Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-16T01:27:58Z

https://gitlab.torproject.org/legacy/trac/-/issues/18952
Tor Browser without Tor
2020-06-16T01:27:58Z
cypherpunks

In the past it was possible to remove Tor Launcher from TB and use TB for direct connection (no proxy). Now (5.5) Torbutton asks to be disabled to allow that.
Moreover, with Torbutton disabled, TB with the no proxy setting is "unable to find the proxy server" when opening a website, though it does work with an HTTP proxy.

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/26279
Needing help with a custom browser protocol
2020-06-16T00:46:47Z
Trac

So what I'm trying to do is create a protocol called "opentor" and when used like "opentor://http://www.website.com/" it'll open that website in tor from another browser. I've gotten the URI scheme working, and it's opening tor when I use it, but it's not opening the link in it. What is the problem to this? Is it a bug in tor? Is there something I'm missing? Or is it just not possible at all?
**Trac**:
**Username**: AlienDrew

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/22058
Provide better testing for Tor Browser not breaking important websites (Twitter/Github etc.)
2020-06-15T23:43:26Z
Georg Koppen

We recently had to deal with Twitter being hardly usable for Tor Browser users due to a bug in our code (see #16450 and #21555). We might want to have some tests informing us as early as possible if such a breakage happens. Selenium might be a good tool for writing such tests, maybe Marionette as well.

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/18361
Issues with corporate censorship and mass surveillance
2020-06-15T23:33:35Z
Jacob Appelbaum

There are companies - such as CloudFlare - which are effectively now Global Active Adversaries. Using CF as an example - they do not appear open to working together in open dialog, they actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and frankly, they run untrusted code in millions of browsers on the web for questionable security gains.
It would be great if they allowed GET requests - for example - such requests should not and generally do not modify server side content. They do not do this - this breaks the web in so many ways, it is incredible. Using wget with Tor on a website hosted by CF is... a disaster. Using Tor Browser with it - much the same. These requests should be idempotent according to spec, I believe.
I would like to find a solution with Cloudflare - but I'm unclear that the correct answer is to create a single cookie that is shared across all sessions - this effectively links all browsing for the web. When tied with Google, it seems like a basic analytics problem to enumerate users and most sites visited in a given session.
One way - I think - would be to create a warning page upon detection of a CF edge or captcha challenge. This could be similar to an SSL/TLS warning dialog - with an option for users to bypass, engage with their systems or an option to *contact them* or the *site's owners* or to hit a cached version, read only version of the website that is on archive.org, archive.is or other caching systems. That would ensure that *millions* of users would be able to engage with informed consent before they're tagged, tracked and potentially deanonymized. TBB can protect against some of this - of course - but when all your edge nodes are run by one organization that can see plaintext, ip addresses, identifiers and so on - the protection is reduced. It is an open research question how badly it is reduced but intuitively, I think there is a reduction in anonymity.
It would be great to find a solution that allows TBB users to use the web without changes on our end - where they can solve one captcha, if required - perhaps not even prompting for GET requests, for example. Though in any case - I think we have to consider that there is a giant amount of data at CF - and we should ensure that it does not harm end users. I believe CF would share this goal if we explain that we're all interested in protecting users - both those hosting and those using the websites.
Some open questions:
* What kind of per browser session tracking is actually happening?
* What other options do we have on the TBB side?
* What would a reasonable solution look like for a company like Cloudflare?
* What is reasonable for a user to do? (~17 CAPTCHAs for one site == not reasonable)
* Would "Warning this site is under surveillance by Cloudflare" be a reasonable warning or should we make it more general?

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/16917
Support torified torsocks ssh -D socks proxy ports (for wingnuts)
2020-06-15T23:29:10Z
Mike Perry

When Tor is blocked by a website, wingnuts sometimes resort to using ssh -D proxies in combination with torsocks (so that the connection to the ssh server goes over Tor, and then when you connect to the SSH proxy port on localhost, it gets routed through Tor and then it uses your SSH server as your exit IP).
Unfortunately, in TBB 4.5 we added socks username+password isolation to Torbutton, and there is no way to disable this easily. For example, see this sad panda: https://superuser.com/questions/941136/how-can-i-bypass-proxy-using-tunneling (though that guy is still doing it wrong. ssh -D is way more flexible, if TBB 4.5+ supported it).
The following Torbutton patch works to completely disable the use of SOCKS auth in TBB (which also disables circuit isolation):
```
--- a/src/components/domain-isolator.js
+++ b/src/components/domain-isolator.js
@@ -71,8 +71,8 @@ tor.socksProxyCredentials = function (originalProxy, domain) {
return mozilla.protocolProxyService
.newSOCKSProxyInfo(proxy.host,
proxy.port,
- domain, // username
- tor.noncesForDomains[domain].toString(), // password
+ null, //domain, // username
+ null, //tor.noncesForDomains[domain].toString(), // password
proxy.flags,
proxy.failoverTimeout,
proxy.failoverProxy);
```
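Review bot: In the `newSOCKSProxyInfo` call, replacing the username and password arguments with hard-coded `null` turns off SOCKS auth, and with it per-domain circuit isolation, for every request, with no way to turn it back on short of reverting the patch. Gate this on a Torbutton pref that defaults to the current behaviour, and keep passing `domain` and `tor.noncesForDomains[domain].toString()` when the pref is not set, rather than leaving the old arguments behind as `//` comments. A comment at the call site should also state that `null` credentials mean all domains share circuits.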
You also need to set the following about:config prefs to false: **extensions.torbutton.local_tor_check** and **extensions.torbutton.test_enabled**.
You also need to start TBB with TOR_SOCKS_PORT=4444, or whatever your ssh -D SOCKS port is.
Finally, you need to set 'AllowInbound 1' in /etc/tor/torsocks.conf (or wherever torsocks.conf lives).
If some random cypherpunk(s) want to turn that Torbutton patch into a Torbutton pref and either script the rest of this or document this process better, I would merge the patch and add a link to the script to the TBB Hacking Guide. We should also put the answer on a few stackoverflow questions like the one I linked. There probably are more.
The following Hacking Guide sections may be useful in this process:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#BuildingJustTorLauncherOrTorbutton
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#UsinganExistingTorProcess

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/9966
Work with Debian or another FOSS vendor to provide non-x86 TBB packages
2020-06-15T23:16:49Z
cypherpunks

Tor Browser Bundles should exist for PowerPC Mac and PowerPC Debian.
ppc, ppc64.
thank you!

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/7446
TorButton should not fixup .onion domains
2020-06-15T23:14:58Z
Steven Murdoch

I received the following email, which might be worth investigating:
> Sorry to bother you with this, but didn't know who else to contact.
>
> Defaults (about:config) for TorBrowser should include:
>
> browser.fixup.alternate.enabled;false
>
> to prevent injecting www. & .com on timed-out sites.
>
> Thanks for all your great work; it means a lot to a lot of people.

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/5767
Document auditing setups for testers to use
2020-06-15T23:14:13Z
Mike Perry

We've got a TBB AppArmor profile at https://trac.torproject.org/projects/tor/wiki/doc/AppArmorForTBB. On #5741, some dude named unknown posted iptables rules that log violations. I hear there is also an OSX Seatbelt policy floating around somewhere that may also be useful.
We should create a meta document, or perhaps just describe on https://trac.torproject.org/projects/tor/wiki/doc/build/BuildSignoff how to use these things to test for disk leaks, proxy issues, oddities, and other violations.

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/5545
Destroy DNT
2020-06-15T23:14:01Z
Mike Perry

Nick and Roger suggested that we figure out how to communicate to policy people in their own language why we are reluctant to believe DNT will actually accomplish anything productive, and therefore why we are reluctant to endorse it.
I hold a slightly more extreme position: That DNT is actually likely to introduce a regulatory sinkhole that we want no part of. In almost every case, we should be developing end to end cryptographic strategies for dealing with the issue of infrastructure trust and tracking.
We should spend the time to communicate these ideas to the DNT folks. To quote Roger, "the more the policy people think they're solving the problem, the less likely anybody is to solve the problem."
See also #5501.

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/18121
anti-conformational attack (theory)
2020-06-13T18:36:09Z
Trac

The design is simple inside this image:-
![https://forums.whonix.org/uploads/default/original/1X/258fdf25ca73641ee3610de4a6893ee6e001b60b.png](https://forums.whonix.org/uploads/default/original/1X/258fdf25ca73641ee3610de4a6893ee6e001b60b.png)
With this design, if I'm getting it correctly, it will be very hard to make a conformational attack or at least very hard also to compromise the GW (Whonix GateWay = modified Debian + Tor).
Note:- this design is very possible to happen inside Qubes OS + Whonix OS
The explanation:-
There will be e.g. five DisposableVMs (amnesic VMs) which are connected to the WS (Whonix workstation = modified Debian + TBB), but in fact they won't be working together. How?
If you see the refresh icon, it means the DisposableVM is turning OFF and going to be ON again after a few minutes, while the others are still working, and by this we get:-
continuing connection to the workstation (working area), and anti-compromisation to Tor, because the DisposableVM will keep shutting itself down and starting again from point 0.
The green lines mean the DisposableVM is working, and the red lines mean the DisposableVM is refreshing itself by turning itself on/off from time to time (automatic off/on switcher).
I don't know if my guess is right or wrong. Hope I see some activity on this idea.
for more info visit:-
- [https://www.qubes-os.org/]
- [https://www.qubes-os.org/doc/dispvm/]
- [https://www.whonix.org/]
- [https://www.whonix.org/wiki/Dev/Design-Gateway]
- [https://www.whonix.org/wiki/Dev/Design-Workstation]
**Trac**:
**Username**: bo0od

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/26083
Bridge detector. Fake?
2020-06-13T18:31:19Z
cypherpunks

Some code for detection found. Is it real?

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/21623
Replace the loading icon with a Bootstrap progress bar
2020-06-13T18:07:06Z
cypherpunks

The loading icon is an image which does not scale. A Bootstrap progress bar uses CSS thus scales properly.

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/21398
Atlas tooltips appear partially off-screen
2020-06-13T18:07:00Z
cypherpunks

In the Atlas relay/bridge details page, there are "tooltips" that show a description when you hover over each item.
When using Tor Browser at its default window size, the tooltips for the items in the left-hand column appear partially off-screen, so that the text is cut off. These include "Nickname", "OR Addresses", "Contact", "Dir Address", "Advertised Bandwidth", "IPv4 Exit Policy Summary", "IPv6 Exit Policy Summary", and "Exit Policy".
For example: if I open https://atlas.torproject.org/#details/5CECC5C30ACC4B3DE462792323967087CC53D947 , and hover over "OR Addresses", I see
```
ses and ports where the relay
for incoming connections from
and other relays.
```

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/15415
display relay directly if the search finds one relay only
2020-06-13T18:06:33Z
cypherpunks

If you currently enter a search term in atlas then you will get an overview of relays matching that search.
That is useful for results with more than one hit, but if you enter let's say a fingerprint or other search term that gets only one hit, let's jump to that relay directly.

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/34182
Write new integration tests for Tor Browser based on Fenix based on O1.2
2020-06-13T17:41:30Z
Matthew Finkel

Add new tests.

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/33288
forrestii/fpcentral still has stretch packages (mongodb)
2020-06-13T17:41:29Z
anarcat

fpcentral requires mongodb to operate, but that package was removed from Debian stable in february 2019, mainly [because of license problems](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916107). to quote wikipedia:
> MongoDB has been dropped from the Debian, Fedora and Red Hat Enterprise Linux distributions due to the licensing change. Fedora determined that the SSPL version 1 is not a free software license because it is "intentionally crafted to be aggressively discriminatory" towards commercial users.
(there is also an [unpatched security issue](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934783) against mongodb, by the way...)
we can't maintain this service like that in the long term. stretch will stop being supported this summer and mongodb isn't supported in its free form.
what's the plan for replacing mongodb?

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/30450
tbb-testsuite: Fix the readelf_stack_canary test
2020-06-13T17:41:25Z
boklm

The readelf_stack_canary test currently fails on the following files:
```
abicheck
gtk2/libmozgtk.so
libmozgtk.so
TorBrowser/Tor/libstdc++/libstdc++.so.6
```

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/30341
tbb-testsuite: fix the screenshots test
2020-06-13T17:41:24Z
boklm

The screenshots test is currently failing with the error:
```
Traceback (most recent call last):
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_harness-4.3.0-py2.7.egg/marionette_harness/marionette_test/testcases.py", line 156, in run
testMethod()
File "/home/tbb-testsuite/tbb-testsuite/marionette/tor_browser_tests/test_screenshots.py", line 27, in test_check_tpo
marionette.navigate(url)
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_driver-2.5.0-py2.7.egg/marionette_driver/marionette.py", line 1632, in navigate
self._send_message("get", {"url": url})
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_driver-2.5.0-py2.7.egg/marionette_driver/decorators.py", line 23, in _
return func(*args, **kwargs)
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_driver-2.5.0-py2.7.egg/marionette_driver/marionette.py", line 740, in _send_message
self._handle_error(err)
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_driver-2.5.0-py2.7.egg/marionette_driver/marionette.py", line 764, in _handle_error
raise errors.lookup(error)(message, stacktrace=stacktrace)
UnknownException: Reached error page: about:neterror?e=fileNotFound&u=chrome%3A//torbutton/content/preferences.xul&c=UTF-8&f=regular&d=Die%20Dateien%20unter%20chrome%3A//torbutton/content/preferences.xul%20konnten%20nicht%20gefunden%20werden.
stacktrace:
WebDriverError@chrome://marionette/content/error.js:178:5
UnknownError@chrome://marionette/content/error.js:529:5
handleReadyState@chrome://marionette/content/listener.js:277:21
handleEvent@chrome://marionette/content/listener.js:245:9
```

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/30333
tbb-testsuite: fix the download_pdf test
2020-06-13T17:41:22Z
boklm

The `download_pdf` test currently fails with the error:
```
Traceback (most recent call last):
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_harness-4.3.0-py2.7.egg/marionette_harness/marionette_test/testcases.py", line 156, in run
testMethod()
File "/home/tbb-testsuite/tbb-testsuite/marionette/tor_browser_tests/test_download_pdf.py", line 24, in test_download_pdf
m.set_window_size(1024, 300)
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_driver-2.5.0-py2.7.egg/marionette_driver/marionette.py", line 2063, in set_window_size
return self._send_message("setWindowSize", body)
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_driver-2.5.0-py2.7.egg/marionette_driver/decorators.py", line 23, in _
return func(*args, **kwargs)
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_driver-2.5.0-py2.7.egg/marionette_driver/marionette.py", line 740, in _send_message
self._handle_error(err)
File "/home/tbb-testsuite/tbb-testsuite/virtualenv-marionette-4.3.0/local/lib/python2.7/site-packages/marionette_driver-2.5.0-py2.7.egg/marionette_driver/marionette.py", line 764, in _handle_error
raise errors.lookup(error)(message, stacktrace=stacktrace)
UnknownCommandException: setWindowSize
stacktrace:
WebDriverError@chrome://marionette/content/error.js:178:5
UnknownCommandError@chrome://marionette/content/error.js:518:5
despatch@chrome://marionette/content/server.js:286:13
execute@chrome://marionette/content/server.js:267:11
onPacket/<@chrome://marionette/content/server.js:242:15
onPacket@chrome://marionette/content/server.js:241:8
_onJSONObjectReady/<@chrome://marionette/content/transport.js:500:9
```

cypherpunks cypherpunks

https://gitlab.torproject.org/legacy/trac/-/issues/29675
Nightly build should fail if "make fetch" fails
2020-06-13T17:41:20Z
boklm

We run `make fetch` during the nightly builds to fetch the latest commits before starting the build. However we ignore the exit code from `make fetch`, so if there is an error in the middle of fetching, then we build with old commits.
Instead we should make the build fail if there was an error in `make fetch`, so we can know there was something wrong and can fix it.

cypherpunks cypherpunks