On Wednesday 11 June 2008 06:17:38 Roger Dingledine wrote:

<snip>

> He may also be referring to attacks where a local application (like the
> browser, but it doesn't have to be) can be tricked into connecting to
> your local Tor control port, like Kyle's attack from last year:
> http://archives.seul.org/or/announce/Sep-2007/msg00000.html
> This was a great attack, but I think the latest versions of Torbutton
> and Vidalia make it a non-issue going forward. I would love to hear if
> you think otherwise.

On a default Tor installation from source, i.e. with no authentication mechanism enabled, it is still possible successfully to send commands to the controlport if the 'authenticate' command is not preceded by any garbage. If someone were to develop a browser-based exploit that managed to get the 'authenticate', with no preceding bytes, to the controlport then they're in.

I believe this is extremely difficult to do, and if such an attack was the subject of arrakis' and kyle's paper they would have much bigger fish to fry than just Tor.

One way of preventing such an attack, however unlikely, would be to mandate a conversation such as:

robert@darkstar:~$ telnet localhost 9051
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Challenge is: 0a5f37d2edd284cb
0a5f37d2edd284cb
250 OK
authenticate
250 OK

In the above sequence the controller has had to inspect the challenge and parrot it back in order to be allowed to issue an authenticate command. As far as I'm aware this would defeat an HTML-form-based attack of the sort released last year, since such attacks cannot process feedback from the port they're attacking.
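As an added illustration (not part of the original message, and not Tor's code), the following Python model shows why the proposed challenge step matters. A session in its default mode accepts a bare 'authenticate' as the first line, as the post describes; with the challenge enabled, the server greets the client with a random 16-hex-character value that must be echoed verbatim before 'authenticate' is honoured. A controller that reads the greeting passes; a fire-and-forget sender that writes a fixed byte sequence and never reads replies cannot, because the value differs on every connection. The class names, the `require_challenge` switch and the '514 Authentication required' reply are my own choices for the model, not anything from the post.

```python
import secrets


class ControlPortSession:
    """Toy model of one client connection to a Tor-style control port.

    require_challenge=True implements the handshake proposed in the post:
    print a random challenge, demand it back verbatim, then accept
    'authenticate'. require_challenge=False models the unmodified default
    (no cookie or password), where a bare 'authenticate' as the first line
    is enough. Reply codes other than '250 OK' are assumed, not from Tor.
    """

    def __init__(self, require_challenge=True, challenge=None):
        self.require_challenge = require_challenge
        # 8 random bytes rendered as 16 hex chars, the shape of the post's example
        self.challenge = challenge or secrets.token_hex(8)
        self.challenge_echoed = not require_challenge
        self.authenticated = False
        self.closed = False
        self.greeting = f"Challenge is: {self.challenge}" if require_challenge else ""

    def send(self, line):
        """Deliver one line from the client; return the server's reply line."""
        if self.closed:
            return None  # connection already dropped
        line = line.strip()
        if not self.challenge_echoed:
            if line == self.challenge:
                self.challenge_echoed = True
                return "250 OK"
            # Any other first line, including an eager 'authenticate', ends the session
            self.closed = True
            return "514 Authentication required"
        if not self.authenticated:
            if line.lower() == "authenticate":
                self.authenticated = True
                return "250 OK"
            self.closed = True
            return "514 Authentication required"
        # Post-authentication commands are out of scope for this model
        return "250 OK"


def real_controller(session):
    """A controller that inspects the greeting and parrots the challenge back."""
    prefix = "Challenge is: "
    if session.greeting.startswith(prefix):
        challenge = session.greeting[len(prefix):]
        if session.send(challenge) != "250 OK":
            return False
    return session.send("authenticate") == "250 OK" and session.authenticated


def blind_sender(session, lines):
    """Models a client that writes a fixed sequence of lines and never reads
    what the port says back, so it cannot learn the per-connection challenge."""
    for line in lines:
        session.send(line)
    return session.authenticated


if __name__ == "__main__":
    print("default, bare authenticate:", blind_sender(ControlPortSession(require_challenge=False), ["authenticate"]))
    print("challenge, blind sender:   ", blind_sender(ControlPortSession(), ["authenticate"]))
    print("challenge, real controller:", real_controller(ControlPortSession()))
```

The model mirrors the transcript in the post: a fixed challenge such as `0a5f37d2edd284cb` can be passed in for a reproducible run, and sending 'authenticate' before the echo closes the session rather than leaving it open for a retry.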