Re: [tor-bugs] #7098 [Tor]: Add safe-cookie authentication to Extended ORPort and TransportControlPort

["Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>]

#7098: Add safe-cookie authentication to Extended ORPort and TransportControlPort
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:                    
     Type:  defect      |         Status:  new               
 Priority:  normal      |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor         |        Version:                    
 Keywords:  tor-bridge  |         Parent:  #4773             
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by nickm):

 Replying to [comment:6 asn]:
  [...]
 > Sounds like Protocol B will be harder to design, prove and implement.
 Does our threat model include the attacks that it protects against? If
 not, we should probably do Protocol A.

 There are a couple of pieces of the protocols left off here.  To wit: how
 does the proxy learn where to look for the secret file?  I'd lean towards
 "Specify the location of the file in its environment when it's launched."

 In the managed proxy case, since you're getting both the cookie file
 location and the extended ORPort from Tor when it launches the proxy,
 there's not too much risk of connecting to something that isn't really a
 Tor process, and not much risk of reading something that isn't really a
 cookie file.  If you add a header to the file (which seems like an
 obviously correct choice), there's zero risk of reading a non-cookie file.
 So we probably _could_ get away with just a password system for that case.

 In the external proxy case, are we worried about somebody setting up the
 external proxy to point at the wrong extended ORPort for Tor, or at the
 wrong cookie file, or what?

 That said, I am fine with doing an HMAC-based challenge/response thing
 here, on the theory that the assumptions above might turn out to be less
 robust than we thought.

 > Some further questions:
 > + Should it be a text-based or binary-based protocol?

 The rest of the extended ORPort protocol is binary.

 > + Should the protocol be versioned?

 Yes.

 > + Should we let the cookie be of arbitrary size? I'm leaning towards
 'no'. 32 secret bytes hold enough entropy.

 Yes.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7098#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs