Opened 8 months ago

Closed 8 months ago

#29620 closed enhancement (duplicate)

bridge: Make tor sign the networkstatus-bridges document

Reported by: dgoulet
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: bridgedb, authority
Cc:
Actual Points:
Parent ID:
Points: 0.1
Reviewer:
Sponsor:

Description

Turns out that the networkstatus-bridges document, when dumped on disk on the Bridge Authority side, is not signed.

This means that when it is pushed to BridgeDB, the only trust anchor we have is the SSH key, thus making BridgeDB unable to verify that the received document was indeed signed by the authority.

For now, it is "OK" that we do that because the configured SSH key between the authority and BridgeDB has an IP address pinned to it, so an attacker would need to steal that key _and_ push descriptors from that IP, which is somehow already a lot.

Regardless, adding the signature is something quite cheap that tor can do which would allow BridgeDB an extra validation there instead of relying solely on the SSH tunnel.

Change History (2)

comment:1 Changed 8 months ago by sysrqb

(see #12254 for some more details and thought on this topic, too)

comment:2 Changed 8 months ago by dgoulet

Resolution: duplicate
Status: new → closed

Oh wow... total duplicate! Closing this one in favor of #12254. Good catch sysrqb!
