[tor-bugs] #20195 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 14 17:02:11 UTC 2016


#20195: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
-------------------------------------------------+-------------------------
 Reporter:  yawning                              |          Owner:  legind
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  HTTPS Everywhere/EFF-HTTPS           |        Version:
  Everywhere                                     |
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-linkability                      |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by legind):

 The suggestion in
 https://trac.torproject.org/projects/tor/ticket/20195#comment:13 has been
 implemented in https://github.com/EFForg/https-everywhere/pull/7342:

 > This resolves the issue in
 https://trac.torproject.org/projects/tor/ticket/20195 where the SSL
 Observatory proxy checking code and submissions were bypassing domain
 isolation. That code was a relic from the !TorButton days.
 >
 > Now, check.torproject.org is no longer accessed when we're using Tor
 Browser, we assume successful Tor access. In this case, we let TB
 transparently proxy for us, instead of accessing the Tor Browser proxy
 settings directly.

 This can be tested within HTTPS Everywhere by running:

 {{{
 test/tor-browser.sh PATH_TO_TOR_ARCHIVE
 }}}

 I'll close this once the fix is merged on our side.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list