Opened 8 years ago

Closed 7 years ago

Last modified 2 years ago

#4192 closed defect (fixed)

make Tor Browser fail to connect when not launched from Vidalia

Reported by: ioerror Owned by: mikeperry
Priority: Immediate Milestone:
Component: Firefox Patch Issues Version:
Severity: Normal Keywords: security, MikePerryIterationFires20111009
Cc: arma, erinn Actual Points: 1
Parent ID: Points: 1
Reviewer: Sponsor:

Description

It is possible to directly launch Firefox. On Windows users who launch TBB will have two icons in their taskbar/dock like thing - a Vidalia onion and the Browser planet icon. Users who run TBB will "pin" the browser icon and run _that_ directly.

We must prevent this - probably by ensuring that the browser will launch the right things if a user attempts to do this.

Child Tickets

Change History (29)

comment:1 Changed 8 years ago by erinn

Cc: erinn added
Owner: changed from helix to mikeperry
Status: newassigned

I think our best bet here will be to patch Firefox and make it refuse to connect if it is not launched from Vidalia, or doesn't have Torbutton (this one seems more problematic because they could just, you know, install Torbutton), and result in a screen that says something similar to "You are not running Tor! This browser will not connect to the internet. You can only use this browser by clicking Start Tor Browser.exe in the Tor Browser directory." Or some other equally explanatory message.

Assuming Firefox is the right place to do this, I am assigning this to Mike so he can comment.

comment:2 Changed 8 years ago by arma

Priority number one, which I hope will get into the next release, is to make our Firefox, when run any way other than TBB-launches-Vidalia-launches-Firefox, fail closed. So no fetching check.torproject.org, no reading the user's system Firefox profile and executing stuff in it, etc.

Priority number two, which doesn't have to happen immediately but should still be high on the priority list, is to either a) tell the user what went wrong and tell them what to do instead, or b) have Firefox automatically exec to the correct TBB launcher, which in turn would start Firefox correctly. 'b' would seem better than 'a', but I look forward to Mike's analysis of how messy hacking Firefox in each way would be.

comment:3 in reply to:  2 Changed 8 years ago by arma

Replying to arma:

Priority number one, which I hope will get into the next release, is to make our Firefox, when run any way other than TBB-launches-Vidalia-launches-Firefox, fail closed.

We could distinguish by looking for the env vars that we expect to hear from Vidalia, or by having Vidalia use a new command-line switch like --from-vidalia when launching Firefox, or whatever else approach Mike finds acceptable.

comment:4 Changed 8 years ago by erinn

Summary: Serious TBB Launcher bugmake Tor Browser fail to connect when not launched from Vidalia

comment:5 Changed 8 years ago by phobos

I don't think we understand this situation fully. On a system without Firefox installed, when I start the firefox inside TBB, as in App/Firefox/firefox, it starts up and creates a new profile as if it is the system firefox.

On a system with Firefox already installed, I start the firefox inside TBB, as in App/Firefox/firefox, it starts up with my default user profile.

It sounds like we need to do more modification to the firefox we ship, rather than simply repackage it for a portable bundle. Rather than just a display problem of Aurora renamed to TorBrowser, actually rename everything to TorBrowser, and make the application that starts Firefox (such as firefox-bin, say call it torbrowser-bin) look in ../Data/profiles.ini first, rather than assume it's generic firefox.

If we're going to go this far, why not just scrap vidalia and torbutton and build it all into the browser, ala torfox or torora?

comment:6 Changed 8 years ago by phobos

I don't understand why this is a 'security blocker'. It seems the equivalent of "I can drive my car into a wall at high speed!" Clearly the automaker should make this use case impossible to protect me from my own way to use my car.

We explicitly tell people everywhere to run "start tor browser".

comment:7 Changed 8 years ago by mikeperry

Hrmm.. Anything I do here seems like it is going to have to be in C++, or in a new JS XPCOM component. JS would obviously be simpler, make it easier to inform the user, and be free of cross-platform woes, but more of the browser will have loaded by that point.

As for the actual test, I can think of a few options:

  1. TOR_SOCKS_PORT env var check
  2. Check that the profile directory is set as expected
  3. Check that certain about:config prefs are as expected

We want this by Monday?

comment:8 in reply to:  6 ; Changed 8 years ago by mikeperry

Replying to phobos:

I don't understand why this is a 'security blocker'. It seems the equivalent of "I can drive my car into a wall at high speed!" Clearly the automaker should make this use case impossible to protect me from my own way to use my car.

