Opened 17 months ago

Last modified 3 weeks ago

#26529 needs_information defect

TBA - Notify user about possible proxy-bypass before opening external app

Reported by: sysrqb Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile, tbb-proxy-bypass, tbb-parity, TorBrowserTeam201910, tbb-backport
Cc: igt0, gk, antonela Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor8

Description

igt0 and I already discussed this, but I don't see a ticket for this. Torbutton currently does this when the user asks Tor Browser to open a file. I doubt we can continue relying on Ci.nsIHelperAppWarningDialog for this, so we'll likely need another method for catching this action.

I'm putting this into torbutton's component category for now, because that is where we catch this situation on desktop, but we may need to implement something directly within fennec, on mobile.

Child Tickets

Change History (20)

comment:1 Changed 17 months ago by sysrqb

Parent ID: #24855

comment:2 Changed 13 months ago by gk

Component: Applications/Torbutton → Applications/Tor Browser
Keywords: tbb-torbutton added
Owner: set to tbb-team

comment:3 Changed 12 months ago by sysrqb

See ticket:27701#comment:5 (along with the other comments) for some more info on this.

comment:4 Changed 12 months ago by gk

Keywords: TorBrowserTeam201811 added

comment:5 Changed 11 months ago by gk

Keywords: TorBrowserTeam201812 added; TorBrowserTeam201811 removed

comment:6 Changed 11 months ago by gk

Keywords: TBA-a3 added

Setting tag for third Tor Browser for Android alpha milestone.

comment:7 Changed 11 months ago by gk

Sponsor: Sponsor8

Adding Sponsor8 tag.

comment:8 Changed 10 months ago by gk

Keywords: TorBrowserTeam201901 added; TorBrowserTeam201812 removed

Moving tickets to Jan 2019.

comment:9 Changed 9 months ago by gk

Keywords: TorBrowserTeam201902 added; TorBrowserTeam201901 removed

Moving tickets to February.

comment:10 Changed 8 months ago by gk

Keywords: TorBrowserTeam201903 added; TorBrowserTeam201902 removed

Moving remaining tickets to March.

comment:11 Changed 8 months ago by gk

Keywords: tbb-8.5 added

Tickets on our radar for 8.5

comment:12 Changed 8 months ago by gk

Keywords: tbb-parity added

Introducing tbb-parity.

comment:13 Changed 7 months ago by gk

Keywords: TorBrowserTeam201904 added; TorBrowserTeam201903 removed

Moving tickets to April.

comment:14 Changed 5 months ago by gk

Parent ID: #24855

We have tbb-parity now, unparenting.

comment:15 Changed 6 weeks ago by mikeperry

Keywords: tbb-proxy-bypass added

In mobile/android/base/java/org/mozilla/gecko/notifications/NotificationHelper.java, we might be able to intercept that intent launcher.

I also think that this should be tagged as tbb-proxy-bypass, because if you look at that code, it appears that external apps can be launched without *any* interaction. That is equivalent to TBA itself leaking, IMO. There is literally nothing the user can do to stop a malicious website from exploiting that.

comment:16 Changed 4 weeks ago by gk

Keywords: TorBrowserTeam201910R added; TorBrowserTeam201904 removed
Status: new → needs_review

comment:17 Changed 4 weeks ago by gk

Keywords: TorBrowserTeam201910 added; TorBrowserTeam201910R removed
Status: needs_review → needs_information

Looks good to me. I've applied the patch to tor-browser-68.2.0esr-9.5-1 (commit 6dc05e67cdbbb0a74f2c24387a3ea7443e08b57c).

Two things I am unsure about:
1)

 * launches a file during private browsing. The dialog appears to notify the user that a clicked
 * link will open in an external application, potentially leaking their browsing history.
 */

That's not the same as explaining possible proxy bypass/anonymity losses. We spent quite some time trying to get the message right for desktop. Do we want to do that as well in this case?

2) Are we confident we have caught all possible issues here? There seems to be a variety of potentially problematic code paths.

comment:18 in reply to: 17 Changed 3 weeks ago by sysrqb

Cc: antonela added

Replying to gk:

Looks good to me. I've applied the patch to tor-browser-68.2.0esr-9.5-1 (commit 6dc05e67cdbbb0a74f2c24387a3ea7443e08b57c).

Two things I am unsure about:
1)

 * launches a file during private browsing. The dialog appears to notify the user that a clicked
 * link will open in an external application, potentially leaking their browsing history.
 */

That's not the same as explaining possible proxy bypass/anonymity losses. We spent quite some time trying to get the message right for desktop. Do we want to do that as well in this case?

On Desktop, our English text is "Some types of files can cause applications to connect to the Internet without using Tor." and "To be safe, you should only open downloaded files while offline, or use a Tor Live CD such as Tails.".

On Android, it says: "This link will open in &formatS;. Are you sure you want to exit Private Browsing?" where &formatS; is replaced with the target app name. I think using a message like the one on desktop is a better idea.

I'm adding Anto. We should think about how we should phrase this.

2) Are we confident we have caught all possible issues here? There seems to be a variety of potentially problematic code paths.

I think this deserves another round of auditing. I don't know.
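
Added example (not part of the ticket, the applied patch, or Fennec itself): one shape the gate discussed in comment 15 and comment 18 could take, as a wrapper that every external-app launch would have to pass through instead of calling startActivity() directly. The class and method names are hypothetical; the warning text is the desktop Tor Browser wording quoted in comment 18, used in place of the Fennec "exit Private Browsing" string, which describes a history leak rather than a proxy bypass. The dialog is cancelable and the negative button is the default, so dismissing it never launches anything.

```java
// Added example, not from the ticket or the project. Names are hypothetical.
package example;

import android.app.AlertDialog;
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.DialogInterface;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import java.util.List;

public final class ExternalAppGate {

    // Desktop Tor Browser wording (comment 18). The point of the message is the
    // proxy bypass: the receiving app will not go through Tor.
    private static final String WARNING =
        "Some types of files can cause applications to connect to the Internet "
      + "without using Tor.\n\n"
      + "To be safe, you should only open downloaded files while offline, "
      + "or use a Tor Live CD such as Tails.";

    private ExternalAppGate() {}

    /**
     * Replacement for a bare context.startActivity(intent): nothing leaves the
     * browser without an explicit user decision. Returns true if the user was
     * asked, false if the intent was dropped because no app can handle it.
     */
    public static boolean confirmAndLaunch(final Context context, final Intent intent) {
        final PackageManager pm = context.getPackageManager();
        final List<ResolveInfo> handlers = pm.queryIntentActivities(intent, 0);
        if (handlers.isEmpty()) {
            // No handler: dropping silently is the safe default, there is
            // nothing to warn about and nothing to launch.
            return false;
        }
        // Name the app that would receive the URI so the user knows what
        // "open anyway" actually does (comment 18 notes Fennec's text already
        // substitutes the target app name).
        final CharSequence target = handlers.get(0).loadLabel(pm);

        new AlertDialog.Builder(context)
            .setTitle("Open in " + target + "?")
            .setMessage(WARNING)
            .setCancelable(true) // back button means cancel, never launch
            .setNegativeButton(android.R.string.cancel, null)
            .setPositiveButton("Open anyway", new DialogInterface.OnClickListener() {
                @Override
                public void onClick(DialogInterface dialog, int which) {
                    try {
                        context.startActivity(intent);
                    } catch (ActivityNotFoundException e) {
                        // Handler went away between resolution and launch;
                        // failing closed is fine here.
                    }
                }
            })
            .show();
        return true;
    }
}
```

A gate like this only helps for launches that are routed through it. The intent launcher in NotificationHelper.java named in comment 15 is one call site; comment 18's open question about whether all code paths have been caught is exactly the question of whether any startActivity() call remains outside the gate, and this example does not answer it.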

comment:19 Changed 3 weeks ago by gk

I am leaving this ticket open then. If you feel strongly to tackle the remaining issues in new tickets, please do so and close this one.

comment:20 Changed 3 weeks ago by gk

Keywords: tbb-backport added; tbb-torbutton TBA-a3 tbb-8.5 removed