[tor-talk] Secure Hidden Service

Dedalo Galdos seguridadblanca at gmail.com
Thu Jun 26 12:14:12 UTC 2014


Hi, I made a very basic Python script to help people set up their hidden
service. Maybe this could be useful for some people.

https://github.com/Dedal0/Tosc
On Jun 26, 2014 3:12 AM, "Mirimir" <mirimir at riseup.net> wrote:

> On 06/26/2014 12:50 AM, Tor Talker wrote:
> > On 25 Jun 2014, at 11:09 PM, Mirimir <mirimir at riseup.net> wrote:
> >
> >> ... any Tor user can host a hidden service. But few people, even
> >> experienced web engineers, know enough to do it securely enough.
> >> Also, hidden services are far more vulnerable than Tor users,
> >> simply because they serve stuff.
> >
> > OK, I'll bite.
> >
> > Are you saying that experienced web engineers are not capable of
> > designing systems with security and anonymity in mind, or that
> > there are generally hidden risks in setting up the Tor rendezvous
> > connection to a local server?  We can agree not to trust random
> > software architects/implementors, but I can say with confidence that
> > my team is very competent and security minded (though new to
> > publishing Tor hidden services).
> >
> > More to the point, do you have specific concerns regarding the
> > Linux/Tor/Apache/Perl stack we are using?  We do sanitize error
> > messages to prevent Apache from leaking system information, but
> > that's really the only special effort other than maintaining good
> > overall system security.
> >
> > What sort of vulnerabilities would you expect to see?
>
> Well, this Tor Blog entry[1] is a good place to start.
>
> There's also a fundamental bind. Unless you physically control your
> servers, they aren't really your servers. And so you want to avoid using
> cloud services or hosted servers. But if you do physically control your
> servers, you're directly associated with them. And you are betting the
> farm that they won't be found (or on your lawyers).
>
> Resolve that, and you have a great business plan :)
>
> [1] https://blog.torproject.org/category/tags/hidden-services
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>