Custom Query (4632 matches)

Filters
 
Or
 
  
 
Columns

Show under each result:


Results (901 - 1000 of 4632)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ticket Summary Status Owner Type Priority Milestone
#12641 IStreamClientEndpointStringParser is Deprecated new hellais defect Medium
Description

I started Ooni on mlab1 and got the message:

/home/mlab_ooni/lib/python2.6/site-packages/Twisted-14.0.0-py2.6-linux-i686.egg/twisted/internet/endpoints.py:30: DeprecationWarning: twisted.internet.interfaces.IStreamClientEndpointStringParser was deprecated in Twisted 14.0.0: This interface has been superseded by IStreamClientEndpointStringParserWithReactor.

#12654 httpse-ruleset-bug: Parts of Criterion site broken by Cloudfront rule new zyan defect Medium
Description

http://www.criterion.com/hulu

The view all films, online only, featured, learn more, etc. javascript links do not work.

http://www.criterion.com/library/expanded_view?m=bluray&s=spine

The find films by sorting section on the left.

Confirmed cause being HTTPS Everywhere due to working once disabled.

Web console shows..

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://d2ffltj98nrzzh.cloudfront.net/assets/main-6ca94474d75016609b48ad8ea401cdbb.js. This can be fixed by moving the resource to the same domain or enabling CORS.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://d2ffltj98nrzzh.cloudfront.net/assets/hulu-c5c09a2b58d52b4b3d7b3d60c064c9a5.js. This can be fixed by moving the resource to the same domain or enabling CORS.

HTTPS-E 3.5.3

#12661 Some directory authorities reject IP ranges long after we ask them to stop reopened defect Medium
Description

What's going on here?


Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '193.23.244.244:80'. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '171.25.193.9:443'. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '194.109.206.212:80'. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '128.31.0.34:9131'. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '154.35.32.5:80'. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '76.73.17.194:9030'. Please correct. Jul 20 00:45:16.000 [warn] http status 400 ("Authdir is rejecting routers in this range.") response from dirserver '208.83.223.34:443'. Please correct.

#12663 Orbot, libevent and BSD sed ( includes patch ) new n8fr8 defect Low
Description

Compilation of Orbot stops at libevent if using BSD sed rather than GNU sed.

The error is :

sed -i 's@\(SUBDIRS = . include\) sample test@\1@' libevent/Makefile.am sed: 1: "libevent/Makefile.am": extra characters at the end of l command

I have traced the problem to Orbot's external/Makefile.

There is a difference between BSD and GNU sed with regards to the inplace -i flag, both accept an argument for a file extension to backup to, if no extension is provided no backup is made, however BSD sed requires an argument even if it is empty, whereas GNU sed ignores it.

The attached patch adds an extension rather than provide an empty argument, this *should* work with both GNU and BSD sed, though I haven't tried it with the former.

#12667 HTTPSEverywhere breaks TripAdvisor.com in Chrome for Mac new zyan defect Medium
Description

In order to use login or facebook connect buttons on TripAdvisor.com in Chrome for Mac, HTTPSEverywhere has to be disabled.

See others facing the same issue: ​http://www.tripadvisor.com/ShowTopic-g1-i12105-k7540056-Login_Homepage_Issues_On_Google_Chrome-TripAdvisor_Support.html#59004892

#12679 flashproxy programs don't allow intermixed positional and optional arguments new dcf defect Low
Description

Since #9975 (merge of argparse), it's an error if you put an optional argument between positional arguments.

works:        flashproxy-client --external :0 :0
works:        flashproxy-client :0 :0 --external
doesn't work: flashproxy-client :0 --external :0

The error you get is:

$ ./flashproxy-client :0 --external :0 
usage: flashproxy-client --register [OPTIONS] [LOCAL][:PORT] [REMOTE][:PORT]
flashproxy-client: error: unrecognized arguments: :0

How it used to look is:

$ ./flashproxy-client :0 --external :0 
2014-07-22 09:10:54 Listening remote on 0.0.0.0:43803.
2014-07-22 09:10:54 Listening remote on [::]:45211.
2014-07-22 09:10:54 Listening local on 127.0.0.1:60759.
2014-07-22 09:10:54 Listening local on [::1]:33344.

I'm calling it minor because probably most people don't try to do this.

The analogous ticket for fog is #10004.

#12681 New video for setting up a relay on Windows new defect Medium
Description

Our video for setting up a relay on Windows is way out of date. I'm referring to the one at https://www.torproject.org/docs/tor-doc-windows.html.en. It sounds like arma would like a new replacement for this video (rather than not replacing after it is removed it). The new video should probably teach users how to set up a relay without using the Vidalia bundles.

#12683 Permissions in nsIPermissionManager aren't cleared with TorButton's "New Identity" new tbb-team defect High
Description

When TorButton's "New Identity" button is pressed, the permissions stored with nsIPermissionManager aren't cleared, even though nsIPermissionManager.removeAll() is called. From torbutton_do_new_identity() in src/chrome/content/torbutton.js:

  torbutton_log(3, "New Identity: Clearing permissions");
                       
  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
  pm.removeAll();                    

  torbutton_log(3, "New Identity: Sending NEWNYM");

There's a ton of info stored in this thing, including how many time the site has been visited, if popups are allowed, if a site can access offline storage, etc. For me, several dozen sites are listed after clicking "New Identity". It seems to have been keeping these permissions for quite a while, as some of my sites are reported to have hundreds of visits. To reproduce, do some stuff in TorBrowser for a while, then click "TorButton > New Identity", then navigate to about:permissions.

#12686 deep web research new defect Medium
#12702 Opera now has mixed content blocking. needs_review zyan defect High
Description

Starting with 23.0, Opera now blocks unencrypted content on encrypted pages, allowing to unblock for the current page and session only.

Platform=mixedcontent should be disabled for Opera. And maybe we could upgrade bug #6975, since all platforms supported by HTTPS-E now have mixed content blocking.

#12703 Fonts problem on the machines used for tor browser testing new boklm defect Medium
Description

Lunar noticed that the screenshots of the fa version of the tor browser look pretty bad: https://people.torproject.org/~boklm/tbbtests/r/3.6.3-5242b-Fedora20-x86_64/results-tor-browser-linux64-3.6.3_fa.tar.xz/screenshots-1.png

I don't have this problem when running the fa tor browser on my computer, so it seems to be a font problem on the machine used for the tests.

#12714 Akamai rule prevents voting on Steam Greenlight new zyan defect Medium
Description

When the Akamai rule is enabled, attempting to vote on Steam Greenlight causes a loading symbol to briefly appear then disappear, without registering the vote. When disabled, voting works normally.

#12716 Make meek-client-torbrowser take the firefox command as a parameter needs_revision dcf defect Low
Description

meek-client-torbrowser hardcodes the firefox binary and profile paths: linux mac windows. The problem is that when Tor Browser is reorganized, as it was in #11641, you need to make the corresponding change in meek-client-torbrowser, for example 178572f5.

meek-client-torbrowser already takes the full meek-client command on the command line; it looks like:

ClientTransportPlugin meek exec ./TorBrowser/Tor/PluggableTransports/meek-client-torbrowser -- ./TorBrowser/Tor/PluggableTransports/meek-client --url=https://meek-reflect.appspot.com/ --front=www.google.com

I don't know of a good clear way to encode two separate command lines into the command line of another program, except maybe to do them both as long strings and then parse the strings before calling exec.

#12717 HTTPS Everywhere Chrome Extension Crashes Silverlight new zyan defect Medium
Description

I recently tried to play some Amazon Video (Prime) on my Windows Vista 64-bit Desktop, running the most current version of Chrome. Each and every time, it crashed Silverlight, the engine that Amazon uses to play the video. It took a fair amount of troubleshooting to discover that it is the HTTPS Everywhere extension that is the cause of this crash. No matter what I did, as long as HTTPS Everywhere was enabled, Silverlight would crash. Whenever I disabled it, Silverlight worked fine, and the Video played. I hope this can be fixed, or some type of work-around suggested. Version shows as 2014.6.26.

#12733 View the Tor log file as it updates from within the Tor Browser new tbb-team defect Medium
Description

A user who wants to copy the current log, without knowing what it looks like, can do so by clicking on the onion-icon next to the address bar, selecting "Open Network Settings" and "Copy Tor Log To Clipboard". It would be great if there was a way to see the Tor log file - as it updates - from within the Tor Browser.

