#30242: Impossible to change circuit for a site when its SSL certificate is invalid
-------------------------------------+-------------------------------------
 Reporter:  pf.team                  |          Owner:  tbb-team
     Type:  defect                   |         Status:  new
 Priority:  High                     |      Component:  Applications/Tor
                                     |                  Browser
  Version:                           |       Severity:  Normal
 Keywords:  ssl tbb-8.0-issues       |  Actual Points:
            tor-circuit              |
            tbb-circuit-display      |
Parent ID:                           |         Points:
 Reviewer:                           |        Sponsor:
-------------------------------------+-------------------------------------

When accessing a website that uses SSL and the browser raises a certificate error (certificate expired, doesn't match the domain name, etc.), the user can no longer change the circuit by using the "New Circuit for this Site" button. Even if you press it, the browser still keeps using the old circuit.
This is not just an interface error: the circuit really remains unchanged. We managed to reproduce this problem while dumping incoming traffic on one of our own services, and after the button was pressed, the requests still came from the same exit node.

What is especially important is that a certificate error may arise not only due to actual problems with the certificate on the destination server, but also because the exit node is compromised and tries to conduct a Man-in-the-Middle attack. We observed cases when, with Tor Browser versions 6 and 7, the certificate error went away after changing the circuit, which points to the exit node itself being compromised.

This issue does not allow the user to circumvent a potentially compromised exit node to exchange information safely, and forces users to either abandon their attempts altogether, accept the incorrect certificate and be compromised, or go through the process of resetting the identity (that still works, but any and all sessions etc. are lost, obviously).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30242>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs