[tor-commits] [torspec/master] Deprecate COOKIE authentication
commit c402bdfeb08a3aa14d29f340f2fe7b594d27d4c1
Author: Robert Ransom <rransom.8774@xxxxxxxxx>
Date: Mon Feb 20 08:47:50 2012 -0800
Deprecate COOKIE authentication
---
control-spec.txt | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/control-spec.txt b/control-spec.txt
index ed5d2fe..b9ee997 100644
--- a/control-spec.txt
+++ b/control-spec.txt
@@ -983,6 +983,16 @@
If the METHODS field contains the method "SAFECOOKIE", every
AuthCookieFile must contain the same authentication cookie.
+ The COOKIE authentication method exposes the user running a
+ controller to an unintended information disclosure attack whenever
+ the controller has greater filesystem read access than the process
+ that it has connected to. (Note that a controller may connect to a
+ process other than Tor.) It is almost never safe to use, even if
+ the controller's user has explicitly specified which filename to
+ read an authentication cookie from. For this reason, the COOKIE
+ authentication method has been deprecated and will be removed from
+ Tor before version 0.2.4.1-alpha.
+
The VERSION line contains the Tor version.
[Unlike other commands besides AUTHENTICATE, PROTOCOLINFO may be used (but
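Review bot: The new paragraph deprecates COOKIE but never tells a controller implementer what to do instead; the only pointer is the unchanged SAFECOOKIE sentence just above it. I would add a normative sentence after "has been deprecated", for example that controllers should use SAFECOOKIE whenever the METHODS field lists it, and state what a controller should do when only COOKIE is offered. The phrase "almost never safe to use" also leaves the safe case undefined; given the condition stated in the first sentence, it would help to spell out that the exception is when the controller has no more filesystem read access than the process it connects to, or to drop the qualifier. Finally, "will be removed from Tor before version 0.2.4.1-alpha" ties the spec to a release plan, so this text will need a follow-up edit once the removal lands or the schedule changes.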
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits