Opened 9 years ago

Closed 8 years ago

#2285 closed defect (fixed)

check.tpo should inform TBB users if they are out of date

Reported by: rransom Owned by: mikeperry
Priority: High Milestone: TorBrowserBundle 2.2.x-stable
Component: Applications/Tor Check Version:
Severity: Keywords: MikePerryIteration20111023
Cc: erinn, arma, Sebastian, aagbsn@… Actual Points: 6
Parent ID: Points: 6
Reviewer: Sponsor:

Description

check.torproject.org should list the current versions of all major Tor Project software packages, especially Tor Browser Bundle.

It should also list the release dates of current packages.

Child Tickets

Attachments (3)

2285-tbb-updates-on-check-tpo.patch (3.7 KB) - added by aagbsn 8 years ago.
Provide update notifications in conjunction with TBB and for older versions of TBB
2285-tbb-updates-on-check-tpo_patch1.patch (3.7 KB) - added by aagbsn 8 years ago.
small=1 behaves like uptodate=1
2285-tbb-updates-on-check-tpo_patch2.patch (3.7 KB) - added by aagbsn 8 years ago.
small=1 behaves like uptodate=0


Change History (39)

comment:1 Changed 9 years ago by ioerror

I'm not sure why we should do this or who will keep it updated.

comment:2 in reply to:  1 ; Changed 9 years ago by rransom

Replying to ioerror:

I'm not sure why we should do this or who will keep it updated.

We should do this because we have no other way to inform users of current and old versions of TBB that a newer version is available.

comment:3 in reply to:  2 ; Changed 8 years ago by mikeperry

Parent ID: #2880

Replying to rransom:

Replying to ioerror:

I'm not sure why we should do this or who will keep it updated.

We should do this because we have no other way to inform users of current and old versions of TBB that a newer version is available.

Instead of a huge list that no one will ever read or even look at, we could pass a version to check.tp.o from TBB, since it is the home page of TBB. Then the verbiage on check.tp.o can still remain concise, perhaps simply displaying an orange onion if your version is out of date.

comment:4 in reply to:  3 ; Changed 8 years ago by rransom

Replying to mikeperry:

Instead of a huge list that no one will ever read or even look at, we could pass a version to check.tp.o from TBB, since it is the home page of TBB. Then the verbiage on check.tp.o can still remain concise, perhaps simply displaying an orange onion if your version is out of date.

That won't work for users of existing TBBs, and it gives check.tpo the ability to log more detailed information about users. We don't want to give whoever controls the check.torproject.org domain name and can get an SSL certificate for it that Firefox will accept the ability to collect that information.

comment:5 in reply to:  4 Changed 8 years ago by mikeperry

Replying to rransom:

Replying to mikeperry:

Instead of a huge list that no one will ever read or even look at, we could pass a version to check.tp.o from TBB, since it is the home page of TBB. Then the verbiage on check.tp.o can still remain concise, perhaps simply displaying an orange onion if your version is out of date.

That won't work for users of existing TBBs, and it gives check.tpo the ability to log more detailed information about users. We don't want to give whoever controls the check.torproject.org domain name and can get an SSL certificate for it that Firefox will accept the ability to collect that information.

I really don't think we're going to get any significant number of upgrades out of this unless the page is significantly different when the version is out of date. I think realistically the number of upgrades even from a scary-colored check.tp.o page will be much less than what we'll get from an apt repo or from thandy.

Also, I don't see how there is significant risk exposure from telling the Tor Project (and SSL MITMs) your software version. You've already done that when you downloaded it using the same SSL cert trust model.. Can you go into more detail on the attack vector here?

Since this is a stop-gap solution until thandy is deployed, I don't think we should make best the enemy of better.

comment:6 in reply to:  3 ; Changed 8 years ago by arma

Replying to mikeperry:

Replying to rransom:

We should do this because we have no other way to inform users of current and old versions of TBB that a newer version is available.

Instead of a huge list that no one will ever read or even look at, we could pass a version to check.tp.o from TBB, since it is the home page of TBB. Then the verbiage on check.tp.o can still remain concise, perhaps simply displaying an orange onion if your version is out of date.

Right, the way noscript passes its version in to the web page it loads so it can either tell you the new features of your new version or "you aren't running the newest version". I agree that it's not a perfect solution, but I think it would work as the stop-gap Mike hopes for.

I also wouldn't object to putting a 'latest TBB version' number on the check page. We can already distinguish TBB requests I believe (is this true?), so we could put it just for them. We could even tell every TBB request that doesn't specify a version that it is out of date.

comment:7 in reply to:  6 Changed 8 years ago by mikeperry

Replying to arma:

Replying to mikeperry:

Replying to rransom:

We should do this because we have no other way to inform users of current and old versions of TBB that a newer version is available.

Instead of a huge list that no one will ever read or even look at, we could pass a version to check.tp.o from TBB, since it is the home page of TBB. Then the verbiage on check.tp.o can still remain concise, perhaps simply displaying an orange onion if your version is out of date.

Right, the way noscript passes its version in to the web page it loads so it can either tell you the new features of your new version or "you aren't running the newest version". I agree that it's not a perfect solution, but I think it would work as the stop-gap Mike hopes for.

I also wouldn't object to putting a 'latest TBB version' number on the check page. We can already distinguish TBB requests I believe (is this true?), so we could put it just for them. We could even tell every TBB request that doesn't specify a version that it is out of date.

We can actually also use Torbutton to implement this better than actually passing the version. On browser startup, it could fetch the recommended version list from check and actually have the browser fetch the yellow page if the version wasn't recommended rather than telling the server the version number explicitly. This may not be substantially better if you don't trust the server.. The yellow page would still be the target for exploit payloads, but at least you wouldn't have an exact version number.

This may also make it easier to go the automatic toggle solution at startup, improving the situation for #2338.

comment:8 Changed 8 years ago by phobos

Owner: changed from nickm to phobos

taking these tickets now that jeremy is doing a rewrite of the html display of check.tpo

comment:9 Changed 8 years ago by mikeperry

See #3337 for the Torbutton piece of this.

comment:10 Changed 8 years ago by mikeperry

I am wondering if we should make the default url for check.torproject.org give the yellow-themed page suggesting a recent Tor Browser Bundle. After we implement #3337, anyone hitting just the front page of check will probably be using an unrecommended browser configuration.

It would be better if we could send them to ip-check.info or something, though.

comment:11 in reply to:  10 ; Changed 8 years ago by arma

Owner: changed from phobos to arma
Status: new → accepted

Replying to mikeperry:

I am wondering if we should make the default url for check.torproject.org give the yellow-themed page suggesting a recent Tor Browser Bundle. After we implement #3337, anyone hitting just the front page of check will probably be using an unrecommended browser configuration.

Good idea. That said, we should give people a little while with the updated version out before we switch the default background.

Also, we will want to think twice about the situation where the user types in check.torproject.org because she finds some instructions on the web to do so, and it tells her to upgrade, when she's actually using the newest TBB but she didn't append the ReportVersions param to the url she typed in.

It would be better if we could send them to ip-check.info or something, though.

Why's that?

comment:12 Changed 8 years ago by arma

Owner: arma deleted
Status: accepted → assigned

comment:13 Changed 8 years ago by arma

Owner: set to phobos

comment:14 in reply to:  11 Changed 8 years ago by mikeperry

Replying to arma:

Good idea. That said, we should give people a little while with the updated version out before we switch the default background.

Also, we will want to think twice about the situation where the user types in check.torproject.org because she finds some instructions on the web to do so, and it tells her to upgrade, when she's actually using the newest TBB but she didn't append the ReportVersions param to the url she typed in.

Hrmm. Perhaps. Maybe we could make the front page respond to our user agent for this case? It won't be long before not too many people are running "Firefox 4.0". Soon they'll upgrade past that. If they do, they'll probably be running the wrong browser. If they claim to be IE or something similar, they definitely will be running the wrong browser.

It would be better if we could send them to ip-check.info or something, though.

Why's that?

Mostly because we can't port Torbutton to Firefox Mobile for Android (because Firefox Mobile decided to break all of the XPCOM APIs we need). However, so long as plugins aren't installed, and so long as users are using Firefox as their dedicated Tor browser, they aren't too bad off on Android. These two properties make things a bit better than the Desktop, as mobile devices tend to be less fingerprintable overall. However, there still are issues if the user never clears cookies, etc.. So maybe we should still warn them.

comment:15 Changed 8 years ago by phobos

Does this design change if we add in Tails versions to the mix?

comment:16 in reply to:  15 ; Changed 8 years ago by mikeperry

Replying to phobos:

Does this design change if we add in Tails versions to the mix?

Hrmm.. It depends on what the tails people want. If they are shipping TorBrowser + some tails mods, they can just use the detection as-is. But maybe they want the ability to tell users their software is too old independent of Tor Browser's version.

comment:17 Changed 8 years ago by mikeperry

Created #3504 for the build eng side of this.

comment:18 in reply to:  16 Changed 8 years ago by mikeperry

Replying to mikeperry:

Replying to phobos:

Does this design change if we add in Tails versions to the mix?

Hrmm.. It depends on what the tails people want. If they are shipping TorBrowser + some tails mods, they can just use the detection as-is. But maybe they want the ability to tell users their software is too old independent of Tor Browser's version.

Turns out the Tails people are a step ahead of us here:
09:42 < anonym> mikeperry: FYI, Tails already has a built-in notification system w.r.t. versions -- if you run an out-dated version of Tails a pop-up will list the vulnerabilities of that version and recommend upgrading

comment:19 Changed 8 years ago by mikeperry

Milestone: Tor Check Enhancements → TorBrowserBundle 2.2.x-stable
Type: enhancement → defect

comment:20 Changed 8 years ago by mikeperry

Keywords: Bounty added

This is very important. We may not actually want to block on the Bounty system to do it, but adding the keyword in case that is the only way it will get done.

comment:21 Changed 8 years ago by mikeperry

Parent ID: #2880

comment:22 Changed 8 years ago by mikeperry

Note to self: Torbutton also needs to do an XMLHTTPRequest of this page if the user has changed their TBB homepage to something other than check.

comment:23 Changed 8 years ago by phobos

My most basic question is, do users know what version they have?

Finding a TBB version is difficult for all I've asked. They all eventually find either the original file they downloaded which has some sort of a version, or they find Vidalia's About page and wonder which one is the TBB version.

comment:24 in reply to:  23 Changed 8 years ago by mikeperry

Replying to phobos:

My most basic question is, do users know what version they have?

Finding a TBB version is difficult for all I've asked. They all eventually find either the original file they downloaded which has some sort of a version, or they find Vidalia's About page and wonder which one is the TBB version.

What if we constructed a URL based on this XMLHTTPRequest and directly gave it to the user? The XMLHTTPRequest could provide a base directory, version, and file suffix. It could also provide a gettor request subject. Torbutton could then display both options to the user in a XUL dialog.

Alternatively (and possibly safer, and more robust in the face of change), torbutton could just load a generic "You are out of date" page after it does the version checking magic. The "You are out of date" page would then have links to the latest TBB version.

comment:25 Changed 8 years ago by mikeperry

Cc: erinn arma added

Ok, I think I have a plan here that should cover all of the above comments.

Backwards compatible upgrade notification plan:
We change TBB (via torbutton) to first fetch the recommended versions from check as an XML document, perhaps via https://check.torproject.org/?GetRecommendedVersions. If Torbutton sees that the user's TBB is present in this list, it fetches a normal check.torproject.org page, possibly https://www.check.torproject.org/?needupdate=false&lang=LANG. However, if Torbutton doesn't see the current TBB version in the list of recommended versions, it fetches https://check.torproject.org/?needupdate=true&lang=LANG.

Since current TBB fetches https://check.torproject.org/?small=1&lang=LANG, we can notify old TBB users that they need to upgrade by simply redirecting the "small=1" version of the page to the "needupdate=true" page. This way, we can get those old (and almost certainly vulnerable to firefox exploits by now, for any value of "now") users to upgrade, too.

If the user enters check.torproject.org themselves without any params, it will behave as it does now, without any upgrade recommendations. This avoids the concerns arma had about training the user to go to a url that tells them to install more random software.

Sound like a plan?

All we need to get started on this is a way to pull the version list produced by #3504.

comment:26 Changed 8 years ago by mikeperry

Cc: Sebastian added

Ok, I simplified this a bit more and implemented #3337 in origin/master of Torbutton.

Torbutton fetches the url https://check.torproject.org/RecommendedTBBVersions at TBB startup. It expects that file to be a JSON list of TBB versions. See http://fscked.org/transient/torbutton/versions for an example. That file does not have to be served by the web service, it can just exist on disk and get updated via cron or something.

If the TBB version is in that list, torbutton will fetch:
https://check.torproject.org/?lang=LANG&small=1&uptodate=1

If the TBB version is not in that list, torbutton will fetch:
https://check.torproject.org/?lang=LANG&small=1&uptodate=0

The service should display the uptodate=0 version of the page if small=1 is present, but the uptodate parameter is missing, to encourage super-retro TBB users to upgrade.

The uptodate=0 version of the page should be visually different (yellow text?) from the uptodate=1 version. It should contain a link to the proper localized version of https://www.torproject.org/projects/torbrowser.html.en.

Note the fun juggling we will have to do with converting the TBB locale string into the website locale string for the link to the torbrowser page. Perhaps splitting off the country code is enough in all cases, but who knows.

Also, perhaps we should keep the message as simple as possible so we can populate the translations with google translate? Or is that just too crazy?
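The client-side half of the scheme in comment:26, written out as an added Python example (this is not Torbutton's code, which is a Firefox extension; the names `parse_recommended_versions`, `build_check_url` and `website_locale` are mine). It takes the RecommendedTBBVersions document as a JSON list of version strings, decides whether the running TBB version is in it, builds the `lang=LANG&small=1&uptodate=N` URL that Torbutton is described as fetching, and, for the localized torbrowser.html link, applies the "split off the country code" guess from the comment, which is an assumption rather than anything the ticket settles. The sample version list is constructed for the example.

```python
import json
from urllib.parse import urlencode

CHECK_URL = "https://check.torproject.org/"
TORBROWSER_PAGE = "https://www.torproject.org/projects/torbrowser.html"

# Constructed sample of what RecommendedTBBVersions is expected to contain:
# a JSON list of TBB version strings. Not a real published list.
SAMPLE_RECOMMENDED = '["2.2.32-3", "2.2.32-4"]'


def parse_recommended_versions(text):
    """Parse the RecommendedTBBVersions document.

    The ticket only says it is "a JSON list of TBB versions", so anything
    else (an object, a list with non-strings) is rejected rather than
    silently treated as "no recommended versions".
    """
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(v, str) for v in data):
        raise ValueError("RecommendedTBBVersions must be a JSON list of strings")
    return data


def is_up_to_date(tbb_version, recommended):
    """A version is current if it appears in the recommended list (exact match)."""
    return tbb_version in recommended


def build_check_url(tbb_version, recommended, lang):
    """Build the check.torproject.org URL Torbutton fetches at TBB startup.

    Only the boolean outcome of the comparison is sent, not the version itself,
    which is the privacy property mikeperry argued for in comment:7.
    """
    uptodate = "1" if is_up_to_date(tbb_version, recommended) else "0"
    params = [("lang", lang), ("small", "1"), ("uptodate", uptodate)]
    return CHECK_URL + "?" + urlencode(params)


def website_locale(tbb_locale):
    """Map a TBB locale string to the website's locale suffix.

    Assumption (the comment only speculates): dropping the country code is
    enough, so "de-DE" and "zh_CN" become "de" and "zh".
    """
    return tbb_locale.replace("_", "-").split("-", 1)[0].lower()


def torbrowser_link(tbb_locale):
    """Localized link for the uptodate=0 page, e.g. .../torbrowser.html.en."""
    return f"{TORBROWSER_PAGE}.{website_locale(tbb_locale)}"


if __name__ == "__main__":
    recommended = parse_recommended_versions(SAMPLE_RECOMMENDED)
    for version in ("2.2.32-4", "2.2.31-1"):
        print(version, "->", build_check_url(version, recommended, "de"))
    print(torbrowser_link("de-DE"))
```

Because the list is matched by exact string, a version such as "2.2.32-4" and a locally patched "2.2.32-4-custom" are different entries; that is the intended behaviour for the stop-gap described here, where only builds the project actually ships are recommended.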

comment:27 Changed 8 years ago by mikeperry

If you would like to test Torbutton origin/master from git, you should be able to install it into a TBB 2.2.32-2 or above and it will begin doing its magic. Set the about:config pref extensions.torbutton.versioncheck_url to the url of your testing service.

comment:28 Changed 8 years ago by Sebastian

We could also put the contents of the tbb versions file into a comment of the check website. That would mean even if the version check page gets blocked by fingerprinting it for example, that torbutton can still use that information to maybe reload the check page with the update warning or do otherwise

comment:29 in reply to:  28 Changed 8 years ago by mikeperry

Keywords: MikePerryIteration20110925 added; Bounty removed
Owner: changed from phobos to mikeperry
Points: 6

Replying to Sebastian:

We could also put the contents of the tbb versions file into a comment of the check website. That would mean even if the version check page gets blocked by fingerprinting it for example, that torbutton can still use that information to maybe reload the check page with the update warning or do otherwise

No offense, but I refuse to over-engineer this. Any real solutions will have to use thandy. Consider this solution a tourniquet + ice bath to stop the bleeding of a severed limb and preserve it until the hospital can actually save the patient.

comment:30 Changed 8 years ago by mikeperry

Keywords: MikePerryIteration20110925 removed

comment:31 Changed 8 years ago by aagbsn

Cc: aagbsn@… added

comment:32 Changed 8 years ago by mikeperry

aagbsn - https://check.extc.org/?small=1 should display the same page as https://check.extc.org/?small=1&uptodate=0. Looks like right now it displays https://check.extc.org/?small=1&uptodate=1

Really old TBB users (those using Torbuttons without #3337 implemented) will be fetching only small=1 with no uptodate parameter. We want them to get a notice to upgrade, too.

Changed 8 years ago by aagbsn

Provide update notifications in conjunction with TBB and for older versions of TBB

comment:33 Changed 8 years ago by mikeperry

aagbsn - Does torcheck have prefs? This morning I discovered #4161, which breaks the "small=1" => uptodate=0 case.

Can you split this into two patches, one that has "small=1" behave as if "uptodate=1" was set, and then a second one to fix it to behave as though "uptodate=0" was set?

We will apply the second patch once Torbutton 1.4.4 is released.
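The server-side rule from comment:32 and the two-stage rollout from comment:33, as an added Python example (this is not torcheck's code; `page_variant`, `safe_lang` and the `legacy_small_is_uptodate` flag are my names). It reads the query string and decides which of three pages to render: the plain page when `small=1` is absent (so a user who types the address by hand is never told to upgrade, per comment:25), the up-to-date page for `small=1&uptodate=1`, and the upgrade notice for `small=1&uptodate=0` as well as for a bare `small=1` from a Torbutton that predates #3337. The flag models the first of aagbsn's two patches, where `small=1` temporarily behaves like `uptodate=1` until Torbutton 1.4.4 is out. The `lang` value is checked against a small constructed allowlist before it is used to build the localized torbrowser link, so arbitrary input is never reflected into the page.

```python
from urllib.parse import parse_qs

# Constructed allowlist of website locales for the example; the real site's
# set of translations is not given on the ticket.
KNOWN_LOCALES = {"en", "de", "fr", "es", "zh"}
TORBROWSER_PAGE = "https://www.torproject.org/projects/torbrowser.html"


def _first(params, key):
    """First value of a repeated query parameter, or None if absent."""
    values = params.get(key)
    return values[0] if values else None


def page_variant(query_string, legacy_small_is_uptodate=False):
    """Choose the page to render: 'plain', 'uptodate' or 'needupdate'.

    legacy_small_is_uptodate=True reproduces the interim behaviour applied
    while old Torbuttons were still in the wild; the default is the final
    behaviour, where a bare small=1 gets the upgrade notice.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    if _first(params, "small") != "1":
        # No Torbutton marker at all: a hand-typed visit, no upgrade advice.
        return "plain"
    uptodate = _first(params, "uptodate")
    if uptodate == "1":
        return "uptodate"
    if uptodate == "0":
        return "needupdate"
    # small=1 with no usable uptodate value: a Torbutton without #3337.
    return "uptodate" if legacy_small_is_uptodate else "needupdate"


def safe_lang(query_string, default="en"):
    """Return the requested lang only if it is a known locale, else the default."""
    lang = _first(parse_qs(query_string), "lang")
    return lang if lang in KNOWN_LOCALES else default


def torbrowser_link(query_string):
    """Localized download link for the needupdate page, using a vetted locale."""
    return f"{TORBROWSER_PAGE}.{safe_lang(query_string)}"


if __name__ == "__main__":
    for qs in ("", "lang=en", "lang=de&small=1&uptodate=1",
               "lang=de&small=1&uptodate=0", "small=1"):
        print(repr(qs), "->", page_variant(qs), torbrowser_link(qs))
```

Keeping the three outcomes in one function makes the "small=1 but no uptodate" case an explicit branch that a unit test can pin down, which is exactly the case that #4161 is reported as having broken.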

comment:34 Changed 8 years ago by mikeperry

Summary: check.tpo should list current versions of Tor Project software → check.tpo should inform TBB users if they are out of date

Changed 8 years ago by aagbsn

small=1 behaves like uptodate=1

Changed 8 years ago by aagbsn

small=1 behaves like uptodate=0

comment:35 Changed 8 years ago by mikeperry

Keywords: MikePerryIteration20111023 added

comment:36 Changed 8 years ago by mikeperry

Actual Points: 6
Resolution: fixed
Status: assigned → closed

At long last, the witch is dead. aagbsn - thanks for the help.
