Re: [tor-bugs] #20195 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
#20195: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
-------------------------------------------------+-------------------------
Reporter: yawning | Owner: legind
Type: defect | Status: assigned
Priority: High | Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere | Version:
Severity: Major | Resolution:
Keywords: tbb-linkability | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by yawning):
Replying to [comment:10 gk]:
> Alright, so here is what is going on. First, do you see the weird
> floating point number thing appended to the `#` in the
> `check.torproject.org` URL? Torbutton does not do such things. It turns
> out this is part of the HTTPS-Everywhere SSL Observatory code where it
> checks whether Tor is available and to use (e.g. for submissions). As a
> side note: one does see the issue in the Tor Browser log as well without
> pcaps. It is visible there that the request does not go over the catch-all
> circuit but rather is put on one without any username/password isolation
> at all.
Nice catch.
Is there a ticket for "SSL Observatory makes at least one network request
on startup to check proxy settings, even if it's disabled"? If "Use the
Observatory?" isn't checked, this request shouldn't be made at all, but as
it stands absolutely everyone (with working SSL-Observatory) is hitting
this bug.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
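
An added example, not part of the ticket or of HTTPS Everywhere's code: one way to spot, from captured client-to-proxy bytes, a stream opened "without any username/password isolation". It assumes standard SOCKS5 framing (RFC 1928/1929) and that tor separates streams by the SOCKS username/password they present; the function names and sample byte streams are constructed for illustration.

```python
USERPASS = 0x02  # RFC 1928 method id for username/password auth

def socks5_isolation_key(client_bytes):
    """Return the (username, password) a client sent to the SOCKS5 proxy,
    or None when the stream was opened without authenticating."""
    if len(client_bytes) < 2 or client_bytes[0] != 0x05:
        raise ValueError("not a SOCKS5 client greeting")
    nmethods = client_bytes[1]
    methods = client_bytes[2:2 + nmethods]
    rest = client_bytes[2 + nmethods:]
    if len(methods) != nmethods:
        raise ValueError("truncated greeting")
    # After the greeting the client sends either an RFC 1929 auth message
    # (version byte 0x01) or goes straight to the request (version 0x05).
    if USERPASS not in methods or len(rest) < 2 or rest[0] != 0x01:
        return None
    ulen = rest[1]
    if len(rest) < 3 + ulen:
        raise ValueError("truncated auth message")
    plen = rest[2 + ulen]
    if len(rest) < 3 + ulen + plen:
        raise ValueError("truncated auth message")
    user = rest[2:2 + ulen]
    password = rest[3 + ulen:3 + ulen + plen]
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")

def unisolated(streams):
    """Names of streams that carry no SOCKS username/password at all."""
    return [name for name, data in streams.items()
            if socks5_isolation_key(data) is None]

def _connect(host, port):
    # SOCKS5 CONNECT request with a domain-name address (ATYP 0x03).
    h = host.encode()
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + port.to_bytes(2, "big")

def _auth(user, password):
    u, p = user.encode(), password.encode()
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p

# Constructed sample client-to-proxy byte streams (not captured traffic).
SAMPLE_STREAMS = {
    "page-load": b"\x05\x01\x02" + _auth("example.com", "0a1b")
                 + _connect("example.com", 443),
    "observatory-check": b"\x05\x01\x00" + _connect("check.torproject.org", 443),
}

if __name__ == "__main__":
    print(unisolated(SAMPLE_STREAMS))
```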