[Tor-BSD] OpenBSD httpd hidden service

teor teor2345 at gmail.com
Tue Dec 5 03:28:39 EST 2017


> On 5 Dec 2017, at 18:42, hue manatee <huemanatee at riseup.net> wrote:
> 
> So, like any good bsd'er, I consulted 'man tor' and 'man httpd' and, of course, they described pretty clearly how to configure things. Below are the steps I followed. Would be nice to know if this location-hidden service IS indeed configured securely, but I'm not sure how to test.

Access the onion address in Tor Browser.
If it works, the tor portion is secure.

The httpd portion may be insecure, depending on how it is configured.

Does httpd:
* answer requests for its own config
* tell clients information about its own IP address
* look up addresses that clients send it in DNS

Sarah Jamie Lewis has done some excellent work on fingerprinting onion
services - there are probably a few more major vectors I've forgotten.

> There is no ssl cert, not sure of this impact.

Certificates are irrelevant for most use cases: the traffic is end-to-end
encrypted and authenticated to the address by the onion service protocol.

Certificates are only useful to modify browser behaviour, or authenticate
your service as belonging to a CA-certified DNS domain / organisation.

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
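
The "tell clients information about its own IP address" check from the list above can be run over a response saved from your own onion service. This is an added example, not part of the original message; the sample response, the `ONION` placeholder and the function names are constructed for illustration.

```python
import ipaddress
import re

# Dotted-quad candidates; ipaddress validates them afterwards.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def leaked_ips(text):
    """IPv4 literals in text, ignoring loopback/unspecified (they reveal no location)."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if not (ip.is_loopback or ip.is_unspecified):
            found.append(candidate)
    return found

def audit_response(raw, onion_host):
    """Return (kind, value) findings for one raw HTTP response from your own service."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            findings.append(("banner", value.strip()))
    findings += [("ip-in-header", ip) for ip in leaked_ips(head)]
    # An absolute URL in a header (e.g. a redirect) built from a name other
    # than the onion address means httpd is advertising its own hostname.
    for host in URL_HOST.findall(head):
        if host.lower() != onion_host.lower() and not IPV4.fullmatch(host):
            findings.append(("foreign-host-in-header", host))
    findings += [("ip-in-body", ip) for ip in leaked_ips(body)]
    return findings

ONION = "exampleonionaddr.onion"   # placeholder, not a real service
SAMPLE = (                          # constructed response, documentation IP ranges
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: OpenBSD httpd\r\n"
    "Location: http://203.0.113.7:8080/docs/\r\n"
    "\r\n"
    "<address>httpd at 198.51.100.23</address>\r\n"
)

if __name__ == "__main__":
    for kind, value in audit_response(SAMPLE, ONION):
        print(f"{kind}: {value}")
```

It inspects responses only, so it says nothing about whether httpd serves its own config or performs DNS lookups on client-supplied names.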