Opened 3 years ago

Closed 3 years ago

#12671 closed defect (not a bug)

Does meek's network-facing browser run javascript?

  • Reported by: arma
  • Owned by: dcf
  • Priority: Medium
  • Component: Obfuscation/meek

Description

Can Amazon S3 pass javascript to meek's network-facing browser (i.e. the copy of Tor Browser that it runs with a separate profile), and will it run it?

Seems like disabling javascript would provide a way for S3 to distinguish meek users from the typical web user, but leaving it enabled would be sad (and surprising) for users who prefer to disable javascript. That said, there are already other ways for S3 itself to learn that it's a meek user, and there shouldn't be a way for an external observer to learn whether they run it? And in that case it would be wise to lock down meek's browser at least as much as Tor Browser itself?


Change History (2)

comment:1 in reply to description Changed 3 years ago by dcf

Replying to arma:

Can Amazon S3

(meek doesn't have anything to do with S3. You're thinking of CloudTransport. If meek used an Amazon service, it would be their CDN CloudFront, not their storage service S3.)

Can Amazon S3 pass javascript to meek's network-facing browser (i.e. the copy of Tor Browser that it runs with a separate profile), and will it run it?

No, the headless browser doesn't interpret anything it receives, except to base64-encode it and pass it back to meek-client. Here is how the protocol looks. We use an nsIHttpChannel and read the response with nsIBinaryInputStream as a binary string.

It's like when you do an XMLHttpRequest; the browser doesn't interpret or run or display the response, even if it happens to contain HTML. It's not as if we put a URL in the address bar and then read the response by walking the rendered DOM.

And of course, there's no way for the CDN to affect what gets rendered in your actual Tor Browser, because all that the CDN sees (and all the headless browser sees) is encapsulated Tor TLS. The CDN is about as privileged as your ISP or guard.

Seems like disabling javascript would provide a way for S3 to distinguish meek users from the typical web user, but leaving it enabled would be sad (and surprising) for users who prefer to disable javascript. That said, there are already other ways for S3 itself to learn that it's a meek user, and there shouldn't be a way for an external observer to learn whether they run it? And in that case it would be wise to lock down meek's browser at least as much as Tor Browser itself?

You're right that we don't try to hide from the CDN; we need at least that much from them. After all, the hidden domain name in all the domain-fronted requests points straight to a meek-server instance on a Tor bridge, so there is a trivial distinguisher. (E.g., Google would just block the domain meek-reflect.appspot.com if they wanted to.)

Here are the extra settings we apply in the headless browser, mainly undoing some of Tor Browser's configuration like the proxy setting. Other settings are inherited from Tor Browser. We could disable JavaScript there, but I don't know whether you'd call it defense in depth or voodoo. For example, we could also disable image loading, in order to prevent the headless browser from loading a tracking gif or something, but the extension doesn't work in a way that could cause it to want to load an image.

comment:2 Changed 3 years ago by arma

  • Resolution set to not a bug
  • Status changed from new to closed

Thanks!
