commit 7517e1b5d31aada1f594c2594737a231d9d8e116 Author: teor teor@torproject.org Date: Tue Apr 28 21:11:10 2020 +1000

channeltls: Clarify a relay impersonation defence

Clarify the comments in channel_tls_matches_target_method(), and make it clear that the attack is a covert attack. --- src/core/or/channeltls.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/core/or/channeltls.c b/src/core/or/channeltls.c index 5cedd9fbc..b424d02a5 100644 --- a/src/core/or/channeltls.c +++ b/src/core/or/channeltls.c @@ -739,10 +739,13 @@ channel_tls_matches_target_method(channel_t *chan, * base_.addr is updated by connection_or_init_conn_from_address() * to be the address in the descriptor. It may be tempting to * allow either address to be allowed, but if we did so, it would - * enable someone who steals a relay's keys to impersonate/MITM it + * enable someone who steals a relay's keys to covertly impersonate/MITM it * from anywhere on the Internet! (Because they could make long-lived * TLS connections from anywhere to all relays, and wait for them to * be used for extends). + * + * An adversary who has stolen a relay's keys could also post a fake relay + * descriptor, but that attack is easier to detect. */ return tor_addr_eq(&(tlschan->conn->real_addr), target); }