[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Question regarding forum software for use as a hidden service
On 03/14/2012 03:05 PM, Commence Without Illusions wrote:
Your best option is to run your forum software, server, and everything
else except Tor in a virtual machine and then direct all that machine's
traffic through Tor. Anything with scripting, PHP, or even web forms is
going to be a significant risk. Even without it, you're assuming the web
server will never be vulnerable which is a pretty unrealistic expectation.
Commence
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
What he said. PHP is a huge risk.
I've worked with it before, even just trying to force SSL its a hassle.
At the very least consider running the webserver (AND all of the
server-side scripts!) in a chrooted environment...
There is a very informative tutorial for lighttpd and fastcgi inside a
chroot on
(http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html).
It's for php4, but it ALMOST works out of the box for php5. And they
definitely give you the tools to troubleshoot that one thing that
doesn't quite work.
If you need a little hand, or you are stuck, feel free to drop me a line.
Also, This forum seems to be pretty popular.
http://en.wikipedia.org/wiki/PhpBB
The smaller the better. It's easier to audit a tiny package for leaks
than it is a larger one.
I hope I said something interesting, and wasn't merely rambling.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk