Opened 3 years ago

Closed 18 months ago

#20104 closed defect (wontfix)

Tor2web should connect to HSDirs over a 3-hop path

Reported by: teor
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs, tor2web
Cc:
Actual Points:
Parent ID: #17945
Points: 1
Reviewer:
Sponsor:

Description

This avoids denial of service by HSDirs.

Change History (9)

comment:1 Changed 3 years ago by teor

Component: Core Tor/DocTor → Core Tor/Tor
Owner: atagar deleted
Status: new → assigned

comment:2 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:3 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:4 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:5 Changed 2 years ago by nickm

Status: assigned → new

Change the status of all assigned/accepted Tor tickets with owner="" to "new".

comment:6 Changed 2 years ago by teor

And it avoids HSDirs knowing the IP addresses of clients.

This is fixed for HSv3 in #22688.

comment:7 Changed 2 years ago by teor

Parent ID: #17945

comment:8 Changed 18 months ago by dgoulet

Status: new → needs_information

I'm personally very reluctant to touch the Tor2web code because I seriously don't want to encourage anyone running this, not now, not after, never.

And this is also basically touching code that is *never* tested on our side nor even packaged by distros. So even shipping Tor2web code in tor today is imo borderline reckless.

Regardless of my hate of Tor2web ;), I might prefer much more that HSDir defends against that with #24964 so we can avoid a DoS attack.

At least right now, clients fetching descriptor directly from HSDir are putting less load on the network.

Thoughts?

comment:9 Changed 18 months ago by teor

Resolution: wontfix
Status: needs_information → closed

Tor2web should be formally deprecated.
