[tor-bugs] #15933 [Tor Browser]: Circuit Isolation in Tor Browser 4.5 breaks File Host sites (was: TorButton 1.9.2.2 breaks File Host sites)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 7 10:10:53 UTC 2015


#15933: Circuit Isolation in Tor Browser 4.5 breaks File Host sites
-------------------------+-------------------------------------------------
     Reporter:  maxim        |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-torbutton, tbb-usability-website, tbb-4.5-regression
Actual Points:               |  Parent ID:
       Points:               |
-------------------------+-------------------------------------------------

Comment (by gk):

 What is happening in this particular case is the following:

 1) User clicks on the download button which causes a POST request to be sent
 (POST http://ziifile.com/2jlqd5wbfdxm/dictionaries.7z.html) causing a 302.
 2) The Location header then has something like
 http://rebeka.ziifile.com/files/0/vszizsp06hfvlw/dictionaries.7z as value
 3) This causes a new request which goes over a different circuit as the
 FQDN is different.
 4) The file hoster gets a different IP address shown (with very high
 probability) which he can't associate with a former POST request which
 causes it to fail.

 This was no issue in 4.0.8 as we played the 10-minute-circuit game then.

 That reminds me of the Referer faking issues back then breaking sites not
 taking subdomains into account... What exactly would we lose if we take
 the URL bar base domain instead of the FQDN? I wonder if that would fix
 all cases at all (looking at
 https://blog.torproject.org/blog/tor-browser-45-released#comment-92912
 I doubt that).

 Another strategy which might work better (but is probably way harder to
 get right) is seeing this behavior as kind of a user-driven redirect which
 would boil down to #3600. Hrm...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15933#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
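
The download flow described in the comment above, as an added toy model that is not part of the ticket and is not Torbutton code: it compares keying circuits on the request FQDN with keying on the URL bar base domain. The two-label `baseDomain` shortcut, the `CircuitPool` class and the 203.0.113.x exit addresses are assumptions made for illustration.

```javascript
// Toy model of per-request circuit selection (illustration only).
// Assumption: base domain = last two labels; real browsers use the Public Suffix List.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Isolation key for a request under the two policies discussed in the comment.
function isolationKey(req, policy) {
  if (policy === "fqdn") return new URL(req.url).hostname;
  if (policy === "urlbar-base-domain") return baseDomain(new URL(req.urlBar).hostname);
  throw new Error("unknown policy: " + policy);
}

// Each distinct key gets its own circuit. Constructed exit addresses from the
// 203.0.113.0/24 documentation range stand in for Tor exits.
class CircuitPool {
  constructor() { this.byKey = new Map(); }
  circuitFor(key) {
    if (!this.byKey.has(key)) {
      const id = this.byKey.size + 1;
      this.byKey.set(key, { id, exitIp: "203.0.113." + id });
    }
    return this.byKey.get(key);
  }
}

// The page the user is on, and the two requests from the comment:
// the POST, then the GET for the 302 Location target.
const PAGE = "http://ziifile.com/2jlqd5wbfdxm/dictionaries.7z.html";
const FLOW = [
  { method: "POST", url: PAGE, urlBar: PAGE },
  { method: "GET", url: "http://rebeka.ziifile.com/files/0/vszizsp06hfvlw/dictionaries.7z", urlBar: PAGE },
];

// Returns the exit address the file host sees for each request and whether
// it could tie the GET to the earlier POST by source address.
function simulate(policy) {
  const pool = new CircuitPool();
  const exits = FLOW.map((req) => pool.circuitFor(isolationKey(req, policy)).exitIp);
  return { exits, sameExit: new Set(exits).size === 1 };
}

for (const policy of ["fqdn", "urlbar-base-domain"]) {
  console.log(policy, JSON.stringify(simulate(policy)));
}
```

The model only covers a redirect that stays within one base domain; it says nothing about the other breakage cases the comment refers to.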

