Add a Torbutton pref to disable local tor check
[ Re: discussion with Mike at #11384 (closed) ]
The Torbutton icon and about:tor page indicate that Tor is not working when Torbutton does not have full access to the control port (when not using the 'Transparent Torification' option in Torbutton preferences), even if the browser is properly configured to use Tor. This can be dangerous when something does go wrong (e.g. bug #11384 (closed)) because there is then no visible difference to the user.
If Transparent Torification is selected, Torbutton skips the local check and instead performs a remote check, which gives a correct indication of whether the browser is torified. However, there are cases, other than transparent torification, where the remote check is desirable over the local check. These include:
A) Connecting TorBrowser to system-wide Tor instance, which you do not want the browser to be able to manipulate (e.g. tor-launcher automatically stopping Tor process on closing the browser)
B) Preventing TorBrowser access to control port so that it cannot retrieve/leak circuit information
C) Tails
Tails encountered this problem (they only allow NEWNYM requests from the browser to the control port), but at the time remote Tor check was broken (#10189 (closed)) so they opted to patch Torbutton to completely disable Tor check, both local and remote (http://git.tails.boum.org/torbutton/commit/?id=7b7aba560dadb0299212a47971d08ac937672868). This is arguably unsatisfactory and is only safe because Tails has strict firewall rules preventing leaks.
I propose we add a user pref which tells Torbutton to use the remote check instead of local check, so TorBrowser only shouts when it isn't connecting over Tor. The default behavior would be unchanged. A (two-line) patch is attached.
If Tails devs are happy with this solution this could also close #10216 (moved).
Trac:
Username: scissors