Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
Updated: 2023-10-04T03:50:47Z

Issue #4427: Support Firefox 8: Re-enable pre-installed addons
https://gitlab.torproject.org/legacy/trac/-/issues/4427
Updated: 2023-10-04T03:50:47Z
Author: Mike Perry

https://developer.mozilla.org/en/Firefox_8_for_developers looks Mostly Harmless. This shouldn't be too painful.

Assignee: Mike Perry

Issue #5741: TBB proxy bypass: Some DNS requests not going through Tor
https://gitlab.torproject.org/legacy/trac/-/issues/5741
Updated: 2023-01-05T18:15:18Z
Author: cypherpunks

Observed behaviour:
When visiting certain websites, for example "http://bitcoincharts.com", with JavaScript enabled, a DNS request for the domain is made without going through Tor. This website is the only one I know of where it happens. This is when running the latest Tor Browser Bundle, properly verified against the gpg signature.
Enabling NoScript to block all JavaScript seems to make the DNS request go away. This was verified by restarting Tor and then disabling JavaScript before visiting the site.
Expected behaviour:
No DNS request should be made through the normal internet, everything should go through Tor. The DNS requests leak information of which sites you are browsing in your Tor Browser.
How to reproduce:
1. Download and verify "tor-browser-gnu-linux-i686-2.2.35-10-dev-en-US.tar.gz"
2. Start up Wireshark to monitor your network, optionally filtering for "dns"
3. Unpack Tor and start it by running the "start-tor-browser" script
4. Once TorBrowser is open, go to "http://bitcoincharts.com/"
5. See DNS request for "bitcoincharts.com" being logged in Wireshark
System information:
Tor Browser Bundle for 32-bit Linux, version 2.2.35-10
Running on Fedora 16
Other:
This is not the first time some rarely triggered bug in Firefox causes Tor to be bypassed, and certainly will not be the last one. Since these bugs have a very high security impact I propose they are guarded against. How about running Firefox inside some kind of firewall that drops all network packets not going to Tor?

Assignee: Mike Perry

Issue #2874: Block access to Components.interfaces from content script
https://gitlab.torproject.org/legacy/trac/-/issues/2874
Updated: 2022-11-09T16:43:54Z
Author: Mike Perry

Components.interfaces can be used to fingerprint browser user agent down to OS and minor version. This might not be a lot of data for fingerprinting (depending on how well we keep users upgraded), but it certainly is a concern for targeting exploit payloads against a particular OS and version combo.
Here's an (outdated) PoC: http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html
Here's the Firefox bug for this: https://bugzilla.mozilla.org/show_bug.cgi?id=429070

Assignee: Mike Perry

Issue #6253: Prompt before allowing HTML5 Canvas image extraction
https://gitlab.torproject.org/legacy/trac/-/issues/6253
Updated: 2022-06-18T01:15:22Z
Author: Mike Perry

The HTML5 canvas can be used for fingerprinting WebGL and font rendering as described in http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf. The fingerprint technique hinges on the ability for JS to extract image/data urls from the canvas object and hash them and/or compute differences. There's some demonstration code that works for a specific (but currently unknown) ruby version here: https://github.com/kmowery/canvas-fingerprinting.
I think the least-effort defense for now is to simply prompt before image extraction, and to allow extraction permissions to be set on a url-bar domain basis if the user has opted to store browser state to disk.
Later, we can think about virtualizing this surface during extraction, but I don't think we'll need to do that unless every site in the world decides to make a lolcat captioning HTML5 widget.

Assignee: Mike Perry

Issue #2950: Make Permissions-Manager memory-only in TorBrowser
https://gitlab.torproject.org/legacy/trac/-/issues/2950
Updated: 2022-06-16T03:55:29Z
Author: Mike Perry

By default, the new Firefox 4 permissions manager should be memory-only. This will also solve the STS problem, which stores its state in the permissions manager.

Assignee: Mike Perry

Issue #10819: Create preference for DOM storage isolation and image cache isolation
https://gitlab.torproject.org/legacy/trac/-/issues/10819
Updated: 2022-06-16T02:51:54Z
Author: Mike Perry

In #6564, we created a patch to isolate DOM storage to first party domain. It could use a pref to control if it is enabled, and ideally also have an option to control if it only applies to private browsing mode windows (though that could be a separate ticket if it is substantial).
Our patch for the isolation is here:
https://gitweb.torproject.org/tor-browser.git/commitdiff/1b3c110a29ae11b50ce2bf56d5954773262e67c0

Assignee: Mike Perry

Issue #6539: Image cache isolation causes assert crash in debug builds (and other cases?)
https://gitlab.torproject.org/legacy/trac/-/issues/6539
Updated: 2022-06-16T02:51:54Z
Author: Mike Perry

Turns out that the patch in #5742 crashes in debug builds at VerifyCacheSizes() in imgLoader.cpp:1613.
There might also be a crash on certain XUL dialog types that contain chrome images/icons. In non-debug builds I get a refcount issue when pointing my new Firefox build at an old profile, or when running it with -P -no-remote. Could be the fact that I re-use the same nsIURI pointer for two arguments in the XUL icon codepath, or could be something else.

