[tor-talk] Question regarding forum software for use as a hidden service

Jude Young jude at 10equals2.me
Thu Mar 15 00:37:48 UTC 2012


On 03/14/2012 03:05 PM, Commence Without Illusions wrote:
> Your best option is to run your forum software, server, and everything
> else except Tor in a virtual machine and then direct all that machine's
> traffic through Tor. Anything with scripting, PHP, or even web forms is
> going to be a significant risk. Even without it, you're assuming the web
> server will never be vulnerable which is a pretty unrealistic expectation.
>
> Commence
>
What he said.  PHP is a huge risk.
I've worked with it before, even just trying to force SSL it's a hassle.

At the very least consider running the webserver (AND all of the 
server-side scripts!) in a chrooted environment...

There is a very informative tutorial for lighttpd and fastcgi inside a 
chroot on 
(http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html).  
It's for php4, but it ALMOST works out of the box for php5.  And they 
definitely give you the tools to troubleshoot that one thing that 
doesn't quite work.

If you need a little hand, or you are stuck, feel free to drop me a line.
Also, this forum seems to be pretty popular.
http://en.wikipedia.org/wiki/PhpBB
The smaller the better.  It's easier to audit a tiny package for leaks 
than it is a larger one.


I hope I said something interesting, and wasn't merely rambling.

