[tor-bugs] #20022 [Core Tor/Tor]: Tor should deprecate insecure cookie auth
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 31 00:44:41 UTC 2016
#20022: Tor should deprecate insecure cookie auth
--------------------------+---------------------
Reporter: dkg | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+---------------------
Comment (by yawning):
Replying to [comment:6 teor]:
> It's also worth noting that there are situations where security is
somewhat irrelevant - such as control sockets on tor test networks. Best
we keep some auth methods for that use case.
"some auth methods" like `NULL`, `HASHEDPASSWORD`, and `SAFECOOKIE`? If
your test network tooling only supports `COOKIE` auth, that's a problem
with the tooling.
`SAFECOOKIE` was introduced in 0.2.3.13-alpha. I don't see a compelling
argument to keep `COOKIE` around.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20022#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list