Tor Browser Alt-Svc as a potential huge anonymity threat

Hello. The HTTP specification has a header called Alt-Svc which can automatically redirect a user to another network location on the server side without !!! even asking the user.

(Cannot post a link here, you can Google for Alt-Svc Developer Mozilla Org documentation page)

I personally faced that problem when I visited some web sites which used third-party domains like Cloudflare. When using Tor Browser, Cloudflare automatically redirects all traffic from the clearnet cloudflare dot com domain to its .onion one (cflareblahblahblah… .onion) without asking the user! When I checked my IP address on that site (yes, using a standard Tor Browser on a Whonix-Workstation), it showed me not the IP address of a Tor exit node but a Cloudflare CDN US IP !!!

So, to turn that hidden redirection off, I need to type about:config and set the value of the option to false:

network.http.altsvc.enabled → false

I recommend that Whonix developers turn off the Alt-Svc header by default because I think it is a potentially dangerous feature which is dangerous for anonymity. I am not sure if Tor Project developers turn this option off.

1 Like
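Added example (not part of either post, and not Tor Browser or Whonix code): a small Python parser for an Alt-Svc header value, following the RFC 7838 syntax, that lists the alternatives a response advertises and picks out those that would move the connection to a different host such as a .onion address. The header string, the origin name and the function names are constructed for illustration.

```python
import re

# One alt-value per RFC 7838: protocol-id="[host]:port" followed by ;parameters.
ALT_VALUE = re.compile(
    r'(?P<proto>[^\s=,;"]+)="(?P<host>\[[^\]"]*\]|[^":]*):(?P<port>\d+)"'
    r'(?P<params>(?:\s*;\s*[^;,]+)*)'
)
# 24 hours when "ma" is absent; this code also uses it for an unparsable value.
DEFAULT_MAX_AGE = 86400


def parse_alt_svc(value):
    """Return the alternatives advertised in one Alt-Svc header value."""
    if value.strip().lower() == "clear":
        return []  # "clear" asks the client to forget cached alternatives
    entries = []
    for m in ALT_VALUE.finditer(value):
        params = {}
        for item in m.group("params").split(";"):
            if "=" in item:
                key, val = item.split("=", 1)
                params[key.strip().lower()] = val.strip().strip('"')
        ma = params.get("ma", "")
        entries.append({
            "protocol": m.group("proto"),
            "host": m.group("host").lower(),  # "" means same host as the origin
            "port": int(m.group("port")),
            "max_age": int(ma) if ma.isdigit() else DEFAULT_MAX_AGE,
            "persist": params.get("persist") == "1",
        })
    return entries


def rerouting_alternatives(origin_host, value):
    """Alternatives that send the connection to a host other than the origin."""
    origin = origin_host.lower()
    return [e for e in parse_alt_svc(value) if e["host"] and e["host"] != origin]


# Constructed sample header; the .onion name is a placeholder, not a real service.
SAMPLE = 'h2="constructedplaceholder.onion:443"; ma=86400; persist=1, h3=":443"; ma=3600'

if __name__ == "__main__":
    for alt in rerouting_alternatives("www.example.com", SAMPLE):
        kind = "onion service" if alt["host"].endswith(".onion") else "other host"
        print(f'{alt["protocol"]} -> {alt["host"]}:{alt["port"]} ({kind}), '
              f'cached for {alt["max_age"]}s, persist={alt["persist"]}')
```

Run against the `alt-svc` response header copied from the browser's network inspector, it shows whether a site advertises an alternative host and for how long the browser may cache it.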

Welcome to the internet where when you go to a website, it’s most likely hosted in some cloud that users usually don’t know and has a ton of requests to third-party resources, including fonts from Google that can be abused for tracking or direct tracking scripts such as Google Analytics etc.

So otherwise you’d be connected over clearnet to a server that is likely behind cloudflare anyhow. No advantage that I can see.

Wasn’t Alt-Svc invented by The Tor Project together with its support in Tor Browser?

The issue, if there is any, is not caused by Whonix. If you think that’s an issue, it should be raised upstream at The Tor Project, the developers of Tor Browser.

Whonix doesn’t modify Tor Browser in that way and that’s by design. Related:
Tor Browser Essentials chapter Whonix Tor Browser Differences in Whonix wiki

I am not convinced this is an issue. Bug Reports, Software Development and Feature Requests chapter Support Request Policy in Whonix wiki applies.