[tor-bugs] #20623 [Applications/Tor Browser]: TBB 6.0.5 DomainIsolator does not generate unique nonce passwords for socksauth
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 10 16:52:45 UTC 2016
#20623: TBB 6.0.5 DomainIsolator does not generate unique nonce passwords for
socksauth
-------------------------------------------------+-------------------------
Reporter:   entr0py                              | Owner:         tbb-team
Type:       defect                               | Status:        reopened
Priority:   Very High                            | Milestone:
Component:  Applications/Tor Browser             | Version:       Tor: 0.2.8.9
Severity:   Major                                | Resolution:
Keywords:   socksauth first-party base-url       | Actual Points:
            domain                               |
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by entr0py):

@yawning Thanks for the clarification. Didn't realize that random
passwords were an alpha-only feature. This came up because TBB 6.0.5 was
re-using existing circuits after being closed and restarted (#20479) under
system Tor - which I see was a motivation for #19206:

> The SOCKS username/password isolation should include an instance
> identifier such that each invocation of Tor Browser ends up using
> different circuits (Currently, the isolation tags will get reused).

@adrelanos IIUC, stable torbrowser has never used random passwords. It's
always been 0 + increment per new circuit. Also, I failed to realize that
a different password isn't needed after `NEWNYM` - by definition.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20623#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
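
The behaviour discussed in the comment above, as an added model that is not Tor Browser or tor code: a long-running system tor shares circuits between streams that present the same SOCKS username/password, so a counter that restarts at 0 reproduces the same isolation tag after a browser restart. The class and function names, the `example.com` domain and the nonce encoding are assumptions made for this illustration.

```javascript
// Added illustration; not Tor Browser or tor code. All names are hypothetical.
const { randomBytes } = require('crypto');

// Simplified stand-in for a long-running system tor: streams presenting the
// same SOCKS username/password pair may share a circuit.
class SystemTor {
  constructor() { this.circuits = new Map(); this.nextId = 1; }
  circuitFor(username, password) {
    const key = JSON.stringify([username, password]);
    if (!this.circuits.has(key)) this.circuits.set(key, this.nextId++);
    return this.circuits.get(key);
  }
  // NEWNYM: existing circuits are not used for new streams.
  newnym() { this.circuits.clear(); }
}

// One browser invocation. Username is the first-party domain; the password
// starts at 0 and increments per new circuit, as the comment describes.
class BrowserSession {
  constructor(tor, { instanceNonce = false } = {}) {
    this.tor = tor;
    this.counters = new Map();
    // Assumed encoding of the per-invocation identifier asked for in #19206.
    this.nonce = instanceNonce ? randomBytes(16).toString('hex') : '';
  }
  password(domain) { return this.nonce + String(this.counters.get(domain) || 0); }
  newCircuit(domain) { this.counters.set(domain, (this.counters.get(domain) || 0) + 1); }
  circuit(domain) { return this.tor.circuitFor(domain, this.password(domain)); }
}

// True when a restarted browser lands on the circuit its predecessor used.
function restartReusesCircuit(opts) {
  const tor = new SystemTor(); // tor keeps running across browser restarts
  const before = new BrowserSession(tor, opts).circuit('example.com');
  const after = new BrowserSession(tor, opts).circuit('example.com');
  return before === after;
}

// True when unchanged credentials still get a fresh circuit after NEWNYM.
function newnymIsolatesWithoutNewPassword() {
  const tor = new SystemTor();
  const session = new BrowserSession(tor);
  const before = session.circuit('example.com');
  tor.newnym();
  return session.circuit('example.com') !== before;
}
```

`restartReusesCircuit({ instanceNonce: false })` models the counter-only scheme and `restartReusesCircuit({ instanceNonce: true })` the per-invocation identifier.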