[tor-bugs] #10682 [TorBrowserButton]: Disable update pings for Torbutton and Tor Launcher
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Feb 8 20:33:39 UTC 2014
#10682: Disable update pings for Torbutton and Tor Launcher
-------------------------+-------------------------------------------------
     Reporter:  mikeperry        |          Owner:  mikeperry
         Type:  defect           |         Status:  new
     Priority:  critical         |      Milestone:
    Component:  TorBrowserButton |        Version:
   Resolution:                   |       Keywords:  tbb-security, extdev-interview, MikePerry201401R
Actual Points:                   |      Parent ID:
       Points:                   |
-------------------------+-------------------------------------------------
Comment (by mikeperry):
Replying to [comment:16 cypherpunks]:
> >fix for #10419
> Security hole.
Can you explain how this fix is a security hole?
> >ExtendAllowPrivateAddresses
> no. ClientRejectInternalAddresses
Sorry, pasted the server side option. But it is still blocked by the Tor
client by default.
> >The browser will no longer connect directly to 127.0.0.1, nor will
> >connections to 127.0.0.1 be sent to the exit node
> It all depends on Tor; it's Tor, not Torbrowser, that has the security hole
> with passing localhost over the proxy.
Fair enough, I guess if people want to extend Tor Browser to support other
SOCKS proxies, I would not refuse patches that made that more secure or
functional. But it is not a development priority at this point for us to
do this.
It also sounds like you are now asking for an additional patch that
completely blocks 127.0.0.1 from the browser independent of upgrades?
Should we also extend that patch to block all RFC1918 addresses from the
browser, too? This definitely sounds like a separate ticket.
> > https://127.0.0.1:0
> TBB does not treat it as a valid URL, and passes it to the search engine.
There are banned ports that are hardcoded in Firefox, like 25. Should we
use one of those instead?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10682#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
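The comment above circles around a browser-side policy: never hand the SOCKS proxy a URL whose host is a literal loopback or RFC1918/link-local address, and never use a port that Firefox already bans (25 is the one named in the ticket). The following is an added example of such a check, written for this page; it is not Torbutton, Tor Launcher or Tor code. The subset of banned ports, the localhost-name rule, the function names and the http/https-only scheme rule are this example's own assumptions (Firefox's real banned list is longer and lives in its source). Legacy IPv4 spellings such as `127.1`, `0x7f.1` and `2130706433` are parsed locally because browsers accept them while Python's `ipaddress` module does not, so a check that relies on `ip_address()` alone would let them through.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of ports Firefox refuses by default (25 is named in the
# ticket). The authoritative list is in Firefox's source and is longer.
BANNED_PORTS = {21, 22, 23, 25, 110, 143, 465, 993}

# Address ranges the browser should never try to reach via the proxy:
# loopback, "this host", RFC1918, link-local, and their IPv6 counterparts.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


def parse_legacy_ipv4(host):
    """Parse the shorthand/hex/octal IPv4 forms browsers accept (WHATWG URL
    IPv4 parser semantics): '127.1', '0x7f.1', '0177.0.0.1', '2130706433'.
    Returns an IPv4Address or None if the host is not such a literal."""
    parts = host.split(".")
    if parts and parts[-1] == "":          # tolerate a trailing dot
        parts.pop()
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not p or any(c not in "0123456789abcdefABCDEFxX" for c in p):
            return None
        try:
            if p[:2].lower() == "0x":
                n = int(p[2:], 16) if len(p) > 2 else 0
            elif len(p) > 1 and p[0] == "0":
                n = int(p, 8)
            else:
                n = int(p, 10)
        except ValueError:
            return None
        nums.append(n)
    if any(n > 255 for n in nums[:-1]):
        return None
    if nums[-1] >= 256 ** (5 - len(nums)):  # last part fills the remaining bytes
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def classify_host(host):
    """Classify a URL host as 'literal-internal', 'literal-external' or 'name'
    WITHOUT resolving it: DNS must stay with the SOCKS proxy, so names are
    left for the proxy side (Tor's ClientRejectInternalAddresses) to judge."""
    try:
        addr = ipaddress.ip_address(host)      # urlsplit already strips [ ]
    except ValueError:
        addr = parse_legacy_ipv4(host)
        if addr is None:
            return "name"
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "literal-internal"
    return "literal-external"


def check_url(url):
    """Return ('allow', kind) or ('block', reason) for a navigation request.
    Policy (this example's assumption): only http/https, no banned ports,
    no internal address literals, and no 'localhost' names (RFC 6761)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return ("block", f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        return ("block", "no host")
    try:
        port = parts.port
    except ValueError:
        return ("block", "unparseable port")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port in BANNED_PORTS:
        return ("block", f"port {port} is banned")
    kind = classify_host(host)
    if kind == "literal-internal":
        return ("block", f"internal address literal {host}")
    if host == "localhost" or host.endswith(".localhost"):
        return ("block", "localhost name")
    return ("allow", kind)


if __name__ == "__main__":
    for u in ("https://127.0.0.1:0", "http://2130706433/", "http://[::ffff:10.0.0.5]/",
              "http://example.com:25/", "http://localhost:8080/", "https://check.torproject.org/"):
        print(u, "->", check_url(u))
```

Note that the `https://127.0.0.1:0` URL from the ticket is rejected here because of the address, not the port; whether port 0 deserves its own rule is a separate question from the one the comment raises. Everything that is a hostname rather than a literal is allowed through on purpose: resolving it in the browser to find out whether it points at an internal address would itself leak DNS around the proxy.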