
Re: [tor-bugs] #23249 [Applications/Tor Browser]: Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using SOCKS v5" is enabled



#23249: Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using
SOCKS v5" is enabled
--------------------------------------+--------------------------
 Reporter:  lux+tor@…                 |          Owner:  tbb-team
     Type:  defect                    |         Status:  reopened
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by lux+tor@…):

 * status:  closed => reopened
 * resolution:  not a bug =>


Comment:

 == State Separation enforces anonymity ==
 I agree with your point: "State Separation" is definitely something
 necessary to favour anonymity. Effectively:

  * if Tor Browser and Some-Other-Browser share the same `hosts` file
  * if, for the sake of the argument, we suppose that a website is able to
 get that information through each of the two browsers

 then: the website might be able to use this information to narrow down the
 identity of the user.

 == The choice anonymity vs security should be left to the user ==
 However, the "State Separation" argument did not disprove mine: "''when
 such kind of a conflict exists [between anonymity and security], '''''the
 choice should be given to the user''''' to decide for himself''".

 To convince you, I have an analogy and two examples taken from the (very
 good!) page you linked.

 === Analogy ===
 Let's say two pieces of equipment are at a person's disposal:

  * a mask: to protect his anonymity
  * a helmet: to protect his security

 Let's suppose in some cases, the person can't wear both at once. In this
 case, the equipment supplier cannot determine which one the user should
 wear, because it depends on the situation. For instance, if the user
 explores some caves, he might rather have a helmet to protect his head
 from rocks.

 === Example 1: "Disk Avoidance" ===
 The "[https://www.torproject.org/projects/torbrowser/design/#disk-avoidance Disk Avoidance]"
 principle states (I quote):

   "''The browser MUST NOT write any information ![...] to the disk ![...]
 unless the user has explicitly opted to''"

 To rephrase, "Disk Avoidance" is a principle in favour of anonymity,
 however, '''if the user chooses''' not to (here it is for another quality,
 usability), '''you let him do''' so.

 === Example 2: "No filters" ===
 I like this example because the `hosts` file is __exactly__ a filter. The
 "[https://www.torproject.org/projects/torbrowser/design/#philosophy 5. No
 filters]" philosophy states (I quote):

   "''Site-specific or filter-based addons ![...] are to be avoided ![...]
 Users are free to install these addons if they wish, but doing so is not
 recommended, as it will alter the browser request fingerprint''"

 Once again, even if you don't recommend it, '''you still let the user
 choose security over anonymity''' when he thinks it's appropriate.

 == Conclusion ==
 A complete ban of the `hosts` file instead of adding a checkbox "''Use local
 hosts file (Not recommended)''", unchecked by default, goes against:

  1. which-might-be-wrong-but-still :-p common sense (analogy)
  1. consistency of Tor Browser's own policy (example 1 and 2)

 Consequently, the `hosts` file bypass is an ''unexpected behaviour'',
 therefore: '''''bug'''''.

 I consider this argument quite convincing, but if it still needs a little
 push, I recommend reading the W3C
 "[https://www.w3.org/TR/html-design-principles/#priority-of-constituencies Priority of Constituencies]"
 principle that any browser implementor should follow.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23249#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online