[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #20468 [Applications/Tor Browser]: TorBrowser using a secert HASHEDPASSWORD

Subject: [tor-bugs] #20468 [Applications/Tor Browser]: TorBrowser using a secert HASHEDPASSWORD
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 26 Oct 2016 00:07:05 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 25 Oct 2016 20:07:20 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#20468: TorBrowser using a secert HASHEDPASSWORD
------------------------------------------+----------------------
     Reporter:  cypherpunks               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 For security reasons, I was trying force the TorBrowser to work with it's
 own tor instance (and SocksPort) but without allowing it to have access to
 the ControlPort.

 I don't care for the TorButton New Identity or circuit path display
 features.

 I tried setting CookieAuthentication to 0 in torrc-defaults. But was
 surprised to find that the TorBrowser still managed to authenticate with
 the control port and the TorButton was able to display the circuit path.

 With the help of the folks on irc, we were able to determine that the
 TorLauncher uses it's own secret hashed password if it's unable to find a
 cookie or env password.

 Protocolinfo says: 250-AUTH METHODS=HASHEDPASSWORD

 I think the TorBrowser and TorLauncher should respect the users wishes and
 not set a secret password for itself. Instead just work without the
 ControlPort.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20468>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #20468 [Applications/Tor Launcher]: TorBrowser using a secert HASHEDPASSWORD
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #20468 [Applications/Tor Launcher]: TorBrowser using a secert HASHEDPASSWORD
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #20468 [Applications/Tor Launcher]: TorBrowser using a secert HASHEDPASSWORD
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #20468 [Applications/Tor Browser]: TorBrowser using a secert HASHEDPASSWORD
  - From: Tor Bug Tracker & Wiki

Prev by Author: [tor-bugs] #20510 [Metrics/Metrics website]: Use metrics-lib's getHidserv* methods in Metrics' hidserv module
Next by Author: [tor-bugs] #20462 [Core Tor/Tor]: Make test failures/bugs on Raspberry Pi 3
Previous by thread: [tor-bugs] #20467 [Metrics/Torflow]: bwauth aggregator divides by zero if a node class is missing
Next by thread: Re: [tor-bugs] #20468 [Applications/Tor Browser]: TorBrowser using a secert HASHEDPASSWORD
Index(es):
- Author
- Thread