[tbb-bugs] #19416 [Applications/Tor Browser]: OCSP requests are not isolated to the URL bar domain
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 17 20:51:40 UTC 2016
#19416: OCSP requests are not isolated to the URL bar domain
---------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-regression, tbb-linkability | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------------------+--------------------------
Comment (by arthuredelstein):
Replying to [ticket:19416 gk]:
> Not sure when this regressed but I can find log messages like
> {{{
> [06-15 09:22:41] Torbutton INFO: tor SOCKS isolation catchall:
http://clients1.google.com/ocsp via --unknown--:1
> }}}
> in my terminal. In fact it seems all OCSP requests are affected.
I'm not able to reproduce this. When 6.5a-1-hardened starts up, I see the
following in the Browser Console (filtering by the keyword "via"):
{{{
[06-17 20:29:40] Torbutton INFO: tor SOCKS isolation catchall:
https://check.torproject.org/?TorButton=true#0.5067764289917780.6071708598496006
via --unknown--:0
[06-17 20:29:40] Torbutton INFO: tor SOCKS isolation catchall:
https://www.torproject.org/dist/torbrowser/update_2/hardened/LitSOCKS
isolation catchall: http://ocsp.digicert.com/ via --unknown--:0
[06-17 20:29:41] Torbutton INFO: tor SOCKS isolation catchall:
http://ocsp.digicert.com/ via --unknown--:0
[06-17 20:29:41] Torbutton INFO: tor SOCKS isolation catchall:
http://ocsp.digicert.com/ via --unknown--:0
[06-17 20:29:42] Torbutton INFO: tor SOCKS isolation catchall:
https://aus1.torproject.org/torbrowser/update_2/hardened/Linux_x86_64-gcc3/6.5a1-hardened/ALL
via --unknown--:0
}}}
But these appear to be OCSP queries for connections that already have
unknown (chrome) first party.
After that, when I start connecting to websites, I see ocsp requests going
over first-party circuits as intended (filtering by keywords "via ocsp":
{{{
[06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via
torproject.org:0
[06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via
torproject.org:0
[06-17 20:48:43] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via
washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS:
http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS:
http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS:
http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS:
http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
[06-17 20:48:53] Torbutton INFO: tor SOCKS:
http://ocsp.int-x3.letsencrypt.org/ via eff.org:0
[06-17 20:49:08] Torbutton INFO: tor SOCKS:
http://ocsp.int-x3.letsencrypt.org/ via eff.org:0
[06-17 20:49:09] Torbutton INFO: tor SOCKS:
http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:49:11] Torbutton INFO: tor SOCKS:
http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:49:11] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via
washingtonpost.com:0
[06-17 20:49:11] Torbutton INFO: tor SOCKS:
http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:49:11] Torbutton INFO: tor SOCKS:
http://vassg142.ocsp.omniroot.com/ via washingtonpost.com:0
[06-17 20:49:13] Torbutton INFO: tor SOCKS: http://ocsp.usertrust.com/ via
gnu.org:0
[06-17 20:49:17] Torbutton INFO: tor SOCKS:
http://vassg142.ocsp.omniroot.com/ via washingtonpost.com:0
[06-17 20:49:22] Torbutton INFO: tor SOCKS: http://ocsp.godaddy.com/ via
washingtonpost.com:0
[06-17 20:49:28] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via
washingtonpost.com:0
[06-17 20:49:36] Torbutton INFO: tor SOCKS:
http://clients1.google.com/ocsp via washingtonpost.com:0
}}}
Are there specific websites that result in the OCSP going over the
catchall circuit? Or maybe there is something else I need to try?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19416#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list