Custom Query (4673 matches)


Show under each result:

Results (901 - 1000 of 4673)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ticket Summary Status Owner Type Priority Milestone
#12000 Detect when a probe is using the wrong test helpers new hellais defect Medium

This issue was automatically migrated from github issue

As @stephen-soltesz pointed in out in a ticket:

Also, I recall a discussion in Berlin about validation of uploaded reports; specifically, at the time of report upload, it is necessary to determine that the "expected test-helper" and the "used test-helper" are the same type. This helps eliminate false-positives due to report errors caused by mismatches between the test-helper expected and used. This validation requires that the report is uploaded to the collector co-located with the test helper. Can testdecks be created to support the above?

The hard part of doing this is making the collector speak to the test helpers. In other words to detect that the expected test helper is not the one used, we have to has the test helper that the user is supposed to be using if they have seen those requests from our user.

#12003 Handling filesystem size limitations? new hellais defect Medium

This issue was automatically migrated from github issue

Tests like very quickly generate a large yamloo file, especially against Alexa lists, often to the extent of exceeding filesystem filesize limits. At that point the kernel begins killing every OONI process without warning. Perhaps this is a YAML lib issue instead, but it would be useful either catch the write failure to warn or open a new output file.

#12004 ooni test decks specifying logfile path but it is not used. new hellais defect Medium

This issue was automatically migrated from github issue

Jake reports that ooni is ignoring test .deck logfile paths.

#12006 Is non-determinism in test helper deployment or MLab-ns API acceptable? new hellais defect Medium

This issue was automatically migrated from github issue

Close this ticket with a yes / no.

The MLab script for Ooni selects which test helpers bind to a given port randomly. The requirement is for the same port to provide multiple distinct test helpers, so the current strategy is to partition the MLab slices (and thus IP addresses) for each port according to how many helpers require that port. The random selection accomplishes this in a stateless / configuration-free manner.

Meanwhile, the probe will use the mlab-ns web service to request test helpers and a collector prior to running a net-test. This service currently responds non-deterministically (with various constraints and prioritizations such as scoring based on load).

The question is: Are these two sources of non-determinism a problem?

For scientific repeatability, randomness adds noise. For diagnostic reasons, determinism can make it simpler to understand logs or report data. For security reasons, censors might be able to game non-determinism in a way to favor particular test results. It may be that none of these concerns are strong enough (also considering the dev cost of removing the non-determinism).

*If* the answer is "no", there's a dev cost implication for mlab-ns which should be coordinated with MLab.

#12007 Contributor Bootstrap new hellais defect Medium

This issue was automatically migrated from github issue

How should a contributor get started helping out with Ooni? What documentation should they read? What are good projects for them to tackle?

#12010 Data Pipeline new hellais defect Medium

This issue was automatically migrated from github issue

Ooni is in the M-Lab data pipeline.

#12011 Feature/versioneer automatic version bumping and configuration. new hellais defect Medium

This issue was automatically migrated from github issue

@hellais: Brian Warner made this thing, and I´ve started using it in all my projects. It will make your life so much easier. :)

#12012 clock skew new hellais defect Medium

This issue was automatically migrated from github issue

When the clock on a tor client is so wrong that tor network consensus can not be reached, exit with a user comprehensible error, rather than hanging forever.

#12013 Verify the NetTest version as well as name new hellais defect Medium

We don't implement version checking yet. To confirm: Do we intend for collectors to accept reports from versions of NetTests that are -newer- than the version specified in the policy? Or only the exact version(s)?

#12014 Side Channel Attacks new hellais defect Medium


Reports from ooni-probe are identified by a report id, which is used in a file path. Checking the report id by opening the file may create a side channel that would allow an attacker to extract existing report ids from the server. With the report id, the attacker could overwrite other, existing reports with their own data and possibly do other bad things.

Is this a problem? Are there other side channels that could be a problem?

Note: This is not part of the Least Authority audit.


This is indeed an issue, as we do want to guarantee integrity of not finalised reports.

How would you suggest making such comparison in constant time?

A possible solution would be to make a list of all the files that are stored in the temporary directory, xor every item in the list with the specified report_id. Check if there is any item inside of the list that is 0.

Is there a better way to do this?


@hellais I think the proposed solution would still leak some information when the file is actually opened. You might be able to get away with opening all the files, then only using the file descriptor from the one that matches the provided report_id, but that's very inefficient (and I'm not even sure if that would be safe).

A better approach might be to make it OK for the attacker to learn the report ID. To do this, add a "report key", so that you need the report_id and the report_key to be able to write a report. The report_id would be part of the filename (or database index if you ever use a database), and then inside the file would be a hash of the report_key, which is checked in constant time. Then if someone else gets the report_id, it doesn't matter so much since they can't tamper with it without knowing the report_key.

This could be done without changing the API too much. The report ID currently contains 50 alphanumeric characters, so you could use the first 25 as the new report ID, and the last 25 as the report key.

Beware side channels that would leak the timestamp and/or ASN of other reports, since they are part of the report id and filename too.


Note: While it could be done without changing the API, I don't recommend it. It would not obvious to the client what they have to keep secret and what they don't. It would be better to explicitly give the client a "report_key", which, as the name implies, has to be kept secret.


As @hellais and I discussed in real life, the attacker can only get past the XOR check if they already know the report ID.

However, the report ID, or information about the other report IDs, might still be leaked in some cases:

For example, the attacker might create 1000 new reports, obtaining 1000 report IDs, then can monitor how the response time for each of those IDs changes over time to learn things about the new report IDs (that they don't know) that were created during that time.

Another example: an attacker who can measure cache usage via unprivileged code running on the same physical system might be able to learn information about the report IDs used by actual users.

I doubt something like that would be exploitable in practice, but if we want to be perfectly side-channel free, we should consider those kinds of attacks.

#12017 HTTPS-E has no rulesets, does not work at all in FF29. new zyan defect Medium

I am using Firefox 29, on Mac OS X 10.6.8 Snow Leopard on a MacBook Pro 6,2.

The drop-down menu for HTTPS Everywhere 3.5.1 under the "Tools" menu in Firefox does not appear at all when I hover my mouse over the "HTTPS Everywhere" menu item. When I look at the preferences for HTTPS Everywhere, the redirection rules are all blank. I tried clicking "reset to defaults". It had no effect.

When I try to connect to a site, such as, I get the normal http version, not the https version. If I manually enter ​, I get the https version.

I tried un-installing and re-installing HTTPS Everywhere 3.5.1, as well as installing 4.0development.15, and 4.0development.16. The problem still persists.

My active Firefox add-ons are: Adblock Edge 2.1.1 BetterPrivacy 1.68 Download YouTube Videos as MP4 1.7.18 DownloadHelper 4.9.22 DownThemAll! 2.0.16 DuckDuckGo Plus 0.3.16 Firebug 1.12.8 FxIF Ghostery 5.2.1 HTTPS-Everywhere 3.5.1 Screengrab (fix version) 0.97.24c User Agent Switcher 0.7.3

I also use Tor Browser 3.5.4, which includes the HTTPS Everywhere 3.5.1 add-on. HTTPS Everywhere works properly in Tor Browser 3.5.4.

I also tried using HTTPS Everywhere 3.5.1 in Firefox 28 on OS X 10.9.2 Mavericks. HTTPS Everywhere works properly in Firefox on Mavericks.

My active Firefox add-ons in Mavericks are: Adblock Plus 2.5.1 BetterPrivacy 1.68 DuckDuckGo Plus 0.3.16 Firebug 1.12.8 Ghostery 5.2.1 HTTPS-Everywhere 3.5.1 User Agent Switcher 0.7.3

#12020 Bootstrap gets stuck at 20% when connecting through a bridge. needs_information defect Medium Tor: unspecified

I believe this is different from all the other instances of this bug (#11965 and friends), because the client never recovers (I am using a pluggable transport that is experimental, but the symptoms don't point at my code at first glance).

