Opened 5 months ago

Closed 4 months ago

#26353 closed defect (fixed)

First request after copying and pasting an URL in URL bar seems to go over the catch-all circuit

Reported by: gk
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff60-esr, tbb-linkability, TorBrowserTeam201807R
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

If one goes e.g. to our blog and copies and pastes a link from the Upcoming Events section (like https://blog.torproject.org/events/first-amendment-21st-century-pittsburgh) and hits return then the first request seems to go over the catch-all circuit:

[06-12 08:47:21] Torbutton INFO: tor SOCKS: https://blog.torproject.org/events/first-amendment-21st-century-pittsburgh via
                       --unknown--:d106e3543536c1d88e4b356a8d2644e8
[06-12 08:47:21] Torbutton INFO: tor SOCKS: https://blog.torproject.org/events/first-amendment-21st-century-pittsburgh via
                       torproject.org:7ec24bef3562e08e7b096e5b1049cb49

If that's indeed the case we need to fix that.
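
A check built from the log excerpt above (an added example, not part of the ticket or of Torbutton's code): it parses `tor SOCKS` lines in the layout quoted in the description and reports URLs that were requested over both the `--unknown--` catch-all key and a first-party key. The function names and the sample log (example.org and example.net URLs, made-up nonces) are constructed for illustration.

```javascript
// Isolation key Torbutton logs for the catch-all circuit (as seen in the ticket).
const CATCH_ALL = "--unknown--";

// Layout from the ticket: "[MM-DD HH:MM:SS] Torbutton INFO: tor SOCKS: <url> via <key>:<nonce>"
// The \s+ after "via" tolerates the line wrap seen in the quoted log.
const ENTRY_RE =
  /\[(\d\d-\d\d \d\d:\d\d:\d\d)\] Torbutton INFO: tor SOCKS: (\S+) via\s+(\S+):([0-9a-f]+)/g;

function parseSocksLog(text) {
  return [...text.matchAll(ENTRY_RE)].map((m) => ({
    time: m[1], url: m[2], isolationKey: m[3], nonce: m[4],
  }));
}

// Report URLs requested over the catch-all circuit AND over a first-party-keyed
// circuit, which is the pattern shown in the ticket's log excerpt.
function findCatchAllLeaks(text) {
  const byUrl = new Map();
  for (const e of parseSocksLog(text)) {
    if (!byUrl.has(e.url)) byUrl.set(e.url, []);
    byUrl.get(e.url).push(e);
  }
  const leaks = [];
  for (const [url, entries] of byUrl) {
    const catchAll = entries.filter((e) => e.isolationKey === CATCH_ALL);
    const keyed = entries.filter((e) => e.isolationKey !== CATCH_ALL);
    if (catchAll.length > 0 && keyed.length > 0) {
      leaks.push({
        url,
        firstSeen: catchAll[0].time,
        firstPartyKeys: [...new Set(keyed.map((e) => e.isolationKey))],
      });
    }
  }
  return leaks;
}

// Constructed sample: one URL seen on both circuits, one keyed only, one catch-all only.
const SAMPLE_LOG = `
[06-12 08:47:21] Torbutton INFO: tor SOCKS: https://www.example.org/events/a via
                       --unknown--:00112233445566778899aabbccddeeff
[06-12 08:47:21] Torbutton INFO: tor SOCKS: https://www.example.org/events/a via
                       example.org:ffeeddccbbaa99887766554433221100
[06-12 08:47:25] Torbutton INFO: tor SOCKS: https://www.example.org/style.css via
                       example.org:ffeeddccbbaa99887766554433221100
[06-12 08:48:02] Torbutton INFO: tor SOCKS: https://updates.example.net/check via
                       --unknown--:0123456789abcdef0123456789abcdef
`;
console.log(findCatchAllLeaks(SAMPLE_LOG));
```

Only the first URL is reported; the request seen solely under `--unknown--` is left out because it has no first-party-keyed counterpart to compare against.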

Change History (3)

comment:1 Changed 4 months ago by arthuredelstein

Keywords: TorBrowserTeam201807R added
Status: new → needs_review

I tracked this down to a speculative connect. It also occurs if the user enters a search term or types in a full http or https URL.

Here's a patch that disables the speculative connect for now:
https://github.com/arthuredelstein/tor-browser/commit/26353

I have also opened a bug on Bugzilla to try to track down exactly why FPI is violated here: https://bugzilla.mozilla.org/show_bug.cgi?id=1475811

comment:2 Changed 4 months ago by mcs

r=mcs
The patch looks good to me. Nice find by both of you! Unlike some truly speculative connects such as in response to someone hovering over a link with their mouse, this one is not speculative in the same way (because a network connection is going to happen soon anyway). That is probably why the change that added this "speculative" connect did not raise any red flags for Kathy and me when we reviewed the undocumented FF57 bugs (see https://bugzilla.mozilla.org/show_bug.cgi?id=1383299).

comment:3 Changed 4 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks. Cherry-picked to tor-browser-60.1.0esr-8.0-1 (commit 1b1c4e4143d57a72e02464ac3bc343bd6d57ec9e).
