[tbb-bugs] #14389 [Core Tor/Tor]: little-t-tor: Provide support for better TBB UI of hidden service client authorization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 25 20:28:46 UTC 2019
#14389: little-t-tor: Provide support for better TBB UI of hidden service client
authorization
-------------------------------------------------+-------------------------
Reporter: asn | Owner: tbb-
| team
Type: defect | Status:
| needs_revision
Priority: Medium | Milestone: Tor:
| 0.4.2.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: tor-hs, tbb-usability, ux-team, hs- | Actual Points:
auth |
Parent ID: #30000 | Points: 14-24
Reviewer: | Sponsor:
| Sponsor27-must
-------------------------------------------------+-------------------------
Comment (by mcs):
Replying to [comment:44 asn]:
> So, I guess the plan here is to use HTTP CONNECT for this, and define a
new error code for HTTP CONNECT that says that a destination needs client
auth. I guess we would need a proposal for that. Who wants to write this?
To me, the answer is "someone who can also take into account the other
error scenarios that we will need to address later, e.g., invalid onion
address and other onion-service related errors." Kathy and I don't think
we know enough to write a proposal.
On a related note, we have been experimenting with HTTP CONNECT inside tor
and Tor Browser over the past couple of days to determine if it is
workable from the browser side. We won't have time to work on this
tomorrow (Friday), so I am going to dump some notes here:
* If Torbutton is enabled, it does not work to use tor as an HTTP proxy.
Disabling Torbutton's domain isolation code allows it to work; more
investigation is needed.
* When HTTP and SSL proxies are configured, the Firefox code only uses
HTTP CONNECT for https requests. This probably matches traditional HTTP
proxy expectations, but it is not the behavior we need.
* To fix the above problem, we hacked Tor Browser to always include
`nsIProtocolProxyService::RESOLVE_ALWAYS_TUNNEL` in the proxy flags when
creating an HTTP channel. This change causes clear text http traffic to
also use HTTP CONNECT and therefore to be correctly routed through Tor.
* WebSockets traffic seems to go through the proxy as well (ws:// and
wss://).
* We are not sure what to do about other traffic, e.g., FTP. Our guess is
that due to the architecture of the Firefox networking stack, HTTP CONNECT
is only available for HTTP traffic. It might be difficult to ensure that
no proxy bypass possibilities are introduced if we switch to HTTP CONNECT.
* We would need to modify the browser code to add an `X-Tor-Stream-
Isolation header`.
* Does the `KeepAliveIsolateSOCKSAuth` isolation flag apply to
`HTTPTunnelPort` listeners?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14389#comment:45>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list