Client debug log:

May 15 19:36:24.000 [debug] connection_dir_client_reached_eof(): Received response from directory server '': 404 "Not found" (purpose: 6)
May 15 19:36:24.000 [info] connection_dir_client_reached_eof(): Received server info (size 0) from server ''
May 15 19:36:24.000 [info] connection_dir_client_reached_eof(): Received http status code 404 ("Not found") from server '' while fetching "/tor/server/authority.z". I'll try again soon.
May 15 19:36:24.000 [debug] conn_close_if_marked(): Cleaning up connection (fd -1).
May 15 19:36:24.000 [debug] connection_remove(): removing socket -1 (type Directory), n_conns now 3

The bridge is fully bootstrapped at this point according to the logs. Bridge functionality should be fully working once the bridge bootstraps to 100% right? This does seem to happen most after I restart both the client and bridge to pick up a new build of the pt binary...

The only notable config option besides the PT is "PublishServerDescriptor 0" (A cursory search for authority.z brings up #9366).

#12037 videos never load with Cloudfront rule enabled new zyan defect Medium

This is an example of a video loaded through Adobe Flash. If the Cloudfront rule is enabled (as of version 2014-4-25) then the video display will show permanently as loading (in the form of a spinning circle). Disabling the Cloudfront rule causes the video to load immediately.

#12052 test_readline_limit in facilitator-test sometimes fails new dcf defect Medium

This happens more on some machines than others. On my laptop (Debian jessie/sid) it only happens about 1 in 10-15 times but weasel reproduced it 2/3 times.

There is already TODO in the source code, but for now I will disable this test temporarily in the Debian packaging.

FAIL: test_readline_limit (__main__.FacilitatorProcTest)
Test that reads won't buffer indefinitely.
Traceback (most recent call last):
  File "./", line 244, in test_readline_limit"should have raised a socket error")
AssertionError: should have raised a socket error

Ran 18 tests in 2.227s

FAILED (failures=1)
#12053 Infinite loop when 'identity mismatch' error is raised. new brade defect Low

To reproduce this error, launch Tor Browser from behind a captive portal for which you haven't yet agreed to the terms. A window pops up reporting a tor error with the phrase "identity mismatch". Clicking through it will lead to a new window for "Tor failed to launch". Clicking through that will bring you back to the error window for "identity mismatch". This unending parade of error windows will continue even if one disconnects from the network. It is impossible to close Tor Browser at this point without sending a SIGKILL.

#12062 Audit DisableNetwork, we_are_hibernating usage new defect Medium Tor: unspecified

I think a lot of our DisableNetwork checks should instead check net_is_disabled, since so much of what we're doing turning off when the network is disabled is also something we're trying to turn off when we're hibernating.

And probably some of our DisableNetwork checks should call should_delay_dir_fetches or something similar, if they're related to fetching non-bridge-descriptor directory stuff.

Possibly there should be a better designed hierarchy here.

Possibly, most of the fixes here should wait for 0.2.6, since this code is tricky.

#12063 Broken tripadvisor hotel booking calendar with https everywhere new zyan defect Medium

An example:

Clicking on the calendar button when booking for hotels with https everywhere enabled will prevent the calendar popup from showing.

#12089 BridgedDB can be forced to email arbitrary email addresses reopened isis defect High

See #12086.

From this commit message for this unittest:

BridgeDB will accept an email from an arbitrary gmail/yahoo email address at the SMTP layer, and then send the reply to a *different* arbitrary gmail/yahoo email address taken from the contents of the email headers.

As you can see in the example...

(in the ticket description of #12086)

the SMTP command


combined with a 'From:' in the email headers within the SMTP DATA segment caused the reply to be sent the reply to the later, when it came from the former.

While this was done quick-and-dirty with netcat, it's probably possible to configure msmtp to send a the same SMTP commands/info with embedded email headers still specifying an arbitrary email address, such that Gmail/Yahoo would produce a valid DKIM signature for it and pass it along to BridgeDB. (And thus the issue isn't merely that DKIM verification appears to be broken, but the issue is that we're not checking that source of an incoming email matches the destination of the response.)

In addition, the person reading such a unsolicited response from BridgeDB also has no way to know who originally emailed BridgeDB to cause this email to end up in her inbox in the first place.

I'm not exactly certain if this is a bug or a feature. While it could be used for sending some junk to an arbitrary gmail/yahoo address, it could also be used as a sort of

"Dear BridgeDB, can I have some bridges? Asking for a friend."


I'm guessing that we're likely to see more use of it for the former, more malicious activity than the latter benevolent one, and so we should probably consider this a pretty serious bug.

Side note: All the bugs found with that unittest were present in older versions of BridgeDB, and possibly have always been present, and they don't appear to be resultant from my recent rewrite of the email servers (as sysrqb noted, my rewrite retained portions of the old codebase). I just wanted to point that out so that I'm not blamed for introducing them. Unfortunately, I didn't catch this while staring at the code for several hours. (But hiphiphooray for unittests! :D )

#12094 Disappearing bookmarks new tbb-team defect Medium

Upgraded to TorBrowser 3.6.1 Mac OS today. A few weeks since last update. All bookmarks added since last upgrade have not been stored in the browser. Bookmarks added today (after update) have been stored.

On Mac OSX 10.9.2

#12095 Remove dead Transifex teams from translation.git branches new phoul defect Medium

The following teams need to be removed from all branches in translation.git.

af-ZA am-ET bg-BG bn-BD ca-ES cs-CZ el-GR es-NI si sq-AL zh-CN.GB2312 zh

#12105 Radar feature will not load on reopened zyan defect Medium

Site gives the error message, "No radar available at this time" when HTTPS Everyone is enabled.

#12113 Building libevent/openssl on Windows without exception handling would reduce dependencies new erinn defect Low

I believe that in the Tor Browser Bundle on Windows, for the tor.exe component, libgmpxx-4.dll is built using MinGW with exception handling enabled. (Omits -fno-exceptions). MinGW has an archaic exception handling mechanism on Windows, using setjmp/longjmp based exceptions and necessitates the extra dll libgcc_s_sjlj-1.dll.

If libgmp was build without exception handling (it appears to only use it 3 or 4 places in the dll), it'd be possible to eliminate libgcc_s_sjlj-1.dll entirely.

EDIT: This is not about libgmp anymore as we don't ship the libgmpxx any longer. Rather, libevent/openssl are affected by that problem, too.

#12138 No IPv6 support when suggesting a bindaddr to a PT new defect Medium Tor: unspecified

This recent post in tor-talk: revealed that Tor does not support IPv6 when supporting a bind address to a pluggable transport. It seems that we missed that during #7011.

The problem is that the first time someone fires up a ServerTransportPlugin, Tor will suggest to it to bind in This can be seen in get_stored_bindaddr_for_server_transport:

  /** If we didn't find references for this pluggable transport in the
      state file, we should instruct the pluggable transport proxy to
      listen on INADDR_ANY on a random ephemeral port. */
  tor_asprintf(&default_addrport, "%s:%s", fmt_addr32(INADDR_ANY), "0");
  return default_addrport;

Instead of using fmt_addr32(INADDR_ANY), we should use fmt_addrport and suggest [::] if we need to use IPv6. We should probably suggest an IPv6 address, if our ORPort is IPv6 (what if we have both kinds of ORPorts?).

Implementation of this should not be hard. I can do it one of these days.

#12155 Support fully incremental TBB developer builds new tbb-team defect Medium

We should figure out some way to make it less painful for newcomers to create dev builds for testing patches against TBB, especially for Firefox.