#12736 DLL hijacking vulnerability in TBB new tbb-team defect High
Description

The current version of TBB is vulnerable to DLL hijacking. Vanilla Firefox is NOT vulnerable. Steps to reproduce: 1) Create a malicious dll (source code for example is added) 2) Rename the malicious dll to ".DLL" using the commandline tool ren.exe, because windows explorer prohibits such names 3) Place ".DLL" into a folder listed in the %PATH% environment variable 4) Start DbgView.exe (a tool from microsoft) to get text outputs from the dll 5) Start Tor Browser Bundle

You will now see something similiar to: HIJACKDLL (C:\...\.DLL) Started from: C:\...\TorBrowser\Browser\firefox.exe as user Admin

This bug will probably be also triggered when TBB is registered as a default file handler and the malicious dll is in the same folder as the file opened by TBB. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx for more information about DLL load order. But I haven't confirmed it yet, because I don't know in which cases the TBB could be opened as a default file handler.Carpet Bombing might also be possible. http://www.dhanjani.com/blog/2008/05/safari-carpet-b.html

Possible attack scenario would be an attacker who shares an url link file in a folder along with a hidden ".DLL" and the victims opens the url link file with TBB. Native code execution can then be used to unmask the user.

".DLL" smells like sprintf(DLLToLoad, "%s.DLL", EmptyDLLString)

Tested on: Win7x64 Tor Browser 3.6.3-Windows

#12754 Problems with <video> tags when HTTPS everywhere is enabled new zyan defect Medium
Description

I discovered that with this extension enabled, I cannot play the videos, for example here: http://www.google.com/design/spec/animation/authentic-motion.html#authentic-motion-mass-weight

When it's disabled - everything works fine.

#12762 Orbot 14.0.5 causes LED to flash while it is running new n8fr8 defect Medium
Description

Samsung Galaxy S4 / Cyanogenmod 11 M8 Orbot 14.0.5.

Problem: After upgrading to the latest version of Orbot (14.0.5) any time the screen goes to sleep and Orbot is running, the LED on the phone will flash. This draws attention to the phone due to the brightness of LED. Previous versions of Orbot did not display this behavior

Reproduce:

  • Install Orbot
  • Run Orbot
  • Let screen go to sleep or manually put it to sleep
  • LED starts to flash
  • Wake screen and unlock, LED stops flashing

Expected outocme:

  • With orbot running if screen goes to sleep, LED should not flash
#12765 Tor fails on rooted GS4 running 4.4.2 new n8fr8 defect Medium
Description

Orbot is starting… tor: PRE: Is binary exec? true polipo: PRE: Is binary exec? true obfsclient: PRE: Is binary exec? true xtables: PRE: Is binary exec? true updating torrc custom configuration... success. Orbot is starting… Control Port config file does not yet exist (waiting for tor): /data/data/org.torproject.android/app_bin/control.txt waiting... Control Port config file does not yet exist (waiting for tor): /data/data/org.torproject.android/app_bin/control.txt waiting... Control Port config file does not yet exist (waiting for tor): /data/data/org.torproject.android/app_bin/control.txt Connecting to control port: 9051 Error connecting to Tor local control port: failed to connect to /127.0.0.1 (port 9051): connect failed: ECONNREFUSED (Connection refused) waiting... Couldn't start Tor process:; exit=0: Tor exit code: 0 Couldn't start Tor process:

#12774 "Firefox is already running" when you select meek after bootstrapping new dcf defect Medium
Description
  1. Let Tor Browser bootstrap without any pluggable transports.
  2. Open Network Settings and choose meek.

An alert appears:

Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system.

After that you can't browse. But closing the browser and allowing it to bootstrap from scratch again (with meek) works.

Tested on 3.6.3-meek-1 and on a build of the 4.0-alpha-1 branch.

#12799 fingerprints - descriptor Space removal, case normalization new defect Very Low Tor: unspecified
Description

cached-descriptors... fingerprint 50E9 30FB 6141 E9A7 DAD4 968E 58DE AA1B 06CF 4908 Remove the spaces from the fingerprints.

This isn't OpenPGP, no one goes around reading them off to people. You have to click-hold-carefully-drag to select the whole FP instead of a simple double-click. You have to postprocess strip them to make any use of them anywhere, including everywhere else in Tor... torctl, configs, etc. Nowhere else does Tor present/accept any fingerprints with spaces. And they currently waste about 60kB per descriptor set X all the nodes X frequency. The spaces have no substantive use whatsoever and are very annoying! Please remove them.

With that, normalize all displayed/coded fingerprints everywhere in Tor to be either upper or lower case... regardless of whether either/mixed case are supported/enforced as input. Lower case is suggested for better readability (ie: A4B8D0 vs. a4b8d0) and commonality with outputs of various hash programs.

#12800 citrix rule fail new zyan defect Medium
Description

This link redirects as follows http://cts.vresp.com/c/?DealertrackTechnolog/af0d656f23/efe2b86f85/898264f7b4 302 Redirect http://www1.gotomeeting.com/register/811683745 302 Redirect https://www1.gotomeeting.com/register/811683745

With the Citrix(partial) rule enabled, it fails with https://www1.gomeeting.com/register/811683745 in the url.

reproduced with chrome 37.0.2062.58 beta-m with extension dated 2014.06.26 and with firefox for android 3.5android.0

#12801 documentation and guidelines for hosting flashproxy js new dcf defect Medium
Description

If we want more people to host flashproxy.js on their website, we should give clearer guidelines about informing their visitors what the consequences are. Here are some issues brought up by a reviewer:

<ansgar> <iframe src="//[http://crypto.stanford.edu/flashproxy/embed.html crypto.stanford.edu/flashproxy/embed.html]" width="80" height="15" frameborder="0" scrolling="no"></iframe>
<ansgar> That's what upstream suggests to do. That will *not* be very informative.
<ansgar> A 80x15 icon "Internet Freedom". Totally informative that users will not provide a proxy to the Tor network.
[..]
<infinity0> ansgar: is your problem that it doesn't specifically tell (people that host the javascript) to make it obvious to their visitors that they're running the javascript?
<ansgar> infinity0: Yes. Also I believe such things should default to "No".
<infinity0> ansgar: how do you define "such things"?
<ansgar> infinity0: Things unrelated to the web service one is interested in.
<ansgar> And things that allow third parties to track users (if you don't host the server-side part as well).
<infinity0> ok i see. so on a web page about books, it would be surprising for users to default-on to flashproxy
<infinity0> i think it's reasonable for the main flashproxy web page can be default=on though
<infinity0> but i'll raise your point with upstream
<ansgar> Well, even there I might just want to read what it does, not actually take part.

A few things we could do:

  1. tweak the badge so it's more obvious the user is being used as a proxy
  1. in the README (and maybe options.html) advise websites that embed the badge, to make it obvious what they are doing. perhaps also advise non-internet-freedom-related websites to default=no, or set this ourselves.
  1. explain the consequences of running a proxy in options.html (since the badge links to options.html).

Potential user issues might include:

  • whether the facilitator can see which website the proxy last visited (I don't believe this is the case, but we should explicitly state this, given ansgar's confusion above.)
  • whether they are legally liable for users' traffic going through their browser (I believe not, since everything is encrypted by others' keys)

I'm sure more extensive literature about this is already available, we just need to make it more obvious and accessible.

#12814 No space left in /var prevents Tor Browser from starting properly new tbb-team defect Medium
Description

While testing 4.0-alpha I realized that Tor Browser is not starting properly on my machine. Extensions were missing and the following errors in the console showed up:

[13:29:23.748] ERROR addons.xpi-utils: SQL error 13: database or disk is full @ resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js:204
[13:29:23.753] ERROR addons.xpi: Failed to add add-on https-everywhere@eff.org in app-profile to database: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js :: XPIDB_rollbackTransaction :: line 457"  data: no] @ resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js:457
[13:29:24.939] ERROR addons.xpi: Error during startup file checks, rolling back any database changes: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js :: XPIDB_commitTransaction :: line 442"  data: no] @ resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js:442
[13:29:24.941] ERROR addons.manager: Exception calling provider startup: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [mozIStorageStatement.execute]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js :: XPIDB_rollbackTransaction :: line 457"  data: no] @ resource://gre/modules/XPIProvider.jsm -> resource://gre/modules/XPIProviderUtils.js:457

The partition where Tor Browser got extracted had enough space left. The only one that was full was /var. Fixing that fixed the start issues as well. Not sure what exactly gets written to /var but it seems a disk leak to me we need to investigate.

