
Hello, Do to security concerns with the rsync not being encrypted, I have taken down my mirror otivpn.com. Please remove it.

On Sat, May 03, 2014 at 05:47:16PM -0700, sweeney@riseup.net wrote 0.3K bytes in 0 lines about: : Do to security concerns with the rsync not being encrypted, I have taken down my mirror otivpn.com. Please remove it. What "security concerns" would those be? removed just the same. -- Andrew pgp 0x6B4D6475

Hi Andrew, It is theoretically possible for someone in between my server and Tor to modify the request to run various PHP and other scripts and connect directly to the MySQL databases. On May 3, 2014, at 9:33 PM, Andrew Lewman <andrew@torproject.is> wrote:
On Sat, May 03, 2014 at 05:47:16PM -0700, sweeney@riseup.net wrote 0.3K bytes in 0 lines about: : Do to security concerns with the rsync not being encrypted, I have taken down my mirror otivpn.com. Please remove it.
What "security concerns" would those be?
removed just the same.
-- Andrew pgp 0x6B4D6475 _______________________________________________ tor-mirrors mailing list tor-mirrors@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-mirrors

On Sat, May 03, 2014 at 09:36:01PM -0700, sweeney@riseup.net wrote 0.9K bytes in 0 lines about: : It is theoretically possible for someone in between my server and Tor to modify the request to run various PHP and other scripts and connect directly to the MySQL databases. I'm not sure I understand your concern. It's theoretically possible for something to mitm any connection on the Internet. Are you concerned something is actively modifying the contents of the rsync in transit? -- Andrew pgp 0x6B4D6475

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 04.05.2014 16:05, Andrew Lewman wrote:
On Sat, May 03, 2014 at 09:36:01PM -0700, sweeney@riseup.net wrote 0.9K bytes in 0 lines about: : It is theoretically possible for someone in between my server and Tor to modify the request to run various PHP and other scripts and connect directly to the MySQL databases.
I'm not sure I understand your concern. It's theoretically possible for something to mitm any connection on the Internet. Are you concerned something is actively modifying the contents of the rsync in transit?
I think the concern is that a MitM may intercept the connection and add some PHP code that will then be evaluated as the Webserver user on the server, allowing an attacker to execute arbitrary PHP code on the server hosting the mirror, enabling access to local-only resources like a MySQL server only accepting connections from localhost. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJ8BAEBCgBmBQJTZknoXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEM0ODA5N0EzQUY3RDU1MTg5QTc3QUMx NjlGOTYyNDM0MDg4MjVFAAoJEBafliQ0CIJeN24P/1DpwuhOZ1R1Ph7NpsnoZ1Cs w2LbYWRpaaNe55UZ+Os990mUgKyI6b7hkByNfWvA3XCDGBO20fsCS7uPNTyn5Xnx qSkZ9ydzZWQsntwBD+OBjU0wvlReRvr/bzxQJp2PAjzcXYrq4sx1l0qHOlHNxFL3 Qv1sUwUv8oELx9CiWciaQ5wZyKXZnGNHPPs0hZbSIZVaWuXpl+Qqo+gbQb9h4FoF RGsVKkPeC+KHAtNlRuF1tZ4qWDEZ0Iron2jIuV3aaN3ndbDrp0EtjO3HDCoBNvkr 8z9P1TokDZKW4MQhVbRDp6/IAad7vsfi1JaEbFithYs49DSQGLy0TPB9p14qqnMA olsDrbDi8ujyVm9vVnKcc+0h0JVYXY5TiRBp1Sw98+7AvbtCftVhtHvbfQmiqTUH 68NXh3d4Lsov8D79Ko3Jq1oJZRPwpkzUdZ5KCMTTFBqukPpLN7hPKTvUZoYcUaqx srVxFXJar3dDB6B9yUOLYnBekHM0D41+/wcDfogTZ9EyEow+8CFkkvY644Jf+VW0 JFVh4lTMnYSJ229FIdX3CtBwBjo+9/KUkILr8OSfVma6eSSdpAeG2wF9H1KoAB3Y AvcOcO6F74vuuvOGPjR9M1u3TeNuzSTLgTQqWiOHq7ws4umxasNzFGXm6Jz2oQL4 jb0agonuiXl1YgPuILd4 =sqHu -----END PGP SIGNATURE-----

Hello John, It sounds like your web server is (mis)configured to blindly execute any script it finds. I'd suggest you configure it to execute only whitelisted scripts in general, or at minimum to just never execute scripts found in the tor mirror directory. If you can't reconfigure the webserver for some reason, you could always just rsync to a temporary directory, run `find /path/to/temp/dir -type f -name '*.php' -print0 | xargs -0 rm` to delete all files your webserver would execute, and then rsync or move that to the proper public directory. I just hate to see someone stop running a mirror just because of a 'security concern' that is so easily remedied. If you have more concerns or configuration questions, just let me know. Thanks!
Hi Andrew,
It is theoretically possible for someone in between my server and Tor to modify the request to run various PHP and other scripts and connect directly to the MySQL databases.
On May 3, 2014, at 9:33 PM, Andrew Lewman <andrew at torproject.is> wrote:
On Sat, May 03, 2014 at 05:47:16PM -0700, sweeney at riseup.net wrote 0.3K bytes in 0 lines about: : Do to security concerns with the rsync not being encrypted, I have taken down my mirror otivpn.com. Please remove it.
What "security concerns" would those be?
removed just the same.
-- Andrew pgp 0x6B4D6475 _______________________________________________ tor-mirrors mailing list tor-mirrors at lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-mirrors
participants (4)
-
Andrew Lewman
-
John Sweeney
-
Max Jakob Maass
-
moparisthebest