Backport AltSvc/SOCKS patch to ESR60
Patrick McManus wrote a patch for using Alternate Service with SOCKS that landed in Firefox 62 (https://bugzilla.mozilla.org/show_bug.cgi?id=1463509). This would be useful for us, especially for AltSvc onions. So we'd like to backport to ESR60. Turning this on will require completing our audit of HTTP2 and AltSvc mechanism in particular to make sure it respects FPI.
Activity
Backporting is a simple cherry-pick. Here it on top of our current tor-browser-60.0.1esr-8.0-1: https://github.com/arthuredelstein/tor-browser/commit/26365
Trac:
Keywords: N/A deleted, ff60-esr added
Looks good. Cherry-picked to
tor-browser-60.0.1esr-8.0-1as commit 8a68f975ee5faa39efa26a79062476ab50dd18ab. It will show up in tomorrow's nightly at http://f4amtbsowhix7rrf.onion/tor-browser-builds/. Note, there are still prefs to be flipped to enable it as we are currently auditing both HTTP/2 and Alt-Svc for tracking risks and they are therefore disabled. In particular you'll want to flipnetwork.http.altsvc.enabledand maybenetwork.http.altsvc.oe, too. The HTTP/2 related pref isnetwork.http.spdy.enabled.http2.Trac:
Keywords: N/A deleted, TorBrowserTeam201806R added
Status: new to closed
Resolution: N/A to fixed
I tested this with my experimental setup and it worked, except it didn't go quite smoothly. Here is what happened:
- enabled those flags.
- entered https://perfectoid.space/, which is supposed to return a .onion Alt-Svc.
- got CAPTCHA and solved it
- tab was stuck in loading state indefinitely
- entered the .onion address directly in a new tab
- both tabs loaded at the same time, perfectoid.space showing
alt-gcloudand the .onion showing 400 Bad Request, both as expected. - Afterwards I did not get any CAPTCHA's even after multiple refreshes (with alt-svc disabled, I would still get CAPTCHA's after every few refresh)
My guess is that Tor Browser doesn't realize it needs to make a circuit to an onion service if the .onion name is in the Alt-Svc rather than the URL.
Is there a ticket following HTTP/2 and Alt-Svc audits?
I'm also curious why
network.http.spdy.enabled.http2draftis still there and since the Alt-Svc logs are different from Firefox ESR60, I suspect the HTTP/2 and Alt-Svc code is outdated.Trac:
Username: mahrud-
Replying to mahrud:
I tested this with my experimental setup and it worked, except it didn't go quite smoothly. Here is what happened:
- enabled those flags.
- entered https://perfectoid.space/, which is supposed to return a .onion Alt-Svc.
- got CAPTCHA and solved it
- tab was stuck in loading state indefinitely
- entered the .onion address directly in a new tab
- both tabs loaded at the same time, perfectoid.space showing
alt-gcloudand the .onion showing 400 Bad Request, both as expected.
You mean it showed
gclound, right? And notalt-gcloud. Because testing with the latest edition of Firefox nightly that's what I get. -
Replying to gk:
You mean it showed
gclound, right? And notalt-gcloud. Because testing with the latest edition of Firefox nightly that's what I get.Sorry about the radio silence. I didn't get a notification about your comment.
You're right, sorry about the confusion. Try https://perfectoid.space:8443/ and you'll see "alt-gocloud" first (using exit node), and after that you'll see "alt-gobad" (using onion service).
After I posted my comment I slightly modified the config so that both :443 and :8443 give Alt-Svc to my onion service on their respective ports, but :443 redirects that request to a Cloudflare server (hence displaying the original "gcloud", but still through the onion service), while :8443 serves "alt-gobad".
The :443 port demonstrates the complete onion alt-svc idea: the final result is the same, but safer and ideally faster, whereas :8443 is a proof that the route has changed.
Trac:
Username: mahrud -
Mahrud: Could you double-check whether https://perfectoid.space:8443/ works for you? I tried the latest Firefox beta and nightly and got a "Secure Connection Failed" error.
mentioned in issue #26581 (moved)
mentioned in issue tpo/applications/tor-browser#26581 (closed)