#12836 scramblesuit: 'State' object has no attribute 'closingThreshold' new asn defect Medium
Description

Got this with on a bridge with obfsproxy-0.2.11:

[ERROR] Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 88, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 73, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 215, in doRead
    return self._dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/Twisted-13.2.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 221, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy-0.2.11-py2.7.egg/obfsproxy/network/network.py", line 320, in dataReceived
    self.circuit.dataReceived(self.buffer, self)
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy-0.2.11-py2.7.egg/obfsproxy/network/network.py", line 161, in dataReceived
    self.transport.receivedDownstream(data)
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy-0.2.11-py2.7.egg/obfsproxy/transports/scramblesuit/scramblesuit.py", line 495, in receivedDownstream
    if self.drainedHandshake > self.srvState.closingThreshold:
exceptions.AttributeError: 'State' object has no attribute 'closingThreshold'
#12842 Helpdesk needs a PGP key to be able to receive encrypted help queries assigned phoul defect Medium
Description

Couple days ago sherief mentioned we need a PGP key to be able to receive and handle encrypted help queries via RT.

I think it's a great idea as protecting our users' sensitive information is and always should be our first priority at support team.

This ticket is to help us remember we need to make this happen (hopefully in near future)

Once we have the pgp, we should start advertising and encouraging our users to use encryption if possible.

#12846 Tor Browser fails to launch with error "Failed to connect to Tor network" new tbb-team defect Medium
Description

When i try to launch Tor Browser, it shows a progress dialog for some time and then exits with message box "Cannot to connect to Tor network" The error reproduces on my Windows 7 system in 100% of cases. Tor debug log attached

#12847 cdn rules for bigcommerce.com new zyan defect Medium
Description

bigcommerce CDN names extend past cdn[12] and include:

cdn.bigcommerce.com cdn1.bigcommerce.com cdn2.bigcommerce.com cdn3.bigcommerce.com cdn4.bigcommerce.com

and more. A more appropriate match would be:

cdn\d*\.bigcommerce\.com$

Leaking of bigcommerce.com CDN URLs can result very detailed tracking of items people are looking to buy, purchases etc for any stores run by them. This seems to be the case even for stores that use bigcommerce.com but that use their own domain name.

#12850 Tor unexpectedly exit new tbb-team defect Medium
Description

Here's the log:

11.08.2014 10:24:37.737 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 11.08.2014 10:24:37.737 [NOTICE] Pluggable transport proxy (fte exec Tor\PluggableTransports\fteproxy --managed) does not provide any needed transports and will not be launched. 11.08.2014 10:24:37.737 [NOTICE] Pluggable transport proxy (flashproxy exec Tor\PluggableTransports\flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched. 11.08.2014 10:24:37.737 [NOTICE] Opening Socks listener on 127.0.0.1:9150 11.08.2014 10:24:37.737 [NOTICE] Pluggable transport proxy (fte exec Tor\PluggableTransports\fteproxy --managed) does not provide any needed transports and will not be launched. 11.08.2014 10:24:37.737 [NOTICE] Pluggable transport proxy (flashproxy exec Tor\PluggableTransports\flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched. 11.08.2014 10:24:37.738 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying directory fetches again. 11.08.2014 10:24:40.961 [NOTICE] Bootstrapped 5%: Connecting to directory server. 11.08.2014 10:24:40.964 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server. 11.08.2014 10:24:45.357 [WARN] Proxy Client: unable to connect to 209.141.36.236:45496 ("Connection refused") 11.08.2014 10:24:45.689 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection. 11.08.2014 10:24:45.821 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus. 11.08.2014 10:24:45.945 [NOTICE] Bootstrapped 50%: Loading relay descriptors.

The log lines that mention fte and flashproxy do not necessarily indicate that Pluggable Transports were used, as these lines show up in logs normally, even when no PTs are selected.

OS: Windows 7 Firewall: Microsoft Security Essentials Report: "the browser works only a minute or so after that i get an error which says the browser has exited. after that i cant load any sites"

May or may not be related to #11677

#12856 avast! Online Security plug-in conflict with HTTPS Anywhere (Chrome) new zyan defect Medium
Description

I recently installed the avast! Online Security plug-in for Chrome, and have noticed a periodic "Extension error" alert. The details provided by Chrome in my plug-in list, under HTTPS Anywhere (2014.6.26) are:

"Warning: This extension failed to redirect a network request to https://www.google-analytics.com/ga.js because another extension (avast! Online Security) redirected it to chrome-extension://gomekmidlodglbbmalcneegieacbdmki/common/mocks/ga.js."

I have "Web Tracking blocked" enabled in my avast! settings, and was told by avast tech support to either disable this feature or disable HTTPS Anywhere. Is it possible to add an exception so I can both block analytics with avast and continue to use HTTPS Anywhere without constantly throwing up an error?

#12858 routine bug report new tbb-team defect Medium
Description

I received the following error message in the Message Log while trying to connect to nolo.com. Was asked to send it to "bugs" at Tor.

[Tue Aug 12 13:11:04 2014] Tor Software Error - The Tor software encountered an internal bug. Please report the following error message to the Tor developers at bugs.torproject.org: "microdesc_free(): Bug: microdesc_free() called, but md was still referenced 1 node(s); held_by_nodes == 1

#12863 The http_requests test sometimes only performs one request new hellais defect Medium
Description

It has been reported by some users of ooniprobe [1] that in some circumstances (it is unclear currently exactly how to reproduce this) the report for a http_requests test will only contain one request instead of two. Moreover when this occurs the headers_match and body_length_match keys will be wrongly set to true.

Here is a sample report entry that exhibits this behavior:

---
agent: agent
body_length_match: true
body_proportion: 1.0
control_failure: null
experiment_failure: null
factor: 0.8
headers_diff: !!set {}
headers_match: true
input: http://www.scratchgames.com/
requests:
- request:
    body: null
    headers:
    - - User-Agent
      - ['Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2) Gecko/20100115 Firefox/3.6']
    method: GET
    tor: {is_tor: false}
    url: http://www.scratchgames.com/
  response:
    body: <h1>Bad Request (Invalid Hostname)</h1>
    code: 400
    headers:
    - - Date
      - ['Mon, 23 Jun 2014 13:03:09 GMT']
    - - Connection
      - [close]
    - - Content-Type
      - [text/html]
    - - Content-Length
      - ['39']
socksproxy: null
...

[1] https://lists.torproject.org/pipermail/ooni-dev/2014-August/000139.html

#12865 Two installer construction instructions is one too many. assigned mttp defect Medium
Description

Tor includes two different NSI files for building the the Tor Expert Bundle installer. One is contrib/win32build/tor.nsi.in, and the other is contrib/win32build/tor-mingw.nsi.in. The former file says right at the top:

; NOTE: This file might be obsolete. Look at tor-mingw.nsi.in instead.

Right now tor-mingw.nsi.in is the only file being used to build the actual NSI. I suspect tor.nsi.in is just dead weight.

< armadev> yeah, you should confirm with erinn that nobody has any use for anything in that file, and then remove it

#12870 Not loading rulesets from HTTPSEverywhereUserRules on Firefox 31.0 / OS X 10.9.4 new zyan defect Medium
Description

HTTPS Everywhere 5.0 development 0, does not load rulesets from XML files in the HTTPSEverywhereUserRules subdirectory in the Firefox profile directory. The same for the latest stable version 3.5.3.

#12879 Obfsproxy has incorrect Error type assigned asn defect Medium
Description

In the socks.py file of obfsproxy there is a small bug with the csv reader.

in line 133: except csvError, err: should be except csv.Error, err:. csvError does not exist and I think its just missing the period.

#12885 Windows Jump Lists fail for Tor Browser new mcs defect Medium
Description

This ticket is a spinoff of #6062 (which I am going to close).

Windows 7 and 8 include a jump lists feature which is used by Firefox to provide a menu of tasks that may be accessed from the Start Menu or Taskbar ("Open new tab", "Open new window", etc.) These task items fail in Tor Browser because we have disabled remoting. Similarly, clicking the main "Tor Browser" pinned item fails for the same reason if Tor Browser is already running.

For now, we should change things so we do not show the jump list items. We can do so by setting these two prefs to false:

browser.taskbar.lists.frequent.enabled browser.taskbar.lists.tasks.enabled

(we also want browser.taskbar.lists.recent.enabled = false but that is already done by default).

