tor controlport wants authentication even if authentication is switched off
Nick Mathewson
nickm at freehaven.net
Wed Jan 7 19:45:28 UTC 2009
On Wed, Jan 07, 2009 at 07:03:03PM +0100, Sebastian Schmidt wrote:
[...]
> Why does TC tell me authentication is required even if it's switched
> off? Or is this the default reply if an unsupported command was
> given to it?
Even if authentication is turned off, the first command on the control
connection needs to be "AUTHENTICATE" (or "PROTOCOLINFO"). This is a
fix for a neat cross-protocol attack where the attacker tricks your
web browser into talking to the control port and generating a string
where most of the lines are ignored, up until the lines the attacker
actually generated.
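
The first-command rule described above, as an added example that is not part of the original message and is not Tor's code. It is a simplified model: the `handle_connection` function, the `gate_first_command` flag, the sample requests and the reduced command set are assumptions made for illustration, with reply strings modelled on the control protocol's `250`, `510` and `514` codes.

```python
# Simplified model of a line-based control connection; not Tor's implementation.
PRE_AUTH_ALLOWED = {"AUTHENTICATE", "PROTOCOLINFO"}  # first commands named above
KNOWN_COMMANDS = PRE_AUTH_ALLOWED | {"GETINFO"}  # small subset for the model

# Constructed sample: what a browser sends when a page posts a text/plain form
# to the control port (9051 is Tor's default ControlPort).
BROWSER_REQUEST = [
    "POST / HTTP/1.1",
    "Host: 127.0.0.1:9051",
    "Content-Type: text/plain",
    "",
    "x=",
    "GETINFO version",  # the line supplied by the hostile web page
]
# Constructed sample: a real controller with authentication switched off.
CONTROLLER_SESSION = ["AUTHENTICATE", "GETINFO version"]


def handle_connection(lines, gate_first_command):
    """Return (replies, executed_commands) for one connection.

    gate_first_command=False: unknown lines get an error, parsing continues.
    gate_first_command=True: anything other than AUTHENTICATE or PROTOCOLINFO
    before authentication gets an error and the connection is closed.
    """
    replies, executed = [], []
    authenticated = not gate_first_command
    for line in lines:
        words = line.split()
        if not words:
            continue  # blank line, e.g. the HTTP header/body separator
        keyword = words[0].upper()
        if not authenticated:
            if keyword not in PRE_AUTH_ALLOWED:
                replies.append("514 Authentication required.")
                break  # closed: later lines are never parsed
            # With authentication off, a bare AUTHENTICATE succeeds.
            authenticated = keyword == "AUTHENTICATE"
            replies.append("250 OK")  # real PROTOCOLINFO reply is multi-line
            continue
        if keyword not in KNOWN_COMMANDS:
            replies.append("510 Unrecognized command")
            continue
        executed.append(line)
        replies.append("250 OK")
    return replies, executed
```

Without the gate, the browser's HTTP lines are rejected one by one and the embedded command still runs; with it, the connection ends at `POST / HTTP/1.1`, while a controller that opens with `AUTHENTICATE` is unaffected.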