[tbb-bugs] #32777 [Applications/Tor Browser]: Weird things happening in Tor Browser (some websites change Tor circuit paths rapidly)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 17 05:55:10 UTC 2019


#32777: Weird things happening in Tor Browser (some websites change Tor circuit
paths rapidly)
--------------------------------------+----------------------------------
 Reporter:  Tor235                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:  Tor: unspecified
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+----------------------------------

Comment (by cypherpunks):

 Replying to [ticket:32777 Tor235]:
 > While using Tor Browser recently, I've noticed that several websites
 > change their Tor circuit path many times in a matter of just a few seconds
 > (for no apparent reason).
 >
 > One of these websites is ipchicken.com (a website which shows one's
 > current IP address). When visiting ipchicken.com, the Tor circuit path
 > changes many times in a few seconds. At first, the "current IP address" on
 > ipchicken.com is a regular Tor exit node. But when the page is reloaded,
 > the "current IP address" becomes an odd IPv6 address.

 1. since https://ipchicken.com/ does not contain any AAAA records, it is
 not possible, it reports an IPv6 to you.

 > Reloading the page a 2nd time shows a similar IPv6 address (with the same
 > starting digits, but different ending digits). This is one of the IPv6
 > addresses it displayed:
 >
 > 2405:8100:8000:5ca1::27f:e187

 this is a cloudflare ip
 https://www.cloudflare.com/ips/
 >
 > I checked this IP address in the Tor ExoneraTor
 > (metrics.torproject.org/exonerator.html), and this IPv6 address does not
 > appear to be in the Tor database.
 yes, because this is a cloudflare ip
 2. ipchicken.com IS cloudflared.

 > The 2nd IP-checking website said that the origin of the IPv6 address is
 > "CloudFlare Hong Kong".
 >
 correct, as the website is behind cloudflare.

 > I tried accessing ipchicken.com and other IP-checking websites on a
 > different computer, and the same thing happened (weird IPv6 address
 > appeared).

 yes, because the website does not check your browser used ip but from
 cloudflare.

 > So multiple websites are, for no apparent reason, changing their Tor
 > circuit paths many times in just a few seconds, AND displaying strange
 > IPv6 address as the "current IP address". Other websites, such as
 > Wikipedia, are normal.
 >
 > Is this just a Tor Browser bug, or could it be some other kind of
 > problem?
 not a Tor Browser bug. it is the website reporting the CDN ip that is
 serving to you.
 > Note that on websites in which the Tor circuit path changed many times
 > for no apparent reason, the entry node (guard node) generally stayed the
 > same.

 Yes, the guard should stay always the same, even if the malicious website
 forces you into 1000s of new circuits. otherwise you could be deanonymized.
 what you should care about is guard rotation attacks, not if it stays the
 same.

 > The Tor Browser used is version 9.0.2.
 false positive.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32777#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

