Opened 10 years ago

Closed 9 years ago

#3064 closed defect (fixed)

Vidalia stores ControlPassword as plaintext

Reported by: tornewbie Owned by: chiiph
Priority: Medium Milestone:
Component: Archived/Vidalia Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

As in object , but I don't really know if this should be treated as a real bug or a feature

Child Tickets

Change History (13)

comment:1 Changed 10 years ago by chiiph

There's a lot of software that stores passwords in plain text. The idea is to set the file's permissions to be only readable by the owner, so that noone but the current user can read the file.

I don't see any other solution than save the password like this.

comment:2 in reply to:  1 Changed 10 years ago by rransom

Resolution: wontfix
Status: newclosed

Replying to chiiph:

There's a lot of software that stores passwords in plain text. The idea is to set the file's permissions to be only readable by the owner, so that noone but the current user can read the file.

I don't see any other solution than save the password like this.

You could obfuscate the password like Firefox does. That way, users can't tell that their vidalia.conf file is sensitive or recover their password from it if they need to, but attackers can still recover the password quite easily.

But given a choice between storing the password as plaintext and giving users a false sense of security, The Tor Project's choice is plaintext. Closing.

comment:3 Changed 10 years ago by arma

Resolution: wontfix
Status: closedreopened

It would be nice to have more of a solution here.

Right now it is safer to use your Tor with a random password, since that password never gets written to disk. And I bet most users don't realize that.

One answer might be to try to make it clearer to the user what security tradeoff he's making by setting a password -- e.g. some sort of "what are the security implications?" help box nearby.

comment:4 Changed 10 years ago by chiiph

How about add a label under the password setting saying:
"WARNING: If you hand pick the password it will be saved as plain text in Vidalia's configuration file. Using a random password or cookie auth is safer."

comment:5 in reply to:  4 Changed 10 years ago by arma

Replying to chiiph:

How about add a label under the password setting saying:
"WARNING: If you hand pick the password it will be saved as plain text in Vidalia's configuration file. Using a random password or cookie auth is safer."

Theorem: Using cookie auth is unsafe in exactly the same way as storing your password to disk is unsafe.

True/false?

comment:6 Changed 10 years ago by chiiph

True.

Rephrasing:
"WARNING: If you hand pick the password it will be saved as plain text in Vidalia's configuration file. Using a random password is safer."

comment:7 Changed 10 years ago by tornewbie

When tor starts and the ControlPort is set into torrc, it warns about setting a password.

Probably I am wrong but setting a random password could be a really bad idea just in case someone is using Vidalia to access his/her own remote relay : this could permit to others bad things like , for example, changing exit policy at runtime.

comment:8 Changed 10 years ago by tornewbie

Another thing on this :

I had Vidalia set to authenticate with a random password and after accessing once , exiting Vidalia without stopping tor and then restarting vidalia , it could not access to tor again probably because the new random password did not match the previous one.

I've experimented this a while ago , I don't know if it is still so.

comment:9 in reply to:  7 Changed 10 years ago by chiiph

Replying to tornewbie:

When tor starts and the ControlPort is set into torrc, it warns about setting a password.

Probably I am wrong but setting a random password could be a really bad idea just in case someone is using Vidalia to access his/her own remote relay : this could permit to others bad things like , for example, changing exit policy at runtime.

If you are using Vidalia to access a remote relay, then you shouldn't use a random password, since next time you'll try to access you won't be able to.
But other than that, I fail to see how setting a random password would make it change the exit policy.

comment:10 in reply to:  8 Changed 10 years ago by chiiph

Replying to tornewbie:

Another thing on this :

I had Vidalia set to authenticate with a random password and after accessing once , exiting Vidalia without stopping tor and then restarting vidalia , it could not access to tor again probably because the new random password did not match the previous one.

I've experimented this a while ago , I don't know if it is still so.

Yes, that's the idea: let Vidalia handle Tor completely, and like that it can use a random password without saving it anywhere. If you use Vidalia to attach to an already running Tor, then you need to use one of the other auth methods.

comment:11 in reply to:  7 Changed 10 years ago by arma

Replying to tornewbie:

When tor starts and the ControlPort is set into torrc, it warns about setting a password.

If you set controlport but don't set any authentication mechanism, you're using it insecurely.

Probably I am wrong but setting a random password could be a really bad idea just in case someone is using Vidalia to access his/her own remote relay : this could permit to others bad things like , for example, changing exit policy at runtime.

The ControlPort listens to 127.0.0.1 and we don't let you configure that. So if you're using Vidalia to control a remote relay, you would need to set up a stunnel or some other thing to make it work -- and in that case it's the remote connection that you should be focusing on securing.

comment:12 Changed 10 years ago by atagar

Shouldn't we be expecting the user to remember the password if they manually set it? Saving the password this way means that password auth == cookie auth which makes it pointless.

Cookie auth relies on file readability while a manual password should (imho) prompt the user and never store the password on disk unhashed.

On a side note, using a random password makes the control port unusable to other controllers. This isn't often an issue, but it does make random passwords a no-go in some use cases. For instance, when I use TBB I also attach arm so I edit the MaxCircuitDirtiness attribute and keep a closer eye on my circuits.

Cheers! -Damian

comment:13 Changed 9 years ago by chiiph

Resolution: fixed
Status: reopenedclosed

The fix for this is in my branch chiiph/bug3064_passphrase and has been merged to alpha. It'll go out with 0.3.1-alpha.

Note: See TracTickets for help on using tickets.