[tor-bugs] #5011 [Pluggable transport]: Discuss possible designs for an external program that discovers bridge addresses to tell Tor about them
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Mar 13 03:45:33 UTC 2012
#5011: Discuss possible designs for an external program that discovers bridge
addresses to tell Tor about them
---------------------------------+------------------------------------------
Reporter: karsten | Owner: mikeperry
Type: task | Status: new
Priority: normal | Milestone:
Component: Pluggable transport | Version:
Keywords: MikePerry201203 | Parent: #5010
Points: | Actualpoints:
---------------------------------+------------------------------------------
Comment(by nickm):
That sounds initially plausible to me. I wonder about the unauthenticated
aspect of the "dumb IPC" attribute, though. Historically, every security
feature on control ports turned out to be necessary, and then some. If an
attacker can remotely inject hostile bridges, they could use that to
deanonymize a user.
For example, suppose that the the "dumb IPC" accepts line-oriented input,
and rejects lines it doesn't understand, and sets the rest as bridges. If
that's the case, and an attacker can guess what port it's running on (not
too hard; there aren't so many ports), they could use standard XSS
techniques to make the user's web browser post to 127.0.0.1:dumbIPCPort
with a string that looks like
{{{
HTTP/1.1 GET /ha-ha-got-you
...
bridge {evil.ip.here}:6666
}}}
and then the BridgeFinder would reject everything up to the bogus bridge
line, and then add that, and then the attacker would only have to wait for
connections to {evil.ip.here}.
So it's important to make sure that this kind of attack won't work.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5011#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list