Opened 7 months ago

Closed 7 months ago

#32321 closed defect (fixed) is contacted over catch-all circuit

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-9.0-issues, tbb-9.0.1-can, tbb-linkability, TorBrowserTeam201910R, GeorgKoppen201910
Cc: Actual Points: 0.1
Parent ID: Points: 0.1
Reviewer: Sponsor:


If one triggers a MitM-warning (e.g. on what seems to be a background request is sent over the catch-all circuit to

[10-25 07:50:12] Torbutton INFO: tor SOCKS: via

Either we properly do FPI here OR we just omit contacting Mozilla here at all (I think the latter sounds fine).

Reported on our blog.

Child Tickets

Change History (5)

comment:1 Changed 7 months ago by gk

It seems security.certerrors.mitm.priming.enabled is the pref we need to take care of here.

comment:2 Changed 7 months ago by gk

Actual Points: 0.1
Keywords: TorBrowserTeam201910R added
Points: 0.1
Status: newneeds_review

I think it's fine do disable that ping to Mozilla right now. We should think generally about improving our certificate error pages though. #19119 has some ideas here.

bug_32321 ( has a patch for review.

comment:3 Changed 7 months ago by gk

Keywords: GeorgKoppen201910 added

comment:4 Changed 7 months ago by mcs

Looks good to me.

comment:5 Changed 7 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

Thanks. Cherry-picked onto tor-browser-68.2.0esr-9.5-1 (commit 15c35b79675acbfb5949aae6d18630ce20050891) and tor-browser-68.2.0esr-9.0-1 (commit a467e27614c9632cd847a3fd3d1487ae57a87cc2).

Note: See TracTickets for help on using tickets.