Right now, developing patches for TBB requires waiting for an end-to-end Gitian build. We added support for rebuilding only select components of the bundle, but we could take this a step further by allowing incremental builds without having to rebuild everything in a given component.

There are several ways to accomplish this. The easiest will be if we allow partial rebuilds without preserving the reproducibility property. This will be the parent ticket for all manner of ways of doing this, reproducible or not.

#12162 Youtube hotlinking blocked new zyan defect Medium

vBulettin, hotlinked youtube videos are blocked with https everywhere turned on.

#12164 Users with no network obstacles are emailing us instead of clicking connect new brade defect Medium

In the initial dialog window for tor-launcher got reworded to make it clearer that most users should just click 'Connect'.

Clarifying the text was not enough, apparently, because users continue to encounter the initial dialog window, and get confused whether they should 'Configure' or 'Connect'.

Many users are not accustomed to being faced with a decision to make upon starting their browser. However, autoconnecting is not a good solution, as connecting to Tor directly in some regions could put users in real jeopardy.

I suspect that some users do not fully read or fully process the descriptions of these two paths before they contact the help desk.

I think the initial tor-launcher dialog should provide visual cues that direct most users to the 'connect' path and high-risk users to the 'configure' path.

To give some examples of more intuitive designs, changing the size or color of the buttons could be effective. Using a widget besides a button to enter the 'configure' path might also be an improvement.

#12184 Circuit on detached list which I had no reason to mark needs_information defect High Tor: unspecified

I still get this in combination with other warnings. Using FreeBSD 10, with OpenSSL 1.0.1, Tor (git-d2147cc7ba5c5d51).

Jun 01 09:35:49.000 [warn] No unused circIDs found on channel without wide circID support, with 0 inbound and 11 outbound circuits. Found 0 circuit IDs in use by circuits, and 64 with pending destroy cells.Failing a circuit.
Jun 01 09:35:49.000 [warn] failed to get unique circID.
Jun 01 11:17:45.000 [warn] No unused circIDs found on channel without wide circID support, with 0 inbound and 14 outbound circuits. Found 0 circuit IDs in use by circuits, and 64 with pending destroy cells.Failing a circuit.
Jun 01 13:11:58.000 [warn] No unused circIDs found on channel without wide circID support, with 0 inbound and 6 outbound circuits. Found 0 circuit IDs in use by circuits, and 64 with pending destroy cells.Failing a circuit.
Jun 01 13:11:58.000 [warn] failed to get unique circID. [12 similar message(s) suppressed in last 9600 seconds]
Jun 01 13:37:42.000 [notice] Heartbeat: Tor's uptime is 1 day 0:00 hours, with 26180 circuits open. I've sent 901.07 GB and received 858.20 GB.
Jun 01 13:37:42.000 [notice] Average packaged cell fullness: 99.170%
Jun 01 13:37:42.000 [notice] TLS write overhead: 4%
Jun 01 13:37:42.000 [notice] Circuit handshake stats since last time: 1759080/1759080 TAP, 117360/117360 NTor.
Jun 01 19:37:42.000 [notice] Heartbeat: Tor's uptime is 1 day 6:00 hours, with 24593 circuits open. I've sent 1167.66 GB and received 1110.36 GB.
Jun 01 19:37:42.000 [notice] Average packaged cell fullness: 99.179%
Jun 01 19:37:42.000 [notice] TLS write overhead: 4%
Jun 01 19:37:42.000 [notice] Circuit handshake stats since last time: 2056892/2056893 TAP, 136701/136701 NTor.
Jun 02 01:37:42.000 [notice] Heartbeat: Tor's uptime is 1 day 12:00 hours, with 13869 circuits open. I've sent 1395.03 GB and received 1329.05 GB.
Jun 02 01:37:42.000 [notice] Average packaged cell fullness: 99.181%
Jun 02 01:37:42.000 [notice] TLS write overhead: 4%
Jun 02 01:37:42.000 [notice] Circuit handshake stats since last time: 943086/943086 TAP, 86362/86362 NTor.
Jun 02 04:03:15.000 [warn] void circuit_unlink_all_from_channel(channel_t *, int)(): Bug: Circuit on detached list which I had no reason to mark
#12190 Pyptlib does not join args or optargs correctly in ClientTransportPlugin.reportMethodSuccess new asn defect Low

In ClientTransportPlugin.reportMethodSuccess, the code for joining the params args and optargs is wrong. The args and optargs params are defined as strings when they should be lists of strings. Current code

        if args and len(args) > 0:
          methodLine = methodLine + ' ARGS=' + args.join(',')
        if optArgs and len(optArgs) > 0:
          methodLine = methodLine + ' OPT-ARGS=' + args.join(',')

Fixed Code

        if args and len(args) > 0:
          methodLine = methodLine + ' ARGS=' + ','.join(args)
        if optArgs and len(optArgs) > 0:
          methodLine = methodLine + ' OPT-ARGS=' + ','.join(optArgs)

Also the documentation for the types of args and optArgs should be changed to lists.

#12201 Don't weight by bandwidth when selecting among bridges needs_information defect Medium Tor: unspecified

In choose_random_entry_impl() we have:

  if (entry_list_is_constrained(options)) {
    /* We need to weight by bandwidth, because our bridges or entryguards
     * were not already selected proportional to their bandwidth. */
    node = node_sl_choose_by_bandwidth(live_entry_guards, WEIGHT_FOR_GUARD);

This means that bridges are also selected proportional to their bandwidth. However, since there is no bandwidth authorities for bridges their bandwidth is self-reported and potentially a lie. For this reason, it's probably not a good idea to use those values during path selection, since an evil bridge can try to dominate the guard probability.

Fortunately, we also have bridge_get_advertised_bandwidth_bounded() which bounds bridges bandwidth between 20kB/s and 100kB/s. So the danger can't be that great.

Still, it might be a better idea to pick amongst bridges in a uniform random way.

#12204 Revisit flags passed to entry_is_live() around entrynodes.c new defect Low Tor: unspecified

It seems that we are almost always passing need_capacity=True to entry_is_live().

The only case where we don't, is in choose_random_entry_impl() where we actually pick an entry guard. In that case, we pass whatever cpath_build_state_t.need_capacity is set to (which makes sense).

However, in other calls, like the one at entry_guard_register_connect_status(), we always call entry_is_live() with need_capacity set to true. Is this needed?

In entry_guard_register_connect_status(), if we just connected for the first time to a new guard, we re-activate all the previous live guards since it might be a sign that our network was down and it just came back up. However, since entry_is_live() is used with need_capacity we only reactivate the Fast guards.

However, as I understand it, there is no requirement that guards need to be Fast. So it might be the case, that if our primary guard is not fast, we don't reactivate it.

#12216 Google Services rule prevents playback on new zyan defect Medium

The Google Services rule prevents playback on

Versions in use: Firefox 29.0.1 on Windows 7 (all updates installed) HTTPS Everywhere 3.5.1

To reproduce:

Install HTTPS Everywhere, leave default settings. Navigate to and press Play button to begin a given station's playback

Expected Results: Station loads a song, and it plays; play button changes to pause button

Actual Results: Play button changes to pause button, but no song is loaded

Workaround: Disable the rule 'Google Services' in HTTPS Everywhere preferences

#12218 toolbar_button.js should do more null checks needs_review zyan defect Low

I have installed it on WinXP, Win7, Linux(Ubuntu) in Firefox 29.0.1. On XP, I see a long list of rules in the preferences screen. On Win7 and Linux, the rule list is empty. I have tried reinstalling and restarting, but to no avail. I can't tell if it's actually doing anything or not without any rulesets...

