Opened 5 years ago

Last modified 19 months ago

#10963 assigned defect

Bypassing proxy settings?

Reported by: cypherpunks Owned by: mikeperry
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: needs-triage
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Post was posted to blog's comments:

One TBB behaviour that continues to trouble me is that Firefox continues to try to connect to the internet. I use standard install on ubuntu with no add-ons (tor-browser-linux32-3.5.2.1_en-US.tar) and with js disabled in both NoScript and about:config.

I see additional changes with each update that improve browser isolation by disabling / blocking more auto-connect threats like blacklist updates, rule-set updates, safebrowsing reporting...etc...etc...

So with every new TBB release, I have renewed hope that Firefox will not go outside of the tor process with an internet connection attempt. Each release I allow tor to access the internet and firefox to access tor via 127.0.0.1. Each release I am either immediately or later disappointed when Firefox attempts its own internet connection.

My concerns...

1) Why does TBB continue to be released with default settings that allow Firefox automatically seek an internet connection? I can not imagine this not being noted in testing. What is trying to connect and what information is trying to be shared?

2) How many people trust any connections from TBB and allow both tor and TBB Firefox connections to outside world? Why is this not a significant security flaw? Tor works fine when I block these Firefox external connection attempts. I run a minimal ubuntu box with standard Forefox gutted to the best of my ability. I have a process connection map running and see that the Firexoz attempting to connect is from the TBB package.

3) If this behaviour is known and accepted, how do we know that connections are not being made and information being sent to unknown locations by Firefox through tor? This is something that I would never catch even with my layers of application and port level firewalls...

Sorry that I do not have Wireshark capabilities, but can not imagine that this behaviour is not seen on all installations.

Thanks for your efforts.

inside

Child Tickets

Change History (5)

comment:1 Changed 5 years ago by cypherpunks

Any ideas what that means and how it's possible to verify or reproduce?
Anybody knows where to find author of comment?

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:2 Changed 5 years ago by erinn

Owner: changed from erinn to mikeperry
Status: newassigned

comment:3 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:4 Changed 5 years ago by erinn

Component: Tor bundles/installationTor Browser

comment:5 Changed 19 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.