[tor-bugs] #20195 [Applications/Tor Browser]: torbutton-torCheckService doesn't honor domain isolation.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Sep 22 07:41:52 UTC 2016
#20195: torbutton-torCheckService doesn't honor domain isolation.
--------------------------------------------+--------------------------
Reporter: yawning | Owner:
Type: defect | Status: reopened
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-torbutton, tbb-linkability | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------------+--------------------------
Comment (by yawning):
There is no log. The only reason I caught this was because I was dumping
the SOCKS request bodies with my sandbox code.
What happens is, the internal check uses a connection to
`check.torproject.org` to validate that tor is working. That request does
not send a SOCKS username/password for isolation. If it were using domain
isolation correctly, the catchall circuit (Username: `---unknown---`)
would be used.
The easiest way to reproduce this would probably be using a system tor
instance and wireshark.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list