[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites
From: yan <yan@xxxxxxxxxxxxxx>
Date: Tue, 6 Oct 2015 22:57:26 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 06 Oct 2015 22:57:42 -0400
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:To:References:Subject:Reply-To; bh=7s06DhbJFXi/c7tbX27HKH58Xlad/Js323qDKrh1D+I=; b=nAIgstkTc+Jrb6DBesygUB/1NzGrDbDIhIpCGyyowdvlZMxMYDEyaTawDTY4cnFrEnMm5ELssBYeZ2nYddGGNQiSjD7d2JfGnEPIRlHOJgJw6k7mWF93KAVg+JJd1H6Y2gosO5TxaxAiLsnITJ8ASZgVHhMkHBcxlT15QEloIG0=;
In-reply-to: <CA+cU71mBXROp2rPORtzV5ACT-SAnrWSO0U-_rhRTMocw6tZMFQ@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <21C31982-E17D-49DB-8FC0-CDF6457CE290@xxxxxxxxx> <CA+cU71mBXROp2rPORtzV5ACT-SAnrWSO0U-_rhRTMocw6tZMFQ@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

Hey Tom and co,

I am the person who wrote the fix in a hurry 14 months ago (as astop-gap before FF38 with all its referer goodness was released). Gladit's finally being reviewed!


Here is the patch: https://github.com/diracdeltas/torbutton/pull/1/files
Here is the ticket: https://trac.torproject.org/projects/tor/ticket/9623

The patch only clears referer on cross-domain requests involving THS's.So referer will be preserved on http(s)://www.facebookcorewwwi.onion tohttp(s)://cdn.facebookcorewwwi.onion, for instance. Referer will NOT besent to http(s)://someotheronion.onion or http://google.com, for instance.

I agree HS owners can do this with CSP1.1 right now (or the old <meta>referrer tags, though i think that was reverted in Firefox?) but it'simportant enough to prevent leaks that I think the client should handle it.


Cheers,
Yan

On 10/6/15 9:57 PM, Tom Ritter wrote:

What's the fix in the works?  There is a specification being developed
to allow sites to opt to remove referers (or opt to let them leak
*more* information.) http://www.w3.org/TR/referrer-policy/

(If you're wondering why one would want to leak more information, it's
basically to promote HTTPS adoption. One of the things holding back
HTTPS adoption is the lack of Referer on a HTTPS->HTTP link, so by
removing that constraint, the originating origin can move to HTTPS.)

Firefox supports Referrer Policy as of 36:
https://blog.mozilla.org/security/2015/01/21/meta-referrer/ so
arguably HS owners have the ability to fix this themselves for users
on ESR38.

-tom


On 6 October 2015 at 18:15, Tim Wilson-Brown - teor <teor2345@xxxxxxxxx> wrote:

Hi All,

Currently thereâs an information leak in Tor Browser: it sends referrer
headers containing .onion site addresses when the user clicks on a link on
the .onion site.

Thereâs a fix in the works, but we were wondering:
Does anyoneâs hidden service depend on the referrer header?
The currently favoured fix is to stop sending referrers cross-origin
(between different .onion sites, and between .onion sites and sites on the
internet).

But this may break sites that are set up with multiple .onion addresses and
use referrers to check that requests are coming from the parent site.
(People sometimes set up different .onion sites to serve different types of
content, such as images.)

In general, I would discourage people from using referrers in this way,
because they arenât secure and can be faked.

But does anyone have a compelling use case for cross-origin referrers, or is
using them at the moment?
We could include a preference if removing them would break too many sites.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites
  - From: Conrad Kramer

References:
- [tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites
  - From: Tim Wilson-Brown - teor
- Re: [tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites
  - From: Tom Ritter

Prev by Author: Re: [tor-dev] [tor-talk] Desired exit node diversity
Next by Author: Re: [tor-dev] Hello, I am a Tor Browser user in China. Currently, many obfs4 bridges are blocked by China's firewall.
Previous by thread: Re: [tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites
Next by thread: Re: [tor-dev] #9623 [Tor Browser]: Referers being sent from hidden service websites
Index(es):
- Author
- Thread