[tor-talk] Hidden service security w. Apache/Win32
Fred Toben
redguy at tormail.net
Sun Feb 19 12:50:47 UTC 2012
Hello Everybody
I am in the process of setting up a hidden service with Apache 2.2 under
Windows.
I run Apache (Win32) in a virtual machine and Tor in a separate virtual
machine under VMware Workstation.
VM 1 runs Apache and VM 2 runs Tor.
VM 1 is connected to VM 2 through an internal host only network and no
connection to Apache is possible except through the host only network.
Apache runs under a limited user account and I have locked down all
potentially unsafe modules (PHP, autoindex etc) and I have tested that the
hidden service is connectable from the outside with its .onion address.
So far I haven't found any public info about the possible downsides of
running a hidden service under Windows.
Is running the instances of Tor and Apache in separate locked down virtual
environments more secure than having Apache and Tor listening within the
same machine?
Or is Windows an absolute no when considering running a secure hidden
service?
Another question is whether my setup (VM1=application, VM2=Tor)
ameliorates the problems with proxified applications.
On the Torproject site I read that proxifying applications is often
dangerous because the applications might leak the machine's real IP
address.
But if the proxified application runs within a virtual machine, and only
connects to an instance of Tor running within another VM, what info could
leak through the application other than the IP of the VM?
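
Added example, not part of the original message: one way to check from the Apache configuration that the setup described above holds, i.e. that every `Listen` directive is bound to the host-only network and that the modules named in the post are not loaded. The `audit` function, the sample configuration and the 192.168.56.0/24 host-only range are constructed for illustration.

```python
import ipaddress
import re

# PHP and autoindex are the modules the post names; status and info are an
# assumption added here because both publish server details over HTTP.
UNSAFE_MODULE = re.compile(r"^(php\d*|autoindex|status|info)_module$", re.I)

# Constructed sample config; 192.168.56.10 is a placeholder for VM 1's
# address on the host-only network.
SAMPLE_CONF = """\
# Listen 80
Listen 192.168.56.10:80
Listen 0.0.0.0:8080
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule php5_module "c:/php/php5apache2_2.dll"
LoadModule dir_module modules/mod_dir.so
"""


def audit(conf_text, hostonly_net):
    """Return (line number, finding) pairs for Listen/LoadModule lines."""
    net = ipaddress.ip_network(hostonly_net)
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank, commented out, or no argument
        directive, arg = parts[0].lower(), parts[1]
        if directive == "listen":
            # Syntax is [address:]port; a bare port binds every interface.
            addr = arg.rpartition(":")[0].strip("[]")
            try:
                inside = bool(addr) and ipaddress.ip_address(addr) in net
            except ValueError:
                inside = False  # not an IP literal, cannot be verified
            if not inside:
                findings.append((lineno, "Listen %s is not limited to %s" % (arg, net)))
        elif directive == "loadmodule" and UNSAFE_MODULE.match(arg):
            findings.append((lineno, "%s is loaded" % arg))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CONF, "192.168.56.0/24"):
        print("line %d: %s" % (lineno, finding))
```

The check reads a single file and does not follow `Include` directives or detect modules compiled into the server binary, so each included file has to be passed through it separately.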