[tor-bugs] #25445 [Core Tor/Tor]: Opening site in Tor Browser redirects to FSB

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 7 19:51:53 UTC 2018 

#25445: Opening site in Tor Browser redirects to FSB
------------------------------+---------------------------
 Reporter:  timur.davletshin  |          Owner:  (none)
     Type:  defect            |         Status:  closed
 Priority:  Medium            |      Milestone:
Component:  Core Tor/Tor      |        Version:
 Severity:  Major             |     Resolution:  not a bug
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+---------------------------

Comment (by dcf):

 A guess: the web server has some kind of automated anti-abuse system, and
 when it decides that it doesn't want to serve a client, it serves a 302
 redirect instead of, say, a 403 Forbidden. The choice of FSB as a
 destination could be a kind of joke?

 It cannot be a Great Firewall–like TCP injection, because the connection
 is HTTPS (even with HSTS and HPKP). It has to be the remote server sending
 the redirect.

 comment:6 suggests the server is hacked—that's plausible if, say, there
 are 10 servers behind a load balancer and one of them is hacked. But that
 wouldn't explain why, in comment:7, non-Tor connections do not get the
 redirect. It seems more likely to me that it's some kind of attack
 detection, or something like that, on the server, and that Tor exits are
 more likely to be on the wrong side of the classification.

 Here is what the redirect response looks like (it's HTTP/2, so the header
 does not literally look like that, but it has the same meaning):
 {{{
 HTTP/2 302
 server: nginx
 date: Wed, 07 Mar 2018 19:38:45 GMT
 content-type: text/html
 location: http://fsb.ru//
 strict-transport-security: max-age=31536000; includeSubdomains; preload
 public-key-pins: pin-
 sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-
 sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-
 sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-
 sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-
 sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
 x-frame-options: SAMEORIGIN
 x-xss-protection: 1; mode=block

 <html>
 <head><title>302 Found</title></head>
 <body bgcolor="white">
 <center><h1>302 Found</h1></center>
 <hr><center>nginx</center>
 </body>
 </html>
 }}}

 I got this with `torsocks -i curl -D header https://psb4ukr.org | tee
 body`. As in comment:2, I had to try maybe about 10 times before getting
 the redirect rather than the actual web page.

 Interestingly, when I use wget rather than curl, I get the redirect every
 time. With `torsocks -i wget -S https://psb4ukr.org`:
 {{{
 Resolving psb4ukr.org (psb4ukr.org)... 158.69.100.131
 Connecting to psb4ukr.org (psb4ukr.org)|158.69.100.131|:443... connected.
 HTTP request sent, awaiting response...
   HTTP/1.1 302 Moved Temporarily
   Server: nginx
   Date: Wed, 07 Mar 2018 19:43:19 GMT
   Content-Type: text/html
   Transfer-Encoding: chunked
   Connection: keep-alive
   Location: http://fsb.ru//
   Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
   Public-Key-Pins: pin-
 sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-
 sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-
 sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-
 sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-
 sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
   X-Frame-Options: SAMEORIGIN
   X-XSS-Protection: 1; mode=block
 Location: http://fsb.ru// [following]
 }}}

 For comparison, here is what a non-redirected header looks like (notice
 the `server` is different):
 {{{
 HTTP/2 200
 date: Wed, 07 Mar 2018 19:34:56 GMT
 content-type: text/html; charset=UTF-8
 vary: Accept-Encoding
 vary: Accept-Encoding
 age: 16805
 server: NATO HPWS/3.0
 cache-control: piblic; max-age=900
 x-cache: HIT
 strict-transport-security: max-age=31536000; includeSubdomains; preload
 public-key-pins: pin-
 sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-
 sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-
 sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-
 sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-
 sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
 x-frame-options: SAMEORIGIN
 x-xss-protection: 1; mode=block

 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25445#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list