Opened 5 months ago

Last modified 4 months ago

#31066 new defect

Consider protection against requests going through catch-all circuit

Reported by: acat Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff68-esr, tbb-linkability
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor44-can

Description

While taking a look at upstreaming #26353 to Firefox I was thinking whether it would make sense to have some mitigations to reduce potential anonymity loss if there are requests unintentionally going through the catch-all circuit. We currently isolate requests by originAttributes.firstPartyDomain. If originAttributes.firstPartyDomain is empty, then the request goes to the catch-all circuit (socks username --unknown--).

I would suggest changing this and proxying with socks username --unknown--|||firstPartyDomain(request) instead, where firstPartyDomain is calculated as if the request host was the origin. I think this can only improve user anonymity wrt current behaviour, at the cost of potentially worse network performance (more circuits). But I think there should not be many cases were firstPartyDomain is empty, and also not so many --unknown-- + domain combinations to make this a performance issue. I think it should be seen just as a mitigation for the potential cases in Tor Browser that might not obey first party isolation.

Not sure if this has already been discussed in the past, but I thought it might be interesting to consider.

Child Tickets

Change History (2)

comment:1 Changed 5 months ago by gk

Keywords: tbb-linkability added

comment:2 Changed 4 months ago by pili

Sponsor: Sponsor44-can

Adding Sponsor 44 to ESR68 tickets

Note: See TracTickets for help on using tickets.