Opened 8 months ago

Closed 7 weeks ago

Last modified 4 weeks ago

#25405 closed defect (fixed)

cannot use Moat if a meek bridge is configured

Reported by: mcs Owned by: brade
Priority: Medium Milestone:
Component: Applications/Tor Launcher Version:
Severity: Normal Keywords: TorBrowserTeam201808R, tbb-backport
Cc: brade, gk, dcf Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor4

Description

If Tor Browser is configured to use a meek transport (e.g., meek-amazon or meek-azure), the Moat interface cannot be used to request bridges from BridgeDB. The root cause is that Tor Launcher's Moat implementation uses the same meek client programs and configuration as the built-in meek bridges use, which means when Moat starts up it starts an "invisible" firefox that tries to use the profile.meek-http-helper profile (which is already in use).

Ideas for fixing this (from ticket:23136#comment:55):
a) Use a separate browser profile for the meek browser when it is used for Moat (this requires a fix for #12716 and possibly other things inside meek-client-torbrowser).
b) Give up on using the secondary browser and use meek-client to obfs4proxy's meek_lite mode for Moat. This has the downside that the TLS fingerprint will not match Firefox's when doing Moat).
c) Modify Tor Launcher to kill the tor daemon before using Moat. But this might have undesirable side effects because some other part of the browser may be using the Tor network (e.g., for a file download). Also, while Tor Launcher knows how to restart tor if it is killed, it might be difficult to make sure we kill and restart tor in a robust fashion when we are in the middle of configuring settings.

Kathy and I are currently in favor of pursuing a) but could be convinced to do something else.

Child Tickets

Attachments (1)

0001-Bug-25405-cannot-use-Moat-if-a-meek-bridge-is-config.patch (1.6 KB) - added by mcs 7 months ago.
tor-browser-build patch

Download all attachments as: .zip

Change History (13)

Changed 7 months ago by mcs

tor-browser-build patch

comment:1 Changed 7 months ago by mcs

Cc: dcf added
Keywords: TorBrowser201803R added

Kathy and I created a fix that implements option (a) "use a separate browser profile for the meek http helper browser when it is used for Moat." It requires three patches:

  1. A small enhancement to meek-client-torbrowser to allow use of a different http helper browser profile: https://gitweb.torproject.org/user/brade/meek.git/commit/?h=bug25405-01&id=6a70f67dd895d1b9124a08dac06e0cba1b7a30bb
  2. Changes to Tor Launcher to pass the correct path for a new moat-specific profile: https://gitweb.torproject.org/user/brade/tor-launcher.git/commit/?h=bug25405-01&id=2861a871b6d47d257b5ede41bf754144bfd34182
  3. Changes to tor-browser-build to include the moat profile on Windows and Linux (the meek-client-torbrowser code already knows to create it from a template on macOS). Since we don't yet have a tor-browser-build repo (one was requested in #25267), I added this patch as an attachment (0001-Bug-25405-cannot-use-Moat-if-a-meek-bridge-is-config.patch).

comment:2 Changed 7 months ago by gk

Keywords: TorBrowserTeam201803R added; TorBrowser201803R removed

comment:3 Changed 7 months ago by gk

Looks good to me. I'll wait for dcf to ack the meek part and then do a final round of testing.

comment:4 Changed 7 months ago by gk

Keywords: TorBrowserTeam201804R added; TorBrowserTeam201803R removed

Moving reviews to April 2018

comment:5 Changed 7 months ago by gk

Status: newneeds_review

comment:6 Changed 6 months ago by gk

Keywords: TorBrowserTeam201805R added; TorBrowserTeam201804R removed

Moving review tickets to May.

comment:7 Changed 5 months ago by gk

Keywords: TorBrowserTeam201806R added; TorBrowserTeam201805R removed

Moving review tickets to June.

comment:8 Changed 4 months ago by gk

Keywords: TorBrowserTeam201807R added; TorBrowserTeam201806R removed

Moving reviews to July.

comment:9 in reply to:  3 Changed 3 months ago by dcf

Replying to gk:

Looks good to me. I'll wait for dcf to ack the meek part and then do a final round of testing.

I slightly refactored the logic and merged the meek-client-torbrowser patch.
https://gitweb.torproject.org/pluggable-transports/meek.git/diff/?id=488084d89003c524c84e05a2c89917351899b602&id2=502001aed9e40f79807b913b02ea82f7c381e47d

comment:10 Changed 3 months ago by gk

Keywords: TorBrowserTeam201808R added; TorBrowserTeam201807R removed

comment:11 Changed 7 weeks ago by gk

Resolution: fixed
Status: needs_reviewclosed

Looks good to me. We'll test that in 8.5a1. I cherry-picked both patches and they landed on master as commit a5791ec33537b5efefb5c64c240e48d9ce1c8721 (tor-launcher) and commit f237614a4a08f3fa575cb06f0cdd69006a117b8f (tor-browser-build).

comment:12 Changed 4 weeks ago by gk

Keywords: tbb-backport added
Note: See TracTickets for help on using tickets.