[tor-bugs] #5220 [Tor Client]: Intelligently use capabilities/privileges and drop what we don't need for Debian Gnu/Linux
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sun Mar 4 02:29:22 UTC 2012
#5220: Intelligently use capabilities/privileges and drop what we don't need for
Debian Gnu/Linux
-------------------------+--------------------------------------------------
Reporter: ioerror | Owner:
Type: enhancement | Status: needs_information
Priority: major | Milestone: Tor: unspecified
Component: Tor Client | Version: Tor: unspecified
Keywords: security | Parent: #5219
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by cypherpunks):
>Please explain in more detail so that someone can break this part.
I'm not familiar with the code base. But as I said, I have my doubts as
well whether this strategy would work at all, except for the pluggable
transport:
>A pluggable transport server has access to clients' IP addresses, can log
the times, sizes, and directions of traffic burts, and can redirect all
connections from new clients to an attacker-controlled relay for circuit-
level traffic logging.
Isn't that the same capabilities as the ISP already has? None of that,
even combined necessarily breaks the user's security expectations. But
they are broken if the transport server can be remotely exploited to phone
home through a circuit as opposed to directly sending malformed packets as
a neighboring node. Still, it "rises the bar". That's all we can hope for,
till Tor is completely formally verified.
I think far more fruitful than introducing a multi-process architecture
now is compiler hardening and thinking about the TorBrowser security
architecture...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5220#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list