[tor-commits] [torspec/master] Deprecate COOKIE authentication

nickm at torproject.org nickm at torproject.org
Mon Mar 26 18:18:48 UTC 2012


commit c402bdfeb08a3aa14d29f340f2fe7b594d27d4c1
Author: Robert Ransom <rransom.8774 at gmail.com>
Date:   Mon Feb 20 08:47:50 2012 -0800

    Deprecate COOKIE authentication
---
 control-spec.txt |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/control-spec.txt b/control-spec.txt
index ed5d2fe..b9ee997 100644
--- a/control-spec.txt
+++ b/control-spec.txt
@@ -983,6 +983,16 @@
   If the METHODS field contains the method "SAFECOOKIE", every
   AuthCookieFile must contain the same authentication cookie.
 
+  The COOKIE authentication method exposes the user running a
+  controller to an unintended information disclosure attack whenever
+  the controller has greater filesystem read access than the process
+  that it has connected to.  (Note that a controller may connect to a
+  process other than Tor.)  It is almost never safe to use, even if
+  the controller's user has explicitly specified which filename to
+  read an authentication cookie from.  For this reason, the COOKIE
+  authentication method has been deprecated and will be removed from
+  Tor before version 0.2.4.1-alpha.
+
   The VERSION line contains the Tor version.
 
   [Unlike other commands besides AUTHENTICATE, PROTOCOLINFO may be used (but
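Review bot: the new paragraph says COOKIE "has been deprecated" without naming the replacement; since the text just above it already requires every AuthCookieFile to hold the same cookie when "SAFECOOKIE" is advertised, the paragraph should close by telling controller authors to use SAFECOOKIE instead of COOKIE, so a reader of this section does not have to infer it. It would also help to state the mechanism of the disclosure in one sentence, since "unintended information disclosure attack" is otherwise abstract: with COOKIE the controller reads the file named by the COOKIEFILE it was given and sends that file's contents in its AUTHENTICATE command, so a process other than Tor that a controller connects to can name any file the controller's user can read and receive its contents. Finally, the parenthetical "(Note that a controller may connect to a process other than Tor.)" is doing the real work of the argument and would read better folded into the first sentence rather than set aside as an aside.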
