[tor-talk] Hidden service security w. Apache/Win32

proper at tormail.net proper at tormail.net
Sun Feb 19 16:05:52 UTC 2012

> So far I haven't found any public info about the possible downsides of
running a hidden service under Windows.

Let's assume a fresh, clean windows installation. Have you found a list
and description of all outgoing network connections, that will be made by
that windows installation? I haven't found any documentation. Information
is spread all over the web. So far I discovered Windows Update, WGA and
time sync.

I am collecting all that information including source. [1]

There are still open questions. Is the time sync authenticated or can it
be spoofed by the Tor exit? How safe is it, to rely on Microsoft time sync
servers? (just one server, single point of failure)

Microsoft didn't always use automatic updates just for security updates.
They installed WGA without asking, which is spyware and no security
update. Or they installed a Firefox addon (net framework), which was a new
"feature", but not a security update for net framework.

How legal is Guantanamo, how much does the state following it's own laws?
Imagine Microsoft would push a backdoor over automatic updates, to bust cp
or a botnet. A small outcry through the geekzone, the masses would't
notice or care and continue to use Windows. How can we assume the state
has inhibitions to force Microsoft do to that, if Guantanamo is not even
an open secret?

> Is running the instances of Tor and Apache in separate locked down virtual
environments more secure than having Apache and Tor listening within the
same machine?

I think yes and I am very interested in it. That's why I wrote TorBOX,
it's very similar to what you do. [2] There is also a section about hidden
services. [3]

But different opinions are possible. One could argue that a more
complicated setup and more code is involved, therefore even less secure.
It's probable a question what you think, what is/will be more probable
exploited? The VM (introducing more code) or the web server?

I'd be interested to read Tor developers opinion.

> Or is Windows an absolute no when considering running a secure hidden

I think we agree that this virtual machine should only be used for the
hidden service, don't we? Since Windows costs money and is closed source
and while Linux/BSD is Free Software, and all common server software runs
also under *nix, so why not use it?

> But if the proxified aplication runs within a virtual machine, and only
connects to an instance of Tor running within another VM, what info could
leak through the application other than the IP of the VM?

application level leaks, examples
- irc clients, if not well configured, leak your time zone, your current
time, your irc client version, maybe the name of your user account (some
clients, user account name = ident)
- browser fingerprinting [4]
- some webservers (in standard configuration) leak your operating system
- other (server) software has not yet been researched so thoroughly like
Firefox for fingerprinting and application level leaks (Thunderbird in
VM-1 would be unwise, it's very similar to Firefox fingerprinting)

Server software name and version can be potentially used to exploit the
server, once the VM is infected, it might break out of the VM and report
your real IP. If you can afford using real hardware, instant of VMs, that
would be more secure.

[1] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks
[2] https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
[4] https://www.torproject.org/projects/torbrowser/design/

More information about the tor-talk mailing list