#12220 Give a better warning on header/library mismatch for openssl assigned defect Medium Tor: unspecified

Reported by Vinod:

I am getting the following error building tor- on my Mac (10.6.8
Snow Leopard, g++ 4.8.1_3, openssl 1.0.1h)

Undefined symbols for architecture x86_64:
  "_SSL_set_session_secret_cb", referenced from:
      _tor_tls_session_secret_cb in libor-crypto.a(tortls.o)
      _tor_tls_new in libor-crypto.a(tortls.o)
  "_EVP_aes_128_ctr", referenced from:
      _aes_new_cipher in libor-crypto.a(aes.o)
ld: symbol(s) not found for architecture x86_64
collect2: error: ld returned 1 exit status
make[1]: *** [src/or/tor] Error 1
make: *** [all] Error 2

He says he's building from the tarball. I asked him to check if tarball has the same issue and he says it does.

#12228 HTTPS everywhere in Chrome breaks new zyan defect Medium

try opening any popup on the page to view details on an item. Or use the search box and try clicking on the results items (nothing happens). Had to disable it to use the site.

I saw an error in the console about jquery.min.js not found, not sure if that is related.

#12248 Zillow rules prevent home map from loading new zyan defect Medium

Type an address into Zillow. You should see the neighborhood with the house you listed selected, and prices on the neighboring lots. You should be able to click neighboring lots and receive information about the home/lot you clicked on. None of this works when HTTPS Everywhere's "Zillow (partial)" rule is in effect. Toggling this rule makes things work again.

Using Firefox, but I didn't see that option in the component dropdown.

#12251 Bug 9981 (CodeSkulptur - Google APIs) may be back new zyan defect Medium

An old bug (9981) where a Google API rule seems to break (Used in MOOC classes) seems to be back.

Disabling rule does not eliminate problem, but disable Google API does. Looking at XML text for CodeSkulptur gets an error "Unable to download source." URL asks for "Filename: null ...src/chrome/content/rules/null. Can successfully get XML for other rules.

Disable ALL, or disable HTTPS-Everywhere also makes problem go away.

FireFox 29.0.1 Win XP SP3+, NoScript, HTTPS Everywhere 3.5.1 June 2014.

#12255 Polygon images fail to load new zyan defect Low

Images on fail to load with HTTPS-Everywhere enabled. Version 4.0development.17 (which I don't see on the dropdown list of versions) on Firefox 29.0.1.

#12261 Flash Player Crashes new zyan defect Medium

When https everywhere extension is enabled with Chrome on and Flash player crashes and videos don't play and they do not show on to the webpage. When the extension is disabled no issues with flash player crashing.

If I use Firefox I don't have the same issues.

#12299 Do not verify inputs if no policy is specified new hellais defect Medium

At 2013-09-12 12:20:23 Arturo Filastò wrote: @aagbsn pointed out in #199 that we need to not verify inputs if no policy is specified.

This issue was automatically migrated from github issue

#12375 https everywhere breaks new zyan defect Medium

I suddenly had trouble using the site. The Flash app would show an error loading the configuration. When I submitted a support ticket to speedtest they asked if I was using https everywhere and that if I was to disable it. After checking my own solution I told them that disabling https everywhere just for also worked.

I'm sorry but I don't know how to fill in most of the other fields. The HTTPS Everywhere version is the current one, 3.5.1, but it doesn't appear in your Version dropdown. The other fields ask for information that I can't provide!

#12377 get_interface_address6() behaviour iff all interface addresses are internal new defect Medium Tor: unspecified

First, let us assume that all network interfaces for IP host that runs Tor instance are internal as judged by tor_addr_is_internal() function.

There is the following code in get_interface_address6() function.

  /* Try to do this the smart way if possible. */
  if ((addrs = get_interface_addresses_raw(severity))) {
    int rv = -1;
    SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, a) {
      if (family != AF_UNSPEC && family != tor_addr_family(a))
      if (tor_addr_is_loopback(a) ||

      tor_addr_copy(addr, a);
      rv = 0;

      /* If we found a non-internal address, declare success.  Otherwise,
       * keep looking. */
      if (!tor_addr_is_internal(a, 0))

    SMARTLIST_FOREACH(addrs, tor_addr_t *, a, tor_free(a));
    return rv;

Caller will get the last entry from a interface address smartlist. Is this okay?

#12380 HTTPS-E 3.5.3 Breaks Flash Player Settings Manager new zyan defect Medium

Appears to make it so one can not access the online Flash Player Settings Manager due to it blocking mixed content. Disabling HTTPS Everywhere allows one to access it.

Thank you.

#12381 Pluggable Transports + proxy is not working on Windows with TBB 3.6.2 needs_revision asn defect High

While PTs + proxy are working fine on Linux and Mac OS X they are broken on Windows:

12.06.2014 14:22:10.893 [WARN] Managed proxy failed to configure the pluggable transport's outgoing proxy. (We don't have txsocksx. Can't do proxy. Please install txsocksx.) 
12.06.2014 14:22:10.894 [WARN] Managed proxy at 'Tor\PluggableTransports\obfsproxy' failed the configuration protocol and will be destroyed. 
#12384 Google APIs rule breaks this website new zyan defect Medium

Google APIs rule breaks this website:

Reproduced in Chrome and Firefox.

Chrome 35.0.1916.153 with HTTPS Everywhere 2014.4.25 Firefox 24.6.0 with HTTPS-Everywhere 3.5.1

Regards, NewEraCracker

#12387 (Some) Pluggable Transport binaries are not stripped assigned mikeperry defect Medium

Mike mentioned the other day that (some) Pluggable Transport binaries are not stripped. We should make sure that is the case to make the TBBs not larger as needed.

#12389 Should we warn when exit nodes are using opendns or google dns? needs_revision nickm defect Medium Tor: unspecified

Somewhat related to discussion on #8093 -- people are still setting up exit nodes to use OpenDNS or Google DNS. Is that really a safe idea? That makes it distressingly easy for these DNS services (or anybody watching them) to get timing information on user DNS requests.

Furthermore, the default OpenDNS configuration blocks some stuff. If we don't warn about OpenDNS in general, maybe we should warn when configuring an OpenDNS server in a way that hasn't disabled blocking.

#12393 adjust Standalone Vidalia packages for TBB 4.x new erinn defect Medium

I am not sure, but the Standalone Vidalia packages may need to be adjusted to account for the directory restructuring that was done as part of #11641. The current plan is to not ship a TBB that uses the new layout until 4.0, but I am filing this ticket so we do not forget to check.

Erinn - do the Standalone Vidalia bundles depend on the location of torrc and other files?

#12395 Silverlight crashes on Netflix, fixed by disabling Facebook or Microsoft (partial) rules new zyan defect Medium

When trying to stream video on Netflix, Silverlight crashes in Chrome, gives me a Netflix error code in Firefox. Works just fine in IE 11. Running Windows 8.1, x64.

Problem is resolved when: Disabling HTTPS Everywhere completely Disabling Facebook rule Disabling Microsoft (partial) rule

#12397 Tor Browser should proactively identify missing dependencies and suggest resolution new erinn defect Medium

See ticket #10789 for examples of where odd failures due to missing symbol dependencies occur and cause user confusion. If Tor Launcher identified missing dependencies and suggested resolution much end user support confusion and overhead would be reduced.

NOTE: this is specific to Win32/Win64 environments. The same may be applicable in *nix environments but so far has not been problematic to the degree that Windows environments have been.

#12399 Hash of session info was not as expected new defect Medium Tor: unspecified


[warn] Hash of session info was not as expected.

on fast relays, both exits and non exits (ndnr1, DFRI0, DFRI2) several times today. First one spotted at Jun 14 00:26 CEST.

These are on Linux and FreeBSD, versions and respectively.

