[tor-bugs] #27896 [Core Tor/Tor]: base32 padding inconsistency between client and server in HS v3 client auth preview
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Oct 20 10:27:39 UTC 2018
#27896: base32 padding inconsistency between client and server in HS v3 client auth
preview
-----------------------------+------------------------------------
Reporter: jchevali | Owner: (none)
Type: defect | Status: needs_information
Priority: Medium | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version: Tor: 0.3.5.1-alpha
Severity: Normal | Resolution:
Keywords: tor-hs, hs-auth | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------+------------------------------------
Comment (by jchevali):

I think I'm starting to question the wisdom of rend-spec-v3.txt, para
6.1.2, "Tor SHOULD ignore lines it does not recognize."

Probably the procedure should be, if there aren't otherwise any valid
lines, unless all invalid lines are comments, assume if there's an invalid
entry in an .auth file a valid entry was meant and a mistake was made, and
access should be denied by default instead of being granted by default.
Because presumably if there were other valid entries access would be
denied except to those, and failure to parse a further entry would not
result in unrestricted access. But where there's only one entry, or a
bunch of unparseable entries, a failure to parse in this case in practice
would result in unrestricted access, which perhaps wasn't what was meant.
In this case probably failure to parse should mean no one gets in, until
those are corrected.

On the principle that failure to access a service would be noticed and
probably soon corrected, but failure to set up security might not get
noticed, and as a result overall security compromised.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27896#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
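
Added example, not part of the original message and not tor's own code: a small Python model contrasting the "ignore unrecognized lines" rule with the deny-by-default rule proposed in the comment above. The `descriptor:x25519:<base32 key>` line layout, the 52-character unpadded key length, `#` comment lines, and the choice to treat the padded key as the unparseable form are assumptions of this sketch; all function names are hypothetical.

```python
import base64

KEY_B32_LEN = 52  # assumed: 32-byte x25519 key in unpadded base32

# Constructed sample key (bytes 0..31); b32encode appends '====' padding.
SAMPLE_KEY = base64.b32encode(bytes(range(32))).decode()
PADDED = "descriptor:x25519:" + SAMPLE_KEY
UNPADDED = "descriptor:x25519:" + SAMPLE_KEY.rstrip("=")


def classify(line):
    """Return 'comment', 'valid' or 'invalid' for one .auth line."""
    s = line.strip()
    if not s or s.startswith("#"):
        return "comment"
    parts = s.split(":")
    if len(parts) != 3 or parts[0] != "descriptor" or parts[1] != "x25519":
        return "invalid"
    key = parts[2]
    if len(key) != KEY_B32_LEN:  # a padded key is 56 chars and fails here
        return "invalid"
    try:
        raw = base64.b32decode(key + "====", casefold=True)
    except ValueError:  # binascii.Error: bad alphabet or stray '='
        return "invalid"
    return "valid" if len(raw) == 32 else "invalid"


def access_policy(lines, fail_closed):
    """Decide who may reach the service given all configured .auth lines.

    fail_closed=False models "ignore lines it does not recognize";
    fail_closed=True models the deny-by-default rule from the comment.
    """
    kinds = [classify(line) for line in lines]
    if "valid" in kinds:
        return "restricted"  # only listed clients; bad lines are ignored
    if "invalid" in kinds and fail_closed:
        return "deny_all"    # an entry was meant but could not be parsed
    return "open"            # no entries, or comments only


if __name__ == "__main__":
    for name, lines in [("padded only", [PADDED]),
                        ("comment only", ["# constructed note"]),
                        ("valid + padded", [UNPADDED, PADDED])]:
        print(name, access_policy(lines, False), access_policy(lines, True))
```

The two rules differ only in the first case: a single unparseable entry leaves the service open under the ignore rule and closed to everyone under the proposed one.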