On Feb 10, 2012, at 12:02 AM, Robert Ransom wrote:

> The sole exception to ‘non-safe cookie authentication must die’ is
> when a controller knows that it is connected to a server process with
> equal or greater access to the same filesystem it has access to. In
> practice, this means ‘only if you're completely sure that Tor is
> running in the same user account as the controller, and you're
> completely sure that you're connected to Tor’, and no controller is
> sure of either of those.

Why is it so hard to do this? Can't we tell controllers to do a check of permissions, and only if they can't be sure refuse to use the requested path by default unless a config whitelist or user prompt allows it? I think that's a lot easier to implement for controllers, and I just don't really see the huge threat here. If you have malicious system-wide software on your host, you lost anyway.
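
The permission check with a whitelist fallback proposed in this message could look like the following on a POSIX controller. This is an added example, not part of the original email and not code from Tor or any controller. The function name, the `whitelist` parameter and the regular-file and size checks are assumptions made for illustration; the 32-byte length is that of Tor's control-port cookie file.

```python
import os
import stat

COOKIE_LEN = 32  # length of Tor's control-port auth cookie file


def read_cookie_checked(path, whitelist=(), uid=None):
    """Read the cookie at `path` only if it passes the checks below.

    `whitelist` holds paths the user approved (config entry or prompt);
    for those, the ownership and mode checks are skipped.
    """
    uid = os.getuid() if uid is None else uid
    approved = os.path.abspath(path) in {os.path.abspath(p) for p in whitelist}
    # O_NOFOLLOW: refuse a symlink as the final path component.
    # O_NONBLOCK: do not hang if the path turns out to be a FIFO.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        # fstat the descriptor we will read from, so the file cannot be
        # swapped between the check and the read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_size != COOKIE_LEN:
            raise PermissionError("not cookie-sized")
        if not approved:
            if st.st_uid != uid:
                raise PermissionError("not owned by the controller's user")
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                raise PermissionError("accessible to group or others")
        return os.read(fd, COOKIE_LEN)
    finally:
        os.close(fd)
```

Every refusal surfaces as an `OSError` (or its subclass `PermissionError`), which is the point at which a controller would fall back to the config whitelist or a user prompt.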