Opened 3 months ago

Closed 3 months ago

#25445 closed defect (invalid)

Opening site in Tor Browser redirects to FSB

Reported by: timur.davletshin
Owned by:
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Quite disturbing thing just happened to me.

System: Debian 9, x64, latest updates applied, Tor Browser 7.5 official distribution, checksum check passed.

Description: I opened one of the sites which is blocked in Russia and suddenly I got redirected to the FSB site (Federal Security Services of the Russian Federation). I tried to change the Tor circuit — the result is the same. But... if I restart Tor Browser it worked as expected — the blocked site opened. I tried several times and, roughly speaking, only one out of 10 is not working as expected — redirecting me to the FSB.

Site: https://psb4ukr.org

I'd love to help though I don't know how to debug Tor.

Screenshot is attached.

Child Tickets

Attachments (1)

Untitled1.png (271.6 KB) - added by timur.davletshin 3 months ago.
Site redirects to FSB


Change History (21)

Changed 3 months ago by timur.davletshin

Attachment: Untitled1.png added

Site redirects to FSB

comment:1 Changed 3 months ago by Dbryrtfbcbhgf

Odd, even when I use the site's IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

Last edited 3 months ago by Dbryrtfbcbhgf

comment:2 in reply to: 1; Changed 3 months ago by timur.davletshin

Replying to Dbryrtfbcbhgf:

Odd, even when I use the site's IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to the FSB I start developing paranoia.

comment:3 in reply to: 2; Changed 3 months ago by Dbryrtfbcbhgf

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the site's IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to the FSB I start developing paranoia.

I live outside of Russia and I'm still getting the message, so I don't think you should be paranoid; let's see what the Tor devs say.

Last edited 3 months ago by Dbryrtfbcbhgf

comment:4 in reply to: 3; Changed 3 months ago by timur.davletshin

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the site's IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to the FSB I start developing paranoia.

I live outside of Russia and I'm still getting the message, so I don't think you should be paranoid; let's see what the Tor devs say.

Do you get the FSB redirect too?

comment:5 in reply to: 4; Changed 3 months ago by Dbryrtfbcbhgf

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the site's IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to the FSB I start developing paranoia.

I live outside of Russia and I'm still getting the message, so I don't think you should be paranoid; let's see what the Tor devs say.

Do you get the FSB redirect too?

Yes I do. It does not happen immediately, but after I create many circuits, and the only way to solve it is to restart Tor Browser as you said above.

Last edited 3 months ago by Dbryrtfbcbhgf

comment:6 in reply to: 5; Changed 3 months ago by timur.davletshin

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the site's IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to the FSB I start developing paranoia.

I live outside of Russia and I'm still getting the message, so I don't think you should be paranoid; let's see what the Tor devs say.

Do you get the FSB redirect too?

Yes I do. It does not happen immediately, but after I create many circuits, and the only way to solve it is to restart Tor Browser as you said above.

Thanks a lot! So most likely it's not Tor's problem. Looks like the FSB just hacked the site they hate so much.

comment:7 in reply to: 6; Changed 3 months ago by Dbryrtfbcbhgf

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Replying to timur.davletshin:

Replying to Dbryrtfbcbhgf:

Odd, even when I use the site's IP 158.69.100.131 I will still get the error if I keep creating a new circuit to that website.

It does work for me 9 out of 10. But when I get redirected to the FSB I start developing paranoia.

I live outside of Russia and I'm still getting the message, so I don't think you should be paranoid; let's see what the Tor devs say.

Do you get the FSB redirect too?

Yes I do. It does not happen immediately, but after I create many circuits, and the only way to solve it is to restart Tor Browser as you said above.

Thanks a lot! So most likely it's not Tor's problem. Looks like the FSB just hacked the site they hate so much.

Sure. When I visit the website using my non-Tor connection I do not get the FSB redirect.

comment:8 Changed 3 months ago by timur.davletshin

Resolution: not a bug
Status: new → closed

comment:9 Changed 3 months ago by cypherpunks

By the way, you can use the following other methods to access it without the redirect in Tor Browser:

1) Go to https://via.hypothes.is/https://psb4ukr.org

2) a) Go to Wayback machine https://web.archive.org/save/https://psb4ukr.org

2) b) Go to Wayback machine onion http://web.archivecrfip2lpi.onion/save/https://psb4ukr.org

3) a) Go to archive.fo https://archive.fo/?run=1&url=https://psb4ukr.org

3) b) Go to archive.fo onion http://archivecaslytosk.onion/?run=1&url=https://psb4ukr.org

4) Use web proxies like https://hidester.net/proxy or https://www.proxysite.com or https://hide.me/en/proxy or https://www.youtubeunblocks.com

5) Search for psb4ukr.org in https://searx.me and click on the Proxy link in the search results

Last edited 3 months ago by cypherpunks

comment:10 Changed 3 months ago by cypherpunks

They even have an onion service of their own http://psb4uklopi7ocb5l.onion ;)

comment:11 in reply to: 9; Changed 3 months ago by timur.davletshin

Replying to cypherpunks:

By the way, you can use the following other methods to access it without the redirect in Tor Browser:

1) Go to https://via.hypothes.is/https://psb4ukr.org

2) a) Go to Wayback machine https://web.archive.org/save/https://psb4ukr.org

2) b) Go to Wayback machine onion http://web.archivecaslytosk.onion/save/https://psb4ukr.org

3) a) Go to archive.fo https://archive.fo/?run=1&url=https://psb4ukr.org

3) b) Go to archive.fo onion http://archivecaslytosk.onion/?run=1&url=https://psb4ukr.org

4) Use web proxies like https://hidester.net/proxy or https://www.proxysite.com or https://hide.me/en/proxy or https://www.youtubeunblocks.com

5) Search for psb4ukr.org in https://searx.me and click on the Proxy link in the search results

Thanks for your recommendation.

But there is one thing I still don't get — why do we get this redirect only in Tor?

comment:12 in reply to: 11; Changed 3 months ago by cypherpunks

Replying to timur.davletshin:

But there is one thing I still don't get — why do we get this redirect only in Tor?

Maybe you hit a Russian exit node?

In any case, to guarantee end-to-end authentication to make sure you're talking to the right server => use their onion service.

comment:13 Changed 3 months ago by dcf

A guess: the web server has some kind of automated anti-abuse system, and when it decides that it doesn't want to serve a client, it serves a 302 redirect instead of, say, a 403 Forbidden. The choice of FSB as a destination could be a kind of joke?

It cannot be a Great Firewall–like TCP injection, because the connection is HTTPS (even with HSTS and HPKP). It has to be the remote server sending the redirect.

comment:6 suggests the server is hacked—that's plausible if, say, there are 10 servers behind a load balancer and one of them is hacked. But that wouldn't explain why, in comment:7, non-Tor connections do not get the redirect. It seems more likely to me that it's some kind of attack detection, or something like that, on the server, and that Tor exits are more likely to be on the wrong side of the classification.

Here is what the redirect response looks like (it's HTTP/2, so the header does not literally look like that, but it has the same meaning):

HTTP/2 302 
server: nginx
date: Wed, 07 Mar 2018 19:38:45 GMT
content-type: text/html
location: http://fsb.ru//
strict-transport-security: max-age=31536000; includeSubdomains; preload
public-key-pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

I got this with torsocks -i curl -D header https://psb4ukr.org | tee body. As in comment:2, I had to try maybe about 10 times before getting the redirect rather than the actual web page.

Interestingly, when I use wget rather than curl, I get the redirect every time. With torsocks -i wget -S https://psb4ukr.org:

Resolving psb4ukr.org (psb4ukr.org)... 158.69.100.131
Connecting to psb4ukr.org (psb4ukr.org)|158.69.100.131|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 302 Moved Temporarily
  Server: nginx
  Date: Wed, 07 Mar 2018 19:43:19 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: keep-alive
  Location: http://fsb.ru//
  Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
  Public-Key-Pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
Location: http://fsb.ru// [following]

For comparison, here is what a non-redirected header looks like (notice the server is different and the apparent typo piblic):

HTTP/2 200 
date: Wed, 07 Mar 2018 19:34:56 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
vary: Accept-Encoding
age: 16805
server: NATO HPWS/3.0
cache-control: piblic; max-age=900
x-cache: HIT
strict-transport-security: max-age=31536000; includeSubdomains; preload
public-key-pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

Last edited 3 months ago by dcf
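The comparison dcf made by hand above (status line, Server and Location headers, and how often the redirect shows up across fresh circuits) can be scripted. The following is an added illustration, not code from the ticket or from Tor Browser; the function names and the `status|server|location|verdict` output format are my own, and the probe assumes `torsocks` and `curl` on PATH with a running tor.

```shell
#!/bin/sh
# Added illustration (not from the ticket): classify one captured HTTP response
# header block the way dcf compared them by hand. Accepts `curl -D` output
# (CRLF line ends, HTTP/2 lowercase names) or the indented `wget -S` form.
# Output: status|server|location|verdict. verdict is "origin" for a non-3xx
# answer, or "redirect" plus ",cross-origin" when the Location host differs
# from the expected host and ",plaintext" when the Location is not https.
classify_response() {
    file=$1
    host=$2
    hdr=$(tr -d '\r' < "$file")
    status=$(printf '%s\n' "$hdr" | sed -nE 's/^ *HTTP\/[0-9.]+ +([0-9]{3}).*/\1/p' | head -n 1)
    server=$(printf '%s\n' "$hdr" | sed -nE 's/^ *[Ss]erver: *//p' | head -n 1)
    location=$(printf '%s\n' "$hdr" | sed -nE 's/^ *[Ll]ocation: *//p' | head -n 1)
    verdict=origin
    case "$status" in
        3??)
            verdict=redirect
            # Split e.g. http://fsb.ru// into scheme "http" and host "fsb.ru".
            scheme=${location%%://*}
            rest=${location#*://}
            target=${rest%%/*}
            [ "$target" = "$host" ] || verdict="$verdict,cross-origin"
            [ "$scheme" = "https" ] || verdict="$verdict,plaintext"
            ;;
    esac
    printf '%s|%s|%s|%s\n' "${status:-?}" "${server:--}" "${location:--}" "$verdict"
}

# Fetch the URL N times through Tor, each curl in its own isolated SOCKS
# session (torsocks -i, as in the comment above) so runs are likely to leave
# through different exits, then tally the verdicts. Needs network access.
probe_via_tor() {
    url=$1
    n=${2:-10}
    host=${url#*://}
    host=${host%%/*}
    tmp=$(mktemp)
    i=0
    while [ "$i" -lt "$n" ]; do
        torsocks -i curl -sS -o /dev/null -D "$tmp" --max-time 60 "$url" || true
        classify_response "$tmp" "$host"
        i=$((i + 1))
    done | sort | uniq -c
    rm -f "$tmp"
}

# Example (network required): probe_via_tor https://psb4ukr.org 20
```

A tally that shows the 302 only alongside `server: nginx` while the 200 carries a different Server header is the kind of evidence that points at the site's own front end rather than at Tor.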

comment:14 Changed 3 months ago by cypherpunks

Component: Core Tor/Tor → Applications/Tor Browser
Resolution: not a bug
Status: closed → reopened

Do we have URL bar spoofing in action? (See attachment.)

comment:15 Changed 3 months ago by Dbryrtfbcbhgf

When using their onion http://psb4uklopi7ocb5l.onion I do not get the FSB redirect.

comment:16 in reply to: 14; Changed 3 months ago by cypherpunks

Replying to cypherpunks:

Do we have URL bar spoofing in action? (See attachment.)

Doesn't look like it, even in the attachment, as there's no padlock icon, which means the URL that you're seeing was manually modified (probably to suggest that he was trying to access https://psb4ukr.org at first).

comment:17 in reply to: 16; Changed 3 months ago by timur.davletshin

Replying to cypherpunks:

Replying to cypherpunks:

Do we have URL bar spoofing in action? (See attachment.)

Doesn't look like it, even in the attachment, as there's no padlock icon, which means the URL that you're seeing was manually modified (probably to suggest that he was trying to access https://psb4ukr.org at first).

That is true, I modified the URL bar address exactly for this purpose.

comment:18 Changed 3 months ago by cypherpunks

Resolution: not a bug
Status: reopened → closed

Setting as not a bug again.

comment:19 Changed 3 months ago by cypherpunks

Resolution: not a bug
Status: closed → reopened

Wrong Resolution

comment:20 Changed 3 months ago by cypherpunks

Resolution: invalid
Status: reopened → closed