[tbb-bugs] #24622 [Applications/Tor Browser]: Torcrazybutton can't decipher website s3.amazonaws.com

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 4 17:46:47 UTC 2019


#24622: Torcrazybutton can't decipher website s3.amazonaws.com
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-7.0-issues, tbb-regression,      |  Actual Points:
  tbb-linkability, GeorgKoppen201903,            |
  TorBrowserTeam201904                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by acat):

 Firefox computes the firstPartyDomain with
 `Services.eTLD.getBaseDomainFromHost('s3.amazonaws.com')`, and that one
 throws an error with top-level domains (like s3.amazonaws.com) as defined
 in mozilla public suffix list https://publicsuffix.org/list/. And I assume
 if there's an exception then it gets set to an empty string (unless it's
 about:*, etc.).

 Which means that all domains here will go to the same catch-all circuit:
 https://gitweb.torproject.org/tor-
 browser.git/tree/netwerk/dns/effective_tld_names.dat?h=tor-
 browser-60.6.1esr-8.0-1-build1. So urls like http://mycd.eu,
 http://s3.amazonaws.com/whatever, https://ownprovider.com/en/Main, ...,
 will go to the same catch-all circuit with the current firstPartyDomain
 implementation. The same happens with any random domain like
 http://foobarfoo. Also note the list in the repo is not up to date with
 https://publicsuffix.org/list/public_suffix_list.dat.

 Shouldn't firstPartyDomain be the first-level domain on those cases
 (instead of empty string), or am I missing some reason why this is not a
 good idea?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24622#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list