onion-grater leaks info about unassociated circuits to Tor Browser
(This is a general issue, but let's be concrete and talk only about the Tor Browser situation.)
The current Tor Browser filter rules have restrict-stream-events, so when subscribing to stream events it will only learn about its own streams, great. However, the filter rules also allow getinfo circuit-status, so Tor Browser can actually see all circuits, while it would be sufficient if it could only see those that are associated with any of its streams (and since we employ proper stream isolation, circuits are not shared with other applications, so it wouldn't see any other applications' circuits). So we could do better here.
There is a similar story about getinfo stream-status and subscribing to circuit events, but it is not relevant for our current filter rules so we should just wait for arti, but in the meantime Tor Browser knowing about all circuits is an issue.
The impact is basically: "Tor Browser knows which exit nodes are used at any given time". Since circuit-status also lists the Socks username/password set for stream isolation purposes, it could potentially tell which application is using which circuit, but I believe we don't use that, except when torsocks --isolate is involved (so e.g. wget), which sets the Socks credentials based on the torified process' PID, but we are narrowly saved since Tor Browser's AppArmor confinement should prevent it from mapping PID to application. But maybe there is some other leak I haven't thought about.
Is it worth fixing, or should we wait for arti? I think the fix shouldn't be too hard: onion-grater would need to intercept getinfo circuit-status and for each circuit only show those that have a stream that belongs to the application.
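
A sketch of the filtering proposed above, added here as an example and not taken from onion-grater: it rewrites a GETINFO circuit-status reply so that only circuits carrying one of the client's streams remain. It assumes the filter already knows which stream IDs belong to the client (`owned_stream_ids`); every function name and sample line below is hypothetical or constructed.

```python
# Added illustration, not onion-grater code. All names and sample lines are constructed.

def owned_circuit_ids(stream_lines, owned_stream_ids):
    """stream-status lines are 'StreamID Status CircuitID Target'; CircuitID 0 = unattached."""
    circuits = set()
    for line in stream_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0] in owned_stream_ids and fields[2] != "0":
            circuits.add(fields[2])
    return circuits

def parse_circuit_status(reply):
    """Return the circuit entries of a GETINFO circuit-status reply, or None if not one."""
    head = reply[0] if reply else ""
    if head.startswith("250+circuit-status="):      # multi-line data reply, ends with "."
        return reply[1:reply.index(".")]
    if head.startswith("250-circuit-status="):      # zero or one circuit on one line
        entry = head[len("250-circuit-status="):]
        return [entry] if entry else []
    return None

def filter_circuit_status(reply, allowed):
    """Rebuild the reply with only the circuits whose ID is in `allowed`."""
    entries = parse_circuit_status(reply)
    if entries is None:
        return list(reply)                          # e.g. an error reply: pass through
    kept = [e for e in entries if e.split(" ", 1)[0] in allowed]
    if len(kept) <= 1:
        return ["250-circuit-status=" + "".join(kept), "250 OK"]
    return ["250+circuit-status=", *kept, ".", "250 OK"]

# Constructed sample data (relay names shortened, fingerprints omitted).
STREAMS = ["101 SUCCEEDED 7 example.com:443",
           "102 SUCCEEDED 9 example.org:443",
           "103 NEW 0 example.net:80"]
CIRCUITS = ["250+circuit-status=",
            '7 BUILT $A~guard1,$B~mid1,$C~exit1 PURPOSE=GENERAL SOCKS_USERNAME="example.com"',
            '9 BUILT $A~guard1,$D~mid2,$E~exit2 PURPOSE=GENERAL SOCKS_USERNAME="example.org"',
            '12 BUILT $F~guard2,$G~mid3,$H~exit3 PURPOSE=GENERAL SOCKS_USERNAME="torsocks-4242"',
            ".", "250 OK"]

if __name__ == "__main__":
    mine = owned_circuit_ids(STREAMS, {"101", "103"})
    print("\n".join(filter_circuit_status(CIRCUITS, mine)))
```

The filtered reply drops whole circuit lines, so the Socks username/password fields of other applications' circuits never reach the client.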