[tor-bugs] #11384 [Tor bundles/installation]: TorBrowser connects over clearnet after activation of 'hidden' torbutton option

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 1 22:23:34 UTC 2014


#11384: TorBrowser connects over clearnet after activation of 'hidden' torbutton
option
--------------------------------------+-----------------------
 Reporter:  cypherpunks               |          Owner:  erinn
     Type:  defect                    |         Status:  new
 Priority:  normal                    |      Milestone:
Component:  Tor bundles/installation  |        Version:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+-----------------------
 Tested on Linux x86_64, latest TorBrowser version 3.53

 Steps to reproduce problem:
 1. Open TorBrowser and connect normally
 2. Click the Torbutton, this opens the drop down list containing "New
 Identity, Cookie Protections, ..."
 3. Press down key on keyboard once; this highlights 'New Identity'
 4. Press down key again and the highlighting disappears (highlighting
 hidden 'disable torbutton' option)
 5. Press enter

 This makes TB connect over the clearnet and reveal true IP address
 (checked using check.torproject.org, and yes it is my real IP). No warning
 or confirmation box appears and this could easily be done accidentally.
 This setting persists over New Identity and closing and reopening TB
 completely, and it is not obvious at all to the user how to switch Tor
 back on.

 This is particularly dangerous because opportunities to warn the user are
 missed:
 * The about:tor page remains green even after clicking New Identity
 (although it does switch to its "Something Went Wrong!" form after fully
 closing and reopening TB).
 * The 'Proxy Settings' page (Torbutton -> Preferences) is unchanged and
 indicates the browser is using Tor's recommended proxy settings
 * The 'Test Proxy' button on the Proxy Settings page confirms that
 the Tor proxy is working properly

 The '''only''' indicator to the user that they have been deanonymized is
 that the torbutton changes from green to red, which is easily missed.

 Furthermore, for people who do not allow TB access to the Tor ControlPort*
 this button is red anyway and there is '''no indication whatsoever''' that
 you are deanonymized.

 This hidden option needs to be properly disabled or (like me!) you could
 be deanonymized for days without knowing.


 *i.e. connecting TB to a separate Tor process / transparently routing TB
 traffic / using Tor router or Tor on a different [virtual] machine

 [Note to re-enable Tor proxy just repeat the steps above. Also the
 'Restore Defaults' button on the TorButton Preferences page appears to fix
 it too]

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11384>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

