[tor-bugs] #20468 [Applications/Tor Browser]: TorBrowser using a secret HASHEDPASSWORD

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 26 00:07:05 UTC 2016


#20468: TorBrowser using a secret HASHEDPASSWORD
------------------------------------------+----------------------
     Reporter:  cypherpunks               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 For security reasons, I was trying to force the TorBrowser to work with its
 own tor instance (and SocksPort) but without allowing it to have access to
 the ControlPort.

 I don't care for the TorButton New Identity or circuit path display
 features.

 I tried setting CookieAuthentication to 0 in torrc-defaults. But was
 surprised to find that the TorBrowser still managed to authenticate with
 the control port and the TorButton was able to display the circuit path.

 With the help of the folks on IRC, we were able to determine that the
 TorLauncher uses its own secret hashed password if it's unable to find a
 cookie or env password.

 Protocolinfo says: 250-AUTH METHODS=HASHEDPASSWORD

 I think the TorBrowser and TorLauncher should respect the user's wishes and
 not set a secret password for itself. Instead just work without the
 ControlPort.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20468>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
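
The `PROTOCOLINFO` line quoted in the ticket can be checked mechanically to see which control-port authentication methods a tor instance advertises. This is an added example, not part of the original ticket or of Tor Browser's code; the sample replies are constructed, and the function names are hypothetical.

```python
import re

# Constructed PROTOCOLINFO replies (control-spec format); version and path are placeholders.
REPLY_TICKET = (  # the situation in the ticket: only HASHEDPASSWORD is offered
    "250-PROTOCOLINFO 1\r\n"
    "250-AUTH METHODS=HASHEDPASSWORD\r\n"
    '250-VERSION Tor="0.0.0-placeholder"\r\n'
    "250 OK\r\n"
)
REPLY_COOKIE = (
    "250-PROTOCOLINFO 1\r\n"
    '250-AUTH METHODS=COOKIE,SAFECOOKIE COOKIEFILE="/constructed/control_auth_cookie"\r\n'
    "250 OK\r\n"
)
REPLY_OPEN = "250-PROTOCOLINFO 1\r\n250-AUTH METHODS=NULL\r\n250 OK\r\n"

AUTH_RE = re.compile(
    r'^250[- ]AUTH METHODS=(?P<methods>[A-Z,]+)'
    r'(?: COOKIEFILE="(?P<cookie>(?:[^"\\]|\\.)*)")?\s*$'
)

def parse_protocolinfo(reply):
    """Return (set of auth methods, cookie file path or None)."""
    for line in reply.splitlines():
        m = AUTH_RE.match(line)
        if m:
            return set(m.group("methods").split(",")), m.group("cookie")
    raise ValueError("no AUTH line in PROTOCOLINFO reply")

def assess(reply):
    """Summarise what a local process needs in order to use this control port."""
    methods, cookie = parse_protocolinfo(reply)
    if "NULL" in methods:
        return "open: any local process can authenticate"
    notes = []
    if "HASHEDPASSWORD" in methods:
        # Advertised when a control password is configured on the tor instance,
        # even if CookieAuthentication is 0.
        notes.append("password: a hashed control password is configured")
    if methods & {"COOKIE", "SAFECOOKIE"}:
        notes.append("cookie: readable file %s grants access" % cookie)
    return "; ".join(notes)

if __name__ == "__main__":
    for name, reply in [("ticket", REPLY_TICKET), ("cookie", REPLY_COOKIE), ("open", REPLY_OPEN)]:
        print(name, "->", assess(reply))
```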