[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation

Subject: Re: [tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Mon, 30 Mar 2015 18:08:13 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 30 Mar 2015 14:08:23 -0400
In-reply-to: <055.f9fbaf07444dbb42dc5f11f56c921a84@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <055.f9fbaf07444dbb42dc5f11f56c921a84@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#13670: ensure OCSP & favicons respect URL bar domain isolation
---------------------------------+---------------------------------------
     Reporter:  arthuredelstein  |      Owner:  arthuredelstein
         Type:  defect           |     Status:  needs_revision
     Priority:  major            |  Milestone:
    Component:  Tor Browser      |    Version:
   Resolution:                   |   Keywords:  tbb-linkability, ff38-esr
Actual Points:                   |  Parent ID:
       Points:                   |
---------------------------------+---------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:28 mikeperry]:

 > I also feel that the OCSP cache isolation is too invasive - it touches
 too many pieces of the code. This patch seems very unlikely to be taken by
 Mozilla. We need to find a less invasive way of isolating the OCSP cache
 and requests.

 I think the OCSP patch may be less invasive than it looks. While a lot of
 files are involved, most of the changes are minimal, and involve simply
 adding an "isolationKey" parameter to an internal API call. The only
 potentially breaking change to an outward-facing API is in
 nsISocketProvider.idl. But this API is native-only, so it is unlikely to
 interfere with extensions.

 I've been trying to find ways to make this patch smaller, and I'm open to
 suggestions, but given the existing code path from new HTTPS connection to
 OCSP request, I haven't succeeded in finding a good way to shorten it.
 (Mozilla did accept another patch from us which changes substantially more
 lines of code: https://hg.mozilla.org/mozilla-central/rev/04c452764339)

 In case it's useful to understanding this patch, the code path of the
 isolation key string is as follows:
 * The browser is making an original HTTPS request using an nsHttpChannel.
 `nsHttpChannel::BeginConnect()` calls `GetFirstPartyIsolationURI` and
 passes it to the `nsHttpConnectionInfo` constructor
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 70a990c1d10c050c5fcc69b226c33c5eR4583 (1)].
 * Soon, `nsHalfOpenSocket::SetupStreams`, called by
 `HttpConnectionManager`, gets the isolation key using
 `nsHttpConnectionInfo->GetIsolationKey()` and passes it to a new
 `nsSocketTransport` instance [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 53ed112a31e979194c9a11e9bc2f2360R2921 (2)].
 * `nsSocketTransport::BuildSocket` passes it to
 `nsISocketProvider::NewSocket` and `nsISocketProvider::AddToSocket`
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 9a8b8fc5f459e75178b24a914f566fe1R1084 (3)].
 * The three implementations of these latter two methods in turn pass the
 isolationKey to `nsSSLIOLayerNewSocket` and `nsSSLIOLayerAddToSocket`
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 1f8efd3d29ccd85c52e1dce6a10f889fR1610 (4)], which in turn assign the
 isolationKey to a new `TransportSecurityInfo`instance
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 1f8efd3d29ccd85c52e1dce6a10f889fR2398 (5)].
 * The socket now needs to be verified: `SSLServerCertVerificationJob
 AuthCertificate` is called, gets the isolationKey from the
 `TransportSecurityInfo` instance [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 68c147cbaf390182ee5056f93abbfb13R976 (6)]. The isolationKey is then passed
 to `CertVerifier::VerifySSLServerCert` [https://github.com/arthuredelstein
 /tor-browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 9548a147d99cf934883fe1d7132942eeR973 (7)], to `CertVerifier::VerifyCert`
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 9548a147d99cf934883fe1d7132942eeR999 (8)], and then to
 `CertVerifier::MozillaPKIXVerifyCert` [https://github.com/arthuredelstein
 /tor-browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 9548a147d99cf934883fe1d7132942eeR617 (9)], the last of which instantiates
 an `NSSCertDBTrustDomain` containing the isolation key
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 8f6b762fc8edcdb46bc9686e9c66f9afR53 (10)].
 * When `NSSCertDBTrustDomain::CheckRevocation` is called, it passes the
 isolationKey to `OCSPCache::Get`, `OCSPCache::Put` and
 `OCSPRequestor::DoOCSPRequest()` [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 8f6b762fc8edcdb46bc9686e9c66f9af (11)].

 Up to this point, all code has simply been passing the isolationKey down
 from the original http channel to the OCSP code.

 * Now `OCSPCache.Get()` and `OCSPCache.Put()` call
 `OCSPCache::CertIDHash`, which uses the isolationKey in its generation of
 the hash. [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 5414a4fc321178b6cec876a71b92459dR52 (12)].
 * The `DoOCSPRequest` call stores the isolation key in new
 `nsNSSHttpRequestSession` instance (in a `createFcn` call).
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 b1f5a7b403bbc8fd08dc522d09b61b58R36 (13)]
 * The `nsNSSHttpRequestSession` instance creates a new
 nsHttpDownloadEvent, which uses the nsNSSHttpRequestSession's isolation
 key to set the document URI for a new `nsHttpChannel` for the OCSP request
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 6f45031d8280c2357ad3baa0500fa764R101 (14)]. The channel's document URI set
 to ensure that when GetFirstPartyIsolationURI is later on the channel by
 torbutton's domain isolator, the same first party URI will be returned as
 that for the original HTTPS channel [https://github.com/arthuredelstein
 /tor-browser/commit/29d9ee9013a67f82e132539744e518d1daafebfb#diff-
 e4a227365743cbeb42b62b823cd8f3edR179 (16)].

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13670#comment:33>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation
Next by Author: Re: [tor-bugs] #14429 [Tor Browser]: Automated rounding of content window dimensions
Previous by thread: Re: [tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation
Next by thread: [tor-bugs] #15441 [Tor Browser]: Patch "TB1" is obsolete
Index(es):
- Author
- Thread