Opened 3 years ago

Last modified 14 months ago

#21200 new enhancement

Move all TB Mozilla service calls to .onions

Reported by: tom
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: fdsfgs@…, dgoulet
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Tor Browser currently pings Mozilla for a (limited) number of things, such as add-on update pings. (At least that's what I'm told, it sounds plausible.)

Mozilla is interested in providing .onions for the endpoints TB uses.

Change History (10)

comment:1 Changed 3 years ago by tom

Trying to build a complete list:

  • Add-On Update Check
  • NoScript Update Check
  • Extension Blacklist

(Filtering about:config for mozilla.org yields a bunch of URLs but most/all(?) of the things are disabled.)

comment:2 Changed 3 years ago by julien

NoScript Update Check should be part of the Add-On update check (called VersionCheck).
Does TBB receive OneCRL data from firefox.settings.services.mozilla.com or the AMO Blocklist?

comment:3 Changed 3 years ago by cypherpunks

As a user... I am very pleased that Mozilla wants to do this!

comment:4 Changed 3 years ago by tom

This is a near-complete list, I think. It does _NOT_ include every place that Tor Browser *links* to a website, but it hopefully contains every automated behind the scenes call to Mozilla websites and it does include some links also.

I researched what would happen if Mozilla's blocklist was used against the Tor add-ons. The next restart of Tor Browser would have the add-ons disabled; and browsing would not work, giving an error that the proxy server is refusing connections.

I confirmed that extensions.systemAddons were not enabled. I also put some random other notes in #19048

Based off of all of this I am going to propose Mozilla start with one of the following with the choice probably being whichever one is easiest:

comment:5 Changed 3 years ago by gk

Sounds good to me and thanks for the detailed write-up!

comment:6 Changed 3 years ago by tom

After some internal discussion:

  • The kinto-based plugin/addon blocking is the 'new way' add-on blocking will be done. They are different views of the same data.
  • On Android there is something called the 'bouncer' app, details here: http://gecko.readthedocs.io/en/latest/mobile/android/fennec/bouncer.html
  • gmp (Gecko Media Plugin) is for EME. I believe it is a generic extension point and not 'the one single EME' but that EMEs are built to live inside it. I hope we don't have to worry about it because we disable EME
  • browser.safebrowsing (aka Shavar) is disabled but would be another thing that polls
  • Same with ABSearch and Tiles

comment:7 Changed 2 years ago by tokotoko

Cc: fdsfgs@… added

comment:8 Changed 14 months ago by arma

An onion service for addons.mozilla.org would be *awesome*, because addons.m.o keeps being the center of attention in various "what if they can mess with the cert" attacks.

Is there any new thinking here? Is somebody waiting for v3 onion services to be a thing? Would they want to set them up with some sort of onionbalance framework, for robustness? It would be nice to have a checklist of desired features/steps, so we can work to check them off, and so we can notice when the list has become empty.

comment:9 Changed 14 months ago by arma

Cc: dgoulet added

Cc'ing dgoulet since last I checked he is the keeper of the "what do we need to do before v3 onion services are at feature parity" list.

comment:10 in reply to:  8 Changed 14 months ago by tom

Replying to arma:

> Is there any new thinking here? Is somebody waiting for v3 onion services to be a thing? Would they want to set them up with some sort of onionbalance framework, for robustness? It would be nice to have a checklist of desired features/steps, so we can work to check them off, and so we can notice when the list has become empty.

There is no new thinking, and we are not waiting on any features from Tor on this. It's simply not been something the services team at Mozilla has added to their target list yet.
