Re: [tor-bugs] #20781 [Applications/Tor Browser Sandbox]: Figure out how to sandbox meek in a sensible way.

[Tor Bug Tracker & Wiki]

#20781: Figure out how to sandbox meek in a sensible way.
--+-
 Reporter:  yawning   |  Owner:  yawning
 Type:  enhancement   | Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:  wontfix
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by cypherpunks):

 Even with #23362?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20781 [Applications/Tor Browser Sandbox]: Figure out how to sandbox meek in a sensible way.

[Tor Bug Tracker & Wiki]

#20781: Figure out how to sandbox meek in a sensible way.
--+-
 Reporter:  yawning   |  Owner:  yawning
 Type:  enhancement   | Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:  wontfix
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-
Changes (by yawning):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 There is no sensible way.  Even in a separate container, a firefox process
 should never get access to the network interface.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20781 [Applications/Tor Browser Sandbox]: Figure out how to sandbox meek in a sensible way.

[Tor Bug Tracker & Wiki]

#20781: Figure out how to sandbox meek in a sensible way.
--+-
 Reporter:  yawning   |  Owner:  yawning
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-
Changes (by mcs):

 * cc: brade, mcs (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20781 [Applications/Tor Browser Sandbox]: Figure out how to sandbox meek in a sensible way.

[Tor Bug Tracker & Wiki]

#20781: Figure out how to sandbox meek in a sensible way.
--+-
 Reporter:  yawning   |  Owner:  yawning
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by arma):

 Seems like using meek_lite is an obvious intermediate step.

 Assuming we're going to continue working towards getting this sandbox
 thing in the hands of normal users. That's a great question for GeKo.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20781 [Applications/Tor Browser Sandbox]: Figure out how to sandbox meek in a sensible way.

[Tor Bug Tracker & Wiki]

#20781: Figure out how to sandbox meek in a sensible way.
--+-
 Reporter:  yawning   |  Owner:  yawning
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by yawning):

 At least some current Tor Browser builds use a version of obfs4proxy that
 predates meek_lite, so using meek_lite would need that to be bumped up
 (trivial), and special cases in the code to handle old versions of the
 browser.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20781 [Applications/Tor Browser Sandbox]: Figure out how to sandbox meek in a sensible way.

[Tor Bug Tracker & Wiki]

#20781: Figure out how to sandbox meek in a sensible way.
--+-
 Reporter:  yawning   |  Owner:  yawning
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by yawning):

 I assume meek with firefox running as a helper will be affected by #20283
 since it is an upstream issue, and I just removed `/proc` from the tor
 container.

 Fixing this the right way is also going to be tricky since I'm fairly sure
 the tor container won't be able to see sockets from the meek container,
 and PTs don't support AF_LOCAL yet, so `sandboxed-tor-browser` probably
 will need to shuffle bytes back and forth between the two.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #20781 [Applications/Tor Browser Sandbox]: Figure out how to sandbox meek in a sensible way.

[Tor Bug Tracker & Wiki]

#20781: Figure out how to sandbox meek in a sensible way.
--+-
 Reporter:  yawning   |  Owner:  yawning
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-
Changes (by dcf):

 * keywords:   => meek


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #20781 [Applications/Tor Browser Sandbox]: Figure out how to sandbox meek in a sensible way.

[Tor Bug Tracker & Wiki]

#20781: Figure out how to sandbox meek in a sensible way.
--+-
 Reporter:  yawning   |  Owner:  yawning
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal|   Keywords:
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+-
 Right now `sandboxed-tor-browser` does not support meek at all.  This is
 suboptimal since it is popular.

 There's two ways forward from my perspective:

  * The correct fix would be to add code to spin up another sandbox
 container (since I do not think that even a neutered firefox process
 should live in the tor sandbox), for the meek helper firefox instance.

  * The quick and dirty way would be to use `meek_lite` since obfs4proxy is
 allowed, and shipped versions contain the code.  The downside is that it
 is even more distinct than meek usually is.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs