Re: tor controlport wants authentication even if authentication is switched off
On Wed, Jan 07, 2009 at 07:03:03PM +0100, Sebastian Schmidt wrote:
> Why does TC tell me authentication is required even if it's switched
> off? Or is this the default reply if a not supported command was
> given to it?
Even if authentication is turned off, the first command on the control
connection needs to be "AUTHENTICATE" (or "PROTOCOLINFO"). This is a
fix for a neat cross-protocol attack where the attacker tricks your
web browser into talking to the control port and generating a string
where most of the lines are ignored, up until the lines the attacker

Before the client has authenticated, no command other than
PROTOCOLINFO, AUTHENTICATE, or QUIT is valid. If the controller
sends any other command, or sends a malformed command, or sends an
unsuccessful AUTHENTICATE command, or sends PROTOCOLINFO more than
once, Tor sends an error reply and closes the connection.
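As an added illustration (my own toy model, not Tor's code), here is the pre-authentication rule above as a small state machine: the constructed browser-style request below is rejected at its very first line, so nothing after it is ever interpreted. The password is a made-up value and the reply codes only follow control-spec conventions.

```python
# Added example, not Tor's own code: a toy model of the pre-authentication
# rule quoted above. Before AUTHENTICATE succeeds only PROTOCOLINFO,
# AUTHENTICATE and QUIT are accepted; anything else, a malformed line, a
# failed AUTHENTICATE or a repeated PROTOCOLINFO gets an error and a close.
EXPECTED_PASSWORD = "correct-horse"  # constructed; real Tor checks a hash or cookie

class ControlConn:
    def __init__(self):
        self.authenticated = self.protocolinfo_seen = self.closed = False
        self.replies = []

    def _reply(self, text, close=False):   # record the reply; optionally close
        self.replies.append(text)
        self.closed = self.closed or close
        return text

    def handle_line(self, line):           # one controller line -> one reply
        if self.closed:
            return None
        parts = line.strip().split(None, 1)
        if not parts or not parts[0].isalpha():          # malformed command line
            return self._reply("510 Unrecognized command", close=True)
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if cmd == "QUIT":
            return self._reply("250 closing connection", close=True)
        if cmd == "PROTOCOLINFO":
            if self.protocolinfo_seen and not self.authenticated:  # once pre-auth
                return self._reply("510 PROTOCOLINFO already sent", close=True)
            self.protocolinfo_seen = True
            return self._reply("250 OK")   # real Tor also lists AUTH METHODS here
        if cmd == "AUTHENTICATE":
            if arg.strip('"') != EXPECTED_PASSWORD:
                return self._reply("515 Authentication failed", close=True)
            self.authenticated = True
            return self._reply("250 OK")
        if not self.authenticated:                       # everything else: auth first
            return self._reply("514 Authentication required.", close=True)
        return self._reply("250 OK")       # authenticated commands proceed normally

def feed(lines):  # run lines on a fresh connection -> (replies, closing line index or None)
    conn = ControlConn()
    for i, line in enumerate(lines):
        conn.handle_line(line)
        if conn.closed:
            return conn.replies, i
    return conn.replies, None

# Constructed: what a browser tricked into speaking HTTP to the control port sends.
BROWSER_REQUEST = ["POST / HTTP/1.1", "Host: 127.0.0.1:9051", "", "GETINFO version"]
```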