Requests for drag-and-drop thumbnails in Tor Browser are not sent through the Tor network, but instead as plain-text HTTP requests.
How to reproduce:
Download and start Tor Browser Bundle version 2.2.34-2 (current, this one)
Start up Wireshark and start logging your network interactively
Using the Tor Browser, visit "www.gnome.org" (or any other HTTP site)
See Wireshark sending all traffic encrypted to various Tor nodes
When the site has loaded, drag the big image on the site
See Wireshark logging a DNS request for "www.gnome.org" with reply
See Wireshark logging an HTTP HEAD request for
"/wp-content/uploads/2011/09/gnome-3.2.png" on host "www.gnome.org",
sending this directly unencrypted to the IP returned from the DNS request.
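One way to check a capture taken with the steps above for proxy bypass, as an added example that is not part of the original report. The column layout, the relay address and the resolver and web server addresses are constructed assumptions (documentation-range IPs); only the host name and path come from the report.

```python
import ipaddress
from typing import NamedTuple


class Leak(NamedTuple):
    kind: str    # "dns", "http" or "direct"
    dst: str     # destination IP the packet was sent to
    detail: str  # query name, request line or port


# Constructed sample, shaped like a tab-separated field export of a capture:
# dst_ip, udp_dstport, tcp_dstport, dns_query_name, http_method, http_host, http_uri
SAMPLE_CAPTURE = "\n".join([
    "192.0.2.10\t\t9001\t\t\t\t",                 # encrypted traffic to a Tor relay
    "198.51.100.53\t53\t\twww.gnome.org\t\t\t",   # DNS query sent outside Tor
    "203.0.113.80\t\t80\t\tHEAD\twww.gnome.org\t"
    "/wp-content/uploads/2011/09/gnome-3.2.png",  # cleartext HEAD sent outside Tor
    "192.0.2.10\t\t9001\t\t\t\t",
])
TOR_RELAYS = {"192.0.2.10"}  # assumed: the relay(s) this client is connected to


def find_leaks(capture, tor_relays):
    """Return every outbound packet that went neither to loopback nor to a Tor relay."""
    relays = {ipaddress.ip_address(r) for r in tor_relays}
    leaks = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        # Pad short rows so missing trailing columns read as empty strings.
        fields = (line.split("\t") + [""] * 7)[:7]
        dst, udp_port, tcp_port, qname, method, host, uri = fields
        addr = ipaddress.ip_address(dst)
        if addr.is_loopback or addr in relays:
            continue  # local SOCKS hop or a relay: expected traffic
        if udp_port == "53":
            leaks.append(Leak("dns", dst, qname))
        elif method:
            leaks.append(Leak("http", dst, f"{method} http://{host}{uri}"))
        else:
            leaks.append(Leak("direct", dst, f"port {tcp_port or udp_port}"))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE, TOR_RELAYS):
        print(f"LEAK {leak.kind:6} -> {leak.dst}  {leak.detail}")
```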
I can't reproduce this with TBB for Linux. I tried dragging the image over TBB-Firefox, Nautilus, and Emacs (GNU Emacs with the Lucid interface), and dropping the image on TBB-Firefox, and didn't see any DNS or HTTP traffic.
Which OS are you using? Did you drag the image over a program other than TBB-Firefox?
Trac: Cc: N/A to erinn, ioerror, phobos, Sebastian; Priority: normal to blocker; Status: new to needs_information
OS: Ubuntu 11.10, with all updates installed.
Tor Browser Bundle was installed by unpacking to a new clean folder. And I have verified the signature.
32-bit version of everything.
And no, merely beginning to drag the image makes it send the DNS and HTTP request, before I get to drag it anywhere or drop it.
Ubuntu 11.10 64-bit. Not all updates are installed.
64-bit version here.
I have to drag the pic to the desktop before the DNS and HTTP request occur. I noticed that dragging the pic to a text console copies the image URL.
I updated and tried again.
I tried dragging and hovering the image over a few different applications (terminals, wireshark, firefox, file browser, and the desktop) and was not able to recreate this issue by just hovering.
I tested with images-as-links as well as plain images (e.g. right-click and select 'view image', then try to drag that somewhere)
Can you confirm that these steps should reproduce the issue?
I tried switching to "Ubuntu 2D" during the log in and repeated the steps, but this time no DNS or HTTP request was made. I switched back to the normal Ubuntu desktop (Unity) and now both DNS and HTTP requests were made as soon as I began dragging the image.
Apparently it depends on which window manager or other applications are running.
Yep. I can confirm this is the case. I installed VirtualBox extensions (to get 3d support) and can verify that as soon as I drag a picture, the dns+http request bypasses Tor.
There also appears to be an issue where you can also get proxy bypass even without using Unity when you release the dragged image into any non-Tor apps that decide to treat it as a url and download it. At least on my system.
Does this mean we should break these urls? Turn them into tor:// and tors:// urls? Or remove Drag and Drop entirely? Something tells me Unity might be dumb enough to still do a non-tor DNS query even without a valid scheme...
What about other url types? ftp://?
Can drag-n-drop be proxied by rewriting the URL to file:// in the browser cache?
Btw, do either of you guys have any ubuntu system addons installed? I am wondering how it is that unity is intercepting the drag event before the image is dropped anywhere... This could be a symptom of #2255 (closed) for the Unity crowd.
If you mean system wide browser add-ons/plugins, nothing installed besides what is in the default installation. Also, no plugins and only the extensions "HTTPS Everywhere", "Torbutton" and "NoScript" show up in Tools->Add-ons.
Isn't it the window manager that handles all drag requests? For example when you drag something all the application launcher icons change color depending on if they accept the object dragged or not.
Out of curiosity, can any Ubuntu Unity users please tell me if proxy bypass happens when you drag a normal url? The codepaths appear to be the same in XPCOM.
Trac: Summary: "drag-n-drop bypasses tor" to "drag-n-drop bypasses tor on Unity"
Ok, after banging on this for a while, it seems that most methods of disabling image drag and drop also break the ability to move tabs around, and to drag links between TBB tabs and windows.
However, it looks like if we override the aActionType parameter to always be 0, we can still allow in-Firefox drags while blocking drags to other apps. Hurray!
The question is, does Unity give us the reach-around and manage to find the url still?
Can anyone who has a Unity setup please test the attached XPI with Wireshark and image+url dragging?