Page MenuHomePhabricator

document identity correlation attacks and defenses / Removing Apache Recommendation
Closed, ResolvedPublic

Description

Summary:

Apache includes everything and the kitchen sink. Some of its features are bad for privacy and leaks info about a server's configuration:

https://mascherari.press/why-onionscan-should-worry-you/
https://mascherari.press/thwarting-identity-correlation-attacks/

Alternatives to Apache we can possibly recommend instead: Nginx, reverse proxies in general, anything very simple that's enough for most people.

Related Documentation:

https://www.whonix.org/wiki/Hidden_Services#Hidden_Webserver

ALPaCA defense
https://forums.whonix.org/t/website-fingerprinting-defenses-at-the-application-layer
?

Details

Impact
Normal

Event Timeline

Patrick renamed this task from Removing Apache Recommendation to document identity correlation attacks and defenses / Removing Apache Recommendation.Jul 16 2016, 3:05 PM
Patrick added a project: Whonix 14.

Great! Anything else to do here?

HulaHoop claimed this task.

No :)

We still have the warning on https://www.whonix.org/wiki/Onion_Services.

You are better off not using Apache! We do not have a suggestion for a privacy friendly web server yet. That is still TODO. See ticket, document identity correlation attacks and defenses / Removing Apache Recommendation. Help welcome!

From this size comparison on Debian wiki, I think the best and most secure option is the smallest and most minimal one: micro-httpd

https://wiki.debian.org/WebServers

https://packages.debian.org/stretch/micro-httpd

Once this is added on there, can I remove the banner or at least change the warning content and move it at the beginning of the section.

Done. You can close this ticket once you agree with edits.