Opened 13 months ago

Last modified 13 months ago

#25672 new defect

Debugger in developer tools is fetching website over catch-all circuit

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-linkability
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Go to https://sorry.google.com/sorry/misc and you'll see the exit IP address of the circuit bound to the google.com domain.
Now, open the delevoper tools (Ctrl + Shift + K) and select the debugger pane and you see that

1) The page is fetched again (which is a Firefox bug)
2) The catch-all-circuit is used as the debugger does not seem to understand the concept of first party isolation.

See: #15555 for a similar problem.

Found by Rbcafe and reported to HackerOne.

Child Tickets

Change History (6)

comment:1 in reply to:  description Changed 13 months ago by sysrqb

Replying to gk:

2) The catch-all-circuit is used as the debugger does not seem to understand the concept of first party isolation.

I wonder if this is related to #22538, as well.

comment:2 Changed 13 months ago by sysrqb

Hmm, here's another one.

[04-11 00:10:07] Torbutton INFO: tor SOCKS: https://www.torproject.org/dist/torbrowser/7.5.3/torbrowser-install-7.5.3_en-US.exe via
                       --unknown--:71e69d27f4adff41fb754a6dc960dfeb
[04-11 00:10:07] Torbutton INFO: controlPort >> 650 STREAM 60 NEW 0 www.torproject.org:443 SOURCE_ADDR=127.0.0.1:46916 PURPOSE=USER
[04-11 00:10:07] Torbutton INFO: controlPort >> 650 STREAM 60 SENTCONNECT 36 www.torproject.org:443
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 60 REMAP 36 138.201.14.197:443 SOURCE=EXIT
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 60 SUCCEEDED 36 138.201.14.197:443
[04-11 00:10:08] Torbutton INFO: tor SOCKS: https://dist.torproject.org/torbrowser/7.5.3/torbrowser-install-7.5.3_en-US.exe via
                       --unknown--:71e69d27f4adff41fb754a6dc960dfeb
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 61 NEW 0 dist.torproject.org:443 SOURCE_ADDR=127.0.0.1:46918 PURPOSE=USER
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 61 SENTCONNECT 36 dist.torproject.org:443
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 61 REMAP 36 38.229.72.17:443 SOURCE=EXIT
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 61 SUCCEEDED 36 38.229.72.17:443

,
If you go to any webpage and right-click on any link (<a href=) and select "Save Link As...", then a connection is established over the catch-all circuit. I'd expect this use the first-party-circuit.

comment:3 Changed 13 months ago by sysrqb

I should also mention https://trac.torproject.org/projects/tor/ticket/15599#comment:9 is another instance of this. I noticed this in my logs, too. An OCSP fetch should happen over the domain isolated circuit.

[04-11 00:04:30] Torbutton INFO: tor SOCKS: https://twitter.com/search-advanced via
                       --unknown--:71e69d27f4adff41fb754a6dc960dfeb
[04-11 00:04:30] Torbutton INFO: controlPort >> 650 STREAM 51 NEW 0 twitter.com:443 SOURCE_ADDR=127.0.0.1:46898 PURPOSE=USER
[04-11 00:04:30] Torbutton INFO: controlPort >> 650 STREAM 51 SENTCONNECT 36 twitter.com:443
[04-11 00:04:30] Torbutton INFO: controlPort >> 650 STREAM 51 REMAP 36 104.244.42.65:443 SOURCE=EXIT
[04-11 00:04:30] Torbutton INFO: controlPort >> 650 STREAM 51 SUCCEEDED 36 104.244.42.65:443
[04-11 00:04:31] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via
                       --unknown--:71e69d27f4adff41fb754a6dc960dfeb
[04-11 00:04:31] Torbutton INFO: controlPort >> 650 STREAM 52 NEW 0 ocsp.digicert.com:80 SOURCE_ADDR=127.0.0.1:46900 PURPOSE=USER
[04-11 00:04:31] Torbutton INFO: controlPort >> 650 STREAM 52 SENTCONNECT 36 ocsp.digicert.com:80
[04-11 00:04:31] Torbutton INFO: controlPort >> 650 STREAM 52 REMAP 36 93.184.220.29:80 SOURCE=EXIT
[04-11 00:04:31] Torbutton INFO: controlPort >> 650 STREAM 52 SUCCEEDED 36 93.184.220.29:80
[04-11 00:06:26] Torbutton INFO: controlPort >> 650 STREAM 52 CLOSED 36 93.184.220.29:80 REASON=DONE
[04-11 00:06:27] Torbutton INFO: controlPort >> 650 STREAM 51 CLOSED 36 104.244.42.65:443 REASON=DONE

Considering how often it seems this occurs, I'm guessing plumbing the first party URI through the layers is more complicated than expected.

comment:4 Changed 13 months ago by sysrqb

Summary: Debugger in delevoper tools is fetching website over catch-all circuitDebugger in developer tools is fetching website over catch-all circuit

(I noticed the typo when I received the email.)

comment:5 in reply to:  2 Changed 13 months ago by gk

Replying to sysrqb:

Hmm, here's another one.

