Re: [or-cvs] [PATCH] Create a sample bridge configuration torrc.
On Thu, 10 Jun 2010 12:04:22 -0400
Roger Dingledine <arma@xxxxxxx> wrote:
> 1) It looks like we're setting ControlPort without setting any other
> control port authentication lines? That is a bad move security-wise:
> any java or flash applet that runs on the same computer and can play a
> cross-domain trick lets you reconfigure our Tor.
As you've seen, this is fixed. The control port is now commented out
altogether. I missed a # somehow.
> 2) Vidalia has a nice trick where your ORPort defaults to 443 on
> Windows but 9001 on Unix. That way we have more of our bridges on
> 443, but we don't force you to deal with binding a low-numbered port
> on operating systems that care.
>
> Speaking of which: if this bridge torrc is designed to be used with
> bundles that include Vidalia, what happens when Vidalia saves a config
> change? Does it clobber the torrc changes, and you silently stop being
> a bridge? Or does Vidalia read in the torrc lines and synchronize its
> internal config to what Tor says it wants to be?
Actually, separate the two topics. This is a torrc for those that only
want to run Tor without anything else. If you have Vidalia, use
Vidalia to configure your bridge.
> 3) Bridges don't need to set DirPort, and they probably shouldn't if
> they want to remain more subtle. No real harm; but another benefit to
> leaving DirPort unset is that people wrestling with their port
> forwarding won't have to wrestle quite as much.
If you are already reconfiguring your router/NAT device for one port
forwarding, doing so for another port isn't any more difficult.
However, not running DirPort is fine with me too.
--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
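
Added example, not part of the original message or of the Tor Project's code: a small torrc audit for the two configuration points raised in this thread (a ControlPort enabled with no authentication option, and a DirPort set on a bridge). The sample torrc texts and the function names are constructed for illustration; the option names are standard torrc options.

```python
# Added example: audit a torrc for the issues discussed in this thread.
# WEAK and FIXED are constructed sample configs, not the patch under review.

def parse_torrc(text):
    """Return {option_lowercase: [values]}, skipping comments and blank lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a commented-out option is inactive
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def port_enabled(values):
    """A port option is active unless its value is 0 (Tor's 'disabled')."""
    return any(v and v.split()[0] != "0" for v in values)

def audit(text):
    """Return a list of findings for a torrc given as a string."""
    opts = parse_torrc(text)
    findings = []
    if port_enabled(opts.get("controlport", [])):
        cookie = "1" in opts.get("cookieauthentication", [])
        hashed = any(opts.get("hashedcontrolpassword", []))
        if not (cookie or hashed):
            findings.append("ControlPort enabled without CookieAuthentication "
                            "or HashedControlPassword")
    if "1" in opts.get("bridgerelay", []) and port_enabled(opts.get("dirport", [])):
        findings.append("DirPort set on a bridge")
    return findings

WEAK = """\
BridgeRelay 1
ORPort 443
DirPort 9030
ControlPort 9051
"""

FIXED = """\
BridgeRelay 1
ORPort 443
#ControlPort 9051
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit(cfg) or "no findings")
```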