From 98ae59700e37fc6040a1769d0eb8cd2605ca708a Mon Sep 17 00:00:00 2001 From: Sarah Jamie Lewis Date: Thu, 2 Jul 2020 11:46:05 -0700 Subject: [PATCH] update connectivity --- src/connectivity.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/src/connectivity.md b/src/connectivity.md index 640a327..54e1abe 100644 --- a/src/connectivity.md +++ b/src/connectivity.md @@ -10,7 +10,7 @@ package for managing the Tor daemon and setting up and tearing down onion ### Private Key Exposure to the Tor Process -**Status: Unmitigated** (Requires Physical Access or Privilege Escalation to +**Status: Partially Mitigated** (Requires Physical Access or Privilege Escalation to exploit) We must pass the private key of any onion service we wish to set up to the @@ -19,13 +19,14 @@ process). This is one of the most critical areas that is outside of our control. Any binding to a rouge tor process or binary will result in compromise of the Onion private key. -#### Potential Mitigations +### Mitigations -We should not attempt to bind to the system-provided Tor process as the default, -unless we have been provided with an authentication token. +Connectivity attempt to bind to the system-provided Tor process as the default, +*only* when it has been provided with an authentication token. -Otherwise we should always attempt to deploy our own Tor process using a known -good binary packaged with the syste (outside of the scope of the connectivity +Otherwise connectivity always attempts to deploy its own Tor process + using a known +good binary packaged with the system (outside of the scope of the connectivity package) In the long term we hope an integrated library will become available and allow @@ -50,8 +51,6 @@ the Tor process changes. However, if sufficiently-privileged users wish they can interfere with this mechanism, and as such the Tor process is a more brittle component interaction than others. - -These mechanisms need to be documented. ## Testing Status
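Review bot: In the first hunk (@@ -10,7 +10,7 @@), the status changes to "Partially Mitigated" but the parenthetical "(Requires Physical Access or Privilege Escalation to exploit)" and the paragraph after it are unchanged, so the section does not say which part of the exposure is mitigated and which part remains. Suggest stating the residual risk next to the status line: the text still says the private key of any onion service must be passed to the Tor process, and the mitigation described further down only constrains which Tor process connectivity binds to.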
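Review bot: In the second hunk (@@ -19,13 +19,14 @@), the added sentence "Connectivity attempt to bind to the system-provided Tor process as the default, *only* when it has been provided with an authentication token" is ambiguous on the security-relevant point: it can be read as "system Tor is the default" or as "system Tor is used only with a token". Suggest dropping "as the default" and writing "Connectivity attempts to bind to the system-provided Tor process *only* when it has been provided with an authentication token", which also fixes the verb agreement. Smaller points in the same hunk: the added line " using a known" starts with a space and breaks the sentence mid-phrase; changing the heading from "####" to "###" puts "Mitigations" at the same level as "Private Key Exposure to the Tor Process" instead of under it; and the unchanged context line still reads "rouge tor process" where "rogue" is meant.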
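Review bot: In the last hunk (@@ -50,8 +51,6 @@), the line "These mechanisms need to be documented." is removed, but none of the lines added in this patch document those mechanisms; the additions are limited to the status line and the Mitigations text. Suggest keeping the note until the mechanisms are described, or replacing it with a pointer to where they are documented, since the preceding context says sufficiently-privileged users can interfere with this mechanism.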