This ticket is part of sponsor F deliverable 7. Once we have a recommended approach for an external program that discovers bridge addresses and tells Tor about them, we need to write proposals and start implementing them. The "and start implementation as needed" part of the deliverable text is vague enough to let us focus on the design discussion and proposals. If there's time left to implement something, great, but if not, that's fine, too. We can still implement proposals between March and November 2012.
asn said he said nickm was concerned about non-controllers having control port access.
nickm: Is that true? If so, should we write a third proposal that describes a low-privilege control port mode? Perhaps one that can only use POSTMESSAGE?
The underlying assumption here being that low-priv controllers would POSTMESSAGE to Vidalia, who would then decide to approve or deny their requests, perhaps after asking for user input.
For posterity (and since nick might miss IRC scrollback):
19:18 < nickm> mikeperry: So, I wouldn't be totally opposed in all conceivable cases to having nonprivileged control port mode, but it makes me super-nervous.
19:19 < nickm> It's hard for me to reason about the security properties of the POSTMESSAGE thing, since it's kind of pushing the semantics of the operation out to controllers, and I don't know what security properties they would rely on
19:22 < nickm> mikeperry: I need to read your proposal and think about it. If you want to argue for an unprivileged option, I'd like to see a threat model for that in the proposal.
21:28 < mikeperry> nickm: maybe we're putting the cart before the horse. I am not saying we need a low-priv control port. I am just trying to minimize all the ports and IPC channels we are planning to create with all of this pluggable transport and bridge discovery stuff
21:29 < mikeperry> so it is a bit early for a threat model, I think
21:33 < mikeperry> the question to answer before that is "could we reduce the number of extra ports with a better control port protocol"
21:34 < mikeperry> if the answer is "no", or "not without a lot more work", then we can forget about the low-priv mode
21:35 < mikeperry> but if keeping everything in the control port is a more robust design, and/or less rickety, and/or less work, then maybe we should think about how we could do it