[tor-bugs] #23963 [Applications/Tor Browser]: Tor Browser can use a Tor that's running under another user
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 26 13:32:01 UTC 2017
#23963: Tor Browser can use a Tor that's running under another user
--------------------------------------+--------------------------
 Reporter:  teor                      |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Comment (by mcs):
I think this issue probably occurs on all platforms. I do not know of a
way to ensure that the SOCKSPort is "trusted" except to switch to Unix
domain sockets (which is possible via hidden prefs inside Tor Browser). I
am also not sure how Tor Browser can tell the difference between "I am
using a system Tor which is what the user wants" and "I am using a
leftover Tor that was possibly started by another user." I think the
argument will be "If Tor Browser is configured to start tor, it should
only use the tor that it starts" (which seems reasonable but may be
difficult to implement).

One good step in the right direction would be to prevent URLs from being
opened until after Tor Launcher has finished its business. I thought we
had a ticket for that, but I cannot find it right now. I wonder if we
should create a parent ticket to track this and related issues, e.g.,
"support Tor Browser as the system default browser."
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23963#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
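
Added example (not part of the original message and not Tor Browser or Tor Launcher code): one way a client could check that a Unix domain SOCKS socket belongs to the expected user before using it, relying on the socket's filesystem owner and, on Linux, the kernel-reported peer credentials. The function name `trusted_socks_socket`, the file name `socks.socket` and the stand-in listener in `demo()` are assumptions made for illustration.

```python
import os
import socket
import stat
import struct
import tempfile


def trusted_socks_socket(path, expected_uid=None):
    """Connect to a Unix-domain SOCKS socket only if expected_uid owns it."""
    uid = os.geteuid() if expected_uid is None else expected_uid
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # A directory writable by group/others lets another user replace the socket.
    if parent.st_uid != uid or parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("socket directory is not private to uid %d" % uid)
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != uid:
        raise PermissionError("not a socket, or owned by another user")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    if hasattr(socket, "SO_PEERCRED"):  # Linux: ask the kernel who is listening
        cred = s.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
        _pid, peer_uid, _gid = struct.unpack("iII", cred)
        if peer_uid != uid:
            s.close()
            raise PermissionError("listener runs as uid %d" % peer_uid)
    return s


def demo():
    """Constructed demo: a stand-in listener in a private temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        path = os.path.join(d, "socks.socket")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        trusted_socks_socket(path).close()
        results["own_socket"] = True
        try:
            trusted_socks_socket(path, expected_uid=os.geteuid() + 1)
        except PermissionError:
            results["other_uid_rejected"] = True
        os.chmod(d, 0o777)  # simulate a shared, world-writable directory
        try:
            trusted_socks_socket(path)
        except PermissionError:
            results["shared_dir_rejected"] = True
        srv.close()
    return results
```

Calling `demo()` accepts the socket created by the current user and rejects both the mismatched-uid case and the world-writable directory case.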