Also – although one would think that setting browser.taskbar.lists.enabled = false would be sufficient to turn everything off, doing that may leave old jump list menu items around. So it is better to turn off the three more specific prefs. See:

http://mxr.mozilla.org/mozilla-esr24/source/browser/modules/WindowsJumpLists.jsm#219

#12900 Remove config related naming stuff assigned Sebastian defect Low Tor: unspecified
Description

We should warn users when they specify nicknames anywhere in their Tor config except for the Nickname option

#12901 Remove client-related naming stuff assigned Sebastian defect Low Tor: unspecified
Description

Recognizing the Named flag in a consensus, related data structures.

#12902 ScribD breaks with the rule enabled new zyan defect Medium
Description

ScribD.Com breaks when viewing a page

Using version 3.5.3, on Firefox

This bug appears, for me, when viewing a full page: this was the particular URL: http://www.scribd.com/fullscreen/237238876?access_key=key-dyYcG9f5ue4x6lBrAdmd&allow_share=true&escape=false&view_mode=scroll

#12906 Google image search "redirect notice new zyan defect Medium
Description

I've been using HTTPS Everywhere almost since it first came out, but one thing that has always annoyed me, a lot is how it seems to break parts of google image search. If I on the main page google.com write something I want an image of, it comes up with the most likely image results and a load of text results.

If I then click on one of the image results, it no longer takes me directly to that result, instead it just takes me to the image search result page and I'll have to find the specific image again manually.

If I then find said image and click on it and then click "visit page" or "view image" I'm taken to a redirect notice, and this happens 100% of the time without fail.

I don't actually know if this is something you guys can fix, or if it's on googles end, it's just been annoying me for a long time so I finally decided to report it to someone. Apart from this I love HTTPS Everywhere. Have a nice day =)

P.S. my current version is 3.5.3 but I couldn't find it in the versions thingy, and my browser is firefox 31, and I'm on windows 7 if that helps anythin too.

#12911 Cloudfront Ruleset Breaks IKEA Online Catalogue new zyan defect Medium HTTPS-E next Firefox dev release
Description

When trying to view the IKEA Online Catalogue at http://onlinecatalogue.ikea.com/IE/en/IKEA_Catalogue/ the Cloudfront ruleset is invoked and it prevents the catalogue interface from loading.

Using HTTS-E 5.0dev on Firefox 31

#12926 Make sure our linker gets used when compiling Tor Browser for Windows new tbb-team defect Medium
Description

#12753 zeroed out the timestamp in the PE header but surprisingly not everywhere (e.g. not in the tor.exe). This might be due to the fact that our own linker is not used in these cases. See the hint in gitian-firefoy.yml

 XXX: the path to ld is hardcoded in mingw..

which would explain why tor.exe and the mingw-w64 libs we build in gitian-utils.yml are affected.

#12930 Someone, somewhere needs to unescape pluggable transport "SMETHOD ARGS" arguments. new asn defect Medium
Description

Per pt-spec.txt:

      - ARGS:K=V,K=V,K=V

        If this option is set, the K=V arguments are added to Tor's
        extrainfo document. Equal signs and commas must be escaped
        with a backslash.

All of obfs4's server (extra info) document arguments end with a number of equal signs because they are Base64 strings.

goptlib does the right thing here and escapes the args, so the trailing Base64 padding passed to tor as part of SMETHOD ARGS ends with \\=. The fun here is that, tor does not unescape the ARGS line, so \\= is what ends up in the extrainfo document on BridgeDB.

The arguments that appear on obfs4 bridge lines should not be escaped, so someone, somewhere between little-t tor, and the place where the arguments appear on whatever BridgeDB frontend the end user sees, needs to unescape the arguments.

#12936 CloudFlare rule breaks wunderground.com new zyan defect Medium
Description

The CloudFlare redirection rule breaks wunderground.com - the weather maps and 10 day forecast no longer display.

Fedora 19 Firefox 31.0 Https Everywhere 4.0.0

#12937 httpse-ruleset-bug : Zencoder flash video not playing new zyan defect Medium HTTPS-E 4 stable
Description

The video doesn't start, it can found here http://www.therealfoodchannel.com/videos/the-food-industry/100-lemon-juice---not.html

#12938 https://members.bet365.com/ stops loading with blank screen new zyan defect Medium
Description

Chrome Version 36.0.1985.143 m Win 8.1 EN 64 bit HTTPS Everywhere 2014.8.22

Go to https://members.bet365.com/ The page stops loading with a blank screen.

Disable by unchecking "bet365 Group (partial)"

Page loads ok: http://www.bet365.com/home/FlashGen4/WebConsoleApp.asp?&cb=xxxxxxxxx

#12941 Firefox is already running. new tbb-team defect Medium
Description

The full error message is reported as "Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system." This happens when the user tries to Start Tor Browser after previously closing it normally. The error blocks Tor Browser from launching.

This error has been reported on both Windows and Mac.

Tor Browser is on the Desktop.

User reports that they can indeed find a lingering Firefox.exe process in task manager after Tor Browser has already been closed, and that killing the process allows them to start Tor Browser successfully.

The contents of the Data/Browser/profile.default folder are listed below:

bookmarkbackups File folder 8/22/2014 9:52:45 PM 5/22/2014 6:40:12 AM extensions File folder 8/23/2014 9:40:31 AM 5/22/2014 6:36:45 AM HTTPSEverywhereUserRules File folder 5/22/2014 6:39:55 AM 5/22/2014 6:39:55 AM preferences File folder 5/22/2014 6:36:46 AM 5/22/2014 6:36:46 AM safebrowsing File folder 8/23/2014 9:34:28 AM 8/23/2014 9:34:28 AM startupCache File folder 8/23/2014 9:38:53 AM 8/1/2014 5:02:52 AM thumbnails File folder 5/22/2014 6:40:13 AM 5/22/2014 6:40:13 AM webapps File folder 8/23/2014 9:34:24 AM 5/22/2014 6:40:12 AM blocklist.xml xml 131 KB XML Document 8/23/2014 9:42:27 AM 5/22/2014 6:46:15 AM bookmarks.html html 4 KB Opera Web Document 12/31/1999 8:00:00 PM 12/31/1999 8:00:00 PM cert8.db db 64 KB Data Base File 8/22/2014 9:52:45 PM 5/22/2014 6:39:55 AM compatibility.ini ini 1 KB Configuration settings 8/1/2014 5:02:51 AM 5/22/2014 6:39:55 AM cookies.sqlite sqlite 512 KB SQLITE File 5/22/2014 6:49:22 AM 5/22/2014 6:39:56 AM cookies.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:20 AM 8/23/2014 8:35:09 AM cookies.sqlite-wal sqlite-wal 0 SQLITE-WAL File 8/23/2014 8:35:09 AM 8/23/2014 8:35:09 AM downloads.sqlite sqlite 96 KB SQLITE File 5/22/2014 6:40:24 AM 5/22/2014 6:40:24 AM extensions.ini ini 1 KB Configuration settings 7/31/2014 7:23:44 AM 7/31/2014 7:23:40 AM extensions.sqlite sqlite 448 KB SQLITE File 7/31/2014 7:23:40 AM 5/22/2014 6:39:55 AM formhistory.sqlite sqlite 192 KB SQLITE File 6/29/2014 9:30:11 AM 6/29/2014 9:30:11 AM key3.db db 16 KB Data Base File 8/22/2014 9:52:45 PM 5/22/2014 6:39:55 AM localstore.rdf rdf 3 KB RDF File 8/23/2014 6:50:53 PM 8/23/2014 6:50:53 PM marionette.log log 1 KB Text Document 8/23/2014 9:34:23 AM 5/22/2014 6:39:59 AM mimeTypes.rdf rdf 4 KB RDF File 5/22/2014 6:40:12 AM 5/22/2014 6:40:12 AM parent.lock lock 0 LOCK File 8/23/2014 9:34:19 AM 5/22/2014 6:39:55 AM places.sqlite sqlite 10,240 KB SQLITE File 8/22/2014 10:54:40 AM 5/22/2014 6:40:12 AM places.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:24 AM 8/23/2014 8:35:15 AM places.sqlite-wal sqlite-wal 65 KB SQLITE-WAL File 8/23/2014 10:00:13 AM 8/23/2014 8:35:15 AM pluginreg.dat dat 1 KB DAT File 7/10/2014 8:13:56 AM 7/10/2014 8:13:56 AM prefs.js js 6 KB JScript Script File 8/23/2014 7:10:30 PM 8/23/2014 7:10:30 PM search.json json 21 KB JSON File 5/22/2014 6:40:13 AM 5/22/2014 6:40:13 AM secmod.db db 16 KB Data Base File 5/22/2014 6:39:55 AM 5/22/2014 6:39:55 AM Telemetry.FailedProfileLocks.txt txt 1 KB Text Document 8/23/2014 9:33:58 AM 7/27/2014 4:10:19 PM webappsstore.sqlite sqlite 96 KB SQLITE File 5/22/2014 6:49:22 AM 5/22/2014 6:40:14 AM webappsstore.sqlite-shm sqlite-shm 32 KB SQLITE-SHM File 8/23/2014 9:34:25 AM 8/23/2014 9:34:25 AM webappsstore.sqlite-wal sqlite-wal 0 SQLITE-WAL File 8/23/2014 9:34:25 AM 8/23/2014 9:34:25 AM

#12945 The formatting tools dissappear from this forum platform with this extension. new zyan defect Medium
Description

Example this page:

http://www.overclock.net/t/1509086/i-cant-see-the-formatting-tools-in-chrome-or-give-rep/0_100#post_22752686

But it needs an account to see the issue (since it's the posting formatting tools of the forum).

