[tor-bugs] #20195 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation. (was: torbutton-torCheckService doesn't honor domain isolation.)

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 5 11:27:48 UTC 2016

#20195: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
 Reporter:  yawning                              |          Owner:  legind
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  HTTPS Everywhere/EFF-HTTPS           |        Version:
  Everywhere                                     |
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-linkability                      |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
Changes (by gk):

 * severity:  Normal => Major
 * cc: gk (added)
 * component:  Applications/Tor Browser => HTTPS Everywhere/EFF-HTTPS
 * priority:  Medium => High
 * owner:  tbb-team => legind
 * keywords:  tbb-torbutton, tbb-linkability => tbb-linkability


 Replying to [comment:9 yawning]:
 > Ah there.  Looks like the domain isolation code is getting called, but
 wireshark doesn't lie.
 > FWIW, I took the pcaps without my sandboxing stuff in play, and the
 behavior is consistent.
 > {{{
 > [09-22 08:31:02] Torbutton INFO: Component returned failure code:
 > [09-22 08:31:02] Torbutton INFO: tor SOCKS isolation catchall:
 via --unknown--:0
 > [09-22 08:31:02] Torbutton WARN: no SOCKS credentials found for current
 > }}}

 Alright, so here is what is going on. First, do you see the weird float
 number thing appended to the `#` in the `check.torproject.org` URL?
 Torbutton does not do such things. It turns out this is part if the HTTPS-
 Everywhere SSL Observatory code where it checks whether Tor is available
 and to use (e.g. for submissions). As a sidenode: one does see the issue
 in the Tor Browser log as well without pcaps. That request does not go
 over the catch-all circuit but rather is put on one without any
 username/password isolation at all.

 So, even if the request comes from HTTPS-Everywhere why is it not isolated
 like any other internal request? Looking at Necko logs shows that indeed
 things are wrong, already at the nsHTTPConnectionManager level:
 -957356288[7fd9e2dabb60]: nsHttpConnectionMgr::OnMsgSpeculativeConnect
 [ci=.S....check.torproject.org:443 (socks:[:]]
 Before and after the colon in the brackets should be the respective
 username and password.

 Looking closer at the SSL Observatory code shows it is bypassing our proxy
 filter respoonsible for domain isolation in case the CSRF nonce is found
 in the path:

     if (isSubmission || testingForTor) {
       if (aURI.path.search(this.csrf_nonce+"$") != -1) {

         this.log(INFO, "Got observatory url + nonce: "+aURI.spec);
         var proxy_settings = null;
         var proxy = null;

         // Send it through tor by creating an nsIProxy instance
         // for the torbutton proxy settings.
         try {
           proxy_settings = this.getProxySettings(testingForTor);
           proxy = this.pps.newProxyInfo(
             0xFFFFFFFF, null);
         } catch(e) {
           this.log(WARN, "Error specifying proxy for observatory: "+e);

         this.log(INFO, "Specifying proxy: "+proxy);

         // TODO: Use new identity or socks u/p to ensure we get a unique
         // tor circuit for this request
         return proxy;

 FWIW: the reason you thought this was fixed in the alpha was due to HTTPS-
 Everywhere 5.2.4 that was the latest version at that time. In that version
 SSL Observatory code was broken due to #19996. This got fixed in 5.2.5
 which makes this issue visible in the alphas again.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list