From 3a94530595cfb57bdb4e3401d29a8a4d0b638d01 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Fri, 17 Feb 2012 14:02:25 -0500 Subject: [PATCH] document a cool attack that we evaluated --- src/or/policies.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/or/policies.c b/src/or/policies.c index 0982b4b8c9..e5062cd6ec 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -1452,7 +1452,17 @@ compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port, else accept = ! policy->is_accept; - /* ???? are these right? */ + /* ???? are these right? -NM */ + /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept + * case here, because it would cause clients to believe that the node + * allows exit enclaving. Trying it anyway would open up a cool attack + * where the node refuses due to exitpolicy, the client reacts in + * surprise by rewriting the node's exitpolicy to reject *:*, and then + * a bad guy targets users by causing them to attempt such connections + * to 98% of the exits. + * + * Once microdescriptors can handle addresses in special cases (e.g. if + * we ever solve ticket 1774), we can provide certainty here. -RD */ if (accept) return ADDR_POLICY_PROBABLY_ACCEPTED; else