[tbb-bugs] #18517 [Tor Browser]: meek is broken in Tor Browser 6.0a3

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Mar 19 23:46:22 UTC 2016


#18517: meek is broken in Tor Browser 6.0a3
-------------------------+--------------------------
 Reporter:  gk           |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  Very High    |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:  regression   |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:  None
-------------------------+--------------------------
Changes (by teor):

 * component:  Tor => Tor Browser
 * priority:  Medium => Very High
 * keywords:  must-fix-before-028-rc, regression => regression
 * version:  Tor: 0.2.8.1-alpha =>
 * milestone:  Tor: 0.2.8.x-final =>
 * owner:   => tbb-team


Comment:

 I think this is a Tor Browser issue and we should adopt dcf's workaround
 of changing the dummy IP addresses to publicly routable IP addresses.

 Tor is correctly checking for internal addresses and refusing to build
 circuits to them. This is a bugfix on #17674 and #8976. Tor can't make an
 exception for Tor Browser's sentinel addresses, without also allowing
 relays and hidden services to mistakenly connect to those addresses. This
 would open up the same attack vector we're trying to fix here.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18517#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list