Hi all,
How can I best audit an onion service to make sure that my IP can not easily be
compromised? Is there a list of things to do to try to hack my own site to try
to find the IP?
Thanks!
Jason
publickey - jason.s.evans@protonmail.com - 0x3C141928.asc
Description: application/pgp-keys
That's an excellent question. I think we should make a wiki page on
trac about this, if we don't have one already...
Off the top of my head, I'd suggest the following (specific to HTTP(S) servers):
- Ensure your clock is correct and is corrected automatically once or
twice a day to reduce time
Not to put too fine a point on it: I would start by running an onion server
on a dedicated machine in a network enclave behind NAT and with
intentionally invalid hostnames, so that any/all metadata that might leak
in (say) Apache headers, is mostly useless; the NAT-internal network would
be