[tor-commits] [torspec/master] tor-spec: Do the same extend checks as tor
teor at torproject.org
teor at torproject.org
Tue Apr 28 11:09:08 UTC 2020
commit b43b9156614596e73df63be69ee439be93444802
Author: teor <teor at torproject.org>
Date: Tue Apr 28 21:07:24 2020 +1000
tor-spec: Do the same extend checks as tor
Update the extend checks to match tor's implementation, particularly
the comments in channel_tls_matches_target_method().
---
tor-spec.txt | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tor-spec.txt b/tor-spec.txt
index 7f0256e..df0ca38 100644
--- a/tor-spec.txt
+++ b/tor-spec.txt
@@ -1378,8 +1378,10 @@ see tor-design.pdf.
- The IP matches the requested IP.
- The OR knows that the IP of the connection it's using is canonical
because it was listed in the NETINFO cell.
- - The OR knows that the IP of the connection it's using is canonical
- because it was listed in the server descriptor.
+
+ ORs SHOULD NOT check the IPs that are listed in the server descriptor.
+ Trusting server IPs makes it easier to covertly impersonate a relay, after
+ stealing its keys.
5.4. Tearing down circuits
More information about the tor-commits
mailing list