[tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-03-16 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  new
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Keywords:  ff52esr, tbb-7.0-must,
                                      |             TorBrowserTeam201703
 Actual Points:                       |  Parent ID:
 Points:                              |  Reviewer:
 Sponsor:  Sponsor4                   |
-+-
 Testing a build based on ESR 52 and our patches in #20680 it turns out
 that HTTP Authentication data seems to leak to third parties as can be
 seen on the http://ip-check.info test.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-03-17 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  new
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,   |  Actual Points:
            TorBrowserTeam201703      |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-
Changes (by cypherpunks):

 * keywords:  ff52esr, tbb-7.0-must, TorBrowserTeam201703 => ff52-esr,
 tbb-7.0-must, TorBrowserTeam201703


Comment:

 Seems related to #21755.


Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-04-03 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  new
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,   |  Actual Points:
            TorBrowserTeam201703      |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-

Comment (by arthuredelstein):

 In the #20680 branch, I dropped our #13900 patch because ESR52 is supposed
 to isolate HTTP Auth by first party. There is an automated test in ESR52
 from https://bugzilla.mozilla.org/1301523. So I think the
 http://ip-check.info site is detecting that the HTTP Auth credentials are
 being saved to the third party, but it isn't testing if these credentials
 are shared with the first party.

 I wrote a manual test and was able to confirm that first-party isolation
 (double keying) is working. Here's the test:

 First visit https://arthuredelstein.net/auth-test.html. It contains an
 iframe located at `torpat.ch/auth`. Username is "username" and password is
 "password". Once credentials are entered at the prompt, you can reload and
 the credentials will be remembered such that no prompt is shown for a
 second time.

 Next visit https://torpat.ch/auth-test.html. It also has an iframe at the
 same location. If double-keying is working correctly, the browser should
 prompt again for username and password even though the third-party domain
 is the same (torpat.ch).

 Test source: https://github.com/arthuredelstein/auth-test


Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-04-03 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  needs_review
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,   |  Actual Points:
            TorBrowserTeam201703R     |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-
Changes (by arthuredelstein):

 * keywords:  ff52-esr, tbb-7.0-must, TorBrowserTeam201703 => ff52-esr,
 tbb-7.0-must, TorBrowserTeam201703R
 * status:  new => needs_review



Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-04-07 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  assigned
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr,                 |  Actual Points:
            TorBrowserTeam201704,     |
            tbb-7.0-must-alpha        |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-
Changes (by gk):

 * status:  needs_review => assigned
 * keywords:  ff52-esr, TorBrowserTeam201704R, tbb-7.0-must-alpha =>
 ff52-esr, TorBrowserTeam201704, tbb-7.0-must-alpha


Comment:

 Replying to [comment:2 arthuredelstein]:
 > In the #20680 branch, I dropped our #13900 patch because ESR52 is
 > supposed to isolate HTTP Auth by first party. There is an automated test
 > in ESR52 from https://bugzilla.mozilla.org/1301523. So I think the
 > http://ip-check.info site is detecting that the HTTP Auth credentials are
 > being saved to the third party, but it isn't testing if these credentials
 > are shared with the first party.

 I am not so sure about that. They are saved in Tor Browser 6.5.1 as well
 but still the test passes with it. We are stripping the third party
 headers when we are doing a request. Now, the most likely explanation is
 that the test is showing a red outcome just in case it gets any third
 party headers back. Then this would be indeed no issue for us. What it
 actually does is implement:

 http://blog.jeremiahgrossman.com/2007/04/tracking-users-without-cookies.html

 using things like http://Session:483452...@ipcheck.info/auth.css.php in a
 stylesheet link from ip-check.info to work without JS as well.

 Do you think you could come up with a test for that scenario, too, to be
 extra sure that nothing is sneaking in?

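The two scenarios discussed in this thread, the manual double-keying test from comment:2 and the silent stylesheet login from comment:6, are modelled below as an added example. This is not code from the ticket, from Tor Browser or from Firefox; it is a small Python model of a browser credential cache that is keyed either by (resource origin, realm) or, with first-party isolation, by (first-party origin, resource origin, realm). The hostnames, realm names and the session token are constructed stand-ins for the sites named in the ticket, and the model ignores how the server challenges and how a userinfo login is confirmed; it only records where each credential came from.

```python
"""Model of a browser HTTP Authentication credential cache, single-keyed
versus double-keyed (first-party isolation).

Added example, not code from Tor ticket #21756, Tor Browser or Firefox.
Hostnames, realms and token values are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    user: str
    password: str


def origin_of(url: str) -> str:
    """scheme://host of a URL with any userinfo stripped: credentials carried
    in the URL must never become part of the cache key."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}"


def credential_in_url(url: str) -> Optional[Credential]:
    """Credentials embedded as user:password@host in the URL, if any."""
    p = urlsplit(url)
    if p.username is None:
        return None
    return Credential(p.username, p.password or "")


class AuthCache:
    """single-keyed: key = (resource origin, realm)
    double-keyed: key = (first-party origin, resource origin, realm)"""

    def __init__(self, double_keyed: bool) -> None:
        self.double_keyed = double_keyed
        self._store: Dict[Tuple[str, ...], Credential] = {}

    def _key(self, first_party: str, origin: str, realm: str) -> Tuple[str, ...]:
        if self.double_keyed:
            return (first_party, origin, realm)
        return (origin, realm)

    def store(self, first_party: str, origin: str, realm: str, cred: Credential) -> None:
        self._store[self._key(first_party, origin, realm)] = cred

    def lookup(self, first_party: str, origin: str, realm: str) -> Optional[Credential]:
        return self._store.get(self._key(first_party, origin, realm))


def load_protected_subresource(cache: AuthCache, first_party_url: str,
                               resource_url: str, realm: str,
                               prompt_answer: Credential) -> str:
    """Model of loading an embedded resource that demands HTTP auth for
    `realm`. Returns where the credential came from: 'url' (silently, from
    the userinfo), 'cache' (silently, remembered) or 'prompt' (user asked).
    Whatever is obtained is stored under the cache's key."""
    fp, origin = origin_of(first_party_url), origin_of(resource_url)
    cred = credential_in_url(resource_url)
    if cred is not None:
        cache.store(fp, origin, realm, cred)
        return "url"
    if cache.lookup(fp, origin, realm) is not None:
        return "cache"
    cache.store(fp, origin, realm, prompt_answer)
    return "prompt"


def manual_test(double_keyed: bool) -> List[str]:
    """comment:2 procedure: first party A embeds the protected frame, the
    page is reloaded, then first party B embeds the same frame."""
    cache = AuthCache(double_keyed)
    user = Credential("username", "password")      # values from the ticket
    frame = "https://third-party.example/auth"      # stand-in for torpat.ch/auth
    site_a = "https://first-party-a.example/auth-test.html"
    site_b = "https://first-party-b.example/auth-test.html"
    return [load_protected_subresource(cache, site_a, frame, "test", user),
            load_protected_subresource(cache, site_a, frame, "test", user),
            load_protected_subresource(cache, site_b, frame, "test", user)]


def silent_stylesheet_test(double_keyed: bool) -> List[str]:
    """comment:6 scenario: a stylesheet URL carries a per-visitor token in its
    userinfo, so a credential is stored with no prompt. Under another first
    party the same resource is requested without userinfo; if the stored
    token comes back from the cache, the visitor has been re-identified."""
    cache = AuthCache(double_keyed)
    tagged = "http://Session:483452@tracker.example/auth.css.php"  # constructed
    plain = "http://tracker.example/auth.css.php"
    dismissed = Credential("", "")  # user dismisses any prompt that appears
    return [load_protected_subresource(cache, "http://site-one.example/", tagged, "Session", dismissed),
            load_protected_subresource(cache, "http://site-two.example/", plain, "Session", dismissed)]


if __name__ == "__main__":
    for keyed in (False, True):
        label = "double-keyed" if keyed else "single-keyed"
        print(label, "manual test:", manual_test(keyed))
        print(label, "silent stylesheet:", silent_stylesheet_test(keyed))
```

With a single-keyed cache the third step of the manual test and the second step of the stylesheet test both return "cache", which is the cross-site linkage the ticket worries about; with the double-keyed cache they return "prompt", which is the behaviour the comment:2 test expects when first-party isolation is working.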

Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-04-10 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  assigned
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr,                 |  Actual Points:
            TorBrowserTeam201704,     |
            tbb-7.0-must-alpha        |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-

Comment (by arthuredelstein):

 Replying to [comment:6 gk]:
 > Replying to [comment:2 arthuredelstein]:
 > > In the #20680 branch, I dropped our #13900 patch because ESR52 is
 > > supposed to isolate HTTP Auth by first party. There is an automated test
 > > in ESR52 from https://bugzilla.mozilla.org/1301523. So I think the
 > > http://ip-check.info site is detecting that the HTTP Auth credentials are
 > > being saved to the third party, but it isn't testing if these credentials
 > > are shared with the first party.
 >
 > I am not so sure about that. They are saved in Tor Browser 6.5.1 as well
 > but still the test passes with it. We are stripping the third party
 > headers when we are doing a request.

 You're right, I misspoke here. I should have said, the ip-check site is
 detecting if third-party credentials are sent back at all, but it isn't
 testing if these credentials are sent back under a different first party.

 > Now, the most likely explanation is that the test is showing a red
 > outcome just in case it gets any third party headers back. Then this would
 > be indeed no issue for us. What it actually does is implement:
 >
 > http://blog.jeremiahgrossman.com/2007/04/tracking-users-without-cookies.html
 >
 > using things like http://Session:483452...@ipcheck.info/auth.css.php in
 > a stylesheet link from ip-check.info to work without JS as well.
 >
 > Do you think you could come up with a test for that scenario, too, to be
 > extra sure that nothing is sneaking in?

 So my test from comment:2 is already testing if any third-party headers
 are received back under a new first party. Are you interested in testing
 the silent authentication scenario (with and without JS), or is there some
 other characteristic of that demo you would like to test?


Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-04-11 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  assigned
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr,                 |  Actual Points:
            TorBrowserTeam201704,     |
            tbb-7.0-must-alpha        |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-

Comment (by gk):

 Replying to [comment:7 arthuredelstein]:
 > Replying to [comment:6 gk]:
 > > Do you think you could come up with a test for that scenario, too, to
 > > be extra sure that nothing is sneaking in?
 >
 > So my test from comment:2 is already testing if any third-party headers
 > are received back under a new first party. Are you interested in testing
 > the silent authentication scenario (with and without JS), or is there some
 > other characteristic of that demo you would like to test?

 If you think there is no loophole where this kind of feature abuse can
 subvert our defenses then feel free to close this ticket without adding a
 particular test for the ip-check scenario.


Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-05-08 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  needs_information
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr,                 |  Actual Points:
            tbb-7.0-must-alpha,       |
            TorBrowserTeam201705      |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-
Changes (by gk):

 * cc: ezio, arthuredelstein (added)
 * status:  assigned => needs_information


Comment:

 #22187 is a duplicate. Arthur: where are we with this ticket? IIRC you
 still wanted to work on something before closing it?


Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-05-08 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  tbb-team
 Type:  defect                        |  Status:  needs_information
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr,                 |  Actual Points:
            tbb-7.0-must-alpha,       |
            TorBrowserTeam201705      |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-

Comment (by arthuredelstein):

 I think further loopholes are unlikely, but I think I should look for them
 nonetheless, just in case.

 So I think, in the interest of getting as many patches as possible into
 the alpha, I should postpone working on this again until after the alpha
 deadline.


Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-05-26 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  arthuredelstein
 Type:  defect                        |  Status:  assigned
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:
 Keywords:  ff52-esr,                 |  Actual Points:
            TorBrowserTeam201705,     |
            tbb-7.0-must              |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-
Changes (by gk):

 * cc: tbb-team (added)
 * status:  needs_information => assigned
 * owner:  tbb-team => arthuredelstein



Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser

2017-08-28 Thread Tor Bug Tracker & Wiki
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-+-
 Reporter:  gk                        |  Owner:  arthuredelstein
 Type:  defect                        |  Status:  closed
 Priority:  High                      |  Milestone:
 Component:  Applications/Tor Browser |  Version:
 Severity:  Normal                    |  Resolution:  invalid
 Keywords:  ff52-esr, tbb-7.0-must,   |  Actual Points:
            tbb-7.0-frequent,         |
            TorBrowserTeam201708      |
 Parent ID:                           |  Points:
 Reviewer:                            |  Sponsor:  Sponsor4
-+-
Changes (by gk):

 * status:  assigned => closed
 * resolution:   => invalid


Comment:

 I talked to the JonDos people (who built the ip-check.info test) and we
 think we are in agreement that this was a test error. So, closing this
 ticket.
