Opened 11 months ago

Last modified 8 months ago

#32777 new defect

Weird things happening in Tor Browser (some websites change Tor circuit paths rapidly)

Reported by: Tor235
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version: Tor: unspecified
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

While using Tor Browser recently, I've noticed that several websites change their Tor circuit path many times in a matter of just a few seconds (for no apparent reason).

One of these websites is ipchicken.com (a website which shows one's current IP address). When visiting ipchicken.com, the Tor circuit path changes many times in a few seconds. At first, the "current IP address" on ipchicken.com is a regular Tor exit node. But when the page is reloaded, the "current IP address" becomes an odd IPv6 address. Reloading the page a 2nd time shows a similar IPv6 address (with the same starting digits, but different ending digits). This is one of the IPv6 addresses it displayed:

2405:8100:8000:5ca1::27f:e187

I checked this IP address in the Tor ExoneraTor (metrics.torproject.org/exonerator.html), and this IPv6 address does not appear to be in the Tor database.

Also, the exact same thing that happened on ipchicken.com happened on a completely different IP-checking website -- the IP address displayed was (at first) the Tor exit node, but then when the page was reloaded, it became an IPv6 address beginning with "2405:8100:8000:5ca1..." (That website changed its Tor circuit path many times in a matter of seconds as well).

The 2nd IP-checking website said that the origin of the IPv6 address is "CloudFlare Hong Kong".

I tried accessing ipchicken.com and other IP-checking websites on a different computer, and the same thing happened (weird IPv6 address appeared).

So multiple websites are, for no apparent reason, changing their Tor circuit paths many times in just a few seconds, AND displaying strange IPv6 address as the "current IP address". Other websites, such as Wikipedia, are normal.

Is this just a Tor Browser bug, or could it be some other kind of problem?

Note that on websites in which the Tor circuit path changed many times for no apparent reason, the entry node (guard node) generally stayed the same.

The Tor Browser used is version 9.0.2.

Change History (5)

comment:1 Changed 11 months ago by nickm

Component: Core Tor/Tor → Applications/Tor Browser
Owner: set to tbb-team

comment:2 in reply to:  description Changed 11 months ago by cypherpunks

Replying to Tor235:

> While using Tor Browser recently, I've noticed that several websites change their Tor circuit path many times in a matter of just a few seconds (for no apparent reason).

> One of these websites is ipchicken.com (a website which shows one's current IP address). When visiting ipchicken.com, the Tor circuit path changes many times in a few seconds. At first, the "current IP address" on ipchicken.com is a regular Tor exit node. But when the page is reloaded, the "current IP address" becomes an odd IPv6 address.

  1. since https://ipchicken.com/ does not contain any AAAA records, it is not possible that it reports an IPv6 to you.

> Reloading the page a 2nd time shows a similar IPv6 address (with the same starting digits, but different ending digits). This is one of the IPv6 addresses it displayed:

> 2405:8100:8000:5ca1::27f:e187

this is a cloudflare ip
https://www.cloudflare.com/ips/

> I checked this IP address in the Tor ExoneraTor (metrics.torproject.org/exonerator.html), and this IPv6 address does not appear to be in the Tor database.

yes, because this is a cloudflare ip

  1. ipchicken.com IS cloudflared.


> The 2nd IP-checking website said that the origin of the IPv6 address is "CloudFlare Hong Kong".

correct, as the website is behind cloudflare.

> I tried accessing ipchicken.com and other IP-checking websites on a different computer, and the same thing happened (weird IPv6 address appeared).

yes, because the website does not check your browser used ip but from cloudflare.

> So multiple websites are, for no apparent reason, changing their Tor circuit paths many times in just a few seconds, AND displaying strange IPv6 address as the "current IP address". Other websites, such as Wikipedia, are normal.

> Is this just a Tor Browser bug, or could it be some other kind of problem?

not a Tor Browser bug. it is the website reporting the CDN ip that is serving to you.

> Note that on websites in which the Tor circuit path changed many times for no apparent reason, the entry node (guard node) generally stayed the same.

Yes, the guard should always stay the same, even if the malicious website forces you into 1000's of new circuits. otherwise you could be deanonymized. what you should care about is guard rotation attacks, not if it stays the same.

> The Tor Browser used is version 9.0.2.

false positive.

comment:3 in reply to:  description Changed 11 months ago by cypherpunks

Replying to Tor235:

> Note that on websites in which the Tor circuit path changed many times for no apparent reason, the entry node (guard node) generally stayed the same.

https://support.torproject.org/tbb/tbb-2/

comment:4 Changed 8 months ago by pastly

This is due to onion alt-svc headers. There is nothing nefarious going on. The only thing that might need fixing is the circuit display and how it chooses which of the 1 or more circuits that Tor has open to load resources from the URL-bar domain and any embedded resources to display.
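
An added example, not part of the ticket or of Tor Browser's code: a parser for Alt-Svc header values (RFC 7838) that flags .onion alternatives, plus a check that relates the address a site reports to that route. The header value, the onion name, the prefix width and the function names are constructed for illustration.

```python
import ipaddress
import re

# One alt-value (RFC 7838): protocol-id="host:port" plus optional ;name=value parameters.
ALT_VALUE = re.compile(r'\s*([^=\s;,]+)="([^"]*)"((?:\s*;\s*[^=;,\s]+=[^;,]*)*)')

# Prefix covering the address quoted in the ticket, which comment 2 identifies
# as Cloudflare's. The /32 width is an assumption made for this example.
CDN_PREFIXES = [ipaddress.ip_network("2405:8100::/32")]

# Constructed header value; the .onion name is a placeholder, not a real service.
SAMPLE_ALT_SVC = 'h2="constructedexampleonly.onion:443"; ma=86400; persist=1, h2=":8443"; ma=60'


def parse_alt_svc(value):
    """Return the alternatives advertised in an Alt-Svc header value."""
    if value.strip() == "clear":
        return []  # "clear" invalidates all previously advertised alternatives
    alternatives = []
    for proto, authority, params in ALT_VALUE.findall(value):
        host, _, port = authority.rpartition(":")
        parsed = dict(p.strip().split("=", 1) for p in params.split(";") if p.strip())
        alternatives.append({
            "protocol": proto,
            "host": host,  # empty host means "same host as the origin"
            "port": int(port),
            "max_age": int(parsed.get("ma", "86400").strip('"')),  # default: 24 hours
            "onion": host.lower().endswith(".onion"),
        })
    return alternatives


def explain_observation(alt_svc_value, reported_ip):
    """Classify why an IP-checking page shows the address it does."""
    onion_alts = [a for a in parse_alt_svc(alt_svc_value) if a["onion"]]
    addr = ipaddress.ip_address(reported_ip)
    from_cdn = any(addr in net for net in CDN_PREFIXES)
    if onion_alts and from_cdn:
        return "onion-alt-svc"  # later loads used the advertised onion alternative
    if from_cdn:
        return "cdn-address"    # CDN address seen, but no onion alternative advertised
    return "other"


if __name__ == "__main__":
    print(parse_alt_svc(SAMPLE_ALT_SVC))
    print(explain_observation(SAMPLE_ALT_SVC, "2405:8100:8000:5ca1::27f:e187"))
```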

comment:5 Changed 8 months ago by pili

Duplicate of #27590 ?
