[tor-bugs] #20623 [Applications/Tor Browser]: TBB 6.0.5 DomainIsolator does not generate unique nonce paswords for socksauth

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 10 16:52:45 UTC 2016


#20623: TBB 6.0.5 DomainIsolator does not generate unique nonce paswords for
socksauth
-------------------------------------------------+-------------------------
 Reporter:  entr0py                              |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  reopened
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:  Tor:
                                                 |  0.2.8.9
 Severity:  Major                                |     Resolution:
 Keywords:  socksauth first-party base-url       |  Actual Points:
  domain                                         |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by entr0py):

 @yawning Thanks for the clarification. Didn't realize that random
 passwords were an alpha-only feature. This came up because TBB 6.0.5 was
 re-using existing circuits after being closed and restarted (#20479) under
 system Tor - which I see was a motivation for #19206:

 >The SOCKS username/password isolation should include a instance
 identifier such that each invocation of Tor Browser ends up using
 difference circuits (Currently, the isolation tags will get reused).

 @adrelanos IIUC, stable torbrowser has never used random passwords. It's
 always been 0 + increment per new circuit. Also, I failed to realize that
 a different password isn't needed after `NEWNYM` - by definition.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20623#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list