check.torproject.org & IPv6
TLDR: Exit nodes with IPv6 addresses connect to check.torproject.org over IPv6, causing the IP not to be recognised as being one of an exit node. This triggers a scary “Sorry. You are not using Tor.” warning.
When firing up Tor Browser today and checking if the browser was properly using Tor, I got the following scary message.
What I assume happened
Confused, I quickly checked if that was my IPv6 address. Thankfully it wasn’t. Tor browser was correctly proxying traffic over the Tor network but the exit node resolved check.torproject.org over IPv6. A DNS lookup for check.torproject.org gives:
~ ❯❯❯ host check.torproject.org check.torproject.org is an alias for chiwui.torproject.org. chiwui.torproject.org has address 126.96.36.199 chiwui.torproject.org has IPv6 address 2a01:4f8:172:1b46::abba:20:1 chiwui.torproject.org mail is handled by 10 eugeni.torproject.org.
What likely happened is that the exit node connected to check.torproject.org over IPv6. Since Tor doesn’t have full support for IPv6 yet, the exit node appeared as unknown, hence triggering this warning.
I think the warnings are scary and we shouldn’t be telling users to just ignore them. A quick easy fix would be to simply not have any IPv6 DNS records in check.torproject.org as long as IPv6 isn’t fully supported.
Any thoughts or suggestions? Discuss on Tor-Dev.
Update (24th of August): The AAAA record was removed, waiting for a more broader IPv6 support in Tor.