Opened 10 years ago

Closed 10 years ago

Last modified 8 years ago

#1786 closed defect (fixed)

Log rend cookie safely

Reported by: Sebastian Owned by:
Priority: Medium Milestone:
Component: Core Tor/Tor Version:
Severity: Keywords: tor-relay
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


While looking through fluxe3's info logs, I found a descriptor cookie that isn't safelogged.

Please see branch safelog_rend for a proposed fix. Don't think this warrants a changes file, if people disagree I'll add one.

Child Tickets

Change History (8)

comment:1 Changed 10 years ago by Sebastian

Status: newneeds_review

comment:2 Changed 10 years ago by karsten

Rendezvous cookies aren't that sensitive. They are random values produced for a single hidden service connection. But there's nothing wrong in safelogging them, of course.

Should we safelog all occurrences of rendezvous cookies then, not just the unrecognized ones? See safelog_rend branch in my public repository.

comment:3 Changed 10 years ago by Sebastian

So my reasoning was that when one relay rejects them, they are re-used to connect to another relay, yes? Using that reasoning I safelogged them only in the error case.

comment:4 Changed 10 years ago by karsten

I don't understand your reasoning. Which relay would reject the rendezvous cookie and when? To which other relay would who connect in that case and send what? Why does that mean we should only use safelogging in the error case? What attack or information leakage do you have in mind?

comment:5 Changed 10 years ago by Sebastian

Looks like we just weren't very clear on the behavior in the spec. I have a patch to rend-spec that makes the behavior clearer. Then we don't need any safelogging changes. Branch rend-spec in my repo.

comment:6 Changed 10 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed


comment:7 Changed 8 years ago by nickm

Keywords: tor-relay added

comment:8 Changed 8 years ago by nickm

Component: Tor RelayTor
Note: See TracTickets for help on using tickets.