The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-01-05T16:58:16Z

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17432
(.onion) Bookmarks and Data Forensics
2023-01-05T16:58:16Z
Nima Fatemi

When you need to visit a specific .onion repeatedly, you mainly have two options:
1. Bookmark it
1. write them down on a piece of paper
_-as you might have guessed no one goes for the second option, so let's talk about the first one-_
Bookmarks are currently being stored in clear on disk.
**Scenario:** A person gets arrested by [put-your-fav-adversary-here] with Tor Browser installed on their computer. So far so good. We've a big range of users... plausible deniability and all that. Until... they find a link to say a whistle-blowing platform bookmarked on their Tor Browser.
How do we want to deal with this issue?
Should we show the user a warning message when they're bookmarking an .onion address, like the one we do when they try to download something and advise them not to bookmark any sensitive address?
Should we somehow encrypt their bookmarks with a password or something? (Tails style)
Should we give them an option to plug in a (possibly encrypted) external storage like a USB stick and never save the bookmark on the primary disk?
Bookmarks are one of the most effective tools users have to defeat phishing attacks.
How do we communicate danger to users?

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17431
Investigate attacks in fingerprinting paper
2023-01-05T16:58:20Z
Arthur Edelstein

Here's a 2015 paper on hardware-targeted JS fingerprinting attacks. We should check if we need to add any protections:
http://arxiv.org/pdf/1503.01408.pdf

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17509
Write a patch for additional -ldl needed when compiling Tor Browser with ASan and GCC 5
2023-01-05T16:58:29Z
Georg Koppen

This is a reminder to investigate and write a patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1213698.

Sponsor 131 - Phase 5 - Ongoing Maintenance

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17734
Use PDF.js to sanitize saved PDFs
2023-01-05T16:59:02Z
cypherpunks

PDF files often have malicious content within them, which can be used to compromise the security of the system. Rendering PDF files with PDF.js is often slow and broken, which makes users open the files with native readers. Unfortunately, there are no good sanitizers: they are mostly written in script languages (such as Python and Ruby) and require their runtime. It will be very useful to have a tool to remove malicious content from downloaded PDFs implemented in JS right in the browser. Fortunately, Firefox already has a PDF parsing library inside its PDF.js engine.
* Use PDF.js to parse PDF into internal representation, but do not render it.
* Decompress and destream it.
* Remove all potentially malicious tags (this should be tweakable in popup window similar to "Clear Recent History"): JS, fonts, flash (and other objects calling plugins), 3d, forms, signatures, remote content, anything else not needed for rendering directly.
* Recreate PDF file from the internal representation recomputing all the recomputable fields to destroy memory corruption exploits.
First I asked about it in the PDF.js bug tracker; they refused because it is not the goal of that project.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18080
CORS header 'Access-Control-Allow-Origin' missing
2023-01-05T16:59:05Z
cypherpunks

It seems Tor Browser sometimes strips the Access-Control-Allow-Origin header. I ran into the issue when using Globe. When the header is stripped the browser console contains the warning
```
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://onionoo.torproject.org/details?lookup=299F0933E93B6571ED1CB3D52090E6E13D62427C. (Reason: CORS header 'Access-Control-Allow-Origin' missing).
```
The reasons why I believe Tor Browser is the cause are
1. Onionoo explicitly sets the [header](https://gitweb.torproject.org/onionoo.git/tree/src/main/java/org/torproject/onionoo/server/ResourceServlet.java#n343).
2. Responses from direct requests to an [Onionoo resource](https://onionoo.torproject.org/summary?limit=4) using Tor Browser sometimes do not show the header in the Network Monitor.
3. Responses from direct requests to the same Onionoo resource using curl consistently contain the header.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40787
Prevent redirects from transmitting+storing cookies+identifiers
2023-01-05T17:00:26Z
Mike Perry

I've been using RequestPolicy for so long I'd not realized that redirects have been getting more and more transparent. In Firefox 4/5, the loading indications are impossible to differentiate between redirects and 3rd party loads.
There does not appear to be any obvious about:config options to enable more prompting either. We may have to dig into the RequestPolicy source to see how they do this.
Redirect notification is important if we're going to try to keep 3rd party cookies disabled (or dual-keyed). If redirects are 100% transparent, there's little point in disabling 3rd party cookies.
NoScript has some options for notifying in the case of JS redirects. We'll probably want to enable those options in TBB, too.

ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18107
Prevent automatic HTTP redirects
2023-01-05T17:00:27Z
Trac

Apparently, at some point this feature was removed from Firefox. The option "Advanced -> General -> Warn me when websites try to redirect" doesn't seem to work. For example, this link redirects automatically: http://bit.ly/M4DEDa
I think that automatic HTTP redirects are a potential attack vector. (See, for example, [1]). Can the option to disable them be restored?
[1] https://www.reddit.com/r/TOR/comments/41bfwq/tor_exits_can_strip_ssl_inject_malicious_js_then/
**Trac**:
**Username**: slycelote

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17355
Investigate whether we should re-implement methods of JS Date to avoid fingerprinting
2023-01-05T17:00:39Z
Arthur Edelstein

With legacy/trac#17329 we may have some Linux systems with "C.UTF-8" locale and others with "C". It's also possible, perhaps, that different systems may have different implementations of the "C" locale. We can investigate whether it would be possible to re-implement the JS Date object so that it is fully uniform across systems.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18587
"Download an external file type" doesn't work as expected
2023-01-05T17:01:28Z
cypherpunks

I clicked a pdf file in hardened tor browser (a6--I don't see it in "versions") and got a popup warning of the dangers of downloaded files. OK. I clicked "Automatically download files from now on" and "download" and the very next screen asked me whether to open or download. I already told it to always download! And that's what I want, and I can click another "always" button there to fix it for pdfs, but now I have to do that for every file type I see (the preferences have no way to set download as default). Worse, "open" is the default and I consider that dangerous.
Either the text needs to be changed to match the real behavior (in that case please add some option to bypass the open/download dialog) or the "always download" box should do what it says. In any case I don't think "open" should be the default on the next screen.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18696
Add support for self-signed HTTPS onion sites derived from onion service's ed25519 key
2023-01-05T17:01:52Z
David Huseby

Companion bug to https://bgz.la/1250696
I'd like to get feedback on this proposal.
The idea is to allow TBB to accept a self-signed trust root cert if the hash of the public key matches the .onion address. This will allow servers running as .onion sites to generate strong/modern TLS certs that are signed by a self-signed root cert containing the .onion public key.
This should allow us to get around the DV cert problem and allow valid .onion TLS certs to be validated by the .onion name and have strong/modern TLS certs.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18829
Media Preview in Page Info may not meet TBB expectations for media handling
2023-01-05T17:02:00Z
cypherpunks

Media Preview seems to allow what should be disabled via internal settings, and may not be under the same controls as other parts of the browser.
Examples with gstreamer at legacy/trac#18782; an additional test was performed using the internal setting for disabling images (permissions.default.image) and they still showed up in Media preview. Not just in the Address section as URLs, but as actual displayed pictures. Any need for eliminating tracking pixels, for instance, might be subverted by this.
The objective here is to check where Page Info/Media Preview's settings are, whether they are under the control of settings at all, and most importantly to find out if anything they do can contradict user-intended/expected levels of security.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19037
Suppress content access to page visibility API
2023-01-05T17:02:08Z
Arthur Edelstein

The `document.visibility` property and the `visibilitychange` event let content know if the user has selected or deselected a tab. If the user switches from tab A to tab B, then tab A can receive a "hidden" event at the same time that tab B receives a "visible" event. So it seems potentially useful to suppress this information.
See https://developer.mozilla.org/en-US/docs/Web/API/Page_Visibility_API

Sponsor 131 - Phase 5 - Ongoing Maintenance

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19119
Repurpose block-malicious-sites-checkbox on TLS error page in Tor Browser
2023-01-05T17:02:17Z
Georg Koppen

Right now the checkbox on the neterror page sends a report about a TLS error to Mozilla (containing host, port, timestamp, useragent, update channel, buildid, certificate chain and version of that feature). We might want to repurpose that checkbox as, first, I see no reason why Mozilla should gather data related to a Tor Browser user. Second, this message is highly confusing in our context. Say, an exit node is MITMing a user. Why should the user report that to Mozilla in order to identify and block malicious sites? What is Mozilla supposed to do with that information?
We could think about having our own infrastructure for this that might help detect bad relays.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19198
Examine whether we have proper first-party isolation inside nested Workers
2023-01-05T17:02:22Z
Arthur Edelstein

