commit ebda2c3a53bde9f21af0f7296abfe16a1cc12516 Author: David Fifield <david@bamsoftware.com> Date: Mon Jun 9 09:55:06 2014 -0700 Comment #12146 caveat of Firefox helper. People could get burned if they use an HTTP proxy with an unpatched Firefox. ("Burned" in the same sense as if they made a plain Tor connection--the censor knows they're using Tor and are trying to circumvent.) I'm not putting this fact into user-visible documentation because it will affect few users, and be taken care of by a future Firefox release. Those using the Browser Bundle are already covered. Only those attempting to set up their own Firefox helper or BYOB setup will need to know it. --- firefox/components/main.js | 8 ++++++++ meek-client/meek-client.go | 9 +++++++++ 2 files changed, 17 insertions(+) diff --git a/firefox/components/main.js b/firefox/components/main.js index 4de9532..a84b2d7 100644 --- a/firefox/components/main.js +++ b/firefox/components/main.js @@ -146,6 +146,14 @@ MeekHTTPHelper.buildProxyInfo = function(spec) { // "direct"; i.e., no proxy. This is the default. return MeekHTTPHelper.proxyProtocolService.newProxyInfo("direct", "", 0, flags, 0xffffffff, null); } else if (spec.type === "http") { + // "http" proxy. Versions of Firefox before 32, and Tor Browser before + // 3.6.2, leak the covert Host header in HTTP proxy CONNECT requests. + // Using an HTTP proxy cannot provide effective obfuscation without such + // a patched Firefox. + // https://trac.torproject.org/projects/tor/ticket/12146 + // https://gitweb.torproject.org/tor-browser.git/commitdiff/e08b91c78d919f66dd5... + // https://bugzilla.mozilla.org/show_bug.cgi?id=1017769 + // https://hg.mozilla.org/mozilla-central/rev/a1f6458800d4 return MeekHTTPHelper.proxyProtocolService.newProxyInfo("http", spec.host, spec.port, flags, 0xffffffff, null); } else if (spec.type === "socks5") { // "socks5" is tor's name. "socks" is XPCOM's name. diff --git a/meek-client/meek-client.go b/meek-client/meek-client.go index 441348d..ff1ab04 100644 --- a/meek-client/meek-client.go +++ b/meek-client/meek-client.go @@ -351,6 +351,15 @@ func checkProxyURL(u *url.URL) error { } else { // With the helper we can use HTTP and SOCKS (because it is the // browser that does the proxying, not us). + // For the HTTP proxy with the Firefox helper: versions of + // Firefox before 32 , and Tor Browser before 3.6.2, leak the + // covert Host header in HTTP proxy CONNECT requests. Using an + // HTTP proxy cannot provide effective obfuscation without such + // a patched Firefox. + // https://trac.torproject.org/projects/tor/ticket/12146 + // https://gitweb.torproject.org/tor-browser.git/commitdiff/e08b91c78d919f66dd5... + // https://bugzilla.mozilla.org/show_bug.cgi?id=1017769 + // https://hg.mozilla.org/mozilla-central/rev/a1f6458800d4 switch options.ProxyURL.Scheme { case "http", "socks5", "socks4a": default: