Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6803 closed defect (fixed)

Firefox 15-based TBB: "proxy server refusing connections" to check.tpo

Reported by: erinn Owned by:
Priority: Very High Milestone:
Component: TorBrowserButton Version:
Severity: Keywords: MikePerry201209, tbb-rebase
Cc: admin@…, nickm Actual Points: 8
Parent ID: Points:
Reviewer: Sponsor:

Description

In the recent alpha testing bundles, Runa and I have both confirmed that on Linux and OSX, going to check.torproject.org results in Firefox claiming that the proxy server is refusing connections. We were both able to browse around to other websites. I know there's some magic communication between torbutton and check.tpo so I'm assuming the problem is there.

I've assigned this a priority of blocker because I cannot release the new bundles until it is fixed, but I hope my decision to do so does not cause you to have a heart attack, Mike.

Child Tickets

Attachments (2)

torbutton-1.4.6.2pre1.xpi (804.0 KB) - added by mikeperry 7 years ago.
Pre-release of Torbutton 1.4.6.2 that fixes the proxy issue for me
wiki.jpg (647 bytes) - added by DeanKolt 6 years ago.
One of the key elements here is located in the source code is the fact that cc and bcc are located within http://www.acheapcarinsurance.net as a part of it's header http://www.bohemjewel.com source code.

Download all attachments as: .zip

Change History (20)

comment:1 Changed 7 years ago by mikeperry

Keywords: MikePerry201209 added

Hrmm.. If this is specific to check.torproject.org, it might actually be due to new code in HTTPS-Everywhere..

comment:2 Changed 7 years ago by mikeperry

Priority: blockercritical

The test to rule out an HTTPS-Everywhere issue could be to install 2.0 instead. https://www.eff.org/https-everywhere.

Either way, I won't really have time to look into this for a while. I also don't think it blocks an alpha release. Just mention it. Maybe someone will figure out at least the offending component/change for us?

comment:3 Changed 7 years ago by runa

I tried HTTPS-Everywhere 2.1 on Linux and still have the same problem with TBB.

comment:4 Changed 7 years ago by mikeperry

Does check load if you attempt to access it directly?

comment:5 Changed 7 years ago by mikeperry

Also, if some check urls work and some don't, that also would be useful info.

Here is the check URL that works for TBB-2.2:
https://check.torproject.org/?lang=en-US&small=1&uptodate=1

It is stored in browser.startup.homepage in about:config.

What value is ending up as your check URL? and what is the value of browser.startup.homepage?

comment:6 Changed 7 years ago by phoul

Cc: admin@… added

comment:7 Changed 7 years ago by erinn

Testing on a both normal and obfsproxy bundles on OSX (32-bit and 64-bit), same result on all:

My argument that this is a blocker is primarily that some people rely on the obfsproxy bundles and they are only available as alpha bundles. While I understand that this doesn't actually affect how TBB works for any site except check.tpo, check.tpo is the first site it goes to and it looks like the bundle doesn't work. We can certainly issue a warning that there's some weird bug here, but I'd really love to get it fixed instead. Is there anything I can do to help with that? Right now I can't even downgrade them to 1.4.6 because of the sandbox exceptions... not a lot of great options.

comment:8 Changed 7 years ago by mikeperry

Actual Points: 2

Ok. Well, I traced this down to our nsIProtocolProxyFilter in Torbutton, which we were using to force our addon updates over Tor for Toggle mode users. Apparently in Firefox 15, it looks like they are now performing some kind of caching on the proxy argument to that filter, so that old proxy settings were getting passed through there from before we changed them based on the env var at startup.

I have no idea why they would cache the variable on a per-domain basis, but simply commenting out the proxy service observer in torbutton was enough to fix it in for me. Since we don't officially support toggle anymore, this hack to disable the filter entirely should be good enough for now.

However, HTTPS-Everywhere relies on the same filter API, so I guess we'll want to keep an eye on that.

I should be able publish a Torbutton release with this fix today or tomorrow.

comment:9 Changed 7 years ago by erinn

Cc: nickm added

Sorry to pour gasoline on your fire, Mike, but we have a very urgent set of releases for 0.2.2.x and 0.2.3.x (see #6811 for more info). I have to release new packages ASAP... Nick and I are currently trying to decide whether it's worth delaying the 0.2.3.x TBBs for your new Torbutton. I'm not trying to pressure you one way or another, but do you have a better timeframe in mind? I'd like to avoid doing two urgent releases back to back if possible, but I probably can't delay for very long. ("Not very long" = tomorrow morning GMT, let's say before 11am.) Adding Nick to Cc in case he wants to be kept in the loop or thinks I am crazy with that timing.

comment:10 Changed 7 years ago by mikeperry

Summary: torbutton 1.4.6.1 "proxy server refusing connections" to check.tpoFirefox 15-based TBB: "proxy server refusing connections" to check.tpo

I should be able publish a Torbutton release with this fix today or tomorrow. In the past, torbutton releases take just shy of a day of wallclock to complete at best. Exact timing depends on how fast the transifex update runs or if I skip it.

Do we need a TBB-beta series that has obfsproxy, tor 0.2.3.x, and FF 10.x ESR? Can we build all three of TBB-alpha, TBB-beta, and TBB-stable? It is starting to sound like need to..

If you able to create a TBB-beta with FF 10.x-ESR before tomorrow, perhaps that is the best route for the immediate term. Then we can work on fixing this for the next TBB-alpha build after that.

comment:11 Changed 7 years ago by mikeperry

Man. I just realized I misdiagnosed this bug. It is not the proxy filter. It's something else FF15-specific. Fixing this by today just became less likely. We might want to make a TBB-beta branch if we need to start building a new TBB release sooner than tomorrow.

comment:12 Changed 7 years ago by mikeperry

Ok, more analysis: Something in FF15 definitely is caching proxy settings by url. Manually altering my proxy settings to new values allows previously loaded urls to still use the old proxy settings. Wow, good thing we jumped off the toggle ship early.

So the reason check.tp.o is failing is because the browser homepage is actually attempting to load *before* we set new proxy settings from our env vars, which causes it to use the original proxy settings (the previously set, now broken ones) for all subsequent loads.

I can try moving our proxy settings updates to an early-loaded XPCOM component and see if that helps...

The good news is that since they don't use a randomized socks port, I think our Windows builds should be fine...

comment:13 Changed 7 years ago by erinn

I don't think right now is the time to make (or discuss) a third branch of TBB.

How about this: I'll set the Linux and OSX bundles to use fixed ports for now. Then we get all of our security updates, the bundles work properly (albeit very slightly differently than they did before), I don't have to make yet another branch of TBB, and you get some more time for Torbutton. Sound good?

comment:14 in reply to:  13 Changed 7 years ago by erinn

Replying to erinn:

I'll set the Linux and OSX bundles to use fixed ports for now. Then we get all of our security updates, the bundles work properly (albeit very slightly differently than they did before), I don't have to make yet another branch of TBB, and you get some more time for Torbutton. Sound good?

I ended up doing this. I think it's mostly win-win, except for the few people who find it conflicts with any Tor they already have running. Let's revisit the three-branch discussion once Torbutton's done?

Changed 7 years ago by mikeperry

Attachment: torbutton-1.4.6.2pre1.xpi added

Pre-release of Torbutton 1.4.6.2 that fixes the proxy issue for me

comment:15 Changed 7 years ago by mikeperry

Actual Points: 26

Ok. That test xpi seems to fix the issue for me. Would be great if someone could confirm.

I will start the release process in the meantime.

comment:16 Changed 7 years ago by mikeperry

In case anyone was waiting for a signed official copy, you can now get them at https://www.torproject.org/dist/torbutton/torbutton-1.4.6.2.xpi and https://www.torproject.org/dist/torbutton/torbutton-1.4.6.2.xpi.asc.

Not sure how long I'm going to wait until I sign that copy for updates.. Maybe a couple hours?

comment:17 Changed 7 years ago by mikeperry

Actual Points: 68
Resolution: fixed
Status: newclosed

I guess this was fixed.

comment:18 Changed 7 years ago by mikeperry

Component: TorbuttonTorBrowserButton
Keywords: tbb-rebase added

Changed 6 years ago by DeanKolt

Attachment: wiki.jpg added

One of the key elements here is located in the source code is the fact that cc and bcc are located within http://www.acheapcarinsurance.net as a part of it's header http://www.bohemjewel.com source code.

Note: See TracTickets for help on using tickets.