On Wed, Jun 18, 2014 at 1:49 PM, Alexander Fortin alexander.fortin@gmail.com wrote:
> On 18. June 2014 at 16:26:38, Zack Weinberg (zackw@cmu.edu) wrote:
>> Best practice as I understand it is that you should have an exit notice on all exit relays. What I'm not sure of is whether "DirPort 80 + DirPortFrontPage" is the recommended way to accomplish that. The CMU Tor exit uses a separate lighttpd install, I think primarily because we didn't know about DirPortFrontPage when we set it up. I can make a case either way - less software = less attack surface; separate install = compartmentalization.
> I understand the 'less software' benefit; I'm currently reading https://en.wikipedia.org/wiki/Compartmentalization_(information_security) but still not sure if I understand correctly the reference to the 'compartmentalization' in this case.
If the process listening on port 80 is the Tor process, then any vulnerability in the HTTP service it presents to port 80 can be exploited for a direct attack on the relay itself. If port 80 service is provided by a separate program (e.g. lighttpd) running under a different user ID, then an exploit of *that* program may not be able to affect the relay. That's all I meant. (The Wikipedia article is talking about a related thing, but not really the same.)
If you turn DirPort on at all, that exposes Tor's built-in HTTP server to the Internet -- perhaps on a nonstandard port, but still -- so I'm not sure the compartmentalization is really buying anything in this case.
zw
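The two setups the thread compares, written out as an added example (these fragments are not from the original mails; the file paths, port 9030 and the account names are assumptions):

```text
## Option A: Tor itself serves the exit notice on port 80. One process, less
## software, but a flaw in Tor's directory HTTP handling is a flaw in the relay
## process itself. torrc fragment:
ORPort 443
DirPort 80                                     # binding 80 needs root or CAP_NET_BIND_SERVICE
DirPortFrontPage /var/lib/tor/exit-notice.html # published as "/" on the DirPort; path assumed
ExitRelay 1

## Option B: a separate web server under its own UID serves port 80, so a bug in
## it does not run as the tor user. Tor's DirPort moves to a nonstandard port,
## but Tor's built-in HTTP server stays reachable from the Internet there, which
## is the caveat raised above. torrc fragment:
ORPort 443
DirPort 9030                                   # assumed port; Tor's HTTP server still exposed here
ExitRelay 1

## lighttpd.conf fragment for Option B (runs as www-data, not as the tor user):
server.port          = 80
server.username      = "www-data"
server.groupname     = "www-data"
server.document-root = "/var/www/exit-notice"  # holds the notice as index.html; path assumed
index-file.names     = ( "index.html" )
```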