[tor-bugs] #13670 [Tor Browser]: ensure OCSP & favicons respect URL bar domain isolation

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Mar 30 18:08:13 UTC 2015


#13670: ensure OCSP & favicons respect URL bar domain isolation
---------------------------------+---------------------------------------
     Reporter:  arthuredelstein  |      Owner:  arthuredelstein
         Type:  defect           |     Status:  needs_revision
     Priority:  major            |  Milestone:
    Component:  Tor Browser      |    Version:
   Resolution:                   |   Keywords:  tbb-linkability, ff38-esr
Actual Points:                   |  Parent ID:
       Points:                   |
---------------------------------+---------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:28 mikeperry]:

 > I also feel that the OCSP cache isolation is too invasive - it touches
 too many pieces of the code. This patch seems very unlikely to be taken by
 Mozilla. We need to find a less invasive way of isolating the OCSP cache
 and requests.

 I think the OCSP patch may be less invasive than it looks. While a lot of
 files are involved, most of the changes are minimal, and involve simply
 adding an "isolationKey" parameter to an internal API call. The only
 potentially breaking change to an outward-facing API is in
 nsISocketProvider.idl. But this API is native-only, so it is unlikely to
 interfere with extensions.

 I've been trying to find ways to make this patch smaller, and I'm open to
 suggestions, but given the existing code path from new HTTPS connection to
 OCSP request, I haven't succeeded in finding a good way to shorten it.
 (Mozilla did accept another patch from us which changes substantially more
 lines of code: https://hg.mozilla.org/mozilla-central/rev/04c452764339)

 In case it's useful to understanding this patch, the code path of the
 isolation key string is as follows:
 * The browser is making an original HTTPS request using an nsHttpChannel.
 `nsHttpChannel::BeginConnect()` calls `GetFirstPartyIsolationURI` and
 passes it to the `nsHttpConnectionInfo` constructor
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 70a990c1d10c050c5fcc69b226c33c5eR4583 (1)].
 * Soon, `nsHalfOpenSocket::SetupStreams`, called by
 `HttpConnectionManager`, gets the isolation key using
 `nsHttpConnectionInfo->GetIsolationKey()` and passes it to a new
 `nsSocketTransport` instance [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 53ed112a31e979194c9a11e9bc2f2360R2921 (2)].
 * `nsSocketTransport::BuildSocket` passes it to
 `nsISocketProvider::NewSocket` and `nsISocketProvider::AddToSocket`
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 9a8b8fc5f459e75178b24a914f566fe1R1084 (3)].
 * The three implementations of these latter two methods in turn pass the
 isolationKey to `nsSSLIOLayerNewSocket` and `nsSSLIOLayerAddToSocket`
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 1f8efd3d29ccd85c52e1dce6a10f889fR1610 (4)], which in turn assign the
 isolationKey to a new `TransportSecurityInfo`instance
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 1f8efd3d29ccd85c52e1dce6a10f889fR2398 (5)].
 * The socket now needs to be verified: `SSLServerCertVerificationJob
 AuthCertificate` is called, gets the isolationKey from the
 `TransportSecurityInfo` instance [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 68c147cbaf390182ee5056f93abbfb13R976 (6)]. The isolationKey is then passed
 to `CertVerifier::VerifySSLServerCert` [https://github.com/arthuredelstein
 /tor-browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 9548a147d99cf934883fe1d7132942eeR973 (7)], to `CertVerifier::VerifyCert`
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 9548a147d99cf934883fe1d7132942eeR999 (8)], and then to
 `CertVerifier::MozillaPKIXVerifyCert` [https://github.com/arthuredelstein
 /tor-browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 9548a147d99cf934883fe1d7132942eeR617 (9)], the last of which instantiates
 an `NSSCertDBTrustDomain` containing the isolation key
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 8f6b762fc8edcdb46bc9686e9c66f9afR53 (10)].
 * When `NSSCertDBTrustDomain::CheckRevocation` is called, it passes the
 isolationKey to `OCSPCache::Get`, `OCSPCache::Put` and
 `OCSPRequestor::DoOCSPRequest()` [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 8f6b762fc8edcdb46bc9686e9c66f9af (11)].

 Up to this point, all code has simply been passing the isolationKey down
 from the original http channel to the OCSP code.

 * Now `OCSPCache.Get()` and `OCSPCache.Put()` call
 `OCSPCache::CertIDHash`, which uses the isolationKey in its generation of
 the hash. [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 5414a4fc321178b6cec876a71b92459dR52 (12)].
 * The `DoOCSPRequest` call stores the isolation key in new
 `nsNSSHttpRequestSession` instance (in a `createFcn` call).
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 b1f5a7b403bbc8fd08dc522d09b61b58R36 (13)]
 * The `nsNSSHttpRequestSession` instance creates a new
 nsHttpDownloadEvent, which uses the nsNSSHttpRequestSession's isolation
 key to set the document URI for a new `nsHttpChannel` for the OCSP request
 [https://github.com/arthuredelstein/tor-
 browser/commit/781838c1a198df369eafcb4c763d597023eb1f03#diff-
 6f45031d8280c2357ad3baa0500fa764R101 (14)]. The channel's document URI set
 to ensure that when GetFirstPartyIsolationURI is later on the channel by
 torbutton's domain isolator, the same first party URI will be returned as
 that for the original HTTPS channel [https://github.com/arthuredelstein
 /tor-browser/commit/29d9ee9013a67f82e132539744e518d1daafebfb#diff-
 e4a227365743cbeb42b62b823cd8f3edR179 (16)].

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13670#comment:33>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list