
Re: [tor-bugs] #6396 [Tor Bridge]: Reachability tests for obfuscated bridges



#6396: Reachability tests for obfuscated bridges
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:                  
     Type:  task        |         Status:  new             
 Priority:  normal      |      Milestone:  Tor: unspecified
Component:  Tor Bridge  |        Version:                  
 Keywords:  pt          |         Parent:                  
   Points:              |   Actualpoints:                  
------------------------+---------------------------------------------------

Comment(by isis):

 Replying to [comment:4 rransom]:
 > Does “OONI” (I'm not sure what exactly that refers to) have a stated
 > policy specifying which inputs to ooniprobe.py are allowed to be attacker-
 > controlled, and which inputs must be received from a trusted source?

 OONI refers to ooniprobe, and all the other included code. We do not yet
 have such a policy, though we should. It is my understanding that
 ooniprobe.py should be able to be run by an unprivileged user, and
 including something which allows arbitrary code execution obviously allows
 a separate local privilege escalation exploit to be run, and then you know
 the rest.

 I could do a check that the SHA1 of the PT binary file is correct for that
 architecture, but that seems extremely bulky and kludgy, and it wouldn't
 scale well as new PTs are developed. I'm leaning towards just commenting
 the PT test option out, with an explanation, so that people who want to
 use it can just go in and uncomment it.

 Do you have any ideas or suggestions?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6396#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
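
The digest check floated in the comment above, sketched as an added example (not ooniprobe code and not part of the original message). It uses SHA-256 in place of the SHA1 mentioned there; the function names, the `pins` mapping keyed by transport and architecture, and the transport name `example-pt` are hypothetical.

```python
import hashlib
import hmac
import os
import platform
import stat
import tempfile

def sha256_fd(fd, chunk=65536):
    # Hash the already-open descriptor so the bytes checked are the bytes held open.
    h = hashlib.sha256()
    while True:
        block = os.read(fd, chunk)
        if not block:
            return h.hexdigest()
        h.update(block)

def verify_pt_binary(path, transport, pins, arch=None):
    """Return (ok, reason). `pins` is a hypothetical mapping of
    (transport, machine arch) -> SHA-256 hex digest shipped from a trusted source.
    Fails closed when no pin exists for this architecture."""
    arch = arch or platform.machine()
    expected = pins.get((transport, arch))
    if expected is None:
        return False, "no pinned digest for %s on %s" % (transport, arch)
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return False, "not a regular file"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, "binary is group- or world-writable"
        if not hmac.compare_digest(sha256_fd(fd), expected):
            return False, "digest mismatch"
        return True, "ok"
    finally:
        os.close(fd)

def demo():
    """Constructed sample: a temp file stands in for the PT binary."""
    data = b"constructed stand-in for a PT binary\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    pins = {("example-pt", "x86_64"): hashlib.sha256(data).hexdigest()}
    out = [verify_pt_binary(f.name, "example-pt", pins, a) for a in ("x86_64", "armv7l")]
    with open(f.name, "ab") as g:
        g.write(b"tampered")  # simulate a modified binary
    out.append(verify_pt_binary(f.name, "example-pt", pins, "x86_64"))
    os.unlink(f.name)
    return out
```

The check is only as good as the source of the pin list, and it does not stop the file being replaced between verification and launch unless the verified descriptor itself is what gets executed.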