[tor-bugs] #19218 [Applications/Tor Check]: check.torproject.org giving false positive

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 2 13:44:47 UTC 2016


#19218: check.torproject.org giving false positive
------------------------------------+--------------------------
 Reporter:  cypherpunks             |          Owner:  arlolra
     Type:  defect                  |         Status:  assigned
 Priority:  High                    |      Milestone:
Component:  Applications/Tor Check  |        Version:
 Severity:  Normal                  |     Resolution:
 Keywords:                          |  Actual Points:
Parent ID:                          |         Points:
 Reviewer:                          |        Sponsor:
------------------------------------+--------------------------

Comment (by cypherpunks):

 The bug here, in my opinion, is that Tor Browser doesn't give you a scary
 warning when you disable remote DNS. It does at least make the onion red
 or whatever, but an "are you sure" dialog box would be nice. Or maybe just
 remove the checkbox altogether (it is still in `about:config` for people
 who want to shoot themselves in the foot).

 And the question for OP is, why did you do that? :)

 > I now wonder whether remote DNS may be required to resolve .onion links,
 > but not to route over Tor in general; but if this is so, perhaps that is
 > what you should have replied plainly, rather than linking to that dense
 > thread which is only obliquely related.

 "Remote DNS" means Firefox uses the proxy (tor) to resolve names, instead
 of using your operating system's resolver. If you don't use remote DNS,
 all of your DNS names will leak. You won't be able to resolve .onion
 names, but non-onion names will still be resolved (without tor) and
 Firefox will still connect to them via Tor.

 At first I was thinking there isn't any good way for check.tp.o to know if
 you leaked a DNS request before arriving there, but thinking about it
 more... perhaps it could do something using a .onion address?

 Ultimately, though, if you've configured your browser to not use Tor (or
 to leak DNS while using Tor) and you have a local network adversary who
 wants to make you think you are using it when you go to
 check.torproject.org... I don't think there is anything
 check.torproject.org can do to stop them. Except maybe onions.

 Now I'm wondering what happens if you uncheck remote DNS and do a .onion
 lookup and get an answer... presumably you connect to it (via Tor)? That
 actually sounds quite terrible now that I think of it.

 >  As a side note, ISP redirects should be blocked by TorBrowser probably.

 I don't know how that could be possible generally, but, for onion links
 Tor Browser should absolutely never ever be sending DNS requests!

 If that actually happens presently, wow, pls fix kthx bye!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19218#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
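
The remote DNS distinction described in the comment above is visible in the SOCKS5 request the browser sends to tor: with remote DNS the request carries the hostname (address type 0x03 in RFC 1928), without it the request carries only an IP address that was resolved outside Tor. The following is an added example, not part of the ticket or of any Tor Project code; the function names and the sample requests (example.com, a TEST-NET-1 address, a placeholder onion name) are constructed for illustration.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 address types


def classify_socks5_request(req: bytes) -> dict:
    """Parse a SOCKS5 request and report which side resolved the name."""
    if len(req) < 5 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        # Remote DNS: the hostname itself travels to the proxy (tor).
        n = req[4]
        raw, rest = req[5:5 + n], req[5 + n:]
        if len(raw) != n:
            raise ValueError("truncated hostname")
        host, resolver = raw.decode("ascii", "replace").lower(), "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        # Only an address arrives, so the name (if there was one) was
        # resolved before the proxy saw it, outside of Tor.
        size = 4 if atyp == ATYP_IPV4 else 16
        raw, rest = req[4:4 + size], req[4 + size:]
        if len(raw) != size:
            raise ValueError("truncated address")
        host, resolver = str(ipaddress.ip_address(raw)), "client"
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad port field")
    (port,) = struct.unpack("!H", rest)
    return {"host": host, "port": port, "resolver": resolver,
            "onion": host.endswith(".onion")}


def socks5_connect(atyp: int, addr: bytes, port: int) -> bytes:
    """Build a CONNECT request (constructed sample input for this example)."""
    prefix = bytes([len(addr)]) if atyp == ATYP_DOMAIN else b""
    return b"\x05\x01\x00" + bytes([atyp]) + prefix + addr + struct.pack("!H", port)


# Constructed samples: example.com, a TEST-NET-1 address, a placeholder onion.
REMOTE = socks5_connect(ATYP_DOMAIN, b"example.com", 443)
LOCAL = socks5_connect(ATYP_IPV4, bytes([192, 0, 2, 10]), 443)
ONION = socks5_connect(ATYP_DOMAIN, b"placeholder.onion", 80)

if __name__ == "__main__":
    for name, req in (("remote", REMOTE), ("local", LOCAL), ("onion", ONION)):
        print(name, classify_socks5_request(req))
```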

