[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #20195 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation. (was: torbutton-torCheckService doesn't honor domain isolation.)



#20195: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
-------------------------------------------------+-------------------------
 Reporter:  yawning                              |          Owner:  legind
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  HTTPS Everywhere/EFF-HTTPS           |        Version:
  Everywhere                                     |
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-linkability                      |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * severity:  Normal => Major
 * cc: gk (added)
 * component:  Applications/Tor Browser => HTTPS Everywhere/EFF-HTTPS
     Everywhere
 * priority:  Medium => High
 * owner:  tbb-team => legind
 * keywords:  tbb-torbutton, tbb-linkability => tbb-linkability


Comment:

 Replying to [comment:9 yawning]:
 > Ah there.  Looks like the domain isolation code is getting called, but
 wireshark doesn't lie.
 > FWIW, I took the pcaps without my sandboxing stuff in play, and the
 behavior is consistent.
 >
 > {{{
 > [09-22 08:31:02] Torbutton INFO: Component returned failure code:
 0x80070057 (NS_ERROR_ILLEGAL_VALUE)
 [mozIThirdPartyUtil.getFirstPartyURIFromChannel]
 > [09-22 08:31:02] Torbutton INFO: tor SOCKS isolation catchall:
 https://check.torproject.org/?TorButton=true#0.99726695529027310.5190771246311907
 via --unknown--:0
 > [09-22 08:31:02] Torbutton WARN: no SOCKS credentials found for current
 document.
 > }}}

 Alright, so here is what is going on. First, do you see the weird float
 number thing appended to the `#` in the `check.torproject.org` URL?
 Torbutton does not do such things. It turns out this is part if the HTTPS-
 Everywhere SSL Observatory code where it checks whether Tor is available
 and to use (e.g. for submissions). As a sidenode: one does see the issue
 in the Tor Browser log as well without pcaps. That request does not go
 over the catch-all circuit but rather is put on one without any
 username/password isolation at all.

 So, even if the request comes from HTTPS-Everywhere why is it not isolated
 like any other internal request? Looking at Necko logs shows that indeed
 things are wrong, already at the nsHTTPConnectionManager level:
 {{{
 -957356288[7fd9e2dabb60]: nsHttpConnectionMgr::OnMsgSpeculativeConnect
 [ci=.S....check.torproject.org:443 (socks:127.0.0.1:9150)[:]]
 }}}
 Before and after the colon in the brackets should be the respective
 username and password.

 Looking closer at the SSL Observatory code shows it is bypassing our proxy
 filter respoonsible for domain isolation in case the CSRF nonce is found
 in the path:

 {{{
     if (isSubmission || testingForTor) {
       if (aURI.path.search(this.csrf_nonce+"$") != -1) {

         this.log(INFO, "Got observatory url + nonce: "+aURI.spec);
         var proxy_settings = null;
         var proxy = null;

         // Send it through tor by creating an nsIProxy instance
         // for the torbutton proxy settings.
         try {
           proxy_settings = this.getProxySettings(testingForTor);
           proxy = this.pps.newProxyInfo(
             proxy_settings.type,
             proxy_settings.host,
             proxy_settings.port,
             Ci.nsIProxyInfo.TRANSPARENT_PROXY_RESOLVES_HOST,
             0xFFFFFFFF, null);
         } catch(e) {
           this.log(WARN, "Error specifying proxy for observatory: "+e);
         }

         this.log(INFO, "Specifying proxy: "+proxy);

         // TODO: Use new identity or socks u/p to ensure we get a unique
         // tor circuit for this request
         return proxy;
       }
     }
 }}}

 FWIW: the reason you thought this was fixed in the alpha was due to HTTPS-
 Everywhere 5.2.4 that was the latest version at that time. In that version
 SSL Observatory code was broken due to #19996. This got fixed in 5.2.5
 which makes this issue visible in the alphas again.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs