GNOME Bugzilla – Bug 750249
DNS queries not sent to proxy (information leak)
Last modified: 2015-06-02 15:43:57 UTC
Hi.

Apparently it seems that even when configured to use Tor as proxy, epiphany is so "smart" as to send DNS queries directly to the wire, thus making any effort of Tor useless. Just check with wireshark and one can see it.

Marking this as blocker so that people get notified about this inadequacy... actually people in many countries who need to rely on Tor can get into severe trouble (up to being tortured or having their life threatened) when their anonymity is compromised.

Chris.
We have no functionality in either WebKit or Epiphany for setting a proxy, so how was Epiphany "configured to use Tor as proxy"? Was this done using the Network panel in System Settings?

Anyway, I have two guesses before I delve deeper:

Guess #1: webkit_web_context_prefetch_dns() does not know to use whatever proxy that libsoup uses. Epiphany 3.16 doesn't use this function due to a temporary implementation issue in Epiphany, but Epiphany 3.14 does and it will again in the future. So the test for this theory is simple: if the issue occurs in Epiphany 3.14 but is "fixed" in 3.16, then this is almost certainly the cause. Requested info: what version of Epiphany are you using?

Guess #2: If guess #1 is wrong, then I guess WebKit always uses the proxy for HTTP only, but never for DNS.

Tangent: I will lower the priority from blocker to major, because Epiphany is not intended to be used with Tor, at least not at this time (it would certainly be cool to turn Incognito Mode into a real Tor mode that protects you from network adversaries instead of just people using your computer). The Tor developers say "using any browser besides Tor Browser with Tor is a really bad idea" [1] and I have no reason to doubt them on that; I guess they do lots more than simply change your proxy settings to make Tor safer to use (e.g. maybe they disable DNS prefetch :), but I haven't studied their browser much so I dunno. But the same information leak surely applies to users of traditional proxies, so I still consider this a major bug.

[1] https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser
(In reply to Michael Catanzaro from comment #1)
> We have no functionality in either WebKit or Epiphany for setting a proxy,
> so how was Epiphany "configured to use Tor as proxy"? Was this done using
> the Network panel in System Settings?

Yes.

> Guess #1: webkit_web_context_prefetch_dns() does not know to use whatever
> proxy that libsoup uses. Epiphany 3.16 doesn't use this function due to a
> temporary implementation issue in Epiphany, but Epiphany 3.14 does and it
> will again in the future. So the test for this theory is simple: if the
> issue occurs in Epiphany 3.14 but is "fixed" in 3.16, then this is almost
> certainly the cause. Requested info: what version of Epiphany are you using?

Unfortunately I cannot test this right now. While 3.16 is already in Debian since some days, I'm using Cinnamon (GNOME3 does not only not fit my needs, it also simply crashes every time I start it...) and the network panel of that seems to be no longer compatible with current Debian's NM. So I can't change the proxy as of now to check that.

> I will lower the priority from blocker to major, because Epiphany
> is not intended to be used with Tor

The problem is that this seems to be nowhere really communicated. Apart from perhaps the Tor-side, but they generally just recommend their "Tor-browser". And I doubt that a tortured or whatever victim of non-working anonymity would know about any hidden "not intended for Tor" message in some bug report.

> The Tor developers say "using any browser besides Tor Browser with Tor is a
> really bad idea" [1] and I have no reason to doubt them on that; I guess
> they do lots more than simply change your proxy settings to make Tor safer
> to use (e.g. maybe they disable DNS prefetch :), but I haven't studied their
> browser much so I dunno. But the same information leak surely applies to
> users of traditional proxies, so I still consider this a major bug.

Well I guess different security experts have different opinions on the advantages/disadvantages of a Torbrowser as a fork from FF... I rather tend to see it critical and not a proper solution.

Interestingly, btw, online tor checks like http://torcheck.xenobite.eu/ didn't warn me that I was using a leaking browser. I'd have expected that they could detect whether I used a DNS from them, but maybe that was just too optimistic.
Guess #1 was correct. This is a WebKit bug and there is nothing to fix in Epiphany, so I will close this. See: https://bugs.webkit.org/show_bug.cgi?id=145542
P.S. That means Epiphany 3.16 should be unaffected, since we temporarily disabled DNS prefetch.
Here is the list of things the Tor browser does to keep you safe, which Epiphany mostly does not do: https://www.torproject.org/projects/torbrowser/design/ Bug #750288 is an enhancement request to provide these features. No plans to work on this in the near future, unfortunately.
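
The wire check described in the report (watching for DNS queries while a proxy is configured) can be scripted. This is an added example, not part of the original bug thread or of WebKit/Epiphany; it assumes UDP datagrams have already been extracted from a capture on the outbound interface as `(dst_ip, dst_port, payload)` tuples, and all function names and sample datagrams are constructed for illustration.

```python
import struct

def build_dns_message(name, flags=0x0100, txid=0x1234):
    """Build a minimal one-question DNS message (used only for constructed samples)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_query_name(payload):
    """Return the QNAME of a DNS query, or None for responses and malformed data."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:                    # root label terminates the name
            return ".".join(labels)
        if length & 0xC0:                  # compression pointer: not expected here
            return None
        pos += 1
        if pos + length > len(payload):    # label runs past the datagram
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None

def find_dns_leaks(datagrams):
    """List (resolver_ip, hostname) for every plaintext DNS query seen on the wire."""
    leaks = []
    for dst_ip, dst_port, payload in datagrams:
        if dst_port != 53:
            continue
        name = parse_query_name(payload)
        if name is not None:
            leaks.append((dst_ip, name))
    return leaks

# Constructed sample datagrams (documentation addresses from 192.0.2.0/24).
SAMPLE_DATAGRAMS = [
    ("192.0.2.53", 53, build_dns_message("example.org")),                # leaked query
    ("192.0.2.53", 53, build_dns_message("example.org", flags=0x8180)),  # a response
    ("192.0.2.53", 53, b"\x00\x01"),                                     # truncated
    ("192.0.2.10", 443, build_dns_message("example.com")),               # not port 53
]

if __name__ == "__main__":
    for resolver, name in find_dns_leaks(SAMPLE_DATAGRAMS):
        print(f"leaked lookup: {name} -> {resolver}")
```

With name resolution delegated to the proxy, a capture taken while browsing should produce an empty list; any entry names a host that was revealed to the local resolver.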