After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 750249 - DNS queries not sent to proxy (information leak)
DNS queries not sent to proxy (information leak)
Status: RESOLVED NOTGNOME
Product: epiphany
Classification: Core
Component: General
unspecified
Other All
: Normal major
: ---
Assigned To: Michael Catanzaro
Epiphany Maintainers
Depends on:
Blocks:
 
 
Reported: 2015-06-01 22:25 UTC by Christoph Anton Mitterer
Modified: 2015-06-02 15:43 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Christoph Anton Mitterer 2015-06-01 22:25:04 UTC
Hi.

Apparently it seems that even when configured to use Tor as proxy,
epiphany is so "smart" to send DNS queries directly to the wire,
thus making any effort of Tor useless.

Just check with wireshark and one can see it.


Marking this as blocker so that people get notified about this
inadequacy... actually people in many countries who need to rely
on Tor, can get into severe troubles (up to being tortured or having their life threatened) when their anonymity is compromised.


Chris.
Comment 1 Michael Catanzaro 2015-06-02 01:27:25 UTC
We have no functionality in either WebKit or Epiphany for setting a proxy, so how was Epiphany "configured to use Tor as proxy"? Was this done using the Network panel in System Settings?

Anyway, I have two guesses before I delve deeper:

Guess #1: webkit_web_context_prefetch_dns() does not know to use whatever proxy that libsoup uses. Epiphany 3.16 doesn't use this function due to a temporary implementation issue in Epiphany, but Epiphany 3.14 does and it will again in the future. So the test for this theory is simple: if the issue occurs in Epiphany 3.14 but is "fixed" in 3.16, then this is almost certainly the cause. Requested info: what version of Epiphany are you using?

Guess #2: If guess #1 is wrong, then I guess WebKit always uses the proxy for HTTP only, but never for DNS.

Tangent: I will lower the priority from blocker to major, because Epiphany is not intended to be used with Tor, at least not at this time (it would certainly be cool to turn Incognito Mode into a real Tor mode that protects you from network adversaries instead of just people using your computer). The Tor developers say "using any browser besides Tor Browser with Tor is a really bad idea" [1] and I have no reason to doubt them on that; I guess they do lots more than simply change your proxy settings to make Tor safer to use (e.g. maybe they disable DNS prefetch :), but I haven't studied their browser much so I dunno. But the same information leak surely applies to users of traditional proxies, so I still consider this a major bug.

[1] https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser
Comment 2 Christoph Anton Mitterer 2015-06-02 01:37:32 UTC
(In reply to Michael Catanzaro from comment #1)
> We have no functionality in either WebKit or Epiphany for setting a proxy,
> so how was Epiphany "configured to use Tor as proxy"? Was this done using
> the Network panel in System Settings?

Yes.


> Guess #1: webkit_web_context_prefetch_dns() does not know to use whatever
> proxy that libsoup uses. Epiphany 3.16 doesn't use this function due to a
> temporary implementation issue in Epiphany, but Epiphany 3.14 does and it
> will again in the future. So the test for this theory is simple: if the
> issue occurs in Epiphany 3.14 but is "fixed" in 3.16, then this is almost
> certainly the cause. Requested info: what version of Epiphany are you using?

Unfortunately I cannot test this right now.
While 3.16 is already in Debian since some days, I'm using Cinnamon (GNOME3 does not only not fit my needs, it also simply crashes everytime I start it...) and the network panel of that seems to be no longer compatible with current Debian's NM.
So I can't change the proxy as of now to check that.


> I will lower the priority from blocker to major, because Epiphany
> is not intended to be used with Tor

The problem is that this seems to be nowhere really communicated.
Apart from perhaps the Tor-side, but they generally just recommend their "Tor-browser".

And I doubt that a tortured or whatever victim of non-working anonymity would know about any hidden "not intended for Tor" message in some bug report.


> The Tor developers say "using any browser besides Tor Browser with Tor is a
> really bad idea" [1] and I have no reason to doubt them on that; I guess
> they do lots more than simply change your proxy settings to make Tor safer
> to use (e.g. maybe they disable DNS prefetch :), but I haven't studied their
> browser much so I dunno. But the same information leak surely applies to
> users of traditional proxies, so I still consider this a major bug.

Well I guess different security experts have different opinions on the advantages/disadvantages of a Torbrowser as a fork from FF...
I rather tend to see it critical and not a proper solution.


Interestingly, btw, online tor checks like http://torcheck.xenobite.eu/ didn't warn me that I was using a leaking browser.
I'd have expected that they could detect whether I used a DNS from them, but maybe that was just too optimistic.
Comment 3 Michael Catanzaro 2015-06-02 03:14:28 UTC
Guess #1 was correct. This is a WebKit bug and there is nothing to fix in Epiphany, so I will close this. See: https://bugs.webkit.org/show_bug.cgi?id=145542
Comment 4 Michael Catanzaro 2015-06-02 03:33:49 UTC
P.S. That means Epiphany 3.16 should be unaffected, since we temporarily disabled DNS prefetch.
Comment 5 Michael Catanzaro 2015-06-02 15:43:57 UTC
Here is the list of things the Tor browser does to keep you safe, which Epiphany mostly does not do: https://www.torproject.org/projects/torbrowser/design/

Bug #750288 is an enhancement request to provide these features. No plans to work on this in the near future, unfortunately.