Opened 2 weeks ago

Closed 12 days ago

#32321 closed defect (fixed)

https://mitmdetection.services.mozilla.com/ is contacted over catch-all circuit

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-9.0-issues, tbb-9.0.1-can, tbb-linkability, TorBrowserTeam201910R, GeorgKoppen201910
Cc: Actual Points: 0.1
Parent ID: Points: 0.1
Reviewer: Sponsor:

Description

If one triggers a MitM-warning (e.g. on https://mitm-software.badssl.com/) what seems to be a background request is sent over the catch-all circuit to https://mitmdetection.services.mozilla.com:

[10-25 07:50:12] Torbutton INFO: tor SOCKS: https://mitmdetection.services.mozilla.com/ via
--unknown--:3c6a3286392291d7459b9e131ebc8f73

Either we properly do FPI here OR we just omit contacting Mozilla here at all (I think the latter sounds fine).

Reported on our blog.

Child Tickets

Change History (5)

comment:1 Changed 2 weeks ago by gk

It seems security.certerrors.mitm.priming.enabled is the pref we need to take care of here.

comment:2 Changed 13 days ago by gk

Actual Points: 0.1
Keywords: TorBrowserTeam201910R added
Points: 0.1
Status: newneeds_review

I think it's fine do disable that ping to Mozilla right now. We should think generally about improving our certificate error pages though. #19119 has some ideas here.

bug_32321 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_32321&id=a04d0f9b5976bf2802aa5bd78bcce4d2855b3995) has a patch for review.

comment:3 Changed 13 days ago by gk

Keywords: GeorgKoppen201910 added

comment:4 Changed 12 days ago by mcs

r=mcs
Looks good to me.

comment:5 Changed 12 days ago by gk

Resolution: fixed
Status: needs_reviewclosed

Thanks. Cherry-picked onto tor-browser-68.2.0esr-9.5-1 (commit 15c35b79675acbfb5949aae6d18630ce20050891) and tor-browser-68.2.0esr-9.0-1 (commit a467e27614c9632cd847a3fd3d1487ae57a87cc2).

Note: See TracTickets for help on using tickets.