OCSP requests are not isolated to the URL bar domain

Not sure when this regressed but I can find log messages like

[06-15 09:22:41] Torbutton INFO: tor SOCKS isolation catchall: http://clients1.google.com/ocsp via --unknown--:1

in my terminal. In fact it seems all OCSP requests are affected.

added component::applications/tor browser owner::tbb-team priority::high resolution::worksforme severity::major status::closed tbb-linkability tbb-regression type::defect labels

Good morning ticket:18937#comment:5

Oh, I forgot to mention this is on a Linux box with 6.5a1-hardened. And only about OCSP as the description says (favicons are fine).

Replying to gk: All other cases of non-isolation of https are also affected. Plus now when clicking on links to pdfs as in #17604 (moved).

Replying to bugzilla:

Replying to gk: All other cases of non-isolation of https are also affected. Plus now when clicking on links to pdfs as in #17604 (moved).

Please file additional tickets for unrelated issues otherwise this ticket becomes unactionable as well. Thanks. Re the pdf bug, this is #15599 (moved).

Replying to gk:

Please file additional tickets for unrelated issues otherwise this ticket becomes unactionable as well. Thanks. Re the pdf bug, this is #15599 (moved). No, the comments are about that if you open some https link that goes through catchall, then its OCSP request always goes through catchall too. (not only favicons)

Replying to gk:

Not sure when this regressed but I can find log messages like

[06-15 09:22:41] Torbutton INFO: tor SOCKS isolation catchall: http://clients1.google.com/ocsp via --unknown--:1
}}}
in my terminal. In fact it seems all OCSP requests are affected.

I'm not able to reproduce this. When 6.5a-1-hardened starts up, I see the following in the Browser Console (filtering by the keyword "via"):

{{{ [06-17 20:29:40] Torbutton INFO: tor SOCKS isolation catchall: https://check.torproject.org/?TorButton=true#0.5067764289917780.6071708598496006 via --unknown--:0 [06-17 20:29:40] Torbutton INFO: tor SOCKS isolation catchall: https://www.torproject.org/dist/torbrowser/update_2/hardened/LitSOCKS isolation catchall: http://ocsp.digicert.com/ via --unknown--:0 [06-17 20:29:41] Torbutton INFO: tor SOCKS isolation catchall: http://ocsp.digicert.com/ via --unknown--:0 [06-17 20:29:41] Torbutton INFO: tor SOCKS isolation catchall: http://ocsp.digicert.com/ via --unknown--:0 [06-17 20:29:42] Torbutton INFO: tor SOCKS isolation catchall: https://aus1.torproject.org/torbrowser/update_2/hardened/Linux_x86_64-gcc3/6.5a1-hardened/ALL via --unknown--:0

But these appear to be OCSP queries for connections that already have unknown (chrome) first party. 

After that, when I start connecting to websites, I see ocsp requests going over first-party circuits as intended (filtering by keywords "via ocsp":

[06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via torproject.org:0 [06-17 20:48:07] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via torproject.org:0 [06-17 20:48:43] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via washingtonpost.com:0 [06-17 20:48:49] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0 [06-17 20:48:49] Torbutton INFO: tor SOCKS: http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0 [06-17 20:48:49] Torbutton INFO: tor SOCKS: http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0 [06-17 20:48:49] Torbutton INFO: tor SOCKS: http://ocsp2.globalsign.com/cloudsslsha2g3 via washingtonpost.com:0 [06-17 20:48:53] Torbutton INFO: tor SOCKS: http://ocsp.int-x3.letsencrypt.org/ via eff.org:0 [06-17 20:49:08] Torbutton INFO: tor SOCKS: http://ocsp.int-x3.letsencrypt.org/ via eff.org:0 [06-17 20:49:09] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0 [06-17 20:49:11] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0 [06-17 20:49:11] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via washingtonpost.com:0 [06-17 20:49:11] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0 [06-17 20:49:11] Torbutton INFO: tor SOCKS: http://vassg142.ocsp.omniroot.com/ via washingtonpost.com:0 [06-17 20:49:13] Torbutton INFO: tor SOCKS: http://ocsp.usertrust.com/ via gnu.org:0 [06-17 20:49:17] Torbutton INFO: tor SOCKS: http://vassg142.ocsp.omniroot.com/ via washingtonpost.com:0 [06-17 20:49:22] Torbutton INFO: tor SOCKS: http://ocsp.godaddy.com/ via washingtonpost.com:0 [06-17 20:49:28] Torbutton INFO: tor SOCKS: http://ocsp.entrust.net/ via washingtonpost.com:0 [06-17 20:49:36] Torbutton INFO: tor SOCKS: http://clients1.google.com/ocsp via washingtonpost.com:0

Are there specific websites that result in the OCSP going over the catchall circuit? Or maybe there is something else I need to try?

Ah, it seems I had a profile with extensions.torbutton.restrict_thirdparty set to false. I guess I got confused why this is only affecting OCSP requests. Not sure if that is a different bug we should file. In any way, I assume Mozilla will make sure this is working as expected while they are upstreaming our isolation patches. Thus this is fine with me. Sorry for the noise.

Trac:
Resolution: N/A to worksforme
Status: new to closed

closed

mentioned in issue #19741 (moved)

moved to tpo/applications/tor-browser#19416 (closed)