#12952 PBS Video broken 6 months, "Crossdomain loading denied" assigned ivanovpetr defect Medium
Description

All PBS video has been broken here since March when I installed HTTPS Everywhere... (I never connected the events.) Recently PBS began including an error message - "Error loading skin: Crossdomain loading denied." Disable HTTPS Everywhere and the same video works.

Chrome Version 38.0.2125.8 dev-m, Win7, HTTPS Everywhere 2014.8.22

I can't tell you what your toolbar menu rules show, because every time I click it you get disabled - "This extension may have been corrupted by malware." Makes it rather hard to discover what is blocking pages...

#12959 Google APIs breaks www.mojasvadba.sk new zyan defect Medium
Description

Try for example www.mojasvadba.sk/blog/miriem/album/svadobne-pismena-2asfwq/ Clicking on a photo should display a big photo on the same page. With HTTPS-E Google APIs enabled, it goes to a new page. And on the whole site no "JS" links work ("like" button, showing comments, ...). Firefox 31, HTTPS-E 4.0.0

#12965 Amazon CloudFront compatibility (FF / Chrome) new zyan defect Medium
Description

Some sites fail to load external data unless EFF-HTTPS Everywhere is disabled for the CloudFront service.

#12976 Orbot's new identity feature is not mentioned anywhere in app or documentation new n8fr8 defect Medium
Description

Nowhere in the app UI, wizard or websites can I find any mention of the Orbot's new identity feature. I only discovered it by accident and I'm sure other users will be in a similar position. I thought I'd seen a bug of someone actually requesting for a new identity feature to be added because they didn't know it already existed, but I can't seem to find it now.

I think a simple mention in the UI would be enough. Just like we already have Orbot is deactivated - long press to start -, we could simply change the string Connected to the Tor network to something like Connected to the Tor network - Swipe for new circuit -. A mention in the in-app wizard and/or in the interactive how-to on the Guardian Project website also wouldn't go a miss.

#12977 Fix Firefox's Full Screen Permissions Prompt new tbb-team defect High
Description

It looks like it may be slightly tricky but not impossible to fix the full screen permissions prompt. The full screen code lives in nsDocument::RequestFullScreen(). It actually registers an observer ("fullscreen-approved") topic for reacting to the prompt, but then goes ahead and reparents the element and full screens anyway.

We might be able to refactor this code such that it gets called from the observer callback, after the user has interacted with the dialog.

Probably best done after FF31-ESR though.

#12987 www.MapMyRide.com not fully loading new zyan defect Medium
Description

This site suddenly started failing for all the graphical parts, hover menus and the like. There were per observation no updates to https everywhere add-on 4.0 or firefox 31.0. Reported to mapmyride, but they vain ignorance. Effectively, if https everywhere is disabled, both on android tablet and windows pc, the site loads properly. Enable the add-in and is does the endless wheel spinning again where graphics or lists are supposed to appear. Dev version 5.0.0 of add-in made no difference.

Thx

#12990 route certificate errors new tbb-team defect Medium
Description

So on August 17th, I experienced a weird error and haven't noticed it since, but thought I'd try to determine the cause. I was using the latest TBB (3.6.4) on Ubuntu 14.04 x64. Figure this was just an uber glitch, but wanted to report it just in case it happens for someone else also:

Aug 17 00:45:22.000 [warn] Tried connecting to router at 185.13.39.135:443, but identity key was not as expected: wanted 2F7C841C58F475EDE7C5D69393D07617BF387E99 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.

Full session below:

griffin@mercurius:~/Downloads/tor-browser_en-US$ ./start-tor-browser

Launching Tor Browser Bundle for Linux in /home/griffin/Downloads/tor-browser_en-US

(process:29067): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

(firefox:29067): Gtk-WARNING **: Unable to locate theme engine in module_path: "adwaita",

(firefox:29067): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised

(firefox:29067): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised

(firefox:29067): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised

(firefox:29067): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
Aug 17 00:43:30.909 [notice] Tor v0.2.4.23 (git-a9ea51dc0bd48126) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1i.
Aug 17 00:43:30.910 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug 17 00:43:30.910 [notice] Read configuration file "/home/griffin/Downloads/tor-browser_en-US/Data/Tor/torrc-defaults".
Aug 17 00:43:30.910 [notice] Read configuration file "/home/griffin/Downloads/tor-browser_en-US/Data/Tor/torrc".
Aug 17 00:43:30.916 [notice] Opening Socks listener on 127.0.0.1:9150
Aug 17 00:43:30.916 [notice] Opening Control listener on 127.0.0.1:9151
Aug 17 00:43:30.000 [notice] Pluggable transport proxy (fte exec ./Tor/PluggableTransports/fteproxy.bin --managed) does not provide any needed transports and will not be launched.
Aug 17 00:43:30.000 [notice] Pluggable transport proxy (obfs2,obfs3 exec ./Tor/PluggableTransports/obfsproxy.bin managed) does not provide any needed transports and will not be launched.
Aug 17 00:43:30.000 [notice] Pluggable transport proxy (flashproxy exec ./Tor/PluggableTransports/flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched.
Aug 17 00:43:30.000 [notice] Parsing GEOIP IPv4 file /home/griffin/Downloads/tor-browser_en-US/Data/Tor/geoip.
Aug 17 00:43:30.000 [notice] Parsing GEOIP IPv6 file /home/griffin/Downloads/tor-browser_en-US/Data/Tor/geoip6.
Aug 17 00:43:31.000 [notice] We now have enough directory information to build circuits.
Aug 17 00:43:31.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
Aug 17 00:43:31.000 [notice] New control connection opened.
Aug 17 00:43:31.000 [notice] Pluggable transport proxy (fte exec ./Tor/PluggableTransports/fteproxy.bin --managed) does not provide any needed transports and will not be launched.
Aug 17 00:43:31.000 [notice] Pluggable transport proxy (obfs2,obfs3 exec ./Tor/PluggableTransports/obfsproxy.bin managed) does not provide any needed transports and will not be launched.
Aug 17 00:43:31.000 [notice] Pluggable transport proxy (flashproxy exec ./Tor/PluggableTransports/flashproxy-client --register :0 :9000) does not provide any needed transports and will not be launched.
Aug 17 00:43:31.000 [notice] New control connection opened.
Aug 17 00:43:31.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Aug 17 00:43:32.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Aug 17 00:43:33.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 17 00:43:33.000 [notice] Bootstrapped 100%: Done.
Aug 17 00:43:34.000 [notice] New control connection opened.
Aug 17 00:45:22.000 [warn] Tried connecting to router at 185.13.39.135:443, but identity key was not as expected: wanted 2F7C841C58F475EDE7C5D69393D07617BF387E99 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:27.000 [warn] Tried connecting to router at 77.109.141.139:443, but identity key was not as expected: wanted 527ED954F9E7800AB00BCE366542CB074B42DD2A but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:29.000 [warn] Tried connecting to router at 5.34.183.205:443, but identity key was not as expected: wanted DDD7871C1B7FA32CB55061E08869A236E61BDDF8 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:30.000 [warn] Tried connecting to router at 88.198.100.230:443, but identity key was not as expected: wanted 093E76DE8EF51256E0FDC51B41237989ADA4AC2E but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:31.000 [warn] Tried connecting to router at 5.39.80.135:443, but identity key was not as expected: wanted AB73816E5D7BC52664CBB9D005FF579BAFEAFE87 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:34.000 [warn] Tried connecting to router at 86.59.119.83:443, but identity key was not as expected: wanted FC9AC8EA0160D88BCCFDE066940D7DD9FA45495B but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:35.000 [warn] Tried connecting to router at 62.210.84.20:443, but identity key was not as expected: wanted 5A16F7E31B26F286889F20027F57A5E253AF3F23 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:38.000 [warn] Tried connecting to router at 96.44.189.102:443, but identity key was not as expected: wanted 3B486DEC5A22694C0960B4A97A3665C617C89B1C but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:45:38.000 [warn] Tried connecting to router at 188.165.138.55:443, but identity key was not as expected: wanted 95A3BC167A575964F40F251B850ABB47960A530D but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:47:02.000 [warn] Tried connecting to router at 62.210.82.177:443, but identity key was not as expected: wanted 7663AD93B561AA11F40982BBDB3D3063AD28E3C7 but got 4279541B61CD552B3E63D53C4857F59FFB45CE4A.
Aug 17 00:47:04.000 [notice] Owning controller connection has closed -- exiting now.

