Opened 6 years ago

Closed 5 years ago

#11384 closed defect (fixed)

TorBrowser connects over clearnet after activation of 'hidden' torbutton option

Reported by: cypherpunks Owned by: mikeperry
Priority: High Milestone:
Component: TorBrowserButton Version:
Severity: Keywords: tbb-proxy-bypass, tbb-usability, MikePerry201404
Cc: Actual Points:
Parent ID: Points: 1
Reviewer: Sponsor:

Description

Tested on Linux x86_64, latest TorBrowser version 3.53

Steps to reproduce problem:

  1. Open TorBrowser and connect normally
  2. Click the Torbutton, this opens the drop down list containing "New Identity, Cookie Protections, ..."
  3. Press down key on keyboard once highlights 'New Identity'
  4. Press down key again and the highlighting disappears (highlighting hidden 'disable torbutton' option)
  5. Press enter

This makes TB connect over the clearnet and reveal true IP address (checked using check.torproject.org, and yes it is my real IP). No warning or confirmation box appears and this could easily be done accidentally. This setting persists over New Identity and closing and reopening TB completely, and it is not obvious at all to the user how to switch Tor back on.

This is particularly dangerous because opportunities to warn the user are missed:

  • The about:tor page remains green even after clicking New Identity (although it does switch to its "Something Went Wrong!" form after fully closing and reopening TB).
  • The 'Proxy Settings' page (Torbutton -> Preferences) is unchanged and indicates the browser is using Tor's recommended proxy settings
  • The 'Test Proxy' button on the Proxy Settings page button confirms that the Tor proxy is working properly

The only indicator to the user that they have been deanonymized is the torbutton changes from green to red, which is easily missed.

Furthermore, for people who do not allow TB access to the Tor ControlPort* this button is red anyway and there is no indication whatsoever that you are deanonymized.

This hidden option needs to be properly disabled or (like me!) you could be deanonymized for days without knowing.

*i.e. connecting TB to a separate Tor process / transparently routing TB traffic / using Tor router or Tor on a different [virtual] machine

[Note to re-enable Tor proxy just repeat the steps above. Also the 'Restore Defaults' button on the TorButton Preferences page appears to fix it too]

Child Tickets

Change History (7)

comment:1 Changed 6 years ago by cypherpunks

Keywords: TorBrowser IP leak disable TorButton added

comment:2 Changed 6 years ago by cypherpunks

Tested and confirmed on Win32 TorBrowser 3.5.2

comment:3 Changed 6 years ago by mikeperry

Keywords: tbb-proxy-bypass tbb-usability MikePerry201404 added; TorBrowser IP leak disable TorButton removed
Priority: normalmajor

Wow this is a crazy bug. Nice find. Sorry you got bit by it. Talk about a perfect storm of things to go wrong all at once :/.

comment:4 Changed 6 years ago by mikeperry

Component: Tor bundles/installationTorBrowserButton
Owner: changed from erinn to mikeperry
Status: newassigned

comment:5 Changed 6 years ago by cypherpunks

The only indicator to the user that they have been deanonymized is the torbutton changes from green to red, which is easily missed.

It's very major indicator. If it's red then better not to start using Torbrowser even.

for people who do not allow TB access to the Tor ControlPort* this button is red anyway

If Torbrowser used as standalone app that not starting Tor and have no configured ControlPort then you can to remove Torlauncher extension (remove tor-launcher@torproject.org.xpi file before starting). Indicator should be green after that as long as Torbutton enabled.

comment:6 in reply to:  5 Changed 6 years ago by cypherpunks

Replying to cypherpunks:

If Torbrowser used as standalone app that not starting Tor and have no configured ControlPort then you can to remove Torlauncher extension (remove tor-launcher@torproject.org.xpi file before starting). Indicator should be green after that as long as Torbutton enabled.

I tried this originally but found it disabled the 'New Identity' option in TorButton, so instead I opted to change the 'extensions.torlauncher.start_tor' property in about:config, which leaves the button permanently red. Of course since TB doesn't have access to the ControlPort the 'New Identity' button can't request a new circuit, but it does still [appear to] clear the browser state, certainly faster than closing and reopening the browser.

comment:7 Changed 5 years ago by mikeperry

Points: 1
Resolution: fixed
Status: assignedclosed

This should be fixed in TBB 3.6.

Wrt to the alternate control port issue, you can possibly set the TOR_CONTROL_HOST, TOR_CONTROL_PORT, TOR_CONTROL_PASSWD, and/or TOR_CONTROL_COOKIE_AUTH_FILE env vars prior to launching TBB for that, but it is unsupported behavior. If it breaks, you get to keep both pieces, though I will accept patches to improve the situation. If you end up needing to make such a patch, file a new ticket, and tag it with MikePerry201405R (or the correct month) once a patch is ready.

Note: See TracTickets for help on using tickets.