document a cool attack that we evaluated

This commit is contained in:
Roger Dingledine 2012-02-17 14:02:25 -05:00
parent 1d36693570
commit 3a94530595

View File

@ -1452,7 +1452,17 @@ compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port,
else else
accept = ! policy->is_accept; accept = ! policy->is_accept;
/* ???? are these right? */ /* ???? are these right? -NM */
/* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
* case here, because it would cause clients to believe that the node
* allows exit enclaving. Trying it anyway would open up a cool attack
* where the node refuses due to exitpolicy, the client reacts in
* surprise by rewriting the node's exitpolicy to reject *:*, and then
* a bad guy targets users by causing them to attempt such connections
* to 98% of the exits.
*
* Once microdescriptors can handle addresses in special cases (e.g. if
* we ever solve ticket 1774), we can provide certainty here. -RD */
if (accept) if (accept)
return ADDR_POLICY_PROBABLY_ACCEPTED; return ADDR_POLICY_PROBABLY_ACCEPTED;
else else