Opened 3 years ago

Closed 3 years ago

#12146 closed defect (fixed)

Firefox meek-http-helper leaks Host header in CONNECT requests

Reported by: dcf
Owned by: dcf
Priority: High
Milestone:
Component: Obfuscation/meek
Version:
Severity:
Keywords: MikePerry201406R
Cc:
Actual Points:
Parent ID: #10935
Points:
Reviewer:
Sponsor:

Description

#12120 enabled the browser extension helper to use an upstream HTTP or SOCKS proxy. I'm watching the requests that go to the proxy, and Firefox is leaking the Host header in the proxy request:

    CONNECT www.google.com:443 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
    Proxy-Connection: keep-alive
    Connection: keep-alive
    Host: meek-reflect.appspot.com

The Host: meek-reflect.appspot.com is not supposed to be visible on the wire. It's encrypted inside of HTTPS. But Firefox leaks it when configured to use an HTTP proxy.

The Host header must be getting special treatment, because the extension also sets X-Session-ID, and that's not showing up in the proxy request.

We have to turn off the HTTP proxy feature if we can't find a way to prevent the Host from leaking.

Attachments (1)

0001-Make-the-CONNECT-Host-header-the-same-as-the-Request.patch (1.9 KB) - added by dcf 3 years ago.
Backport of Firefox patch to Tor Browser.

Change History (7)

comment:1 Changed 3 years ago by dcf

For reference, when you use meek-client without the browser extension, proxy requests look like:

    CONNECT www.google.com:443 HTTP/1.1
    Host: www.google.com:443
    User-Agent: Go 1.1 package http
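
The difference between the two proxy requests quoted in this ticket can be checked mechanically. The following is an added example, not part of the ticket or of the meek or Firefox code: a Python check that flags a CONNECT request whose Host header names something other than the CONNECT target. The function names are hypothetical; the two sample requests are the ones quoted above, rebuilt as wire bytes.

```python
from typing import Optional

# The two proxy requests quoted in the ticket, rebuilt as wire bytes.
FIREFOX_HELPER = (
    b"CONNECT www.google.com:443 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Connection: keep-alive\r\n"
    b"Host: meek-reflect.appspot.com\r\n\r\n"
)
GO_CLIENT = (
    b"CONNECT www.google.com:443 HTTP/1.1\r\n"
    b"Host: www.google.com:443\r\n"
    b"User-Agent: Go 1.1 package http\r\n\r\n"
)


def split_hostport(value: str):
    """Split 'host[:port]' or '[v6]:port' into (lowercase host, port or None)."""
    value = value.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = value.partition(":")
    return host.rstrip("."), port or None


def connect_host_leak(raw: bytes) -> Optional[str]:
    """Return the Host value if it differs from the CONNECT target, else None."""
    lines = raw.decode("latin-1").splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None  # this check only covers the cleartext CONNECT preamble
    target_host, target_port = split_hostport(parts[1])
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host, port = split_hostport(value)
            if host != target_host or (port is not None and port != target_port):
                return value.strip()
    return None


if __name__ == "__main__":
    for label, req in (("firefox helper", FIREFOX_HELPER), ("go client", GO_CLIENT)):
        print(label, "->", connect_host_leak(req) or "no leak")
```

A Host header without a port is treated as matching when the host name equals the CONNECT target, so only a differing name or port is reported.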

comment:2 Changed 3 years ago by dcf

Here's where Firefox is peeking into the tunneled request in order to copy the Host to the proxy request.

https://gitweb.torproject.org/tor-browser.git/blob/90a58a42063dcd56e29435656237bf4b976d83b8:/netwerk/protocol/http/nsHttpConnection.cpp#l1469

    val = mTransaction->RequestHead()->PeekHeader(nsHttp::Host);
    if (val) {
        // all HTTP/1.1 requests must include a Host header (even though it
        // may seem redundant in this case; see bug 82388).
        request.SetHeader(nsHttp::Host, nsDependentCString(val));
    }

Here's the linked bug 82388.

comment:3 Changed 3 years ago by dcf

Changed 3 years ago by dcf

Backport of Firefox patch to Tor Browser.

comment:4 in reply to:  3 Changed 3 years ago by dcf

Status: new → needs_review

Replying to dcf:

> I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1017769 in the Mozilla tracker. It has a proposed patch.

The patch got merged into Firefox upstream.

attachment:0001-Make-the-CONNECT-Host-header-the-same-as-the-Request.patch is the patch backported to tor-browser.

comment:5 Changed 3 years ago by gk

Keywords: MikePerry201406R added

Looks good to me, and as mcmanus already gave his +r, I don't think we need a pref here.

comment:6 Changed 3 years ago by mikeperry

Resolution: fixed
Status: needs_review → closed

Ok. Merged for TBB 3.6.2 and 4.0-alpha-1 then.