Opened 3 years ago

Closed 3 years ago

#19416 closed defect (worksforme)

OCSP requests are not isolated to the URL bar domain

Reported by: gk
Owned by: tbb-team
Priority: High
Component: Applications/Tor Browser
Severity: Major
Keywords: tbb-regression, tbb-linkability
Cc: arthuredelstein

Description

Not sure when this regressed but I can find log messages like

[06-15 09:22:41] Torbutton INFO: tor SOCKS isolation catchall: http://clients1.google.com/ocsp via --unknown--:1

in my terminal. In fact it seems all OCSP requests are affected.

Change History (7)

comment:1 Changed 3 years ago by bugzilla

Good morning ticket:18937#comment:5

comment:2 Changed 3 years ago by gk

Oh, I forgot to mention this is on a Linux box with 6.5a1-hardened. And only about OCSP as the description says (favicons are fine).

comment:3 in reply to: 2; Changed 3 years ago by bugzilla

Replying to gk:
All other cases of non-isolation of https are also affected.
Plus now when clicking on links to pdfs as in #17604.

comment:4 in reply to: 3; Changed 3 years ago by gk

Replying to bugzilla:

Replying to gk:
All other cases of non-isolation of https are also affected.
Plus now when clicking on links to pdfs as in #17604.

Please file additional tickets for unrelated issues otherwise this ticket becomes unactionable as well. Thanks. Re the pdf bug, this is #15599.

comment:5 in reply to: 4; Changed 3 years ago by bugzilla

Replying to gk:

Please file additional tickets for unrelated issues otherwise this ticket becomes unactionable as well. Thanks. Re the pdf bug, this is #15599.

No, the comments are about that if you open some https link that goes through catchall, then its OCSP request always goes through catchall too. (not only favicons)

comment:6 in reply to: description; Changed 3 years ago by arthuredelstein

Replying to gk:

Not sure when this regressed but I can find log messages like

[06-15 09:22:41] Torbutton INFO: tor SOCKS isolation catchall: http://clients1.google.com/ocsp via --unknown--:1

in my terminal. In fact it seems all OCSP requests are affected.

I'm not able to reproduce this. When 6.5a-1-hardened starts up, I see the following in the Browser Console (filtering by the keyword "via"):

[06-17 20:29:40] Torbutton INFO: tor SOCKS isolation catchall: https://check.torproject.org/?TorButton=true#0.5067764289917780.6071708598496006 via --unknown--:0
[06-17 20:29:40] Torbutton INFO: tor SOCKS isolation catchall: https://www.torproject.org/dist/torbrowser/update_2/hardened/LitSOCKS isolation catchall: http://ocsp.digicert.com/ via --unknown--:0
[06-17 20:29:41] Torbutton INFO: tor SOCKS isolation catchall: http://ocsp.digicert.com/ via --unknown--:0
[06-17 20:29:41] Torbutton INFO: tor SOCKS isolation catchall: http://ocsp.digicert.com/ via --unknown--:0
[06-17 20:29:42] Torbutton INFO: tor SOCKS isolation catchall: https://aus1.torproject.org/torbrowser/update_2/hardened/Linux_x86_64-gcc3/6.5a1-hardened/ALL via --unknown--:0

But these appear to be OCSP queries for connections that already have unknown (chrome) first party.

After that, when I start connecting to websites, I see ocsp requests going over first-party circuits as intended (filtering by keywords "via ocsp"):

[06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via torproject.org:0
[06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via torproject.org:0
[06-17 20:48:43] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS: http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS: http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS: http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0
[06-17 20:48:53] Torbutton INFO: tor SOCKS: http://ocsp.int-x3.letsencrypt.org/ via eff.org:0
[06-17 20:49:08] Torbutton INFO: tor SOCKS: http://ocsp.int-x3.letsencrypt.org/ via eff.org:0
[06-17 20:49:09] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:49:11] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:49:11] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via washingtonpost.com:0
[06-17 20:49:11] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:49:11] Torbutton INFO: tor SOCKS: http://vassg142.ocsp.omniroot.com/ via washingtonpost.com:0
[06-17 20:49:13] Torbutton INFO: tor SOCKS: http://ocsp.usertrust.com/ via gnu.org:0
[06-17 20:49:17] Torbutton INFO: tor SOCKS: http://vassg142.ocsp.omniroot.com/ via washingtonpost.com:0
[06-17 20:49:22] Torbutton INFO: tor SOCKS: http://ocsp.godaddy.com/ via washingtonpost.com:0
[06-17 20:49:28] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via washingtonpost.com:0
[06-17 20:49:36] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0

Are there specific websites that result in the OCSP going over the catchall circuit? Or maybe there is something else I need to try?
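The check gk and arthuredelstein are doing by hand above (filtering Torbutton's Browser Console output and looking at which circuit each OCSP fetch was assigned to) can be scripted. This is an added example, not code from the ticket or from Torbutton; it parses the two log line shapes quoted in this ticket and reports OCSP fetches that went over the catchall circuit separately from those that were isolated to a first-party circuit. The sample lines are taken from the logs quoted above, plus one constructed non-OCSP line for contrast.

```python
import re
from collections import defaultdict

# The two line shapes quoted in the ticket: a request assigned to a first-party
# circuit ("tor SOCKS: <url> via <firstparty>:<n>") and one that fell through to the
# shared catchall circuit ("tor SOCKS isolation catchall: <url> via --unknown--:<n>").
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Torbutton INFO: tor SOCKS(?P<catchall> isolation catchall)?: "
    r"(?P<url>\S+) via (?P<fp>[^:\s]+):(?P<idx>\d+)$"
)

def parse_line(line):
    """Return a dict for a Torbutton SOCKS isolation line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "url": m["url"], "first_party": m["fp"],
            "catchall": m["catchall"] is not None}

def is_ocsp(url):
    # Same heuristic the ticket uses: responders have "ocsp" in the host or path
    # (ocsp.digicert.com, clients1.google.com/ocsp, ocsp2.globalsign.com/...).
    return "ocsp" in url.lower()

def audit_ocsp(lines):
    """Split OCSP fetches into catchall ones [(ts, url)] and isolated ones {first_party: [url]}."""
    report = {"catchall": [], "isolated": defaultdict(list)}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_ocsp(rec["url"]):
            continue
        if rec["catchall"]:
            report["catchall"].append((rec["ts"], rec["url"]))
        else:
            report["isolated"][rec["first_party"]].append(rec["url"])
    report["isolated"] = dict(report["isolated"])
    return report

# Lines 1-4 are quoted from the ticket; the last line is constructed (a page load, not OCSP).
SAMPLE_LOG = """\
[06-15 09:22:41] Torbutton INFO: tor SOCKS isolation catchall: http://clients1.google.com/ocsp via --unknown--:1
[06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via torproject.org:0
[06-17 20:48:43] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via washingtonpost.com:0
[06-17 20:48:49] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0
[06-17 20:49:36] Torbutton INFO: tor SOCKS: https://www.washingtonpost.com/ via washingtonpost.com:0
""".splitlines()

if __name__ == "__main__":
    result = audit_ocsp(SAMPLE_LOG)
    for ts, url in result["catchall"]:
        print(f"OCSP over catchall circuit at {ts}: {url}")
    for fp, urls in result["isolated"].items():
        print(f"{fp}: {len(urls)} OCSP fetch(es) on its own first-party circuit")
```

As arthuredelstein notes, a catchall hit is not by itself a leak: start-up requests whose first party is chrome legitimately show up as `--unknown--`, so the catchall list is what to inspect against what the browser was doing at that timestamp.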

comment:7 Changed 3 years ago by gk

Resolution: worksforme
Status: new → closed

Ah, it seems I had a profile with extensions.torbutton.restrict_thirdparty set to false. I guess I got confused why this is only affecting OCSP requests. Not sure if that is a different bug we should file. In any way, I assume Mozilla will make sure this is working as expected while they are upstreaming our isolation patches. Thus this is fine with me. Sorry for the noise.
