[tor-dev] Onion Client Auth on v3 descriptor via Control port

Miguel Jacq mig at mig5.net
Wed Jun 17 09:53:19 UTC 2020

Hi George,

On Wed, Jun 17, 2020 at 12:37:18PM +0300, George Kadianakis wrote:
> Hmm, this is a bit embarrassing for both of us, but if I'm not mistaken
> ONION_CLIENT_AUTH_ADD only controls the client-side of client auth
> credentials. This is not obvious at all by the command name, and it only
> becomes a bit clearer by reading the control-spec.txt...
> We added that control port command so that the browser could present a
> UX for client authorization.

Ahahahah. Riiight, thanks for that clarification. This whole time I indeed thought this was a novel way for adding Client Auth for v3 onions via the control port.

I had been reading the rend-spec-v3 https://github.com/torproject/torspec/blob/master/rend-spec-v3.txt

G.2.1 'Service side' says '[XXX figure out control port command format]' and I figured it just hadn't been updated to reflect the new command. I hadn't even thought to read the control spec.

> AFAIK there is no control port command for adding service-side client
> auth credentials. You will need to do this using the filesystem by using
> the '<HiddenServiceDir>/authorized_clients/' directory as displayed by
> the "CLIENT AUTHORIZATION" section of the manual... Or you will need to
> implement the control port commands in tor :/
> Sorry for the sad news here....... :/

Okay, thanks for all the clarification. Indeed, OnionShare uses purely ephemeral onions, so the standard filesystem method won't work (unless we switch to that).

A shame it can't be as easy as the basic_auth method for v2 onions! But it's not the same auth, so I understand :)

> PS: All this confusion stems from the name of this feature being "client
>     authorization". The fact that the name includes the string "client"
>     makes it confusing to specify whether functionality is client-side
>     or service-side... We should rename that feature, but making it
>     simply "authorization" is weird because then people are gonna wonder
>     whether onion services offer no authentication by default. Perhaps
>     we need to find a cooler name for this feature...

OnionShare called v2 client auth 'Stealth Mode'. But that was really just because it was understood that v2 descriptors were discoverable.

On the other hand, OnionShare now uses HTTP basic auth for both v2 and v3 onions, so it's not all bad.
