[tor-bugs] #2751 [Tor Directory Authority]: Don't give remotely exploitable relays the HSDir flag
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Mar 14 09:27:58 UTC 2011
#2751: Don't give remotely exploitable relays the HSDir flag
-------------------------------------+--------------------------------------
Reporter: rransom | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Directory Authority | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------------------+--------------------------------------
Comment(by rransom):
Replying to [comment:1 Sebastian]:
> I don't think I agree here. If we believe those relays can't store
hsdirs they surely can't handle client traffic either, in which case we
should cut them out of the network entirely, or we decide they are ok to
keep and we keep them hsdirs too
It's much easier to crash those buggy relays than to run arbitrary code on
them. Some attackers have greater incentive to crash HSDir relays (in
order to censor certain hidden service descriptors) or to crash Guard
relays (in order to force a particular client whose guard nodes are known
to choose another Guard node) than to crash arbitrary other relays.
If someone publishes or demonstrates a code-exec exploit for one of the
heap-corruption bugs, we should drop all vulnerable relays from the
consensus, but until then, we only need to take away the flags (Guard and
HSDir) that make crashing a relay particularly harmful to the Tor network
(and/or beneficial to an attacker).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2751#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list