Resource URI Leak!
https://browserleaks.com/firefox
re/gre/greprefs.js is leaking! Include https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/ to TBB!
Activity
Try latest TB on Windows, then go to https://browserleaks.com/firefox . What I see is this:
Summary Platform Detection
Default Preferences Filename Items Hash
(No script = allow only browserleaks.com)
And here's a report of MozillaFirefox+ADDON(above);
Summary Platform Detection × No Default Locale × No Update Locale × No Tor Browser × No Firefox Build Firefox Official Build × No Firefox Release Build × No Firefox ESR Channel × No Firefox Beta Channel × No Firefox Developer Edition × No Firefox Nightly Build × No Firefox GTK Build × No PDF.js × No Default Preferences Filename Items Hash × firefox.js – – × firefox-branding.js – – × firefox-l10n.js – – × webide-prefs.js – – × greprefs.js – – × services-sync.js – – × 000-tor-browser.js – – Total – –
============ Summary: Tor Browser should include this add-on to internal level to eliminate all data reading.
-
Install TBB on a fresh Windows.
-
COnnect to Tor(1st time).
-
When the TBB opened, go to add-ons and disable 2 Tor Addons.
-
Close TBB.
-
Open TBB's firefox.exe
-
"about:preferences#advanced" -> Network -> Settings. Set a Tor proxy(in my case, my own tor hosted on network). (by the way, many people use my method to use their own proxy such as Privoxy)
-
Visit some .onion to make sure Tor is working.
-
Then, try test above.
@cypherpunks "about:config -> extensions.torbutton.resource_and_chrome_uri_fingerprinting" Above name is not found on my config. ...Should I add this name:value pair? But where is this documented?
-
extensions.torbutton.
Hmm, since I don't use "TorButton"(because I use my network's Tor), this addon can't help me.
Suggestion:
- Can you split the torbutton to "tor info button"(which I'll disable) and "tor security"(which I'll keep, doesn't interfere with tor.exe)?
- Or add this config to TBB's firefox directly.
Tor Browser with ADDON:
Summary Platform Detection × No Default Locale × No Update Locale × No Tor Browser × No Firefox Build Firefox Official Build × No Firefox Release Build × No Firefox ESR Channel × No Firefox Beta Channel × No Firefox Developer Edition × No Firefox Nightly Build × No Firefox GTK Build × No PDF.js × No Default Preferences Filename Items Hash × firefox.js – – × firefox-branding.js – – × firefox-l10n.js – – × webide-prefs.js – – × greprefs.js – – × services-sync.js – – × 000-tor-browser.js – – Total – –
Hell yeah!
Ah, you are not using Tor Browser. So, this is not a Tor Browser bug then. Our defense against URI leaks is currently implemented in Torbutton. That said you can still use Torbutton and point your Tor Browser to a different Tor instance.
Trac:
Resolution: N/A to invalid
Status: needs_revision to closedOk I enabled "Tor Button" and restart the browser. It now greets me with "Unable to find the proxy server".
I've look at network settings. My proxy settings are there, but TB stopped using it anymore.
That's why I had to disable it to use other Tor proxy. Do you understand?
"Tor Button" - Security = High.
"Tor Button" could split into two.
- "Tor Button" to control Tor
- "Tor Security" to enahance/configure extra security
-
Replying to cypherpunks:
Ok I enabled "Tor Button" and restart the browser. It now greets me with "Unable to find the proxy server".
I've look at network settings. My proxy settings are there, but TB stopped using it anymore.
That's why I had to disable it to use other Tor proxy. Do you understand?
I think so. But then this is a different bug and you should figure out what's wrong with the non-standard Tor Browser configuration. If you believe that's because of a bug please file a different ticket.
"Tor Button" - Security = High.
"Tor Button" could split into two.
- "Tor Button" to control Tor
- "Tor Security" to enahance/configure extra security
Torbutton is not starting/stopping Tor the controller in the browser is Tor Launcher.
Trac:
Resolution: N/A to invalid
Status: reopened to closed