Tor Browser's update check bypassed Tor once on macOS, because of xpcproxy?
I am on macOS, and my current setup involves an isolation proxy, custom pf rules, an application firewall and the tor browser bundle (7.5.3).
The firefox process has only localhost access to the tor.real process.
The tor.real process has only localhost access to the obfs4proxy process.
The obfs4proxy process can only access the remote IP/port tuple.
I modified the tbb-torrc, adding UseBridges 1.
During the latest (vidalia) startup, my application firewall warned me that a process named xpcproxy was attempting to directly connect to 82.195.75.101/443tcp.
Since a reverse DNS lookup resolves to listera.torproject.org, I believe this to be non-malicious, but I'd count the behaviour as a potential IP leak.
Firefox should wait for the tor process to be ready and spawn the call over a tor circuit; if not, a malicious ISP (e.g.) has the potential to enumerate users.
I denied the access and restarted the browser, but have not been able to reproduce it yet. So this is possibly a race condition between firefox and vidalia; because of this, I am unsure if this should be a tor browser or a tor launcher ticket.
How can I inspect this?
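
One way to watch for a repeat, as an added example that is not part of the original post: check a socket listing against the isolation chain described above and report any process that reaches a non-loopback address other than the bridge. The sample listing is constructed in the format of `lsof +c 0 -i TCP -n -P`, and the bridge address 192.0.2.10:443 is a placeholder assumption.

```python
import ipaddress

# Constructed sample in the format of `lsof +c 0 -i TCP -n -P` (not a real capture).
SAMPLE = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox     812 user   45u  IPv4 0xa1      0t0  TCP 127.0.0.1:49832->127.0.0.1:9150 (ESTABLISHED)
tor.real    815 user    9u  IPv4 0xa2      0t0  TCP 127.0.0.1:9150 (LISTEN)
tor.real    815 user   11u  IPv4 0xa3      0t0  TCP 127.0.0.1:49840->127.0.0.1:49801 (ESTABLISHED)
obfs4proxy  816 user    7u  IPv4 0xa4      0t0  TCP 10.0.0.5:49850->192.0.2.10:443 (ESTABLISHED)
xpcproxy    820 user    5u  IPv4 0xa5      0t0  TCP 10.0.0.5:49860->82.195.75.101:443 (SYN_SENT)
"""

BRIDGE = ("192.0.2.10", 443)   # placeholder bridge IP/port tuple (assumption)
BRIDGE_CLIENT = "obfs4proxy"   # the only process allowed to leave the host


def parse(text):
    """Yield (command, pid, remote_ip, remote_port) for sockets with a remote end."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9 or "->" not in fields[8]:
            continue  # listeners and unconnected sockets have no remote end
        remote = fields[8].split("->", 1)[1]
        host, _, port = remote.rpartition(":")
        yield fields[0], int(fields[1]), host.strip("[]"), int(port)


def violations(text, bridge=BRIDGE):
    """Return connections that break the chain firefox -> tor.real -> obfs4proxy -> bridge."""
    found = []
    for cmd, pid, host, port in parse(text):
        if ipaddress.ip_address(host).is_loopback:
            continue  # localhost hops between chain members are allowed
        if cmd == BRIDGE_CLIENT and (host, port) == bridge:
            continue  # the single permitted off-host destination
        # Everything else is reported, including unrelated apps on the machine.
        found.append((cmd, pid, f"{host}:{port}"))
    return found


if __name__ == "__main__":
    for cmd, pid, dest in violations(SAMPLE):
        print(f"off-chain connection: {cmd} (pid {pid}) -> {dest}")
```

Because the event in the post was not reproducible, a check like this is most useful run in a loop during browser startup, alongside the firewall's own log.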