[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails

Subject: Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Fri, 09 May 2014 15:51:43 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 09 May 2014 11:52:02 -0400
In-reply-to: <047.a690d9d711ccf914bff19a3bdcc2491b@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <047.a690d9d711ccf914bff19a3bdcc2491b@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#5463: BridgeDB must GPG-sign outgoing mails
-----------------------------+----------------------------
     Reporter:  rransom      |      Owner:  isis
         Type:  enhancement  |     Status:  needs_review
     Priority:  normal       |  Milestone:
    Component:  BridgeDB     |    Version:
   Resolution:               |   Keywords:  bridgegb-email
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+----------------------------

Comment (by rransom):

 Replying to [comment:14 isis]:

 > There still is not a mechanism to include the client's email address in
 the signed portion of the message. I'm not exactly sure what adversarial
 behaviours that was intended to protect against.

 Signing the intended recipient's e-mail address prevents the attacker from
 querying BridgeDB until it receives a signed message containing a
 malicious bridge, and then re-sending that message to one or more targeted
 users.  (If you don't sign the destination e-mail address, there's not
 much point in signing BridgeDB's e-mails at all.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5463#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #11776 [Tor bundles/installation]: Could not connect to tor control port
Next by Author: Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
Previous by thread: Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
Next by thread: Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
Index(es):
- Author
- Thread