Re: [tor-bugs] #31066 [Applications/Tor Browser]: Consider protection against requests going through catch-all circuit

2020-06-12 Thread Tor Bug Tracker & Wiki 
#31066: Consider protection against requests going through catch-all circuit
-+-
 Reporter:  acat |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  ff68-esr, tbb-linkability, tbb-  |  Actual Points:
  torbutton, gitlab-tb-torbutton |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor44-can
-+-
Changes (by acat):

 * keywords:  ff68-esr, tbb-linkability => ff68-esr, tbb-linkability, tbb-
 torbutton, gitlab-tb-torbutton


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #31066 [Applications/Tor Browser]: Consider protection against requests going through catch-all circuit

2019-07-04 Thread Tor Bug Tracker & Wiki 
#31066: Consider protection against requests going through catch-all circuit
---+--
 Reporter:  acat   |  Owner:  tbb-team
 Type:  defect | Status:  new
 Priority:  Medium |  Milestone:
Component:  Applications/Tor Browser   |Version:
 Severity:  Normal | Resolution:
 Keywords:  ff68-esr, tbb-linkability  |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+--
Changes (by gk):

 * keywords:  ff68-esr => ff68-esr, tbb-linkability


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #31066 [Applications/Tor Browser]: Consider protection against requests going through catch-all circuit

2019-07-02 Thread Tor Bug Tracker & Wiki 
#31066: Consider protection against requests going through catch-all circuit
--+--
 Reporter:  acat  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal|   Keywords:  ff68-esr
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+--
 While taking a look at upstreaming #26353 to Firefox I was thinking
 whether it would make sense to have some mitigations to reduce potential
 anonymity loss if there are requests unintentionally going through the
 catch-all circuit. We currently isolate requests by
 `originAttributes.firstPartyDomain`. If
 `originAttributes.firstPartyDomain` is empty, then the request goes to the
 catch-all circuit (socks username `--unknown--`).

 I would suggest changing this and proxying with socks username
 `--unknown--|||firstPartyDomain(request)` instead, where
 `firstPartyDomain` is calculated as if the request host was the origin. I
 think this can only improve user anonymity wrt current behaviour, at the
 cost of potentially worse network performance (more circuits). But I think
 there should not be many cases were `firstPartyDomain` is empty, and also
 not so many `--unknown-- + domain` combinations to make this a performance
 issue. I think it should be seen just as a mitigation for the potential
 cases in Tor Browser that might not obey first party isolation.

 Not sure if this has already been discussed in the past, but I thought it
 might be interesting to consider.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs