Opened 3 years ago

Closed 3 years ago

#21683 closed task (fixed)

Make sure safebrowsing is still disabled in ESR 52

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: ff52-esr, tbb-proxy-bypass, tbb-7.0-must-alpha, TorBrowserTeam201705R
Cc: fdsfgs@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor4

Description (last modified by gk)

Safebrowsing prefs got renamed and features got added. We should make sure Safebrowsing is still disablled in ESR 52, though. For starters we could set

browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.downloads.remote.enabled = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.safebrowsing.blockedURIs.enabled = false

Child Tickets

Change History (12)

comment:1 Changed 3 years ago by cypherpunks

enabled? o_0

comment:2 Changed 3 years ago by gk

Description: modified (diff)
Summary: Make sure safebrowsing is still enabled in ESR 52Make sure safebrowsing is still disabled in ESR 52

No, I meant "disabled", thanks.

comment:3 Changed 3 years ago by tokotoko

Cc: fdsfgs@… added

comment:4 Changed 3 years ago by cypherpunks

Keywords: tbb-proxy-bypass added

Here is what violates proxy obedience! See ticket:11254#comment:8

browser.safebrowsing.downloads.enabled: enables application reputation checks for downloaded files
browser.safebrowsing.downloads.remote.enabled: enables remote lookups (requires the previous pref)

https://wiki.mozilla.org/Security/Download_Protection

comment:5 Changed 3 years ago by cypherpunks

Priority: MediumHigh
Severity: NormalMajor
Status: newneeds_information

https://bugzilla.mozilla.org/show_bug.cgi?id=134105#c154
Is that a joke or what?! Lamers from Mozilla say they can't reproduce DNS leaks anymore. So they are waiting for TTP to explain them what else needs to be fixed to resolve that 15 years old bug!

comment:6 Changed 3 years ago by gk

Keywords: tbb-7.0-must added

More tickets for 7.0.

comment:7 Changed 3 years ago by gk

Keywords: tbb-7.0-must-alpha added; tbb-7.0-must removed

Getting more tickets on our alpha radar.

comment:8 Changed 3 years ago by cypherpunks

F*ck! This crap makes local DNS requests even if all prefs are disabled!

comment:9 Changed 3 years ago by gk

The value of browser.safebrowsing.provider.mozilla.updateURL is visible in my logs.

comment:10 Changed 3 years ago by gk

Keywords: TorBrowserTeam201705R added
Status: needs_informationneeds_review

bug_21683 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_21683&id=92aaa8dfa72ddafc2a83e28863ecab3204b3a913) has a patch for review. I set the URLs to "" as a defense in depth.

comment:11 Changed 3 years ago by mcs

r=brade, r=mcs
Looks good to us. We also saw the following URL-based prefs but maybe they are only used for secondary queries?

browser.safebrowsing.provider.google.gethashURL
browser.safebrowsing.provider.google4.gethashURL
browser.safebrowsing.provider.mozilla.gethashURL

comment:12 in reply to:  11 Changed 3 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Replying to mcs:

r=brade, r=mcs
Looks good to us. We also saw the following URL-based prefs but maybe they are only used for secondary queries?

browser.safebrowsing.provider.google.gethashURL
browser.safebrowsing.provider.google4.gethashURL
browser.safebrowsing.provider.mozilla.gethashURL

I think so. But, however, I set them to "" as well in commit e6b28367e061f9b6912c3b150383255bdff0ef5c tor-browser-52.1.0esr-7.0-2 as this makes things more clear and doesn't hurt.

Note: See TracTickets for help on using tickets.