[tor-bugs] #24622 [Applications/Tor Browser]: Torcrazybutton can't decipher website s3.amazonaws.com

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 4 18:05:40 UTC 2019 

#24622: Torcrazybutton can't decipher website s3.amazonaws.com
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-7.0-issues, tbb-regression,      |  Actual Points:
  tbb-linkability, GeorgKoppen201903,            |
  TorBrowserTeam201904                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:40 acat]:
 > Firefox computes the firstPartyDomain with
 `Services.eTLD.getBaseDomainFromHost('s3.amazonaws.com')`, and that one
 throws an error with top-level domains (like s3.amazonaws.com) as defined
 in mozilla public suffix list https://publicsuffix.org/list/. And I assume
 if there's an exception then it gets set to an empty string (unless it's
 about:*, etc.).
 >
 > Which means that all domains here will go to the same catch-all circuit:
 https://gitweb.torproject.org/tor-
 browser.git/tree/netwerk/dns/effective_tld_names.dat?h=tor-
 browser-60.6.1esr-8.0-1-build1. So urls like http://mycd.eu,
 http://s3.amazonaws.com/whatever, https://ownprovider.com/en/Main, ...,
 will go to the same catch-all circuit with the current firstPartyDomain
 implementation. The same happens with any random domain like
 http://foobarfoo. Also note the list in the repo is not up to date with
 https://publicsuffix.org/list/public_suffix_list.dat.
 >
 > Shouldn't firstPartyDomain be the first-level domain on those cases
 (instead of empty string), or am I missing some reason why this is not a
 good idea?
 >

 Interesting. My intuition goes with you here and I'd assume that's a bug.
 Could you file a bug at Mozilla's bug tracker blocking
 https://bugzilla.mozilla.org/show_bug.cgi?id=1299996? We could ask :ethan
 to help us finding someone at Mozilla who'd have an opinion about that.

 Meanwhile, feel free to work on a patch implementing your suggestion. We
 should take it for Tor Browser at least.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24622#comment:41>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list