Patrick McManus wrote a patch for using Alternate Service with SOCKS that landed in Firefox 62 (https://bugzilla.mozilla.org/show_bug.cgi?id=1463509). This would be useful for us, especially for AltSvc onions. So we'd like to backport it to ESR60. Turning this on will require completing our audit of HTTP2, and of the AltSvc mechanism in particular, to make sure it respects FPI.
Looks good. Cherry-picked to tor-browser-60.0.1esr-8.0-1 as commit 8a68f975ee5faa39efa26a79062476ab50dd18ab. It will show up in tomorrow's nightly at http://f4amtbsowhix7rrf.onion/tor-browser-builds/. Note, there are still prefs to be flipped to enable it as we are currently auditing both HTTP/2 and Alt-Svc for tracking risks and they are therefore disabled. In particular you'll want to flip network.http.altsvc.enabled and maybe network.http.altsvc.oe, too. The HTTP/2 related pref is network.http.spdy.enabled.http2.
Trac: Keywords: N/A deleted, TorBrowserTeam201806R added; Status: new to closed; Resolution: N/A to fixed
both tabs loaded at the same time, perfectoid.space showing alt-gcloud and the .onion showing 400 Bad Request, both as expected.
Afterwards I did not get any CAPTCHAs even after multiple refreshes (with alt-svc disabled, I would still get CAPTCHAs after every few refreshes).
My guess is that Tor Browser doesn't realize it needs to make a circuit to an onion service if the .onion name is in the Alt-Svc rather than the URL.
Is there a ticket following HTTP/2 and Alt-Svc audits?
I'm also curious why network.http.spdy.enabled.http2draft is still there and since the Alt-Svc logs are different from Firefox ESR60, I suspect the HTTP/2 and Alt-Svc code is outdated.
You mean it showed gcloud, right? And not alt-gcloud. Because testing with the latest edition of Firefox nightly that's what I get.
Sorry about the radio silence. I didn't get a notification about your comment.
You're right, sorry about the confusion. Try https://perfectoid.space:8443/ and you'll see "alt-gocloud" first (using exit node), and after that you'll see "alt-gobad" (using onion service).
After I posted my comment I slightly modified the config so that both :443 and :8443 give Alt-Svc to my onion service on their respective ports, but :443 redirects that request to a Cloudflare server (hence displaying the original "gcloud", but still through the onion service), while :8443 serves "alt-gobad".
The :443 port demonstrates the complete onion alt-svc idea: the final result is the same, but safer and ideally faster, whereas :8443 is a proof that the route has changed.
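The configuration described above reaches the client as an Alt-Svc response header (RFC 7838). As an added example, not code from this ticket or from Tor Browser, the following parses such a header value and flags alternatives whose host is a .onion name, which is the case the audit has to reason about. The function name, header value, origin host and onion name are constructed placeholders.

```python
import re

# One alternative: protocol-id="[host]:port" followed by optional ";name=value" parameters.
_ALT = re.compile(r'\s*([^\s=,;"]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)\s*')
DEFAULT_MA = 86400  # RFC 7838: freshness defaults to 24 hours when "ma" is absent

def parse_alt_svc(value, origin_host):
    """Parse an Alt-Svc field value into a list of alternative services."""
    value = value.strip()
    if value.lower() == "clear":          # "clear" invalidates all cached alternatives
        return []
    services, pos = [], 0
    while pos < len(value):
        m = _ALT.match(value, pos)
        if not m:
            raise ValueError(f"malformed Alt-Svc entry at offset {pos}")
        proto, authority, raw_params = m.groups()
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad alt-authority: {authority!r}")
        params = {}
        for item in raw_params.split(";"):
            name, _, val = item.partition("=")
            if name.strip():
                params[name.strip().lower()] = val.strip().strip('"')
        ma = params.get("ma", "")
        host = host or origin_host        # empty host means "same host as the origin"
        services.append({
            "protocol": proto,
            "host": host,
            "port": int(port),
            "max_age": int(ma) if ma.isdigit() else DEFAULT_MA,
            "persist": params.get("persist") == "1",
            "onion": host.lower().rstrip(".").endswith(".onion"),
        })
        pos = m.end()
        if pos < len(value):
            if value[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}")
            pos += 1
    return services

# Constructed header value; the onion name is a placeholder, not the one used in this ticket.
SAMPLE = 'h2="placeholderonionaddress.onion:8443"; ma=3600; persist=1, h2=":443"; ma=60'

if __name__ == "__main__":
    for svc in parse_alt_svc(SAMPLE, "site.example"):
        print(svc)
```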
Mahrud: Could you double-check whether https://perfectoid.space:8443/ works for you? I tried the latest Firefox beta and nightly and got a "Secure Connection Failed" error.