On Wed, Jun 25, 2014 at 11:50 PM, Tor Talker <tortal...@hidemeta.com> wrote:
> ....
> More to the point, do you have specific concerns regarding the
> Linux/Tor/Apache/Perl stack we are using? We do sanitize error messages to
> prevent Apache from leaking system information, but that's really the only
> special effort other than maintaining good overall system security.
i never use apache, php, perl. i use custom built nginx against custom built dependencies to front custom python/c++ web services. these hidden services have never been compromised, but they're also not designed like most web services. (i have used bounties in the past to attract scrutiny, but to be fair "never been compromised" is also a pretty poor metric for security or privacy. this is more a sanity check.)

> What sort of vulnerabilities would you expect to see?

i've seen vulnerabilities in configuration, where insecure options enabled by default allow local execution and privilege escalation. i've seen vulnerabilities in implementation, where poor coding implies errors around authorization or authentication. i've seen vulnerabilities in database communication, where failure to sanitize inputs leads to complete compromise. the list goes on, and on, ...

building secure systems is hard. Tor is pretty hard, but the things people run across it are much less so; double for hidden services. trying to remain anonymous while hosting an average site on a hidden service? this is difficult. trying to remain anonymous while posting and chatting and otherwise practicing horrible opsec? this is near impossible.

last but not least, the entire premise of this thread is around blatant, public illegal behavior brazenly displayed being discoverable through search and publication - the sites that practice good privacy aren't spamming their links everywhere. by definition, the original survey is collecting only the worst run sites.

too much thought wasted on this thread already.

best regards,

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk