[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #19416 [Applications/Tor Browser]: OCSP requests are not isolated to the URL bar domain



#19416: OCSP requests are not isolated to the URL bar domain
---------------------------------------------+--------------------------
 Reporter:  gk                               |          Owner:  tbb-team
     Type:  defect                           |         Status:  new
 Priority:  High                             |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Major                            |     Resolution:
 Keywords:  tbb-regression, tbb-linkability  |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+--------------------------

Comment (by arthuredelstein):

 Replying to [ticket:19416 gk]:
 > Not sure when this regressed but I can find log messages like
 > {{{
 > [06-15 09:22:41] Torbutton INFO: tor SOCKS isolation catchall:
 http://clients1.google.com/ocsp via --unknown--:1
 > }}}
 > in my terminal. In fact it seems all OCSP requests are affected.

 I'm not able to reproduce this. When 6.5a-1-hardened starts up, I see the
 following in the Browser Console (filtering by the keyword "via"):

 {{{
 [06-17 20:29:40] Torbutton INFO: tor SOCKS isolation catchall:
 https://check.torproject.org/?TorButton=true#0.5067764289917780.6071708598496006
 via --unknown--:0
 [06-17 20:29:40] Torbutton INFO: tor SOCKS isolation catchall:
 https://www.torproject.org/dist/torbrowser/update_2/hardened/LitSOCKS
 isolation catchall: http://ocsp.digicert.com/ via --unknown--:0
 [06-17 20:29:41] Torbutton INFO: tor SOCKS isolation catchall:
 http://ocsp.digicert.com/ via --unknown--:0
 [06-17 20:29:41] Torbutton INFO: tor SOCKS isolation catchall:
 http://ocsp.digicert.com/ via --unknown--:0
 [06-17 20:29:42] Torbutton INFO: tor SOCKS isolation catchall:
 https://aus1.torproject.org/torbrowser/update_2/hardened/Linux_x86_64-gcc3/6.5a1-hardened/ALL
 via --unknown--:0
 }}}
 But these appear to be OCSP queries for connections that already have
 unknown (chrome) first party.

 After that, when I start connecting to websites, I see ocsp requests going
 over first-party circuits as intended (filtering by keywords "via ocsp":

 {{{
 [06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via
 torproject.org:0
 [06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via
 torproject.org:0
 [06-17 20:48:43] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via
 washingtonpost.com:0
 [06-17 20:48:49] Torbutton INFO: tor SOCKS:
 http://clients1.google.com/ocsp via washingtonpost.com:0
 [06-17 20:48:49] Torbutton INFO: tor SOCKS:
 http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
 [06-17 20:48:49] Torbutton INFO: tor SOCKS:
 http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
 [06-17 20:48:49] Torbutton INFO: tor SOCKS:
 http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
 [06-17 20:48:53] Torbutton INFO: tor SOCKS:
 http://ocsp.int-x3.letsencrypt.org/ via eff.org:0
 [06-17 20:49:08] Torbutton INFO: tor SOCKS:
 http://ocsp.int-x3.letsencrypt.org/ via eff.org:0
 [06-17 20:49:09] Torbutton INFO: tor SOCKS:
 http://clients1.google.com/ocsp via washingtonpost.com:0
 [06-17 20:49:11] Torbutton INFO: tor SOCKS:
 http://clients1.google.com/ocsp via washingtonpost.com:0
 [06-17 20:49:11] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via
 washingtonpost.com:0
 [06-17 20:49:11] Torbutton INFO: tor SOCKS:
 http://clients1.google.com/ocsp via washingtonpost.com:0
 [06-17 20:49:11] Torbutton INFO: tor SOCKS:
 http://vassg142.ocsp.omniroot.com/ via washingtonpost.com:0
 [06-17 20:49:13] Torbutton INFO: tor SOCKS: http://ocsp.usertrust.com/ via
 gnu.org:0
 [06-17 20:49:17] Torbutton INFO: tor SOCKS:
 http://vassg142.ocsp.omniroot.com/ via washingtonpost.com:0
 [06-17 20:49:22] Torbutton INFO: tor SOCKS: http://ocsp.godaddy.com/ via
 washingtonpost.com:0
 [06-17 20:49:28] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via
 washingtonpost.com:0
 [06-17 20:49:36] Torbutton INFO: tor SOCKS:
 http://clients1.google.com/ocsp via washingtonpost.com:0
 }}}

 Are there specific websites that result in the OCSP going over the
 catchall circuit? Or maybe there is something else I need to try?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19416#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs