[tor-bugs] #20195 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation. (was: torbutton-torCheckService doesn't honor domain isolation.)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 5 11:27:48 UTC 2016
#20195: HTTPS Everywhere's SSL Observatory code doesn't honor domain isolation.
-------------------------------------------------+-------------------------
Reporter: yawning | Owner: legind
Type: defect | Status:
| assigned
Priority: High | Milestone:
Component: HTTPS Everywhere/EFF-HTTPS | Version:
Everywhere |
Severity: Major | Resolution:
Keywords: tbb-linkability | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* severity: Normal => Major
* cc: gk (added)
* component: Applications/Tor Browser => HTTPS Everywhere/EFF-HTTPS
Everywhere
* priority: Medium => High
* owner: tbb-team => legind
* keywords: tbb-torbutton, tbb-linkability => tbb-linkability
Comment:
Replying to [comment:9 yawning]:
> Ah there. Looks like the domain isolation code is getting called, but
wireshark doesn't lie.
> FWIW, I took the pcaps without my sandboxing stuff in play, and the
behavior is consistent.
>
> {{{
> [09-22 08:31:02] Torbutton INFO: Component returned failure code:
0x80070057 (NS_ERROR_ILLEGAL_VALUE)
[mozIThirdPartyUtil.getFirstPartyURIFromChannel]
> [09-22 08:31:02] Torbutton INFO: tor SOCKS isolation catchall:
https://check.torproject.org/?TorButton=true#0.99726695529027310.5190771246311907
via --unknown--:0
> [09-22 08:31:02] Torbutton WARN: no SOCKS credentials found for current
document.
> }}}
Alright, so here is what is going on. First, do you see the weird float
number thing appended to the `#` in the `check.torproject.org` URL?
Torbutton does not do such things. It turns out this is part if the HTTPS-
Everywhere SSL Observatory code where it checks whether Tor is available
and to use (e.g. for submissions). As a sidenode: one does see the issue
in the Tor Browser log as well without pcaps. That request does not go
over the catch-all circuit but rather is put on one without any
username/password isolation at all.
So, even if the request comes from HTTPS-Everywhere why is it not isolated
like any other internal request? Looking at Necko logs shows that indeed
things are wrong, already at the nsHTTPConnectionManager level:
{{{
-957356288[7fd9e2dabb60]: nsHttpConnectionMgr::OnMsgSpeculativeConnect
[ci=.S....check.torproject.org:443 (socks:127.0.0.1:9150)[:]]
}}}
Before and after the colon in the brackets should be the respective
username and password.
Looking closer at the SSL Observatory code shows it is bypassing our proxy
filter respoonsible for domain isolation in case the CSRF nonce is found
in the path:
{{{
if (isSubmission || testingForTor) {
if (aURI.path.search(this.csrf_nonce+"$") != -1) {
this.log(INFO, "Got observatory url + nonce: "+aURI.spec);
var proxy_settings = null;
var proxy = null;
// Send it through tor by creating an nsIProxy instance
// for the torbutton proxy settings.
try {
proxy_settings = this.getProxySettings(testingForTor);
proxy = this.pps.newProxyInfo(
proxy_settings.type,
proxy_settings.host,
proxy_settings.port,
Ci.nsIProxyInfo.TRANSPARENT_PROXY_RESOLVES_HOST,
0xFFFFFFFF, null);
} catch(e) {
this.log(WARN, "Error specifying proxy for observatory: "+e);
}
this.log(INFO, "Specifying proxy: "+proxy);
// TODO: Use new identity or socks u/p to ensure we get a unique
// tor circuit for this request
return proxy;
}
}
}}}
FWIW: the reason you thought this was fixed in the alpha was due to HTTPS-
Everywhere 5.2.4 that was the latest version at that time. In that version
SSL Observatory code was broken due to #19996. This got fixed in 5.2.5
which makes this issue visible in the alphas again.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20195#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list