authorRoger Dingledine <arma@torproject.org>2012-02-17 14:02:25 -0500
committerRoger Dingledine <arma@torproject.org>2012-02-17 14:02:25 -0500
commit3a94530595cfb57bdb4e3401d29a8a4d0b638d01 (patch)
treecddd9f4fe0681428892f197086f93e16b89dd3fb /src/or/policies.c
parent1d36693570e5e2994a05b8860a4fceaf81be306a (diff)
document a cool attack that we evaluated
Diffstat (limited to 'src/or/policies.c')
-rw-r--r--src/or/policies.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/src/or/policies.c b/src/or/policies.c
index 0982b4b8c9..e5062cd6ec 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -1452,7 +1452,17 @@ compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port,
else
accept = ! policy->is_accept;
- /* ???? are these right? */
+ /* ???? are these right? -NM */
+ /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
+ * case here, because it would cause clients to believe that the node
+ * allows exit enclaving. Trying it anyway would open up a cool attack
+ * where the node refuses due to exitpolicy, the client reacts in
+ * surprise by rewriting the node's exitpolicy to reject *:*, and then
+ * a bad guy targets users by causing them to attempt such connections
+ * to 98% of the exits.
+ *
+ * Once microdescriptors can handle addresses in special cases (e.g. if
+ * we ever solve ticket 1774), we can provide certainty here. -RD */
if (accept)
return ADDR_POLICY_PROBABLY_ACCEPTED;
else
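Review bot: The retained `/* ???? are these right? -NM */` marker now sits directly above a comment that answers it for the accept branch only, so a reader cannot tell whether the question is still open or which return value it refers to. The reject-side return is outside the hunk (the function body continues past the trailing `else`), so I would narrow the marker to what is still unresolved, e.g. `/* XXXX accept case is explained below; is the reject-side return right? -NM */`. The new comment also establishes a security invariant, that this function must not return ADDR_POLICY_ACCEPTED for a short policy, which is currently recorded only mid-body. That invariant belongs in the function's header comment, which starts outside the hunk, and ideally in a unit test that fails if the accept branch's return value is ever changed. The "98% of the exits" figure would age better with a short note on where it comes from.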