SoC Project: Improving Hidden Service Security and Usability

Juliusz Chroboczek Juliusz.Chroboczek at
Mon Jun 1 18:57:54 UTC 2009

>> Specifically, I will be creating a how-to guide for securing standard
>> LAMP servers as well as a script that will help Linux users set them up.
>> I have a few ideas for locking down apache, php, etc. but I would
>> appreciate any other ideas admins of hidden services have as well as
>> suggestions on how to implement them.

> Interesting. I've always been conflicted about whether it's possible to
> distill enough how-to advice that novices can actually safely set up a
> complex (i.e. more than just static html) website.

Not to get into a « my Emacs is better than your vi » discussion, but
I've had excellent experiences with Lighttpd.  I've also found the code
to be much cleaner than that of thttpd.

Whatever the web server, PHP is a security disaster, and I wouldn't
dream of putting it on a hidden service.


P.S. « PHP is a minor evil perpetrated and created by incompetent amateurs,
       whereas Perl is a great and insidious evil, perpetrated by skilled
       but perverted professionals. » — Jon Ribbens

More information about the tor-talk mailing list