[tor-dev] Proposal 190: Password-based Bridge Client Authorization
Nick Mathewson
nickm at alum.mit.edu
Wed Jan 18 14:25:28 UTC 2012
On Tue, Jan 17, 2012 at 1:28 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> With that hack on top of the v3 protocol, any client able to detect
> that a bridge is not being MITMed can impersonate the bridge through
> the TLS handshake, until after the (honest, victim) client speaks the
> Tor protocol at the fake bridge.
Seems mostly harmless; the only point of a shared secret there is to
keep scanning from working. Anybody who tries the above attack
already know that the bridge is there; all they learn is that the
client knew too, which they probably could have figured out as an
eavesdropper.
--
Nick
More information about the tor-dev
mailing list