[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #21200 [Applications/Tor Browser]: Move all TB Mozilla service calls to .onions



#21200: Move all TB Mozilla service calls to .onions
--------------------------------------+--------------------------
 Reporter:  tom                       |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by tom):

 This is a near-complete list, I think. It does _NOT_ include every place
 that Tor Browser *links* to a website, but it hopefully contains every
 automated behind the scenes call to Mozilla websites and it does include
 some links also.

 - Extension Blacklisting from Mozilla is enabled
  - Pref: extensions.blocklist.enabled
  - URL: https://blocklist.addons.mozilla.org/
 - Extension Updating
  - Pref: extensions.update.background.url
  - Url: https://versioncheck.addons.mozilla.org
 - 'Get Add-Ons' - this happens if you choose that tab in Tor Browser
  - Pref: extensions.getAddons.*
  - URL: https://services.addons.mozilla.org
 - Extension Discovery - not sure what this is
  - Pref: extensions.webservice.discoverURL
  - https://discovery.addons.mozilla.org/
 - Customize -> Themes -> Get More Themes opens a tab with this url
  - Pref: lightweightThemes.getMoreURL
  - URL: https://addons.mozilla.org/
 - There's some stuff about media.gmp* but I'm not sure what this is...
 - Firefox Sync
  - Left uninvestigated due to the assumption that while I believe you
 _can_ use this in Tor Browser, that no one does. (and I have no idea how
 it would behave)
 - Devtools
  - It appears devtools.devices.url
 (https://code.cdn.mozilla.net/devices/devices.json) will get downloaded
 for a database of device information.
 - WebIDE will auto-install extensions from https://ftp.mozilla.org/
  - In particular I saw devtools.webide.adaptersAddonURL and
 devtools.webide.adbAddonURL but devtools.webide.simulatorAddonsURL looks
 like another one
  - And templates downloaded from devtools.webide.templatesURL
 - OneCRL and other Kinto-based services (This may not be in ESR 45 but
 will be in 52)
  - Services: OneCRL, 'addons', 'gfx', 'plugins'
   - OneCRL is certificate blacklisting
   - gfx is disabling hardware acceleration for graphics cards or drivers,
 see https://wiki.mozilla.org/Blocklisting/Graphics
   - I am unsure how addon/plugin blacklisting functions here compared to
 the above blocklist.
  - Pref: services.settings.server and services.blocklist.*
  - URL: https://firefox.settings.services.mozilla.com/v1
  - Example:
 https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/records
 (I couldn't figure out what a link to an actual data source would be...)
 - Crash Reporter and Telemetry are disable

 I researched what would happen if Mozilla's blocklist was used against the
 Tor add-ons. The next restart of Tor Browser would have the add-ons
 disabled; and browsing would not work, giving an error that the proxy
 server is refusing connections.

 I confirmed that extensions.systemAddons were not enabled. I also put some
 random other notes in #19048

 Based off of all of this I am going to propose Mozilla start with one of
 the following with the choice probably being whichever one is easiest:

  - ​https://versioncheck.addons.mozilla.org - This one may be most
 preferable, as the version check can be initiated by the user, which
 allows for easy testing.
  - https://blocklist.addons.mozilla.org
  - https://firefox.settings.services.mozilla.com

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21200#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs