Skip to content

Option to limit information Tor's control port discloses

Currently getinfo address spills the external IP address, which could jeopardize the user's anonymity in certain use cases.

Please add add an option to torrc (ControlLockdown or so) to leave such requests unanswered if activated.

Use cases:

  • One goal of a Transparent Proxy (Isolating Middlebox) or an Isolating Proxy is to strengthen proxy obedience. In essence the idea of is, that the operating system is not aware of it's own external IP address and can therefore not spill it, because Tor is running on a separate machine. At the moment such setups have the disadvantage, that they must forbid access to Tor's control port - because the control port could spill the IP. Users can therefore not use the "New identity" feature of TorButton and will in future be unable to use other improvements such as #3059 (moved) ("Adapt browser time based on tor's notion of clock skew...").
  • Building a Bridge Firewall is impossible because of lack of this lock down feature.

There may be other features similar to "getinfo address" in the Tor control protocol, which could be potentially harmful. I haven't looked yet. If this feature get's accepted (as in "we could imagine to add such an option"), we (and I of course as well) could look for other things in the control protocol, which are potentially harmful for anonymity.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information