[tor-bugs] #20022 [Core Tor/Tor]: Tor should deprecate insecure cookie auth

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 30 04:43:05 UTC 2016


#20022: Tor should deprecate insecure cookie auth
--------------------------+---------------------
 Reporter:  dkg           |          Owner:
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+---------------------

Comment (by yawning):

 For what it's worth `bulb` (the Go controller library) doesn't support
 `COOKIE` at all, under the assumption that `"COOKIE" authentication
 exists, but anything modern supports "SAFECOOKIE".`.

 Any project that finds `SAFECOOKIE` hard to implement either should use
 library code that does it for them or be the target of merciless mockery.

 Somewhat orthogonal to this, the browser code's treatment of controller
 auth in general could be improved (eg: #16017).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20022#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list