[tor-bugs] #10887 [Obfsproxy]: ScrambleSuit should make it easy for bridge admins to learn password

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 8 21:43:52 UTC 2014 

#10887: ScrambleSuit should make it easy for bridge admins to learn password
-------------------------+-------------------------------------------------
     Reporter:  phw      |      Owner:  phw
         Type:           |     Status:  needs_revision
  enhancement            |  Milestone:
     Priority:  normal   |    Version:
    Component:           |   Keywords:  scramblesuit, password, shared
  Obfsproxy              |  secret
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by yawning):

 Replying to [comment:11 asn]:
 > I fixed the above errors and another one (I caught `b32decode()`
 exceptions) and it can be found in `bug10887` in my repo.

 `ec61559` ACK.
 `aa3a99c` NACK for now. See discussion below.
 `9840bac` ACK the change.  Commit message should reflect what's being
 changed though.

 > Unfortunately, it still doesn't work perfectly:
 > {{{
 > # cat pt_state/scramblesuit/server_descriptor
 > Bridge scramblesuit 0.0.0.0:33647
 password=S5JY6IRCLLNEGTWBWZMYVIXHFWTITZBE
 > }}}
 > That's because the bindaddr that is passed from Tor is `0.0.0.0`
 (`IPADDR_ANY`):
 > {{{
 >  'config': {'ORPort': ('127.0.0.1', 42331),
 >             'allTransportsEnabled': False,
 >             'authCookieFile': None,
 >             'extendedORPort': None,
 >             'managedTransportVer': ['1'],
 >             'serverBindAddr': {'obfs3': ('0.0.0.0', 40674),
 >                                'scramblesuit': ('0.0.0.0', 33647)},
 >             'serverTransportOptions': None,
 >             'stateLocation': '/usr/local/var/lib/tor2/data/pt_state/',
 >             'transports': ['obfs3', 'scramblesuit']},
 > }}}
 >
 > However, I'm still tempted to merge this since it's the only way for
 people to get their automatically-generated passwords. However, maybe we
 should remove the whole Bridge line and just leave the password bit, so
 that we don't give users the illusion that that bridge line would actually
 work.

 I would rather see the bridge line changed to only contain the password
 before merging (the generated bridge line also neglects to include a
 bridge fingerprint since the information is unavailable to the PT
 currently).  Only including a password line is better than having a bridge
 line that is wrong and incomplete.

 > Also, on my way to fixing the above, I set the default state directory
 in external mode to be the current working directory. Is this a very bad
 idea that will open us to race conditions/symlink attacks etc.? Probably
 better than setting it to `/tmp/`.

 It's better than `/tmp` but not by much.  I would rather standalone
 servers failed to start without a user provided state directory, mostly so
 it doesn't put it's state in surpising locations when invoked from
 incorrect init scripts etc.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10887#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list