[tor-mirrors] Tor Mirror Security

Taylor Hornby havoc at defuse.ca
Fri Mar 28 01:42:12 UTC 2014


Hi,

I just set up an experimental Tor mirror here:

    https://defuse.ca/tor-mirror/

(Please don't include it in any mirror lists yet.)

I'm a little worried about security, though. The 'Configuring a Mirror'
page [1] has me cloning the Tor website via rsync, which isn't a secure
protocol. There are two specific risks here:

1. To the user of the mirror: A network attacker between my server and
   Tor could have replaced the Tor binaries with a malicious copy.

2. To the host of the mirror: A network attacker, or an evil sysadmin at
   Tor, could insert PHP scripts (or other things that Apache will
   execute) into my system, then execute them by making a web request.

I worked around (2) by adding "php_flag engine off" to the Directory
entry in my Apache configuration, but I'm not certain that's good
enough. Can the .htaccess in the Tor mirror override it? Are there other
things that Apache will execute that I'm not aware of?

To solve (1), how about letting users submit an SSH public key so they
can rsync over SSH, or just have an account with a stupid password like
"tormirror", then publish the SSH fingerprint on torproject.org?

A Git repository with signed tags could be another solution.

[1] https://www.torproject.org/docs/running-a-mirror.html.en

Thanks,
-- 
Taylor Hornby
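
Added example, not part of the original message: an Apache configuration fragment that contrasts the "php_flag engine off" workaround described above with a form that a synced .htaccess cannot undo. The directory path and the PHP module identifier are assumptions and need adjusting to the local install.

```apache
# Added example, not from the original message. The path is a placeholder.

# Workaround described in the message. php_flag is an overridable setting:
# if AllowOverride for this directory permits Options or All, a synced
# .htaccess containing "php_flag engine on" takes precedence.
#
# <Directory "/var/www/tor-mirror">
#     php_flag engine off
# </Directory>

# Hardened form: treat everything under the mirror as static data.
<Directory "/var/www/tor-mirror">
    # Ignore every .htaccess file that arrives via rsync.
    AllowOverride None

    # No CGI execution and no server-side includes for mirrored files.
    Options -ExecCGI -Includes

    # php_admin_flag cannot be changed from .htaccess or ini_set().
    # The module identifier depends on the installed PHP version
    # (mod_php5.c is an assumption; newer builds use mod_php7.c or mod_php.c).
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

Running `apachectl configtest` before reloading confirms the fragment parses. This covers only the web-server execution risk (2); it does nothing for the integrity of the mirrored binaries in (1).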

