Opened 4 years ago

Closed 4 years ago

#9391 closed defect (fixed)

PT TBBs out-of-date

Reported by: arma
Owned by:
Priority: Medium
Milestone:
Component: Webpages/Website
Version:
Severity:
Keywords: flashproxy
Cc: runa, dcf, asn
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The pluggable transport tor browser bundles still include a vulnerable version of Firefox. We have nobody whose job is to build new versions.

I've disabled the links from https://www.torproject.org/projects/obfsproxy.html.en until we have new versions. Ideally we would also build a plan for how to maintain them going forward too.

Attachments (1)

HTTPS_Everywhere.jpg (35.8 KB) - added by mrphs 4 years ago.
Screenshot-HTTPS-Everywhere-PT-TBB-vs-TBB


Change History (23)

comment:1 Changed 4 years ago by dcf

Keywords: flashproxy added
Status: new → needs_review

I made bundles based on 2.4.15-beta-1. These use flashproxy 1.2 (a5cdc109), obfsproxy 37c9cbe6, and pyptlib 0.0.3 (cb76e10f).

https://people.torproject.org/~dcf/pt-bundle/2.4.15-beta-1-pt1/

I tested myself that all four bundles run and bootstrap. Phoul and Yawning have positive test results on IRC.

comment:2 Changed 4 years ago by asn

x86_64 works for me!

Let's get an ACK for the Windows and Mac versions and publish them on the website.

comment:3 Changed 4 years ago by dcf

I saw on IRC that new vanilla bundles with 17.0.8esr are coming soon, so I guess we should wait and redo the PT bundles with those when they come out.

Changed 4 years ago by mrphs

Attachment: HTTPS_Everywhere.jpg added

Screenshot-HTTPS-Everywhere-PT-TBB-vs-TBB

comment:4 Changed 4 years ago by mrphs

Tested on OS X 10.8.4
Everything seems okay except I see an extra weird "1" on the HTTPS Everywhere icon.
Screenshot of PT TBB vs TBB is attached.

And got rejected from a server:

Aug 07 16:16:15.786 [Warning] Proxy Client: unable to connect to xx.xx.xx.xx:54542 ("server rejected connection")

Considering PT TBBs are the only way to connect to the Tor network for some users, is there any chance to temporarily update the dist with David's new bundles?

comment:5 in reply to: 4 Changed 4 years ago by dcf

Replying to mrphs:

> Tested on OS X 10.8.4
> Everything seems okay except I see an extra weird "1" on the HTTPS Everywhere icon.
> Screenshot of PT TBB vs TBB is attached.

Hmm, weird. I also saw that number "1" tooltip when testing the x86 bundle on an Ubuntu live CD. I assumed at the time that it was a part of the Unity interface I didn't understand (because I use the meta-1 key combination on my desktop and Unity also uses it).

comment:6 Changed 4 years ago by mrphs

Successfully tested on Win 7
Got rejected from the exact same server again and the interesting part was AVG finding Flashproxy-client.exe a threat!

comment:8 in reply to: 5 Changed 4 years ago by dcf

Replying to dcf:

> Replying to mrphs:
>
> > Tested on OS X 10.8.4
> > Everything seems okay except I see an extra weird "1" on the HTTPS Everywhere icon.
> > Screenshot of PT TBB vs TBB is attached.
>
> Hmm, weird. I also saw that number "1" tooltip when testing the x86 bundle on an Ubuntu live CD. I assumed at the time that it was a part of the Unity interface I didn't understand (because I use the meta-1 key combination on my desktop and Unity also uses it).

I see the tooltip on all platforms now that I'm looking for it. I think it's an HTTPS Everywhere thing. Maybe it's the number of rules loaded for the current page? I saw it go up to 3 at one point and go back down to 1.

comment:9 in reply to: 6 Changed 4 years ago by dcf

Replying to mrphs:

> Successfully tested on Win 7
> Got rejected from the exact same server again and the interesting part was AVG finding Flashproxy-client.exe a threat!

