[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #7098 [Tor]: Add safe-cookie authentication to Extended ORPort and TransportControlPort
#7098: Add safe-cookie authentication to Extended ORPort and TransportControlPort
------------------------+---------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Keywords: tor-bridge | Parent: #4773
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by asn):
Replying to [comment:7 nickm]:
> Replying to [comment:6 asn]:
> [...]
> > Sounds like Protocol B will be harder to design, prove and implement.
Does our threat model include the attacks that it protects against? If
not, we should probably do Protocol A.
>
> There are a couple of pieces of the protocols left off here. To wit:
how does the proxy learn where to look for the secret file? I'd lean
towards "Specify the location of the file in its environment when it's
launched."
>
Sounds reasonable.
How do you think this should be done in the protocol?
Should we increase the managed-proxy protocol version and add a new
mandatory env var (`TOR_PT_AUTH_COOKIE`), or should we add an optional env
var on the current protocol version, or should we add the path to the
already existing `TOR_PT_EXTENDED_SERVER_PORT` env. var?
I'm leaning towards adding an optional new env var. What do you think?
> In the managed proxy case, since you're getting both the cookie file
location and the extended ORPort from Tor when it launches the proxy,
there's not too much risk of connecting to something that isn't really a
Tor process, and not much risk of reading something that isn't really a
cookie file. If you add a header to the file (which seems like an
obviously correct choice), there's zero risk of reading a non-cookie file.
So we probably _could_ get away with just a password system for that case.
>
> In the external proxy case, are we worried about somebody setting up the
external proxy to point at the wrong extended ORPort for Tor, or at the
wrong cookie file, or what?
>
Yes, something like that. I don't really think these are realistic
adversarial attacks.
> That said, I am fine with doing an HMAC-based challenge/response thing
here, on the theory that the assumptions above might turn out to be less
robust than we thought.
>
I think I'm going to go with the HMAC-based challenge/response protocol
too. I will also make the protocol flexible enough to support other
authentication types.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7098#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs