Re: [tor-bugs] #17901 [Tor]: Tor would bind ControlPort to public ip address if it has no localhost interface
#17901: Tor would bind ControlPort to public ip address if it has no localhost interface
---------------------------------------+-----------------------------------
Reporter: s7r                          | Owner: teor
Type: defect                           | Status: needs_information
Priority: High                         | Milestone: Tor: 0.2.8.x-final
Component: Tor                         |
Severity: Major                        | Version: Tor: 0.2.6.10
Keywords: 027-backport 026-backport    | Resolution:
Parent ID:                             | Actual Points:
Sponsor:                               | Points:
---------------------------------------+-----------------------------------
Comment (by teor):
bugzilla raised concerns about this ticket on #17949:
> In general, localhost is a TLD, and it must be resolved through DNS. In
> one of the related tickets it was stated that 127.0.0.1 can be seamlessly
> redirected to a public IP by the system. DNS can return "not found". So,
> there are enough reasons to stop relying on localhost as a security
> solution.
> General practice is that services listen on 0 (0.0.0.0 and/or [::]).
> Address filtering is a task of the firewall. To handle all tasks by the tor
> instance is not a good practice.
This issue happens only on machines where binding to 127.0.0.1 doesn't
bind to a loopback interface. This is non-standard OS behaviour /
configuration. On standards-conformant OSs, binding to 127.0.0.1 reliably
ensures that the port is not accessible outside the local machine,
reducing the attack surface considerably. People who configure their OS
any other way are vulnerable unless they take additional precautions. Tor
can detect serious security issues like this, close the port, and warn the
user. So we will do that, because it's more secure by default.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17901#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
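The check described in the comment above, as an added example that is not Tor's own code: bind a throwaway listener to 127.0.0.1 only, then confirm that the same port is reachable on loopback but not through any non-loopback address of the host. The helper candidate_addresses is an assumption (it uses the host name's resolution rather than walking the interface list, which is what a production check would do).

```python
import ipaddress
import socket


def candidate_addresses():
    """Non-loopback IPv4 addresses this host's name resolves to.
    Hypothetical helper: a real check would enumerate interfaces instead."""
    found = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            ip = info[4][0]
            if not ipaddress.ip_address(ip).is_loopback:
                found.add(ip)
    except socket.gaierror:
        pass  # name does not resolve: nothing to probe
    return sorted(found)


def reachable_via(addresses, timeout=0.5):
    """Bind a listener to 127.0.0.1 only, then try to reach that same port
    through each given address. Returns the addresses that connected.
    On a standards-conformant OS only loopback addresses should appear."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    reached = []
    try:
        for addr in addresses:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
                probe.settimeout(timeout)
                try:
                    probe.connect((addr, port))
                except OSError:
                    continue  # refused or timed out: not reachable this way
                reached.append(addr)
    finally:
        listener.close()
    return reached


def loopback_isolation_ok():
    """True when a 127.0.0.1 listener answers on loopback and on nothing else;
    False is the condition under which the ticket says Tor should close the port."""
    return (reachable_via(["127.0.0.1"]) == ["127.0.0.1"]
            and reachable_via(candidate_addresses()) == [])


if __name__ == "__main__":
    print("loopback isolation ok:", loopback_isolation_ok())
```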