Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#23127 closed defect (invalid)

Resource URI Leak!

Reported by: cypherpunks
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Change History (15)

comment:1 Changed 3 years ago by gk

Status: new → needs_information

How can I reproduce this? I just took a clean Tor Browser on Linux and there are no leaks visible on the browserleaks website.

comment:2 Changed 3 years ago by cypherpunks

Try latest TB on Windows, then go to https://browserleaks.com/firefox.
What I see is this:

Summary
Platform Detection ✔Windows
Default Locale ✔ en-US – English (US)
Update Locale × No
Tor Browser ✔7.0.2
Firefox Build
Firefox Official Build × No
Firefox Release Build ✔ Yes
Firefox ESR Channel × No
Firefox Beta Channel × No
Firefox Developer Edition × No
Firefox Nightly Build × No
Firefox GTK Build × No
PDF.js × No

Default Preferences
Filename Items Hash
✔ firefox.js 581 XX
✔ firefox-branding.js 11 XX
✔ firefox-l10n.js 2 XX
✔ webide-prefs.js 25 XX
✔ greprefs.js 1912 XX
✔ 000-tor-browser.js 224 XX
× 000-tor-browser.js – –
Total 2755 XX

(No script = allow only browserleaks.com)

comment:3 Changed 3 years ago by cypherpunks

And here's a report of MozillaFirefox+ADDON(above);

Summary
Platform Detection × No
Default Locale × No
Update Locale × No
Tor Browser × No
Firefox Build
Firefox Official Build × No
Firefox Release Build × No
Firefox ESR Channel × No
Firefox Beta Channel × No
Firefox Developer Edition × No
Firefox Nightly Build × No
Firefox GTK Build × No
PDF.js × No
Default Preferences
Filename Items Hash
× firefox.js – –
× firefox-branding.js – –
× firefox-l10n.js – –
× webide-prefs.js – –
× greprefs.js – –
× services-sync.js – –
× 000-tor-browser.js – –
Total – –

============
Summary:
Tor Browser should include this add-on to internal level to eliminate all data reading.

comment:4 Changed 3 years ago by cypherpunks

ADDON settings.

Block access to resource:// CHECKED
Block web-exposed chrome:// CHECKED
Uniformly filter redir CHECKED

Exposed res:// EMPTY
Exposed chr:// EMPTY

Restrict about: CHECKED
Enable debug: NOT CHECKED

Update button: PRESSED

comment:5 Changed 3 years ago by cypherpunks

Set extensions.torbutton.resource_and_chrome_uri_fingerprinting to true and now spamming this?

comment:6 Changed 3 years ago by cypherpunks

  1. Install TBB on a fresh Windows.
  2. Connect to Tor (1st time).
  3. When the TBB opened, go to add-ons and disable 2 Tor Addons.
  4. Close TBB.
  1. Open TBB's firefox.exe
  2. "about:preferences#advanced" -> Network -> Settings.

Set a Tor proxy(in my case, my own tor hosted on network).
(by the way, many people use my method to use their own proxy such as Privoxy)

  1. Visit some .onion to make sure Tor is working.
  2. Then, try test above.

@cypherpunks
"about:config -> extensions.torbutton.resource_and_chrome_uri_fingerprinting"
Above name is not found on my config.
...Should I add this name:value pair? But where is this documented?

Last edited 3 years ago by cypherpunks

comment:7 Changed 3 years ago by cypherpunks

extensions.torbutton.

Hmm, since I don't use "TorButton"(because I use my network's Tor), this addon can't help me.

Suggestion:

  1. Can you split the torbutton to "tor info button"(which I'll disable) and "tor security"(which I'll keep, doesn't interfere with tor.exe)?
  2. Or add this config to TBB's firefox directly.

comment:8 Changed 3 years ago by cypherpunks

Tor Browser with ADDON:

Summary
Platform Detection × No
Default Locale × No
Update Locale × No
Tor Browser × No
Firefox Build
Firefox Official Build × No
Firefox Release Build × No
Firefox ESR Channel × No
Firefox Beta Channel × No
Firefox Developer Edition × No
Firefox Nightly Build × No
Firefox GTK Build × No
PDF.js × No
Default Preferences
Filename Items Hash
× firefox.js – –
× firefox-branding.js – –
× firefox-l10n.js – –
× webide-prefs.js – –
× greprefs.js – –
× services-sync.js – –
× 000-tor-browser.js – –
Total – –

Hell yeah!

comment:9 Changed 3 years ago by cypherpunks

Status: needs_information → needs_revision

comment:10 Changed 3 years ago by gk

Resolution: invalid
Status: needs_revision → closed

Ah, you are not using Tor Browser. So, this is not a Tor Browser bug then. Our defense against URI leaks is currently implemented in Torbutton. That said, you can still use Torbutton and point your Tor Browser to a different Tor instance.

comment:11 Changed 3 years ago by cypherpunks

Resolution: invalid
Status: closed → reopened

Did you try the above step? If you enable TorButton, Tor Browser simply won't run.

comment:12 Changed 3 years ago by cypherpunks

And I'm TBB user since v6. I am using Tor Browser.

comment:13 Changed 3 years ago by cypherpunks

Ok I enabled "Tor Button" and restarted the browser.
It now greets me with "Unable to find the proxy server".

I've looked at the network settings. My proxy settings are there, but TB stopped using them.

That's why I had to disable it to use other Tor proxy. Do you understand?

"Tor Button" - Security = High.

"Tor Button" could be split into two.

  1. "Tor Button" to control Tor
  2. "Tor Security" to enhance/configure extra security

comment:14 in reply to:  13 Changed 3 years ago by gk

Resolution: invalid
Status: reopened → closed

Replying to cypherpunks:

> Ok I enabled "Tor Button" and restarted the browser.
> It now greets me with "Unable to find the proxy server".
>
> I've looked at the network settings. My proxy settings are there, but TB stopped using them.
>
> That's why I had to disable it to use other Tor proxy. Do you understand?

I think so. But then this is a different bug and you should figure out what's wrong with the non-standard Tor Browser configuration. If you believe that's because of a bug please file a different ticket.

> "Tor Button" - Security = High.
>
> "Tor Button" could be split into two.
>
>   1. "Tor Button" to control Tor
>   2. "Tor Security" to enhance/configure extra security

Torbutton is not starting/stopping Tor; the controller in the browser is Tor Launcher.
