPortFrontPage when we set it up. I
>> can make a case either way - less software = less attack surface;
>> separate install = compartmentalization.
>
> I understand the 'less software' benefit; I'm currently reading
> https://en.wikipedia.org/wiki/Compartmentalization_(information_security)
> but still not sure if I understand correctly the reference to the
> 'compartmentalization' in this case.

If the process listening on port 80 is the Tor process, then any
vulnerability in the HTTP service it presents to port 80 can be
exploited for a direct attack on the relay itself.  If port 80 service
is provided by a separate program (e.g. lighttpd) running under a
different user ID, then an exploit of *that* program may not be able
to affect the relay.  That's all I meant.  (The Wikipedia article is
talking about a related thing, but not really the same.)

If you turn DirPort on at all, that exposes Tor's built-in HTTP server
to the Internet -- perhaps on a nonstandard port, but still -- so I'm
not sure the compartmentalization is really buying anything in this
case.

zw
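
Added example, not part of the thread and not Tor Project code: a Linux check of whether the exit-notice port and the relay's ORPort are actually served under different user IDs, which is the property the reply describes. It resolves each listening socket to the processes that hold it, because the uid column in /proc/net/tcp records who created the socket and that is often root for a port-80 daemon that drops privileges afterwards. The function names and the default ports 80 and 9001 are assumptions.

```python
import os, re, sys

SOCK = re.compile(r"socket:\[(\d+)\]")

def listen_inodes(procroot, port):
    """Inodes of TCP sockets in LISTEN state (0A) on `port`, IPv4 and IPv6."""
    inodes = set()
    for table in ("net/tcp", "net/tcp6"):
        path = os.path.join(procroot, table)
        if not os.path.exists(path):
            continue
        with open(path) as fh:
            next(fh, None)  # skip the header row
            for line in fh:
                f = line.split()
                # f[1]=local addr:port (hex), f[3]=state, f[9]=socket inode
                if len(f) > 9 and f[3] == "0A" and int(f[1].rsplit(":", 1)[1], 16) == port:
                    inodes.add(f[9])
    return inodes

def holder_euids(procroot, inodes):
    """Effective UIDs of every process that has one of `inodes` open."""
    euids = set()
    for pid in filter(str.isdigit, os.listdir(procroot)):
        fd_dir = os.path.join(procroot, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            held = {m.group(1) for m in map(SOCK.fullmatch, links) if m}
            if held & inodes:
                with open(os.path.join(procroot, pid, "status")) as fh:
                    uid = next(l for l in fh if l.startswith("Uid:"))
                euids.add(int(uid.split()[2]))  # Uid: real, effective, saved, fs
        except OSError:  # process exited, or we lack permission to inspect it
            continue
    return euids

def notice_is_separate(procroot, notice_port, or_port):
    """True only if no UID serves both the notice port and the ORPort."""
    notice = holder_euids(procroot, listen_inodes(procroot, notice_port))
    relay = holder_euids(procroot, listen_inodes(procroot, or_port))
    if not notice or not relay:
        raise LookupError("listener not found (run as root to see other users' fds)")
    return notice.isdisjoint(relay)

if __name__ == "__main__":
    # Assumed ports: 80 for the exit notice, 9001 for the ORPort; pass your own two.
    ports = sys.argv[1:3] if len(sys.argv) > 2 else (80, 9001)
    same = not notice_is_separate("/proc", int(ports[0]), int(ports[1]))
    print("shared UID" if same else "separate UIDs")
```

A web server whose master process stays root still passes this check, since it shares no UID with the relay; that root-owned holder is worth reviewing separately.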