On Mon, Jun 20, 2005 at 02:39:19PM -0400, Roger Dingledine wrote:
[...]
> Oh thank god, I was just struggling with the old spec. One question about the
> old protocol: Where does the authentication come from? I didn't find any
> information about that and I thought that connections from localhost would
> always be authenticated.

Right. By default, you can send an AUTHENTICATE command before you send any other command. Unless you set a password somehow, you can send any authentication string you want from localhost and it will be accepted. You do need to send *SOME* authentication before any commands, though.

(This is a Sneaky Design Decision to trick to force developers to admit to themselves that they are doing something ugly when they use a Just Trust Localhost authentication model.)

--
Nick Mathewson