#20022: Tor should deprecate insecure cookie auth
--------------------------+---------------------
Reporter: dkg | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+---------------------
Comment (by yawning):
For what it's worth `bulb` (the Go controller library) doesn't support
`COOKIE` at all, under the assumption that `"COOKIE" authentication
exists, but anything modern supports "SAFECOOKIE".`.
Any project that finds `SAFECOOKIE` hard to implement either should use
library code that does it for them or be the target of merciless mockery.
Somewhat orthogonal to this, the browser code's treatment of controller
auth in general could be improved (eg: #16017).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20022#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
