Trezor had just released its CoinJoin feature for its Suite software, and also recently released Tor features. So, it caught my attention and interest to investigate further, starting with its Tor features.
To use Tor features, the official page from Trezor says to configure Tor Browser Bundle (TBB):
- Set network.proxy.no_proxies_on to 127.0.0.1:21325
- Set network.http.referer.hideOnionSource to false
- Disable the NoScript addon
It is puzzling, because: for traffic to go through Tor, all it takes is to launch the TBB and set the Trezor suite to route traffic via 127.0.0.1:9150. So, why:
- Why is it necessary to set TBB to listen on port 21325 with “network.proxy.no_proxies_on” which is to skip using proxies? (I'm not sure how TBB handles traffic when it receives it through this option.)
- Setting “network.http.referer.hideOnionSource” to false will provide the referrer info to Trezor suite. Why does the Trezor suite want to know the referrer for the onion traffic?
- If a user is actively using TBB for browsing, then disabling this can increase vulnerabilities and security issues when it is accidentally and unintentionally left disabled.
Honestly, at this moment, I'm not using Trezor with Tor features. It is either fishy or just poorly implemented. I'm hoping someone could explain/comment on the above. I've used other software which goes through Tor, and all it takes to configure it is to set the SOCKS proxy to “127.0.0.1:9150” and, of course, launch TBB and keep it open.
5 thoughts on “Trezor’s Tor features are either fishy or poorly implemented. What do you think?”
Please bear in mind that no one from the Trezor team would send you a private message first.
If you want to discuss a sensitive issue, we suggest contacting our Support team via the Troubleshooter: https://trezor.io/support/
No one from the Trezor team (Reddit mods, Support agents, etc) would ever ask for your recovery seed!
Beware of scams and phishing: https://blog.trezor.io/recognize-and-avoid-phishing-ef0948698aec
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
allow me to do a guided reading of the page you yourself link to:
> Tor is now supported natively in Trezor Suite. Enable it by clicking the Tor icon in the top-right hand corner of the app
so not sure what you are even doing configuring TBB
but perhaps this…?
> Using the web version of Trezor Suite
in that case maybe you can answer your own question here? this one?
because, see, you would be opening the suite webpage in the Tor browser window?
…anyway, moving on. you ask:
> Why is it necessary to set TBB to listen on port 21325 with “network.proxy.no_proxies_on” which is to skip using proxies?
and the webpage answers:
> When using Trezor Suite with Firefox (which is a base for Tor Browser), you cannot use WebUSB (like in Chrome), but instead must use Trezor Bridge
> Tor Browser routes all traffic via Tor by default, and Trezor Suite cannot directly contact Trezor Bridge. Luckily, we can add an exception
as for your question 2, that isn’t directly answered, so I’ll add to that: it’s Trezor Bridge that requires knowing the referer; without it, it will reject traffic. This is a security measure so that any random website can’t start talking to Bridge, and must go through Trezor Connect.
Firstly, you can avoid all this if you use the desktop app. It has built in Tor functionality.
> Why is it necessary to set TBB to listen on port 21325
Since Tor browser is based on Firefox, WebUSB is not supported, so Trezor Bridge is required for device communication. Trezor Bridge operates on port 21325: https://www.speedguide.net/port.php?port=21325
> Why does the Trezor suite wants to know the referrer for the onion traffic?
Trezor Bridge will only communicate with domains it trusts (.trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad.onion and .trezor.io), otherwise any site on the internet could speak to your Trezor. Source: https://github.com/trezor/trezord-go/blob/cde24695535f71de36837d667355855f870ab921/server/api/api.go#L232-L236
> If a user is actively using TBB for browsing, then disabling this can increase vulnerabilities and security issues when it is accidentally and unintentionally left disabled.
I’m sure you can tweak NoScript enough to just allow Trezor Suite to work, though for someone using something like Tails, they want the least amount of fiddling.
If you are that privacy conscious, have your Tor browser in default settings and install Trezor Suite for desktop.
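The origin check the two replies above describe (Bridge answering only pages served from trezor.io or the Trezor onion service), as an added example that is not trezord-go's own code: a loopback HTTP daemon that parses the Origin header, or failing that the Referer, and refuses every request whose page source is not on the allowlist. The two trusted hosts are taken from the thread; the port, the middleware shape and the suffix matching are this example's assumptions. It also shows why the hideOnionSource setting matters for the web Suite: with the header stripped, the check fails closed and the request is rejected.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
	"strings"
)

// Sources taken from the thread; the matching logic is this example's own.
var trustedSuffixes = []string{
	".trezor.io",
	".trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad.onion",
}

// trustedOrigin checks only the parsed host, so "trezor.io.evil.example"
// or a query string containing "trezor.io" does not slip through.
func trustedOrigin(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return false
	}
	host := strings.ToLower(u.Hostname()) // any :port is dropped
	for _, s := range trustedSuffixes {
		if host == s[1:] || strings.HasSuffix(host, s) {
			return true
		}
	}
	return false
}

// requireTrustedOrigin fails closed: a missing or untrusted Origin (or
// Referer) header gets 403 and the wrapped handler is never reached.
func requireTrustedOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		src := r.Header.Get("Origin")
		if src == "" {
			src = r.Header.Get("Referer")
		}
		if !trustedOrigin(src) {
			http.Error(w, "forbidden: untrusted origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() { // loopback only, on the port the thread names for Trezor Bridge
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) })
	log.Fatal(http.ListenAndServe("127.0.0.1:21325", requireTrustedOrigin(ok)))
}
```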
> Enable it by clicking the Tor icon in the top-right hand corner of the app
Thanks for the answers!
I need to clarify: The issues were meant only for using Trezor web suite with Tor Browser Bundle (TBB). It does not apply to the Trezor desktop app. I should have edited my text more clearly.