#12401 Document EntryGuardPathBias in doc/state-contents.txt assigned mikeperry defect Low Tor: unspecified

We should document the newly added EntryGuardPathBias and EntryGuardPathUseBias to doc/state-contents.txt.

#12411 Orbot broke using DNSPort reopened n8fr8 defect Medium

Orbot completely breaks networking, if you have firewall scripts which don't allow leaks.

THIS MEANS THAT ORBOT IS LEAKING LIKE THE FUCKING PENTAGON PAPERS, EXCEPT NOT IN A GOOD WAY. This is because Orbot (as of and later) sets `DNSPort 0`, which disables tor's DNSPort entirely. This means that people who use iptables scripts outside of Orbot (as described in Mike Perry's recent blog post) to redirect UDP DNS traffic to the DNSPort cannot do so. It also means that every other application will leak traffic all over the place. Currently, the only way to fix this mess is to force stop and uninstall Orbot, download an older (14.0.1) .apk onto another device, and copy it over manually to the broken one to reinstall it. This is ridiculous. You're practically bricking people's devices, and you're forcing them to jump through extreme hoops to preserve their anonymity.

#12412 Orbot broke using TransPort new n8fr8 defect Immediate

Orbot (as of and later) sets `TransPort 0`, which disables tor's TransPort entirely. This means that people who use iptables scripts outside of Orbot (as described in Mike Perry's recent blog post) to redirect TCP traffic to the TransPort cannot do so. Related, see #12411.

Leaks are not the problem; they are the symptom. --Heather Brooke

#12418 TBBs with UBSan create lots of errors when running assigned tbb-team defect Medium

When running TBBs (based on ESR 24) built with UBSan we get loads of errors which look like:

/home/ubuntu/build/tor-browser/js/src/jsobj.cpp:1008:17: runtime error: load of value 120, which is not a valid value for type 'bool'
pkix_pl_object.c:580:31: runtime error: left shift of 4276994303 by 32 places cannot be represented in type 'long int'
/home/ubuntu/build/tor-browser/db/sqlite3/src/sqlite3.c:62742:22: runtime error: left shift of 173 by 24 places cannot be represented in type 'int'
/home/ubuntu/build/tor-browser/layout/style/nsCSSParser.cpp:4861:53: runtime error: load of value 128, which is not a valid value for type 'bool'
/home/ubuntu/build/tor-browser/layout/style/../base/nsStyleConsts.h:27:12: runtime error: load of value 4, which is not a valid value for type 'Side'
/home/ubuntu/build/tor-browser/layout/style/nsCSSParser.cpp:6181:3: runtime error: load of value 4, which is not a valid value for type 'Side'
/home/ubuntu/build/tor-browser/layout/style/nsCSSParser.cpp:7962:5: runtime error: load of value 4, which is not a valid value for type 'Side'
/home/ubuntu/build/tor-browser/dom/workers/Workers.h:81:18: runtime error: load of value 4294967295, which is not a valid value for type 'JSGCParamKey'
/home/ubuntu/build/tor-browser/dom/workers/Workers.h:135:23: runtime error: load of value 4294967295, which is not a valid value for type 'JSGCParamKey'
#12435 HTTPS Everywhere HDTracks issue new zyan defect Medium

Enabling HTTPS Everywhere in FireFox prevents music samples from playing on HDTracks. That makes it pretty useless on that site. They already use https for checkouts.

#12436 Mail archive lint new defect Medium

Some messages in the gzip pipermail archives ( lack the correct metadata and format for what would otherwise be full use by MUA's.

If the full raw archives exist, it may be easier to see what reimporting with current mailman tools looks like.

From a concatenation of the three main lists: dev, relays, talk (the others were not checked and may suffer as well)

There is...

#12441 Add use cases for each tor-launcher option. new brade defect Medium

It's pretty common to hear things like "I don't know what any of the 'Configure' options mean." It would help users if each Tor launcher option briefly described a situation where using it would be necessary. For example:

  • This computer needs to use a proxy to access the Internet. Only select if you can't use your regular browser without setting a proxy.
  • This computer goes through a firewall that only allows connections to certain ports. This applies at some universities and large companies.
  • My Internet Service Provider (ISP) blocks connections to the Tor network. Users in China need this option.

These are only examples of how the strings could be modified.

#12447 HTTPS Everywhere causes Firefox to crash on OS X new zyan defect Medium

I’ve been having problems with Firefox crashing periodically.  After a fair amount of testing, I’ve determined that it is related to HTTPS Everywhere.

Steps to reproduce the issue:

starting with all add-ons disabled, I enable HTTPS Everywhere I restart Firefox as required The crash reporter indicates that Firefox has crashed I choose the ‘Restart Firefox’, which it does.  No additional crashes occur after this point.

The crash report’s text:

AdapterDeviceID: 0x fd5 AdapterVendorID: 0x10de Add-ons:,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:30.0 BuildID: 20140605174243 CrashTime: 1402845293 EMCheckCompatibility: true EventLoopNestingLevel: 3 FramePoisonBase: 7ffffffff0dea000 FramePoisonSize: 4096 InstallTime: 1402515559 Notes: AdapterVendorID: 0x10de, AdapterDeviceID: 0x fd5GL Layers! GL Context? GL Context+ GL Layers+ ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384} ProductName: Firefox ReleaseChannel: release SecondsSinceLastCrash: 363 StartupTime: 1402845291 Theme: classic/1.0 Throttleable: 1 URL: about:addons Vendor: Mozilla Version: 30.0 useragent_locale: en-US

This report also contains technical information about the state of the application when it crashed.

I’m using HTTPS Everywhere 3.5.1 with Firefox 30.0 on OS X Mavericks (10.9.3 build 13d65).

#12449 Firefox is insecure, it can't used with Tor new tbb-team defect Medium

Firefox is insecure, no sense to use it with Tor. It ruins everything: privacy, anonymity. #10631 +, etc, makes browser most danger process in system that runs privacy related software.

#12454 many PT components ship with "test" or "tests" directories new dcf defect Medium

I am not sure if this is a PT packaging issue or a TBB build issue (and I don't know who should own this bug).

On Mac OS – and probably on all platforms – within the installed TBB 3.6.2 app bundle there are many directories named "test" or "tests", all located under Tor/PluggableTransports. Is it safe to remove these directories and the files they contain? It seems like a waste of space / added complexity to ship extra files that are (presumably) not used in TBB.

./Tor/PluggableTransports/fte/tests ./Tor/PluggableTransports/fteproxy/tests ./Tor/PluggableTransports/obfsproxy/test ./Tor/PluggableTransports/ometa/test ./Tor/PluggableTransports/terml/test ./Tor/PluggableTransports/twisted/application/test ./Tor/PluggableTransports/twisted/conch/test ./Tor/PluggableTransports/twisted/internet/test ./Tor/PluggableTransports/twisted/lore/test ./Tor/PluggableTransports/twisted/mail/test ./Tor/PluggableTransports/twisted/manhole/test ./Tor/PluggableTransports/twisted/manhole/ui/test ./Tor/PluggableTransports/twisted/names/test ./Tor/PluggableTransports/twisted/news/test ./Tor/PluggableTransports/twisted/pair/test ./Tor/PluggableTransports/twisted/persisted/test ./Tor/PluggableTransports/twisted/protocols/test ./Tor/PluggableTransports/twisted/python/test ./Tor/PluggableTransports/twisted/runner/test ./Tor/PluggableTransports/twisted/scripts/test ./Tor/PluggableTransports/twisted/test ./Tor/PluggableTransports/twisted/trial/_dist/test ./Tor/PluggableTransports/twisted/trial/test ./Tor/PluggableTransports/twisted/web/test ./Tor/PluggableTransports/twisted/words/test ./Tor/PluggableTransports/txsocksx/test ./Tor/PluggableTransports/zope/interface/common/tests ./Tor/PluggableTransports/zope/interface/tests

#12456 Implement prop229 ("Further SOCKS5 extensions") assigned defect Medium Tor: unspecified

In proposal 229, Yawning describes a few improvements to the SOCKS5 protocol for better use by Tor-aware tools.

