[Tor-BSD] OpenBSD httpd hidden service

[George Rosamond]

Shawn Webb:
> On Tue, Dec 05, 2017 at 07:28:39PM +1100, teor wrote:
>>
>>> On 5 Dec 2017, at 18:42, hue manatee <huemanatee at riseup.net> wrote:
>>>
>>> So, like any good bsd'er, I consulted 'man tor' and 'man httpd' and, of course, they described pretty clearly how to configure things. Below are the steps I followed. Would be nice to know if this location-hidden service IS indeed configured securely, but I'm not sure how to test.
>>
>> Access the onion address in Tor Browser.
>> If it works, the tor portion is secure.
>>
>> The httpd portion may be insecure, depending on how it is configured.
>>
>> Does httpd:
>> * answer requests for its own config
>> * tell clients information about its own IP address
>> * look up addresses that clients send it in DNS
>>
>> Sarah Jamie Lewis has done some excellent work on fingerprinting onion
>> services - there are probably a few more major vectors I've forgotten.
> 
> If 100% anonymity is important, I would stick the httpd behind a fully
> Tor-ified network. That way, httpd itself doesn't know or even care
> that it's behind Tor. It cannot leak any private info.

So, yeah, that's an approach.

I think for most people, there's two parts:

1. make sure the www server isn't listening publicly, which should be
easiest enough to do by setting the http listening port and reinforcing
by not allowing with host- and network-based firewall, if you're on the
frantic side :)

2. minimizing how much information is leaked by the www server, which
could include the actual IP address, type of www server, etc.

This is worth more discussion IMHO, but thought I'd throw that out there
for now.

g


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nycbug.org/pipermail/tor-bsd/attachments/20171205/a45caf83/attachment.bin>