make Tor Browser fail to connect when not launched from Vidalia
It is possible to directly launch Firefox. On Windows users who launch TBB will have two icons in their taskbar/dock like thing - a Vidalia onion and the Browser planet icon. Users who run TBB will "pin" the browser icon and run that directly.
We must prevent this - probably by ensuring that the browser will launch the right things if a user attempts to do this.
Activity
I think our best bet here will be to patch Firefox and make it refuse to connect if it is not launched from Vidalia, or doesn't have Torbutton (this one seems more problematic because they could just, you know, install Torbutton), and result in a screen that says something similar to "You are not running Tor! This browser will not connect to the internet. You can only use this browser by clicking Start Tor Browser.exe in the Tor Browser directory." Or some other equally explanatory message.
Assuming Firefox is the right place to do this, I am assigning this to Mike so he can comment.
Trac:
Owner: helix to mikeperry
Cc: arma to arma, erinn
Status: new to assigned
Priority number one, which I hope will get into the next release, is to make our Firefox, when run any way other than TBB-launches-Vidalia-launches-Firefox, fail closed. So no fetching check.torproject.org, no reading the user's system Firefox profile and executing stuff in it, etc.
Priority number two, which doesn't have to happen immediately but should still be high on the priority list, is to either a) tell the user what went wrong and tell them what to do instead, or b) have Firefox automatically exec to the correct TBB launcher, which in turn would start Firefox correctly. 'b' would seem better than 'a', but I look forward to Mike's analysis of how messy hacking Firefox in each way would be.
-
Replying to arma:
Priority number one, which I hope will get into the next release, is to make our Firefox, when run any way other than TBB-launches-Vidalia-launches-Firefox, fail closed.
We could distinguish by looking for the env vars that we expect to hear from Vidalia, or by having Vidalia use a new command-line switch like --from-vidalia when launching Firefox, or whatever else approach Mike finds acceptable.
I don't think we understand this situation fully. On a system without Firefox installed, when I start the firefox inside TBB, as in App/Firefox/firefox, it starts up and creates a new profile as if it is the system firefox.
On a system with Firefox already installed, I start the firefox inside TBB, as in App/Firefox/firefox, it starts up with my default user profile.
It sounds like we need to do more modification to the firefox we ship, rather than simply repackage it for a portable bundle. Rather than just a display problem of Aurora renamed to TorBrowser, actually rename everything to TorBrowser, and make the application that starts Firefox (such as firefox-bin, say call it torbrowser-bin) look in ../Data/profiles.ini first, rather than assume it's generic firefox.
If we're going to go this far, why not just scrap vidalia and torbutton and build it all into the browser, ala torfox or torora?
Hrmm.. Anything I do here seems like it is going to have to be in C++, or in a new JS XPCOM component. JS would obviously be simpler, make it easier to inform the user, and be free of cross-platform woes, but more of the browser will have loaded by that point.
As for the actual test, I can think of a few options:
- TOR_SOCKS_PORT env var check
- Check that the profile directory is set as expected
- Check that certain about:config prefs are as expected
We want this by Monday?
-
Replying to phobos:
I don't understand why this is a 'security blocker'. It seems the equivalent of "I can drive my car into a wall at high speed!" Clearly the automaker should make this use case impossible to protect me from my own way to use my car.
We explicitly tell people everywhere to run "start tor browser".
IUC, the problem is that Windows decides that since it sees the user using this Aurora/TorBrowser thing, it should get added to their dock/frequently used apps ribbon/whatever. Then, much later, the user goes to start Tor back up, and clicks on the browser icon instead of the Vidalia onion in their recent apps dock, and they get it running without Vidalia.
Is this the pattern we're seeing? It sounds like it may be specific to a certain flavor of windows. Do we know which one?
Replying to mikeperry:
Replying to phobos:
I don't understand why this is a 'security blocker'. It seems the equivalent of "I can drive my car into a wall at high speed!" Clearly the automaker should make this use case impossible to protect me from my own way to use my car.
