[tor-bugs] #27502 [Applications/Tor Browser]: Prioritize .onion hosts in AltSvc?

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jan 16 01:32:46 UTC 2020


#27502: Prioritize .onion hosts in AltSvc?
--------------------------------------+--------------------------------
 Reporter:  arthuredelstein           |          Owner:  sysrqb
     Type:  defect                    |         Status:  assigned
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam202001      |  Actual Points:
Parent ID:  #30024                    |         Points:
 Reviewer:                            |        Sponsor:  Sponsor27-must
--------------------------------------+--------------------------------

Comment (by sysrqb):

 To some extent it seems Cloudflare is accidentally exacerbating this
 breakage. On each onion service alternative service it seems they are
 advertising a different onion service.

 {{{
 2020-01-16 00:07:20.383705 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 perfectoid.space:443
 2020-01-16 00:07:22.297908 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443";
 ma=86400; persist=1
 2020-01-16 00:07:22.312586 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443
 2020-01-16 00:09:05.517688 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443";
 ma=86400; persist=1
 2020-01-16 00:09:05.537993 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443
 2020-01-16 00:10:32.763704 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443";
 ma=86400; persist=1
 2020-01-16 00:10:53.159927 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 perfectoid.space:443
 2020-01-16 00:10:54.882338 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion:443";
 ma=86400; persist=1
 2020-01-16 00:10:54.904940 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion:443
 2020-01-16 00:10:55.938627 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion:443";
 ma=86400; persist=1
 }}}

 I assume this is for load balancing purposes. However, because each new
 alt service must be validated before it is used, the browser is
 continuously chasing the next onion service and validating it. Sometimes
 the validation fails, for whatever reason.

 {{{
 2020-01-16 00:07:20.383705 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 perfectoid.space:443
 2020-01-16 00:07:22.297908 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443";
 ma=86400; persist=1
 2020-01-16 00:07:22.312586 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443
 2020-01-16 00:07:25.541287 UTC - [Parent 2414: Socket Thread]: D/nsHttp
 AltSvcTransaction dtor 0x7f50a89119d0 map 0x7f50a93e64a0 validated 1
 [https:perfectoid.space:443:P:^privateBrowsingId=1&firstPartyDomain=perfectoid.space]
 2020-01-16 00:09:05.517688 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443";
 ma=86400; persist=1
 2020-01-16 00:09:05.537993 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443
 2020-01-16 00:09:10.233862 UTC - [Parent 2414: Socket Thread]: D/nsHttp
 AltSvcTransaction dtor 0x7f50a95bed40 map 0x7f50a972d050 validated 1
 [https:perfectoid.space:443:P:^privateBrowsingId=1&firstPartyDomain=perfectoid.space]
 2020-01-16 00:10:32.763704 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443";
 ma=86400; persist=1
 2020-01-16 00:10:32.776046 UTC - [Parent 2414: Socket Thread]: D/nsHttp
 AltSvcTransaction dtor 0x7f50a94bda80 map 0x7f50a892f230 validated 0
 [https:perfectoid.space:443:P:^privateBrowsingId=1&firstPartyDomain=perfectoid.space]
 2020-01-16 00:10:53.159927 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 perfectoid.space:443
 2020-01-16 00:10:54.882338 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion:443";
 ma=86400; persist=1
 2020-01-16 00:10:54.904940 UTC - [Parent 2414: Socket Thread]:
 D/nsSocketTransport SOCKS 0 Host/Route override: perfectoid.space:443 ->
 cflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion:443
 2020-01-16 00:10:55.938627 UTC - [Parent 2414: Socket Thread]: V/nsHttp
 Http2Decompressor::OutputHeader alt-svc
 h2="cflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion:443";
 ma=86400; persist=1
 2020-01-16 00:10:57.336038 UTC - [Parent 2414: Socket Thread]: D/nsHttp
 AltSvcTransaction dtor 0x7f50a93bac90 map 0x7f50aa251e20 validated 1
 [https:perfectoid.space:443:P:^privateBrowsingId=1&firstPartyDomain=perfectoid.space]
 }}}

 {{{
 2020-01-16 00:07:20.342876 UTC - [Parent 2414: Main Thread]: D/nsHttp
 uri=https://perfectoid.space/test.php
 2020-01-16 00:07:20.342936 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a8877000 Using default connection info
 2020-01-16 00:07:22.330752 UTC - [Parent 2414: Main Thread]: D/nsHttp
 uri=https://perfectoid.space/favicon.ico
 2020-01-16 00:07:22.330811 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a9440000 Using default connection info
 2020-01-16 00:09:04.881885 UTC - [Parent 2414: Main Thread]: D/nsHttp
 uri=https://perfectoid.space/test.php
 2020-01-16 00:09:04.882120 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a9443000 Alt Service Mapping Found
 https://cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443
 [https:perfectoid.space:443:P:^privateBrowsingId=1&firstPartyDomain=perfectoid.space]
 2020-01-16 00:09:04.882144 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a9443000 Using connection info from altsvc mapping
 2020-01-16 00:09:05.558213 UTC - [Parent 2414: Main Thread]: D/nsHttp
 uri=https://perfectoid.space/favicon.ico
 2020-01-16 00:09:05.558259 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a94ee000 Alt Service Mapping Found
 https://cflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion:443
 [https:perfectoid.space:443:P:^privateBrowsingId=1&firstPartyDomain=perfectoid.space]
 2020-01-16 00:09:05.558266 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a94ee000 Using connection info from altsvc mapping
 2020-01-16 00:10:32.080806 UTC - [Parent 2414: Main Thread]: D/nsHttp
 uri=https://perfectoid.space/test.php
 2020-01-16 00:10:32.080862 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a896b000 Alt Service Mapping Found
 https://cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443
 [https:perfectoid.space:443:P:^privateBrowsingId=1&firstPartyDomain=perfectoid.space]
 2020-01-16 00:10:32.080867 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a896b000 Using connection info from altsvc mapping
 2020-01-16 00:10:32.787419 UTC - [Parent 2414: Main Thread]: D/nsHttp
 uri=https://perfectoid.space/favicon.ico
 2020-01-16 00:10:32.787463 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a95f4000 Alt Service Mapping Found
 https://cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion:443
 [https:perfectoid.space:443:P:^privateBrowsingId=1&firstPartyDomain=perfectoid.space]
 2020-01-16 00:10:32.787469 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a95f4000 Using connection info from altsvc mapping
 2020-01-16 00:10:53.149106 UTC - [Parent 2414: Main Thread]: D/nsHttp
 uri=https://perfectoid.space/test.php
 2020-01-16 00:10:53.149207 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a8929000 Using default connection info
 2020-01-16 00:10:54.938840 UTC - [Parent 2414: Main Thread]: D/nsHttp
 uri=https://perfectoid.space/favicon.ico
 2020-01-16 00:10:54.938894 UTC - [Parent 2414: Main Thread]: D/nsHttp
 nsHttpChannel 0x7f50a97e0000 Using default connection info
 }}}

 Firefox *should* continue using the previously validated alt service when
 the new address fails (as long as the previous alt svc hasn't expired).
 This seems to be a (or the) bug (see #30599).

 With regard to prioritizing .onion alt services, I'm leaning toward not -
 but we can discuss it with Mozilla as to whether they'd uplift it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27502#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
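
One way to quantify the pattern in the logs quoted in the comment above, added here as an example (not part of the original comment, and not Tor Browser or Firefox code): it counts how often the advertised alternative changes, which validations failed, and how many connections went back to the origin after an alternative had validated. The sample lines are constructed with placeholder hosts (`origin.example`, `alt-a.onion`, `alt-b.onion`), and pairing each `validated` result with the most recently advertised host is an assumption, since the `AltSvcTransaction dtor` line does not name the alternative.

```python
import re

ADVERT = re.compile(r'OutputHeader alt-svc \w+="([^"]+)"')
VALID = re.compile(r"AltSvcTransaction dtor \S+ map \S+ validated ([01])")
ROUTE = re.compile(r"Host/Route override: (\S+) -> (\S+)")

# Constructed sample (placeholder hosts); wrapped log lines are re-joined.
P = "2020-01-01 00:00:0{} UTC - [Parent 1: Socket Thread]: "
SAMPLE = "\n".join(P.format(i) + body for i, body in enumerate([
    "D/nsSocketTransport SOCKS 0 Host/Route override: origin.example:443 -> origin.example:443",
    'V/nsHttp Http2Decompressor::OutputHeader alt-svc h2="alt-a.onion:443"; ma=86400; persist=1',
    "D/nsSocketTransport SOCKS 0 Host/Route override: origin.example:443 -> alt-a.onion:443",
    "D/nsHttp AltSvcTransaction dtor 0x1 map 0x2 validated 1 [https:origin.example:443]",
    'V/nsHttp Http2Decompressor::OutputHeader alt-svc h2="alt-b.onion:443"; ma=86400; persist=1',
    "D/nsSocketTransport SOCKS 0 Host/Route override: origin.example:443 -> alt-b.onion:443",
    "D/nsHttp AltSvcTransaction dtor 0x3 map 0x4 validated 1 [https:origin.example:443]",
    'V/nsHttp Http2Decompressor::OutputHeader alt-svc h2="alt-a.onion:443"; ma=86400; persist=1',
    "D/nsHttp AltSvcTransaction dtor 0x5 map 0x6 validated 0 [https:origin.example:443]",
    "D/nsSocketTransport SOCKS 0 Host/Route override: origin.example:443 -> origin.example:443",
]))

def summarize(log_text):
    adverts, outcomes, direct_after_valid = [], [], 0
    for line in log_text.splitlines():
        if m := ADVERT.search(line):
            adverts.append(m.group(1))
        elif m := VALID.search(line):
            # Assumption: attribute the result to the most recently advertised host.
            outcomes.append((adverts[-1] if adverts else None, m.group(1) == "1"))
        elif (m := ROUTE.search(line)) and m.group(1) == m.group(2):
            # Routed to the origin itself although an alternative validated earlier.
            direct_after_valid += any(ok for _, ok in outcomes)
    seen_ok, regressions = set(), []
    for host, ok in outcomes:
        if ok:
            seen_ok.add(host)
        elif host in seen_ok:
            regressions.append(host)  # failed after having validated before
    return {
        "distinct": sorted(set(adverts)),
        "rotations": sum(a != b for a, b in zip(adverts, adverts[1:])),
        "failed": [h for h, ok in outcomes if not ok],
        "regressions": regressions,
        "direct_after_valid": direct_after_valid,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero `direct_after_valid` together with a non-empty `failed` list is the signature of the fallback-to-origin behaviour described in the comment.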

