[tor-bugs] #29338 [Core Tor/Tor]: restore HiddenServiceAuthorizeClient in v3
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 5 13:36:07 UTC 2019
#29338: restore HiddenServiceAuthorizeClient in v3
------------------------------------------------+--------------------------
 Reporter:  Alan                                |      Owner:  (none)
     Type:  defect                              |     Status:  new
 Priority:  Medium                              |  Component:  Core Tor/Tor
  Version:  Tor: 0.3.5.7                        |   Severity:  Normal
 Keywords:  tor-hs, hs-auth, client-auth, hsv3  |  Actual Points:
Parent ID:                                      |     Points:
 Reviewer:                                      |    Sponsor:
------------------------------------------------+--------------------------
According to the manual, for v3 hidden services, if the contents of
<HiddenServiceDir>/authorized_clients/ cannot be loaded, then the Hidden
Service is enabled and is accessible to anyone with the onion address.

This is a security hole. It opens the possibility that the user intended
for the service to require authorization, but due to files being moved or
deleted or inaccessible or other file system problem, the hidden service
incorrectly becomes accessible to anyone.

Please restore the configuration option HiddenServiceAuthorizeClient for
v3 services. If it is set to "basic", then authentication should be
required for the service regardless of whether
<HiddenServiceDir>/authorized_clients/ can be read, or alternately, if the
authorized users cannot be read, tor should not start up or should not
enable the hidden service.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29338>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
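
An added example, not part of the ticket and not Tor Project code: an operator-side pre-start check that fails closed when <HiddenServiceDir>/authorized_clients/ cannot be loaded or holds no usable client entry, which is the condition the ticket describes. It assumes the v3 client file format "descriptor:x25519:<base32 public key>" in files ending in ".auth" (taken from the tor manual, not from this page); the function names and script name are hypothetical.

```python
import base64
import os
import sys


def valid_auth_line(text):
    """True for 'descriptor:x25519:<base32 of a 32-byte key>' (assumed format)."""
    parts = text.strip().split(":")
    if len(parts) != 3 or parts[:2] != ["descriptor", "x25519"]:
        return False
    key = parts[2].upper()
    try:
        # Restore the '=' padding that the unpadded base32 form omits.
        raw = base64.b32decode(key + "=" * (-len(key) % 8))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def count_authorized_clients(hs_dir):
    """Count valid *.auth files; raises OSError if anything is unreadable."""
    auth_dir = os.path.join(hs_dir, "authorized_clients")
    count = 0
    for name in sorted(os.listdir(auth_dir)):
        if not name.endswith(".auth"):
            continue
        with open(os.path.join(auth_dir, name), encoding="ascii") as fh:
            count += valid_auth_line(fh.read())
    return count


def check(hs_dir):
    """Fail closed: return (ok, reason); ok is False on any load problem."""
    try:
        n = count_authorized_clients(hs_dir)
    except (OSError, ValueError) as exc:  # missing dir, bad permissions, bad bytes
        return False, f"cannot load authorized_clients: {exc}"
    if n == 0:
        return False, "no valid .auth file; service would be open to anyone"
    return True, f"{n} authorized client(s)"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_hs_auth.py <HiddenServiceDir>")
    ok, reason = check(sys.argv[1])
    print(reason, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Run it as the same user tor runs as, before tor starts, and do not start tor on a non-zero exit; a check run as a different user can pass while tor itself cannot read the files.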