We explicitly tell people everywhere to run "start tor browser".
IUC, the problem is that Windows decides that since it sees the user using this Aurora/TorBrowser thing, it should get added to their dock/frequently used apps ribbon/whatever. Then, much later, the user goes to start Tor back up, and clicks on the browser icon instead of the Vidalia onion in their recent apps dock, and they get it running without Vidalia.
Is this the pattern we're seeing?
This is what ioerror saw someone do. We don't know whether it's a pattern, but it does sound like something a moderately experienced Windows user would do.
It sounds like it may be specific to a certain flavor of windows. Do we know which one?
The ‘Pin to Taskbar’ feature was added in Windows NT 6.1 (marketed as ‘Windows 7’).
I hope this proposal is not implemented as it will break LAN-wide Tor use.
Vidalia is a convenience, not a necessity. As things stand today a Tor Browser can connect to an instance of Tor that is serving a whole LAN, and work perfectly - no need for local copies of either Vidalia or even Tor itself. I wouldn't want to see this capability be lost.
Trac:
Username: tmpname0901-
Replying to tmpname0901:
I hope this proposal is not implemented as it will break LAN-wide Tor use.
Vidalia is a convenience, not a necessity. As things stand today a Tor Browser can connect to an instance of Tor that is serving a whole LAN, and work perfectly - no need for local copies of either Vidalia or even Tor itself. I wouldn't want to see this capability be lost.
How do you launch Tor Browser in this case? Do you still manually point it at the TBB profile with -P? Do you set the TOR_SOCKS_PORT and TOR_CONTROL_PORT env vars to keep "New Identity" working? If both of these are the case, you should be fine. Otherwise, please let me know how you launch it.
-
I launch the TBB Firefox like this:
export LD_LIBRARY_PATH=
pathname/Lib:pathname/App/Firefox:$pathname/App/Firefox/components $pathname/App/Firefox/firefox-bin -no-remote -profile $pathname/Data/profileSo, what I'm using from the TBB is Firefox and the profile (including extensions).
My LAN's server is running a middle node. The traffic from FF simply joins the flow of packets that is already going through the relay. I've verified (using iptables logging) that during a surfing session no DNS or HTTP/HTTPS packets are leaving my local machine. It all goes to the SOCKS port on the LAN's Tor relay.
With the scheme described above there is only a single threat to privacy: my LAN's server monitoring traffic between the LAN client and the Tor relay. As I am the administrator of my LAN's server I am pretty confident that no snooping is being done. :-)
$ diff build-scripts/config/no-polipo-4.0.js build-scripts/config/lan-tor-not-local+vidalia.js 77c77 < user_pref("extensions.torbutton.socks_host", "127.0.0.1");
user_pref("extensions.torbutton.socks_host", "192.168.0.1"); 81a82,90 user_pref("extensions.torbutton.custom.socks_host", "192.168.0.1"); user_pref("extensions.torbutton.custom.socks_port", 9050); user_pref("extensions.torbutton.saved.no_proxies_on", "127.0.0.1"); user_pref("extensions.torbutton.saved.socks_host", "192.168.0.1"); user_pref("extensions.torbutton.saved.socks_port", 9050); user_pref("extensions.torbutton.saved.socks_remote_dns", true); user_pref("extensions.torbutton.saved.type", 1); user_pref("extensions.torbutton.settings_method", "custom"); user_pref("extensions.torbutton.startup", true);
Trac:
Username: tmpname0901 -
Replying to Sebastian:
In reality, this is fixed by giving each computer its own TBB instance. Then you don't have to trust the local network.
I was addressing mikeperry's question re running without a local copy of Vidalia.
The full TBB is indeed a great way to do anonymized web surfing. The point I was trying to make in comment #12 (closed) is that it is not the only way to browse via the Tor network, and that a strictly enforced reliance on Vidalia is limiting in some respects.
Trac:
Username: tmpname0901