tor problem with hotmail

changed milestone to %TorBrowserBundle 2.2.x-stable

added MikePerryIteration20110828 actualpoints::11 component::torbrowserbutton milestone::TorBrowserBundle 2.2.x-stable owner::mikeperry points::3 priority::high reporter::spinnaker83 resolution::fixed status::closed type::defect labels

Trac:
Username: spinnaker83
Component: Website to Tor Client

Trac:
Owner: phobos to mikeperry
Status: new to assigned
Component: Tor Client to Tor Browser

Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0.

Replying to cypherpunks:

Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0.

Hi cypherpunks, I thought the same thing, but unchecking this feature, I risk that the anonymity is compromised? I think so.

Trac:
Username: spinnaker83

Replying to cypherpunks:

Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0. in response to what I have written before, your solution, however, can guarantee the anonymity? Thanks!!

Trac:
Username: spinnaker83

Replying to spinnaker83:

Replying to cypherpunks:

Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0. in response to what I have written before, your solution, however, can guarantee the anonymity? Thanks!!

If you allow web pages to run plugins on your computer, you will have no anonymity. That's why the option is labeled as ‘crucial’ to user anonymity.

Replying to rransom:

Replying to spinnaker83:

Replying to cypherpunks:

Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0. in response to what I have written before, your solution, however, can guarantee the anonymity? Thanks!!

If you allow web pages to run plugins on your computer, you will have no anonymity. That's why the option is labeled as ‘crucial’ to user anonymity.

but in your opinion, is this ticket was "assigned" because the issue is under study, and with the next release could be resolved?

Trac:
Username: spinnaker83

Trac:
Priority: normal to major
Milestone: N/A to TorBrowserBundle 2.2.x-stable
Component: Tor Browser to TorBrowserButton

If this bug is in fact correct, it sounds like HotMail is requiring flash to function?

If this is true, there's not much we can do about this.. I am going to try to test this myself with a throwaway hotmail account before 2.2.x goes stable.

Trac:
Points: N/A to 3

Replying to mikeperry:

If this bug is in fact correct, it sounds like HotMail is requiring flash to function?

This is not true. HotMail works perfectly well without flash, except that the MSN application to the left in the interface does not work. HotMail nowadays also seems to be fully accessible over HTTPS.

I am new to TOR and have also had a problem VIEWING the contents of the inbox emails listed. Nothing happens when I click on them.

Any advice for a newbie? Should I just keep checking this ticket (thread)?

Trac:
Username: flyingtorman

I'm having the same problem as the others. Have used Hotmail web interface with Tor for years. Now suddenly I can see the inbox but nothing works when clicked on. I hope this is a high priority to fix. Not being able to use Hotmail accounts with Tor is a big problem for me, as I'm sure it is for others here.

Trac:
Username: Tordilini

Trac:
Keywords: N/A deleted, MikePerryIteration20110828 added

There appears to be two separate problems here.

One is that the content policy is mistakenly blocking some javascript from loading, because they are loading it through object tags.

The second I still don't fully understand, but it is definitely related to how we disable actual plugins in the page. If I disable all plugins via both the plugin manager and NoScript, but allow them in the page, hotmail seems to work fine..

Hrmm. It appears that docShell.allowPlugins being set to false causes the site to fail to load https://gfx7.hotmail.com/mail/16.0.1770.0804/i0a.mozilla.js. This file appears to be essential in navigating the Inbox (via the InboxActions class).

gk - out of curiosity, have you guys noticed this bug? How do you disable plugins?

Trac:
Cc: N/A to gk

Woops, wrong gk.

Georg - out of curiosity, have you guys noticed this bug? Do you use docShell.allowPlugins in JonDos?

Trac:
Cc: gk to g.koppen@jondos.de

Arg. I think I've gotten to the bottom of this, but there won't be an easy fix.

It turns out that allowPlugins is also implemented as a content policy that blocks object tags from loading. This is also blocking the scripts in question from loading..

So we need to patch firefox to somehow provide us with the proper contentType in the content policy. This is probably impossible, because it won't know that it's actually a script and not a plugin until after the load...

FYI: The content policy that is blocking these scripts lives in embedding/browser/webBrowser/nsWebBrowserContentPolicy.cpp in PerformPolicyCheck().

Replying to mikeperry:

Woops, wrong gk.

Nope. It's me as well :)

Georg - out of curiosity, have you guys noticed this bug? Do you use docShell.allowPlugins in JonDos?

We have not as we do not block/handle a lot of dangerous JavaScript in our extension yet. We advise the user to have NoScript installed (in order to secure the web browsing additionally) and therefore the plugin and other JS related stuff did not make it on the top of my ToDo list yet. The only exemption up to now is window.name.

Some more details:

Hotmail indeed appears to be loading the scripts as object tags, perhaps as some kind of performance hack to get the browser to cache all the scripts that may be used on various pieces of the site without actually parsing and interpreting them on every page (they are 100's of K each). It appears to convert the object tags that it wants interpreted into script tags though DOM manipulation on a given page. I am not sure exactly where it does this.

docShell.allowPlugins does in fact trigger that content policy check mentioned above. Disabling that check in the source and rebuilding Firefox does in fact fix the problem for hotmail..

The downside is that there is no clear way to allow these objects without risking loading all plugins.

We can potentially disable Torbutton's plugin protections on Tor Browser and let it fall back to NoScript, but I feel like this is a dangerous default configuration. Perhaps once we implement #3547 (closed) we can do that.

Perhaps it would be useful to email the Hotmail security team and let them know that this isn't going to work very well for people who need security and privacy through anonymity?

It turns out the plugin manager added in FF3.6 can in fact disable plugins from script. getPluginTags() will allow you to change properties of the objects it enumerates. When these properties are updated, the actual plugin statuses are changed! I did not expect this.

http://forums-test.mozillazine.org/viewtopic.php?f=19&t=1717485

Now, the downside is that we can not control specific tabs with this API, so it is only safe to fix this in TBB..

Trac:
Cc: g.koppen@jondos.de to g.koppen@jondos.de, ioerror