[tor-bugs] #8117 [Tor]: Tor SOCKS handshake makes SOCKS circuit isolation non-functional for many apps

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jan 31 15:37:28 UTC 2013


#8117: Tor SOCKS handshake makes SOCKS circuit isolation non-functional for many
apps
----------------------------------+-----------------------------------------
 Reporter:  cypherpunks           |          Owner:                    
     Type:  defect                |         Status:  needs_review      
 Priority:  major                 |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor                   |        Version:  Tor: 0.2.3.25     
 Keywords:  tor-client isolation  |         Parent:                    
   Points:                        |   Actualpoints:                    
----------------------------------+-----------------------------------------
Changes (by nickm):

  * keywords:  => tor-client isolation
  * status:  new => needs_review


Comment:

 Agreed wrt priority and backportability.

 It looks easy enough to fix at first glance: answer "username/password" if
 the client offers it; otherwise answer "no auth".  I'm attaching a patch
 to do that.

 I'm a little worried that there could be a failure mode here where a
 user's application offers username/password authentication even though it
 doesn't know a username/password combination, and then responds to Tor's
 selecting username/password authentication by asking the user for a
 username and password.  If there are many apps like that, we'll need
 another fix here.

 This patch needs testing: first to ensure that username/password isolation
 is working with programs that behave like pidgin. And second, to make sure
 that the failure mode above doesn't occur when no username and password
 are configured.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8117#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
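
Added example, not part of the original message and not Tor's own code: a minimal C sketch of the method choice the comment describes (answer "username/password" if the client offers it, otherwise "no auth"), applied to a SOCKS5 greeting as laid out in RFC 1928. The function name, return codes and sample greeting are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Method codes from RFC 1928. */
#define SOCKS5_VERSION       0x05
#define SOCKS5_NO_AUTH       0x00
#define SOCKS5_USERPASS      0x02
#define SOCKS5_NO_ACCEPTABLE 0xFF

/* Hypothetical return codes for this example. */
#define GREETING_OK        0
#define GREETING_TRUNCATED 1   /* wait for more bytes */
#define GREETING_BAD      -1   /* not a SOCKS5 greeting */

/* Parse VER | NMETHODS | METHODS... and choose the reply method:
 * username/password if the client offers it, otherwise "no auth",
 * otherwise 0xFF (no acceptable methods). */
int socks5_choose_method(const uint8_t *buf, size_t len, uint8_t *method_out)
{
    int have_noauth = 0, have_userpass = 0;
    size_t i, nmethods;

    if (len < 2)
        return GREETING_TRUNCATED;
    if (buf[0] != SOCKS5_VERSION)
        return GREETING_BAD;
    nmethods = buf[1];
    if (len < 2 + nmethods)
        return GREETING_TRUNCATED;   /* never read past the received bytes */

    for (i = 0; i < nmethods; i++) {
        if (buf[2 + i] == SOCKS5_USERPASS) have_userpass = 1;
        else if (buf[2 + i] == SOCKS5_NO_AUTH) have_noauth = 1;
    }
    *method_out = have_userpass ? SOCKS5_USERPASS
                : have_noauth   ? SOCKS5_NO_AUTH
                                : SOCKS5_NO_ACCEPTABLE;
    return GREETING_OK;
}

int main(void)
{
    /* Constructed greeting: client offers both "no auth" and user/pass. */
    const uint8_t both[] = { 0x05, 0x02, 0x00, 0x02 };
    uint8_t method = 0;
    if (socks5_choose_method(both, sizeof both, &method) == GREETING_OK)
        printf("server reply: 05 %02x\n", method);
    return 0;
}
```

This covers only the method selection. The failure mode raised in the comment, a client that offers username/password without having credentials configured, is client-side behaviour that this function cannot detect.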

