Re: tor controlport wants authentication even if authentication is switched off

[Nick Mathewson <nickm@xxxxxxxxxxxxx>]

On Wed, Jan 07, 2009 at 07:03:03PM +0100, Sebastian Schmidt wrote:
 [...] 
> Why does TC tell me authentication is required even if it's switched
> off? Or is this the default reply if a not supported command was
> given to it?

Even if authentication is turned off, the first command on the control
connection needs to be "AUTHENTICATE" (or "PROTOCOLINFO").  This is a
fix for a neat cross-protocol attack where the attacker tricks your
web browser into talking to the control port and generating a string
where most of the lines are ignored, up until the lines the attacker
actually generated.

From control-spec.txt:

  Before the client has authenticated, no command other than
  PROTOCOLINFO, AUTHENTICATE, or QUIT is valid.  If the controller
  sends any other command, or sends a malformed command, or sends an
  unsuccessful AUTHENTICATE command, or sends PROTOCOLINFO more than
  once, Tor sends an error reply and closes the connection.

-- 
Nick