[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #25737 [Applications/Tor Browser]: Tor Browser's update check bypassed Tor once on macos, because of xpcproxy?

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #25737 [Applications/Tor Browser]: Tor Browser's update check bypassed Tor once on macos, because of xpcproxy?
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 11 Apr 2018 16:03:50 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 11 Apr 2018 12:04:14 -0400
In-reply-to: <051.a81a815b3e13c48730956f85e7c5439d@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.a81a815b3e13c48730956f85e7c5439d@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#25737: Tor Browser's update check bypassed Tor once on macos, because of xpcproxy?
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-proxy-bypass          |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 I'm the OP, someone else is using the cypherpunks account: such as in 1,
 6, 8, 13 and 15. Just to clarify.

 > Yet another reason for using Tails/Subgraph/Whonix.

 Unfortunately we need to work with Macs, using a separate workstation for
 browsing is too uncomfortable. We tried these days and it didn't worked
 out well. But Tor is part of our security posture, in the past we have
 been targeted and suffered a number of minor data breaches.

 > Logs and cache of what? The application firewall?

 The logs and cache of the dns resolver. Which means the process did a DNS
 lookup on that name, around that time.

 We are sure no outgoing connection has ever been made, because the
 firewall and the transparent proxy never logged any attempted bypass. I
 called it an isolating proxy because it inspects the traffic and blocks
 everything, except done for the connections to Apple, the bridge and our
 own IPs, redirecting each kind of traffic on a different route.

 > Oh, another thing that might be interesting the next time is seeing the
 process hierarchy by clicking on the respective LuLu icon on the alert
 window.

 Did this: `launchd` -> `/usr/libexec/xpcproxy`. But I can not remember
 anything more specific than this now.

 > At some point in the past, the default browser proxy preferences were
 modified.

 No preferences were modified: after the bundle installation, I inserted
 the bridge, closed the browser, opened ~/Library/Application Support
 /TorBrowser-Data/Tor/torrc and added `UseBridges 1`. Only usual browsing
 activity from thereon.

 > I'm not sure I have anything to suggest besides using
 dtrace/lldb/something to capture the full stacktrace from XPCproxy when it
 makes the DNS lookup.

 > So instructing the user to run "ps -ef|grep xpcproxy" might give us the
 arguments to xpcproxy at the time. Since it's basically a launcher, we
 want to know what it's launching that is doing the https requests.

 Will do it if it happens again.

 > If you're using LittleSnitch as your application firewall, it sometimes
 logs connections against the wrong process.

 Denying the outgoing connection blocked the progress of the launcher and
 the browser window never popped up. So, I find this unlikely. But maybe
 I'm missing something here?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25737#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #25737 [Applications/Tor Browser]: Tor Browser Bundle IP Leak
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #25645 [Core Tor/Tor]: n_possible variable goes unused in channel_get_for_extend()
Next by Author: Re: [tor-bugs] #25765 [Applications/Tor Browser]: TBA - Communicating security expectations for .onion: what to say about different padlock states for .onion services
Previous by thread: Re: [tor-bugs] #25737 [Applications/Tor Browser]: Tor Browser's update check bypassed Tor once on macos, because of xpcproxy?
Next by thread: [tor-bugs] #25738 [- Select a component]: I'm waiting best fan thala dhoni and ilayathalapathy vijay
Index(es):
- Author
- Thread