We explicitly tell people everywhere to run "start tor browser".

IUC, the problem is that Windows decides that since it sees the user using this Aurora/TorBrowser thing, it should get added to their dock/frequently used apps ribbon/whatever. Then, much later, the user goes to start Tor back up, and clicks on the browser icon instead of the Vidalia onion in their recent apps dock, and they get it running without Vidalia.

Is this the pattern we're seeing? It sounds like it may be specific to a certain flavor of windows. Do we know which one?

comment:9 in reply to:  8 Changed 8 years ago by rransom

Replying to mikeperry:

Replying to phobos:

I don't understand why this is a 'security blocker'. It seems the equivalent of "I can drive my car into a wall at high speed!" Clearly the automaker should make this use case impossible to protect me from my own way to use my car.

We explicitly tell people everywhere to run "start tor browser".

IUC, the problem is that Windows decides that since it sees the user using this Aurora/TorBrowser thing, it should get added to their dock/frequently used apps ribbon/whatever. Then, much later, the user goes to start Tor back up, and clicks on the browser icon instead of the Vidalia onion in their recent apps dock, and they get it running without Vidalia.

Is this the pattern we're seeing?

This is what ioerror saw someone do. We don't know whether it's a pattern, but it does sound like something a moderately experienced Windows user would do.

It sounds like it may be specific to a certain flavor of windows. Do we know which one?

The ‘Pin to Taskbar’ feature was added in Windows NT 6.1 (marketed as ‘Windows 7’).

comment:10 in reply to:  7 Changed 8 years ago by erinn

Replying to mikeperry:

We want this by Monday?

We want something by Monday. It doesn't need to be the ideal fix though. Let me know if you think there is something I can/should do on my end to help.

comment:11 Changed 8 years ago by tmpname0901

I hope this proposal is not implemented as it will break LAN-wide Tor use.

Vidalia is a convenience, not a necessity. As things stand today a Tor Browser can connect to an instance of Tor that is serving a whole LAN, and work perfectly - no need for local copies of either Vidalia or even Tor itself. I wouldn't want to see this capability be lost.

comment:12 in reply to:  11 Changed 8 years ago by mikeperry

Replying to tmpname0901:

I hope this proposal is not implemented as it will break LAN-wide Tor use.

Vidalia is a convenience, not a necessity. As things stand today a Tor Browser can connect to an instance of Tor that is serving a whole LAN, and work perfectly - no need for local copies of either Vidalia or even Tor itself. I wouldn't want to see this capability be lost.

How do you launch Tor Browser in this case? Do you still manually point it at the TBB profile with -P? Do you set the TOR_SOCKS_PORT and TOR_CONTROL_PORT env vars to keep "New Identity" working? If both of these are the case, you should be fine. Otherwise, please let me know how you launch it.

comment:13 Changed 8 years ago by mikeperry

Keywords: MikePerryIterationFires20111009 added

comment:14 Changed 8 years ago by tmpname0901

I launch the TBB Firefox like this:

export LD_LIBRARY_PATH=$pathname/Lib:$pathname/App/Firefox:$pathname/App/Firefox/components
$pathname/App/Firefox/firefox-bin -no-remote -profile $pathname/Data/profile

So, what I'm using from the TBB is Firefox and the profile (including extensions).

My LAN's server is running a middle node. The traffic from FF simply joins the flow of packets that is already going through the relay. I've verified (using iptables logging) that during a surfing session no DNS or HTTP/HTTPS packets are leaving my local machine. It all goes to the SOCKS port on the LAN's Tor relay.

With the scheme described above there is only a single threat to privacy: my LAN's server monitoring traffic between the LAN client and the Tor relay. As I am the administrator of my LAN's server I am pretty confident that no snooping is being done. :-)


$ diff build-scripts/config/no-polipo-4.0.js build-scripts/config/lan-tor-not-local+vidalia.js
77c77
< user_pref("extensions.torbutton.socks_host", "127.0.0.1");
---

user_pref("extensions.torbutton.socks_host", "192.168.0.1");