Tor Browser exited cleanly.
griffin@mercurius:~/Downloads/tor-browser_en-US$ cd
#12993 Fastly breaks www.whitepages.com new zyan defect Medium
Description

The Fastly rule prevents proper rendering of pages on whitepages.com website.

Versions in use: Firefox 31 on Mac OS 10.6.8 HTTPS Everywhere 4.0.0

To reproduce:

Install HTTPS Everywhere. Browse to http://www.whitepages.com

Expected results:

The web page should display as is does w/o HTTPS Everywhere, with an image and dialog boxes for data entry.

Observed results:

The web page shows text only, as if all the Javascript has been lost/blocked.

Workaround: Disable the Fastly rule in HTTPS Everywhere and reload the page.

#12995 default font seems seems to leak system locale information new tbb-team defect Medium
Description

I recently changed the default system locale on my GNU Linux system, and I noticed that afterwards the default font used on web pages in Tor Browser had changed (I didn't change the version/language of Tor Browser).

I suppose that this means that an attacker can guess a user's locale based on the font used to display a page.

#13001 HTTPS Everywhere breaks eloconcursos.com.br new zyan defect High
Description

When HTTPS Everywhere is activated, I can't properly load videos from that website.

Usually, when trying to load videos from eloconcursos.com.br, several rules are marked with the green mark:

YouTube (partial) Google Services AppNexus (partial) Amazon Web Services Cloudfront

One is marked with a lighter green color: Facebook

And one is marked with a red mark: Doubleclick.net (testing)

I don't know how to troubleshoot the issue with HTTPS Everywhere enabled.

It disappears if I click at disable HTTPS Everywhere.

#13005 Please document Tor Browser environment variables new tbb-team defect Medium
Description

It's not uncommon for users to want Tor Browser to use their already running system Tor. Doing this requires familiarity with the TOR_SKIP_LAUNCH environment variable. Rather than only documenting one or some of the env variables, they should all be documented in one place. Users should be able to visit a single document, FAQ entry, or wiki page where they can read the functionality of

TOR_SKIP_LAUNCH TOR_FORCE_NET_CONFIG TOR_CONFIGURE_ONLY TOR_CONTROL_HOST TOR_CONTROL_PORT TOR_CONTROL_PASSWD TOR_CONTROL_COOKIE_AUTH_FILE TOR_SOCKS_HOST TOR_SOCKS_PORT TOR_TRANSPROXY

and how to set each. (Did I miss any?)

#13012 Reviewing Bug #3229: Make content pref service memory-only + clearable assigned boklm defect Medium
Description

I noticed that nsContentPrefService.js can be expected to store prefs in memory, providing that any provided "loading context" has "usePrivateBrowsing" set to true, an assumption that may or may not hold for Firefox's Private Browsing (PB) mode. The patch for #3229 in addition applies to non-PB mode. Since Tor Browser uses PB mode by default, it's not entirely clear whether or not #3229 is needed.

To complicate matters, nsContentPrefService.js has been deprecated in favor of ContentPrefService2.jsm, at least in ESR31. In this new implementation, it looks like PB mode will also use an in-memory store, provided we make the same possibly dangerous assumption that loading contexts will always have "usePrivateBrowsing" set to true.

So my question is: should we drop the #3229 patch (assuming Firefox gets the loading contexts right), or should we be extra defensive and write a similar patch to apply to ContentPrefService2.jsm? Perhaps Mike has some insight here.

#13014 copy and paste trick could be used to deanonymise users new tbb-team defect Medium
Description

This website demonstrates a trick that could easily be used to deanonymise users by tricking them into copying malicious commands into the clipboard.

Mitigating this threat might be difficult, one way would be to display a notification containing the contents of the clipboard whenever something is copied.

#13018 Math routines are OS fingerprintable new tbb-team defect Medium
Description

The Math class now exposes high-precision versions of several mathematical functions. If these are OS-specific, they may be fingerprintable.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math

OS-level fingerprinting probably is not a terribly high priority. The only situation where this is high priority is if different OS versions and library versions end up producing different results for these functions.

#13030 Tor unexpectedly exited needs_information erinn defect Medium
Description

OS: Windows Vista Home premium sp2

Just downloaded Tor browser 3.6.4, installed it fine but everytime I click 'Start Tor Browser' I get the error message

"Tor unexpectedly exited Please restart this application"

But restarting only leads to the same message being given again. I have tried uninstalling and reinstalling.

#13043 torspec lies about accepting both IPv4 and IPv6 for ORAddress lines new massar defect Medium Tor: 0.3.2.x-final
Description

(From this comment on #9380)

tl;dr: The "a"/"or-address" lines, in implementation, only happen once each per router, and only ever contain IPv6 addresses, despite what dir-spec.txt says. The spec says:

     "a" SP address ":" port NL

        [Any number]

        The "or-address" element as specified in section 2.1.1.

and:

   "or-address" SP ADDRESS ":" PORT NL

       [Any number]
      
       ADDRESS = IP6ADDR | IP4ADDR
       IPV6ADDR = an ipv6 address, surrounded by square brackets.
       IPV4ADDR = an ipv4 address, represented as a dotted quad.
       PORT = a number between 1 and 65535 inclusive.                
       An alternative for the address and ORPort of the "router" line, but with
       two added capabilities:  
      
         * or-address can be either an IPv4 or IPv6 address
         * or-address allows for multiple ORPorts and addresses

       A descriptor SHOULD NOT include an or-address line that does nothing but
       duplicate the address:port pair from its "router" line.

       The ordering of or-address lines and their PORT entries matter because
       Tor MAY accept a limited number of addresses or ports. As of Tor 0.2.3.x
       only the first address and the first port are used.

  • In terms of how many "a"/"or-address" lines there may be, the spec is only correct if you pay super close attention to the last sentence (this is actually the first time I've noticed it :) ).
  • In terms of whether IPv4 and/or IPv6 addresses are acceptable, the spec is currently wrong, according to the functions router_rebuild_descriptor() [source] and router_dump_router_to_string() [source] in src/or/router.c in tor's source code.

#13051 TBB 3.6.5 is ignoring ExcludeNodes and ExcludeExitNodes settings new tbb-team defect Medium
Description

Okay, I have TBB set up to Exclude certain nodes based on country, name of node, and IP addresses. Since upgrading to the TBB 3.6.5 new version, TOR has been ignoring my settings completely. It connected to nodes in countries that I have totally blacklisted (based on nodes from them filtering things that are legal in my nation) and nodes that I specifically blacklisted by IP and name.

#13052 Torbrowser window size/rendering issue new tbb-team defect Medium
Description

Hello,

I'm using the dwm window manager (Version 6.0). If I start the Torbrowser, the window is not properly rendered (picture). As soon as I resize the window manually with my cursor, everything works properly.

I'm using the TB 3.6.5.

