[tor-bugs] #21273 [Applications/Tor Launcher]: Proxy settings unnecessarily limit guard selection process

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 20 14:40:58 UTC 2017


#21273: Proxy settings unnecessarily limit guard selection process
-------------------------------------------+-------------------
     Reporter:  pastly                     |      Owner:  brade
         Type:  defect                     |     Status:  new
     Priority:  Medium                     |  Milestone:
    Component:  Applications/Tor Launcher  |    Version:
     Severity:  Normal                     |   Keywords:
Actual Points:                             |  Parent ID:
       Points:                             |   Reviewer:
      Sponsor:                             |
-------------------------------------------+-------------------
 My use case:

 I build an SSH socks5 proxy to a network less restrictive than the one I'm
 on. I tell Tor Browser to use that socks5 proxy. I leave "This computer
 goes through a firewall that only allows connections to certain ports"
 unchecked.

 The following lines are added to the torrc.

 {{{
     Socks5Proxy 127.0.0.1:2343
     ReachableAddresses *:80,*:443
     ReachableAddresses reject *:*
     ReachableAddresses reject *:*
 }}}

 The reachable address lines seem to be added due to
 https://trac.torproject.org/projects/tor/ticket/11405#comment:7

 (The duplicate ReachableAddresses reject line is a known issue ...
 somewhere. There's a ticket.)

 The issue:

 I can reach any port through this socks5 proxy. My guard selection is
 being artificially limited to guards that have an ORPort of 443.

 I suspect that ReachableAddresses should only be set to 80 and 443 if the
 proxy type is HTTP(S). Or not at all unless "This computer goes through a
 firewall that only allows connections to certain ports" is checked. In my
 very limited experience with proxies, it seems sane to assume only 80/443
 for HTTP(S) proxies, but it doesn't seem sane to assume 80/443 for a
 socks5 proxy.

 The following python script shows that right now about 42% of guards have
 the ORPort of 443 (or 80, but most are 443).

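 {{{
 from stem.control import Controller

 guards_443 = []  # Guard-flagged relays whose ORPort is 80 or 443
 guards_all = []  # every Guard-flagged relay in the consensus

 # 9151 is the control port of the tor instance started by Tor Browser
 with Controller.from_port(port = 9151) as c:
     c.authenticate()
     for stat in c.get_network_statuses():
         if 'Guard' in stat.flags:
             guards_all.append(stat)
             if stat.or_port == 80 or stat.or_port == 443:
                 guards_443.append(stat)

 # print() calls so the script also runs on Python 3
 print("Num 443 ORPort guards:", len(guards_443))
 print("Num guards:           ", len(guards_all))
 print("443/all:", len(guards_443)*1.0/len(guards_all))
 }}}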

 More interesting would be

 - what percent by weight am I limited to?
 - what is the geographical distribution of these guards?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21273>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
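
The ticket's open question "what percent by weight am I limited to?" can be approximated offline, as in this added example (not part of the original ticket or of Tor Launcher). It applies the ticket's ReachableAddresses lines to constructed consensus-style entries; the function names and sample relays are hypothetical, and the weight is the raw consensus `Bandwidth` value, which ignores the position weights tor applies during guard selection.

```python
# Added example: constructed consensus excerpt, not real relay data.
SAMPLE_CONSENSUS = """\
r relayA AAAA 2017-01-20 12:00:00 192.0.2.10 443 0
s Fast Guard Running Stable Valid
w Bandwidth=5000
r relayB BBBB 2017-01-20 12:00:00 192.0.2.11 9001 9030
s Fast Guard Running Stable Valid
w Bandwidth=20000
r relayC CCCC 2017-01-20 12:00:00 192.0.2.12 80 0
s Fast Guard Running Valid
w Bandwidth=1000
r relayD DDDD 2017-01-20 12:00:00 192.0.2.13 443 0
s Exit Fast Running Valid
w Bandwidth=50000
"""
TORRC_POLICY = ["*:80,*:443", "reject *:*"]  # ReachableAddresses values from the ticket

def parse_guards(text):
    """Return [(or_port, bandwidth)] for every entry carrying the Guard flag."""
    guards, port, flags = [], None, set()
    for line in text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "r":
            port, flags = int(rest.split()[-2]), set()  # ORPort is second-to-last
        elif kind == "s":
            flags = set(rest.split())
        elif kind == "w" and "Guard" in flags:
            bw = dict(kv.split("=") for kv in rest.split())
            guards.append((port, int(bw["Bandwidth"])))
    return guards

def port_allowed(port, policy_lines):
    """First matching rule wins; only '*:port' and '*:*' patterns are handled."""
    for line in policy_lines:
        action, _, rules = line.rpartition(" ")
        for rule in rules.split(","):
            rule_port = rule.rsplit(":", 1)[1]
            if rule_port in ("*", str(port)):
                return action != "reject"  # entries without a keyword mean accept
    return True  # nothing matched, so nothing restricts this port

def reachable_share(guards, policy_lines):
    """Return (fraction by count, fraction by consensus bandwidth)."""
    ok = [(p, bw) for p, bw in guards if port_allowed(p, policy_lines)]
    return (len(ok) / len(guards),
            sum(bw for _, bw in ok) / sum(bw for _, bw in guards))

if __name__ == "__main__":
    by_count, by_bw = reachable_share(parse_guards(SAMPLE_CONSENSUS), TORRC_POLICY)
    print("by count: %.2f  by bandwidth: %.2f" % (by_count, by_bw))
```

On the constructed sample, two of three guards stay reachable by count but under a quarter of the guard bandwidth does, which is why the count-based figure alone can understate the restriction.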