Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-16T01:01:20Z

Distrust DarkMatter Intermediate CAs
https://gitlab.torproject.org/legacy/trac/-/issues/29628
2020-06-16T01:01:20Z, Trac

Mozilla Firefox's root trust store trusts an intermediate CA for a spying firm called DarkMatter. They trust the intermediate CA as it was signed by Quovadis.
This already puts Tor users at risk as they can spy today, however once they are a root ca there will be no oversight by Quovadis/Digicert and they can misbehave and issue secret certificates to spy on Tor users.
They have a business interest in spying on HTTPS traffic. Google Chrome and Mozilla Firefox are still discussing this. It's in the best interest of Tor Users to immediately distrust the intermediate CA.
Thoughts?
References:
https://www.bleepingcomputer.com/news/security/cybersecurity-firm-darkmatter-request-to-be-trusted-root-ca-raises-concerns/
https://protonmail.com/blog/dark-matter-quo-vadis/
**Trac**:
**Username**: nsuchy

DuckDuckGo & DuckDuckGo Onion display on differently in about:tor screen and on address bar
https://gitlab.torproject.org/legacy/trac/-/issues/27846
2020-06-16T00:51:29Z, Trac

If you modify your search settings in Tor Browser to use DuckDuckGo's onion service rather than the clearweb service, searches from the address bar will use DuckDuckGo's onion; however, if you search from the about:tor page it still uses the clearweb service. It's not a huge issue considering you connect with Tor and HTTPS anyways, but it'd be a nice little thing to fix for UX and consistency purposes.
**Trac**:
**Username**: nsuchy

Investigate usage of CDN77 for meek
https://gitlab.torproject.org/legacy/trac/-/issues/27579
2020-06-13T18:32:41Z, Trac

The CDN Provider CDN77 supports origin pull and domain fronting. This may be useful if Microsoft Azure starts matching SNI with the Host header as Cloudflare, AWS, Google, etc have done.
**Confirmation:**
```
curl https://www.cdn77.com/ --header 'Host: www.phpmyadmin.net' -v
```
**Trac**:
**Username**: nsuchy
David Fifield <dcf@torproject.org>

Torbutton in Tor Browser 8 difficult to see in dark theme
https://gitlab.torproject.org/legacy/trac/-/issues/27478
2020-06-16T00:50:02Z, Trac

Tor Browser 8 includes Firefox ESR 60's "dark theme". It looks quite nice and I elected to enable it. The Torbutton (used for security, and tor network settings) is difficult to see in contrast to other icons. In dark mode it'd be nice to enable a light grey version of it. Thoughts?
**Trac**:
**Username**: nsuchy
richard

"New Identity" does not properly clear state of the find bar
https://gitlab.torproject.org/legacy/trac/-/issues/27452
2020-06-16T01:28:20Z, Trac

I noticed an issue with Tor Browser on macOS which likely affects Tor Browser on other platforms. The issue being that pressing "New Identity" does not properly clear state of the find bar.
**Steps to reproduce:**
1) Open Tor Browser
2) Press control-f ("command-f" on macOS) to bring up the find bar
3) Type something into the find bar.
4) Press new identity
5) Press control-f ("command-f" on macOS) again to bring up the find bar. See that the previously searched text remains in the box.
**Tor Browser Alpha:**
Per arma's suggestion on IRC I tested this in Tor Browser Alpha (This build: https://people.torproject.org/~gk/builds/8.0-build5/tor-browser-linux64-8.0_en-US.tar.xz) on Linux. The bug is partially fixed. However if you click "highlight all" after entering text in the search box and then press new identity, press control-f again, the text is cleared, but the "highlight all" state remains.
**User Impact:**
This appears to be an issue resetting state of the find bar. It's unclear whether a website can access this information using JavaScript, with or without user interaction. It's also unclear how long this information could persist. This could potentially reveal during a forensic search on a computer the last thing the user searched for on a page, but not what page they searched on.
It is worth investigating for other components which are not properly reset after clicking "New Identity".
**Screenshots:**
* Bug on Tor Browser Stable macOS https://image.ibb.co/bVOLkK/Screen_Shot_2018_09_04_at_8_23_20_PM.png
* Bug on Tor Browser Alpha Linux https://image.ibb.co/fiVSXz/Problem.png
**Trac**:
**Username**: nsuchy

Should Tor Browser use DuckDuckGo's onion (hidden) service instead of their normal website as the default search engine?
https://gitlab.torproject.org/legacy/trac/-/issues/25992
2020-06-16T00:45:58Z, Trac

The current version of the Tor Browser Bundle uses the search engine DuckDuckGo to allow users to easily make search queries from the about:tor page and the address bar. I noticed that DuckDuckGo also has an onion (hidden) service available. As such, should Tor Browser use DuckDuckGo's onion (hidden) service instead of their normal website as the default search engine?
**A few benefits I see here:**
*) Shows what Tor Hidden Services can do - do all Tor Browser users know about or use a Tor Hidden Service? This could make it shine and users the benefit on a day to day basis.
*) The amount of "exit" bandwidth to DuckDuckGo's services would be diverted into relay bandwidth (based on my understanding of tor hidden services - not exactly sure but relays with a no-exit policy would still help route traffic to DuckDuckGo)
**Example Query (URL Syntax):**
https://3g2upl4pq6kufc4m.onion/?q=Tor+Browser+Bundle&t=hf
**Trac**:
**Username**: nsuchy