Opened 13 months ago

#26928 new defect

Taint untrusted link authentication keys

Reported by: teor
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We should taint untrusted link auth keys, and then downgrade connections using tainted keys to protocol warnings.

Link auth keys from the following sources are trusted:

  • hard-coded authorities
  • the consensus signed by hard-coded authorities

Link auth keys from the following sources are untrusted:

  • hardcoded fallback dirs, because relay keys change over time
  • our state file (if not confirmed in the consensus), because relay keys change over time
  • onion service descriptors, because they come from untrusted services
  • onion service introduce cells, because they come from untrusted clients

Split off #26924.
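
The tainting scheme described in this ticket, sketched as an added example (not code from the ticket or from Tor). All type and function names, the 32-byte key length, and the assumption that a failure on an untainted key logs at plain warning level are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Where a key was learned: the six sources listed in the ticket. */
typedef enum {
  SRC_AUTHORITY, SRC_CONSENSUS,                /* trusted */
  SRC_FALLBACK_DIR, SRC_STATE_FILE,            /* untrusted */
  SRC_ONION_DESCRIPTOR, SRC_INTRODUCE_CELL     /* untrusted */
} key_source_t;

typedef enum { SEV_WARN, SEV_PROTOCOL_WARN } severity_t; /* hypothetical names */

#define KEY_LEN 32 /* assumed key length for this sketch */
typedef struct { unsigned char key[KEY_LEN]; bool tainted; } link_key_t;

static bool source_is_trusted(key_source_t s) {
  return s == SRC_AUTHORITY || s == SRC_CONSENSUS;
}

/* Record a key when it is first learned; the taint follows the source. */
void link_key_init(link_key_t *k, const unsigned char *bytes, key_source_t s) {
  memcpy(k->key, bytes, KEY_LEN);
  k->tainted = !source_is_trusted(s);
}

/* A trusted source reporting the same key bytes clears the taint (the
 * "confirmed in the consensus" case). A different key changes nothing. */
void link_key_confirm(link_key_t *k, const unsigned char *bytes, key_source_t s) {
  if (source_is_trusted(s) && memcmp(k->key, bytes, KEY_LEN) == 0)
    k->tainted = false;
}

/* Severity for a link authentication failure on a connection using k. */
severity_t link_auth_failure_severity(const link_key_t *k) {
  return k->tainted ? SEV_PROTOCOL_WARN : SEV_WARN;
}

/* Learn a constructed key from `learned`, then see a consensus entry that
 * either matches it or lists a different key; return the resulting severity. */
severity_t severity_after(key_source_t learned, bool consensus_matches) {
  unsigned char a[KEY_LEN] = {1}, b[KEY_LEN] = {2}; /* constructed keys */
  link_key_t k;
  link_key_init(&k, a, learned);
  link_key_confirm(&k, consensus_matches ? a : b, SRC_CONSENSUS);
  return link_auth_failure_severity(&k);
}

int main(void) {
  printf("state file, unconfirmed: %d\n", severity_after(SRC_STATE_FILE, false));
  printf("state file, confirmed:   %d\n", severity_after(SRC_STATE_FILE, true));
  return 0;
}
```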
