Hello,
Due to security concerns with the rsync not being encrypted, I have taken down my mirror otivpn.com. Please remove it.
On Sat, May 03, 2014 at 05:47:16PM -0700, sweeney@riseup.net wrote 0.3K bytes in 0 lines about: : Due to security concerns with the rsync not being encrypted, I have taken down my mirror otivpn.com. Please remove it.
What "security concerns" would those be?
removed just the same.
Hi Andrew,
It is theoretically possible for someone in between my server and Tor to modify the request to run various PHP and other scripts and connect directly to the MySQL databases.
On May 3, 2014, at 9:33 PM, Andrew Lewman andrew@torproject.is wrote:
On Sat, May 03, 2014 at 05:47:16PM -0700, sweeney@riseup.net wrote 0.3K bytes in 0 lines about: : Due to security concerns with the rsync not being encrypted, I have taken down my mirror otivpn.com. Please remove it.
What "security concerns" would those be?
removed just the same.
-- Andrew pgp 0x6B4D6475
On Sat, May 03, 2014 at 09:36:01PM -0700, sweeney@riseup.net wrote 0.9K bytes in 0 lines about: : It is theoretically possible for someone in between my server and Tor to modify the request to run various PHP and other scripts and connect directly to the MySQL databases.
I'm not sure I understand your concern. It's theoretically possible for something to mitm any connection on the Internet. Are you concerned something is actively modifying the contents of the rsync in transit?
On 04.05.2014 16:05, Andrew Lewman wrote:
On Sat, May 03, 2014 at 09:36:01PM -0700, sweeney@riseup.net wrote 0.9K bytes in 0 lines about: : It is theoretically possible for someone in between my server and Tor to modify the request to run various PHP and other scripts and connect directly to the MySQL databases.
I'm not sure I understand your concern. It's theoretically possible for something to mitm any connection on the Internet. Are you concerned something is actively modifying the contents of the rsync in transit?
I think the concern is that a MitM may intercept the connection and add some PHP code that will then be evaluated as the Webserver user on the server, allowing an attacker to execute arbitrary PHP code on the server hosting the mirror, enabling access to local-only resources like a MySQL server only accepting connections from localhost.
Hello John,
It sounds like your web server is (mis)configured to blindly execute any script it finds. I'd suggest you configure it to execute only whitelisted scripts in general, or at minimum to just never execute scripts found in the tor mirror directory. If you can't reconfigure the webserver for some reason, you could always just rsync to a temporary directory, run `find /path/to/temp/dir -type f -name '*.php' -print0 | xargs -0 rm` to delete all files your webserver would execute, and then rsync or move that to the proper public directory.
I just hate to see someone stop running a mirror just because of a 'security concern' that is so easily remedied. If you have more concerns or configuration questions, just let me know.
Thanks!
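The staging approach suggested above, written out as an added example (not a script from the thread or from the Tor mirror project): the mirror is pulled into a private staging directory, every file a PHP-enabled web server would interpret is deleted there, and only the cleaned tree is copied to the public document root. The rsync source, the paths and the suffix list are assumptions to adapt to your own server configuration.

```shell
#!/bin/sh
# Added example, not from the thread: stage the rsync pull, strip anything
# the web server might execute, then publish. Source URL and paths are
# placeholders.
set -eu

# strip_scripts DIR: delete files under DIR that a typical mod_php/php-fpm
# setup would execute, plus per-directory config files (.htaccess,
# .user.ini) that could change how the tree is served. The suffix list is
# an assumption; match it to your own handler configuration.
# Prints each removed path, one per line.
strip_scripts() {
    # Assumption: mirror paths contain no newlines, so a read loop is safe.
    find "$1" -type f -print | while IFS= read -r f; do
        name=$(printf '%s' "${f##*/}" | tr 'A-Z' 'a-z')
        case "$name" in
            *.php|*.php[3-7]|*.phtml|*.phps|*.phar|*.cgi|*.pl|*.shtml|.htaccess|.user.ini)
                rm -f -- "$f"
                printf '%s\n' "$f"
                ;;
        esac
    done
}

# publish_mirror SRC STAGE PUBLIC: pull SRC into STAGE, sanitise STAGE,
# then mirror STAGE over PUBLIC. PUBLIC only ever receives a cleaned tree,
# so an injected script never reaches the served directory.
publish_mirror() {
    src=$1 stage=$2 public=$3
    mkdir -p "$stage" "$public"
    rsync -a --delete "$src" "$stage/"
    removed=$(strip_scripts "$stage" | grep -c . || true)
    echo "stripped $removed interpretable file(s) from staging" >&2
    rsync -a --delete "$stage/" "$public/"
}

# Usage (placeholders):
#   publish_mirror rsync://MIRROR_SOURCE/module/ /srv/tor-stage /var/www/tor
```

Disabling script execution for the mirror directory in the web server configuration remains the primary fix; this wrapper is the fallback the message describes for servers that cannot be reconfigured.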