[tor-dev] Proposal 193: Safe cookie authentication

Sebastian Hahn hahn.seb at web.de
Fri Mar 16 06:57:32 UTC 2012


On Feb 10, 2012, at 12:02 AM, Robert Ransom wrote:
> The sole exception to ‘non-safe cookie authentication must die’ is
> when a controller knows that it is connected to a server process with
> equal or greater access to the same filesystem it has access to.  In
> practice, this means ‘only if you're completely sure that Tor is
> running in the same user account as the controller, and you're
> completely sure that you're connected to Tor’, and no controller is
> sure of either of those.

Why is it so hard to do this? Can't we tell controllers to do a
check of permissions, and only if they can't be sure refuse to use the
requested path by default unless a config whitelist or user prompt
allows it? I think that's a lot easier to implement for controllers, and
I just don't really see the huge threat here. If you have malicious
system-wide software on your host, you lost anyway.
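One concrete shape the permission check proposed in this reply could take, added here as an illustration and not code from Tor or from anyone in the thread. It assumes a POSIX host and Tor's 32-byte cookie file, and it only covers the first of the two conditions quoted above (same user account); a file check says nothing about whether the process on the other end of the control port is really Tor.

```python
import os
import stat
import tempfile

COOKIE_LEN = 32  # assumption: Tor's control_auth_cookie is 32 bytes


def cookie_file_is_private(path: str) -> bool:
    """True only if the cookie file is a regular file owned by this account
    that no other account can read or write. Anything else means plain
    cookie authentication should be refused unless explicitly allowed."""
    try:
        st = os.lstat(path)  # lstat: a symlink pointing elsewhere is rejected
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False  # not "the same user account as the controller"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False  # group or other can read/write the cookie
    return st.st_size == COOKIE_LEN


def demo() -> dict:
    """Constructed sample files exercising the check; returns a verdict per case."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "control_auth_cookie")
        with open(good, "wb") as f:
            f.write(os.urandom(COOKIE_LEN))
        os.chmod(good, 0o600)
        results["private"] = cookie_file_is_private(good)

        shared = os.path.join(d, "shared_cookie")
        with open(shared, "wb") as f:
            f.write(os.urandom(COOKIE_LEN))
        os.chmod(shared, 0o644)
        results["world_readable"] = cookie_file_is_private(shared)

        link = os.path.join(d, "link_cookie")
        os.symlink(good, link)
        results["symlink"] = cookie_file_is_private(link)

        results["missing"] = cookie_file_is_private(os.path.join(d, "absent"))
    return results


if __name__ == "__main__":
    print(demo())
```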