81a82,90

user_pref("extensions.torbutton.custom.socks_host", "192.168.0.1");
user_pref("extensions.torbutton.custom.socks_port", 9050);
user_pref("extensions.torbutton.saved.no_proxies_on", "127.0.0.1");
user_pref("extensions.torbutton.saved.socks_host", "192.168.0.1");
user_pref("extensions.torbutton.saved.socks_port", 9050);
user_pref("extensions.torbutton.saved.socks_remote_dns", true);
user_pref("extensions.torbutton.saved.type", 1);
user_pref("extensions.torbutton.settings_method", "custom");
user_pref("extensions.torbutton.startup", true);

comment:15 Changed 8 years ago by tmpname0901

I just thought of one 1 other potential loss of anonymity: sniffing the packets on the LAN wire (fixable with IPSec?). It really comes down to the same remedy as the other potential flaw: trusting the local network.

comment:16 Changed 8 years ago by Sebastian

In reality, this is fixed by giving each computer its own TBB instance. Then you don't have to trust the local network.

comment:17 in reply to:  16 Changed 8 years ago by tmpname0901

Replying to Sebastian:

In reality, this is fixed by giving each computer its own TBB instance. Then you don't have to trust the local network.

I was addressing mikeperry's question re running without a local copy of Vidalia.

The full TBB is indeed a great way to do anonymized web surfing. The point I was trying to make in comment #12 is that it is not the only way to browse via the Tor network, and that a strictly enforced reliance on Vidalia is limiting in some respects.

comment:18 Changed 8 years ago by rransom

I can confirm that when TBB-Firefox is ‘pinned’ to the Windows NT 6.1 taskbar, clicking on the resulting button to start TBB-Firefox runs tbb-firefox.exe with no command-line arguments.

comment:19 Changed 8 years ago by phobos

Perhaps this argues for a single executable version of torbrowser, like torbrowser.exe as a monolithic binary that users can do whatever they want with it.

comment:20 Changed 8 years ago by mikeperry

Actual Points: 1
Points: 1
Resolution: fixed
Status: assignedclosed

Fix is in mikeperry/4192 for torbrowser.git. It just exits. It doesn't prompt.

Tested it on my own build. It is written in JS, so it should work everywhere.

comment:21 Changed 8 years ago by mikeperry

tmpname0901: The check is based on profile contents, not on env var. Your setup should still work. However, you probably want to set the TOR_CONTROL_PORT and TOR_CONTROL_PASSWD environment variables to point at your relay. That will give you the ability to run New Identity. I think you might even be able to set them to junk, if you just want the browser to clear state.

comment:22 Changed 8 years ago by Jehanne

I used to do this; it was a way of keeping my relay up and running while using the Tor-modified version of Firefox, which I was lead to believe was superior to the standard Firefox build. I simply copied a shortcut of the tbb-firefox.exe icon to my desktop. I am not sure why this was such a "big deal" or why you needed disabled this ability.

comment:23 in reply to:  22 Changed 8 years ago by arma

Replying to Jehanne:

I used to do this; it was a way of keeping my relay up and running while using the Tor-modified version of Firefox, which I was lead to believe was superior to the standard Firefox build. I simply copied a shortcut of the tbb-firefox.exe icon to my desktop. I am not sure why this was such a "big deal" or why you needed disabled this ability.

When you copied the shortcut and ran it yourself, you missed out on some of the modifications we made. For example, you missed out on the "keep this profile separate from the other Firefoxes you're running right now" feature. Bad news for you, especially if you didn't realize it worked that way.

comment:24 Changed 8 years ago by Jehanne

Well, I had my homepage set to https://check.torproject.org/ and always got the "Congratulations. Your browser..." Also, the Tor toolbar disabled the sweet "green onion," so I am not sure what I was still "missing out" on, but would certainly like to know. Point is that if the Aurora browser has some fixes that the main Firefox browser does *not* have, it would be good to have that without having to stop my relay, just so that I can enjoy the full-features that are present in the Aurora browser without having to "miss out" by using the standard Firefox browser.

comment:25 Changed 8 years ago by Jehanne

"Displayed" and not "disabled"; that is, "the Tor toolbar displayed the sweet "green onion..." Sorry about the typo.

comment:26 Changed 7 years ago by mo

Resolution: fixed
Status: closedreopened

With the latest Tor Browser (2.3.25-4 on Windows), it is possible to launch Tor Browser again directly by running tbb-firefox.exe. The current patch checks for torbrowser.version, which now seems to be set independently from the configured profile?

comment:27 Changed 7 years ago by mikeperry

Keywords: tbb-rebase-regression added

This is due to moving the prefs from the profile to the Firefox build itself...

comment:28 Changed 7 years ago by mikeperry

Keywords: tbb-rebase-regression removed
Resolution: fixed
Status: reopenedclosed

Moving the regression to #8350.

comment:29 Changed 2 years ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.