Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#6293 closed defect (fixed)

Disable self when running in Tor browser

Reported by: dcf
Owned by: dcf
Priority: Medium
Milestone:
Component: Archived/Flashproxy
Version:
Severity:
Keywords:
Cc: ioerror
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

ioerror tells me that there are anonymity attacks when a Tor user is a flash proxy over their Tor connection, having to do with congestion and intersection.

We should at least detect when being run inside Tor browser and disable.

Child Tickets

Attachments (2)

tbFinger.js (8.0 KB) - added by jct 5 years ago.
Tor Browser fingerprint - extended version.
check-proxy-running-in-tor-proxy.patch (1.8 KB) - added by jct 5 years ago.
Patch to check whether the proxy is running in a Tor Proxy browser and disable it.


Change History (12)

comment:1 Changed 5 years ago by dcf

ioerror, is this the sort of weakness you had in mind when describing this to me? Particularly section 2.3.

On the risks of serving whenever you surf
http://freehaven.net/anonbib/#wpes09-bridge-attack

comment:2 Changed 5 years ago by dcf

As an additional measure to avoid Tor-in-Tor situations (which is not necessarily what ioerror was concerned about), maybe the facilitator should not answer requests from known Tor exits.

comment:3 in reply to: 2 Changed 5 years ago by dcf

Replying to dcf:

As an additional measure to avoid Tor-in-Tor situations (which is not necessarily what ioerror was concerned about), maybe the facilitator should not answer requests from known Tor exits.

Roger offers this command that exports exits for bridges.torproject.org:

cat $HOME/auto-naming/moria1/cached-des* | python $HOME/git/contrib/exitlist <ip>:<port> > exitlist

Changed 5 years ago by jct

Attachment: tbFinger.js added

Tor Browser fingerprint - extended version.

comment:4 Changed 5 years ago by jct

First part [1], trying to detect that the proxy is running in a Tor Browser:

Here is a candidate script in order to get the Tor Browser fingerprint:

function tor_browser_fingerprint() {
    var isTB = false;
    // Tor Browser blocks Components.lookupMethod: access throws "Permission denied".
    var t1 = false;
    try { var resFunction = Components.lookupMethod(this, 'window'); }
    catch (err) { if (err.message.indexOf("Permission denied") != -1) t1 = true; }
    // Likewise Components.interfaces.
    var t2 = false;
    try { var resObject = Components.interfaces.nsITimer; }
    catch (err) { if (err.message.indexOf("Permission denied") != -1) t2 = true; }
    // Fixed user agent, Windows platform, DOM storage disabled, no MIME types,
    // and no plugins (or only Flash).
    if (t1 && t2 &&
        navigator.userAgent == "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" &&
        navigator.platform.indexOf("Win32") != -1 &&
        sessionStorage === null &&
        navigator.mimeTypes.length == 0 &&
        (navigator.plugins.length == 0 ||
         (navigator.plugins.length == 1 && navigator.plugins[0].name == "Shockwave Flash")))
        isTB = true;
    return isTB;
}

The logic behind this code comes from the design of the Tor Browser: https://www.torproject.org/projects/torbrowser/design/ :

   * Block Components.interfaces and Components.lookupMethod
   * A fixed userAgent string
   * Regardless of the actual operating system, the browser reports the Windows OS
   * Entirely disable DOM storage
   * Not listing the supported MIME types
   * Not allowing plugins, or only allowing Flash

I suppose checking the userAgent string is enough, but the others may be needed to decrease the number of false positives.

I'm attaching an extended version of the proposed script (the attached one is a bit more polite and modular, but essentially does the same as the shorter version displayed above).

[1] The second part is to detect that the proxy is already in the Tor network: not checking whether it is running in a Tor Browser, but checking whether the proxy's reported IP matches a Tor exit node.

comment:5 in reply to: 4 Changed 5 years ago by dcf

Status: new → needs_revision

Thanks, this is good work.

I'm willing to trade some false positives (and perhaps remove some false negatives) for an even simpler test. Grepping for "Permission denied" in error text strikes me as not robust. Similarly "Shockwave Flash": I don't want to couple this test too closely to the internals of Tor Browser. Checking navigator.platform seems redundant with the user-agent check.

I'll bet that the user-agent comparison already gets us almost all the way there. To that let's add the sessionStorage === null and navigator.mimeTypes.length == 0 tests, and make that the whole of the detection.

Please do the above in the form of a patch against flashproxy.js, and attach the patch to the ticket. The function should be called is_likely_tor_browser or something similar. You can add a call to this function to flashproxy_should_disable.
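The simplified check dcf asks for here (user-agent, sessionStorage === null, empty navigator.mimeTypes), written out as an added example that is not the patch jct attached or the code committed to flashproxy.js. The env object, the browser_env helper, the flashproxy_should_disable stand-in and the sample environments are constructed for illustration; treating a sessionStorage access that throws as "storage disabled" is an assumption beyond what the ticket states.

```javascript
// Added example: the simplified test dcf asks for in comment:5, not the patch committed
// to flashproxy.js. The check reads its inputs from an env object so it can run outside
// a browser; in a page, pass browser_env(window).

// Fixed user-agent string Tor Browser reported at the time (quoted in comment:4).
var TOR_BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0";

function browser_env(win) {
    return { userAgent: win.navigator.userAgent, mimeTypes: win.navigator.mimeTypes,
             getSessionStorage: function () { return win.sessionStorage; } };
}

function is_likely_tor_browser(env) {
    // Test 1: the fixed user-agent string.
    if (env.userAgent !== TOR_BROWSER_UA) return false;
    // Test 2: DOM storage disabled. The ticket checks sessionStorage === null; as an
    // assumption here, a browser that throws on access is treated the same way.
    var storage;
    try { storage = env.getSessionStorage(); } catch (e) { storage = null; }
    if (storage !== null && storage !== undefined) return false;
    // Test 3: no MIME types listed.
    return env.mimeTypes.length === 0;
}

// Hypothetical stand-in for the decision point dcf names: returns the reason the proxy
// should stay disabled, or null when it may run (flashproxy's other reasons omitted).
function flashproxy_should_disable(env) {
    return is_likely_tor_browser(env) ? "running inside Tor Browser" : null;
}

// Constructed sample environments for offline exercise.
var TOR_BROWSER_ENV = { userAgent: TOR_BROWSER_UA, mimeTypes: [],
                        getSessionStorage: function () { return null; } };
var PLAIN_FIREFOX_ENV = { userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
                          mimeTypes: [{ type: "application/pdf" }],
                          getSessionStorage: function () { return {}; } };
// Same user-agent but storage and MIME types present: not Tor Browser by this test.
var UA_ONLY_ENV = { userAgent: TOR_BROWSER_UA, mimeTypes: [{ type: "application/pdf" }],
                    getSessionStorage: function () { return {}; } };
```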

comment:6 Changed 5 years ago by dcf

I created #7549 to keep track of the facilitator part of this.

Changed 5 years ago by jct

Patch to check whether the proxy is running in a Tor Proxy browser and disable it.

comment:7 Changed 5 years ago by jct

Done!

comment:8 Changed 5 years ago by dcf

Resolution: fixed
Status: needs_revision → closed

Good work. I committed your patch.

comment:9 Changed 5 years ago by dcf

Just bookmarking this page: http://marcorondini.eu/research/resource_uri/.

It tests for Tor Browser by trying to load a script from a resource URL and calling it Tor Browser when the script loads successfully.

<script type="text/javascript" src="resource:///defaults/preferences/%23tor.js" onload="alert('Tor Browser');"></script>

comment:10 in reply to: 9 Changed 5 years ago by dcf

Replying to dcf:

It tests for Tor Browser by trying to load a script from a resource URL

AKA #8725.
