[tor-bugs] #23249 [Applications/Tor Browser]: Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using SOCKS v5" is enabled
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Aug 18 16:40:16 UTC 2017
#23249: Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using SOCKS v5" is enabled
--------------------------------------+--------------------------
Reporter: lux+tor@… | Owner: tbb-team
Type: defect | Status: reopened
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by lux+tor@…):
* status: closed => reopened
* resolution: not a bug =>
Comment:
== State Separation enforces anonymity ==
I agree with your point: "State Separation" is definitely something
necessary to favour anonymity. Effectively:
* if Tor Browser and Some-Other-Browser share a same `hosts` file
* if, for the sake of the argument, we suppose that a website is able to
get that information through each of the two browsers
then: the website might be able to use this information to narrow down the
identity of the user.
== The choice anonymity vs security should be left to the user ==
However, the "State Separation" argument did not disprove mine: "''when
such kind of a conflict exists [between anonymity and security], '''''the
choice should be given to the user''''' to decide for himself''".
To convince you, I have an analogy and two examples taken from the (very
good!) page you linked.
=== Analogy ===
Let's say two pieces of equipment are at a person's disposal:
* a mask: to protect his anonymity
* a helmet: to protect his security
Let's suppose in some cases, the person can't wear both at once. In this
case, the equipment supplier cannot determine which one the user should
wear, because it depends on the situation. For instance, if the user
explores some caves, he might rather have a helmet to protect his head
from rocks.
=== Example 1: "Disk Avoidance" ===
The "[https://www.torproject.org/projects/torbrowser/design/#disk-avoidance Disk Avoidance]" principle states (I quote):
"''The browser MUST NOT write any information [...] to the disk [...]
unless the user has explicitly opted to''"
To rephrase, "Disk Avoidance" is a principle in favour of anonymity,
however, '''if the user chooses''' not to (here it is for another quality,
usability), '''you let him do''' so.
=== Example 2: "No filters" ===
I like this example because the `hosts` file is __exactly__ a filter. The
"[https://www.torproject.org/projects/torbrowser/design/#philosophy 5. No filters]" philosophy states (I quote):
"''Site-specific or filter-based addons [...] are to be avoided [...]
Users are free to install these addons if they wish, but doing so is not
recommended, as it will alter the browser request fingerprint''"
Once again, even if you don't recommend it, '''you still let the user
choose security over anonymity''' when he thinks it's appropriate.
== Conclusion ==
A complete ban of the `hosts` file instead of adding a checkbox "''Use local
hosts file (Not recommended)''", unchecked by default, goes against:
1. which-might-be-wrong-but-still :-p common sense (analogy)
1. consistency of Tor Browser own policy (example 1 and 2)
Consequently, the `hosts` file bypass is an ''unexpected behaviour'',
therefore: '''''bug'''''.
I consider this argument quite convincing, but if it still needs a little
push, I recommend the reading of the W3C "[https://www.w3.org/TR/html-design-principles/#priority-of-constituencies Priority of Constituencies]"
principle that any browser implementor should follow.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23249#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
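As an added illustration (not part of the ticket, and not Tor Browser's or Tor's own code), the following Python models the mechanism behind the ticket title. With "Proxy DNS when using SOCKS v5" enabled, the browser puts the hostname itself into the SOCKS5 CONNECT request (address type 3 per RFC 1928) and leaves resolution to the proxy, so a local `hosts` entry never influences where the connection ends up; with local resolution the browser resolves first and sends only the resulting IP (address type 1), which is the only path on which a `hosts` entry can pin a name. The sample `hosts` file, the name `example.test` and the function names are constructed for this example; a real local resolver would fall through to DNS when the name is not in the file, which this model deliberately does not do.

```python
import ipaddress
import struct

# Constructed sample hosts file (not taken from the ticket or any real system).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# pin a site to a known address (constructed example entry)
192.0.2.10  example.test www.example.test
"""


def parse_hosts(text):
    """Parse hosts(5)-style text into {lowercased name: address}.

    Comments start with '#', fields are whitespace separated, and the first
    mapping seen for a name wins, mirroring how resolvers read the file.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def socks5_connect_request(host, port, hosts_table, proxy_dns):
    """Build a SOCKS5 CONNECT request for host:port.

    Returns (request_bytes, resolved_via) where resolved_via is 'proxy' when
    the hostname is handed to the SOCKS proxy unresolved (ATYP 0x03) and
    'hosts' when the local hosts table supplied the address (ATYP 0x01/0x04).
    """
    header = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if proxy_dns:
        # Remote DNS: the name travels verbatim; the hosts table is never read.
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        body = b"\x03" + bytes([len(name)]) + name
        via = "proxy"
    else:
        # Local resolution: only here can a hosts entry decide the destination.
        addr = hosts_table.get(host.lower())
        if addr is None:
            raise LookupError(f"{host} not in hosts table (model stops here)")
        ip = ipaddress.ip_address(addr)
        body = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
        via = "hosts"
    return header + body + struct.pack("!H", port), via


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for proxy_dns in (True, False):
        req, via = socks5_connect_request("example.test", 443, table, proxy_dns)
        print(f"proxy_dns={proxy_dns}: resolved via {via}, request={req.hex()}")
```

Comparing the two request byte strings makes the point of the ticket concrete: the remote-DNS request carries the literal name `example.test` and nothing the hosts file says can change it, while the locally resolved request carries `192.0.2.10` taken from the file.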