We should implement that.

(I'm putting this ticket in 0.2.??? since I don't think I'll be able to do it on an 0.2.6 timeframe, but if somebody else does the coding, it might be able to get done sooner.)

#12472 HTTPS-Everywhere should not dump URLs to stdout by default new zyan defect High

On many systems including MacOS and several Linux Desktops, the console output of Firefox ends up written to disk. Since HTTPS-Everywhere can log urls at any loglevel, this means that the user's browsing activity ends up on disk in these logs as well.

We should make a log scrubber for removing/omitting these urls either above a certain loglevel setting, or if a separate pref is set.

#12477 HTTPS Everywhere crashes Shockwave Flash in Iron new zyan defect Medium HTTPS-E next Chrome release

Using version 35.0.1900.0 (280000) of SRWare Iron, an offshoot of Chrome. When HTTPS Everywhere is enabled it seems to cause Shockwave Flash crashing on various websites' players such as

I'm using the version of HTTPS Everywhere I downloaded off of Chrome's extension store.

#12478 Ownership error on hidden service dir encountered on config reload kills Tor process new defect Medium Tor: unspecified

If you add a new hidden service to your torrc with a hidden service dir not owned by the Tor process user (I ran across this by rsyncing an HS dir from another box), and SIGHUP the Tor process, the error adding the HS is not handled cleanly:


Jun 26 20:14:06.000 [notice] Received reload signal (hup). Reloading config and resetting internal state.
Jun 26 20:14:06.000 [notice] Read configuration file "/etc/tor/torrc".
Jun 26 20:14:06.000 [notice] Tor opening log file.
Jun 26 20:14:06.000 [warn] /var/tor/bitcoind_hidden_service/ is not owned by this user (tor, 58) but by root (0). Perhaps you are running Tor as the wrong user?
Jun 26 20:14:06.000 [warn] Error loading rendezvous service keys
Jun 26 20:14:06.000 [err] set_options(): Bug: Acting on config options left us in a broken state. Dying.
#12481 Tor Browser crashes on shutdown on Linux and Mac OS X debug builds new tbb-team defect High

Testing the debug build for #10533 yields another crash which is reproducible during shutdown:

WARNING: NS_ENSURE_TRUE(mThread != PR_GetCurrentThread()) failed: file /home/firefox/tor-browser/xpcom/threads/nsThread.cpp, line 445
WARNING: nsExceptionService ignoring thread destruction after shutdown: file /home/firefox/tor-browser/xpcom/base/nsExceptionService.cpp, line 167
Hit MOZ_CRASH() at /home/firefox/tor-browser/storage/src/mozStorageService.cpp:789
0  0xb77a1424 in __kernel_vsyscall ()
#1  0xb75140a6 in nanosleep () at ../sysdeps/unix/syscall-template.S:81
#2  0xb7513e7d in __sleep (seconds=0)
    at ../sysdeps/unix/sysv/linux/sleep.c:137
#3  0xb2b0d016 in ah_crap_handler (signum=11)
    at /home/firefox/tor-browser/toolkit/xre/nsSigHandlers.cpp:88
#4  0xb2b1436e in nsProfileLock::FatalSignalHandler (signo=11, 
    info=0xbfb329cc, context=0xbfb32a4c)
    at /home/firefox/tor-browser/obj-i686-pc-linux-gnu/toolkit/profile/nsProfileLock.cpp:190
#5  <signal handler called>
#6  0xb40e03c0 in mozilla::storage::Service::Observe (this=0xad8aa780, 
    aTopic=0xb608bb93 "xpcom-shutdown-threads")
    at /home/firefox/tor-browser/storage/src/mozStorageService.cpp:789
#7  0xb49ea49d in nsObserverList::NotifyObservers (this=0xa97ee87c, 
    aSubject=0x0, aTopic=0xb608bb93 "xpcom-shutdown-threads", someData=0x0)
    at /home/firefox/tor-browser/xpcom/ds/nsObserverList.cpp:99
#8  0xb49ec8b2 in nsObserverService::NotifyObservers (this=0xafe0da90, 
    aSubject=0x0, aTopic=0xb608bb93 "xpcom-shutdown-threads", someData=0x0)
    at /home/firefox/tor-browser/xpcom/ds/nsObserverService.cpp:161
#9  0xb49d6f25 in mozilla::ShutdownXPCOM (servMgr=0xb7211604)
    at /home/firefox/tor-browser/xpcom/build/nsXPComInit.cpp:589
#10 0xb49d6c9e in NS_ShutdownXPCOM (servMgr=0xb7211604)
    at /home/firefox/tor-browser/xpcom/build/nsXPComInit.cpp:540
---Type <return> to continue, or q <return> to quit---
#11 0xb2aff8d6 in ScopedXPCOMStartup::~ScopedXPCOMStartup (this=0xb725d248, 
    __in_chrg=<optimized out>)
    at /home/firefox/tor-browser/toolkit/xre/nsAppRunner.cpp:1141
#12 0xb2b087e9 in XREMain::XRE_main (this=0xbfb32f90, argc=4, 
    argv=0xbfb342e4, aAppData=0xbfb330d8)
    at /home/firefox/tor-browser/toolkit/xre/nsAppRunner.cpp:3961
#13 0xb2b0899a in XRE_main (argc=4, argv=0xbfb342e4, aAppData=0xbfb330d8, 
    aFlags=0) at /home/firefox/tor-browser/toolkit/xre/nsAppRunner.cpp:4138
#14 0x0804bce5 in do_main (argc=4, argv=0xbfb342e4, xreDirectory=0xb7238480)
    at /home/firefox/tor-browser/browser/app/nsBrowserApp.cpp:272
#15 0x0804c1a1 in main (argc=4, argv=0xbfb342e4)
    at /home/firefox/tor-browser/browser/app/nsBrowserApp.cpp:632

Might be related to #11258 although this crash happens with a clean, new bundle when shutting down after about:tor shows up. Whether this happens with a vanilla Firefox 24.6.0 ESR needs to be investigated yet.

#12483 Missing tests new hellais defect Medium

The following tests are missing: Switzerland RST packet detection

#12487 infinite loading animation on new zyan defect Medium

Something does't work well for presentations on I don't know if it is temporary or not but after https everywhere is disabled works good and there is no infinite loading animation

#12491 Zenfolio photo info load fails new zyan defect Medium

For HTTP-E 3.5.3 and 3.5.1 (neither seems to be an option in the Version pulldown?!), the photo info load fails. To reproduce this, go to a picture, e.g. this one:

Move the mouse to the upper right corner of the photo until a circular overlay with a white lowercase 'i' in the middle appears. Below the mouse pointer you'll see 'Photo info\nLoading...' but the information will never load.

#12494 bundle 3.6.2_en-64bit opens too many files on Linux new tbb-team defect Medium

After a while (if you visit many-many pages) the Tor browser starts misbehaving - can't save files, difficulties with loading/displaying pages, and eventually all fonts (i.e., all text) suddenly disappears from pages and menus as well (except for a leading underscore _). You get errors on console by some shm_*() function (cannot recall name correctly) complaining about too many open files and lsof indeed shows bazillion files for the Tor firefox in directory tor-browser_en-US/Data/Browser/profile.default/thumbnails/ mostly in deleted status. Clearly unexpected behavior.

