  • #11384
Closed
Open
Created Apr 01, 2014 by cypherpunks@cypherpunks

TorBrowser connects over clearnet after activation of 'hidden' torbutton option

Tested on Linux x86_64, latest TorBrowser version 3.53

Steps to reproduce problem:

  1. Open TorBrowser and connect normally
  2. Click the Torbutton, this opens the drop down list containing "New Identity, Cookie Protections, ..."
  3. Press the down key on the keyboard once; this highlights 'New Identity'
  4. Press down key again and the highlighting disappears (highlighting hidden 'disable torbutton' option)
  5. Press enter

This makes TB connect over the clearnet and reveal true IP address (checked using check.torproject.org, and yes it is my real IP). No warning or confirmation box appears and this could easily be done accidentally. This setting persists over New Identity and closing and reopening TB completely, and it is not obvious at all to the user how to switch Tor back on.

This is particularly dangerous because opportunities to warn the user are missed:

  • The about:tor page remains green even after clicking New Identity (although it does switch to its "Something Went Wrong!" form after fully closing and reopening TB).
  • The 'Proxy Settings' page (Torbutton -> Preferences) is unchanged and indicates the browser is using Tor's recommended proxy settings.
  • The 'Test Proxy' button on the Proxy Settings page confirms that the Tor proxy is working properly.

The only indicator to the user that they have been deanonymized is that the torbutton changes from green to red, which is easily missed.

Furthermore, for people who do not allow TB access to the Tor ControlPort* this button is red anyway and there is no indication whatsoever that you are deanonymized.

This hidden option needs to be properly disabled or (like me!) you could be deanonymized for days without knowing.

*i.e. connecting TB to a separate Tor process / transparently routing TB traffic / using Tor router or Tor on a different [virtual] machine

[Note: to re-enable the Tor proxy, just repeat the steps above. Also, the 'Restore Defaults' button on the TorButton Preferences page appears to fix it too.]
