[tor-talk] Question regarding forum software for use as a hidden service

Jude Young jude at 10equals2.me
Thu Mar 15 00:37:48 UTC 2012

On 03/14/2012 03:05 PM, Commence Without Illusions wrote:
> Your best option is to run your forum software, server, and everything
> else except Tor in a virtual machine and then direct all that machine's
> traffic through Tor. Anything with scripting, PHP, or even web forms is
> going to be a significant risk. Even without it, you're assuming the web
> server will never be vulnerable which is a pretty unrealistic expectation.
> Commence
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
What he said.  PHP is a huge risk.
I've worked with it before, even just trying to force SSL its a hassle.

At the very least consider running the webserver (AND all of the 
server-side scripts!) in a chrooted environment...

There is a very informative tutorial for lighttpd and fastcgi inside a 
chroot on 
It's for php4, but it ALMOST works out of the box for php5.  And they 
definitely give you the tools to troubleshoot that one thing that 
doesn't quite work.

If you need a little hand, or you are stuck, feel free to drop me a line.
Also, This forum seems to be pretty popular.
The smaller the better.  It's easier to audit a tiny package for leaks 
than it is a larger one.

I hope I said something interesting, and wasn't merely rambling.

More information about the tor-talk mailing list