1

Does Tor by default redirect requests to a hidden service from http://sha256domain.onion/private_key to 403 Forbidden?

Why is the private key stored in the publicly accessible directory, but /var/lib/tor?

1
  • Could somebody who understands this question please rewrite it? By default in Linux, the hidden service directory is in /usr/var/lib/tor. I don't understand why anyone would ever put their private key in /var/www or whatever, and depend on webserver rules to deny access. Is the question perhaps: "Why is the public key stored in HiddenServiceDirectory (aka DataDirectory/[hidden-service-name] aka /usr/var/lib/tor/[hidden-service-name] in Linux) rather than a publicly-accessible directory? Why not put it in /var/www and just configure the webserver to deny access?" Commented Oct 20, 2013 at 7:18

2 Answers

4

The key is not in a publicly accessible directory by default. Assume the hidden service is in the directory hidden_service. This has the following permissions:

> stat /var/lib/tor/hidden_service
> File: `/var/lib/tor/hidden_service'
> …
> Access: (2700/drwx--S---) Uid: ( 117/debian-tor) Gid: ( 128/debian-tor)

So the directory is only accessible by the user debian-tor.

When talking about a hidden website you need to configure a webserver. Usually the webserver should not access the hidden service directory. Instead it should have its own root directory with all needed files.

So in neither case is the private key publicly accessible.
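The two conditions described in the answer above (a hidden service directory closed to group and other, and a web root that does not overlap it) can be checked mechanically. The following is an added example, not code from the answers or from Tor; the function names `audit_hidden_service_dir` and `build_sample` are hypothetical, and the sample layout is constructed in a temporary directory rather than read from /var/lib/tor.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_hidden_service_dir(hs_dir, web_root, expected_uid=None):
    """Return a list of findings; an empty list means the layout matches the answer."""
    hs, web = Path(hs_dir).resolve(), Path(web_root).resolve()
    findings = []

    # 1. The web server's document root must not overlap the key directory.
    if web == hs or hs in web.parents:
        findings.append(f"web root {web} is inside hidden service dir {hs}")
    elif web in hs.parents:
        findings.append(f"hidden service dir {hs} is inside web root {web}")

    # 2. Directory and its entries: no group/other bits (setgid, as in 2700, is ignored).
    for path in [hs, *sorted(hs.iterdir())]:
        st = path.stat()
        if stat.S_IMODE(st.st_mode) & 0o077:
            findings.append(f"{path} is accessible to group/other: {stat.filemode(st.st_mode)}")
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{path} is owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def build_sample(base, dir_mode=0o700, key_mode=0o600):
    """Constructed sample layout standing in for /var/lib/tor/hidden_service."""
    hs = Path(base) / "tor" / "hidden_service"
    hs.mkdir(parents=True)
    key = hs / "private_key"
    key.write_text("constructed placeholder, not a real key\n")
    key.chmod(key_mode)
    hs.chmod(dir_mode)
    web = Path(base) / "www"
    web.mkdir()
    return hs, web


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Deliberately loose modes so the audit has something to report.
        hs, web = build_sample(tmp, dir_mode=0o755, key_mode=0o644)
        for finding in audit_hidden_service_dir(hs, web):
            print("FINDING:", finding)
```

Against a real service the audit has to run as root or as the Tor user, since nobody else can list the directory; pass that user's uid (117 for debian-tor in the stat output above) as `expected_uid` to check ownership as well.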

2

As Jens Kubieziel notes in his answer, /var/lib/tor/hidden_service "is only accessible by the user debian-tor."

For greater security, one can use full-disk encryption using dm-crypt with LUKS, and enable unattended reboot using a Mandos server. One can also keep /var/lib/tor in a TrueCrypt volume, and decrypt after boot. It might also be possible to secure /var/lib/tor from rights escalation attacks through advanced Linux foo.