It's possible that our first-party isolation mechanism for blobs, the HTTP cache, or other things does not work properly inside nested Workers. We should check and potentially add to our regression tests.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19520
Investigate "No last modified time" entries visible in about:cache
2023-01-05T17:02:27Z
Georg Koppen

Today I stumbled over entities in the browser cache that were not isolated to the first party domain and contained a Last Modified date "No last modified time (bug 1000338)". They are all resources loaded when visiting www.torproject.org.
The referenced bug number and https://bugzilla.mozilla.org/show_bug.cgi?id=1119406 might be starting points to understand what is going on (although the latter is supposed to be fixed since ESR38).

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19548
Report bad exit button in tor browser
2023-01-05T17:03:09Z
cypherpunks

When a site doesn't load properly, bad SSL certificates are shown, or other indicators appear that could be due to the network, the user should be able to report that.
https://blog.torproject.org/blog/how-report-bad-relays provides methods - but there should be a report user interface to generate an appropriate email to bad-relays with the diagnostic information available to the browser for the current session.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/19741
favicon in searchbar popup uses catchall circuit
2023-01-05T17:03:13Z
Arthur Edelstein

To reproduce:
* Set "torbutton.loglevel" to 3.
* Enter the word "test" in the searchbar. Click on the DuckDuckGo icon in the popup menu below to cause a search for "test" to be performed on DuckDuckGo. After the search is performed, a green "plus" symbol appears on the searchbar magnifying glass icon.
* Open the browser console, and clear it.
* Click on the searchbar again. An additional menu item appears, which contains the text `Add "DuckDuckGo (HTML)"` and a DuckDuckGo favicon.
* Examine the browser console. Log messages should appear as follows:
```
[07-22 22:38:01] Torbutton INFO: tor SOCKS: http://3g2upl4pq6kufc4m.onion/favicon.ico via --NoFirstPartyHost-chrome-browser.xul--:9bb8a61534faf1f952647a3537560fb0
GET
http://3g2upl4pq6kufc4m.onion/favicon.ico [HTTP/1.1 200 OK 0ms]
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
[07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 NEW 0 3g2upl4pq6kufc4m.onion:80 SOURCE_ADDR=127.0.0.1:52895 PURPOSE=USER
[07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 SENTCONNECT 15 3g2upl4pq6kufc4m.onion:80
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
[07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 SUCCEEDED 15 3g2upl4pq6kufc4m.onion:80
```
should be visible. I believe these messages are caused by
So it appears that the favicon display inside "add-engines" vbox of the search popup is being sent over the catchall circuit.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20314
Make SVG click-to-play and support fallback
2023-01-05T17:03:20Z
bugzilla

Currently TBB uses the worst option: entirely disabled. Even no white rectangle on a white background. It's not fair that videos have CTP, but images haven't. NoScript is most suitable now for this feature.

Sponsor 131 - Phase 5 - Ongoing Maintenance

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31963
Feature Request - Tor Team / Contributors link in 'About Tor Browser'
2023-01-05T17:04:01Z
Trac

- Feature Request:
In Extensions/Addons (about:addons) there are names only of the contributors for specific Language Pack for the Firefox itself, but not for the Translators of Language Pack for the Tor Browser. This is not right!
Simple Language add-on (string holder) extension can be easily added just for the crediting, or better idea is the next solution:
In Help -> "About Tor" dialog on the bottom before LINKS: _"Questions?", "Help the Tor Network Grow!" and "Licensing Information"_ to be added a NEW Link **"Tor Team"** or **"Contributors"** that clicking on it will redirect the user to localized page where he/she will be able to see **WHO IS WHO in the Tor Project (in General), and translators and reviewers for his/her language.**
Example:
![https://i.imgur.com/dsTtIyo.jpg](https://i.imgur.com/dsTtIyo.jpg)
**Trac**:
**Username**: Zarko_Gjurov

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20329
Prevent add-ons updates from being written to the OS temporary directory
2023-01-05T17:04:06Z
bugzilla

Example:
```
1475974982800 addons.xpi DEBUG Download started for https://www.eff.org/files/https-everywhere-5.2.5-eff.xpi to file C:\Users\%USERNAME%\AppData\Local\Temp\tmp-v8h.xpi
```