Opening site in Tor Browser redirects to FSB

Quite disturbing thing just happened to me.

System: Debian 9, x64, latest updates applied, Tor Browser 7.5 official distribution, checksum check passed.

Description: I open one of the sites which is blocked in Russia and suddenly I got redirected to FSB site (Federal Security Services of the Russian Federation). I tried to change Tor Circuit — result is the same. But... If I restart Tor Browser I worked as expected — blocked site opened. I tried several times and roughly speaking only one of 10 is not working as expected — redirecting me to FSB.

Site: https://psb4ukr.org

I'd love to help though I don't know how to debug Tor.

Screenshot is attached

Trac:
Username: timur.davletshin

added component::applications/tor browser priority::medium reporter::timur.davletshin resolution::invalid severity::major status::closed type::defect labels

Trac:
Username: timur.davletshin

Site redirects to FSB

Trac:
Username: timur.davletshin

Odd, even when I use the sites IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

Trac:
Username: Dbryrtfbcbhgf

Replying to Dbryrtfbcbhgf:

Odd, even when I use the sites IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to FSB I start developing paranoia.

Trac:
Username: timur.davletshin

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the sites IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to FSB I start developing paranoia. I live outside of Russia and I'm still getting the message, so I don't think you should be paranoid, lets see what the Tor Devs say.

Trac:
Username: Dbryrtfbcbhgf

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the sites IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to FSB I start developing paranoia. I live outside of Russia and I'm still getting the message so I don't think you should be paranoid, lets see what the Tor Devs say.

Do you get FSB redirect too?

Trac:
Username: timur.davletshin

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the sites IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to FSB I start developing paranoia. I live outside of Russia and I'm still getting the message so I don't think you should be paranoid, lets see what the Tor Devs say.

Do you get FSB redirect too? Yes I do, It does not happen immediately but after I create many Circuits and the only way to solve it is to restart tor browser as you said above.

Trac:
Username: Dbryrtfbcbhgf

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the sites IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to FSB I start developing paranoia. I live outside of Russia and I'm still getting the message so I don't think you should be paranoid, lets see what the Tor Devs say.

Do you get FSB redirect too? Yes I do, It does not happen immediately bug after I create many Circuits and the only way to solve it is to restart tor browser as you said above.

Thanks a lot! So most likely it's not Tor's problem. Looks like FSB just hacked site they hate so much.

Trac:
Username: timur.davletshin

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the sites IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to FSB I start developing paranoia. I live outside of Russia and I'm still getting the message so I don't think you should be paranoid, lets see what the Tor Devs say.

Do you get FSB redirect too? Yes I do, It does not happen immediately bug after I create many Circuits and the only way to solve it is to restart tor browser as you said above.

Thanks a lot! So most likely it's not Tor's problem. Looks like FSB just hacked site they hate so much. Sure, When I visit the website using my Non-Tor connection I do not get the FSB redirect.

Trac:
Username: Dbryrtfbcbhgf

Trac:
Username: timur.davletshin
Resolution: N/A to not a bug
Status: new to closed

By the way you can use the following other methods to access it without redirect in the Tor Browser:

1. Go to https://via.hypothes.is/https://psb4ukr.org

2. a) Go to Wayback machine https://web.archive.org/save/https://psb4ukr.org

3. b) Go to Wayback machine onion http://web.archivecrfip2lpi.onion/save/https://psb4ukr.org

4. a) Go to archive.fo https://archive.fo/?run=1&url=https://psb4ukr.org

5. b) Go to archive.fo onion http://archivecaslytosk.onion/?run=1&url=https://psb4ukr.org

6. Use web proxies like https://hidester.net/proxy or https://www.proxysite.com or https://hide.me/en/proxy or https://www.youtubeunblocks.com

7. Search for psb4ukr.org in https://searx.me and click on the Proxy link in the search results

They even have an onion service of their own http://psb4uklopi7ocb5l.onion ;)

Replying to cypherpunks:

By the way you can use the following other methods to access it without redirect in the Tor Browser:

1. Go to https://via.hypothes.is/https://psb4ukr.org

2. a) Go to Wayback machine https://web.archive.org/save/https://psb4ukr.org

3. b) Go to Wayback machine onion http://web.archivecaslytosk.onion/save/https://psb4ukr.org

4. a) Go to archive.fo https://archive.fo/?run=1&url=https://psb4ukr.org

5. b) Go to archive.fo onion http://archivecaslytosk.onion/?run=1&url=https://psb4ukr.org

6. Use web proxies like https://hidester.net/proxy or https://www.proxysite.com or https://hide.me/en/proxy or https://www.youtubeunblocks.com

7. Search for psb4ukr.org in https://searx.me and click on the Proxy link in the search results

Thanks for your recommendation.

