[tor-bugs] #2132 [Vidalia]: Vidalia's password prompt is often unhelpful; generates support requests
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Mar 16 23:09:03 UTC 2011
#2132: Vidalia's password prompt is often unhelpful; generates support requests
-------------------------+--------------------------------------------------
Reporter: nickm | Owner: chiiph
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Vidalia | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
Comment(by nickm):
I disagree strongly with that.
The main reason that these passwords exist is that we want Cidalia to be
able to control Tor without allowing all other applications that can
connect to localhost also control Tor. (In particular, we are most
worried about the case where a local application is tricked into
connecting to the control port by hostile remote content.)
There are other ways to authenticate Vidalia to Tor that ought to work
just fine:
* There's the cookie authentication method if Vidalia can see Tor's data
directory, or if Tor can be told to store the cookie somewhere with
appropriate protections.
* Vidalia could remember (locally) the last password it used when
setting up tor.
* On Unix, the control port can be a unix domain socket rather than a
TCP port on localhost.
Also, Vidalia could give a useful error message when it fails to connect,
and offer the user the option to automatically take one of the actions
suggested at https://www.torproject.org/docs/faq#VidaliaPassword .
Any of these appraoches is IMO better than forcing the user to set their
own password. Most people, left to their own devices, choose bad
passwords and forget them.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2132#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list