
document identity correlation attacks and defenses / Removing Apache Recommendation
Closed, Resolved (Public)

Description

Summary:

Apache includes everything and the kitchen sink. Some of its features are bad for privacy and leak info about a server's configuration:

https://mascherari.press/why-onionscan-should-worry-you/
https://mascherari.press/thwarting-identity-correlation-attacks/

Alternatives to Apache we can possibly recommend instead: Nginx, reverse proxies in general, anything very simple that's enough for most people.

Related Documentation:

https://www.whonix.org/wiki/Hidden_Services#Hidden_Webserver

ALPaCA defense
https://forums.whonix.org/t/website-fingerprinting-defenses-at-the-application-layer
?

Details

Impact
Normal

Event Timeline

HulaHoop created this task. Jul 15 2016, 6:11 PM
Patrick renamed this task from Removing Apache Recommendation to document identity correlation attacks and defenses / Removing Apache Recommendation. Jul 16 2016, 3:05 PM
Patrick added a project: Whonix 14.
Patrick updated the task description. Mar 14 2017, 9:21 PM

Great! Anything else to do here?

HulaHoop closed this task as Resolved. Apr 18 2017, 4:12 PM
HulaHoop claimed this task.

No :)

Patrick reopened this task as Open. Dec 22 2018, 12:01 PM

We still have the warning on https://www.whonix.org/wiki/Onion_Services.

You are better off not using Apache! We do not have a suggestion for a privacy friendly web server yet. That is still TODO. See ticket, document identity correlation attacks and defenses / Removing Apache Recommendation. Help welcome!

From this size comparison on the Debian wiki, I think the best and most secure option is the smallest and most minimal one: micro-httpd

https://wiki.debian.org/WebServers

https://packages.debian.org/stretch/micro-httpd

Once this is added on there, can I remove the banner, or at least change the warning content and move it to the beginning of the section?

Sounds good!

Done. You can close this ticket once you agree with the edits.

Patrick closed this task as Resolved. Jan 16 2019, 1:19 PM