Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#3580 closed defect (fixed)

tor problem with hotmail

Reported by: spinnaker83
Owned by: mikeperry
Priority: High
Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton
Version:
Severity:
Keywords: MikePerryIteration20110828
Cc: g.koppen@…, ioerror
Actual Points: 11
Parent ID:
Points: 3
Reviewer:
Sponsor:

Description

I am no longer able to view the mail in my hotmail account directly from the browser using Tor.
Apart from configuring programs such as Thunderbird or similar, does anyone have ideas?
The problem occurs after the login phase has completed successfully. I see my inbox and folders (sent, deleted, etc.), but clicking doesn't open anything; links are blocked.
Is this a known problem?
I need to display the mail directly from my browser.
This problem has occurred since June 11.
I use Firefox 5.0 + Stable Vidalia Bundle

Attachments (1)

torbutton-1.4.1pre1.xpi (740.9 KB) - added by mikeperry 8 years ago.
Fix for hotmail. Fix only works for TBB users.

Change History (25)

comment:1 Changed 8 years ago by spinnaker83

Component: Website → Tor Client

comment:2 Changed 8 years ago by rransom

Component: Tor Client → Tor Browser
Owner: changed from phobos to mikeperry
Status: new → assigned

comment:3 Changed 8 years ago by cypherpunks

Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0.

comment:4 in reply to:  3 Changed 8 years ago by spinnaker83

Replying to cypherpunks:

> Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0.

Hi cypherpunks, I thought the same thing, but by unchecking this feature, do I risk that my anonymity is compromised? I think so.

comment:5 in reply to:  3 ; Changed 8 years ago by spinnaker83

Replying to cypherpunks:

> Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0.

In response to what I wrote before: can your solution, however, guarantee anonymity? Thanks!!

comment:6 in reply to:  5 ; Changed 8 years ago by rransom

Replying to spinnaker83:

> Replying to cypherpunks:
>
> > Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0.
>
> In response to what I wrote before: can your solution, however, guarantee anonymity? Thanks!!

If you allow web pages to run plugins on your computer, you will have no anonymity. That's why the option is labeled as ‘crucial’ to user anonymity.

comment:7 in reply to:  6 Changed 8 years ago by spinnaker83

Replying to rransom:

> Replying to spinnaker83:
>
> > Replying to cypherpunks:
> >
> > > Deselecting "Disable plugins during Tor usage (crucial)" in the Torbutton configuration in the "Security Settings"->"Dynamic Content" tab fixes this issue in Firefox 3.6 with Torbutton 1.4.0.
> >
> > In response to what I wrote before: can your solution, however, guarantee anonymity? Thanks!!
>
> If you allow web pages to run plugins on your computer, you will have no anonymity. That's why the option is labeled as ‘crucial’ to user anonymity.

But in your opinion, was this ticket "assigned" because the issue is under study, and could it be resolved with the next release?

comment:8 Changed 8 years ago by mikeperry

Component: Tor Browser → TorBrowserButton
Milestone: TorBrowserBundle 2.2.x-stable
Priority: normal → major

comment:9 Changed 8 years ago by mikeperry

Points: 3

If this bug is in fact correct, it sounds like HotMail is requiring flash to function?

If this is true, there's not much we can do about this.. I am going to try to test this myself with a throwaway hotmail account before 2.2.x goes stable.

comment:10 in reply to:  9 Changed 8 years ago by cypherpunks

Replying to mikeperry:

> If this bug is in fact correct, it sounds like HotMail is requiring flash to function?

This is not true. HotMail works perfectly well without flash, except that the MSN application to the left in the interface does not work. HotMail nowadays also seems to be fully accessible over HTTPS.

comment:11 Changed 8 years ago by flyingtorman

I am new to TOR and have also had a problem VIEWING the contents of the inbox emails listed. Nothing happens when I click on them.

Any advice for a newbie? Should I just keep checking this ticket (thread)?

comment:12 Changed 8 years ago by Tordilini

I'm having the same problem as the others. Have used Hotmail web interface with Tor for years. Now suddenly I can see the inbox but nothing works when clicked on. I hope this is a high priority to fix. Not being able to use Hotmail accounts with Tor is a big problem for me, as I'm sure it is for others here.

comment:13 Changed 8 years ago by mikeperry

Keywords: MikePerryIteration20110828 added

comment:14 Changed 8 years ago by mikeperry

There appear to be two separate problems here.

One is that the content policy is mistakenly blocking some javascript from loading, because they are loading it through object tags.

The second I still don't fully understand, but it is definitely related to how we disable actual plugins in the page. If I disable all plugins via both the plugin manager and NoScript, but allow them in the page, hotmail seems to work fine..

comment:15 Changed 8 years ago by mikeperry

Cc: gk added

Hrmm. It appears that docShell.allowPlugins being set to false causes the site to fail to load https://gfx7.hotmail.com/mail/16.0.1770.0804/i0a.mozilla.js. This file appears to be essential in navigating the Inbox (via the InboxActions class).

gk - out of curiosity, have you guys noticed this bug? How do you disable plugins?

comment:16 Changed 8 years ago by mikeperry

Cc: g.koppen@… added; gk removed

Woops, wrong gk.

Georg - out of curiosity, have you guys noticed this bug? Do you use docShell.allowPlugins in JonDos?

comment:17 Changed 8 years ago by mikeperry

Arg. I think I've gotten to the bottom of this, but there won't be an easy fix.

It turns out that allowPlugins is also implemented as a content policy that blocks object tags from loading. This is *also* blocking the scripts in question from loading..

So we need to patch Firefox to somehow provide us with the proper contentType in the content policy. This is probably impossible, because it won't know that it's actually a script and not a plugin until after the load...

comment:18 Changed 8 years ago by mikeperry

FYI: The content policy that is blocking these scripts lives in embedding/browser/webBrowser/nsWebBrowserContentPolicy.cpp in PerformPolicyCheck().

comment:19 in reply to:  16 Changed 8 years ago by gk

Replying to mikeperry:

> Woops, wrong gk.

Nope. It's me as well :)

> Georg - out of curiosity, have you guys noticed this bug? Do you use docShell.allowPlugins in JonDos?

We have not as we do not block/handle a lot of dangerous JavaScript in our extension yet. We advise the user to have NoScript installed (in order to secure the web browsing additionally) and therefore the plugin and other JS related stuff did not make it on the top of my ToDo list yet. The only exemption up to now is window.name.

comment:20 Changed 8 years ago by mikeperry

Some more details:

Hotmail indeed appears to be loading the scripts as object tags, perhaps as some kind of performance hack to get the browser to cache all the scripts that may be used on various pieces of the site without actually parsing and interpreting them on every page (they are 100's of K each). It appears to convert the object tags that it wants interpreted into script tags through DOM manipulation on a given page. I am not sure exactly where it does this.

docShell.allowPlugins does in fact trigger that content policy check mentioned above. Disabling that check in the source and rebuilding Firefox does in fact fix the problem for hotmail..

The downside is that there is no clear way to allow these objects without risking loading all plugins.

We can potentially disable Torbutton's plugin protections on Tor Browser and let it fall back to NoScript, but I feel like this is a dangerous default configuration. Perhaps once we implement #3547 we can do that.

comment:21 Changed 8 years ago by ioerror

Perhaps it would be useful to email the Hotmail security team and let them know that this isn't going to work very well for people who need security and privacy through anonymity?

comment:22 Changed 8 years ago by mikeperry

Cc: ioerror added

It turns out the plugin manager added in FF3.6 *can* in fact disable plugins from script. getPluginTags() will allow you to change properties of the objects it enumerates. When these properties are updated, the actual plugin statuses are changed! I did not expect this.

http://forums-test.mozillazine.org/viewtopic.php?f=19&t=1717485

Now, the downside is that we can not control specific tabs with this API, so it is only safe to fix this in TBB..
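
A simplified model of the behaviour worked out in comments 17 to 22, added here as an illustration and not taken from the Torbutton or Firefox source. The four numeric constants mirror nsIContentPolicy; `webBrowserPolicy`, `disableAllPlugins`, `loadObject`, `makeHost`, `scenario` and the `mimeTypes` field on the mock plugin tags are constructed stand-ins.

```javascript
// Simplified model, not Firefox or Torbutton source. TYPE_* / ACCEPT / REJECT_TYPE
// mirror nsIContentPolicy; every other name is a constructed stand-in.
const TYPE_SCRIPT = 2, TYPE_OBJECT = 5;
const ACCEPT = 1, REJECT_TYPE = -2;

// Per-docShell check (comments 17-18). It runs before the response arrives,
// so it only knows which element asked for the load, not what the bytes are.
function webBrowserPolicy(contentType, docShell) {
  if (contentType === TYPE_OBJECT && !docShell.allowPlugins) return REJECT_TYPE;
  if (contentType === TYPE_SCRIPT && !docShell.allowJavascript) return REJECT_TYPE;
  return ACCEPT;
}

// Global switch (comment 22): set `disabled` on every tag the plugin host
// enumerates. It affects the whole browser, never a single tab.
function disableAllPlugins(pluginHost) {
  let changed = 0;
  for (const tag of pluginHost.getPluginTags({})) {
    if (!tag.disabled) { tag.disabled = true; changed += 1; }
  }
  return changed;
}

// Outcome of one <object data="..."> load. `mimeTypes` on a tag is an assumed field.
function loadObject(mimeType, docShell, pluginHost) {
  if (webBrowserPolicy(TYPE_OBJECT, docShell) !== ACCEPT) return "blocked-by-policy";
  const handler = pluginHost.getPluginTags({})
    .find((t) => !t.disabled && t.mimeTypes.includes(mimeType));
  return handler ? "plugin-instantiated" : "loaded-without-plugin";
}

// Constructed plugin host with a single Flash-like plugin installed.
function makeHost() {
  const tags = [{ name: "Flash (constructed)", disabled: false,
                  mimeTypes: ["application/x-shockwave-flash"] }];
  return { getPluginTags: () => tags };
}

function scenario(allowPlugins, disableGlobally) {
  const host = makeHost();
  if (disableGlobally) disableAllPlugins(host);
  const shell = { allowPlugins, allowJavascript: true };
  return {
    scriptViaObject: loadObject("application/javascript", shell, host),
    flashViaObject: loadObject("application/x-shockwave-flash", shell, host),
  };
}
```

`scenario(false, false)` is the configuration that broke the Hotmail inbox, and `scenario(true, true)` corresponds to the approach in comment 22, which that comment restricts to TBB because the switch cannot be scoped to specific tabs.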

comment:23 Changed 8 years ago by mikeperry

Resolution: fixed
Status: assigned → closed

This is fixed in origin/master. Attaching a test xpi, but note it will only work in TBB.

comment:24 Changed 8 years ago by mikeperry

Actual Points: 11

Changed 8 years ago by mikeperry

Attachment: torbutton-1.4.1pre1.xpi added

Fix for hotmail. Fix only works for TBB users.
