Disable self when running in Tor browser

ioerror tells me that there are anonymity attacks when a Tor user is a flash proxy over their Tor connection, having to do with congestion and intersection.

We should at least detect when being run inside Tor browser and disable.

added component::archived/flashproxy owner::dcf priority::medium resolution::fixed status::closed type::defect labels

ioerror, is this the sort of weakness you had in mind when describing this to me? Particularly section 2.3.

On the risks of serving whenever you surf http://freehaven.net/anonbib/#wpes09-bridge-attack

As an additional measure to avoid Tor-in-Tor situations (which is not necessarily what ioerror was concerned about), maybe the facilitator should not answer requests from known Tor exits.

Replying to dcf:

As an additional measure to avoid Tor-in-Tor situations (which is not necessarily what ioerror was concerned about), maybe the facilitator should not answer requests from known Tor exits.

Roger offers this command that exports exits for bridges.torproject.org:

cat $HOME/auto-naming/moria1/cached-des* | python $HOME/git/contrib/exitlist <ip>:<port> > exitlist

Trac:
Username: jct

tbFinger.js

Tor Broswer fingerprint - extended version.

Trac:
Username: jct

First part [1], trying to detect that the proxy is running in a Tor Browser:

Here is a candidate script in order to get the Tor Browser fingerprint:

function tor_browser_fingerprint() {
     var isTB = false;     

     try { var t1 = false, resFunction = Components.lookupMethod(this, 'window'); } catch (err) { if( err.message.indexOf("Permission denied") != -1 ) t1 = true;}

     try { var t2 = false, resObject = Components.interfaces.nsITimer; } catch (err) { if( err.message.indexOf("Permission denied") != -1 ) t2 = true;} 

     if ( t1 && t2 && (navigator.userAgent == "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0") &&  (navigator.platform.indexOf("Win32") != -1) && (sessionStorage === null) && (navigator.mimeTypes.length == 0) && ((navigator.plugins.length == 0) || (navigator.plugins.length == 1 && navigator.plugins[0].name == "Shockwave Flash") ) )
          isTB = true;

     return isTB; }

The logic behind this code comes from the design of the Tor Browser: https://www.torproject.org/projects/torbrowser/design/ :

   * Block **Components.interfaces** and **Components.lookupMethod** 
   * A fixed **userAgent** string
   * Regardless of the actual operating system, the browser is reporting the Windows OS
   * Entirely disable DOM storage
   * Not listing the supported MIME types
   * Not allowing plugins or only allowing Flash

I suppose that is enough with checking the userAgent string, but the others may be needed to decrease the amount of false positives.

I'm attaching an extended version of the proposed script (the attached one is a bit more polite and modular, but essentially does the same as the shorter version that is displayed above.

[1] The second part is to detect that the proxy is already in the Tor Network, not checking if it is running in a Tor Browser, but checking if the proxy reported IP matches with a Tor Exit node.

Trac:
Username: jct

Thanks, this is good work.

I'm willing to trade some false positives (and perhaps remove some false negatives) for an even simpler test. Grepping for "Permission denied" in error text strikes me as not robust. Similarly "Shockwave Flash": I don't want to couple this test too closely to the internals of Tor Browser. Checking navigator.platform seems redundant with the user-agent check.

I'll bet that the user-agent comparison already gets us almost all the way there. To that let's add the sessionStorage === null and navigator.mimeTypes.length == 0 tests, and make that the whole of the detection.

Please do the above in the form of a patch against flashproxy.js, and attach the patch to the ticket. The function should be called is_likely_tor_browser or something similar. You can add a call to this function to flashproxy_should_disable.

Trac:
Status: new to needs_revision

I created #7549 (closed) to keep track of the facilitator part of this.

Trac:
Username: jct

check-proxy-running-in-tor-proxy.patch

Patch in order to checking if the proxy is running in a Tor Proxy browser and disable it.

Trac:
Username: jct

Done!

Trac:
Username: jct

Good work. I committed your patch.

Trac:
Status: needs_revision to closed
Resolution: N/A to fixed

Just bookmarking this page: http://marcorondini.eu/research/resource_uri/.

It tests for Tor Browser by trying to load a script from a resource URL and calling it Tor Browser when the script loads successfully.

<script type="text/javascript" src="re[//defaults/preferences/%23tor.js"](//defaults/preferences/%23tor.js") onload="alert('Tor Browser');"></script>

Replying to dcf:

It tests for Tor Browser by trying to load a script from a resource URL

AKA #8725 (moved).

closed

mentioned in issue #7549 (closed)