channeltls: Clarify a relay impersonation defence

Clarify the comments in channel_tls_matches_target_method(), and make
it clear that the attack is a covert attack.

diff --git a/src/core/or/channeltls.c b/src/core/or/channeltls.c
index 5cedd9fbca29a82d58c597d446a95e2c4d4c28c3..b424d02a5979adb2d7537b6078c22f9083be7d8c 100644 (file)
--- a/src/core/or/channeltls.c
+++ b/src/core/or/channeltls.c
@@ -739,10 +739,13 @@ channel_tls_matches_target_method(channel_t *chan,
    * base_.addr is updated by connection_or_init_conn_from_address()
    * to be the address in the descriptor. It may be tempting to
    * allow either address to be allowed, but if we did so, it would
-   * enable someone who steals a relay's keys to impersonate/MITM it
+   * enable someone who steals a relay's keys to covertly impersonate/MITM it
    * from anywhere on the Internet! (Because they could make long-lived
    * TLS connections from anywhere to all relays, and wait for them to
    * be used for extends).
+   *
+   * An adversary who has stolen a relay's keys could also post a fake relay
+   * descriptor, but that attack is easier to detect.
    */
   return tor_addr_eq(&(tlschan->conn->real_addr), target);
 }