[tor-bugs] #20195 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 5 16:24:02 UTC 2016


#20195: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
-------------------------------------------------+-------------------------
 Reporter:  yawning                              |          Owner:  legind
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  HTTPS Everywhere/EFF-HTTPS           |        Version:
  Everywhere                                     |
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-linkability                      |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by yawning):

 Replying to [comment:10 gk]:
 > Alright, so here is what is going on. First, do you see the weird
 > floating point number thing appended to the `#` in the
 > `check.torproject.org` URL? Torbutton does not do such things. It turns
 > out this is part of the HTTPS-Everywhere SSL Observatory code where it
 > checks whether Tor is available and to use (e.g. for submissions). As a
 > side note: one does see the issue in the Tor Browser log as well without
 > pcaps. It is visible there that the request does not go over the catch-all
 > circuit but rather is put on one without any username/password isolation
 > at all.

 Nice catch.

 Is there a ticket for "SSL Observatory makes at least one network request
 on startup to check proxy settings, even if it's disabled"?  If "Use the
 Observatory?" isn't checked, this request shouldn't be made at all, but as
 it stands absolutely everyone (with working SSL-Observatory) is hitting
 this bug.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

