--- /dev/null
+ o Security Features:
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the contoller into
+ telling it the contents of an arbitrary 32-byte file. The new
+ "SAFECOOKIE" authentication method uses a challenge-response
+ approach to prevent this. Fixes bug 5185, implements proposal 193.
+
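Review bot: typo in the entry's fourth line, "contoller" should be "controller" ("could trick the contoller into"). The entry also explains what SAFECOOKIE prevents but does not say whether the old cookie method remains accepted or what controller authors need to do; since the stated risk is a controller being tricked by a local program posing as Tor, a closing sentence telling controllers to use SAFECOOKIE when it is offered would make the entry actionable.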