
Re: [tor-talk] Question regarding forum software for use as a hidden service



On 03/14/2012 03:05 PM, Commence Without Illusions wrote:
> Your best option is to run your forum software, server, and everything
> else except Tor in a virtual machine and then direct all that machine's
> traffic through Tor. Anything with scripting, PHP, or even web forms is
> going to be a significant risk. Even without it, you're assuming the web
> server will never be vulnerable which is a pretty unrealistic expectation.
>
> Commence
>
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

What he said. PHP is a huge risk.
I've worked with it before, even just trying to force SSL it's a hassle.

At the very least consider running the webserver (AND all of the server-side scripts!) in a chrooted environment...

There is a very informative tutorial for lighttpd and fastcgi inside a chroot on (http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html). It's for php4, but it ALMOST works out of the box for php5. And they definitely give you the tools to troubleshoot that one thing that doesn't quite work.

If you need a little hand, or you are stuck, feel free to drop me a line.
Also, this forum seems to be pretty popular.
http://en.wikipedia.org/wiki/PhpBB
The smaller the better. It's easier to audit a tiny package for leaks than it is a larger one.


I hope I said something interesting, and wasn't merely rambling.