#25445: Opening site in Tor Browser redirects to FSB
------------------------------+---------------------------
 Reporter:  timur.davletshin  |          Owner:  (none)
     Type:  defect            |         Status:  closed
 Priority:  Medium            |      Milestone:
Component:  Core Tor/Tor      |        Version:
 Severity:  Major             |     Resolution:  not a bug
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+---------------------------

Comment (by dcf):

A guess: the web server has some kind of automated anti-abuse system, and when it decides that it doesn't want to serve a client, it serves a 302 redirect instead of, say, a 403 Forbidden. The choice of FSB as a destination could be a kind of joke?

It cannot be a Great Firewall–like TCP injection, because the connection is HTTPS (even with HSTS and HPKP). It has to be the remote server sending the redirect.

comment:6 suggests the server is hacked—that's plausible if, say, there are 10 servers behind a load balancer and one of them is hacked. But that wouldn't explain why, in comment:7, non-Tor connections do not get the redirect. It seems more likely to me that it's some kind of attack detection, or something like that, on the server, and that Tor exits are more likely to be on the wrong side of the classification.

Here is what the redirect response looks like (it's HTTP/2, so the header does not literally look like that, but it has the same meaning):
{{{
HTTP/2 302
server: nginx
date: Wed, 07 Mar 2018 19:38:45 GMT
content-type: text/html
location: http://fsb.ru//
strict-transport-security: max-age=31536000; includeSubdomains; preload
public-key-pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
}}}
I got this with `torsocks -i curl -D header https://psb4ukr.org | tee body`. As in comment:2, I had to try maybe about 10 times before getting the redirect rather than the actual web page.

Interestingly, when I use wget rather than curl, I get the redirect every time. With `torsocks -i wget -S https://psb4ukr.org`:
{{{
Resolving psb4ukr.org (psb4ukr.org)... 158.69.100.131
Connecting to psb4ukr.org (psb4ukr.org)|158.69.100.131|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: nginx
  Date: Wed, 07 Mar 2018 19:43:19 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: keep-alive
  Location: http://fsb.ru//
  Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
  Public-Key-Pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
Location: http://fsb.ru// [following]
}}}

For comparison, here is what a non-redirected header looks like (notice the `server` is different):
{{{
HTTP/2 200
date: Wed, 07 Mar 2018 19:34:56 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
vary: Accept-Encoding
age: 16805
server: NATO HPWS/3.0
cache-control: piblic; max-age=900
x-cache: HIT
strict-transport-security: max-age=31536000; includeSubdomains; preload
public-key-pins: pin-sha256="YNlv8uD4wQgJXGVEKa2RM0ItL2HRpGH+hWj3d45rVfk="; pin-sha256="pNFoaDvUW2YZ3wk540oPKyZy5JLjbyt+EO6lOhp2C5M="; pin-sha256="h3O7Czw4r8fXsxIT19BCQrmDRfsYLuXJ1CG7OiTWet8="; pin-sha256="GJvPuGTcBJ/0S0R2JFCAv1t9Rh1If4z7T/L7n/BXjdM="; pin-sha256="M/OFIZXw+4BOvCmzEtCCYr2R3CXGQirQD5MUKPQ4VGc="; max-age=15768000
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
}}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25445#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
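
The comparison made in the comment above, as an added example that is not part of the original ticket comment: a small Python parser for `curl -D` / `wget -S` header dumps that flags an off-site redirect, an HTTPS-to-HTTP downgrade, and the shared headers whose values differ between two responses. The sample inputs are abridged from the two captures above (pin values omitted), and the function names are this example's own.

```python
from urllib.parse import urlsplit

# Abridged from the two captures in the comment above (pin values omitted).
REDIRECT = """HTTP/2 302
server: nginx
content-type: text/html
location: http://fsb.ru//
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: SAMEORIGIN
"""
NORMAL = """HTTP/2 200
content-type: text/html; charset=UTF-8
server: NATO HPWS/3.0
x-cache: HIT
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: SAMEORIGIN
"""

def parse(raw):
    """Return (status, headers) from a `curl -D` or `wget -S` header dump."""
    lines = [l.strip() for l in raw.splitlines() if l.strip()]
    status = int(lines[0].split()[1])          # "HTTP/2 302" or "HTTP/1.1 302 Moved ..."
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # keep first occurrence
    return status, headers

def classify(raw, requested_url):
    """Describe where a response sends the client relative to the URL requested."""
    status, h = parse(raw)
    req, loc = urlsplit(requested_url), urlsplit(h.get("location", ""))
    return {
        "status": status,
        "server": h.get("server"),
        "offsite_redirect": 300 <= status < 400 and loc.hostname not in (None, req.hostname),
        "https_downgrade": req.scheme == "https" and loc.scheme == "http",
    }

def differing(raw_a, raw_b):
    """Names of headers present in both responses whose values differ."""
    (_, a), (_, b) = parse(raw_a), parse(raw_b)
    return sorted(k for k in a.keys() & b.keys() if a[k] != b[k])

if __name__ == "__main__":
    print(classify(REDIRECT, "https://psb4ukr.org"))
    print(classify(NORMAL, "https://psb4ukr.org"))
    print(differing(REDIRECT, NORMAL))
```

Run over repeated fetches, the `server` value and the `offsite_redirect` flag show which responses came from the redirecting handler, while the identical HSTS header in both shows the same TLS-terminating front end answered.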