Stop connecting to check.torproject.org on every browser startup #2719
Comments
I never looked at the SSL Observatory in any great detail but this might be as simple as adding
to https://github.com/EFForg/https-everywhere/blob/master/src/components/ssl-observatory.js#L130. |
@fuglede I thought Tor was checked for some reason to establish certain compatibility settings? |
@vgturtle127: Proxy settings to be precise (at least if we are talking about the same part of the code). |
But these proxy settings should only be checked when the proxy settings are actually configured, shouldn't they? |
@Hainish, can you take a look at this one? |
Any update on this? This is still an issue in the latest version of https-everywhere. |
This is high on my priority list, I'll look into it next week. |
I'm not overly concerned with requests to Following the logic of L832: We are using the Tor Browser and The only one of these three that results in the request not going over Tor in normal circumstances is the middle conditional. In that case, most users are protected because it's rare that users will manually set an observatory proxy in While investigating this issue I was concerned about DNS leaks. I ran a packet dump and fired up a clean HTTPS Everywhere profile (the startup sequence of which would reach the 'otherwise' conditional above, trying to make the request over socks |
Looking at it now, within Tor Browser seems like we never actually succeed with the first conditional, because the |
Strikingly, the above has probably been an issue since the days of Torbutton. |
Does HTTPS Everywhere still connect to check.tpo even when the SSL Observatory is disabled? If relevant, I'm asking in the context of Tor Browser. I understand this is not a privacy issue if it goes through Tor, but would be nice to avoid if it's unneeded. Sorry if this is already the case, but couldn't make sure reading the code. |
@gunesacar in Tor Browser, Tor connectivity will be tested (even if the observatory is disabled) by connecting to check.tpo. This is in order to provide the appropriate UX for observatory settings. |
@Hainish Thanks! |
Is this still an issue? Looking at uBlock Origin's I'm seeing behind-the-scene requests are requests going to There's no assurance that HTTPS Everywhere is making this request (because uBlock Origin doesn't know who did), but it's the only addon I have related to Tor. I'm running HTTPS Everywhere 5.2.8 with SSL Observatory disabled in regular Firefox 50.1. |
I'm on Nightly 55, SSL Observatory disabled, same issue. |
Thanks for the notifications, this was fixed in #10028 and will be deployed in 5.2.18. |
Or at least offer the possibility to disable this checkup and assume the browser isn't (or is) using tor.
This is phoning home and that doesn't make sense for a privacy extension.
The text was updated successfully, but these errors were encountered: