[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [torspec/master] Deprecate COOKIE authentication



commit c402bdfeb08a3aa14d29f340f2fe7b594d27d4c1
Author: Robert Ransom <rransom.8774@xxxxxxxxx>
Date:   Mon Feb 20 08:47:50 2012 -0800

    Deprecate COOKIE authentication
---
 control-spec.txt |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/control-spec.txt b/control-spec.txt
index ed5d2fe..b9ee997 100644
--- a/control-spec.txt
+++ b/control-spec.txt
@@ -983,6 +983,16 @@
   If the METHODS field contains the method "SAFECOOKIE", every
   AuthCookieFile must contain the same authentication cookie.
 
+  The COOKIE authentication method exposes the user running a
+  controller to an unintended information disclosure attack whenever
+  the controller has greater filesystem read access than the process
+  that it has connected to.  (Note that a controller may connect to a
+  process other than Tor.)  It is almost never safe to use, even if
+  the controller's user has explicitly specified which filename to
+  read an authentication cookie from.  For this reason, the COOKIE
+  authentication method has been deprecated and will be removed from
+  Tor before version 0.2.4.1-alpha.
+
   The VERSION line contains the Tor version.
 
   [Unlike other commands besides AUTHENTICATE, PROTOCOLINFO may be used (but



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits