[tor-bugs] #7179 [EFF-HTTPS Everywhere]: The SSL Observatory feature leaks DNS requests without the TBB
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Oct 26 23:19:27 UTC 2012
#7179: The SSL Observatory feature leaks DNS requests without the TBB
----------------------------------+-----------------------------------------
Reporter: gk                      | Owner: pde
Type: defect                      | Status: new
Priority: critical                | Milestone:
Component: EFF-HTTPS Everywhere   | Version:
Keywords:                         | Parent:
Points:                           | Actualpoints:
----------------------------------+-----------------------------------------
Comment(by mikeperry):
A PAC approach sounds plausible (if you can actually create PAC rules from
addons), but I don't think the x-prefetch-control header/meta will work
for the cert submission case, as it's just a single AJAX call and that
header appears to be a response header...
Though note we have always wanted IP-based fetches to actually make use of
the observatory exit enclave for stream isolation, and this lack of
isolation is the main reason why we disable the observatory and its popup.
In TBB we should still be able to achieve this isolation by patching it so
that we can send a unique SOCKS username+password for the observatory
request (thus using the tor 0.2.3.x stream isolation support), but for
non-TBB tor users, they're sort of screwed without the enclave unless
*all* their other apps support isolation... As to if this is more serious
than fixing the DNS leak as quickly and cleanly as possible, I'm not sure.
Maybe it's not.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7179#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
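
The per-request SOCKS username+password idea from the comment above, shown at the wire level as an added example (not code from the ticket, HTTPS Everywhere or Tor). It builds the SOCKS5 messages from RFC 1928 and RFC 1929; the function names, the `observatory` label and `example.com` are assumptions made for illustration.

```javascript
// Added example: SOCKS5 messages carrying per-request credentials.
// All function names here are hypothetical.
const nodeCrypto = require("crypto");

// Fresh random password per request, used only as an isolation key:
// streams with different SOCKS credentials are kept on separate circuits.
function isolationCredentials(label) {
  return { username: label, password: nodeCrypto.randomBytes(16).toString("hex") };
}

// Offer only method 0x02 (username/password) so "no auth" cannot be chosen.
function buildGreeting() {
  return Buffer.from([0x05, 0x01, 0x02]);
}

// Fail closed: if 0x02 is not selected, no credentials are sent and the
// request would share state with other traffic on the same SOCKS port.
function checkMethodReply(reply) {
  if (reply.length !== 2 || reply[0] !== 0x05 || reply[1] !== 0x02) {
    throw new Error("proxy did not select username/password auth");
  }
  return true;
}

// RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD.
function buildAuth({ username, password }) {
  const u = Buffer.from(username, "utf8");
  const p = Buffer.from(password, "utf8");
  if (!u.length || u.length > 255 || !p.length || p.length > 255) {
    throw new RangeError("username and password must be 1..255 bytes");
  }
  return Buffer.concat([Buffer.from([0x01, u.length]), u, Buffer.from([p.length]), p]);
}

// CONNECT with ATYP=0x03 (domain name): the hostname is sent to the proxy,
// so the client performs no DNS lookup of its own.
function buildConnect(host, port) {
  const h = Buffer.from(host, "ascii");
  if (!h.length || h.length > 255) throw new RangeError("hostname must be 1..255 bytes");
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new RangeError("bad port");
  return Buffer.concat([Buffer.from([0x05, 0x01, 0x00, 0x03, h.length]), h,
                        Buffer.from([port >> 8, port & 0xff])]);
}
```
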