The best way to run a hidden service: one or two computers?

Jimmy Dioxin jimmydioxin22 at gmx.com
Tue Sep 14 01:26:30 UTC 2010


There's a good guide for this which was written around a year ago
available at:

http://www.olyhackbloc.org/hidsec.pdf

The original post seems to be found here:
http://www.mail-archive.com/or-talk@freehaven.net/msg11575.html

As for virtual machines, if an adversary is able to break through a
fully virtualized machine, another level of protection won't do you much good.

If you're worried about an attacker with those kinds of skills, you're
better off setting up a "drop box" which contains a hidden service server
that you can drop in any area that isn't connected to you. Be creative ; )

Jimmy Dioxin


On 09/13/2010 03:45 PM, Robert Ransom wrote:
> On Mon, 13 Sep 2010 14:12:35 -0400
> hikki at Safe-mail.net wrote:
> 
>> When running a hidden service, obviously hidden so no one can find the 
>> true source and IP of the web server because lives may depend on 
>> that, I've heard that the best and safest way is to use a dedicated 
>> server computer with two operating systems and the server being inside a 
>> virtual machine. So if the web server should get cracked, the cracker 
>> will be locked inside the virtual machine and cannot do side-channel 
>> attacks or any other clever methods to reveal the true source.
>>
>> Then I read somewhere that there's even a more secure way, and that is by 
>> using two dedicated computers. One computer with the web server running,
>> being connected with a LAN cable to the second computer which works as a 
>> firewalled router with Tor running on it with the hidden service keys. 
>> Again, if a cracker cracks the server machine, he will be physically 
>> trapped inside the server and cannot access the second computer nor the 
>> internet directly.
> 
> He *would* be able to access the Ethernet card in the
> Internet-connected gateway box, and I have seen reports of at least one
> Ethernet card with an unauthenticated remote-update backdoor which
> could be used to take over the entire computer through DMA.  At the
> very least, virtual network adapters are unlikely to have intentional
> backdoors hidden in them.
> 
>> What are your opinions on this?
>> What should be done and what should be avoided while setting up such 
>> systems?
> 
> * First, operate the hidden service using software with no security
>   holes, and on a (physical) computer that does not operate any
>   Internet-visible services (especially not a Tor relay).  Putting your
>   hidden service in a virtual machine won't protect you from the
>   side-channel attack described in “Hot or Not”.
> 
> * Second, if you must use software with security holes to operate your
>   hidden service, keep that software in a virtual machine, and do not
>   let it communicate with a real network adapter.  (The ‘host-only
>   network’ option in VirtualBox should be safe enough, for example.)  I
>   don't see a big reason to run Tor in a VM, unless you need to set up
>   transparent proxying and don't want to mess up your main OS
>   installation.
> 
> 
> Robert Ransom
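As an added example (not code from anyone in this thread), here is what the gateway side of hikki's two-computer layout looks like in practice: Tor on the gateway holds the hidden service keys and connects to the server box's port 80 over the LAN cable, while the gateway's firewall gives the server box no path to the Internet and lets only the Tor process out. Interface names, addresses, the Tor user and the HiddenServiceDir path are assumptions; the functions print the configuration for review rather than applying it.

```shell
#!/bin/sh
# Assumed topology (constructed for this example):
#   eth0          = gateway's Internet-facing interface
#   eth1          = gateway's LAN cable to the server box
#   192.168.77.2  = server box; the gateway is 192.168.77.1 on eth1
#   debian-tor    = user the gateway's Tor process runs as

# torrc fragment for the gateway.  The service keys live in
# HiddenServiceDir on the gateway, never on the server box; Tor itself
# opens the connection to the server box's port 80 across the LAN.
gateway_torrc() {
    srv=${1:-192.168.77.2}
    cat <<EOF
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 $srv:80
EOF
}

# iptables rules for the gateway, printed rather than applied (review,
# then pipe into sh as root).  Default-deny everywhere; FORWARD stays
# DROP so the gateway never routes for the server box; only the Tor
# user may open connections, and only to the Internet or to the server
# box's web port.  Anything the server box initiates is dropped.
gateway_rules() {
    wan=${1:-eth0}; lan=${2:-eth1}
    srv=${3:-192.168.77.2}; toruser=${4:-debian-tor}
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $wan -m owner --uid-owner $toruser -j ACCEPT
iptables -A OUTPUT -o $lan -d $srv -p tcp --dport 80 -m owner --uid-owner $toruser -j ACCEPT
iptables -A INPUT -i $lan -s $srv -m conntrack --ctstate NEW -j DROP
EOF
}

gateway_torrc
gateway_rules
```

The server box itself should carry no default route and no Tor, so that a compromise there yields only the gateway's LAN address, exactly the isolation hikki describes.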
