[tor-bugs] #8117 [Tor]: Tor SOCKS handshake makes SOCKS circuit isolation non-functional for many apps
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jan 31 15:37:28 UTC 2013
#8117: Tor SOCKS handshake makes SOCKS circuit isolation non-functional for many
apps
----------------------------------+-----------------------------------------
Reporter: cypherpunks | Owner:
Type: defect | Status: needs_review
Priority: major | Milestone: Tor: 0.2.3.x-final
Component: Tor | Version: Tor: 0.2.3.25
Keywords: tor-client isolation | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Changes (by nickm):
* keywords: => tor-client isolation
* status: new => needs_review
Comment:
Agreed wrt priority and backportability.
It looks easy enough to fix at first glance: answer "username/password" if
the client offers it; otherwise answer "no auth". I'm attaching a patch
to do that.
I'm a little worried that there could be a failure mode here where a
user's application offers username/password authentication even though it
doesn't know a username/password combination, and then responds to Tor's
selecting username/password authentication by asking the user for a
username and password. If there are many apps like that, we'll need
another fix here.
This patch needs testing: first to ensure that username/password isolation
is working with programs that behave like pidgin. And second, to make sure
that the failure mode above doesn't occur when no username and password
are configured.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8117#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list