
Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?



> Yes, that is necessary.  I question, however, whether it is sufficient.

Sufficient for what purpose?

It *is* sufficient for the purpose of preventing Subgraph sandboxed
applications from escaping its sandbox via the Tor control
port. Actually, one of the Subgraph guys figured this out and that's
why they wanted a Tor control port filter.

I can see how our intentions for this tool (roflcoptor) could have
been misleading since we never explicitly/publicly stated the above as
the motivation for tor control port filtration.

I think now that the other "Tor integrated Linux distributions" have more
or less caught up with Subgraph, I feel comfortable telling people how
easy it is to get tor to run arbitrary programs via the control port.

Looks like as per usual Yawning Angel did the exact correct thing and
made the Tor hardened browser bundle filter the control port to
disallow SETCONF.  Further, he mentioned to me on IRC that the tor
proc is also sandboxed, so yeah, that sounds thorough and proper.


cheers from Montreal!

David Stainton
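As an added illustration of the kind of filter the message describes (this is example code written for this page, not roflcoptor's or Tor Browser's own filter): a minimal allowlist check over control-port command lines, as a proxy sitting between a sandboxed application and tor would apply it. The command keywords, the `+CMD` multi-line form and the 510 reply class come from the Tor control protocol; the allowlist contents and the exact reply text are assumptions chosen for the example.

```python
# Added example: allowlist filter for Tor control-port command lines.
# Anything not explicitly allowed is refused, which covers SETCONF,
# RESETCONF, LOADCONF and SAVECONF without having to enumerate them.
from typing import Optional, Tuple

# Assumed allowlist: what a sandboxed client plausibly needs, nothing more.
ALLOWED_COMMANDS = {"PROTOCOLINFO", "AUTHENTICATE", "GETINFO", "GETCONF", "SIGNAL", "QUIT"}
ALLOWED_SIGNALS = {"NEWNYM"}                              # refuses e.g. HALT/SHUTDOWN
ALLOWED_GETINFO = {"version", "status/bootstrap-phase"}   # assumed safe keys

# Constructed reply text; tor itself uses the 510 class for unrecognized commands.
REFUSED = b"510 Command filtered\r\n"


class ControlFilter:
    """Per client line: forward it to tor, or answer it locally and drop it."""

    def __init__(self) -> None:
        self.swallowing = False   # inside the data block of a refused '+CMD'

    def check(self, raw: bytes) -> Tuple[bool, Optional[bytes]]:
        """Return (forward_to_tor, reply_to_client)."""
        line = raw.rstrip(b"\r\n").decode("ascii", "replace")
        if self.swallowing:                 # drop data lines until the lone '.'
            if line == ".":
                self.swallowing = False
                return False, REFUSED
            return False, None
        if not line:
            return False, None
        cmd, _, rest = line.partition(" ")
        if cmd.startswith("+"):             # multi-line command (e.g. +LOADCONF): never allowed
            self.swallowing = True
            return False, None
        cmd = cmd.upper()                   # keywords are case-insensitive
        if cmd not in ALLOWED_COMMANDS:
            return False, REFUSED
        args = rest.split()
        if cmd == "SIGNAL" and not (len(args) == 1 and args[0].upper() in ALLOWED_SIGNALS):
            return False, REFUSED
        if cmd == "GETINFO" and not (args and all(a in ALLOWED_GETINFO for a in args)):
            return False, REFUSED
        return True, None
```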

