[tbb-bugs] #32777 [Applications/Tor Browser]: Weird things happening in Tor Browser (some websites change Tor circuit paths rapidly)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Dec 17 05:55:10 UTC 2019
#32777: Weird things happening in Tor Browser (some websites change Tor circuit
paths rapidly)
--------------------------------------+----------------------------------
Reporter: Tor235 | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version: Tor: unspecified
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+----------------------------------
Comment (by cypherpunks):
Replying to [ticket:32777 Tor235]:
> While using Tor Browser recently, I've noticed that several websites
change their Tor circuit path many times in a matter of just a few seconds
(for no apparent reason).
>
> One of these websites is ipchicken.com (a website which shows one's
current IP address). When visiting ipchicken.com, the Tor circuit path
changes many times in a few seconds. At first, the "current IP address" on
ipchicken.com is a regular Tor exit node. But when the page is reloaded,
the "current IP address" becomes an odd IPv6 address.
1. since https://ipchicken.com/ does not contain any AAAA records, it is
not possible, it reports a ipv6 to you.
>Reloading the page a 2nd time shows a similar IPv6 address (with the same
starting digits, but different >ending digits). This is one of the IPv6
addresses it displayed:
>
> 2405:8100:8000:5ca1::27f:e187
this is a cloudflare ip
https://www.cloudflare.com/ips/
>
> I checked this IP address in the Tor ExoneraTor
(metrics.torproject.org/exonerator.html), and this IPv6 address does not
appear to be in the Tor database.
yes, because this is a cloudflare ip
2. ipchicken.com IS cloudflared.
> The 2nd IP-checking website said that the origin of the IPv6 address is
"CloudFlare Hong Kong".
>
correct, as the website is behind cloudflare.
> I tried accessing ipchicken.com and other IP-checking websites on a
different computer, and the same thing happened (weird IPv6 address
appeared).
yes, because the website does not check your browser used ip but from
cloudflare.
> So multiple websites are, for no apparent reason, changing their Tor
circuit paths many times in just a few seconds, AND displaying strange
IPv6 address as the "current IP address". Other websites, such as
Wikipedia, are normal.
>
> Is this just a Tor Browser bug, or could it be some other kind of
problem?
not a Tor Browser bug. it is the website reporting the CDN ip that is
serving to you.
> Note that on websites in which the Tor circuit path changed many times
for no apparent reason, the entry node (guard node) generally stayed the
same.
Yes, the guard should stay always the same, even if the malicous website
forces you into 1000's new circuits. otherwise you could be deanomisized.
what you should care about is guard rotation attacks, not if it stays the
same.
> The Tor Browser used is version 9.0.2.
false positive.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32777#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list