Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-01-10 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201805,  |  Actual Points:
            https-everywhere                     |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------------
Changes (by gk):

 * status:  reopened => new


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-05-28 Thread Tor Bug Tracker & Wiki
Changes (by rustybird):

 * Attachment "Bug-10394-Disable-HTTPS-Everywhere-addon-updates.patch"
 added.




Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-05-28 Thread Tor Bug Tracker & Wiki

Comment (by rustybird):

 Here's a small patch.

 I tested it on top of TB 9.0.10 (rezipped omni.ja), with
 `extensions.update.interval` set to `60` seconds, by watching requests via
 `SETEVENTS STREAM` on a tor control port: The eff.org version check ping
 is gone. It's even more obvious if the NoScript ID is added to the patch
 as well, then there's no update traffic at all.



Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-05-28 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201805,  |  Actual Points:
            https-everywhere                     |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------------
Changes (by rustybird):

 * status:  new => needs_review




Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-05-28 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam202005R, |  Actual Points:
            https-everywhere                     |
Parent ID:                                       |         Points:
 Reviewer:  gk                                   |        Sponsor:
-------------------------------------------------+---------------------------
Changes (by gk):

 * keywords:  tbb-security, TorBrowserTeam201805, https-everywhere =>
 tbb-security, TorBrowserTeam202005R, https-everywhere
 * reviewer:   => gk


Comment:

 Nice, thanks!



Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-06-06 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, https-everywhere,      |  Actual Points:
            TorBrowserTeam202006R                |
Parent ID:                                       |         Points:
 Reviewer:  gk                                   |        Sponsor:
-------------------------------------------------+---------------------------
Changes (by gk):

 * status:  needs_review => needs_information


Comment:

 Replying to [comment:40 rustybird]:
 > Here's a small patch.
 >
 > I tested it on top of TB 9.0.10 (rezipped omni.ja), with
 > `extensions.update.interval` set to `60` seconds, by watching requests via
 > `SETEVENTS STREAM` on a tor control port: The eff.org version check ping
 > is gone. It's even more obvious if the NoScript ID is added to the patch
 > as well, then there's no update traffic at all.

 The permission path is an interesting idea. I had some hope we could get
 this ticket fixed without carrying yet another patch for it with us but I
 like the UX changes etc. we basically get for free with it. Plus no
 changes needed to the extension whatsoever and no weird console error
 messages either.

 Maybe we could include this patch as part of our "don't block our unsigned
 extensions" patch where HTTPS-Everywhere is the only extension left
 anyway.

 rustybird: have you checked whether the ruleset updates are unaffected by
 your patch (because those are updates we want to keep getting)?



Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-06-06 Thread Tor Bug Tracker & Wiki

Comment (by rustybird):

 Replying to [comment:44 gk]:

 > Maybe we could include this patch as part of our "don't block our
 > unsigned extensions" patch where HTTPS-Everywhere is the only extension
 > left anyway. Would be easy to make this into a "treat https-e special"
 > patch.

 If the [https://lists.torproject.org/pipermail/tbb-dev/2017-April/000530.html plan]
 still is to eventually disable NoScript updates too, then it might be
 simpler to keep the patch separate and later add a fixup checking for the
 NoScript ID as well. Just a thought.

 > rustybird: have you checked whether the ruleset updates are unaffected
 > by your patch

 Yes, they still work: There are connections to
 `www.https-rulesets.org:443` and `securedrop.org:443`. And when I start
 with an old HTTPS Everywhere version that includes an outdated ruleset,
 the `rulesets-timestamp` fields in
 `browser-extension-data/https-everywhere-e...@eff.org/storage.js` show
 that those updates are applied.

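The check described in the two comments above (watch `STREAM` events on a tor control port, confirm the eff.org version check is gone while the ruleset hosts are still contacted) can be scripted over a captured event log. This is an added example, not part of the ticket or of the attached patch; the event lines are constructed, and treating every eff.org stream as the add-on version check is an assumption.

```python
"""Classify tor control-port STREAM events captured after `SETEVENTS STREAM`."""
import re
from collections import defaultdict

# Hosts named in the thread. Counting any eff.org stream as the add-on
# version check is an assumption made for this example.
VERSION_CHECK_DOMAINS = ("eff.org",)
RULESET_HOSTS = ("www.https-rulesets.org", "securedrop.org")

# Asynchronous event shape: 650 STREAM <StreamID> <Status> <CircID> <Target> [KEY=VALUE ...]
STREAM_EVENT = re.compile(
    r"^650 STREAM (?P<stream_id>\S+) (?P<status>[A-Z]+) "
    r"(?P<circ_id>\S+) (?P<target>\S+)(?: (?P<extra>.*))?$"
)

# Constructed sample capture: unpatched browser, add-on update timer fired.
BEFORE_PATCH = [
    "650 STREAM 41 NEW 0 www.eff.org:443 SOURCE_ADDR=127.0.0.1:51234 PURPOSE=USER",
    "650 STREAM 41 SENTCONNECT 7 www.eff.org:443",
    "650 STREAM 41 SUCCEEDED 7 www.eff.org:443",
    "650 STREAM 42 NEW 0 www.https-rulesets.org:443 SOURCE_ADDR=127.0.0.1:51236 PURPOSE=USER",
    "650 STREAM 41 CLOSED 7 www.eff.org:443 REASON=DONE",
]

# Constructed sample capture: patched browser over the same interval.
AFTER_PATCH = [
    "650 STREAM 51 NEW 0 www.https-rulesets.org:443 SOURCE_ADDR=127.0.0.1:51301 PURPOSE=USER",
    "650 CIRC 9 BUILT PURPOSE=GENERAL",
    "650 STREAM 52 NEW 0 securedrop.org:443 SOURCE_ADDR=127.0.0.1:51302 PURPOSE=USER",
    "650 STREAM 53 NEW 0 example.com:443 SOURCE_ADDR=127.0.0.1:51303 PURPOSE=USER",
    "650 STREAM 51 CLOSED 9 www.https-rulesets.org:443 REASON=DONE",
]


def parse_stream_event(line):
    """Return a dict for a STREAM event line, or None for any other line."""
    m = STREAM_EVENT.match(line.strip())
    if not m:
        return None
    # Target is Address ":" Port; IPv6 addresses arrive in square brackets.
    host, sep, port = m.group("target").rpartition(":")
    if not sep or not port.isdigit():
        return None
    return {
        "stream_id": m.group("stream_id"),
        "status": m.group("status"),
        "host": host.strip("[]").lower().rstrip("."),
        "port": int(port),
    }


def classify(host):
    """Map a destination host to ruleset / version_check / other."""
    if host in RULESET_HOSTS:
        return "ruleset"
    # Match the domain itself or a true subdomain, never a bare suffix.
    if any(host == d or host.endswith("." + d) for d in VERSION_CHECK_DOMAINS):
        return "version_check"
    return "other"


def summarize(lines):
    """Group requested destinations by category, counting each stream once."""
    seen = set()
    result = defaultdict(set)
    for line in lines:
        ev = parse_stream_event(line)
        # NEW carries the destination as the client requested it; later
        # events for the same stream would only repeat or remap it.
        if ev is None or ev["status"] != "NEW" or ev["stream_id"] in seen:
            continue
        seen.add(ev["stream_id"])
        result[classify(ev["host"])].add(f'{ev["host"]}:{ev["port"]}')
    return {category: sorted(targets) for category, targets in result.items()}


def verdict(lines):
    """The two facts the reviewer asked about, as booleans."""
    summary = summarize(lines)
    return {
        "version_check_seen": bool(summary.get("version_check")),
        "ruleset_update_seen": bool(summary.get("ruleset")),
    }


if __name__ == "__main__":
    for name, capture in (("before", BEFORE_PATCH), ("after", AFTER_PATCH)):
        print(name, verdict(capture), summarize(capture))
```

The capture window has to be longer than `extensions.update.interval`, otherwise a missing version check says nothing about whether the update ping was disabled.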


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-06-07 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, https-everywhere,      |  Actual Points:
            TorBrowserTeam202006R                |
Parent ID:                                       |         Points:
 Reviewer:  gk                                   |        Sponsor:
-------------------------------------------------+---------------------------
Changes (by gk):

 * status:  needs_information => needs_review
 * cc: yawning (removed)


Comment:

 Replying to [comment:45 rustybird]:
 > Replying to [comment:44 gk]:
 >
 > > Maybe we could include this patch as part of our "don't block our
 > > unsigned extensions" patch where HTTPS-Everywhere is the only extension
 > > left anyway. Would be easy to make this into a "treat https-e special"
 > > patch.
 >
 > If the [https://lists.torproject.org/pipermail/tbb-dev/2017-April/000530.html plan]
 > still is to eventually disable NoScript updates too, then it might be
 > simpler to keep the patch separate and later add a fixup checking for the
 > NoScript ID as well. Just a thought.

 Yes, that's still the plan. I am not overly worried about NoScript having
 any impact here. Once we disable updates for NoScript we want to make a
 signature check exception for it, too, because we don't want to be
 affected again by Mozilla messing up their signing certificate renewal.
 So, this would fit into a single patch together with HTTPS-Everywhere
 being exempted and its updates disabled.

 What I *am* worried about is the additional review cost this move would
 imply because I think we should neither disable HTTPS-Everywhere's nor
 NoScript's update mechanism if we can't manage to track their releases and
 check whether those contain any new security issues or fixes for older
 ones.

 > > rustybird: have you checked whether the ruleset updates are unaffected
 > > by your patch
 >
 > Yes, they still work: There are connections to
 > `www.https-rulesets.org:443` and `securedrop.org:443`. And when I start
 > with an old HTTPS Everywhere version that includes an outdated ruleset,
 > the `rulesets-timestamp` fields in
 > `browser-extension-data/https-everywhere-e...@eff.org/storage.js` show
 > that those updates are applied.

 Great, thanks.



Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2020-06-07 Thread Tor Bug Tracker & Wiki

Comment (by rustybird):

 Replying to [comment:46 gk]:
 > Once we disable updates for NoScript we want to make a signature check
 > exception for it, too, because we don't want to be affected again by
 > Mozilla messing up their signing certificate renewal. So, this would fit
 > into a single patch together with HTTPS-Everywhere being exempted and its
 > updates disabled.

 Ah, makes sense. Squash away!

 > What I *am* worried about is the additional review cost this move would
 > imply because I think we should neither disable HTTPS-Everywhere's nor
 > NoScript's update mechanism if we can't manage to track their releases and
 > check whether those contain any new security issues or fixes for older
 > ones.

 For new security issues, the status quo could be preserved by making the
 TB build system default to shipping not necessarily the very latest
 extension release, but the latest on AMO. This would transform AMO from an
 authority that can unilaterally approve updates, to just an additional
 code reviewer (who can be overridden).

 For old security issues, the status quo with
 `extensions.update.interval == 86400` is 24h worst case, so 12h on average
 until an approved update is applied; which comes after however much time
 AMO approval takes... Hmm, how fast could the TB release process actually
 upload an update, assuming it's only an extension version bump and nothing
 else?



Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-04-04 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
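-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  reopened
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201803   |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------------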

Comment (by cypherpunks):

 Ruleset updates are finally here! 🎉
 https://www.eff.org/deeplinks/2018/04/https-everywhere-introduces-new-feature-continual-ruleset-updates


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-08-18 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  reopened
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201805,  |  Actual Points:
            https-everywhere                     |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------------
Changes (by traumschule):

 * keywords:  tbb-security, TorBrowserTeam201805 => tbb-security,
 TorBrowserTeam201805, https-everywhere



Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-08-23 Thread Tor Bug Tracker & Wiki

Comment (by traumschule):

 Today HTTPS Everywhere requested permission to update itself in TB 8.0a10
 https://share.riseup.net/#Caex1xF8eY8YSUOksRdKkg


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-08-23 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks3):

 Yeah that's #27277


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-09-06 Thread Tor Bug Tracker & Wiki

Comment (by legind):

 gk, do you see any problem with simply setting the extension update URL to
 `https://0.0.0.0/` rather than `data:text/plain,`?  This doesn't result in
 the extension load-time error.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-09-06 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 Hm. We had this before but ran into scary tor warnings, see: #16427 and
 #13129. We could check, though, whether they still occur. If not, great,
 let's do it. But if so, we should think harder about what to do.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-09-10 Thread Tor Bug Tracker & Wiki

Comment (by legind):

 I'm not seeing these warnings in the browser console when testing on the
 latest TB, but perhaps I'm missing something?


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-09-11 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 Replying to [comment:34 legind]:
 > I'm not seeing these warnings in the browser console when testing on the
 > latest TB, but perhaps I'm missing something?

 Interesting. Do you get those messages if you use a Torbutton .xpi with
 the update URL changed to `https://0.0.0.0/`? One difference could be that
 this was only problematic for XPCOM extensions but is not an issue anymore
 for WebExtensions. If that's the case, great! Then let's switch to the
 HTTPS URL.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-09-11 Thread Tor Bug Tracker & Wiki

Comment (by legind):

 I don't see these warnings when modifying the Tor Button `.xpi`.  Maybe
 they removed this as a warning at some point.  To be clear, I'm just
 looking in the browser console - should I be looking elsewhere as well?


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-09-12 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 Replying to [comment:36 legind]:
 > I don't see these warnings when modifying the Tor Button `.xpi`.  Maybe
 > they removed this as a warning at some point.  To be clear, I'm just
 > looking in the browser console - should I be looking elsewhere as well?

 {{{
 [09-12 07:23:47] Torbutton INFO: tor SOCKS: https://0.0.0.0/ via --unknown--:6151cba48e49acf249f6b48fb13ce789
 Sep 12 07:23:47.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
 }}}
 is what I get in my terminal. I see the Tor warning in my browser console
 as well if I open `about:addons`, click on Extensions -> Torbutton (More
 button) -> right click -> Find Updates.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-09-27 Thread Tor Bug Tracker & Wiki

Comment (by legind):

 Starting the browser with

 {{{
 ./start-tor-browser --verbose
 }}}

 I can now see

 {{{
 Sep 28 02:48:58.000 [warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
 }}}

 But I don't see that first line.

 I'm also seeing this when I update the {{{manifest.json}}} file in HTTPS
 Everywhere.  Though for both, I see it only on the first time I click
 {{{Check for Updates}}}, not each subsequent time.  Maybe this is due to
 addon update connection throttling?

 Is the presence of these errors really a blocker on moving forward here?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-01-19 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
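-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  task                                 |         Status:  reopened
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security                         |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------------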
Changes (by gk):

 * cc: Dbryrtfbcbhgf (added)


Comment:

 #21260 is a duplicate.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-01-19 Thread Tor Bug Tracker & Wiki
Changes (by yawning):

 * cc: yawning (added)



Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-01-19 Thread Tor Bug Tracker & Wiki

Comment (by Dbryrtfbcbhgf):

 Replying to [comment:11 yawning]:
 I made a video showing the updater I'm talking about, because I'm still
 not sure that I explained it properly.
 https://www.expirebox.com/download/50307432778945f2330b0e670b718e36.html


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-07-18 Thread Tor Bug Tracker & Wiki
Changes (by tom):

 * cc: tom (added)



Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2016-08-22 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
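-------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                         |          Owner:  tbb-team
     Type:  project                              |         Status:  reopened
 Priority:  Medium                               |      Milestone:  Chronos: phase two
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+---------------------------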

Comment (by mcs):

 Replying to [comment:4 gk]:
 > We are still getting HTTPS-E updates outside of our updater.

 When we ship a new version of HTTPS-E with a new release of Tor Browser,
 we arrange for it to be "force updated" (files replaced) so that the user
 is left with a known version of HTTPS-E which has been tested with TB.
 Interim updates are still retrieved from addons.mozilla.org using the
 extension update mechanism so users can get updates if desired. We use the
 same approach for NoScript.

 Do we want to do something different? If not, then this bug can be closed.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2016-08-22 Thread Tor Bug Tracker & Wiki
Changes (by gk):

 * keywords:   => tbb-security
 * type:  project => task
 * milestone:  Chronos: phase two =>


Old description:



New description:

 Let's think about shipping HTTPS-Everywhere solely via our updater,
 disabling update pings for that extension as well.

--

Comment:

 I think we want to have a ticket about shipping HTTPS-E solely via our
 updater, disabling update pings to EFF. I thought there was already a
 ticket for this but I did not find one and thought this one might fit.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2016-08-22 Thread Tor Bug Tracker & Wiki

Comment (by bugzilla):

 mcs, thanks for the clarification. But,
 > Interim updates are still retrieved from addons.mozilla.org using the
 > extension update mechanism
 No. From EFF.
 > so users can get updates if desired.
 What does it mean (desired)? Update Add-ons Automatically is selected by
 default.
 > We use the same approach for NoScript.
 No. But, maybe, it's better to use the same, because recent updates led to
 5.2.0 on alpha, 5.1.x on stable and 5.2.1 on AMO.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2016-08-24 Thread Tor Bug Tracker & Wiki

Comment (by mcs):

 Replying to [comment:7 bugzilla]:
 > mcs, thanks for the clarification. But,
 > > Interim updates are still retrieved from addons.mozilla.org using the
 > > extension update mechanism
 > No. From EFF.

 Thanks. My mistake.

 > > so users can get updates if desired.
 > What does it mean (desired)? Update Add-ons Automatically is selected by
 > default.

 It means users do have a way to disable updates if they want to do so. But
 most will keep the default setting.

 > > We use the same approach for NoScript.
 > No. But, maybe, it's better to use the same, because recent updates led
 > to 5.2.0 on alpha, 5.1.x on stable and 5.2.1 on AMO.

 There is a policy question here: should we disable updates for bundled
 extensions. By allowing updates from EFF or AMO, we risk that users may
 get a version of an extension that is somehow incompatible with Tor
 Browser. But by allowing updates we ensure that users will have the latest
 (and hopefully most secure) versions of HTTPS-E and NoScript.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2016-08-27 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
--------------------------------------+---------------------------
 Reporter:  StrangeCharm              |          Owner:  tbb-team
     Type:  task                      |         Status:  reopened
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by bugzilla):

 Replying to [comment:6 gk]:
 > we want to have a ticket about shipping HTTPS-E solely via our updater
 Maybe, you mean your update servers instead of AMO, or you'll have to make
 a new release of TBB for every update.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-08-17 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
--------------------------------------+---------------------------
 Reporter:  StrangeCharm              |          Owner:  tbb-team
     Type:  task                      |         Status:  reopened
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by yawning):

 Replying to [comment:8 mcs]:
 > There is a policy question here: should we disable updates for bundled
 > extensions.

 Yes.

 > By allowing updates from EFF or AMO, we risk that users may get a
 > version of an extension that is somehow incompatible with Tor Browser.

 #23258, #22974


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-10-20 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
--------------------------------------+---------------------------
 Reporter:  StrangeCharm              |          Owner:  tbb-team
     Type:  task                      |         Status:  reopened
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by cypherpunks):

 +1, as #23772.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-10-31 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
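-----------------------------------------------+---------------------------
 Reporter:  StrangeCharm                       |          Owner:  tbb-team
     Type:  task                               |         Status:  assigned
 Priority:  Medium                             |      Milestone:
Component:  Applications/Tor Browser           |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201711  |  Actual Points:
Parent ID:                                     |         Points:
 Reviewer:                                     |        Sponsor:
-----------------------------------------------+---------------------------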
Changes (by gk):

 * status:  reopened => assigned
 * keywords:  tbb-security => tbb-security, TorBrowserTeam201711


Comment:

 I heard we are close to being able to test that. Hopefully this can already
 happen in the next regular alpha release. Putting it on our radar for
 November.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-11-08 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                        |          Owner:  tbb-team
     Type:  task                                |         Status:  needs_review
 Priority:  Medium                              |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201711R  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:
------------------------------------------------+---------------------------
Changes (by gk):

 * status:  assigned => needs_review
 * keywords:  tbb-security, TorBrowserTeam201711 => tbb-security,
 TorBrowserTeam201711R
 * cc: boklm (added)


Comment:

 `bug_10394_v2`
 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_10394_v2&id=50982eda6d3687aa5bcc2d088546f82c4fa7e53d)
 in my `tor-browser-build` repository has a fix for this bug. Note: this
 breaks at the time of writing the nightly builds. Given that we need to
 get alphas out rather soon, that's okay for now. The potential breakage
 will be addressed in #24179.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-11-08 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
------------------------------------------------+---------------------------
 Reporter:  StrangeCharm                        |          Owner:  tbb-team
     Type:  task                                |         Status:  closed
 Priority:  Medium                              |      Milestone:
Component:  Applications/Tor Browser            |        Version:
 Severity:  Normal                              |     Resolution:  fixed
 Keywords:  tbb-security, TorBrowserTeam201711R  |  Actual Points:
Parent ID:                                      |         Points:
 Reviewer:                                      |        Sponsor:
------------------------------------------------+---------------------------
Changes (by boklm):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 This looks good to me. I applied it to master as commit
 50982eda6d3687aa5bcc2d088546f82c4fa7e53d.


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2017-11-12 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
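-----------------------------------------------+---------------------------
 Reporter:  StrangeCharm                       |          Owner:  tbb-team
     Type:  task                               |         Status:  reopened
 Priority:  Medium                             |      Milestone:
Component:  Applications/Tor Browser           |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201711  |  Actual Points:
Parent ID:                                     |         Points:
 Reviewer:                                     |        Sponsor:
-----------------------------------------------+---------------------------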
Changes (by gk):

 * status:  closed => reopened
 * keywords:  tbb-security, TorBrowserTeam201711R => tbb-security,
 TorBrowserTeam201711
 * resolution:  fixed =>
 * cc: legind (added)


Comment:

 Firefox does not like our trick in a WebExtensions context:
 {{{
 1510514437300   addons.webextension.   ERROR   Loading extension
 'null': Reading manifest: Error processing applications.gecko.update_url:
 Error: Access denied for URL data:text/plain,
 1510514437500   addons.xpi-utils   WARN   updateMetadata: Add-on
 https-everywhere-...@eff.org is invalid: Error: Extension is invalid
 (resource://gre/modules/addons/XPIProvider.jsm:963:11) JS Stack trace:
 loadManifestFromWebManifest<@XPIProvider.jsm:963:11 <
 taskimpl_...@task.jsm:319:42 < Handler.prototype.process@Promise-
 backend.js:932:23 < this.promisewalker.walkerl...@promise-backend.js:813:7
 < this.PromiseWalker.scheduleWalkerLoop/<@Promise-backend.js:747:11 <
 syncloadmanifestfromf...@xpiprovider.jsm:1621:5 <
 updatemetad...@xpiproviderutils.js:1785:21 <
 processfilechan...@xpiproviderutils.js:2009:26 <
 this.xpiprovider.checkforchan...@xpiprovider.jsm:3899:34 <
 this.xpiprovider.star...@xpiprovider.jsm:2839:25 <
 callprovi...@addonmanager.jsm:242:12 <
 _startprovi...@addonmanager.jsm:795:5 <
 addonmanagerinternal.star...@addonmanager.jsm:1005:9 <
 this.addonmanagerprivate.star...@addonmanager.jsm:3062:5 <
 ammanager.prototype.obse...@addonmanager.js:65:9
 }}}
 So, we need something better and need to rebuild the alphas.


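The failure in the log above suggests a check to run over bundled extensions before a build ships. The following JavaScript is an added example, not code from the ticket, from tor-browser-build or from HTTPS Everywhere; the function names, verdict labels and sample manifests are constructed, and treating every non-https `update_url` as rejected is an assumption generalized from the `data:` case in the log.

```javascript
// Added example: classify the update channel a bundled WebExtension declares.
// All manifests below are constructed samples, not copies of real add-ons.

// The Gecko block lives under "browser_specific_settings" or the older "applications" key.
function geckoSettings(manifest) {
  const m = manifest || {};
  return (m.browser_specific_settings || m.applications || {}).gecko || {};
}

// Classify one manifest.json, passed as text.
function auditUpdateUrl(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    return { id: null, verdict: "unparseable", detail: err.message };
  }
  const gecko = geckoSettings(manifest);
  const id = gecko.id || null;
  if (gecko.update_url === undefined) {
    // No override: the browser's default add-on update source applies.
    return { id, verdict: "default-channel", detail: "no update_url set" };
  }
  let url;
  try {
    url = new URL(String(gecko.update_url));
  } catch (err) {
    return { id, verdict: "rejected", detail: "update_url is not a URL" };
  }
  if (url.protocol !== "https:") {
    // Assumption: non-https fails manifest validation, as data: did in the log.
    return { id, verdict: "rejected", detail: "scheme " + url.protocol };
  }
  // A valid https update_url: updates arrive outside the bundle's own updater.
  return { id, verdict: "external-channel", detail: url.hostname };
}

const samples = {
  dataTrick: '{"applications":{"gecko":{"id":"a@example.org","update_url":"data:text/plain,"}}}',
  external: '{"applications":{"gecko":{"id":"b@example.org","update_url":"https://updates.example.org/u.json"}}}',
  unset: '{"browser_specific_settings":{"gecko":{"id":"c@example.org"}}}',
};

function auditAll(inputs) {
  return Object.fromEntries(Object.entries(inputs).map(
    ([name, text]) => [name, auditUpdateUrl(text).verdict]));
}

console.log(auditAll(samples));
```

A "rejected" verdict is the case to catch before release: the extension does not stay pinned, it fails to load at all.
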
Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere

2018-03-15 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
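-----------------------------------------------+---------------------------
 Reporter:  StrangeCharm                       |          Owner:  tbb-team
     Type:  task                               |         Status:  reopened
 Priority:  Medium                             |      Milestone:
Component:  Applications/Tor Browser           |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:  tbb-security, TorBrowserTeam201803  |  Actual Points:
Parent ID:                                     |         Points:
 Reviewer:                                     |        Sponsor:
-----------------------------------------------+---------------------------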

Comment (by cypherpunks):

 Hainish says it should hopefully be ready for the 2018.3.27 release:

 > I plan on making this the release that incorporates the `sign-rulesets`
 branch.

 https://github.com/EFForg/https-everywhere/issues/14907


Re: [tor-bugs] #10394 [Applications/Tor Browser]: Torbrowser's updater updates HTTPS-everywhere (was: Torbrowser's updater updates HTTPS-everwhere)

2016-08-21 Thread Tor Bug Tracker & Wiki
#10394: Torbrowser's updater updates HTTPS-everywhere
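--------------------------------------+-------------------------------------
 Reporter:  StrangeCharm              |          Owner:  tbb-team
     Type:  project                   |         Status:  reopened
 Priority:  Medium                    |      Milestone:  Chronos: phase two
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-------------------------------------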
Changes (by gk):

 * status:  closed => reopened
 * resolution:  worksforme =>


Comment:

 We are still getting HTTPS-E updates outside of our updater.
