[tor-bugs] #20022 [Core Tor/Tor]: Tor should deprecate insecure cookie auth
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Aug 30 04:43:05 UTC 2016
#20022: Tor should deprecate insecure cookie auth
--------------------------+---------------------
Reporter: dkg | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+---------------------
Comment (by yawning):
For what it's worth `bulb` (the Go controller library) doesn't support
`COOKIE` at all, under the assumption that `"COOKIE" authentication
exists, but anything modern supports "SAFECOOKIE".`.
Any project that finds `SAFECOOKIE` hard to implement either should use
library code that does it for them or be the target of merciless mockery.
Somewhat orthogonal to this, the browser code's treatment of controller
auth in general could be improved (eg: #16017).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20022#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list