From: Tor Talker <tortalker@hidemeta.com>
Date: Thu, 26 Jun 2014 00:50:29 -0600
To: tor-talk@lists.torproject.org
Subject: [tor-talk] Secure Hidden Service (was: Re: ... Illegal Activity As
	A Metric ...)

On 25 Jun 2014, at 11:09 PM, Mirimir <mirimir@riseup.net> wrote:

> ... any Tor user can host a
> hidden service. But few people, even experienced web engineers, know
> enough to do it securely enough. Also, hidden services are far more
> vulnerable than Tor users, simply because they serve stuff.

OK, I'll bite.

Are you saying that experienced web engineers are not capable of designing systems with security and anonymity in mind, or that there are generally hidden risks in setting up the Tor rendezvous connection to a local server?  We can agree not to trust random software architects/implementors, but I can say with confidence that my team is very competent and security-minded (though new to publishing Tor hidden services).

More to the point, do you have specific concerns regarding the Linux/Tor/Apache/Perl stack we are using?  We do sanitize error messages to prevent Apache from leaking system information, but that's really the only special effort other than maintaining good overall system security.

What sort of vulnerabilities would you expect to see?



