Opened 2 years ago

Last modified 2 years ago

#21273 new defect

Proxy settings unnecessarily limit guard selection process

Reported by: pastly
Owned by: brade
Priority: Medium
Milestone:
Component: Applications/Tor Launcher
Version:
Severity: Normal
Keywords:
Cc: arma, brade, mcs, gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

My use case:

I build an SSH socks5 proxy to a network less restrictive than the one I'm on. I tell Tor Browser to use that socks5 proxy. I leave "This computer goes through a firewall that only allows connections to certain ports" unchecked.

The following lines are added to the torrc.

    Socks5Proxy 127.0.0.1:2343
    ReachableAddresses *:80,*:443
    ReachableAddresses reject *:*
    ReachableAddresses reject *:*

The reachable address lines seem to be added due to https://trac.torproject.org/projects/tor/ticket/11405#comment:7

(The duplicate ReachableAddresses reject line is a known issue ... somewhere. There's a ticket.)

The issue:

I can reach any port through this socks5 proxy. My guard selection is being artificially limited to guards that have an ORPort of 443.

I suspect that ReachableAddresses should only be set to 80 and 443 if the proxy type is HTTP(S). Or not at all unless "This computer goes through a firewall that only allows connections to certain ports" is checked. In my very limited experience with proxies, it seems sane to assume only 80/443 for HTTP(S) proxies, but it doesn't seem sane to assume 80/443 for a socks5 proxy.

The following Python script shows that right now about 42% of guards have the ORPort of 443 (or 80, but most are 443).

    from stem.control import Controller

    guards_443 = []
    guards_all = []
    # 9151 is the control port used by Tor Browser
    with Controller.from_port(port=9151) as c:
        c.authenticate()
        for stat in c.get_network_statuses():
            if 'Guard' in stat.flags:
                guards_all.append(stat)
                # count guards whose ORPort is 80 or 443
                if stat.or_port == 80 or stat.or_port == 443:
                    guards_443.append(stat)
    print("Num 443 ORPort guards:", len(guards_443))
    print("Num guards:           ", len(guards_all))
    print("443/all:", len(guards_443) * 1.0 / len(guards_all))

More interesting would be

  • what percent by weight am I limited to?
  • what is the geographical distribution of these guards?

Change History (3)

comment:1, in reply to: description; changed 2 years ago by mcs

Replying to pastly:

I can reach any port through this socks5 proxy. My guard selection is being artificially limited to guards that have an ORPort of 443.

I suspect that ReachableAddresses should only be set to 80 and 443 if the proxy type is HTTP(S). Or not at all unless "This computer goes through a firewall that only allows connections to certain ports" is checked. In my very limited experience with proxies, it seems sane to assume only 80/443 for HTTP(S) proxies, but it doesn't seem sane to assume 80/443 for a socks5 proxy.

The rationale for Tor Launcher's behavior came from here:

https://trac.torproject.org/projects/tor/ticket/11405#comment:7

I don't know if "many proxies restrict the set of ports they'll proxy for" applies to SOCKS5 proxies or not, but the goal was to do something that would result in a working Tor Browser for most people. You can edit torrc manually, but the ReachableAddresses settings may be overwritten if you make changes later using the Tor Network Settings window.

comment:2, in reply to: 1; changed 2 years ago by mcs

Replying to mcs:

You can edit torrc manually, but the ReachableAddresses settings may be overwritten if you make changes later using the Tor Network Settings window.

Correction: my colleague reminded me that the port settings are available in the Network Settings window (just not in the setup wizard).

comment:3 Changed 2 years ago by pastly

Update:

Today approx. 40% of guards (by number) have an ORPort of 443 or 80. That's about 44% by consensus weight.
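The by-number and by-weight comparison discussed in this ticket can also be worked through offline. The following is an added example, not part of the original ticket or of Tor Launcher: it applies the torrc lines from the description to a constructed set of relay entries. The helpers `parse_policy`, `reachable` and `guard_fractions` are hypothetical, handle only `*:<port>` patterns, and use the `w Bandwidth=` value as the weight.

```python
TORRC = """\
Socks5Proxy 127.0.0.1:2343
ReachableAddresses *:80,*:443
ReachableAddresses reject *:*
ReachableAddresses reject *:*
"""
# Constructed sample relays in consensus "r"/"s"/"w" layout; ID/DIGEST are placeholders.
CONSENSUS = """\
r relayA ID DIGEST 2017-01-20 12:00:00 192.0.2.1 443 0
s Fast Guard Running Stable Valid
w Bandwidth=5000
r relayB ID DIGEST 2017-01-20 12:00:00 192.0.2.2 9001 0
s Fast Guard Running Stable Valid
w Bandwidth=14000
r relayC ID DIGEST 2017-01-20 12:00:00 192.0.2.3 80 0
s Fast Guard Running Stable Valid
w Bandwidth=1000
r relayD ID DIGEST 2017-01-20 12:00:00 192.0.2.4 443 0
s Exit Fast Running Valid
w Bandwidth=9000
"""

def parse_policy(torrc):
    # Ordered (accept, port) rules; port None means "*". Only "*:<port>" is handled.
    rules = []
    for line in torrc.splitlines():
        key, _, value = line.strip().partition(" ")
        for item in value.split(",") if key == "ReachableAddresses" else []:
            words = item.split()  # "accept" is implied unless "reject" is given
            addr, _, port = words[-1].rpartition(":")
            if addr != "*":
                raise ValueError("unsupported address pattern: " + item)
            rules.append((words[0] != "reject", None if port == "*" else int(port)))
    return rules

def reachable(rules, port):  # first matching rule wins
    return next((a for a, p in rules if p in (None, port)), True)  # assumed default: allow

def guard_fractions(torrc, consensus):
    # (fraction by count, fraction by bandwidth) of Guard relays the policy allows
    rules, guards, is_guard = parse_policy(torrc), [], False
    for f in map(str.split, consensus.splitlines()):
        if f and f[0] == "r":
            port, is_guard = int(f[7]), False
        elif f and f[0] == "s":
            is_guard = "Guard" in f[1:]
        elif f and f[0] == "w" and is_guard:
            guards.append((port, int(f[1].split("=")[1])))
    ok = [bw for port, bw in guards if reachable(rules, port)]
    return len(ok) / len(guards), sum(ok) / sum(bw for _, bw in guards)
```

With the sample data, two of the three guards remain usable but they carry only 30% of the guard bandwidth, which is why the by-number and by-weight figures can differ.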
