[Tor-BSD] OpenBSD httpd hidden service

Shawn Webb shawn.webb at hardenedbsd.org
Tue Dec 5 09:45:47 EST 2017


On Tue, Dec 05, 2017 at 07:28:39PM +1100, teor wrote:
> 
> > On 5 Dec 2017, at 18:42, hue manatee <huemanatee at riseup.net> wrote:
> > 
> > So, like any good bsd'er, I consulted 'man tor' and 'man httpd' and, of course, they described pretty clearly how to configure things. Below are the steps I followed. Would be nice to know if this location-hidden service IS indeed configured securely, but I'm not sure how to test.
> 
> Access the onion address in Tor Browser.
> If it works, the tor portion is secure.
> 
> The httpd portion may be insecure, depending on how it is configured.
> 
> Does httpd:
> * answer requests for its own config
> * tell clients information about its own IP address
> * look up addresses that clients send it in DNS
> 
> Sarah Jamie Lewis has done some excellent work on fingerprinting onion
> services - there are probably a few more major vectors I've forgotten.

If 100% anonymity is important, I would stick the httpd behind a fully
Tor-ified network. That way, httpd itself doesn't know or even care
that it's behind Tor. It cannot leak any private info.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
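
One way to check teor's second question (does httpd tell clients about its own address) against a response you have already captured through the onion address. This is an added example, not code from anyone in the thread; `audit_response`, the sample responses and the placeholder onion name are constructed for illustration.

```python
import ipaddress
import re

# Candidate IPv4 literals; each one is validated with ipaddress before reporting.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
# Host part of any absolute http(s) URL (a port, if present, is not captured).
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

SAMPLE_ONION = "exampleonionaddressplaceholder.onion"  # constructed placeholder
SAMPLE_LEAKY = (  # constructed response that leaks a clearnet name and an IP
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://www.example.org/index.html\r\n"
    "\r\n"
    "<p>Served from 192.0.2.10</p>"
)
SAMPLE_CLEAN = (  # constructed response that only refers to the onion name
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="http://exampleonionaddressplaceholder.onion/about.html">about</a>'
)

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _scan(where, text, onion_host):
    """Collect IP literals and non-onion URL hosts found in one piece of text."""
    found = set()
    for literal in IPV4_RE.findall(text):
        if _as_ip(literal) is not None:
            found.add(("ip-literal", where, literal))
    for host in URL_HOST_RE.findall(text):
        host = host.lower().rstrip(".")
        if host != onion_host.lower() and _as_ip(host) is None:
            found.add(("foreign-host", where, host))
    return found

def audit_response(raw, onion_host):
    """Return sorted (kind, where, value) findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = _scan("body", body, onion_host)
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        findings |= _scan(name.strip().lower(), value, onion_host)
    return sorted(findings)
```

An empty result only means this one response showed nothing; error pages, redirects and directory listings each need their own capture.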