One workaround is to sigterm the browser with kill + pid and when you restart recover all tabs etc. Firefox also has docs on disabling thumbnail collection or usage altogether which should work (have not tried it). I decided to replace the thumbnails directory with an immutable file and have not seen the bug since.

Saw this with the latest 3.6.2 but also with earlier ones.

#12501 "Tor unexpectedly exited" if there is a wrong line in torrc new brade defect Medium

I decided to add a new fte bridge and by chance I had torrc open in my text editor then entered "bridg fte ip:port fingerprint". (I shouldn't have done that.)

Then I started Tor Launcher and it kept spitting out "Tor Unexpectedly exited". So I did a ./start-tor-browser

Jun 30 22:49:58.033 [warn] Failed to parse/validate config: Unknown option 'Bridg'.  Failing.
Jun 30 22:49:58.033 [err] Reading config failed--see warnings above.

Wouldn't it be better if Tor Launcher reported back the above messages? I would've never knew my error if I were using Windows.

Also, here's a part of my conversation with arma:

<arma4> what is the bad bridge line? i assume tor does give an explanation.
<sherief> I would've never knew what's wrong without ./start-tor-browser
<sherief> "bridg" missing an "e"
<sherief> :)
<sherief> bridg transportType IP:Port fingerprint
<arma4> expands to bridgeauthoritativedir
<arma4> can you file a ticket, that bridg should expand to bridge?
<arma4>   V(BridgeAuthoritativeDir,      BOOL,     "0"),
<arma4>   VAR("Bridge",                  LINELIST, Bridges,    NULL),
<arma4> i think we just reverse the order of these two lines and it's done
<arma4> doesn't resolve your general issue, but resolves this specific one
#12505 Refactor BridgeDB's hashrings assigned isis defect High

I have slowly been refactoring all of BridgeDB. Code which has been already refactored is named with "proper" (according to PEP8) lower-cased module names in lib/bridgedb in the BridgeDB repository. Some of the largest, least-unitested, (and most difficult to refactor) sections of BridgeDB's code are the module and the module. This code primarily controls the hashrings and the distributors (which for some reason are subclasses of the very-confused hashrings structures).

The biggest problems are:

  1. The code for the various types of hashrings in bridgedb.Bridges is a complete mess. In some places, hashrings are referred to as BridgeHolders, in other places as Buckets (though not to be confused with the module, and in other places as "hashrings". Subclassing is haphazard and confusing to say the least. In addition, the hashrings are not algorithmically as efficient as they could be. Throughout the hashring code were old-style classes, unused methods, half-implemented methods, and unnecessary parameters. All of this code needs some serious help.

  1. The Distributors in bridgedb.Dist inherit, for some unknown reason, from the improperly implemented "base class" bridgedb.Bridges.BridgeHolder. One, this isn't how one implements a proper Python base class (by deriving from a class with __metaclass__ = abc.ABCMeta). Two, why a Distributor should be a subclass of a the "base" hashring class is unclear and unnecessary, and we should move away from that. A Distributor is something which distributes bridges to users, not some weird half-thought-out hashring subclass.

  1. The various Distributors in bridgedb.Dist should be different modules.

  1. Almost none of the code in and is unittested. These modules have the highest number of untested lines of code currently in BridgeDB.

After this is finished, I am mostly willing to tag BridgeDB-1.0.0. There may be a few other refactoring that should get finished before then, but this is the main piece remaining to be completed.

#12511 Skip German exits when using Youtube new tbb-team defect Medium

Could Tor skip German exit nodes for youtube domains to improve usability.

The reason is that a big part of Youtube is unavailable on German IPs, due to licensing problems.

#12514 Tor Button does not work unless Navigation toolbar is enabled new tbb-team defect Medium

Just letting you know that the Tor Button does not have any functionality unless the Navigation toolbar is enabled. I like to customize my layout for maximum content viewing area and I do this by dragging certain buttons off of the Navigation toolbar and putting them elsewhere. All of the other buttons seem to work fine but not the Tor Button and its most important feature, the ability to choose a New Identity.

Thanks. Tim

#12519 Flash not working on with HTTPS Everywhere active in Google Chrome new zyan defect Medium

Hello EFF-Team,

with the latest HTTPS Everywhere Plug-in for Google Chrome (2014.6.26) active, I am unable to watch any live ticker or video on the largest german news website A thread addressing this problem can be found in the german Chrome-Forum. (!topic/chrome-de/313LTA9lQGg)


#12524 rule breaks akamai on some sites new zyan defect Medium

HTTPS Everywhere 4.0development17 on Firefox breaks and Both sites use the akamai and rules. With the default rule set, akamai would return 400 errors for most requests.

To fix, I needed to disable the rule for

#12529 HTTPS-Everywhere for Firefox does not function with Silverlight new zyan defect Medium

Hello Mike and Peter. Thanks for creating this add-on. Please note, HTTPS-Everywhere 3.5.3 for Firefox does not function with Silverlight, making video streaming on Amazon and Netflix not possible.

#12540 life steam does not load new zyan defect Medium HTTPS-E next Chrome release
Description the live steam part does not load when Https Everywhere is active.

Windows 7 HP x64 NL Chrome 35.0.1916.153 Https Everywhere 2014.6.26

#12554 https interferes with linked youtube videos on phpBB sites new zyan defect Medium

I subscribe to and Both are phpBB sites


Discussion on those websites sometimes involves the linking of youtube videos. When creating links to youtube videos, https is not permitted. Youtube URLs need to be modified by the removal of the 's' from a link. For example:

needs to be modified to

to enable linking. This is obviously not an HTTPS issue but demonstrates that the site does not handle https content.


With https everywhere enabled, youtube videos posted by others are not visible. Instead of the video, white space is displayed.

Chrome Version 2014.26.6

#12562 TorBrowser Health Report is empty new tbb-team defect Medium

TBB -> Help -> Health Report opens a blank page, no info whatsoever.

Has this feature been disabled?

Tested under TBB 3.6.2-Windows


#12587 Specify Ooni "next release" process. new hellais defect Medium

The current Ooni release document covers how to do a release. What about the "next release"? It would be nice to specify (or link to) a description of the process for preparing a next release. This should cover details like:

  • how to find the deadline, schedule, version number, for the next release.
  • how to find all tickets specific to the next release.
  • any details about "meta-criteria" or the process of release planning. Some examples:
    • "we have a monthly meeting to discuss the next release"
    • "we do a feature freeze, then release on a strict 3-month periodic schedule"
    • "after we make a release, we have a meeting and decide on all tickets which are targets for the next release, and we make releases whenever those tickets are closed."

It can also be useful to define a release process for emergency security fix releases, because it's especially nice to be prepared in that case. A good technique here is to assign a single person unambiguously as responsible for a security release to prevent people from blocking or stalling due to responsibility confusion.

#12594 Languages for displaying web pages are not saved in Options new tbb-team defect Medium

Steps to reproduce:

  • Launch Tor Browser
  • Open Tools->Options dialog. Navigate to "Content" tab
  • In group "Languages" click on "Choose" button
  • Add some language, for example "French [fr]". Accept all options dialogs with "OK"
  • Exit Tor Browser and launch it again. French language is missing in Options.

Tested OS: WinXP SP3

#12603 broken in chrome new zyan defect Medium

I'm running Chrome 35.0.1916.114 under CentOS, but I believe even newer versions of Chrome continue to have TLS 1.2 disabled. fails with "This webpage is not available" and ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Originally I believe this was due to Outbrain only accepting TLS 1.2, but Qualys says that's not true. So I'm not sure exactly what's wrong, but it sure doesn't work.

Outbrain should be removed from the default ruleset until Chrome supports TLS 1.2.

