[tor-bugs] #14389 [Tor]: Improve TBB UI of hidden service client authorization

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 25 18:45:15 UTC 2015


#14389: Improve TBB UI of hidden service client authorization
------------------------+--------------------------
     Reporter:  asn     |      Owner:
         Type:  defect  |     Status:  new
     Priority:  normal  |  Milestone:  Tor: 0.2.???
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  tor-hs
Actual Points:          |  Parent ID:
       Points:          |
------------------------+--------------------------

Comment (by meejah):

 special and I were chatting on IRC, and thought that should be captured
 somewhere. That somewhere is here. I've removed some things from the below
 "log" to make it more clear.


 {{{
 13:52 < meejah> one thing tor-launcher lacks is a way to give it cookies
 for basic/stealth auth'd hidden-services
 13:53 < meejah> ...would teaching it to understand
 http://thecookie@blarglyfoo.onion be a terrible idea? (obvious "con" is:
 people would probably copy/paste that and reveal their seekrit)
 13:54 < special> this would be ambiguous with standard HTTP
 authentication, for one
 13:58 < special> I wonder how hard it would be to have the browser prompt
 for HS auth credentials..
 13:58 < special> probably hard
 13:59 < meejah> maybe just a static http://auth@blarglyfoo.onion could
 trigger popping a dialog for the cookie? pretty hacky though
 13:59 < special> well, I think a tor client can request the descriptor and
 know that it needs credentials to use it
 13:59 < special> it could, theoretically, ask for those credentials over
 the control port
 14:00 < meejah> yeah. right now you have to SETCONF on HidServAuth ...
 which is fragile (as it's easy to destroy any other auths you might have
 set up manually)
 14:01 < special> yes. I also mean that it could ask after requesting the
 descriptor, without knowing beforehand that credentials would be required
 14:01 < special> just like visiting a website with HTTP auth enabled; you
 get a popup dialog
 14:01 < meejah> true, that would be cool -- but unprecedented i think?
 (Are there any commands that do a request from tor->controller?)
 14:03 < special> meejah: __LeaveStreamsUnattached works that way, I
 suppose.
 14:04 < meejah> special: ah! yes, that's true!
 14:04 < meejah> for consistency one probably needs
 "__QueryDescriptorCookies=1" or something ;)
 14:05 < special> hmm
 14:06 < special> meejah: if we're well behaved developers, we should
 summarize this conversation on a ticket somewhere. It sounds vaguely
 useful.
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14389#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