[04-11 00:10:07] Torbutton INFO: tor SOCKS: https://www.torproject.org/dist/torbrowser/7.5.3/torbrowser-install-7.5.3_en-US.exe via
                       --unknown--:71e69d27f4adff41fb754a6dc960dfeb
[04-11 00:10:07] Torbutton INFO: controlPort >> 650 STREAM 60 NEW 0 www.torproject.org:443 SOURCE_ADDR=127.0.0.1:46916 PURPOSE=USER
[04-11 00:10:07] Torbutton INFO: controlPort >> 650 STREAM 60 SENTCONNECT 36 www.torproject.org:443
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 60 REMAP 36 138.201.14.197:443 SOURCE=EXIT
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 60 SUCCEEDED 36 138.201.14.197:443
[04-11 00:10:08] Torbutton INFO: tor SOCKS: https://dist.torproject.org/torbrowser/7.5.3/torbrowser-install-7.5.3_en-US.exe via
                       --unknown--:71e69d27f4adff41fb754a6dc960dfeb
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 61 NEW 0 dist.torproject.org:443 SOURCE_ADDR=127.0.0.1:46918 PURPOSE=USER
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 61 SENTCONNECT 36 dist.torproject.org:443
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 61 REMAP 36 38.229.72.17:443 SOURCE=EXIT
[04-11 00:10:08] Torbutton INFO: controlPort >> 650 STREAM 61 SUCCEEDED 36 38.229.72.17:443

,
If you go to any webpage and right-click on any link (<a href=) and select "Save Link As...", then a connection is established over the catch-all circuit. I'd expect this use the first-party-circuit.

That's not related to the developer tools, so let's keep it separate. It's #22649 and see #22343 as well.

comment:6 in reply to:  3 Changed 13 months ago by gk

Replying to sysrqb:

I should also mention https://trac.torproject.org/projects/tor/ticket/15599#comment:9 is another instance of this. I noticed this in my logs, too. An OCSP fetch should happen over the domain isolated circuit.

[04-11 00:04:30] Torbutton INFO: tor SOCKS: https://twitter.com/search-advanced via
                       --unknown--:71e69d27f4adff41fb754a6dc960dfeb
[04-11 00:04:30] Torbutton INFO: controlPort >> 650 STREAM 51 NEW 0 twitter.com:443 SOURCE_ADDR=127.0.0.1:46898 PURPOSE=USER
[04-11 00:04:30] Torbutton INFO: controlPort >> 650 STREAM 51 SENTCONNECT 36 twitter.com:443
[04-11 00:04:30] Torbutton INFO: controlPort >> 650 STREAM 51 REMAP 36 104.244.42.65:443 SOURCE=EXIT
[04-11 00:04:30] Torbutton INFO: controlPort >> 650 STREAM 51 SUCCEEDED 36 104.244.42.65:443
[04-11 00:04:31] Torbutton INFO: tor SOCKS: http://ocsp.digicert.com/ via
                       --unknown--:71e69d27f4adff41fb754a6dc960dfeb
[04-11 00:04:31] Torbutton INFO: controlPort >> 650 STREAM 52 NEW 0 ocsp.digicert.com:80 SOURCE_ADDR=127.0.0.1:46900 PURPOSE=USER
[04-11 00:04:31] Torbutton INFO: controlPort >> 650 STREAM 52 SENTCONNECT 36 ocsp.digicert.com:80
[04-11 00:04:31] Torbutton INFO: controlPort >> 650 STREAM 52 REMAP 36 93.184.220.29:80 SOURCE=EXIT
[04-11 00:04:31] Torbutton INFO: controlPort >> 650 STREAM 52 SUCCEEDED 36 93.184.220.29:80
[04-11 00:06:26] Torbutton INFO: controlPort >> 650 STREAM 52 CLOSED 36 93.184.220.29:80 REASON=DONE
[04-11 00:06:27] Torbutton INFO: controlPort >> 650 STREAM 51 CLOSED 36 104.244.42.65:443 REASON=DONE

Considering how often it seems this occurs, I'm guessing plumbing the first party URI through the layers is more complicated than expected.

How is that related to the developer tools? And #15599? That comment there said that the pdf download related OCSP requests go over the catch-all circuit as well which is not surprising given that the download itself started over the download button went over the catch-all circuit. BUT: how does that related to your your Twitter related log snippet?

Note: See TracTickets for help on using tickets.