[tor-bugs] #14389 [Core Tor/Tor]: little-t-tor: Provide support for better TBB UI of hidden service client authorization

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 26 10:30:05 UTC 2019 

#14389: little-t-tor: Provide support for better TBB UI of hidden service client
authorization
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.4.2.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-hs, tbb-usability, ux-team, hs-  |  Actual Points:
  auth                                           |
Parent ID:  #30000                               |         Points:  14-24
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor27-must
-------------------------------------------------+-------------------------

Comment (by asn):

 Replying to [comment:45 mcs]:
 > Replying to [comment:44 asn]:
 > > So, I guess the plan here is to use HTTP CONNECT for this, and define
 a new error code for HTTP CONNECT that says that a destination needs
 client auth. I guess we would need a proposal for that. Who wants to write
 this?
 >
 > To me, the answer is "someone who can also take into account the other
 error scenarios that we will need to address later, e.g., invalid onion
 address and other onion-service related errors." Kathy and I don't think
 we know enough to write a proposal.
 >
 > * We are not sure what to do about other traffic, e.g., FTP.  Our guess
 is that due to the architecture of the Firefox networking stack, HTTP
 CONNECT is only available for HTTP traffic.  It might be difficult to
 ensure that no proxy bypass possibilities are introduced if we switch to
 HTTP CONNECT.
 >

 Thanks for digging into this mcs. From the above issues, only this one
 about proxy bypass seems to be blocker to me. All the others are things
 that can be solved with some moderate engineering efforts IIUC. However,
 if we can't guarantee that we have no proxy bypass we can't really proceed
 with HTTP CONNECT, right? What do you think?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14389#comment:46>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list