[tor-bugs] #10682 [TorBrowserButton]: Disable update pings for Torbutton and Tor Launcher

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 8 20:33:39 UTC 2014


#10682: Disable update pings for Torbutton and Tor Launcher
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mikeperry
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:           |    Version:
  critical               |   Keywords:  tbb-security, extdev-interview,
    Component:           |  MikePerry201401R
  TorBrowserButton       |  Parent ID:
   Resolution:           |
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Replying to [comment:16 cypherpunks]:
 > >fix for #10419
 > Security hole.

 Can you explain how this fix is a security hole?

 > >ExtendAllowPrivateAddresses
 > no. ClientRejectInternalAddresses

 Sorry, pasted the server side option. But it is still blocked by the Tor
 client by default.

 > >The browser will no longer connect to directly to 127.0.0.1, nor will
 connections to 127.0.0.1 be sent to the exit node
 > It's all depends Tor not Torbrowser that has security hole with passing
 localhost over proxy.

 Fair enough, I guess if people want to extend Tor Browser to support other
 SOCKS proxies, I would not refuse patches that made that more secure or
 functional. But it is not a development priority at this point for us to
 do this.

 It also sounds like you are now asking for an additional patch that
 completely blocks 127.0.0.1 from the browser independent of upgrades?
 Should we also extend that patch to block all RFC1918 addresses from the
 browser, too? This definitely sounds like a separate ticket.

 > > ​https://127.0.0.1:0
 > TBB not get it like valid URL, passing it to search engine.

 There are banned ports that are hardcoded in Firefox, like 25. Should we
 use one of those instead?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10682#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list