[tor-bugs] #11722 [TorBrowserButton]: Add a Torbutton pref to disable local tor check

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun May 4 17:01:07 UTC 2014 

#11722: Add a Torbutton pref to disable local tor check
----------------------------------------------+---------------------------
 Reporter:  scissors                          |          Owner:  mikeperry
     Type:  enhancement                       |         Status:  new
 Priority:  normal                            |      Milestone:
Component:  TorBrowserButton                  |        Version:
 Keywords:  MikePerry201405R,  tbb-usability  |  Actual Points:
Parent ID:                                    |         Points:
----------------------------------------------+---------------------------
 [ Re: discussion with Mike at #11384 ]

 The Torbutton icon and about:tor page indicate that Tor is not working
 when Torbutton does not have full access to the control port (when not
 using the 'Transparent Torification' option in Torbutton preferences),
 even if the browser ''is'' properly configured to use Tor. This can be
 dangerous when something does go wrong (e.g. bug #11384) because there is
 then no visible difference to the user.

 If Transparent Torification is selected Torbutton skips the local check
 and instead performs a remote check, which gives a correct indication of
 whether the browser is torified. However, there are cases, other than
 transparent torification, that the remote check is desirable over the
 local check. These include:

 A) Connecting TorBrowser to system-wide Tor instance, which you do not
 want the browser to be able to manipulate (e.g. tor-launcher automatically
 stopping Tor process on closing the browser)
 B) Preventing TorBrowser access to control port so that it cannot
 retrieve/leak circuit information
 C) Tails

 Tails encountered this problem (they only allow NEWNYM requests from the
 browser to the control port), but at the time remote Tor check was broken
 (#10189) so they opted to patch Torbutton to completely disable Tor check,
 both local and remote
 (http://git.tails.boum.org/torbutton/commit/?id=7b7aba560dadb0299212a47971d08ac937672868).
 This is arguably unsatisfactory and is only safe because Tails has strict
 firewall rules preventing leaks.

 I propose we add a user pref which tells Torbutton to use the remote check
 instead of local check, so TorBrowser only shouts when it isn't connecting
 over Tor. The default behavior would be unchanged. A (two-line) patch is
 attached.

 If Tails devs are happy with this solution this could also close #10216.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11722>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list