TrackHostExits option in torrc file not working as documented

1. Shut down Tor
2. Edit torrc file at c:\Program Files (x86)\Tor Browser\Browser\TorBrowser\Data\Tor\torrc so that it has the line:

TrackHostExits .

According to docs, this should mean to use the same exit node for all websites.

3. Launch Tor, and open any two websites - let's say https://duckduckgo.com/ and https://www.nasa.gov/
4. Note that the exit node for each website may differ. If not reproducing, try using the IP addresses rather than URLs.

Why is this a problem? Some sites will generate a link that only works from the same IP as the original page. (In my case, one link is an IP that cannot be resolved to a URL, so using a URL isn't an option.)

Version: Tor 7.5 (The versions in the picker are massively out of date - not a good sign.)

Trac:
Username: LittleTorFanAnnie

changed milestone to %Tor: unspecified

added 034-removed-20180328 034-triage-20180328 component::core tor/tor doc easy milestone::Tor: unspecified points::0.1 priority::medium reporter::LittleTorFanAnnie severity::normal status::new type::defect labels

Note that Tor Browser configures its Tor in a nonstandard way, by using the socks isolation feature to separate each socks request (browser tab) to a different circuit.

I suggest you start by taking a standard Tor, run by itself and not as part of Tor Browser, and see if TrackHostExits works for you there. (It looks like you're on Windows? In that case you probably want the Windows Expert Bundle.)

If using it on a vanilla Tor works, then the bug is that TrackHostExits and IsolateSOCKSAuth don't play well together, and maybe we fix it by documenting the difference better, or maybe there's some better fix.

Trac:
Component: - Select a component to Core Tor/Tor

Replying to LittleTorFanAnnie:

Version: Tor 7.5 (The versions in the picker are massively out of date - not a good sign.)

Btw, the explanation for this one is that you mean Tor Browser 7.5. Tor Browser and Tor are different programs.

https://blog.torproject.org/tor-browser-75-released links to the Tor Browser changelog: https://gitweb.torproject.org/builders/tor-browser-build.git/plain/projects/tor-browser/Bundle-Data/Docs/ChangeLog.txt?h=maint-7.5 which tells you that the Tor version is 0.3.2.9.

Trac:
Keywords: N/A deleted, doc-maybe added
Milestone: N/A to Tor: 0.3.4.x-final

TracExitHosts is not supposed to make every destination use the same website: it is supposed to make it so that every time you go to the same destination, you get the same website.

For your example, I would expect every visit to duckduckgo to use some exit A, and every visit to nasa.gov to use some exit B, but I wouldn't expect "A" and "B" to be the same exit.

Is this something that the documentation should be more clear about?

Replying to nickm:

TracExitHosts is not supposed to make every destination use the same website: it is supposed to make it so that every time you go to the same destination, you get the same website.

Is this something that the documentation should be more clear about?

Yes. The man page right now says "For each value in the comma separated list, Tor will track recent connections to hosts that match this value and attempt to reuse the same exit node for each. [...] If one of the values is just a '.', it means match everything." To me that means every time you get a match, you try to reuse the same exit node as for previous matches, and . is always a match.

Trac:
Points: N/A to 0.1
Keywords: doc-maybe deleted, easy doc added

OK, if the error is in the docs and TrackHostExits isn't intended to provide that behavior, then is there another way to solve the problem?

The situation is that I visit a web page that generates a link which is just an IP (and not the IP associated with that page). I need to open that link with Tor using the same IP used to visit the page, or it won't work - because it detects the connecting IP.

Trac:
Username: LittleTorFanAnnie

Tor isn't really designed to pin exits like this. You could try using NoIsolateDestAddr on your SOCKSPort, but it really isn't safe to use it for general browsing.

If I add the following line to my torrc, the result is that the TOR browser no longer starts:

SocksPort 9150 NoIsolateDestAddr

This is the port listed in the browser's TOR network configuration. I know it's the right port because if I use a different one in the torrc file, TOR browser starts normally but it has no effect - a different exit IP is still used for each connection like before.

[Note: I've corrected the torrc line which originally had the wrong option, NoIsolateClientAddr, but the problem remains. The TOR Browser won't start with that line in place.]

Trac:
Username: LittleTorFanAnnie

Trac:
Keywords: easy doc deleted, doc, easy, 034-triage-20180328 added

Per our triage process, these tickets are pending removal from 0.3.4.

Trac:
Keywords: N/A deleted, 034-removed-20180328 added

These tickets, tagged with 034-removed-*, are no longer in-scope for 0.3.4. We can reconsider any of them, if time permits.

Trac:
Milestone: Tor: 0.3.4.x-final to Tor: unspecified

changed time estimate to 48m

moved to tpo/core/tor#25412 (closed)