[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #7098 [Tor]: Add safe-cookie authentication to Extended ORPort and TransportControlPort
#7098: Add safe-cookie authentication to Extended ORPort and TransportControlPort
------------------------+---------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Keywords: tor-bridge | Parent: #4773
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by rransom):
Replying to [comment:2 rransom]:
> If you can use e.g. a 64-byte file with a 32-byte constant header for
your protocols, you can use something a little simpler and nicer (perhaps
using the 32-byte secret from the file as the HMAC key, and putting the
protocol-identifying and âclient-to-serverâ-versus-âserver-to-clientâ
static string(s) in the HMAC message).
On actual thought, if you put a header in your cookie file, you can just
use it as a plain client-to-server password. You wouldn't have to worry
about breaking other systems that happen to use 32-byte secret keys, and
the âsafe cookieâ protocol doesn't defend against MITMs anyway.
Someone should figure out and specify what security properties these
protocols actually need.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7098#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs