[tor-bugs] #31066 [Applications/Tor Browser]: Consider protection against requests going through catch-all circuit

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 2 18:21:39 UTC 2019


#31066: Consider protection against requests going through catch-all circuit
------------------------------------------+----------------------
     Reporter:  acat                      |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:  ff68-esr
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 While taking a look at upstreaming #26353 to Firefox I was thinking
 whether it would make sense to have some mitigations to reduce potential
 anonymity loss if there are requests unintentionally going through the
 catch-all circuit. We currently isolate requests by
 `originAttributes.firstPartyDomain`. If
 `originAttributes.firstPartyDomain` is empty, then the request goes to the
 catch-all circuit (socks username `--unknown--`).

 I would suggest changing this and proxying with socks username
 `--unknown--|||firstPartyDomain(request)` instead, where
 `firstPartyDomain` is calculated as if the request host was the origin. I
 think this can only improve user anonymity wrt current behaviour, at the
 cost of potentially worse network performance (more circuits). But I think
 there should not be many cases were `firstPartyDomain` is empty, and also
 not so many `--unknown-- + domain` combinations to make this a performance
 issue. I think it should be seen just as a mitigation for the potential
 cases in Tor Browser that might not obey first party isolation.

 Not sure if this has already been discussed in the past, but I thought it
 might be interesting to consider.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31066>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list