[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: (FWD) Re: Please review new control-spec.txt



On Mon, Jun 20, 2005 at 02:39:19PM -0400, Roger Dingledine wrote:
 [...]
> Oh thank god, I was just struggling with the old spec. One question about the
> old protocol: Where does the authentication come from? I didn't find any
> information about that and I thought that connections from localhost would
> always be authenticated.

Right.  By default, you can send an AUTHENTICATE command before you
send any other command.  Unless you set a password somehow, you can
send any authentication string you want from localhost and it will be
accepted.  You do need to send *SOME* authentication before any
commands, though.

(This is a Sneaky Design Decision to trick to force developers to
admit to themselves that they are doing something ugly when they use a
Just Trust Localhost authentication model.)

-- 
Nick Mathewson

Attachment: pgpK7INIeonHi.pgp
Description: PGP signature