[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [or-cvs] make connection_tls_finish_handshake() more plausible.
On Wed, Jul 21, 2004 at 02:14:55AM -0400, Roger Dingledine wrote:
> [ For context, the cvs commit message is here:
> http://archives.seul.org/or/cvs/Jul-2004/msg00087.html ]
>
> On Tue, Jul 20, 2004 at 11:32:12PM -0400, Paul Syverson wrote:
> > If we're going to accept connections from unknown routers, then
> > there should probably be a policy choice setting for that, possibly
> > a bound on how many rather than just a yes/no. Yes? No?
>
> Is accepting connections from unknown routers a security risk? We still
> choose paths the same way we did before (that is, from the list of
> verified routers in one of the directories).
>
> The only changes here are:
>
> - OPs can now provide an SSL certificate (signed by some identity key)
> when they're doing the TLS handshake with you, and you won't freak out
> and hang up on them.
> - If somebody happens to send you an extend cell that asks you to extend
> to this identity key, then you'll notice you're already connected,
> so you won't have to launch a new connection.
>
> So I think this particular change is safe enough.
>
I guess I was thinking about resource depletion either by design or
accident and maybe related things. Obviously there are potential
anonymity advantages if an OR can't be sure whether it is dealing with
a client or a relay node, but like everything else, this is a
two-edged sword. More significantly, with this change (automatic and
without a policy setting), someone who thinks he is running just an
intermediate node (accepting only local connections to other ORs or
relaying between other ORs in the directory) can find himself
effectively running an entrance node for others. Maybe he doesn't
want to do that.
-Paul