On Sun, May 24, 2009 at 09:59:28PM -0400, Ringo wrote:
> I'll be working on improving hidden service security and usability this
> summer (starting in about three weeks). I'm currently attending the
> Evergreen State College in Olympia, WA

Based on your location, there are two nearby events that might interest you:

http://toorcamp.org/ (Moses Lake, WA; July 2-5)
http://petsymposium.org/2009/ (Seattle, WA; August 5-7)

Quite a few Tor developers will be present at each (especially PETS).

> Specifically, I will be creating a how-to guide for securing standard
> LAMP servers as well as a script that will help Linux users set them up.
> I have a few ideas for locking down apache, php, etc. but I would
> appreciate any other ideas admins of hidden services have as well as
> suggestions on how to implement them.

Interesting. I've always been conflicted about whether it's possible to
distill enough how-to advice that novices can actually safely set up a
complex (i.e. more than just static html) website. That's why my
walk-through at
https://www.torproject.org/docs/tor-hidden-service#one
suggests thttpd -- it doesn't have all the edge cases that apache / php /
etc would have.

Note that Vidalia has an interface for configuring a hidden service in Tor.

It would be neat to eventually have a Thandy component which is a website.
Then in the Thandy interface when you're choosing which components to
track, you could click "hidden service" and it would fetch and install a
thttpd for you. Or heck, a more complex webserver if we think we can secure
it effectively.

--Roger

