Opened 3 years ago

Closed 3 years ago

#19218 closed defect (not a bug)

check.torproject.org giving false positive

Reported by: cypherpunks
Owned by: arlolra
Priority: High
Component: Applications/Tor Check
Severity: Normal

Description

Having unchecked "Remote DNS" in the network settings just to see what would happen, check.torproject.org indicated I was using Tor, though Torbutton was grey and crossed out and actual .onion links failed, with a redirect to my ISP.

As a side note, ISP redirects should be blocked by TorBrowser probably.


Change History (6)

comment:1 Changed 3 years ago by arma

I don't see how this is a bug?

You might enjoy
http://tor.stackexchange.com/questions/190/why-does-check-torproject-org-sometimes-tell-me-im-not-using-tor-when-i-am

But in your case, it sounds like the opposite -- your traffic was going over Tor, but you maybe had your browser configured unsafely, and you wanted the remote website to somehow notice and tell you?

comment:2 Changed 3 years ago by cypherpunks

The link above refers to a false negative, this bug is about false positives. So yes, the opposite. Which is a bigger problem.

  • "actual .onion links failed"

My baseline metric for whether my traffic is going over Tor is whether .onion links can be resolved, but I use check.tp.o just because it has been presented by The Tor Project as THE check page.

I wasn't able to resolve any .onion links. Tor was not running properly. And check.tp.o said I was fine. If I'd gone surfing somewhere dangerous assuming I was ok since check.tp.o said I was, I would be in trouble.

The situation you linked to basically alludes to everything being fine and the user getting confused but ultimately having nothing to worry about. This bug is about things not being fine while the user sails on expecting all is well.

Does that really not seem like an issue?

And yes, I did use the New Identity switch, check.tp.o still reported wrong.

I now wonder whether remote DNS may be required to resolve .onion links, but not to route over Tor in general; but if this is so, perhaps that is what you should have replied plainly, rather than linking to that dense thread which is only obliquely related.

Last edited 3 years ago by cypherpunks

comment:3 Changed 3 years ago by gk

Component: Applications/Tor Browser → Applications/Tor Check
Owner: changed from tbb-team to arlolra
Status: new → assigned

check.torproject.org is nothing the Tor Browser team is taking care of; moving this to the proper component.

comment:4 Changed 3 years ago by cypherpunks

The bug here, in my opinion, is that Tor Browser doesn't give you a scary warning when you disable remote DNS. It does at least make the onion red or whatever, but an "are you sure" dialog box would be nice. Or maybe just remove the checkbox altogether (it is still in about:config for people who want to shoot themselves in the foot).

And the question for OP is, why did you do that? :)

> I now wonder whether remote DNS may be required to resolve .onion links, but not to route over Tor in general; but if this is so, perhaps that is what you should have replied plainly, rather than linking to that dense thread which is only obliquely related.

"Remote DNS" means Firefox uses the proxy (tor) to resolve names, instead of using your operating system's resolver. If you don't use remote DNS, all of your DNS names will leak. You won't be able to resolve .onion names, but non-onion names will still be resolved (without tor) and Firefox will still connect to them via Tor.

At first I was thinking there isn't any good way for check.tp.o to know if you leaked a DNS request before arriving there, but thinking about it more... perhaps it could do something using a .onion address?

Ultimately, though, if you've configured your browser to not use Tor (or to leak DNS while using Tor) and you have a local network adversary who wants to make you think you are using it when you go to check.torproject.org... I don't think there is anything check.torproject.org can do to stop them. Except maybe onions.

Now I'm wondering what happens if you uncheck remote DNS and do a .onion lookup and get an answer... presumably you connect to it (via Tor)? That actually sounds quite terrible now that I think of it.

> As a side note, ISP redirects should be blocked by TorBrowser probably.

I don't know how that could be possible generally, but, for onion links Tor Browser should absolutely never ever be sending DNS requests!

If that actually happens presently, wow, pls fix kthx bye!

comment:5 Changed 3 years ago by cypherpunks

> And the question for OP is, why did you do that? :)

I was just curious what would happen. I vaguely knew what a Domain Name Service was and always thought it was a sketchy idea anonymity-wise. Rather than look it up I decided to experiment (more fun, less extraneous data to get clobbered with). I didn't intend to go anywhere linked to my identity.

> perhaps it could do something using a .onion address?

That seems obvious from a user perspective, but then if the user couldn't resolve the address there wouldn't be a useful error message. It would only be helpful in the positive. Which just gave me an idea for a TorBrowser feature. Bug filed as #19251.

comment:6 Changed 3 years ago by arlolra

Resolution: not a bug
Status: assigned → closed