On Wed, Jun 18, 2014 at 1:49 PM, Alexander Fortin <[email protected]> wrote:
> On 18. Juni 2014 at 16:26:38, Zack Weinberg ([email protected]) wrote:
>> Best practice as I understand it is that you should have an exit
>> notice on all exit relays. What I'm not sure of is whether "DirPort
>> 80 + DirPortFrontPage" is the recommended way to accomplish that. The
>> CMU Tor exit uses a separate lighttpd install, I think primarily
>> because we didn't know about DirPortFrontPage when we set it up. I
>> can make a case either way - less software = less attack surface;
>> separate install = compartmentalization.
>
> I understand the 'less software' benefit; I'm currently reading
> https://en.wikipedia.org/wiki/Compartmentalization_(information_security)
> but still not sure if I understand correctly the reference to the
> 'compartmentalization' in this case.

If the process listening on port 80 is the Tor process, then any vulnerability in the HTTP service it presents to port 80 can be exploited for a direct attack on the relay itself. If port 80 service is provided by a separate program (e.g. lighttpd) running under a different user ID, then an exploit of *that* program may not be able to affect the relay. That's all I meant. (The Wikipedia article is talking about a related thing, but not really the same.)

If you turn DirPort on at all, that exposes Tor's built-in HTTP server to the Internet -- perhaps on a nonstandard port, but still -- so I'm not sure the compartmentalization is really buying anything in this case.

zw
_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
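
Added example, not part of the original message: a check for the two layouts discussed in this thread. It reports which user ID answers on the exit-notice port and which ports the Tor process itself still listens on. The function names, PIDs, port numbers and account names (`debian-tor`, `www-data`) are assumptions, and the inputs are constructed samples in the format of `ss -ltnp` and `ps -eo pid=,user=`.

```python
import re

# Constructed `ss -ltnp` output (as root); PIDs and ports are made up.
# Layout A: exit notice served by a separate lighttpd, DirPort on 9030.
SS_SEPARATE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 1024 0.0.0.0:80   0.0.0.0:* users:(("lighttpd",pid=812,fd=4))
LISTEN 0 4096 0.0.0.0:9001 0.0.0.0:* users:(("tor",pid=640,fd=6))
LISTEN 0 4096 0.0.0.0:9030 0.0.0.0:* users:(("tor",pid=640,fd=7))
"""
# Layout B: "DirPort 80 + DirPortFrontPage", Tor itself answers on port 80.
SS_BUILTIN = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:80   0.0.0.0:* users:(("tor",pid=640,fd=7))
LISTEN 0 4096 0.0.0.0:9001 0.0.0.0:* users:(("tor",pid=640,fd=6))
"""
# Constructed `ps -eo pid=,user=` output; the account names are assumptions.
PS = "  640 debian-tor\n  812 www-data\n"

PROC = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def listeners(ss_text):
    """Map each listening port to the set of (process name, pid) holding it."""
    ports = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header, or a socket with no visible owner
        port = int(fields[3].rsplit(":", 1)[1])
        ports.setdefault(port, set()).update(
            (name, int(pid)) for name, pid in PROC.findall(line))
    return ports


def assess(ss_text, ps_text, notice_port=80, relay_name="tor"):
    """Report whether the notice port runs under the relay's user ID."""
    rows = (l.split() for l in ps_text.splitlines() if l.strip())
    user_of = {int(pid): user for pid, user in rows}
    ports = listeners(ss_text)
    relay_ports = sorted(p for p, procs in ports.items()
                         if any(n == relay_name for n, _ in procs))
    relay_users = {user_of.get(pid, f"pid:{pid}") for p in relay_ports
                   for n, pid in ports[p] if n == relay_name}
    notice_users = {user_of.get(pid, f"pid:{pid}")
                    for _, pid in ports.get(notice_port, ())}
    return {"notice_users": sorted(notice_users),
            "shared_with_relay": bool(notice_users & relay_users),
            "relay_ports": relay_ports}
```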
