[tor-bugs] #5461 [TorBrowserButton]: Circuit reused after New Identity is selected

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Mar 23 23:39:19 UTC 2012 

#5461: Circuit reused after New Identity is selected
------------------------------+---------------------------------------------
 Reporter:  cypherpunks       |          Owner:  mikeperry
     Type:  defect            |         Status:  new      
 Priority:  normal            |      Milestone:           
Component:  TorBrowserButton  |        Version:           
 Keywords:                    |         Parent:           
   Points:                    |   Actualpoints:           
------------------------------+---------------------------------------------
 Not sure if this is a fault of Tor Browser or TorBrowserButton, it would
 seem that the latter is at fault, but it's a recent regression (it didn't
 occur in 2.2.35-7.1) and TorButton version didn't change, so I'm a little
 confused.

 Anyway here's the jist, one of the websites I visit (let's call it IP1)
 detects if certain Tor exit nodes are used and if the IP is blacklisted it
 redirects (server-side 302) to a specific URL in another domain (let's
 call it IP2). In the previous TBB, I just selected New Identity from Tor
 Button and if I was lucky to have a "clean" exit node IP in the new
 identity, there would be no redirect. In 2.2.35-8 however, I can try New
 Identity as many times as I want and it will keep redirecting if I had
 stumbled on a blacklisted exit node once. I have verified by looking at
 open circuits in Vidalia's Tor Network Map that this is not because the
 website has banned more Tor exit nodes. I noticed that after I press New
 Identity, the circuit for "IP1" remains open. Also, loading IP1 in the
 browser does NOT open a new connection to IP1, it automatically goes
 straight to IP2 in a new circuit. If I manually close the "stalled"
 circuit for IP1, I can finally access the website (if the new connection
 to IP1 comes from a circuit with a "clean" exit node).

 TorBrowserButton should ensure that ALL circuits are closed when New
 Identity is selected. Otherwise, a website can create unique redirects for
 every connection and identify users across TorButton identities.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5461>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list