[tor-bugs] #29620 [Core Tor/Tor]: bridge: Make tor sign the networkstatus-bridges document
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Feb 28 20:43:41 UTC 2019
#29620: bridge: Make tor sign the networkstatus-bridges document
------------------------------+---------------------------------
Reporter: dgoulet | Owner: (none)
Type: enhancement | Status: new
Priority: Medium | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: bridgedb, authority
Actual Points: | Parent ID:
Points: 0.1 | Reviewer:
Sponsor: |
------------------------------+---------------------------------
Turns out that `networkstatus-bridges` document, when dumped on disk on
the Bridge Authority side, is not signed.
This means that when it is pushed to BridgeDB, the only trust anchor we
have is the SSH key thus making BridgeDB unable to verify the received
document signature that it was indeed signed by the authority.
For now, it is "OK" that we do that because the configured SSH key between
the authority and BridgeDB has a pinned IP address to it so an attacker
would need to steal that key _and_ push descriptors from that IP which is
somehow already a lot.
Regardless, adding the signature is something quite cheap that tor can do
which would allow BridgeDB an extra validation there instead of relying
solely on the SSH tunnel.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29620>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list