[tbb-bugs] #23249 [Applications/Tor Browser]: Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using SOCKS v5" is enabled
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 16 07:13:58 UTC 2017
#23249: Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using
SOCKS v5" is enabled
--------------------------------------+---------------------------
Reporter: lux+tor@… | Owner: tbb-team
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution: not a bug
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+---------------------------
Comment (by lux+tor@…):
== Fingerprint problem ==
I cannot understand how a website (`example1.org`) can know that another
website (`example2.org`) is not accessible from this same browser. If such
a thing is possible, it may be a real flaw in some protocol or software.
However, I am not an expert in fingerprints or network protocols ...
If, for the sake of the argument, I suppose such an ability is possible,
it means there is a '''conflict''' between '''security vs anonymity'''.
Increasing one means decreasing the other. It is quite bad :-(
However, when this kind of conflict exists (between two desirable
qualities), '''''the choice should be given to the user''''' to decide for
himself.
== In this particular case ==
The '''''right solution''''' should be a checkbox "''Use local hosts file
(may increase security at the cost of anonymity)''", set to "`false`" by
default.
The ''alternative solution'' would be to:
1. disable "''Proxy DNS when using SOCKS v5''"
1. install a firewall
1. configure the firewall to forward DNS requests into the tor service
opened by Tor Browser
It kind of defeats the purpose of (I quote) "'''''Tor Browser''' lets you
use Tor on Microsoft Windows, Apple MacOS, or GNU/Linux without
needing to install any software''".
== Conclusion ==
As you proposed, I am begging you to please reopen this ticket. I hope it
will get the attention it deserves from the dev team.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23249#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
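
The behaviour named in the ticket title, as an added example that is not part of the original comment or of Tor Browser's code: with DNS proxied, the SOCKS5 CONNECT request (RFC 1928) carries the hostname itself, so the local hosts file is never consulted. The hosts entries and helper names below are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample hosts file: the user blocks example2.org locally.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     example2.org   # constructed entry
"""

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])  # first entry wins
    return table

def socks5_connect(host, port, remote_dns, hosts):
    """Build the SOCKS5 CONNECT request a client would send to the proxy."""
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        # ATYP=3 (domain name): the name is handed to the proxy unresolved,
        # so the hosts table is never looked at.
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        # ATYP=1 (IPv4): the client resolves first, so a hosts entry applies.
        ip = hosts.get(host.lower())
        if ip is None:
            # Names not in hosts would go to the system resolver, outside
            # the proxy: the anonymity cost the comment refers to.
            raise LookupError("would query the system DNS resolver")
        addr = b"\x01" + ipaddress.IPv4Address(ip).packed
    return head + addr + struct.pack("!H", port)

def describe(request):
    """Decode DST.ADDR to show what the proxy actually receives."""
    if request[3] == 3:
        n = request[4]
        return "name", request[5:5 + n].decode("ascii")
    return "ipv4", str(ipaddress.IPv4Address(request[4:8]))

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for remote in (True, False):
        req = socks5_connect("example2.org", 443, remote, hosts)
        print("remote_dns=%s -> proxy sees %s" % (remote, describe(req)))
```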