Project

General

Profile

Feature #17130

Feature #16356: Upgrade to Tor Browser 9.0 (based on Firefox 68)

Unsafe Browser based on Tor Browser 9.0a7 makes connections to the Internet which are not user initiated

Added by intrigeri 5 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Elevated
Assignee:
-
Category:
-
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
feature/16356-tor-browser-9.0+force-all-tests
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Unsafe Browser

Description

Spotted by our test suite:

Unexpected connections were made:
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=59237, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=45778, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=60285, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=45170, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=50288, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=34249, dport=53, saddr="10.2.1.186", daddr="10.2.1.1"> (FirewallAssertionFailedError)
./features/support/helpers/firewall_helper.rb:109:in `assert_all_connections'
./features/step_definitions/common_steps.rb:465:in `/^all Internet traffic has only flowed through Tor$/'
features/unsafe_browser.feature:65:in `And all Internet traffic has only flowed through Tor'

Is this our test suite setting the bar too high and these requests are actually acceptable?
Or is our test suite setting the bar at the right height and we should fix that in the Unsafe Browser?


Related issues

Related to Tails - Bug #17159: Tor Browser displays an "Update Failed" pop-up Confirmed
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

Associated revisions

Revision 0c7881cf (diff)
Added by segfault 5 months ago

Set app.update.url to localhost (refs: #17130)

Setting it to a domain name causes the Unsafe Browser to send clearnet
DNS requests.

History

#1 Updated by intrigeri 5 months ago

#2 Updated by segfault 5 months ago

  • Assignee set to segfault

#3 Updated by segfault 5 months ago

Those seem to be DNS requests for "non-existent.tails.boum.org", which we set as the update URL.

I got this output from tcpdump:

IP 192.168.122.181.34072 > 192.168.122.1.53: 53132+ A? non-existent.tails.boum.org. (45)

#4 Updated by segfault 5 months ago

I don't think we want the Unsafe Browser to send DNS requests for a Tails-specific domain name via the clearnet. So we should not change the update URL in the Unsafe Browser.

In e43247dd2558dd391342855796e18c3186a43807 intrigeri says that enabling app.update.disabledForTesting should be enough to disable updates. So I will remove the app.update.url pref and will test if the update check is still disabled and the Unsafe Browser doesn't send DNS requests without user interaction anymore.

#5 Updated by anonym 5 months ago

segfault wrote:

In e43247dd2558dd391342855796e18c3186a43807 intrigeri says that enabling app.update.disabledForTesting should be enough to disable updates. So I will remove the app.update.url pref and will test if the update check is still disabled and the Unsafe Browser doesn't send DNS requests without user interaction anymore.

If it's still a problem, let's try a local host for app.update.url, like https://127.0.0.1/dev/null.

#6 Updated by segfault 5 months ago

segfault wrote:

In e43247dd2558dd391342855796e18c3186a43807 intrigeri says that enabling app.update.disabledForTesting should be enough to disable updates. So I will remove the app.update.url pref and will test if the update check is still disabled and the Unsafe Browser doesn't send DNS requests without user interaction anymore.

Now I see DNS requests for aus1.torproject.org:

12:14:47.853183 IP 192.168.122.24.55193 > 192.168.122.1.53: 61062+ A? aus1.torproject.org. (37)
12:14:47.853543 IP 192.168.122.1.53 > 192.168.122.24.55193: 61062 4/0/0 CNAME static.torproject.org., A 95.216.163.36, A 82.195.75.101, A 116.202.120.165 (120)

anonym wrote:

If it's still a problem, let's try a local host for app.update.url, like https://127.0.0.1/dev/null.

Yes, I will try that.

#7 Updated by segfault 5 months ago

segfault wrote:

anonym wrote:

If it's still a problem, let's try a local host for app.update.url, like https://127.0.0.1/dev/null.

Yes, I will try that.

That seems to have solved it.

#8 Updated by segfault 5 months ago

  • Status changed from Confirmed to In Progress

#9 Updated by segfault 5 months ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (segfault)
  • Feature Branch set to feature/16356-tor-browser-9.0+force-all-tests

#10 Updated by intrigeri 5 months ago

  • Assignee set to intrigeri

#11 Updated by intrigeri 5 months ago

  • Type of work changed from Discuss to Code

#12 Updated by intrigeri 5 months ago

  • Status changed from Needs Validation to Resolved
  • Assignee deleted (intrigeri)

Ooh yeah!

#13 Updated by intrigeri 4 months ago

  • Related to Bug #17159: Tor Browser displays an "Update Failed" pop-up added

Also available in: Atom PDF