Re: [tor-bugs] #1299 [Tor Client]: Tor should verify signatures before parsing
#1299: Tor should verify signatures before parsing
------------------------------+---------------------------------------------
Reporter: mikeperry | Type: defect
Status: new | Priority: normal
Milestone: Tor: unspecified | Component: Tor Client
Version: 0.2.1.24 | Resolution: None
Keywords: | Parent:
------------------------------+---------------------------------------------
Changes (by nickm):
* priority: major => normal
* milestone: => Tor: unspecified
Old description:
> Right now Tor parses both consensus documents and router descriptors before verifying their signature. This exposes us to all sorts of potential MITM tampering and code execution bugs, of which we have recently had several. Right now, an adversary who finds a parsing exploit needs only to sign up as a directory mirror, or MITM 0.2.0.x clients that are not using tunnelled directory connections.
>
> Such an adversary can custom-craft payloads based on the fingerprint of the OS of the client that connects to them, and can also target specific clients for precision attacks.
>
> If we verify signatures before parsing, the adversary loses their ability to target specific clients by OS or by IP, and can at best publish a malicious router descriptor signed by them to everyone. This leaves us with a clear audit trail of where the exploit came from, and a record of all such attempts in the descriptor archives. This would be a considerably better position to be in than we are now.
>
> [Automatically added by flyspray2trac: Operating System: All]
New description:
Right now Tor parses both consensus documents and router descriptors before verifying their signature. This exposes us to all sorts of potential MITM tampering and code execution bugs, of which we have recently had several. Right now, an adversary who finds a parsing exploit needs only to sign up as a directory mirror, or MITM 0.2.0.x clients that are not using tunnelled directory connections.

Such an adversary can custom-craft payloads based on the fingerprint of the OS of the client that connects to them, and can also target specific clients for precision attacks.

If we verify signatures before parsing, the adversary loses their ability to target specific clients by OS or by IP, and can at best publish a malicious router descriptor signed by them to everyone. This leaves us with a clear audit trail of where the exploit came from, and a record of all such attempts in the descriptor archives. This would be a considerably better position to be in than we are now.
[Automatically added by flyspray2trac: Operating System: All]
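The ordering the ticket asks for, shown as an added example that is not Tor's code and does not use Tor's real descriptor or consensus syntax: a constructed document format (body lines followed by one "signature <hex>" line), an Ed25519 key standing in for a publisher's signing key, and a fetcher (VerifyThenParse, a hypothetical name) that checks the signature over the raw bytes against a pinned public key before any document-specific parser runs. The parser, the Descriptor type and the ParserCalls counter are assumptions made for the demonstration; the counter exists only so a caller can confirm that rejected bytes never reached parsing code.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed format (not Tor's): body lines, then one final line
// "signature <hex>" whose Ed25519 signature covers every byte before it.
const sigPrefix = "signature "

// Descriptor is what the hypothetical parser extracts from a body.
type Descriptor struct {
	Nickname string
	Address  string
}

// ParserCalls counts parser invocations so a caller can check that
// documents rejected at the signature step never reached the parser.
var ParserCalls int

// SignDocument builds a signed document; used here only to construct
// sample input. In a directory system the publisher holds this key.
func SignDocument(priv ed25519.PrivateKey, body string) []byte {
	if !strings.HasSuffix(body, "\n") {
		body += "\n"
	}
	sig := ed25519.Sign(priv, []byte(body))
	return []byte(body + sigPrefix + hex.EncodeToString(sig) + "\n")
}

// splitSignature separates the signed bytes from the signature line without
// interpreting the body: only the final line is examined, and only for the
// fixed prefix plus a hex string, so no document-specific parsing happens.
func splitSignature(doc []byte) (body, sig []byte, err error) {
	trimmed := bytes.TrimRight(doc, "\n")
	i := bytes.LastIndexByte(trimmed, '\n')
	if i < 0 {
		return nil, nil, errors.New("no body before the signature line")
	}
	last := trimmed[i+1:]
	if !bytes.HasPrefix(last, []byte(sigPrefix)) {
		return nil, nil, errors.New("document does not end with a signature line")
	}
	sig, err = hex.DecodeString(string(last[len(sigPrefix):]))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, nil, errors.New("malformed signature line")
	}
	return doc[:i+1], sig, nil
}

// parseBody is the attack surface the ticket is about: code that only
// authenticated bytes should ever reach. It is strict, so malformed input
// surfaces as an error instead of being silently accepted.
func parseBody(body []byte) (*Descriptor, error) {
	ParserCalls++
	var d Descriptor
	for _, line := range strings.Split(strings.TrimRight(string(body), "\n"), "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "router" {
			d.Nickname, d.Address = f[1], f[2]
			continue
		}
		return nil, fmt.Errorf("unrecognised line %q", line)
	}
	if d.Nickname == "" {
		return nil, errors.New("missing router line")
	}
	return &d, nil
}

// VerifyThenParse is the ordering the ticket asks for: verify the signature
// over the raw bytes against a pinned key first, and hand the body to the
// parser only once it is known to come from that key's holder.
func VerifyThenParse(trusted ed25519.PublicKey, doc []byte) (*Descriptor, error) {
	body, sig, err := splitSignature(doc)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(trusted, body, sig) {
		return nil, errors.New("signature invalid: document discarded unparsed")
	}
	return parseBody(body)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignDocument(priv, "router alice 10.0.0.1\n") // constructed sample
	if d, err := VerifyThenParse(pub, good); err == nil {
		fmt.Printf("accepted %s at %s\n", d.Nickname, d.Address)
	}
	// An in-transit edit to the body breaks the signature, so the parser
	// never sees the modified bytes.
	tampered := bytes.Replace(good, []byte("alice"), []byte("mallory"), 1)
	_, err := VerifyThenParse(pub, tampered)
	fmt.Println("tampered:", err, "| parser runs:", ParserCalls)
	// A malformed body signed with the real key does reach the parser, but
	// the failure is now attributable to whoever holds that key.
	_, err = VerifyThenParse(pub, SignDocument(priv, "not a router line\n"))
	fmt.Println("signed but malformed:", err, "| parser runs:", ParserCalls)
}
```

The point of the counter is the ticket's argument made checkable: a tampered document and a document signed by an untrusted key both fail before ParserCalls changes, while a malformed document carrying a valid signature still reaches the parser, which is the residual risk the description accepts in exchange for an audit trail pointing at the signing key.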
--
Comment:
Moving to "unspecified" milestone.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1299#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs