[tbb-bugs] #13747 [Applications/Tor Browser]: Block non .onion content on .onion addresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jul 9 05:38:34 UTC 2017


#13747: Block non .onion content on .onion addresses
--------------------------------------+--------------------------
 Reporter:  legind                    |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 There was a paper relatively recently which showed that a very large chunk
 of hidden services (~20%) were referencing external resources on non-onion
 domains (like Google Analytics and jquery). I believe
 https://mascherari.press/onionscan-report-august-2016-revisiting-caronte-
 analytics-bitcoins-and-correlations/ describes it. Although a solution to
 this ticket won't mitigate the HS deanonymization issues, the onionscan
 results show conclusively that there are a significant number of hidden
 services which do, often accidentally, expose non-onion resources.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13747#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list