On Sun, May 03, 2015 at 03:31:01PM -0700, Tom van der Woerdt wrote:
Matthew Finkel wrote on 03/05/15 at 14:47:
On Sun, May 03, 2015 at 08:20:54PM +0000, Matthew Finkel wrote:
On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking.
What if we add the commands to the t-shirt[0] website? Again, this isn't a great solution, but we already have documentation which requires running commands with elevated privileges on there, and it's slightly better than sending it in an email. These commands are still more complex than I'd like, but besides providing an executable or verifiable shell script, I'm running low on solutions.
[0] https://www.torproject.org/getinvolved/tshirt
Thanks, Matt
Hi Matt,
How about:
- Primarily using ContactInfo for the verification
- If you cannot match the ContactInfo, ask people to set it on their relays
Sounds good.
- If they are unwilling/unable to do so, ask them to sign their mail address using their secret Tor key
How? For the short-term, do you think asking the operator to run the proposed command is not a crazy idea?
- Implement a --sign option for Tor 0.2.7
- Starting a year from now, just ask everyone to sign the request
We'd need more than a year for this, likely four years at the earliest, because Jessie only has 0.2.6.
Proving ownership of a Tor relay can be relevant for more applications than just Weather, so a simple --sign option can be good to have. That doesn't address the immediate concerns though; it's more of a long-term solution.
I think this may be a good idea, especially if CAs begin issuing certs for onion sites. Implementing it will not be too difficult; unfortunately, its usability may be a little tricky.
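The ownership proof Tom proposes (the operator signs the mail address with the relay's secret identity key, which a --sign option would automate, and the requester verifies it against the relay's published key), as an added Go example that is not code from Tor or from anyone in this thread. The claim format with its version tag and the SHA-256/PKCS#1 v1.5 signature are assumptions; only the fingerprint derivation (SHA-1 over the DER-encoded RSAPublicKey) follows Tor's actual rule, so the verifier can match the signing key against the fingerprint in the consensus.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// Fingerprint is computed the way Tor does it: SHA-1 over the DER PKCS#1 RSAPublicKey, upper-case hex.
func Fingerprint(pub *rsa.PublicKey) string {
	sum := sha1.Sum(x509.MarshalPKCS1PublicKey(pub))
	return fmt.Sprintf("%X", sum[:])
}

// claimMessage binds the e-mail address to one relay so a signature cannot be replayed
// for another relay or another address. The tag is a hypothetical format, not Tor's.
func claimMessage(fingerprint, email string) []byte {
	return []byte("tor-relay-ownership-v1\n" + fingerprint + "\n" + email + "\n")
}

// SignClaim is what a hypothetical "tor --sign" would do on the relay with keys/secret_id_key.
func SignClaim(idKey *rsa.PrivateKey, email string) (string, error) {
	digest := sha256.Sum256(claimMessage(Fingerprint(&idKey.PublicKey), email))
	sig, err := rsa.SignPKCS1v15(rand.Reader, idKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyClaim is the receiving-side check, using the identity key from the relay's descriptor.
func VerifyClaim(pub *rsa.PublicKey, email, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(claimMessage(Fingerprint(pub), email))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	idKey, _ := rsa.GenerateKey(rand.Reader, 1024) // constructed stand-in for a relay's 1024-bit identity key
	sig, _ := SignClaim(idKey, "operator@example.org")
	fmt.Println(Fingerprint(&idKey.PublicKey), VerifyClaim(&idKey.PublicKey, "operator@example.org", sig))
}
```

A forged or re-used signature fails because the signed bytes include both the relay fingerprint and the exact address, so one claim cannot be moved to another relay or another operator.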