[tor-relays] Debian relay Puppet module

Zack Weinberg zackw at cmu.edu
Wed Jun 18 19:34:12 UTC 2014


On Wed, Jun 18, 2014 at 1:49 PM, Alexander Fortin
<alexander.fortin at gmail.com> wrote:
> On 18 June 2014 at 16:26:38, Zack Weinberg (zackw at cmu.edu) wrote:
>> Best practice as I understand it is that you should have an exit
>> notice on all exit relays. What I'm not sure of is whether "DirPort
>> 80 + DirPortFrontPage" is the recommended way to accomplish that. The
>> CMU Tor exit uses a separate lighttpd install, I think primarily
>> because we didn't know about DirPortFrontPage when we set it up. I
>> can make a case either way - less software = less attack surface;
>> separate install = compartmentalization.
>
> I understand the 'less software' benefit; I'm currently reading
> https://en.wikipedia.org/wiki/Compartmentalization_(information_security)
> but still not sure if I understand correctly the reference to the
> 'compartmentalization' in this case.

If the process listening on port 80 is the Tor process, then any
vulnerability in the HTTP service it presents to port 80 can be
exploited for a direct attack on the relay itself.  If port 80 service
is provided by a separate program (e.g. lighttpd) running under a
different user ID, then an exploit of *that* program may not be able
to affect the relay.  That's all I meant.  (The Wikipedia article is
talking about a related thing, but not really the same.)

If you turn DirPort on at all, that exposes Tor's built-in HTTP server
to the Internet -- perhaps on a nonstandard port, but still -- so I'm
not sure the compartmentalization is really buying anything in this
case.

zw
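
One way to check which of the two arrangements discussed above a relay is actually running, as an added example that is not part of the original message or the Puppet module. The `ss -H -ltnp` output, PIDs and UIDs are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed `ss -H -ltnp` output and PID-to-UID map (assumptions, not from the post).
SS_SEPARATE = """\
LISTEN 0 128 0.0.0.0:80   0.0.0.0:* users:(("lighttpd",pid=812,fd=4))
LISTEN 0 128 0.0.0.0:9001 0.0.0.0:* users:(("tor",pid=640,fd=7))
LISTEN 0 128 0.0.0.0:9030 0.0.0.0:* users:(("tor",pid=640,fd=8))
"""
SS_BUILTIN = """\
LISTEN 0 128 0.0.0.0:80   0.0.0.0:* users:(("tor",pid=640,fd=8))
LISTEN 0 128 0.0.0.0:9001 0.0.0.0:* users:(("tor",pid=640,fd=7))
"""
UIDS = {812: 33, 640: 107}

# State, Recv-Q, Send-Q, local addr:port, peer, then the first owning process.
LISTENER = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+),')

def parse_listeners(ss_text):
    """Return (port, process name, pid) for each listening TCP socket."""
    found = (LISTENER.match(line.strip()) for line in ss_text.splitlines())
    return [(int(m[1]), m[2], int(m[3])) for m in found if m]

def proc_uid(pid):
    """Effective UID of a running process, read from /proc/<pid>/status."""
    with open(f"/proc/{pid}/status") as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return int(line.split()[2])  # fields: real, effective, saved, fs
    raise LookupError(f"no Uid line for pid {pid}")

def assess(ss_text, uid_of=proc_uid, tor_name="tor", notice_port=80):
    """Classify who serves notice_port and list every port Tor itself listens on."""
    listeners = parse_listeners(ss_text)
    tor_pids = {pid for _, name, pid in listeners if name == tor_name}
    tor_uids = {uid_of(pid) for pid in tor_pids}
    front = [pid for port, _, pid in listeners if port == notice_port]
    if not front:
        notice = "no listener"
    elif any(pid in tor_pids for pid in front):
        notice = "served by tor"
    elif any(uid_of(pid) in tor_uids for pid in front):
        notice = "separate process, same uid"
    else:
        notice = "separate process, separate uid"
    # Any DirPort among tor_ports still exposes Tor's built-in HTTP server.
    tor_ports = sorted({port for port, _, pid in listeners if pid in tor_pids})
    return {"notice": notice, "tor_ports": tor_ports}

if __name__ == "__main__":
    print(assess(SS_SEPARATE, UIDS.get))
    print(assess(SS_BUILTIN, UIDS.get))
```

On a live relay, pass the real output of `ss -H -ltnp` (run as root so the process column is populated) and leave `uid_of` at its default. The UID is read from the process, not the socket, because a daemon that binds port 80 as root and then drops privileges should be judged by the user it ends up running as.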

