Opened 4 weeks ago

Last modified 6 days ago

#30575 needs_information defect

"unable to connect" if Firefox GPOs configure proxy settings

Reported by: kT3Ycp9jwm
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-proxy-bypass, TorBrowserTeam201906, GeorgKoppen201906
Cc: tom, pospeselr
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I am using Tor Browser on a Microsoft Active Directory joined computer.
Domain admins set up Group Policy Objects configuring Firefox to use a proxy auto-configuration script.
That setting from the GPO overrides the automatic Tor Browser setting to use localhost:9150, and when I try to navigate I get an "Unable to connect" error page.
Tor Browser connection settings are locked by the GPO, as they are in the installed version of Firefox, and I cannot change them manually.

Attachments (3)

connection_settings.PNG (38.5 KB) - added by kT3Ycp9jwm 4 weeks ago.
Tor Browser connection settings screenshot
unable_to_connect.PNG (40.2 KB) - added by kT3Ycp9jwm 4 weeks ago.
"Unable to connect" error page
tor_network_settings.PNG (15.4 KB) - added by kT3Ycp9jwm 4 weeks ago.
Tor network settings

Change History (18)

Changed 4 weeks ago by kT3Ycp9jwm

Attachment: connection_settings.PNG added

Tor Browser connection settings screenshot

Changed 4 weeks ago by kT3Ycp9jwm

Attachment: unable_to_connect.PNG added

"Unable to connect" error page

comment:1 Changed 4 weeks ago by cypherpunks

Mozilla also doesn't know how Firefox works, see ticket:29916#comment:11.
Tor Browser 8.5 is still not portable. Sorry for that.

comment:2 Changed 4 weeks ago by gk

Cc: tom added
Component: - Select a component → Applications/Tor Browser
Owner: set to tbb-team
Status: new → needs_information

Hm. Did that work before and just Tor Browser 8.5 breaks now? The problem with GPOs is that it seems Tor Browser is happily following whatever the GPO is telling it. That means this could lead to a proxy bypass, see: #29916. We therefore set: browser.policies.testing.disallowEnterprise to true. Does flipping that pref get things working for you again? Where does the PAC file actually point to?

comment:3 in reply to: 2 Changed 4 weeks ago by kT3Ycp9jwm

Replying to gk:

> Hm. Did that work before and just Tor Browser 8.5 breaks now?

No, it never worked since the policy was deployed (some months ago, but I could manage to report it only today).

I use it as a local account, which does not get the policy.

> The problem with GPOs is that it seems Tor Browser is happily following whatever the GPO is telling it. That means this could lead to a proxy bypass, see: #29916. We therefore set: browser.policies.testing.disallowEnterprise to true.

Just checked: it's already set to true, as default value.

> Does flipping that pref get things working for you again?

Unfortunately not.

> Where does the PAC file actually point to?

proxy.pac is on an internal server domain.local/proxy.pac

I am using Tor Browser 8.5 (based on Mozilla Firefox 60.7.0esr) (32-bit), updated today just before taking screenshots.

comment:4 Changed 4 weeks ago by gk

So, Tor Browser has some built-in capabilities to deal with proxy requirements in e.g. enterprise networks. I wonder what happens if you try that out. Could you figure out the actual ip address:port being used (and the proxy type)? Then there is "Tor Network Settings..." -> "I use a proxy to connect to the Internet" behind the onion button on the toolbar where you could enter those settings.

comment:5 Changed 4 weeks ago by kT3Ycp9jwm

in our proxy.pac the function FindProxyForURL(url, host) terminates with

return "PROXY proxy.*******.local:8080";

so I set Tor Browser as in the tor_network_settings.PNG attached

Changed 4 weeks ago by kT3Ycp9jwm

Attachment: tor_network_settings.PNG added

Tor network settings

comment:6 Changed 4 weeks ago by gk

Keywords: TorBrowserTeam201905 GeorgKoppen201905 tbb-proxy-bypass added
Priority: Medium → High
Status: needs_information → new

I suspect that did not work? I guess you could try selecting the SOCKS proxy option (instead of the HTTP/HTTPS one) in that case.

But either way, I think the underlying bug is that Tor Browser is affected by this Firefox policy at all and its proxy settings can get changed that way (even if it seems to fail closed). I'll try to figure out what's up here.

comment:7 in reply to: 6 Changed 4 weeks ago by kT3Ycp9jwm

Replying to gk:

> But either way, I think the underlying bug is that Tor Browser is affected by this Firefox policy at all and its proxy settings can get changed that way

Yes, I think this is the point

Using a local account, who does NOT receive the GPO, Tor Browser works.
Using a domain user, who receives the GPO, Tor Browser does NOT work.

Tor network settings (behind the onion button) are the same in both cases, so I think they are ok.
The difference is in the connection settings (Menu --> Options --> Network proxy --> Settings): when the GPO applies, proxy settings are hijacked and I cannot revert them because they're locked.
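
The check this diagnosis implies, as an added example that is not part of the ticket or of Tor Browser's code: it parses what a PAC script's FindProxyForURL returns and reports every route that is not the local Tor SOCKS listener. The PAC function, proxy.example.local and the sample URL are constructed; treating only SOCKS5 on port 9150 as the Tor listener is an assumption of this example.

```javascript
// Added example. The listener values reflect the localhost:9150 setting named
// in the ticket; accepting only SOCKS5 is this example's assumption.
const TOR_LISTENER = { hosts: ["127.0.0.1", "localhost", "[::1]"], port: 9150 };

// Parse a FindProxyForURL return value such as "PROXY a:8080; DIRECT".
// A null or empty return is treated as DIRECT.
function parsePacResult(result) {
  return String(result || "DIRECT")
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((entry) => {
      const [type, target = ""] = entry.split(/\s+/, 2);
      const idx = target.lastIndexOf(":");
      return {
        type: type.toUpperCase(),
        host: (idx > 0 ? target.slice(0, idx) : target).toLowerCase(),
        port: idx > 0 ? Number(target.slice(idx + 1)) : null,
      };
    });
}

function isTorListener(e) {
  return e.type === "SOCKS5" &&
    TOR_LISTENER.hosts.includes(e.host) && e.port === TOR_LISTENER.port;
}

// Every entry, fallbacks included, must be the Tor listener; anything else
// is reported, whether or not that route is actually reachable.
function classify(result) {
  const offTor = parsePacResult(result).filter((e) => !isTorListener(e));
  return {
    verdict: offTor.length === 0 ? "tor-only" : "off-tor-route",
    offTor: offTor.map((e) => (e.host ? `${e.type} ${e.host}:${e.port}` : e.type)),
  };
}

// Constructed PAC function with the shape quoted in comment:5; the host is a
// placeholder because the real one is masked in the ticket.
function FindProxyForURL(url, host) {
  return "PROXY proxy.example.local:8080";
}

// Run a PAC function over sample URLs and classify each answer.
function auditPac(pacFn, urls) {
  return urls.map((u) => ({ url: u, ...classify(pacFn(u, new URL(u).hostname)) }));
}

console.log(auditPac(FindProxyForURL, ["https://example.org/"]));
```

A fallback list such as "SOCKS5 127.0.0.1:9150; DIRECT" is also reported, because the DIRECT entry is a route outside Tor.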

comment:8 Changed 4 weeks ago by gk

Status: new → needs_information

Okay, I tried for a while to set up a testing environment on my local computer and have the group policy editor used to lock down the proxy configurations in Firefox. However, this policy is neither applied to Firefox nor Tor Browser for me. I took the policy templates from https://github.com/mozilla/policy-templates/releases and copied them over to C:\Windows\PolicyDefinitions and then started the policy editor and activated the proxy option. What else do I need to do to get this going? Do I need some other tool making sure the respective users are under that policy or what am I missing here?

comment:9 in reply to: 8 Changed 3 weeks ago by kT3Ycp9jwm

Did you apply the GPO to an OU containing both user and computer?

comment:10 in reply to: 9 Changed 3 weeks ago by gk

Status: needs_information → new

Replying to kT3Ycp9jwm:

> Did you apply the GPO to an OU containing both user and computer?

No, I think that's the piece I still need to figure out, thanks.

comment:11 Changed 10 days ago by gk

Some cypherpunks mentioned that comment:13:ticket:18101 could be promising here.

comment:12 Changed 9 days ago by gk

Status: new → needs_information

kT3Ycp9jwm: Could you test whether the following bundle fixes the problem for you? It should just disable looking for any GPO and loading associated policies:

https://people.torproject.org/~gk/testbuilds/torbrowser-install-win64-30575_en-US.exe
https://people.torproject.org/~gk/testbuilds/torbrowser-install-win64-30575_en-US.exe.asc

comment:13 Changed 6 days ago by gk

Cc: pospeselr added

comment:14 Changed 6 days ago by gk

Keywords: TorBrowserTeam201906 added; TorBrowserTeam201905 removed

Moving tickets to June

comment:15 Changed 6 days ago by gk

Keywords: GeorgKoppen201906 added; GeorgKoppen201905 removed

Moving my tickets to June
