[tor-bugs] #20195 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 6 08:29:52 UTC 2016
#20195: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
-------------------------------------------------+-------------------------
Reporter: yawning | Owner: legind
Type: defect | Status: assigned
Priority: High | Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere | Version:
Severity: Major | Resolution:
Keywords: tbb-linkability | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:11 yawning]:
> Is there a ticket for "SSL Observatory makes at least one network
> request on startup to check proxy settings, even if it's disabled"? If
> "Use the Observatory?" isn't checked, this request shouldn't be made at
> all, but as it stands absolutely everyone (with working SSL-Observatory)
> is hitting this bug.
Not yet, but I guess a good solution for this one would solve that problem
as well.
So the following things could be done:
If you want to check whether Tor is enabled, check for an existing
Torbutton component. No request getting sent to `check.torproject.org` is
necessary in this scenario. And if such a component is found, let Tor
Browser handle the traffic (i.e. don't mess with proxy settings) as
Torbutton alone should not be functional anymore (i.e. you can be sure the
user has a Tor Browser).
That would be sufficient for us. But what if you don't find an existing
Torbutton component? Still, I think, there should not be any check if the
SSL Observatory is disabled. Not sure, though, if you want to support
Firefox users that have a tor running somewhere but are not using Tor
Browser.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online