Kind regards, oierror

#13056 Some stack canaries are still missing on Tor Browser binaries on Linux new tbb-team defect Medium
Description

It seems that the following binaries have missing stack canaries:

libmozalloc.so libnssckbi.so libplc4.so libplds4.so TorBrowser/Tor/libgmpxx.so TorBrowser/Tor/libgmpxx.so.4 TorBrowser/Tor/libgmpxx.so.4.3.3 TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_ARC4.so TorBrowser/Tor/PluggableTransports/Crypto/Cipher/_XOR.so TorBrowser/Tor/PluggableTransports/Crypto/Util/_counter.so TorBrowser/Tor/PluggableTransports/meek-client-torbrowser TorBrowser/Tor/PluggableTransports/twisted/python/_initgroups.so TorBrowser/Tor/PluggableTransports/twisted/runner/portmap.so TorBrowser/Tor/PluggableTransports/twisted/test/raiser.so TorBrowser/Tor/PluggableTransports/zope/interface/_zope_interface_coptimizations.so

#13059 Create bad-relays file needs_revision defect Medium Tor: unspecified
Description

In the wake of #12899, it became apparent that redoing the approved-routers file is a good idea. It'll be replaced by a torrc-style file called bad-relays.

#13065 counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file new tbb-team defect Medium
Description

Securely downloading https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions solely relies on SSL, is currently neither signed, nor gets verified by Tor Button.

This is problematic, because should torproject.org's web server or CA be compromised one day, applications such as Tor Button and torbrowser-launcher could be fooled into using an outdated and/or malicious RecommendedTBBVersions file.

Suggestion: could you please, 1) provide a signed version of RecommendedTBBVersions, 2) verify RecommendedTBBVersions in Tor Button.

To prevent downgrade and stale mirror attacks, the signature would have to be renewed after every X weeks, and rejected by the verification mechanism [+ user notification] if is is too old. (Similar to Valid-Until / #9810.)

#13081 Fix build with Visual Studio in Windows needs_review defect Medium Tor: unspecified
Description

I have attached a patch to fix the missing objects during compilation.

The build process itself will have to be better documented in the future.

#13083 HTTPS Everywhere Breaks Video new zyan defect Medium
Description

HTTPS Everywhere for Chrome v 35, 36, & 37, breaks Videos on www.usatoday websites.

Any article that has an embedded javascript video, it will fail to play unless HTTPS Everywhere is disabled. I believe it may be responsible for similar problems on other sites with embedded videos, if and when I can confirm this, I will report those issues here.

I'm not a developer, so I'm just reporting the issue to you folks.

Thanks,

Chuck B. 27463331 [@] opayq.com

#13086 Causing wrong rendering of openstreetmap in Pale Moon new zyan defect Medium
Description

Using the Pale Moon browser the edit page of openstreetmap.org is not properly rendered:

The background sat imagery is not shown and the dropdown menu is empty (see attachments: firefox vs palemoon)

I'm using Palemoon 24.7.1 (x86) on Windows 7 Professional SP 1.

Also reported in Pale Moon forum under https://forum.palemoon.org/viewtopic.php?f=29&t=5622

#13095 Countdown on Apple.com not working new zyan defect Medium
Description

The Apple live event countdown doesn't show numbers on http://www.apple.com/live/.

From dev console:

Tested with HTTPS Everywhere 2014.8.22 in Chrome for Mac 37.0.2062.94. Temporary plugin deactivation solves the problem.

#13110 HTTPS Everywhere with Chrome: display error on www.id.unibe.ch new zyan defect Medium
Description

When HTTPS Everywhere is enable in Chrome/Chromium, some subdomains of unibe.ch are not properly displayed. Examples are www.id.unibe.ch and www.philnat.unibe.ch. I will attach a screenshots of the page with http and with https.

#13112 Some things are probably broken when we advertise multiple ORPorts and only some are reachable new defect Medium Tor: unspecified
Description

Observations on reachability testing made while fixing #12160:

  • We only have a 1-bit notion of reachability; if we get an incoming non-local connection, we assume reachability in onionskin_answer() and call router_orport_found_reachable() to publish a descriptor.
  • We should have a reachability bit per *advertised* ORPort to determine its inclusion in the published descriptor, and publish if and only if we have one or more reachable ORPorts.
  • To implement this, we need a way to link incoming testing circuits to a particular advertised ORPort; we don't know this from the port the underlying channel was listening on because reverse proxies might make this not one-to-one in general.
  • Arma suggests in IRC that netinfo cells know the IP the connection was attempted on and if they were extended with a port number they might provide a sufficient mechanism.
#13121 App Conflict new n8fr8 defect Low
Description

Please disable this app in Android: -> settings-> Apps if you are having problems with Orbot: com.sec.msc.nts.android.proxy

#13140 ooniprobe should realise that the system is out of memory needs_review hellais defect Medium
Description

Currently if you run a test like bridge_reachability and the system runs out of memory the kernel will start randomly killing tor processes. ooniprobe should detect that it is running out of memory and:

1) Print a warning message

2) Stop starting new measurements until the memory usage goes below the critical level

#13147 Curious debian hurd unit test failure new defect Medium Tor: unspecified
Description

0.2.5.7-rc and master fail unit tests on the hurd.

The failing test is util/spawn_background_fail, the reported error is (line 2832 in current master): assert((expected_status) == (process_handle->status)): 1 vs 0.

This only happens when running all unit tests, when I just say src/test/test util/spawn_background_fail, the test passes.

I'm setting this for 0.2.5.x-final because it would be nice to build there for the next release (it's a regression to fail tests against 0.2.4-stable), but if nobody has any ideas I guess we'll defer it

Originally reported by weasel

#13155 I can use an extend cell to remotely determine whether two relays have a connection open new defect Medium Tor: unspecified
Description

Send an extend cell to relay A, listing the address and identity key of relay B but the wrong port.

Relay A calls circuit_extend() for the new cell, which calls channel_get_for_extend(), which tries to figure out if there's a canonical connection already established. To do that, it asks

    if (!channel_is_canonical(chan) &&
         channel_is_canonical_is_reliable(chan) &&
        !channel_matches_target_addr_for_extend(chan, target_addr)) {
      ++n_noncanonical;
      continue;
    }

and channel_matches_target_addr_for_extend() turns into channel_tls_matches_target_method() which basically is

  return tor_addr_eq(&(tlschan->conn->real_addr), target);

It doesn't consider the port. So if there is a canonical channel open, bingo we use it.

But if there isn't one open, then off we go to make one:

      n_chan = channel_connect_for_circuit(&ec.orport_ipv4.addr,
                                           ec.orport_ipv4.port,
                                           (const char*)ec.node_id);

where ec.orport_ipv4.port was set from extend_cell_parse(), i.e. it came from our extend cell. If we specify the wrong port, that connect attempt will fail. Now we can distinguish, remotely, which situation we're in.

#13160 make a deb of meek and get into Debian new dcf defect Medium
Description

aka

apt-get install meek

Speaking for Whonix, this would be very useful. Perhaps for Tails as well, but I am not speaking for them.

#13167 Export dirauth files via directory protocol new defect Medium Tor: unspecified
Description

Metrics downloads a few files (consensus, descriptors, extrainfo, v3 votes) from dirauths for further processing. It'd be good if all these files could be served by Tor directly, as this would alleviate the need for the dirauth ops to take special steps to make these files available.

#13170 network.allow-experiments ~~ FALSE would be better (sane) default new tbb-team defect Medium
Description

trac provides a "version" field, yet I don't see a suitable option

installed: torbrowser-install-3.6.5_en-US.exe help-}aboutTorBrowser: 24.8.0

I'm questioning about:config: network.allow-experiment = true which seems to be an undesirable default

#13185 Orbot still accesses the public Tor network with bridges configured new n8fr8 defect High
Description

I configured Orbot 14.0.8.1 to use bridges, and then set up my upstream firewall to block all connection attempts except to that bridge, yet Orbot still seems to try to connect to many other nodes in the public directory.

Note I have the same configuration on my laptop, and tor does not do this. If bridges are configured, Tor only connects to those IPs.

It should also be possible to observe by inspecting Orbot's connections on your Android device in OS Monitor app's "Connections" tab: https://play.google.com/store/apps/details?id=com.eolwral.osmonitor&hl=en https://f-droid.org/repository/browse/?fdid=com.eolwral.osmonitor

#13198 clean up torbutton use of Mozilla services new tbb-team defect Medium
Description

Most of the invocations to Cc...getService in the torbutton JS code are unnecessary. Writing a patch to clean it up.

