Page MenuHomePhabricator
Create Task
Maniphest T523

document identity correlation attacks and defenses / Removing Apache Recommendation
Closed, ResolvedPublic
Actions

Description

Summary:

Apache includes everything and the kitchen sink. Some of its features are bad for privacy and leaks info about a server's configuration:

https://mascherari.press/why-onionscan-should-worry-you/
https://mascherari.press/thwarting-identity-correlation-attacks/

Alternatives to Apache we can possibly recommend instead: Nginx, reverse proxies in general, anything very simple that's enough for most people.

Related Documentation:

https://www.whonix.org/wiki/Hidden_Services#Hidden_Webserver

ALPaCA defense
https://forums.whonix.org/t/website-fingerprinting-defenses-at-the-application-layer
?

Details

Impact
Normal

Event Timeline

HulaHoop created this task.Jul 15 2016, 4:11 PM
Herald added a project: Whonix. · View Herald TranscriptJul 15 2016, 4:11 PM
Herald added subscribers: WhonixQubes, Patrick. · View Herald Transcript
Patrick renamed this task from Removing Apache Recommendation to document identity correlation attacks and defenses / Removing Apache Recommendation.Jul 16 2016, 1:05 PM
Patrick added a project: Whonix 14.
HulaHoop added a comment.Jul 30 2016, 3:03 AM

And more damage from Apache plugins...

Its going to get rough:

https://mascherari.press/100s-of-dark-web-sites-should-now-be-considered-compromised/

https://twitter.com/SarahJamieLewis/status/759095469997826048

Patrick updated the task description. (Show Details)Mar 14 2017, 8:21 PM
HulaHoop added a comment.Apr 13 2017, 8:10 PM

https://www.whonix.org/w/index.php?title=Hidden_Services&diff=prev&oldid=28910

Patrick added a comment.Apr 14 2017, 11:43 AM

Great! Anything else to do here?

HulaHoop closed this task as Resolved.Apr 18 2017, 2:12 PM
HulaHoop claimed this task.

No :)

Patrick reopened this task as Open.Dec 22 2018, 11:01 AM

We still have the warning on https://www.whonix.org/wiki/Onion_Services.

You are better off not using Apache! We do not have a suggestion for a privacy friendly web server yet. That is still TODO. See ticket, document identity correlation attacks and defenses / Removing Apache Recommendation. Help welcome!

HulaHoop added a comment.Dec 28 2018, 7:31 PM

From this size comparison on Debian wiki, I think the best and most secure option is the smallest and most minimal one: micro-httpd

https://wiki.debian.org/WebServers

https://packages.debian.org/stretch/micro-httpd

Once this is added on there, can I remove the banner or at least change the warning content and move it at the beginning of the section.

Patrick added a comment.Jan 2 2019, 12:54 PM

Sounds good!

HulaHoop added a comment.Jan 4 2019, 4:57 PM

Done. You can close this ticket once you agree with edits.

Patrick added a comment.Jan 6 2019, 7:24 AM

https://www.whonix.org/wiki/Onion_Services#Step_1:_Install_Server_Software needs update.

HulaHoop added a comment.Jan 13 2019, 12:56 AM

Done

Patrick closed this task as Resolved.Jan 16 2019, 12:19 PM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer