Opened 6 months ago

Last modified 4 months ago

#25412 new defect

TrackHostExits option in torrc file not working as documented

Reported by: LittleTorFanAnnie
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: easy, doc, 034-triage-20180328, 034-removed-20180328
Cc:
Actual Points:
Parent ID:
Points: 0.1
Reviewer:
Sponsor:

Description

  1. Shut down Tor
  2. Edit torrc file at c:\Program Files (x86)\Tor Browser\Browser\TorBrowser\Data\Tor\torrc so that it has the line:

TrackHostExits .

According to docs, this should mean to use the same exit node for all websites.

  3. Launch Tor, and open any two websites - let's say https://duckduckgo.com/ and https://www.nasa.gov/
  4. Note that the exit node for each website may differ. If not reproducing, try using the IP addresses rather than URLs.

Why is this a problem? Some sites will generate a link that only works from the same IP as the original page. (In my case, one link is an IP that cannot be resolved to a URL, so using a URL isn't an option.)

Version: Tor 7.5 (The versions in the picker are massively out of date - not a good sign.)

Change History (12)

comment:1 Changed 6 months ago by arma

Component: - Select a component → Core Tor/Tor

Note that Tor Browser configures its Tor in a nonstandard way, by using the socks isolation feature to separate each socks request (browser tab) to a different circuit.

I suggest you start by taking a standard Tor, run by itself and not as part of Tor Browser, and see if TrackHostExits works for you there. (It looks like you're on Windows? In that case you probably want the Windows Expert Bundle.)

If using it on a vanilla Tor works, then the bug is that TrackHostExits and IsolateSOCKSAuth don't play well together, and maybe we fix it by documenting the difference better, or maybe there's some better fix.

comment:2 in reply to:  description Changed 6 months ago by arma

Replying to LittleTorFanAnnie:

> Version: Tor 7.5 (The versions in the picker are massively out of date - not a good sign.)

Btw, the explanation for this one is that you mean Tor Browser 7.5. Tor Browser and Tor are different programs.

https://blog.torproject.org/tor-browser-75-released
links to the Tor Browser changelog:
https://gitweb.torproject.org/builders/tor-browser-build.git/plain/projects/tor-browser/Bundle-Data/Docs/ChangeLog.txt?h=maint-7.5
which tells you that the Tor version is 0.3.2.9.

comment:3 Changed 6 months ago by teor

Keywords: doc-maybe added
Milestone: Tor: 0.3.4.x-final

comment:4 Changed 6 months ago by nickm

TrackHostExits is not supposed to make every destination use the same website: it is supposed to make it so that every time you go to the _same_ destination, you get the _same_ website.

For your example, I would expect every visit to duckduckgo to use some exit A, and every visit to nasa.gov to use some exit B, but I wouldn't expect "A" and "B" to be the same exit.

Is this something that the documentation should be more clear about?

comment:5 in reply to:  4 Changed 6 months ago by arma

Replying to nickm:

> TrackHostExits is not supposed to make every destination use the same website: it is supposed to make it so that every time you go to the _same_ destination, you get the _same_ website.
>
> Is this something that the documentation should be more clear about?

Yes. The man page right now says "For each value in the comma separated list, Tor will track recent connections to hosts that match this value and attempt to reuse the same exit node for each. [...] If one of the values is just a '.', it means match everything." To me that means every time you get a match, you try to reuse the same exit node as for previous matches, and . is always a match.
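
Added example (not part of the ticket and not Tor's source code): a small Python model of the behaviour described in comment:4 and the man page text quoted in comment:5, where a bare "." makes every host eligible for tracking but each host keeps its own remembered exit. The class name, the exit labels and the round-robin exit choice are assumptions made for illustration; the expire parameter stands in for the TrackHostExitsExpire option.

```python
import itertools


class TrackHostExitsModel:
    """Toy model: one remembered exit per matching destination host."""

    def __init__(self, patterns, exits, expire=1800):
        # patterns: comma-separated value as it would appear after TrackHostExits
        self.patterns = [p.strip().lower() for p in patterns.split(",") if p.strip()]
        self._exits = itertools.cycle(exits)  # assumption: stand-in for path selection
        self.expire = expire                  # seconds, as in TrackHostExitsExpire
        self.table = {}                       # host -> (exit, time recorded)

    def matches(self, host):
        host = host.lower()
        for p in self.patterns:
            if p == ".":                      # bare '.' matches everything
                return True
            if p.startswith("."):             # leading '.' matches an entire domain
                if host == p[1:] or host.endswith(p):
                    return True
            elif host == p:                   # otherwise an exact host match
                return True
        return False

    def exit_for(self, host, now):
        host = host.lower()
        if not self.matches(host):
            return next(self._exits)          # untracked host: nothing is remembered
        entry = self.table.get(host)
        # Assumption: the mapping ages from the moment it was recorded.
        if entry is None or now - entry[1] > self.expire:
            entry = (next(self._exits), now)  # new or expired: record a fresh exit
            self.table[host] = entry
        return entry[0]                       # keyed by host, not by pattern


if __name__ == "__main__":
    m = TrackHostExitsModel(".", ["exitA", "exitB", "exitC"])  # constructed labels
    for t, h in [(0, "duckduckgo.com"), (10, "www.nasa.gov"), (20, "duckduckgo.com")]:
        print(t, h, m.exit_for(h, t))
```

The table is keyed by destination host, so "." widens which hosts are tracked without collapsing them onto a single exit.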

comment:6 Changed 6 months ago by teor

Keywords: easy doc added; doc-maybe removed
Points: 0.1

comment:7 Changed 6 months ago by LittleTorFanAnnie

OK, if the error is in the docs and TrackHostExits isn't intended to provide that behavior, then is there another way to solve the problem?

The situation is that I visit a web page that generates a link which is just an IP (and not the IP associated with that page). I need to open that link with Tor using the same IP used to visit the page, or it won't work - because it detects the connecting IP.

comment:8 Changed 6 months ago by teor

Tor isn't really designed to pin exits like this. You could try using NoIsolateDestAddr on your SOCKSPort, but it really isn't safe to use it for general browsing.

comment:9 Changed 5 months ago by LittleTorFanAnnie

If I add the following line to my torrc, the result is that the TOR browser no longer starts:

SocksPort 9150 NoIsolateDestAddr

This is the port listed in the browser's TOR network configuration. I know it's the right port because if I use a different one in the torrc file, TOR browser starts normally but it has no effect - a different exit IP is still used for each connection like before.

[Note: I've corrected the torrc line which originally had the wrong option, NoIsolateClientAddr, but the problem remains. The TOR Browser won't start with that line in place.]

Last edited 5 months ago by LittleTorFanAnnie

comment:10 Changed 5 months ago by nickm

Keywords: 034-triage-20180328 added

comment:11 Changed 5 months ago by nickm

Keywords: 034-removed-20180328 added

Per our triage process, these tickets are pending removal from 0.3.4.

comment:12 Changed 4 months ago by nickm

Milestone: Tor: 0.3.4.x-final → Tor: unspecified

These tickets, tagged with 034-removed-*, are no longer in-scope for 0.3.4. We can reconsider any of them, if time permits.
