Disable LAN access in Tor Browser
_Originally created by @anonym on [#7976 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/7976)_

Ignoring the as of today still not finished analysis of the full scale
of Jake’s FOCI12 paper (tails/tails#5340), can’t we stay on the safe side for at
least the Tor Browser by disabling access to RFC1918 (LAN/Private) IP
addresses in it, and direct users to the Unsafe Browser for such access?

Even if we put aside the possibility of blocking some classes of
deanonymization attacks (or whatever), this change makes sense for
usability. Especially after we have isolated I2P from the Tor Browser
(tails/tails#7725) too, we would have three distinct browsers whose names rather
clearly define their scope:

- The **Tor** Browser deals with **Tor** stuff only.
- The **I2P** Browser deals with **I2P** stuff only.
- The **Unsafe** Browser deals with **unsafe** stuff, like the LAN,
  which we consider hostile in our threat model.

Or am I missing something about why we need to have the Tor Browser and
Unsafe Browser **overlap** in functionality in this way?

The only drawback I can see is that users that are used to LAN access in
the Tor Browser may get confused. If we consider it more than a
documentation issue, perhaps we can add a note about it to the error
page that the Tor Browser shows in this situation, i.e. “The Proxy
server is refusing connections”? Or perhaps users are too well-trained
to ignore browser error pages (except the header) by now?

Feature Branch: feature/7976-disallow-lan-in-tor-browser
### Subtasks
- [x] tails/tails#8218
- [x] tails/tails#9431
### Related issues
- **Related to** tails/tails#5340
- **Related to** tails/tails#7725
- **Related to** tails/tails#7951
- **Related to** tails/tails#7774
- **Blocks** tails/tails#5293