45 seconds ago I just learned about the environment variable MOZ_DISABLE_NONLOCAL_CONNECTIONS that we use in our testing environment. It feeds through to one real location in the browser: nsSocketTransport2 https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08...
This isn't a sandbox. If an attacker has code execution (parent or content process) they can make network connections manually from system libraries and will never touch this code. But it might be a way to add (some) assurance about browser features accidentally bypassing the proxy.
So I'm wondering if this is something Tor Browser can set for defense in depth. In fact, it's already in esr52: https://dxr.mozilla.org/mozilla-esr52/search?q=AreNonLocalConnectionsDisable... I tried to get Tor Browser to unset the proxy but couldn't seem to get it to work; is there a patch that prevents this?
It would be interesting to remove the patches tagged 'tbb-proxy-bypass' (on https://torpat.ch/uplift) and see if this prevented (some) of those.
-tom
On Thu, 15 Mar 2018, Tom Ritter wrote:
45 seconds ago I just learned about the environment variable MOZ_DISABLE_NONLOCAL_CONNECTIONS that we use in our testing environment. It feeds through to one real location in the browser: nsSocketTransport2 https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08...
This isn't a sandbox. If an attacker has code execution (parent or content process) they can make network connections manually from system libraries and will never touch this code. But it might be a way to add (some) assurance about browser features accidentally bypassing the proxy.
So I'm wondering if this is something Tor Browser can set for defense in depth. In fact, it's already in esr52: https://dxr.mozilla.org/mozilla-esr52/search?q=AreNonLocalConnectionsDisable... I tried to get Tor Browser to unset the proxy but couldn't seem to get it to work; is there a patch that prevents this?
Even if it doesn't add a lot of protection, it doesn't cost a lot to enable it, so it sounds like a good idea.
I mentioned in IRC today that the Mac Sandbox in 60 at least (but possibly also in 52!!) blocks network access.
I got added to https://bugzilla.mozilla.org/show_bug.cgi?id=1281296 today, which talks about Linux, and is promising!
And finally there's Windows, which is blocked by https://bugzilla.mozilla.org/show_bug.cgi?id=1432303 at least (possibly some others.)
-tom
On 15 March 2018 at 17:04, Nicolas Vigier boklm@mars-attacks.org wrote:
On Thu, 15 Mar 2018, Tom Ritter wrote:
45 seconds ago I just learned about the environment variable MOZ_DISABLE_NONLOCAL_CONNECTIONS that we use in our testing environment. It feeds through to one real location in the browser: nsSocketTransport2 https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08...
This isn't a sandbox. If an attacker has code execution (parent or content process) they can make network connections manually from system libraries and will never touch this code. But it might be a way to add (some) assurance about browser features accidentally bypassing the proxy.
So I'm wondering if this is something Tor Browser can set for defense in depth. In fact, it's already in esr52: https://dxr.mozilla.org/mozilla-esr52/search?q=AreNonLocalConnectionsDisable... I tried to get Tor Browser to unset the proxy but couldn't seem to get it to work; is there a patch that prevents this?
Even if it doesn't add a lot of protection, it doesn't cost a lot to enable it, so it sounds like a good idea.
tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
Tom Ritter:
45 seconds ago I just learned about the environment variable MOZ_DISABLE_NONLOCAL_CONNECTIONS that we use in our testing environment. It feeds through to one real location in the browser: nsSocketTransport2 https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08...
This isn't a sandbox. If an attacker has code execution (parent or content process) they can make network connections manually from system libraries and will never touch this code. But it might be a way to add (some) assurance about browser features accidentally bypassing the proxy.
So I'm wondering if this is something Tor Browser can set for defense in depth. In fact, it's already in esr52: https://dxr.mozilla.org/mozilla-esr52/search?q=AreNonLocalConnectionsDisable... I tried to get Tor Browser to unset the proxy but couldn't seem to get it to work; is there a patch that prevents this?
Not really. Or, sort of. I can use a Tor Browser without a proxy if I
1) Unset the proxy on the network pane on about:preferences#advanced and choose a direct connection
2) Disable Torbutton and Tor Launcher
3) Flip `network.proxy.socks_remote_dns` to `false` (You might have overlooked that one and, yes, we have that enforces a proxy if that pref is set to `true`)
It would be interesting to remove the patches tagged 'tbb-proxy-bypass' (on https://torpat.ch/uplift) and see if this prevented (some) of those.
Indeed! I've created a ticket for considering MOZ_DISABLE_NONLOCAL_CONNECTIONS (#25622). It could contain an analysis about which of those proxy bypasses would be prevented by that setting. And we can think about whether we want to have it set for Tor Browser 8 (or even earlier?).
Georg
-tom _______________________________________________ tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev