Well, you actually may very well download parts of it to your hard drive depending on your exact browser configuration, but you certainly download it and have it in memory. It can still be used to exploit you, but it requires a lot more skill on the part of the attacker to pwn you through a website than it does to pwn you by getting you to run their malicious program, especially if it is not severely restricted in what it is allowed to do on your system (as javascript is). In short, going to a pwnt website is probably a lot safer than running malicious.exe (or even .py) (even though it doesn't necessarily have to be, but I think for the sake of pragmatism we can assume that most people here are not using air gaps or properly implemented process isolation).

It definitely does touch your machine and can be used to exploit vulnerabilities in your system (likely but not necessarily the browser) to take over your system.

Well, strictly speaking the php code doesn't, but what it produces does. Even HTML can be used to pwn people, if there is a remote code execution vulnerability in the browser's HTML engine (as has happened before; in fact even images have had exploits embedded in them for pwning the image viewing software that views them... even GPG signatures have had exploits contained in them). Unfortunately I do not know the finer details of how such advanced hacking is carried out, but it is possible. These attacks are extremely rare and vulnerabilities like this are few and far between, although it was not that long ago that I remember reading about an HTML-based exploit against Firefox.

And they would probably find some. SR should have his code professionally audited too; he is clearly not a security expert. He does know what Linux is and what Tor and GPG and bitcoins are though, so he has probably done a less than horrible job at configuring SR, although I wonder how much php experience he has and how much experience he has hardening servers.
Someone with no experience hardening servers is extremely likely to make a much easier target than someone who has extensive knowledge of hardening servers, although the OS used will add some level of 'built in' security. Ubuntu is definitely not the best choice he could have gone with; for someone with his apparent level of server hardening I would certainly have suggested that he went with OpenBSD, as it is hardened by default and contains preconfigured security solutions, with less focus on requiring the person running the server to know how to do a lot of different specialized configurations to lock things down. I also am not sure, but I wonder if Apache is compiled by default as a position independent executable on Ubuntu... or if he would know how to manually specify it at compile time if it is not, or if he knows what a position independent executable is and how compiling Apache as one would benefit security, or the hardware requirements to take full advantage of it, etc.
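Not part of the post above, but since the PIE question is easy to answer on a box you have a shell on: the following is an added POSIX sh example (my own, not the poster's and not anything from SR) that reads the e_type field straight out of an ELF header with od, so it works even on a minimal server without readelf or file installed. The Apache path /usr/sbin/apache2 in the usage comment is an assumption about a stock Ubuntu install; substitute whatever binary you want to inspect.

```shell
#!/bin/sh
# Added example (not from the post): tell whether an ELF binary on disk was
# linked as a position-independent executable by reading e_type directly
# from the ELF header, with no dependency on readelf or file.
#
# ELF header fields used (byte offsets from the ELF spec):
#   0..3    magic 0x7f 'E' 'L' 'F'
#   5       EI_DATA: 01 = little-endian, 02 = big-endian
#   16..17  e_type: 0002 = ET_EXEC (fixed load address, not PIE)
#                   0003 = ET_DYN  (PIE executable, or a shared object)

# hexat FILE OFFSET COUNT: print COUNT bytes at OFFSET as lowercase hex, no separators.
hexat() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# elf_type FILE: print EXEC, DYN, OTHER, or NOT-ELF (exit 1 for NOT-ELF).
elf_type() {
    f="$1"
    [ -r "$f" ] || { echo NOT-ELF; return 1; }
    [ "$(hexat "$f" 0 4)" = "7f454c46" ] || { echo NOT-ELF; return 1; }
    b0=$(hexat "$f" 16 1)
    b1=$(hexat "$f" 17 1)
    if [ "$(hexat "$f" 5 1)" = "02" ]; then
        t="$b0$b1"          # big-endian: bytes already in numeric order
    else
        t="$b1$b0"          # little-endian: swap to get the numeric value
    fi
    case "$t" in
        0002) echo EXEC ;;
        0003) echo DYN ;;
        *)    echo OTHER ;;
    esac
}

# is_pie FILE: exit 0 only if FILE is ET_DYN (i.e. can be loaded at a random base).
is_pie() {
    [ "$(elf_type "$1")" = DYN ]
}

# Usage (assumed Ubuntu path; adjust for your build):
#   if is_pie /usr/sbin/apache2; then echo "apache2: PIE"; else echo "apache2: not PIE"; fi
```

Two caveats when reading the result. ET_DYN is also what a shared library reports, so DYN only means "PIE" for a file you already know is an executable (readelf -l will show a PT_INTERP entry for a real executable, which a plain .so lacks). And a PIE binary only gets a randomized base if the kernel's ASLR is actually on; on Linux that is /proc/sys/kernel/randomize_va_space, which should read 2.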