[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #1859 [Tor Client]: Using 'mytorexitnode.exit' request when mytorexitnode is both exit and client



#1859: Using 'mytorexitnode.exit' request when mytorexitnode is both exit and
client
------------------------+---------------------------------------------------
 Reporter:  mwenge      |       Owner:  mwenge             
     Type:  defect      |      Status:  assigned           
 Priority:  minor       |   Milestone:  Tor: 0.2.2.x-final 
Component:  Tor Client  |     Version:  Tor: 0.2.2.12-alpha
 Keywords:              |      Parent:                     
------------------------+---------------------------------------------------

Comment(by mwenge):

 (Summary of all of the above)

 There are two problems in this bug:

 1. When an OP makes a .exit request specifying itself as the exit, and the
 exit is not yet listed, Tor gets all the routerinfos needed for the
 circuit but discovers in circuit_is_acceptable() that its own routerinfo
 is not in the routerdigest list and cannot be used. Tor then gets locked
 in a cycle of repeating these two steps. When gathering the routerinfos
 for a circuit, specifically when the exit has been chosen by .exit
 notation, Tor needs to apply the same rules it uses later on when deciding
 if it can build a circuit with those routerinfos.

 2. A different bug arises in the above situation when the Tor instance's
 routerinfo *is* listed in the  routerlist, it shares its nickname with a
 number of other Tor nodes, and it does not have 'Named' rights to its
 nickname.
    So for example, if (i) there are five nodes named Bob in the network,
 (ii) I am running one of them but am flagged as 'Unnamed' because someone
 else claimed the 'Bob' nickname first, and (iii) I run my Tor as both
 client and exit the following can happen to me:
      - I go to www.evil.com
      - I click on a link www.evil.com.bob.exit
      - My request will exit through my own Tor node rather than the
 'Named' node Bob or any of the others.
      - www.evil.com now knows I am actually browsing from the same
 computer that is running my 'Bob' node

 As yetonetime points out all this nastiness happens because of:

 {{{
 if (server_mode(get_options()) &&
       !strcasecmp(nickname, get_options()->Nickname))
     return router_get_my_routerinfo();
 }}}

 in router_get_by_nickname().

 So to solve both issues we need to ensure:

 - When fulfilling a .exit request we only choose a routerinfo if it exists
 in the routerlist, even when that routerinfo is ours.
 - When getting a router by nickname we only return our own router
 information if it is not going to be used for building a circuit.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1859#comment:29>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs