[tor-bugs] #10963 [Tor bundles/installation]: Bypassing proxy settings?

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 20 09:11:50 UTC 2014


#10963: Bypassing proxy settings?
--------------------------------------+-----------------------
 Reporter:  cypherpunks               |          Owner:  erinn
     Type:  defect                    |         Status:  new
 Priority:  normal                    |      Milestone:
Component:  Tor bundles/installation  |        Version:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+-----------------------
 [https://blog.torproject.org/blog/tor-browser-3521-released#comment-47234
 Post] was posted to blog's comments:

 One TBB behaviour that continues to trouble me is that Firefox continues
 to try to connect to the internet. I use standard install on ubuntu with
 no add-ons (tor-browser-linux32-3.5.2.1_en-US.tar) and with js disabled in
 both NoScript and about:config.

 I see additional changes with each update that improve browser isolation
 by disabling / blocking more auto-connect threats like blacklist updates,
 rule-set updates, safebrowsing reporting...etc...etc...

 So with every new TBB release, I have renewed hope that Firefox will not
 go outside of the tor process with an internet connection attempt. Each
 release I allow tor to access the internet and firefox to access tor via
 127.0.0.1. Each release I am either immediately or later disappointed when
 Firefox attempts its own internet connection.

 My concerns...

 1) Why does TBB continue to be released with default settings that allow
 Firefox to automatically seek an internet connection? I can not imagine this
 not being noted in testing. What is trying to connect and what information
 is trying to be shared?

 2) How many people trust any connections from TBB and allow both tor and
 TBB Firefox connections to outside world? Why is this not a significant
 security flaw? Tor works fine when I block these Firefox external
 connection attempts. I run a minimal ubuntu box with standard Firefox
 gutted to the best of my ability. I have a process connection map running
 and see that the Firefox attempting to connect is from the TBB package.

 3) If this behaviour is known and accepted, how do we know that
 connections are not being made and information being sent to unknown
 locations by Firefox through tor? This is something that I would never
 catch even with my layers of application and port level firewalls...

 Sorry that I do not have Wireshark capabilities, but can not imagine that
 this behaviour is not seen on all installations.

 Thanks for your efforts.

 inside

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10963>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