#13203 youtube videos doesn't load new zyan defect Medium
Description

The youtube videos at the following URL doesn't load. If I look in the network tab of the Chrome dev tools, all the youtube request are stuck at (pending).

http://www.pizzamaking.com/forum/index.php?topic=19201.0

HTTPS Everywhere 2014.9.11 Chome 37.0.2062.120 m (64-bit) Windows 8.1 (64-bit)

#13204 TOR Browser Bundle interprets 'mailto' links as downloads new tbb-team defect Medium
Description

If a 'mailto' link (e.g. mailto:user@…) is clicked, instead of starting a new email in an email client, the TOR Browser Bundle gives the warning:

Tor Browser cannot display this file. You will need to open it with another application. Some types of files can cause applications to connect to the internet without using Tor. To be safe, you should only open downloaded files while offline, or use a Tor live CD such as Tails.

mailto: addresses are not files, and no data can be leaked from clicking on one. To be fixed, this warning should be removed for mailto: addresses and an attempt should be made to open the address in the default system mail client.

#13220 Remember window size and position new tbb-team defect Medium
Description

Hi. Seriously, resizing it everyday gets kinda boring already. So what I'm asking is that you would resize it as you want it and next time you launch Tor Browser it stays like that.

Now it just resets to its jerky default position and size.

#13221 Misleading error messages about bind_ipv4_only and bind_ipv6_only? new defect Low Tor: unspecified
Description
      if (bind_ipv4_only && tor_addr_family(&addr) == AF_INET6) {
        log_warn(LD_CONFIG, "Could not interpret %sPort address as IPv6",
                 portname);
        goto err;
      }

Is this warn mixed up? Same with the one below it.

#13231 Tor(Windows) don't close ports when killed from service control new defect Medium Tor: unspecified
Description

Reproduce steps:

  1. Extract Tor Browser bundle, and copy "Tor" folder to any directory.
  2. Install tor.exe as a service. Wait about 1 minute.
  3. Open "services.msc". Restart "Tor Win32 service".
  4. Tor failed to restart.

tor.exe was closed, but these sockets are still opened. So Tor can't open its ports. <unknown> PID:xxx Prot:TCP LocalP:9150

Expected result: Tor should close its ports when services.msc order him to stop.

#13234 Consensus Algorithm Causes Flip-Flopping new defect Medium Tor: unspecified
Description

I had a relay running on 94.23.214.156. It's an unmetered VPS that is NATed with other VPSes, so everyone ends up with the same IPv4 address, but on different ports with port forwarding. Everyone gets their own IPv6 address, but AFAIK, you can't run a relay without IPv4.

This was fine initially, as my relay just ran on a high-numbered port. Currently, there are two other relays using the same IP. This apparently causes the consensus algorithm to flip-flop, keeping any of the relays from becoming stable.

To mitigate this, I've disabled my relay, but this is a less than ideal situation, especially if someone else starts running a relay.

Relevant IRC discussion:

<Sebastian> well, this situation totally sucks.
<Sebastian> I think it is a Tor bug, too.
<Sebastian> because the dirauths disagree on who they think should go in the consensus
<Sebastian> so there's flopping
<pipeep> Ouch.
<Sebastian> so of the three relays doing potentially useful things, zero are useful atm
<pipeep> Sebastian, well, I can shut down my relay for now, so at least there won't be any flip-flopping.
<pipeep> And I can contact one of the two other relay operators, and we can decide based on who has the beefier box
* galex-713 has quit (Ping timeout: 480 seconds)
<pipeep> The other one didn't appear to put valid contact information
<Sebastian> that would be nice. You can also file a Tor bug with the information so other people can see that this is an issue

...

<pipeep> Sebastian, what's the issue exactly? That the consensus algorithm is unstable?
<Sebastian> that's one of the issues, the other issue is imo the restriction to two relays/IP itself
#13236 investigate Firefox SSL for things that might allow user tracking new tbb-team defect Medium
Description

From a comment by Patrick McManus:

(In reply to David Keeler (:keeler) [use needinfo?] from comment #5)

mcmanus, are there other TLS features that are enabled by default that would allow tracking users? (The aim of this bug is to add an option that would prevent that sort of thing.)

sure - at various levels of granularity. None as extreme as session tickets. Anything that keeps state, right?

some that come to mind:

  • the version intolerance cache
  • our false start behavior involves "have I seen this algorithm before"
  • the hsts database
#13260 Transform code to cleaner c99 style new defect Low Tor: unspecified
Description

For #13233, we added a loose c99 requirement for building Tor. If we decide to keep it through the 0.2.6.x series, we can beautify our code a little.

#13270 spam in torproject.org wiki / consider automated spam prevention assigned hiro defect Medium
Description

https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO?action=diff&version=515

Removed this two or three times already. Manually repeating this is getting boring.

Looks like a manual rather than automated spam.

Maybe for start it would be sufficient to ban the erictenne user account.

#13279 In Tor Browser Sync is not working anymore new tbb-team defect Medium
Description

Hello. This morning I've installed on my iMac the last release of TorBundle: 3.6.6

As usual first thing I did, just after installing last release, was to use 'sync' function of the browser to restore bookmark, tabs and so on, but suprise: it did not word.

I clicked, as usual, on Sync in the tool menu; the usual popup opened asking me usual data: username, password and restore key; I fill all fields, but on clicking on the 'continue' button, nothing happends!!!

Same if i click before the 'Syncronisation Option'. In both cases, the only way to get out from the popup, is clikcing on red dot in upper-left corner.

Hope the sync function can be restored asap, couse I'm sure a lot of people use it.

Best Regards.

Joe

#13297 compute_weighted_bandwidths() broken for dirauths new defect Medium Tor: unspecified
Description

I suspect that compute_weighted_bandwidths() is broken for dirauths. All the booleans is_guard, is_exit, etc. are populated according to the node_t.

However, nodelist_set_consensus() which creates those node_ts does not fill in those fields if we are a dirauth:

    if (!authdir) {
      node->is_valid = rs->is_valid;
      node->is_running = rs->is_flagged_running;
      node->is_fast = rs->is_fast;
      node->is_stable = rs->is_stable;
      node->is_possible_guard = rs->is_possible_guard;
...

I don't think this has any big implications, but dirauths are probably doing the wrong path selection. Maybe it's more important if someone is doing bwauth measurements using the dirauth code (if that even makes sense).

#13298 Broken [Confirm Security Exception] button new tbb-team defect Medium
Description
  • Preferences > Privacy > Use custom settings for history
  • Untick "Always use private browsing mode". TB will now restart
  • Visit website with self-signed certificate
  • Tick "Permanently store this exception"
  • Clicking [Confirm Security Exception] won't have any effect. The button is non-functional without any feedback to the user

I would have expected the "Permanently store this exception" checkbox to be disabled (i.e. read-only in the off-state), rather than having a non-functional button that confuses the user.

This is probably related to the securty.nocertdb pref from #12998.

#13304 AWS Ruleset Breaks Amazon Previews and Cart new zyan defect Medium
Description

Enabling the Amazon Web Services ruleset breaks Amazon.com/.ca in the following ways:

  • cannot select different preview pictures or bring up the pictures overlay
  • quantity selection in the cart is broken
  • cannot get estimates for shipping/tax

Tested on Firefox 28.0 (HTTPS-E 4.0.1) and Chrome 37.0.2062 (HTTPS-E 2014.9.1).

#13305 joomla.org infinite redirect loop new zyan defect Medium
Description

http://extensions.joomla.org/extensions/e-commerce/paid-downloads/18146

extension redirects to https, server redirects to http, and so it goes

#13307 Tor Browser might crash on Windows if opened from a USB drive. needs_information tbb-team defect Medium
Description

A Windows user reported to the help desk that they experienced a crash when opening Tor Browser from a USB drive, complete with "Windows is searching for a solution to the problem..." dialog (this is the default message Window gives out when any running program crashes). This person said that opening Tor Browser from the Desktop worked fine for them, and they only experienced the problem opening Tor Browser from USB. It sounded like they got this message before TorLauncher started.

#13308 Partial Rule for CNBC breaks the controld on flash video new zyan defect Medium
Description

The partial rule for CNBC ("CNBC - partial") breaks the controls for the Flash object video. With the rule enabled, the flash video appears and starts up, but does not contain the controls, and there is no way to pause the video

Using HTTPS-Everywhere 4.0.1

Disabling the rule allows the control panel to appear

Discovered with: URL: http://www.cnbc.com/id/102035634

The video is a round table discussion

The object reports the player as

thePlatform PDK

with a version:

5.5.3.359507 (2014-08-28 10:04 am)

I am using updated flash:

15.0.0.152

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Note: See TracQuery for help on using queries.