[tor-bugs] #20195 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 6 08:29:52 UTC 2016


#20195: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
-------------------------------------------------+-------------------------
 Reporter:  yawning                              |          Owner:  legind
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  HTTPS Everywhere/EFF-HTTPS           |        Version:
  Everywhere                                     |
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-linkability                      |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:11 yawning]:
 > Is there a ticket for "SSL Observatory makes at least one network
 > request on startup to check proxy settings, even if it's disabled"?  If
 > "Use the Observatory?" isn't checked, this request shouldn't be made at
 > all, but as it stands absolutely everyone (with working SSL-Observatory)
 > is hitting this bug.

 Not yet, but I guess a good solution for this one would solve that problem
 as well.

 So the following things could be done:

 If you want to check whether Tor is enabled, check for an existing
 Torbutton component. No request getting sent to `check.torproject.org` is
 necessary in this scenario. And if such a component is found, let Tor
 Browser handle the traffic (i.e. don't mess with proxy settings), as
 Torbutton alone should not be functional anymore (i.e. you can be sure the
 user has a Tor Browser).

 That would be sufficient for us. But what if you don't find an existing
 Torbutton component? Still, I think, there should not be any check if the
 SSL Observatory is disabled. Not sure, though, if you want to support
 Firefox users that have a tor running somewhere but are not using Tor
 Browser.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

