[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #3064 [Vidalia]: Vidalia stores ControlPassword as plaintext

To: undisclosed-recipients:;
Subject: Re: [tor-bugs] #3064 [Vidalia]: Vidalia stores ControlPassword as plaintext
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Mon, 02 May 2011 01:19:19 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 01 May 2011 21:19:30 -0400
In-reply-to: <049.32d3ec12cbf8f32f71d3b53de8f171e5@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: Tor bugs reporting list for trac <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <049.32d3ec12cbf8f32f71d3b53de8f171e5@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#3064: Vidalia stores ControlPassword as plaintext
--------------------------+-------------------------------------------------
    Reporter:  tornewbie  |       Owner:  chiiph  
        Type:  defect     |      Status:  reopened
    Priority:  normal     |   Milestone:          
   Component:  Vidalia    |     Version:          
  Resolution:             |    Keywords:          
      Parent:             |      Points:          
Actualpoints:             |  
--------------------------+-------------------------------------------------

Comment(by atagar):

 Shouldn't we be expecting the user to remember the password if they
 manually set it? Saving the password this way means that password auth ==
 cookie auth which makes it pointless.

 Cookie auth relies on file readability while a manual password should
 (imho) prompt the user and never store the password on disk unhashed.

 On a side note, using a random password makes the control port unusable to
 other controllers. This isn't often an issue, but it does make random
 passwords a no-go in some use cases. For instance, when I use TBB I also
 attach arm so I edit the MaxCircuitDirtiness attribute and keep a closer
 eye on my circuits.

 Cheers! -Damian

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3064#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #3064 [Vidalia]: Vidalia stores ControlPassword as plaintext
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #3066 [Torbutton]: Document Torbutton release process
Next by Author: [tor-bugs] #3067 [- Select a component]: Income Protection Insurance
Previous by thread: Re: [tor-bugs] #3064 [Vidalia]: Vidalia stores ControlPassword as plaintext
Next by thread: Re: [tor-bugs] #2581 [Vidalia]: Add easiers ways to copy bridge information
Index(es):
- Author
- Thread