[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Question about the vulnerability



On 8/11/07, force44@xxxxxxxxxxxxx <force44@xxxxxxxxxxxxx> wrote:
> ...
> I  am already using the last releases for both Tor (0.2.0.4-alpha) and
> Vidalia (0.0.13).

great; you're now protected against this type of attack. (but may have
some risk for other types...)


> So WHY am I still getting this warning in the Vidalia log? :(
>
> ("Aug   10   11:41:05.468   [Warning]  ControlPort  is  open,  but  no
> authentication method has been configured. This means that any program
> on  your  computer  can  reconfigure  your Tor. That's bad! You should
> upgrade your Tor controller as soon as possible.")

ideally you would have some kind of authentication associated with the
control port.  note that the way Tor behaves even without
authentication configured will protect you if you are using a recent
version like 0.2.0.4-alpha.

if you want to configure authentication you can do so, however, this
may break vidalia (?).  either the HashedControlPassword or
CookieAuthentication method can be used.

if you use "CookieAuthentication 1" in the config, a
control_auth_cookie file will be created in your DataDirectory.  the
contents of this file is needed for authentication.

you can create a hashed control password via "tor --hash-password
password" and set the resulting digest in the HashedControlPassword
setting.

best regards,