Legacy / Trac / Issues #1299
Status: Closed (moved)
Created Mar 11, 2010 by Mike Perry (@mikeperry)

Tor should verify signatures before parsing

Right now Tor parses both consensus documents and router descriptors before verifying their signature. This exposes us to all sorts of potential MITM tampering and code execution bugs, of which we have recently had several. Right now, an adversary who finds a parsing exploit needs only to sign up as a directory mirror, or MITM 0.2.0.x clients that are not using tunnelled directory connections.

Such an adversary can custom-craft payloads based on the fingerprint of the OS of the client that connects to them, and can also target specific clients for precision attacks.

If we verify signatures before parsing, the adversary loses their ability to target specific clients by OS or by IP, and can at best publish a malicious router descriptor signed by them to everyone. This leaves us with a clear audit trail of where the exploit came from, and a record of all such attempts in the descriptor archives. This would be a considerably better position to be in than we are now.

[Automatically added by flyspray2trac: Operating System: All]
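The two orders of operations the issue contrasts, as an added example that is not part of the ticket and not Tor's code. It uses a toy document format and a toy textbook RSA-over-SHA-256 signature with a hard-coded key (not Tor's dir-spec format or its RSA-1024 / PKCS#1 / SHA-1 scheme), and a deliberately fragile parser whose ValueError stands in for a parsing bug reachable from attacker bytes. The descriptor lines, the signing key and the tampered payload are all constructed for the example.

```python
"""Parse-before-verify (the order the issue objects to) beside
verify-before-parse, on a toy signed document."""
import hashlib

# Toy RSA key built from two Mersenne primes. Constructed for this example;
# far too small for real use and unrelated to Tor's real signing scheme.
_P = 2**31 - 1
_Q = 2**61 - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python >= 3.8)


class SignatureError(Exception):
    pass


def _digest_int(body: bytes) -> int:
    # Hash, then reduce so the value fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N


def sign(body: bytes) -> bytes:
    """Directory side: append a 'signature <hex>' line covering 'body'."""
    s = pow(_digest_int(body), _D, N)
    return body + b"signature " + format(s, "x").encode() + b"\n"


def split_signature(doc: bytes):
    """Locate the trailing signature line by a byte search from the end.
    Nothing inside the body is interpreted here."""
    marker = b"\nsignature "
    idx = doc.rfind(marker)
    if idx < 0 or not doc.endswith(b"\n"):
        raise SignatureError("missing signature line")
    body = doc[: idx + 1]
    try:
        s = int(doc[idx + len(marker) : -1], 16)
    except ValueError:
        raise SignatureError("malformed signature line") from None
    return body, s


def verify(body: bytes, s: int) -> None:
    if not 0 < s < N or pow(s, E, N) != _digest_int(body):
        raise SignatureError("bad signature")


PARSER_INPUTS: list = []  # every body handed to the parser, for the demo


def parse_descriptor(body: bytes) -> dict:
    """Stand-in for the real parser. Its ValueError on unexpected input
    plays the role of a memory-safety bug reachable from attacker bytes."""
    PARSER_INPUTS.append(body)
    fields = {}
    for line in body.split(b"\n")[:-1]:
        key, value = line.split(b" ", 1)  # ValueError if no space at all
        fields[key.decode()] = value.decode()
    fields["bandwidth"] = int(fields.get("bandwidth", "0"))  # ValueError if tampered
    return fields


def load_parse_first(doc: bytes) -> dict:
    """The order the issue describes: attacker-controlled bytes reach the
    parser before anything has been authenticated."""
    body, s = split_signature(doc)
    fields = parse_descriptor(body)
    verify(body, s)
    return fields


def load_verify_first(doc: bytes) -> dict:
    """The order the issue asks for: unsigned or tampered bytes never
    reach the parser."""
    body, s = split_signature(doc)
    verify(body, s)
    return parse_descriptor(body)


def outcome(loader, doc: bytes):
    """(result, parser_ran) for one loader on one document."""
    PARSER_INPUTS.clear()
    try:
        loader(doc)
        result = "accepted"
    except SignatureError:
        result = "rejected"
    except ValueError:
        result = "parser crashed"
    return result, bool(PARSER_INPUTS)


# Constructed sample: one honest descriptor and the same one after a hostile
# mirror (or a MITM on an untunnelled directory fetch) edited a line.
GOOD_BODY = b"router alice 198.51.100.7 9001\nbandwidth 1000\n"
SIGNED = sign(GOOD_BODY)
TAMPERED = SIGNED.replace(b"bandwidth 1000\n", b"bandwidth 1000 $(payload)\n")

if __name__ == "__main__":
    for name, loader in (("parse first", load_parse_first),
                         ("verify first", load_verify_first)):
        print(name, "honest:", outcome(loader, SIGNED))
        print(name, "tampered:", outcome(loader, TAMPERED))
```

With the tampered document, the parse-first loader runs the fragile parser on bytes nobody has vouched for and crashes; the verify-first loader rejects the document without the parser ever seeing it. Locating the signature line is a bounded byte search rather than a parse, which is the only work the client has to do on unauthenticated input in the second order.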
