Hi All, The Recent talk about an exit nodes ability to inject/modify traffic got me thinking that this might actually pose a security risk not just for users but possibly for the tor network in general. My thinking went along the lines that it would be fairly trivial for someone experienced in Java or other scripting languages to inject a script that would internally scan the receiving computer for an open Tor control port (read open and non-authenticated) once that was found the script could easily and completely hose up the security of that node by messing with the routing/exitnodes/ControlListenAddress/etc. Bad enough if it is a client tor installation, Tragic is it is an entry/middle/exit node as well. I think the simple solution would be to require authentication if the Tor control port is open. Now just to make a few things clear. I do understand that allowing any scripting when using Tor is hideously bad, but judging from all the clear text passwords going through others may not. I most certainly am not a Java/Java Script wizard and so could be way off on the triviality of such a program. My intent in posting this was not to criticize but to stimulate intelligent conversation on what I perceive as a possible risk to the Tor network. ------ Freemor <freemor@xxxxxxxx> Freemor <freemor@xxxxxxxxxx> This e-mail has been digitally signed with GnuPG
Attachment:
signature.asc
Description: This is a digitally signed message part