Opened 6 months ago

Closed 3 months ago

#29916 closed defect (fixed)

Group Policies for Firefox can bypass Tor Browser's proxy settings

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-proxy-bypass, tbb-8.5, TorBrowserTeam201905, GeorgKoppen201905
Cc: pospeselr Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Assuming your Windows environment has a Firefox group policy (GPO) that specifies e.g. using system proxy settings then Tor Browser happily follows that and is ignoring its own proxy settings without notifying users.

What should actually happen is that Tor Browser is ignoring those Firefox GPO settings instead.

This got tested with Tor Browser 8.0.8 on Win10 1709.

Thanks to Kit Chung for this report.

Child Tickets

Change History (15)

comment:1 Changed 6 months ago by tom

Hm. I haven't found this code yet. This is referring to the Windows Group Policy mechanism, and not the Firefox policy mechanism, right?

I think we should wire up both to be ignored when MOZ_PROXY_BYPASS_PROTECTION is enabled

comment:2 in reply to:  1 Changed 6 months ago by gk

Replying to tom:

Hm. I haven't found this code yet. This is referring to the Windows Group Policy mechanism, and not the Firefox policy mechanism, right?

Good question: I'd say, yes, but I am not sure as I don't know much about group policies. The report says "If a GPO policy tells Firefox to use system proxy setting" and says, that a specific key is written to the registry which seems to cause Tor Browser to ignore its own proxy settings.

I think we should wire up both to be ignored when MOZ_PROXY_BYPASS_PROTECTION is enabled

Agreed.

comment:3 Changed 6 months ago by pospeselr

Cc: pospeselr added

comment:4 Changed 6 months ago by tom

I think this is talking specifically about the Firefox Enterprise Policy report we recently enabled in #29445

comment:5 Changed 6 months ago by tom

As far as I can tell, the only way to bypass the proxy settings is by putting a policies.json file containing the relevant setting inside Tor Browser's data directory (on desktop) or the package directory (on mobile).

Can the original poster confirm/clarify that is what they did?

Perhaps we want to prevent this out of an abundance of caution; but if you can do this you can generally bypass lots of Tor Browser security mechanisms.

comment:6 Changed 6 months ago by tom

I did find another way to control this besides the policy file. I believe that we should revert #29445, set browser.policies.testing.disallowEnterprise to true, not support enteprise policies in any way shape or form, and test a release and alpha build to ensure the proxy can't be bypassed.

comment:7 in reply to:  6 Changed 6 months ago by gk

Keywords: tbb-8.5-must-alpha added
Status: newneeds_information

Replying to tom:

I did find another way to control this besides the policy file. I believe that we should revert #29445, set browser.policies.testing.disallowEnterprise to true, not support enteprise policies in any way shape or form, and test a release and alpha build to ensure the proxy can't be bypassed.

Hm, so browser.policies.testing.disallowEnterprise set to true *alone* does not solve our problems here? Or is it just too risky relying just on that pref alone? Because *if* folks know what they are doing and want to have policy support why not allowing that feature? If the pref alone is not enough that sounds like a bug with the pref handling which should get fixed independently of this ticket.

comment:8 Changed 6 months ago by tom

No, the pref should be enough. I was suggesting revert the other one to carry one less customization.

Policy support will be screwy though. As this issue illustrates, if you enable policy support, you will pick up a policy for Firefox, if it's present in certain locations, rather than a Tor Browser-specific policy. If we wanted to support policies we probably should require them to be TB-specific.

comment:9 in reply to:  8 ; Changed 6 months ago by gk

Keywords: TorBrowserTeam201904R added; TorBrowserTeam201904 removed
Status: needs_informationneeds_review

Replying to tom:

No, the pref should be enough. I was suggesting revert the other one to carry one less customization.

Policy support will be screwy though. As this issue illustrates, if you enable policy support, you will pick up a policy for Firefox, if it's present in certain locations, rather than a Tor Browser-specific policy. If we wanted to support policies we probably should require them to be TB-specific.

Fair enough. I've pushed bug_29916 (https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_29916) to make the changes you suggested and have them up for review. However, I am still not convinced that this is the whole picture. In particular, I feel those changes *do not* explain how the registry-based bypass is working, given that the pref is only checked at one place and areEnterpriseOnlyPoliciesAllowed() results in false for the stable series, yet the bug report was made against 8.0.x.

comment:10 Changed 6 months ago by gk

Keywords: GeorgKoppen201904 added

comment:11 in reply to:  9 ; Changed 6 months ago by tom

Replying to gk:

However, I am still not convinced that this is the whole picture. In particular, I feel those changes *do not* explain how the registry-based bypass is working, given that the pref is only checked at one place and areEnterpriseOnlyPoliciesAllowed() results in false for the stable series, yet the bug report was made against 8.0.x.

I also can't explain this, and agree. But the patch looks good to me.

comment:12 in reply to:  11 Changed 6 months ago by gk

Keywords: TorBrowserTeam201904 tbb-8.5 added; TorBrowserTeam201904R tbb-8.5-must-alpha removed
Status: needs_reviewneeds_information

Replying to tom:

Replying to gk:

However, I am still not convinced that this is the whole picture. In particular, I feel those changes *do not* explain how the registry-based bypass is working, given that the pref is only checked at one place and areEnterpriseOnlyPoliciesAllowed() results in false for the stable series, yet the bug report was made against 8.0.x.

I also can't explain this, and agree. But the patch looks good to me.

Thanks. Pushed to tor-browser-60.6.1esr-8.5-1 (commit e95c515352094f6c3d943a3313628c370feb18f2 and 6e730d5184f8d74860488f8fa998bd1e0023281f) to get the changes in our next nightly build. Setting to needs_information to figure out a way to repro the original bug report. I'll try to ask the reporter for steps to reproduce and whether they can still reproduce the problem with the fixes (whcih we have so far) committed.

comment:13 Changed 4 months ago by gk

Keywords: TorBrowserTeam201905 added; TorBrowserTeam201904 removed

Moving tickets to May

comment:14 Changed 4 months ago by gk

Keywords: GeorgKoppen201905 added; GeorgKoppen201904 removed

Move my tickets.

comment:15 Changed 3 months ago by gk

Resolution: fixed
Status: needs_informationclosed

Let's track the remaining things in #30575.

Note: See TracTickets for help on using tickets.