Skip to content
Snippets Groups Projects
New look: Off

check.torproject.org giving false positive

    • Closed (moved) Issue created by cypherpunks @cypherpunks

    Having unchecked "Remote DNS" in the network settings just to see what would happen, check.torproject.org indicated I was using Tor, though Torbutton was grey and crossed out and actual .onion links failed, with a redirect to my ISP.

    As a side note, ISP redirects should be blocked by TorBrowser probably.

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items ...

    • Activity

    • cypherpunks added component::applications/tor check owner::arlolra priority::high resolution::not a bug severity::normal status::closed type::defect labels

      added component::applications/tor check owner::arlolra priority::high resolution::not a bug severity::normal status::closed type::defect labels

    • Roger Dingledine
      Roger Dingledine @arma ·

      I don't see how this is a bug?

      You might enjoy http://tor.stackexchange.com/questions/190/why-does-check-torproject-org-sometimes-tell-me-im-not-using-tor-when-i-am

      But in your case, it sounds like the opposite -- your traffic was going over Tor, but you maybe had your browser configured unsafely, and you wanted the remote website to somehow notice and tell you?

    • C
      cypherpunks @cypherpunks ·
      Author

      The link above refers to a false negative, this bug is about false positives. So yes, the opposite. Which is a bigger problem.

      • "actual .onion links failed"

      My baseline metric for whether my traffic is going over Tor is is whether .onion links can be resolved, but I use check.tp.o just because it has been presented by The Tor Project as THE check page.

      I wasn't able to resolve any .onion links. Tor was not running properly. And check.tp.o said I was fine. If I'd gone surfing somewhere dangerous assuming I was ok since check.tp.o said I was, I would be in trouble.

      The situation you linked to basically alludes to everything being fine and the user getting confused but ultimately having nothing to worry about. This bug is about things not being fine while the user sails on expecting all is well.

      Does that really not seem like an issue?

      And yes, I did use the New Identity switch, check.tp.o still reported wrong.

      I now wonder whether remote DNS may be required to resolve .onion links, but not to route over Tor in general; but if this is so, perhaps that is what you should have replied plainly, rather than linking to that dense thread which is only obliquely related.

    • Georg Koppen
      Georg Koppen @gk ·

      check.torproject.org is nothing the Tor Browser team is taking care of moving this to the proper component.

      Trac:
      Component: Applications/Tor Browser to Applications/Tor Check
      Owner: tbb-team to arlolra
      Status: new to assigned

    • C
      cypherpunks @cypherpunks ·
      Author

      The bug here, in my opinion, is that Tor Browser doesn't give you a scary warning when you disable remote DNS. It does at least make the onion red or whatever, but an "are you sure" dialog box would be nice. Or maybe just remove the checkbox all together (it is still in about:config for people who want to shoot themselves in the foot).

      And the question for OP is, why did you do that? :)

      I now wonder whether remote DNS may be required to resolve .onion links, but not to route over Tor in general; but if this is so, perhaps that is what you should have replied plainly, rather than linking to that dense thread which is only obliquely related.

      "Remote DNS" means Firefox uses the proxy (tor) to resolve names, instead of using your operating system's resolver. If you don't use remote DNS, all of your DNS names will leak. You won't be able to resolve .onion names, but non-onion names will still be resolved (without tor) and firefox will still connect to them via Tor.

      At first I was thinking there isn't any good way for check.tp.o to know if you leaked a DNS request before arriving there, but thinking about it more... perhaps it could do something using a .onion address?

      Ultimately, though, if you've configured your browser to not use Tor (or to leak DNS while using Tor) and you have a local network adversary who wants to make you think you are using it when you go to check.torproject.org... I don't think there is anything check.torproject.org can do to stop them. Except maybe onions.

      Now I'm wondering what happens if you uncheck remote DNS and do a .onion lookup and get an answer... presumably you connect to it (via Tor)? That actually sounds quite terrible now that I think of it.

      As a side note, ISP redirects should be blocked by TorBrowser probably.

      I don't know how that could be possible generally, but, for onion links Tor Browser should absolutely never ever be sending DNS requests!

      If that actually happens presently, wow, pls fix kthx bye!

    • C
      cypherpunks @cypherpunks ·
      Author

      And the question for OP is, why did you do that? :)

      I was just curious what would happen. I vaguely knew what a Domain Name Service was and always thought it was a sketchy idea anonymity-wise. Rather than look it up I decided to experiment (more fun, less extraneous data to get clobbered with). I didn't intend to go anywhere linked to my identity.

      perhaps it could do something using a .onion address?

      That seems obvious from a user perspective, but then if the user couldn't resolve the address there wouldn't be a useful error message. It would only be helpful in the positive. Which just gave me an idea for a TorBrowser feature. Bug filed as #19251 (moved).

    • Arlo Breault
      Arlo Breault @arlo ·

      Trac:
      Resolution: N/A to not a bug
      Status: assigned to closed

    • Trac closed

      closed

    Please register or sign in to reply