Feature #17130

Unsafe Browser based on Tor Browser 9.0a7 makes connections to the Internet which are not user initiated

Added by intrigeri 2019-10-08 09:31:25. Updated 2019-10-09 07:08:17.

Status: Resolved
Priority: Elevated
Assignee:
Category:
Target version:
Start date:
Due date:
% Done: 0%
Feature Branch: feature/16356-tor-browser-9.0+force-all-tests
Type of work: Code
Blueprint:
Starter:
Affected tool: Unsafe Browser
Deliverable for:

Description

Spotted by our test suite:

Unexpected connections were made:
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=59237, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=45778, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=60285, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=45170, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=50288, dport=53, saddr="10.2.1.186", daddr="10.2.1.1">
  #<OpenStruct mac_saddr="50:54:00:23:e9:fd", mac_daddr="52:54:00:9e:0d:2a", protocol="udp", sport=34249, dport=53, saddr="10.2.1.186", daddr="10.2.1.1"> (FirewallAssertionFailedError)
./features/support/helpers/firewall_helper.rb:109:in `assert_all_connections'
./features/step_definitions/common_steps.rb:465:in `/^all Internet traffic has only flowed through Tor$/'
features/unsafe_browser.feature:65:in `And all Internet traffic has only flowed through Tor'

Is this our test suite setting the bar too high and these requests are actually acceptable?
Or is our test suite setting the bar at the right height and we should fix that in the Unsafe Browser?


Related issues

Related to Tails - Bug #17159: Tor Browser displays an "Update Failed" pop-up Confirmed
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

History

#1 Updated by intrigeri 2019-10-08 09:31:44

#2 Updated by segfault 2019-10-08 10:18:46

  • Assignee set to segfault

#3 Updated by segfault 2019-10-08 10:46:20

Those seem to be DNS requests for “non-existent.tails.boum.org”, which we set as the update URL.

I got this output from tcpdump:

IP 192.168.122.181.34072 > 192.168.122.1.53: 53132+ A? non-existent.tails.boum.org. (45)

#4 Updated by segfault 2019-10-08 10:57:04

I don’t think we want the Unsafe Browser to send DNS requests for a Tails-specific domain name via the clearnet. So we should not change the update URL in the Unsafe Browser.

In e43247dd2558dd391342855796e18c3186a43807 intrigeri says that enabling app.update.disabledForTesting should be enough to disable updates. So I will remove the app.update.url pref and will test if the update check is still disabled and the Unsafe Browser doesn’t send DNS requests without user interaction anymore.

#5 Updated by anonym 2019-10-08 11:37:03

segfault wrote:
> In e43247dd2558dd391342855796e18c3186a43807 intrigeri says that enabling app.update.disabledForTesting should be enough to disable updates. So I will remove the app.update.url pref and will test if the update check is still disabled and the Unsafe Browser doesn’t send DNS requests without user interaction anymore.

If it’s still a problem, let’s try a local host for app.update.url, like https://127.0.0.1/dev/null.

#6 Updated by segfault 2019-10-08 12:17:45

segfault wrote:
> In e43247dd2558dd391342855796e18c3186a43807 intrigeri says that enabling app.update.disabledForTesting should be enough to disable updates. So I will remove the app.update.url pref and will test if the update check is still disabled and the Unsafe Browser doesn’t send DNS requests without user interaction anymore.

Now I see DNS requests for aus1.torproject.org:

12:14:47.853183 IP 192.168.122.24.55193 > 192.168.122.1.53: 61062+ A? aus1.torproject.org. (37)
12:14:47.853543 IP 192.168.122.1.53 > 192.168.122.24.55193: 61062 4/0/0 CNAME static.torproject.org., A 95.216.163.36, A 82.195.75.101, A 116.202.120.165 (120)

anonym wrote:
> If it’s still a problem, let’s try a local host for app.update.url, like https://127.0.0.1/dev/null.

Yes, I will try that.

#7 Updated by segfault 2019-10-08 14:57:04

segfault wrote:
> anonym wrote:
> > If it’s still a problem, let’s try a local host for app.update.url, like https://127.0.0.1/dev/null.
>
> Yes, I will try that.

That seems to have solved it.
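
Added example, not part of the original thread and not code from the Tails test suite: a Ruby check that reads `tcpdump -n` text output and lists the DNS names sent to a resolver off the host, which is the evidence used above to trace the unexpected UDP port 53 traffic to the update URL. The function names, the `expected` allowlist and the sample capture are assumptions made for this example.

```ruby
require 'ipaddr'

# Matches DNS query lines as printed by `tcpdump -n`, for example
#   IP 192.168.122.181.34072 > 192.168.122.1.53: 53132+ A? name. (45)
# Responses come from port 53 rather than going to it, so they do not match.
QUERY_RE = /
  \bIP\s+
  \d+\.\d+\.\d+\.\d+\.\d+\s+>\s+          # source address and port
  (?<dst>\d+\.\d+\.\d+\.\d+)\.53:\s+      # resolver address, port 53
  \d+[+%]*\s+                             # query id and flags
  (?:\[[^\]]*\]\s+)?                      # optional section counts like [1au]
  (?<type>[A-Z0-9]+)\?\s+(?<name>\S+?)\.?\s
/x

LOOPBACK = IPAddr.new('127.0.0.0/8')

# Returns { "name" => count } for queries sent to a non-loopback resolver.
def clearnet_dns_queries(capture_text)
  counts = Hash.new(0)
  capture_text.each_line do |line|
    m = QUERY_RE.match(line) or next
    next if LOOPBACK.include?(IPAddr.new(m[:dst]))
    counts[m[:name].downcase] += 1
  end
  counts
end

# Names looked up although no user action explains them.
# `expected` is a hypothetical allowlist of names the test itself visited.
def unexpected_names(capture_text, expected: [])
  clearnet_dns_queries(capture_text).keys - expected.map(&:downcase)
end

# Constructed sample in the format of the tcpdump lines quoted in this issue;
# the last two lines are invented to show an allowed and a loopback query.
SAMPLE = <<~CAP
  IP 192.168.122.181.34072 > 192.168.122.1.53: 53132+ A? non-existent.tails.boum.org. (45)
  12:14:47.853183 IP 192.168.122.24.55193 > 192.168.122.1.53: 61062+ A? aus1.torproject.org. (37)
  12:14:47.853543 IP 192.168.122.1.53 > 192.168.122.24.55193: 61062 4/0/0 CNAME static.torproject.org., A 95.216.163.36 (120)
  12:15:02.100000 IP 192.168.122.24.40112 > 192.168.122.1.53: 1234+ AAAA? example.com. (29)
  12:15:03.000000 IP 127.0.0.1.40113 > 127.0.0.1.53: 4321+ A? localhost-only.test. (37)
CAP

puts unexpected_names(SAMPLE, expected: ['example.com']) if __FILE__ == $PROGRAM_NAME
```

An update URL that is a literal loopback address, as tried in this thread, needs no name resolution, so a capture taken after the fix should yield an empty list when the browser is left idle.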

#8 Updated by segfault 2019-10-08 14:57:21

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|0c7881cff8f2d6542efdd7870e0281397546c3bd.

#9 Updated by segfault 2019-10-08 14:57:45

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (segfault)
  • Feature Branch set to feature/16356-tor-browser-9.0+force-all-tests

#10 Updated by intrigeri 2019-10-09 06:26:25

  • Assignee set to intrigeri

#11 Updated by intrigeri 2019-10-09 07:06:11

  • Type of work changed from Discuss to Code

#12 Updated by intrigeri 2019-10-09 07:08:17

  • Status changed from Needs Validation to Resolved
  • Assignee deleted (intrigeri)

Ooh yeah!

#13 Updated by intrigeri 2019-10-17 08:12:49

  • related to Bug #17159: Tor Browser displays an "Update Failed" pop-up added