#20195: torbutton-torCheckService doesn't honor domain isolation.
 Reporter:  yawning                         |          Owner:
     Type:  defect                          |         Status:  reopened
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  tbb-torbutton, tbb-linkability  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:

Comment (by yawning):

 There is no log.  The only reason I caught this was because I was dumping
 the SOCKS request bodies with my sandbox code.

 What happens is, the internal check uses a connection to
 `check.torproject.org` to validate that tor is working.  That request does
 not send a SOCKS username/password for isolation.  If it were using domain
 isolation correctly, the catchall circuit (Username: `---unknown---`)
 would be used.

 The easiest way to reproduce this would probably be using a system tor
 instance and wireshark.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list

Reply via email to