commit ebda2c3a53bde9f21af0f7296abfe16a1cc12516 Author: David Fifield david@bamsoftware.com Date: Mon Jun 9 09:55:06 2014 -0700
Comment #12146 caveat of Firefox helper.
People could get burned if they use an HTTP proxy with an unpatched Firefox. ("Burned" in the same sense as if they made a plain Tor connection--the censor knows they're using Tor and are trying to circumvent.)
I'm not putting this fact into user-visible documentation because it will affect few users, and be taken care of by a future Firefox release. Those using the Browser Bundle are already covered. Only those attempting to set up their own Firefox helper or BYOB setup will need to know it.
---
 firefox/components/main.js | 8 ++++++++
 meek-client/meek-client.go | 9 +++++++++
 2 files changed, 17 insertions(+)
diff --git a/firefox/components/main.js b/firefox/components/main.js
index 4de9532..a84b2d7 100644
--- a/firefox/components/main.js
+++ b/firefox/components/main.js
@@ -146,6 +146,14 @@ MeekHTTPHelper.buildProxyInfo = function(spec) {
 // "direct"; i.e., no proxy. This is the default.
 return MeekHTTPHelper.proxyProtocolService.newProxyInfo("direct", "", 0, flags, 0xffffffff, null);
 } else if (spec.type === "http") {
+ // "http" proxy. Versions of Firefox before 32, and Tor Browser before
+ // 3.6.2, leak the covert Host header in HTTP proxy CONNECT requests.
+ // Using an HTTP proxy cannot provide effective obfuscation without such
+ // a patched Firefox.
+ // https://trac.torproject.org/projects/tor/ticket/12146
+ // https://gitweb.torproject.org/tor-browser.git/commitdiff/e08b91c78d919f66dd5...
+ // https://bugzilla.mozilla.org/show_bug.cgi?id=1017769
+ // https://hg.mozilla.org/mozilla-central/rev/a1f6458800d4
 return MeekHTTPHelper.proxyProtocolService.newProxyInfo("http", spec.host, spec.port, flags, 0xffffffff, null);
 } else if (spec.type === "socks5") {
 // "socks5" is tor's name. "socks" is XPCOM's name.
diff --git a/meek-client/meek-client.go b/meek-client/meek-client.go
index 441348d..ff1ab04 100644
--- a/meek-client/meek-client.go
+++ b/meek-client/meek-client.go
@@ -351,6 +351,15 @@ func checkProxyURL(u *url.URL) error {
 } else {
 // With the helper we can use HTTP and SOCKS (because it is the
 // browser that does the proxying, not us).
+ // For the HTTP proxy with the Firefox helper: versions of
+ // Firefox before 32 , and Tor Browser before 3.6.2, leak the
+ // covert Host header in HTTP proxy CONNECT requests. Using an
+ // HTTP proxy cannot provide effective obfuscation without such
+ // a patched Firefox.
+ // https://trac.torproject.org/projects/tor/ticket/12146
+ // https://gitweb.torproject.org/tor-browser.git/commitdiff/e08b91c78d919f66dd5...
+ // https://bugzilla.mozilla.org/show_bug.cgi?id=1017769
+ // https://hg.mozilla.org/mozilla-central/rev/a1f6458800d4
 switch options.ProxyURL.Scheme {
 case "http", "socks5", "socks4a":
 default:
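Review bot: The `case "http", "socks5", "socks4a":` arm at the end of this hunk appears to accept an `http` proxy with no runtime signal, so the caveat lives only in a source comment and someone configuring their own Firefox helper will not see it. Since the description deliberately keeps it out of user documentation, a log line at validation time would surface it cheaply: split out `case "http":` and emit something like `log.Printf("warning: an HTTP proxy with the helper leaks the covert Host header in CONNECT requests unless Firefox >= 32 or Tor Browser >= 3.6.2 (#12146)")`, assuming this file already logs through `log`. The gitweb link ends in `...` here and in the main.js hunk; if that is how it reads in the file rather than an artifact of this rendering, write out the full commit id so the reference stays resolvable. There is also a stray space in `Firefox before 32 ,`. checkProxyURL begins and ends outside the hunk, so the handling after `default:` is not visible.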
tor-commits@lists.torproject.org