Opened 7 years ago

Closed 4 years ago

#7446 closed defect (fixed)

TorButton should not fixup .onion domains

Reported by: sjmurdoch
Owned by: cypherpunks
Priority: Medium
Component: Applications/Tor Browser
Keywords: tbb-firefox-patch, tbb-pref, tbb-isec-report, tbb-5.0-regression, TorBrowserTeam201509
Cc: g.koppen@…, intrigeri

Description

I received the following email, which might be worth investigating:

Sorry to bother you with this, but didn't know who else to contact.

Defaults (about:config) for TorBrowser should include:

browser.fixup.alternate.enabled;false

to prevent injecting www. & .com on timed-out sites.

Thanks for all your great work; it means a lot to a lot of people.

Attachments (1)

dont_fixup_onions.patch (1.0 KB) - added by garrettr 6 years ago.
Don't run the "alternate URI" fixup logic for .onion URI's

Change History (20)

comment:1 Changed 7 years ago by mikeperry

Component: Torbutton → TorBrowserButton
Owner: set to mikeperry

I don't understand what we should be worried about here. As far as I can tell, fixup is *not* applied if the URL already had what appeared to be a valid TLD suffix...

comment:2 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:3 in reply to:  1 Changed 7 years ago by rransom

Replying to mikeperry:

I don't understand what we should be worried about here. As far as I can tell, fixup is *not* applied if the URL already had what appeared to be a valid TLD suffix...

I have seen it applied to .onion hostnames.

comment:4 Changed 7 years ago by mikeperry

Component: TorBrowserButton → Firefox Patch Issues
Priority: normal → major

.onion does sound like a more serious problem. Would adding .onion to the list of TLD's Firefox decides not to fixup be an acceptable solution? Or should we consider that a separate ticket/issue?

comment:5 Changed 7 years ago by Casemon

Yes, this is in relation to .onion hostnames getting fixed up.

Given how many .onion sites require a longer time to load, it seems a reasonable fix to add .onion to the list of TLDs Firefox does not fixup.

comment:6 Changed 7 years ago by mo

I still see Tor Browser adding www. to .onion's when they time out (which happens quite often with hidden services).

comment:7 Changed 7 years ago by mikeperry

Owner: changed from mikeperry to cypherpunks
Priority: major → normal
Status: new → assigned
Summary: "TorButton should set browser.fixup.alternate.enabled to false" → "TorButton should not fixup .onion domains"

This doesn't strike me as a security or privacy issue per-se. Patches welcome.

comment:8 Changed 6 years ago by ioerror

I think this is a rather bad security issue if we consider the SecureDrop use case:

https://github.com/freedomofpress/securedrop/issues/196

Changed 6 years ago by garrettr

Attachment: dont_fixup_onions.patch added

Don't run the "alternate URI" fixup logic for .onion URI's

comment:9 Changed 6 years ago by mikeperry

I just tested a few alternate .onion domains, some that simply don't exist and some that were invalid. In neither case did TBB seem to attempt a fixup to .com...

comment:10 Changed 6 years ago by mikeperry

FWIW, I was testing on a FF24esr-based build. It's possible the fixup behavior has changed since FF17.

comment:11 Changed 5 years ago by erinn

Keywords: tbb-firefox-patch added

comment:12 Changed 5 years ago by erinn

Component: Firefox Patch Issues → Tor Browser

comment:13 Changed 5 years ago by mikeperry

Keywords: tbb-pref isec-audit added

comment:14 Changed 5 years ago by mikeperry

Keywords: tbb-isec-report added; isec-audit removed

comment:15 Changed 5 years ago by intrigeri

Cc: intrigeri added

comment:16 Changed 4 years ago by mikeperry

Keywords: tbb-5.0-regression TorBrowserTeam201508 added

I just noticed a fixup happen in TBB 5.0 for a .onion domain. Either the behavior changed again in FF38, or this is extremely erratic. In any case, it seems like we should either disable it or apply garrett's patch.

comment:17 Changed 4 years ago by mcs

I was not able to get fixups to happen with .onion domains in my 5.5a1 build. For regular domains, e.g., "store.apple", I could only get fixups to occur (e.g., add "www" prefix) when I hacked my browser to not use a proxy. Maybe there is some difference in DNS failure modes with Tor that causes the fixup code to not be executed most of the time.

In any case, I am not a fan of this feature. I always run with browser.fixup.alternate.enabled = false and would vote for making that the default in Tor Browser.

I wonder if anyone relies on this feature? Since we have keyword.enabled = true by default, single words will trigger a search. Is there a common situation where the fixup behavior is useful?

comment:18 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201509 added; TorBrowserTeam201508 removed

Move remaining August tickets to September.

comment:19 Changed 4 years ago by mikeperry

Resolution: fixed
Status: assigned → closed

Ok, I flipped the pref to disable fixup for 5.0.3 and 5.5a3. Pushed.
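
The two mitigations debated in this ticket, side by side, as an added example that is not part of the ticket, Firefox's source or garrettr's patch. It is a simplified model: the `www.` and `.com` values come from the report above, while the dot-count rule, the helper names and the sample hostnames are assumptions made for illustration.

```javascript
// Simplified model of the "alternate URI" fixup discussed in this ticket.
// Assumption: the retry is only built for hosts with zero or one dot.
const DEFAULT_PREFS = {
  "browser.fixup.alternate.enabled": true, // value before the change in comment:19
  "browser.fixup.alternate.prefix": "www.",
  "browser.fixup.alternate.suffix": ".com",
};

// Hypothetical helper: true for any host under the .onion TLD.
function isOnionHost(host) {
  return /(^|\.)onion\.?$/i.test(host);
}

// Returns the host that would be retried after a failed load, or null if
// no alternate is attempted.
function alternateHost(host, prefs = DEFAULT_PREFS, { exemptOnion = false } = {}) {
  // Mitigation 1 (comment:19): the pref is off, so no fixup for any host.
  if (!prefs["browser.fixup.alternate.enabled"]) return null;
  // Mitigation 2 (comment:4 and the attached patch's description):
  // leave .onion hosts alone, keep the fixup for everything else.
  if (exemptOnion && isOnionHost(host)) return null;

  const prefix = prefs["browser.fixup.alternate.prefix"];
  const suffix = prefs["browser.fixup.alternate.suffix"];
  const dots = (host.match(/\./g) || []).length;
  if (dots === 0) return prefix + host + suffix;
  if (dots === 1) {
    // Host already carries the prefix: only the suffix is appended.
    if (host.toLowerCase().startsWith(prefix)) return host + suffix;
    return prefix + host;
  }
  return null;
}

// Constructed sample hosts; the .onion name is a placeholder, not a real service.
const SAMPLE_HOSTS = ["examplehiddenservice.onion", "store.apple", "example"];

// Compare what each configuration would retry for every sample host.
function compareMitigations(hosts = SAMPLE_HOSTS) {
  const prefOff = { ...DEFAULT_PREFS, "browser.fixup.alternate.enabled": false };
  return hosts.map((host) => ({
    host,
    unpatched: alternateHost(host),
    onionExempt: alternateHost(host, DEFAULT_PREFS, { exemptOnion: true }),
    prefDisabled: alternateHost(host, prefOff),
  }));
}
```

The comparison shows the trade-off in the thread: exempting `.onion` keeps the fixup for regular domains, while flipping the pref removes it everywhere.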