Thanks for testing that. I don't have AVG but VirusTotal doesn't detect anything in the 2.4.15-beta-2-pt1 flashproxy-client.exe nor obfsproxy.exe.

https://www.virustotal.com/en/file/5e698b0e759e6adb553c8b1d369be074662446446bcb3db89b9c36bed5f41cff/analysis/
https://www.virustotal.com/en/file/f75a997308b689335aea9705bf7df57eea0636cb7c2eb7d75bcac41389f0f84f/analysis/

comment:10 Changed 4 years ago by dcf

Do we think these bundles are ready to go? I can blog them when they are ready. Should I wait until they are moved to dist or link them from people.torproject.org/~dcf? Here is the previous announcement:

https://blog.torproject.org/blog/pluggable-transports-bundles-2412-alpha-2-pt1-firefox-1706esr

comment:11 Changed 4 years ago by dcf

Blogged here.

Leaving open because we don't yet have a plan for keeping them up to date in the future.

comment:12 Changed 4 years ago by mrphs

And here's the Fa-blog post.

Now that the "Tor 0.2.4.16-rc" is out, Torbutton will start blinking and warning users to update their bundles :/

comment:13 in reply to: 12 Changed 4 years ago by dcf

Replying to mrphs:

> And here's the Fa-blog post.
>
> Now that the "Tor 0.2.4.16-rc" is out, Torbutton will start blinking and warning users to update their bundles :/

Thanks for the blog post. Here are 2.4.16-beta-1-pt1 packages I built yesterday.

https://people.torproject.org/~dcf/pt-bundle/2.4.16-beta-1-pt1/

comment:14 Changed 4 years ago by arma

I put them up.

You (or somebody) should bug helix (or somebody) to take 2.4.15-beta-2 out of the https://check.torproject.org/RecommendedTBBVersions file. (I asked her to put it in, so your old PT TBB users would stop getting the upgrade flashing thing.)

comment:15 Changed 4 years ago by arma

dcf, do you have an svn account for committing to the website? Do you have a login on www-master aka vescum? We should get you both of these things.

comment:16 in reply to: 13 Changed 4 years ago by mrphs

Replying to dcf:

> Thanks for the blog post. Here are 2.4.16-beta-1-pt1 packages I built yesterday.
>
> https://people.torproject.org/~dcf/pt-bundle/2.4.16-beta-1-pt1/

Thank you! Works fine on OS X 10. I'll update my blog post with these bundles.

comment:17 in reply to: 14 Changed 4 years ago by erinn

Replying to arma:

> I put them up.
>
> You (or somebody) should bug helix (or somebody) to take 2.4.15-beta-2 out of the https://check.torproject.org/RecommendedTBBVersions file. (I asked her to put it in, so your old PT TBB users would stop getting the upgrade flashing thing.)

Committed & pushed. Will take a while for it to be live, but I don't know how long.

comment:18 in reply to: 11 Changed 4 years ago by arma

Replying to dcf:

> Leaving open because we don't yet have a plan for keeping them up to date in the future.

How are we doing at this one?

I ask because Firefox 17.0.9 is out, so we will very shortly be having this problem again.

comment:19 Changed 4 years ago by runa

What does it take to build new versions (in terms of hardware, installed packages, free space, memory, etc)? Do we have functional build instructions for all operating systems?

comment:20 in reply to: 19 Changed 4 years ago by runa

Replying to runa:

> What does it take to build new versions (in terms of hardware, installed packages, free space, memory, etc)? Do we have functional build instructions for all operating systems?

This ticket contains some documentation: https://trac.torproject.org/projects/tor/ticket/8416

comment:21 in reply to: 18 Changed 4 years ago by dcf

Replying to arma:

> Replying to dcf:
>
> > Leaving open because we don't yet have a plan for keeping them up to date in the future.
>
> How are we doing at this one?
>
> I ask because Firefox 17.0.9 is out, so we will very shortly be having this problem again.

I started trying to build tbb-3.0, which is the first step in getting pluggable transports into the deterministic build (#9444), which I hope means that the PT bundles will start getting built as a side effect of the tbb-3.0 bundles. I had some trouble in #9752, but I started again on real hardware rather than a VM.

I'm able to build PT bundles this week once the vanilla 17.0.9 bundles are ready.

comment:22 Changed 4 years ago by dcf

Resolution: fixed
Status: needs_review → closed

Pluggable transports are now part of the normal bundles.
https://blog.torproject.org/blog/tor-browser-36-beta-1-released
