Opened 4 days ago

Closed 4 days ago

Last modified 14 hours ago

#26365 closed defect (fixed)

Backport AltSvc/SOCKS patch to ESR60

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff60-esr, TorBrowserTeam201806R
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Patrick McManus wrote a patch for using Alternate Service with SOCKS that landed in Firefox 62 (https://bugzilla.mozilla.org/show_bug.cgi?id=1463509). This would be useful for us, especially for AltSvc onions, so we'd like to backport it to ESR60. Turning this on will require completing our audit of HTTP2 and the AltSvc mechanism in particular to make sure it respects FPI.

Change History (4)

comment:1 Changed 4 days ago by arthuredelstein

Keywords: ff60-esr added

Backporting is a simple cherry-pick. Here it is on top of our current tor-browser-60.0.1esr-8.0-1:
https://github.com/arthuredelstein/tor-browser/commit/26365

comment:2 Changed 4 days ago by gk

Keywords: TorBrowserTeam201806R added
Resolution: fixed
Status: new → closed

Looks good. Cherry-picked to tor-browser-60.0.1esr-8.0-1 as commit 8a68f975ee5faa39efa26a79062476ab50dd18ab. It will show up in tomorrow's nightly at http://f4amtbsowhix7rrf.onion/tor-browser-builds/. Note, there are still prefs to be flipped to enable it as we are currently auditing both HTTP/2 and Alt-Svc for tracking risks and they are therefore disabled. In particular you'll want to flip network.http.altsvc.enabled and maybe network.http.altsvc.oe, too. The HTTP/2 related pref is network.http.spdy.enabled.http2.

comment:3 Changed 2 days ago by mahrud

I tested this with my experimental setup and it worked, except it didn't go quite smoothly. Here is what happened:

  1. enabled those flags.
  2. entered https://perfectoid.space/, which is supposed to return a .onion Alt-Svc.
  3. got CAPTCHA and solved it
  4. tab was stuck in loading state indefinitely
  5. entered the .onion address directly in a new tab
  6. both tabs loaded at the same time, perfectoid.space showing alt-gcloud and the .onion showing 400 Bad Request, both as expected.
  7. Afterwards I did not get any CAPTCHAs even after multiple refreshes (with alt-svc disabled, I would still get CAPTCHAs after every few refreshes)

My guess is that Tor Browser doesn't realize it needs to make a circuit to an onion service if the .onion name is in the Alt-Svc rather than the URL.

Is there a ticket following HTTP/2 and Alt-Svc audits?

I'm also curious why network.http.spdy.enabled.http2draft is still there, and since the Alt-Svc logs are different from Firefox ESR60, I suspect the HTTP/2 and Alt-Svc code is outdated.
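
To check which alternatives an origin advertises before flipping the prefs above, the following added example (not part of this ticket or of Tor Browser's code) parses an Alt-Svc header value in the RFC 7838 format and flags .onion alternatives. The `SAMPLE` header and its .onion name are constructed placeholders, and the function names are assumptions of this example.

```python
import re

def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def _unquote(s):
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])  # undo backslash escapes
    return s

def parse_alt_svc(value):
    """Return the alternatives advertised in one Alt-Svc header value."""
    if value.strip().lower() == "clear":  # "clear" drops all cached alternatives
        return []
    services = []
    for alt_value in _split_outside_quotes(value, ","):
        fields = _split_outside_quotes(alt_value, ";")
        if not fields:
            continue
        protocol, _, authority = fields[0].partition("=")
        host, _, port = _unquote(authority).rpartition(":")  # host "" = same host
        if not port.isdigit():
            continue  # malformed alt-authority: ignore this alternative
        params = dict((k.strip().lower(), _unquote(v)) for k, _, v in (f.partition("=") for f in fields[1:]))
        services.append({"protocol": protocol.strip(), "host": host, "port": int(port),
                         "params": params, "onion": host.lower().rstrip(".").endswith(".onion")})
    return services

# Constructed sample header; the .onion name is a placeholder, not a real service.
SAMPLE = 'h2="placeholderonionaddress.onion:443"; ma=86400; persist=1, h2=":8443"; ma=60'

if __name__ == "__main__":
    print(*parse_alt_svc(SAMPLE), sep="\n")
```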

comment:4 in reply to:  3 Changed 14 hours ago by gk

Replying to mahrud:

> I tested this with my experimental setup and it worked, except it didn't go quite smoothly. Here is what happened:
>
>   1. enabled those flags.
>   2. entered https://perfectoid.space/, which is supposed to return a .onion Alt-Svc.
>   3. got CAPTCHA and solved it
>   4. tab was stuck in loading state indefinitely
>   5. entered the .onion address directly in a new tab
>   6. both tabs loaded at the same time, perfectoid.space showing alt-gcloud and the .onion showing 400 Bad Request, both as expected.

You mean it showed gcloud, right? And not alt-gcloud. Because testing with the latest edition of Firefox nightly that's what I get.
