[tor-bugs] #3064 [Vidalia]: Vidalia stores ControlPassword as plaintext
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sun May 1 22:12:13 UTC 2011
#3064: Vidalia stores ControlPassword as plaintext
--------------------------+-------------------------------------------------
Reporter: tornewbie | Owner: chiiph
Type: defect | Status: reopened
Priority: normal | Milestone:
Component: Vidalia | Version:
Resolution: | Keywords:
Parent: | Points:
Actualpoints: |
--------------------------+-------------------------------------------------
Comment(by arma):
Replying to [comment:7 tornewbie]:
> When tor starts and the ControlPort is set into torrc, it warns about
setting a password.
If you set controlport but don't set any authentication mechanism, you're
using it insecurely.
> Probably I am wrong but setting a random password could be a really bad
idea just in case someone is using Vidalia to access his/her own remote
relay : this could permit to others bad things like , for example,
changing exit policy at runtime.
The ControlPort listens to 127.0.0.1 and we don't let you configure that.
So if you're using Vidalia to control a remote relay, you would need to
set up a stunnel or some other thing to make it work -- and in that case
it's the remote connection that you should be focusing on securing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3064#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list