Opened 2 years ago

Last modified 7 months ago

#23115 needs_information defect

If "Tor is not working in this browser", don't download an update

Reported by: teor Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-update
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When I opened an old Tor Browser Alpha I had lying around (7.5a1), it told me two things:

  • Tor is not working in this browser
  • This browser is out of date

Then it started downloading an update.

This might not be a bug, but it made me very nervous to be downloading an update over what looked like an insecure connection.

Child Tickets

Change History (9)

comment:1 Changed 2 years ago by cypherpunks

All the more reason why Tor Browser updates should be downloaded from .onion, no Tor = no screw up.

comment:2 Changed 2 years ago by gk

Status: newneeds_information

Was it really not working and it downloaded bypassing Tor? That would be a serious bug. Or was that just the about:tor page that was misleading but the updater did do the correct thing?

comment:3 in reply to:  2 ; Changed 2 years ago by teor

Replying to gk:

Was it really not working and it downloaded bypassing Tor? That would be a serious bug. Or was that just the about:tor page that was misleading but the updater did do the correct thing?

I don't know: I was concerned that these conflicting messages could happen. I didn't check which one was correct.

comment:4 in reply to:  3 ; Changed 2 years ago by teor

Status: needs_informationnew

Replying to teor:

Replying to gk:

Was it really not working and it downloaded bypassing Tor? That would be a serious bug. Or was that just the about:tor page that was misleading but the updater did do the correct thing?

I don't know: I was concerned that these conflicting messages could happen. I didn't check which one was correct.

This is reproducible, at least on my machine.
It doesn't seem to depend on the exit.
Tor is working, according to check.torproject.org.

The combination of messages is a false alarm, and potentially alarming to users.

comment:5 in reply to:  4 Changed 2 years ago by gk

Status: newneeds_information

Replying to teor:

Replying to teor:

Replying to gk:

Was it really not working and it downloaded bypassing Tor? That would be a serious bug. Or was that just the about:tor page that was misleading but the updater did do the correct thing?

I don't know: I was concerned that these conflicting messages could happen. I didn't check which one was correct.

This is reproducible, at least on my machine.

How? By just taking a sufficiently outdated Tor Browser? (If so, which version did you test with again? 7.5a1?)

comment:6 Changed 2 years ago by teor

It was reproducible by re-launching the copy of 7.5a1 that I hadn't updated.
It went away when I updated.

The Tor check failure might have be due to the increased latency I had on a wireless broadband link (in Australia, outside a major east coast city).

comment:7 in reply to:  6 Changed 2 years ago by gk

Replying to teor:

It was reproducible by re-launching the copy of 7.5a1 that I hadn't updated.
It went away when I updated.

The Tor check failure might have be due to the increased latency I had on a wireless broadband link (in Australia, outside a major east coast city).

Hm, did you have a non-standard Tor Browser environment because the first thing that gets tried is the check via the control port. So, latency should not play a role here. Regardless, if latency played a role here I am not sure not downloading the update is the solution to your bug as I can imagine using tricks to deny the update download in those cases on purpose.

Last edited 2 years ago by gk (previous) (diff)

comment:8 Changed 7 months ago by gk

Keywords: tbb-updater added

comment:9 Changed 7 months ago by gk

Keywords: tbb-update added; tbb-updater removed

Renaming keyword to make it a bit broader

Note: See TracTickets for help on using tickets.