Assignee: Mike Perry

Issue #6564: Enable DOM Storage and isolate it to url bar domain
https://gitlab.torproject.org/legacy/trac/-/issues/6564
Updated: 2022-06-16T02:51:54Z
Author: Mike Perry

DOM storage is currently disabled in TBB. We should be isolating it to url bar domain. See mozIThirdPartyUtil and #5742 for useful APIs.

Assignee: Mike Perry

Issue #2875: Spoof Desktop Resolution in TorBrowser
https://gitlab.torproject.org/legacy/trac/-/issues/2875
Updated: 2022-06-16T02:51:54Z
Author: Mike Perry

We currently have Javascript hooks in Torbutton to spoof our desktop resolution, but this information is now available due to CSS3 media queries. We need to patch Firefox at a deeper level to prevent any pieces of it from obtaining valid desktop resolution information.
This could work as an about:config approach that tells the patch to either spoof the next largest common desktop size that is bigger than the window, or to a specific fixed size, or to the size of the content window (as if the content window only was the entire desktop).
We'll also want to try to remap mouse event coordinates back to this spoofed desktop:
https://developer.mozilla.org/en/DOM/Event/UIEvent/MouseEvent
Spoofing the content window to the desktop size is the cleanest approach that leaks the least information, but the Panopticlick test makes people believe that they are always unique because this is such a rare thing to do relative to the rest of the web, so people are always wrongly complaining we don't defend against Panopticlick :/

Milestone: TorBrowserBundle 2.3.x-stable
Assignee: Mike Perry

Issue #5856: Patch Firefox to alter window.screen directly
https://gitlab.torproject.org/legacy/trac/-/issues/5856
Updated: 2022-06-16T02:51:54Z
Author: Mike Perry

Georg Koppen found a race condition in our Javascript hook application that allows the hooks to be bypassed. Right now, they only exist to project window.screen and associated resolution information, so we can probably just replace them with a patch.

Assignee: Mike Perry

Issue #3229: Make content pref service memory-only + clearable
https://gitlab.torproject.org/legacy/trac/-/issues/3229
Updated: 2022-06-16T00:22:07Z
Author: Mike Perry

Our current blanket disable of site-specific zoom has very annoying effects on pages like wikipedia. If you zoom to view the text and then click on an anchor link, the zoom gets reset because it is not stored.
We should make this memory only and clearable via an observer or pref.

Milestone: TorBrowserBundle 2.2.x-stable
Assignee: Mike Perry

Issue #9173: Relocate RelativeLink functionality to Firefox patch
https://gitlab.torproject.org/legacy/trac/-/issues/9173
Updated: 2022-05-27T16:01:31Z
Author: Mike Perry

We need to hardcode our home and profile settings from RelativeLink into a Firefox patch so that users still get expected behavior on Mac and Windows if they dock Firefox instead of the RelativeLink exe/containing app.
This will also prevent situations where TBB ends up set as the default browser or link handler, and gets launched to handle a url without RelativeLink.
This is a pretty bad usability bug, because Firefox will end up using the wrong profile if you launch it without RelativeLink right now.
In most cases, this will cause it to fail closed (because the socks proxy won't be listening), but not if the user already has proxy settings overrides for their default profile.

Assignee: Mark Smith

Issue #4099: Disable TLS Session resumption and Session IDs
https://gitlab.torproject.org/legacy/trac/-/issues/4099
Updated: 2020-06-16T00:46:31Z
Author: Mike Perry

We need to disable TLS session resumption and HTTP keep-alive to prevent third parties from possibly using them to track users between different domains.
Ideally, we should simply prevent 3rd party origins from using these two features, but I suspect that differentiating 3rd party loads at the HTTP and TLS layers will prove difficult.

Milestone: TorBrowserBundle 2.2.x-stable
Assignee: Mike Perry

Issue #5282: Randomize non-pipelined requests to defend against traffic fingerprinting
https://gitlab.torproject.org/legacy/trac/-/issues/5282
Updated: 2020-06-15T23:44:16Z
Author: Mike Perry

According to Martin Henze (who works with Andriy Panchenko), the defense in #3914 is inadequate due to the fact that many sites forcibly disable pipelining.
He implemented a defense that randomizes non-pipelined HTTP requests as well, but it may need some cleanup. It also needs testing against their framework still, I believe.

