TBA - Notify user about possible proxy-bypass before opening external app
igt0 and I already discussed this, but I don't see a ticket for this. Torbutton currently does this when the user asks Tor Browser to open a file. I doubt we can continue relying on Ci.nsIHelperAppWarningDialog for this, so we'll likely need another method for catching this action.
I'm putting this into torbutton's component category for now, because that is where we catch this situation on desktop, but we may need to implement something directly within fennec, on mobile.
Activity
Trac:
Parent: N/A to #24855 (moved)
We have
tbb-paritynow, unparenting.Trac:
Parent: #24855 (moved) to N/A
In mobile/android/base/java/org/mozilla/gecko/notifications/NotificationHelper.java, we might be able to intercept that intent launcher.
I also think that this should be tagged as tbb-proxy-bypass, because if you look at that code, it appears that external apps can be launched without any interaction. That is equivalent to TBA itself leaking, IMO. There is literally nothing the user can do to stop a malicious website from exploiting that.
Trac:
Keywords: N/A deleted, tbb-proxy-bypass added-
We have a patch for review over in #31144 (moved): https://gitweb.torproject.org/user/sysrqb/tor-browser.git/commit/?h=bug31144_01&id=91214ed8db2e5f2df22d6745ce4ce223c49fa756
Trac:
Keywords: TorBrowserTeam201904 deleted, TorBrowserTeam201910R added
Status: new to needs_review -
Looks good to me. I've applied the patch to
tor-browser-68.2.0esr-9.5-1(commit 6dc05e67cdbbb0a74f2c24387a3ea7443e08b57c).Two things I am unsure about: 1)
* launches a file during private browsing. The dialog appears to notify the user that a clicked * link will open in an external application, potentially leaking their browsing history. */That's not the same as explaining possible proxy bypass/anonymity losses. We spent quite some time trying to get the message right for desktop. Do we want to do that as well in this case?
- Are we confident we have caught all possible issues here? There seems to be a variety of potentially problematic code paths.
Trac:
Keywords: TorBrowserTeam201910R deleted, TorBrowserTeam201910 added
Status: needs_review to needs_information Replying to gk:
Looks good to me. I've applied the patch to
tor-browser-68.2.0esr-9.5-1(commit 6dc05e67cdbbb0a74f2c24387a3ea7443e08b57c).Two things I am unsure about: 1) {{{
- launches a file during private browsing. The dialog appears to notify the user that a clicked
- link will open in an external application, potentially leaking their browsing history. */ }}} That's not the same as explaining possible proxy bypass/anonymity losses. We spent quite some time trying to get the message right for desktop. Do we want to do that as well in this case?
On Desktop, our English text is "Some types of files can cause applications to connect to the Internet without using Tor." and "To be safe, you should only open downloaded files while offline, or use a Tor Live CD such as Tails.".
On Android, it says: "This link will open in &formatS;. Are you sure you want to exit Private Browsing?" where
&formatS;is replaced with the target app name. I think using a message like the one on desktop is a better idea.I'm adding Anto. We should think about how we should phrase this.
- Are we confident we have caught all possible issues here? There seems to be a variety of potentially problematic code paths.
I think this deserves another round of auditing. I don't know.
Trac:
Cc: igt0, gk to igt0, gk, antonela