Tor should verify signatures before parsing

Right now Tor parses both consensus documents and router descriptors before verifying their signature. This exposes us to all sorts of potential MITM tampering and code execution bugs, of which we have recently had several. Right now, an adversary who finds a parsing exploit needs only to sign up as a directory mirror, or MITM 0.2.0.x clients that are not using tunnelled directory connections.

Such an adversary can custom-craft payloads based on the fingerprint of the OS of the client that connects to them, and can also target specific clients for precision attacks.

If we verify signatures before parsing, the adversary loses their ability to target specific clients by OS or by IP, and can at best publish a malicious router descriptor signed by them to everyone. This leaves us with a clear audit trail of where the exploit came from, and a record of all such attempts in the descriptor archives. This would be a considerably better position to be in than we are now.

[Automatically added by flyspray2trac: Operating System: All]