From 8665dceb5cf2a197ae270b08066f05c8a2870223 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 6 Aug 2016 13:53:05 +0200 Subject: block direct connections to .onion domains (RFC7687) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Doing a direct connect to an .onion address (if you don't happen to use it as a local domain, which you shouldn't) is bound to fail and does leak the information that you do use Tor and which hidden service you wanted to connect to to a DNS server. Worse, if the DNS is poisoned and actually resolves tricking a user into believing the setup would work correctly… This does block also the usage of wrappers like torsocks with apt, but with native support available and advertised in the error message this shouldn't really be an issue. Inspired-by: https://bugzilla.mozilla.org/show_bug.cgi?id=1228457 --- test/integration/test-method-connect | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100755 test/integration/test-method-connect (limited to 'test') diff --git a/test/integration/test-method-connect b/test/integration/test-method-connect new file mode 100755 index 000000000..b35f96dc3 --- /dev/null +++ b/test/integration/test-method-connect @@ -0,0 +1,13 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" + +setupenvironment + +cd downloaded +testfailureequal 'Err:1 http://vwakviie2ienjx6t.onion/ + Direct connection to .onion domains is blocked by default. If you meant to use Tor remember to use tor+http instead of http. +E: Failed to fetch http://vwakviie2ienjx6t.onion/ Direct connection to .onion domains is blocked by default. If you meant to use Tor remember to use tor+http instead of http. +E: Download Failed' apthelper download-file 'http://vwakviie2ienjx6t.onion/' ftp.debian.org.html -- cgit v1.2.3