Disable LAN access in Tor Browser
Ignoring the as of today still not finished analysis of the full scale of Jake’s FOCI12 paper (#5340) can’t we stay on the safe side for at least the Tor Browser by disabling access to RFC1918 (LAN/Private) IP addresses in it, and direct users to the Unsafe Browser for such access?
Even if we put aside the possibility of blocking some classes of deanonymization attacks (or whatever), this change makes sense for usability. Especially after we have isolated I2P from the Tor Browser (#7725 (closed)) too we would have three distinct browsers whose names rather clearly define their scope:
- The Tor Browser deals with Tor stuff only.
- The I2P Browser deals with I2P stuff only.
- The Unsafe Browser deals with unsafe stuff, like the LAN, which we consider hostile in our threat model.
Or am I missing something about why we need to have the Tor Browser and Unsafe Browser overlap in functionality in this way?
The only drawback I can see is that users that are used to LAN access in the Tor Browser may get confused. If we consider it more than a documentation issue, perhaps we can add a note about it to the error page that the Tor Browser shows in this situation, i.e. “The Proxy server is refusing connections”? Or perhaps users are too well-trained to ignore browser error pages (except the header) by now?
Feature Branch: feature/7976-disallow-lan-in-tor-browser