But there is one thing I still don't get — why do we get this redirect only in Tor?

Trac:
Username: timur.davletshin

Replying to timur.davletshin:

But there is one thing I still don't get — why do we get this redirect only in Tor? Maybe you hit a Russian exit node?

In any case, to guarantee end-to-end authentication to make sure you're talking to the right server => use their onion service.

A guess: the web server has some kind of automated anti-abuse system, and when it decides that it doesn't want to serve a client, it serves a 302 redirect instead of, say, a 403 Forbidden. The choice of FSB as a destination could be a kind of joke?

It cannot be a Great Firewall–like TCP injection, because the connection is HTTPS (even with HSTS and HPKP). It has to be the remote server sending the redirect.

comment:6 suggests the server is hacked—that's plausible if, say, there are 10 servers behind a load balancer and one of them is hacked. But that wouldn't explain why, in comment:7, non-Tor connections do not get the redirect. It seems more likely to me that it's some kind of attack detection, or something like that, on the server, and that Tor exits are more likely to be on the wrong side of the classification.

Here is what the redirect response looks like (it's HTTP/2, so the header does not literally look like that, but it has the same meaning):

HTTP/2 302 
server: nginx
date: Wed, 07 Mar 2018 19:38:45 GMT
content-type: text/html
location: http://fsb.ru//
strict-transport-security: max-age=31536000; includeSubdomains; preload
public-key-pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

I got this with torsocks -i curl -D header https://psb4ukr.org | tee body. As in comment:2, I had to try maybe about 10 times before getting the redirect rather than the actual web page.

Interestingly, when I use wget rather than curl, I get the redirect every time. With torsocks -i wget -S https://psb4ukr.org:

Resolving psb4ukr.org (psb4ukr.org)... 158.69.100.131
Connecting to psb4ukr.org (psb4ukr.org)|158.69.100.131|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Moved Temporarily
  Server: nginx
  Date: Wed, 07 Mar 2018 19:43:19 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: keep-alive
  Location: http://fsb.ru//
  Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
  Public-Key-Pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
Location: http://fsb.ru// [following]

For comparison, here is what a non-redirected header looks like (notice the server is different and the apparent typo piblic):

HTTP/2 200 
date: Wed, 07 Mar 2018 19:34:56 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
vary: Accept-Encoding
age: 16805
server: NATO HPWS/3.0
cache-control: piblic; max-age=900
x-cache: HIT
strict-transport-security: max-age=31536000; includeSubdomains; preload
public-key-pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

Do we have an URL bar spoofing in action? (See attachment)

Trac:
Status: closed to reopened
Resolution: not a bug to N/A
Component: Core Tor/Tor to Applications/Tor Browser

When using there onion http://psb4uklopi7ocb5l.onion I do not get the the FSB redirect.

Trac:
Username: Dbryrtfbcbhgf

Replying to cypherpunks:

Do we have an URL bar spoofing in action? (See attachment) Doesn't look like it, even in the attachment as there's no lockpad icon, which means the url that you're seeing was manually modified (probably to suggest that he was trying to access https://psb4ukr.org at first).

Replying to cypherpunks:

Replying to cypherpunks:

Do we have an URL bar spoofing in action? (See attachment) Doesn't look like it, even in the attachment as there's no lockpad icon, which means the url that you're seeing was manually modified (probably to suggest that he was trying to access https://psb4ukr.org at first).

That is true, I modified URL bar address exactly for this purpose.

Trac:
Username: timur.davletshin

Setting as not a bug again.

Trac:
Resolution: N/A to not a bug
Status: reopened to closed

Wrong Resolution

Trac:
Resolution: not a bug to N/A
Status: closed to reopened

Trac:
Resolution: N/A to invalid
Status: reopened to closed

closed

moved to tpo/applications/tor-browser#25445 (closed)