[Tor-BSD] OpenBSD httpd hidden service

[Jean-Philippe Ouellet]

On Tue, Dec 5, 2017 at 9:45 AM, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
> On Tue, Dec 05, 2017 at 07:28:39PM +1100, teor wrote:
>>
>> > On 5 Dec 2017, at 18:42, hue manatee <huemanatee at riseup.net> wrote:
>> >
>> > So, like any good bsd'er, I consulted 'man tor' and 'man httpd' and, of course, they described pretty clearly how to configure things. Below are the steps I followed. Would be nice to know if this location-hidden service IS indeed configured securely, but I'm not sure how to test.
>>
>> Access the onion address in Tor Browser.
>> If it works, the tor portion is secure.
>>
>> The httpd portion may be insecure, depending on how it is configured.
>>
>> Does httpd:
>> * answer requests for its own config
>> * tell clients information about its own IP address
>> * look up addresses that clients send it in DNS
>>
>> Sarah Jamie Lewis has done some excellent work on fingerprinting onion
>> services - there are probably a few more major vectors I've forgotten.
>
> If 100% anonymity is important, I would stick the httpd behind a fully
> Tor-ified network. That way, httpd itself doesn't know or even care
> that it's behind Tor. It cannot leak any private info.

+1 for this approach

If you're confined to a single physical machine for real-world
reasons, running httpd inside vmm and transparently torrifying all
traffic of its only interface sounds like an approach more resistant
to inadvertent information disclosures, especially if you're concerned
about people exploiting some webapp you're running and (pretty
trivially) leaking from there.

Remember that pf also has the ability to filter by user/group [1],
which you may find useful if you wish to forbid outbound traffic
originating from httpd/slowcgi/whatever.

Cheers,
Jean-Philippe

[1]: https://man.openbsd.org/pf.conf#user