[tbb-bugs] #20623 [Applications/Tor Browser]: TBB 6.0.5 DomainIsolator does not generate unique nonce passwords for socksauth
    Tor Bug Tracker & Wiki 
    blackhole at torproject.org
       
    Thu Nov 10 16:52:45 UTC 2016
    
    
  
#20623: TBB 6.0.5 DomainIsolator does not generate unique nonce passwords for
socksauth
-------------------------------------------------+-------------------------
 Reporter:  entr0py                              |          Owner:  tbb-team
     Type:  defect                               |         Status:  reopened
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:  Tor: 0.2.8.9
 Severity:  Major                                |     Resolution:
 Keywords:  socksauth first-party base-url domain|  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Comment (by entr0py):
 @yawning Thanks for the clarification. Didn't realize that random
 passwords were an alpha-only feature. This came up because TBB 6.0.5 was
 re-using existing circuits after being closed and restarted (#20479) under
 system Tor - which I see was a motivation for #19206:
 > The SOCKS username/password isolation should include an instance
 > identifier such that each invocation of Tor Browser ends up using
 > different circuits (Currently, the isolation tags will get reused).
 @adrelanos IIUC, stable torbrowser has never used random passwords. It's
 always been 0 + increment per new circuit. Also, I failed to realize that
 a different password isn't needed after `NEWNYM` - by definition.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20623#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
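
Added example, not part of the original message and not Tor Browser's or tor's code: a toy Python model of why counter-only SOCKS passwords repeat across browser restarts when the tor process keeps running, and how a per-invocation identifier (the idea quoted from #19206) avoids that. The class names, the `instance:counter` password format and the "same credentials map to the same circuit" rule are simplifying assumptions.

```python
import secrets


class SystemTor:
    """Toy long-running tor: streams with identical SOCKS credentials share a circuit."""

    def __init__(self):
        self._circuits = {}  # (username, password) -> circuit id
        self._next_id = 1

    def circuit_for(self, username, password):
        key = (username, password)
        if key not in self._circuits:
            self._circuits[key] = self._next_id
            self._next_id += 1
        return self._circuits[key]


class CounterIsolator:
    """Scheme described in the comment: password is 0, incremented per new circuit."""

    def __init__(self):
        self._counter = {}  # first-party domain -> current counter

    def credentials(self, first_party):
        return first_party, str(self._counter.get(first_party, 0))

    def new_circuit(self, first_party):
        self._counter[first_party] = self._counter.get(first_party, 0) + 1


class NonceIsolator(CounterIsolator):
    """Same counter, prefixed with a random identifier chosen once per invocation."""

    def __init__(self):
        super().__init__()
        self._instance = secrets.token_hex(16)  # assumed format, 128 random bits

    def credentials(self, first_party):
        user, count = super().credentials(first_party)
        return user, f"{self._instance}:{count}"


def circuits_across_restart(isolator_cls, tor, first_party="example.com"):
    """Circuit ids seen by two successive browser invocations sharing one tor."""
    first = tor.circuit_for(*isolator_cls().credentials(first_party))
    second = tor.circuit_for(*isolator_cls().credentials(first_party))  # after restart
    return first, second
```

With `CounterIsolator` both invocations present `("example.com", "0")` and land on the same circuit; with `NonceIsolator` the credentials differ, so the second invocation gets a new one.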
    
    