Milestone: TorBrowserBundle 2.3.x-stable
Assignee: Mike Perry

Issue #12212: Disable deprecated Audio Data API
https://gitlab.torproject.org/legacy/trac/-/issues/12212
Updated: 2020-06-15T23:42:45Z
Author: Mike Perry

iSec pointed out that the Audio Data API was superseded by the WebAudio API, but it remains on by default in the Firefox 24ESR series. This is bad for business, especially given how many vulnerabilities have been in WebAudio. There is a risk that similar vulnerabilities have simply gone unfixed in AudioData.
https://bugzilla.mozilla.org/show_bug.cgi?id=927245
The pref is media.audio_data.enabled.

Assignee: Mike Perry

Issue #11253: Turn on TLS 1.1 and 1.2 in TorBrowser
https://gitlab.torproject.org/legacy/trac/-/issues/11253
Updated: 2020-06-15T23:42:45Z
Author: Trac

TLS 1.1 and TLS 1.2 support is already implemented in FF 24 ESR, but for some unknown reason Mozilla haven't turned it on by default, even though TLS 1.1 and 1.2 are supported by Chrome, IE, Opera, and FF stable (the non-ESR version).
Through about:config, search for security.tls.version.max and replace 1 with 3 and that's it.
Note we're not disabling SSL 3.0 so no sites at all will be broken.
The reasons and benefits for enabling TLS 1.1 and 1.2 are obvious and self-evident, including
- higher security for encrypted traffic to websites leaving Tor exit nodes
- making the said traffic above resistant to cryptanalysis and sniffing
There are no drawbacks from this upgrade because SSL 3.0 will not be disabled and hence websites not supporting TLS 1.1 and 1.2 will not be broken and will function as normal.
**Trac**:
**Username**: YunoTLS

Assignee: Mike Perry

Issue #9867: Flash is not click-to-play
https://gitlab.torproject.org/legacy/trac/-/issues/9867
Updated: 2020-06-15T23:42:45Z
Author: Mike Perry

It turns out that Mozilla exempted Flash from click-to-play. We need to also set plugin.state.flash to 1 to actually enforce click-to-play for flash.

Assignee: Mike Perry

Issue #2872: Limit the fonts available in TorBrowser
https://gitlab.torproject.org/legacy/trac/-/issues/2872
Updated: 2020-06-15T23:38:50Z
Author: Mike Perry

According to the Panopticlick data set, the font list (which they obtained through plugins) was the second most identifiable chunk of data they saw, behind plugins themselves. We block plugins, but fonts are still available through CSS.
There are seemingly two potential ways to solve this:
1. Ship with a fixed set of fonts in TorBrowser
2. Limit the number of fonts that can be loaded on a single page
Because of the wide variety of languages we support, and because we'd like this feature merged upstream in Firefox, I think the way to do this is #2. The maximum number of fonts per page should be governed by an about:config setting.

Milestone: TorBrowserBundle 2.3.x-stable
Assignee: Mike Perry

Issue #8312: Remove "This Plugin is Disabled" click-through
https://gitlab.torproject.org/legacy/trac/-/issues/8312
Updated: 2020-06-15T23:36:31Z
Author: proper

I try a newbie user perspective...
> I just want to see that video. Let's go to that video site.
> Ok. Hmm. I see...
>> "The plugin is disabled.*
>> Manage plugins..."
> Click!
> Flash... Enable...
> Doesn't work. Let's try another page. It says...
>> "Click here to activate unknown plugin."
> Click!
And boom. The user shoots themselves in the foot.
The option "Tor Button -> Preferences -> Security Settings -> Disable Browser Plugins (such as Flash)" is checked.
I think this is a regression. If that Tor Button setting is set, plugins shouldn't get activated, unless that option gets unchecked.
Version: Tor Browser Bundle (2.3.25-4)

Assignee: Mike Perry

Issue #3547: Disable all plugins but flash
https://gitlab.torproject.org/legacy/trac/-/issues/3547
Updated: 2020-06-15T23:36:31Z
Author: Mike Perry

We need to patch Tor Browser to disable all plugins but the flash plugin. The addon manager has the ability to do this, but it is not exported to XPCOM, so we must write a patch in C++.
We should do this instead of mucking with the Firefox plugin search paths in Tor Browser.

Milestone: TorBrowserBundle 2.2.x-stable
Assignee: Mike Perry