Re: [tor-bugs] #4773 [Tor Bridge]: Implement Extended OR port (part of proposal 180)
#4773: Implement Extended OR port (part of proposal 180)
------------------------+---------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.4.x-final
Component: Tor Bridge | Version:
Keywords: | Parent: #4685
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by asn):
Let's talk a bit about our security threat model.
The current (180) Extended ORPort design allows a local "attacker" to
connect to the Extended ORPort, spoof an arbitrary external address (using
USERADDR), and send Tor data. Furthermore, if we do the "the Extended
ORPort provides an identifier to be used in another port for
metadata/configuration transfer between tor and the proxy" idea, a local
"attacker" will be able to connect to the Extended ORPort, get an
identifier, connect to the other port, and configure the transport proxy
(for example, tweak its rate-limiting setup).
Would it be worth it to add some sort of authentication, so that only
pluggable transport proxies can use the Extended ORPort? A silly way of
doing it would be to add a key in a TOR_PT_* environment variable, but I'm
not sure if that would be secure in a cross-platform fashion [0].
That would also kill external proxies from using the Extended ORPort.
Would a file that can only be read by the Tor user, containing a cookie,
be better?
Are these "attacks" within our threat model?
[0]:
a related not-so-enlightening blog post
https://patternbuffer.wordpress.com/2008/05/05/unix-environment-variable-scopesecurity/
We also assume that if the local attacker has root, the game is lost.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4773#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
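
The cookie-file option raised in the comment above, as an added example (not code from the ticket or from Tor): the cookie sits in an owner-only file, and the connecting proxy proves knowledge of it with an HMAC over fresh nonces, so the cookie itself never crosses the local socket. The file name, label string, nonce sizes and all function names are assumptions, and the ownership and mode checks are POSIX-only.

```python
import hashlib, hmac, os, secrets, stat, tempfile

COOKIE_LEN = 32
LABEL = b"example ext-orport client proof"  # hypothetical domain-separation label

def write_cookie(path):
    """Server side: create the cookie file owner-only; fail if it already exists."""
    cookie = secrets.token_bytes(COOKIE_LEN)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(cookie)
    return cookie

def load_cookie(path):
    """Proxy side: read the cookie, refusing files other local users could read."""
    with open(path, "rb") as f:
        st = os.fstat(f.fileno())  # check the opened file, not the path
        if st.st_uid != os.getuid():
            raise PermissionError("cookie file not owned by this user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("cookie file accessible to group/other")
        cookie = f.read()
    if len(cookie) != COOKIE_LEN:
        raise ValueError("unexpected cookie length")
    return cookie

def client_proof(cookie, server_nonce, client_nonce):
    # Both nonces are fresh per connection, so a captured proof cannot be replayed.
    msg = LABEL + server_nonce + client_nonce
    return hmac.new(cookie, msg, hashlib.sha256).digest()

def server_accepts(cookie, server_nonce, client_nonce, proof):
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(client_proof(cookie, server_nonce, client_nonce), proof)

def demo():
    """Returns (real proxy accepted, guessing client accepted, loose file rejected)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth_cookie")  # constructed sample location
        server_cookie = write_cookie(path)
        sn, cn = secrets.token_bytes(32), secrets.token_bytes(32)
        good = server_accepts(server_cookie, sn, cn, client_proof(load_cookie(path), sn, cn))
        bad = server_accepts(server_cookie, sn, cn, client_proof(bytes(COOKIE_LEN), sn, cn))
        os.chmod(path, 0o644)  # simulate a misconfigured, world-readable cookie
        try:
            load_cookie(path)
        except PermissionError:
            return good, bad, True
        return good, bad, False
```

This only separates local users from each other; a process running as the same user, or as root, can still read the file, which matches the assumption stated in the comment.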