#12604 Preventing videos being played new zyan defect Medium

After going through my addons, HTTPS Everywhere appears to be the cause of videos not playing on's cycling website.

Example of a video not working with HTTPS Everywhere enabled: (I am in Australia, I'm unsure if these videos are region blocked from elsewhere).

Disabling the addon makes the video play without issue. Adblock and Disconnect were disabled at the time of testing.

The version I'm using is 2014.6.26.

#12607 Problem: Flash video in JW Player recently stopped working on a specific site new zyan defect Medium

About three days ago video (Flash video in JW Player) stopped working on It took me a while, but I finally discovered that turning HTTPS Everywhere off fixes the problem. I wonder what has changed recently that could cause this? For now I will turn H.E. off for that site.


#12609 HTML5 fullscreen API makes TB fingerprintable, disable it! needs_revision mikeperry defect High

Shouldn't TB set the full-screen-api.enabled pref to false so websites can't fingerprint the screen size?

(Firefox's "exit/allow fullscreen" dialog appears after the window has become full screen.)

#12614 Design a good way to pass transport options to child PTs new RushingWookie defect Medium

Client transports get their k=v options from the SOCKS parameters, which is given in the Bridge line. Server transports get their k=v options from ServerTransportOptions.

We need to define ways for fog to pass these options down to the relevant child.

For example, one basic syntax would be, if fog receives an option of the form "fog-child-n-k=v", it passes "k=v" as the option (either SOCKS or ServerTransportOptions) down to the nth child PT in the chain. (This may not be the best idea; the consequences should be examine before we commit to this.)

This must be documented as a public API of fog.

#12616 doesn't change to https new zyan defect Medium

When logging out it goes to http and doesn't change like the other web-sites

#12627 canonicalFromSMTP is not what we think it should be new isis defect High

13:29:04 INFO L568:autoresponder.reply() Got an email; deciding whether to reply. 13:29:04 DEBUG L606:autoresponder.runCheck() Canonicalizing client email domain... 13:29:04 DEBUG L613:autoresponder.runCheck() Canonical email domain: 13:29:04 ERROR L620:autoresponder.runCheck() SMTP/Email canonical domain mismatch! ponticum vs

The last line is generated by:

        # The canonical domains from the SMTP ``MAIL FROM:`` and the email                                                                                   
        # ``From:`` header should match:                                                                                                                     
        if self.incoming.canonicalFromSMTP != canonicalFromEmail:
            logging.error("SMTP/Email canonical domain mismatch!")                                                                                           
            return False

and canonicalFromSMTP is provided by SMTPMessage().

I'm hotfixing it for now.

#12641 IStreamClientEndpointStringParser is Deprecated new hellais defect Medium

I started Ooni on mlab1 and got the message:

/home/mlab_ooni/lib/python2.6/site-packages/Twisted-14.0.0-py2.6-linux-i686.egg/twisted/internet/ DeprecationWarning: twisted.internet.interfaces.IStreamClientEndpointStringParser was deprecated in Twisted 14.0.0: This interface has been superseded by IStreamClientEndpointStringParserWithReactor.

#12654 httpse-ruleset-bug: Parts of Criterion site broken by Cloudfront rule new zyan defect Medium

The view all films, online only, featured, learn more, etc. javascript links do not work.

The find films by sorting section on the left.

Confirmed cause being HTTPS Everywhere due to working once disabled.

Web console shows..

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at This can be fixed by moving the resource to the same domain or enabling CORS.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at This can be fixed by moving the resource to the same domain or enabling CORS.

HTTPS-E 3.5.3

#12661 Some directory authorities reject IP ranges long after we ask them to stop reopened defect Medium Tor: unspecified

What's going on here?

Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver ''. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver ''. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver ''. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver ''. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver ''. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver ''. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver ''. Please correct.

#12663 Orbot, libevent and BSD sed ( includes patch ) new n8fr8 defect Low

Compilation of Orbot stops at libevent if using BSD sed rather than GNU sed.

The error is :

sed -i 's@\(SUBDIRS = . include\) sample test@\1@' libevent/ sed: 1: "libevent/": extra characters at the end of l command

I have traced the problem to Orbot's external/Makefile.

There is a difference between BSD and GNU sed with regards to the inplace -i flag, both accept an argument for a file extension to backup to, if no extension is provided no backup is made, however BSD sed requires an argument even if it is empty, whereas GNU sed ignores it.

The attached patch adds an extension rather than provide an empty argument, this *should* work with both GNU and BSD sed, though I haven't tried it with the former.

#12667 HTTPSEverywhere breaks in Chrome for Mac new zyan defect Medium

In order to use login or facebook connect buttons on in Chrome for Mac, HTTPSEverywhere has to be disabled.

See others facing the same issue: ​

#12679 flashproxy programs don't allow intermixed positional and optional arguments new dcf defect Low

Since #9975 (merge of argparse), it's an error if you put an optional argument between positional arguments.

works:        flashproxy-client --external :0 :0
works:        flashproxy-client :0 :0 --external
doesn't work: flashproxy-client :0 --external :0

The error you get is:

$ ./flashproxy-client :0 --external :0 
usage: flashproxy-client --register [OPTIONS] [LOCAL][:PORT] [REMOTE][:PORT]
flashproxy-client: error: unrecognized arguments: :0

How it used to look is:

$ ./flashproxy-client :0 --external :0 
2014-07-22 09:10:54 Listening remote on
2014-07-22 09:10:54 Listening remote on [::]:45211.
2014-07-22 09:10:54 Listening local on
2014-07-22 09:10:54 Listening local on [::1]:33344.

I'm calling it minor because probably most people don't try to do this.

The analogous ticket for fog is #10004.

#12681 New video for setting up a relay on Windows new defect Medium

Our video for setting up a relay on Windows is way out of date. I'm referring to the one at It sounds like arma would like a new replacement for this video (rather than not replacing after it is removed it). The new video should probably teach users how to set up a relay without using the Vidalia bundles.

#12683 Permissions in nsIPermissionManager aren't cleared with TorButton's "New Identity" new tbb-team defect High

When TorButton's "New Identity" button is pressed, the permissions stored with nsIPermissionManager aren't cleared, even though nsIPermissionManager.removeAll() is called. From torbutton_do_new_identity() in src/chrome/content/torbutton.js:

  torbutton_log(3, "New Identity: Clearing permissions");
  let pm = Cc[";1"].

  torbutton_log(3, "New Identity: Sending NEWNYM");

There's a ton of info stored in this thing, including how many time the site has been visited, if popups are allowed, if a site can access offline storage, etc. For me, several dozen sites are listed after clicking "New Identity". It seems to have been keeping these permissions for quite a while, as some of my sites are reported to have hundreds of visits. To reproduce, do some stuff in TorBrowser for a while, then click "TorButton > New Identity", then navigate to about:permissions.

#12686 deep web research new defect Medium
#12702 Opera now has mixed content blocking. needs_review zyan defect High

Starting with 23.0, Opera now blocks unencrypted content on encrypted pages, allowing to unblock for the current page and session only.

Platform=mixedcontent should be disabled for Opera. And maybe we could upgrade bug #6975, since all platforms supported by HTTPS-E now have mixed content blocking.

#12703 Fonts problem on the machines used for tor browser testing new boklm defect Medium

Lunar noticed that the screenshots of the fa version of the tor browser look pretty bad:

I don't have this problem when running the fa tor browser on my computer, so it seems to be a font problem on the machine used for the tests.

#12714 Akamai rule prevents voting on Steam Greenlight new zyan defect Medium

When the Akamai rule is enabled, attempting to vote on Steam Greenlight causes a loading symbol to briefly appear then disappear, without registering the vote. When disabled, voting works normally.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Note: See TracQuery for help on using queries.