[tor-dev] Control-port filtering: can it have a reasonable threat model?