Tor settings not fully isolated in HTTPS by Default #28540

Closed
arthuredelstein opened this issue Feb 15, 2023 · 7 comments · Fixed by brave/brave-core#17236

Comments

@arthuredelstein

HTTPS by Default is leaking some fallback settings into Tor Mode. We should fix this to ensure that if a fallback occurs in a normal window, it doesn't occur in the Tor Window.
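
The leak described in this issue, as an added example that is not part of the original issue and is not Brave's code: a simplified model in which remembered HTTP fallbacks live either in one store shared by all window types or in one store per window type. Every name (`UpgradeEngine`, `decide`, `recordFallback`) and the `.example` host are constructed for illustration, and the strict/standard/disabled behaviour is an assumed simplification.

```javascript
// Simplified model of HTTPS-upgrade decisions; not Brave's implementation.
// All class, method and host names are hypothetical.
const TOR = "tor", NORMAL = "normal";

class UpgradeEngine {
  constructor({ isolated }) {
    this.isolated = isolated;          // false = leaky variant, true = fixed variant
    this.normalSetting = "standard";   // "strict" | "standard" | "disabled"
    this.fallbacks = new Map();        // store key -> Set of hosts allowed over HTTP
  }
  // Leaky: a single store for every window type. Fixed: one store per window type.
  storeFor(windowType) {
    const key = this.isolated ? windowType : "shared";
    if (!this.fallbacks.has(key)) this.fallbacks.set(key, new Set());
    return this.fallbacks.get(key);
  }
  // Tor windows always use Strict, whatever the normal-window preference is.
  modeFor(windowType) {
    return windowType === TOR ? "strict" : this.normalSetting;
  }
  recordFallback(windowType, host) {
    this.storeFor(windowType).add(host);
  }
  // httpsWorks: whether the host answers over HTTPS (constructed input).
  decide(windowType, host, httpsWorks) {
    const mode = this.modeFor(windowType);
    if (mode === "disabled") return "load-http";
    if (this.storeFor(windowType).has(host)) return "load-http"; // remembered fallback
    if (httpsWorks) return "upgrade-to-https";
    if (mode === "strict") return "interstitial";
    this.recordFallback(windowType, host); // Standard: silent fallback, remembered
    return "load-http";
  }
}

// A fallback happens in a normal window first; what does the Tor window do next?
function torDecisionAfterNormalFallback(isolated) {
  const engine = new UpgradeEngine({ isolated });
  engine.decide(NORMAL, "insecure.example", false);
  return engine.decide(TOR, "insecure.example", false);
}

console.log("shared store:  ", torDecisionAfterNormalFallback(false));
console.log("isolated store:", torDecisionAfterNormalFallback(true));
```

With the shared store the Tor window inherits the normal window's fallback and loads plain HTTP; with per-window stores it shows the interstitial, which is the behaviour the verification comments below check for.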

@stephendonner

@arthuredelstein should this be QA/Yes? If so, please add it and a test plan. Thanks!

@stephendonner

Thanks for adding QA/Yes, @arthuredelstein - mind putting in a test plan, too? 🙏

@LaurenWags
Member

LaurenWags commented Mar 14, 2023

Adding QA/Blocked for now - @kjozwiak to provide additional information/direction.

@LaurenWags
Member

LaurenWags commented Mar 28, 2023

stephendonner added the QA/In-Progress label Mar 31, 2023
@stephendonner

stephendonner commented Mar 31, 2023

Verification PASSED using

Brave 1.50.110 Chromium: 112.0.5615.49 (Official Build) (x86_64)
Revision bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS macOS Version 11.7.5 (Build 20G1225)

Shared Steps:

  1. installed 1.50.110
  2. launched Brave
  3. opened brave://flags
  4. enabled both HTTPS flags
  5. clicked on Relaunch
  6. opened brave://settings/shields

Confirmed Upgrade connections to HTTPS was set to Standard


insecure.arthuredelstein.net - PASSED

Upgrade connections to HTTPS - Strict - PASSED

Steps:

  1. installed 1.50.110
  2. launched Brave
  3. opened brave://settings/shields
  4. changed Upgrade connections to HTTPS to Strict
  5. loaded http://insecure.arthuredelstein.net
  6. confirmed it loads without warning
  7. opened a new Private window with Tor
  8. loaded http://insecure.arthuredelstein.net
  9. confirmed I got the interstitial-warning dialog
  10. confirmed I could click through

Confirmed I got an interstitial page, allowing me to click through to load the content


Upgrade connections to HTTPS - Disabled - PASSED

Steps:

  1. installed 1.50.110
  2. launched Brave
  3. opened brave://settings/shields
  4. changed Upgrade connections to HTTPS to Disabled
  5. loaded http://insecure.arthuredelstein.net
  6. confirmed it loads without warning
  7. opened a new Private window with Tor
  8. loaded http://insecure.arthuredelstein.net
  9. confirmed I got the interstitial-warning dialog
  10. confirmed I could click through

Confirmed I got an interstitial page, allowing me to click through to load the content


Upgrade connections to HTTPS - Standard - PASSED

Steps:

  1. installed 1.50.110
  2. launched Brave
  3. opened brave://settings/shields
  4. confirmed Upgrade connections to HTTPS is set to Standard
  5. loaded http://insecure.arthuredelstein.net
  6. confirmed it loads without warning
  7. opened a new Private window with Tor
  8. loaded http://insecure.arthuredelstein.net
  9. confirmed I got the interstitial-warning dialog
  10. confirmed I could click through

Confirmed I got an interstitial page, allowing me to click through to load the content


upgradable.arthuredelstein.net - PASSED

Upgrade connections to HTTPS - Strict - PASSED

Steps:

  1. installed 1.50.110
  2. launched Brave
  3. opened brave://settings/shields
  4. changed Upgrade connections to HTTPS to Strict
  5. loaded http://upgradable.arthuredelstein.net
  6. confirmed it loads without warning
  7. opened a new Private window with Tor
  8. loaded http://upgradable.arthuredelstein.net
  9. examined the loaded URL

Confirmed normal windows follow the preference, but Private windows with Tor auto-upgrade to https://upgradable.arthuredelstein.net/


Upgrade connections to HTTPS - Disabled - PASSED

Steps:

  1. installed 1.50.110
  2. launched Brave
  3. opened brave://settings/shields
  4. changed Upgrade connections to HTTPS to Disabled
  5. loaded http://upgradable.arthuredelstein.net
  6. confirmed it loads without warning and Shields reads Don't upgrade HTTP connections in brave://settings/shields
  7. opened a new Private window with Tor
  8. loaded http://upgradable.arthuredelstein.net
  9. examined the loaded URL

Confirmed normal windows follow the preference, but Private windows with Tor auto-upgrade to https://upgradable.arthuredelstein.net/

Confirmed we don't auto-upgrade connections to HTTPS when set to Disabled


Upgrade connections to HTTPS - Standard - PASSED

Steps:

  1. installed 1.50.110
  2. launched Brave
  3. opened brave://settings/shields
  4. confirmed Upgrade connections to HTTPS is Standard
  5. loaded http://upgradable.arthuredelstein.net
  6. confirmed it loads without warning
  7. opened a new Private window with Tor
  8. loaded http://upgradable.arthuredelstein.net

Confirmed normal windows follow the preference, but Private windows with Tor auto-upgrade to https://upgradable.arthuredelstein.net/


@MadhaviSeelam

MadhaviSeelam commented Mar 31, 2023

Verification PASSED using

Brave | 1.50.110 Chromium: 112.0.5615.49 (Official Build) (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)

Testcase: Set Global settings for Https Default - PASSED

Case 1: Upgrade connections to HTTPS - Standard; default setting via Normal window - PASSED

  1. Install 1.50.110
  2. launched Brave
  3. enabled #Use HTTPS by Default in brave://flags
  4. visited brave://settings/shields
  5. loaded http://insecure.arthuredelstein.net
  6. loaded http://http.badssl.com
  7. loaded http://upgradable.arthuredelstein.net
  8. confirmed Upgrade connections to HTTPS option is displayed as default in the Normal window
  9. opened a New private window with Tor for above sites

Confirmed since Tor windows always use Strict mode and Normal window setting is Standard


Case 2: Upgrade connections to HTTPS - Strict - PASSED via Normal window -

  1. new profile
  2. launched Brave
  3. enabled #Use HTTPS by Default in brave://flags
  4. visited brave://settings/shields
  5. selected Strict in the Upgrade connections to HTTPS
  6. loaded http://insecure.arthuredelstein.net
  7. loaded http://http.badssl.com
  8. loaded http://upgradable.arthuredelstein.net
  9. opened a New private window with Tor for above sites

Confirmed following since Tor windows always use Strict mode and Normal window setting is Strict


Case 3: Upgrade connections to HTTPS - Disabled - PASSED

  1. new profile
  2. launched Brave
  3. enabled #Use HTTPS by Default in brave://flags
  4. visited brave://settings/shields
  5. selected Disabled in the Upgrade connections to HTTPS
  6. loaded http://insecure.arthuredelstein.net
  7. loaded http://http.badssl.com
  8. loaded http://upgradable.arthuredelstein.net
  9. opened a New private window with Tor for above sites

Confirmed since Tor windows always use Strict mode and global setting is Disabled


MadhaviSeelam added the QA Pass-Win64 label and removed the QA/In-Progress label Apr 3, 2023
btlechowski added the QA/In-Progress label Apr 3, 2023
@btlechowski

btlechowski commented Apr 4, 2023

Verification passed on

Brave 1.50.93 Chromium: 111.0.5563.64 (Official Build) beta (64-bit)
Revision c710e93d5b63b7095afe8c2c17df34408078439d-refs/branch-heads/5563@{#995}
OS Ubuntu 18.04 LTS

Testcase: Set Global settings for Https Default - PASSED

Case 1: Upgrade connections to HTTPS - Standard; default setting via Normal window - PASSED

  1. Install 1.50.x
  2. launched Brave
  3. enabled #Use HTTPS by Default in brave://flags
  4. visited brave://settings/shields
  5. loaded http://insecure.arthuredelstein.net
  6. loaded http://http.badssl.com
  7. loaded http://upgradable.arthuredelstein.net
  8. confirmed Upgrade connections to HTTPS option is displayed as default in the Normal window
  9. opened a New private window with Tor for above sites

Confirmed since Tor windows always use Strict mode and Normal window setting is Standard


Case 2: Upgrade connections to HTTPS - Strict - PASSED via Normal window -

  1. new profile
  2. launched Brave
  3. enabled #Use HTTPS by Default in brave://flags
  4. visited brave://settings/shields
  5. selected Strict in the Upgrade connections to HTTPS
  6. loaded http://insecure.arthuredelstein.net
  7. loaded http://http.badssl.com
  8. loaded http://upgradable.arthuredelstein.net
  9. opened a New private window with Tor for above sites

Confirmed following since Tor windows always use Strict mode and Normal window setting is Strict


Case 3: Upgrade connections to HTTPS - Disabled - PASSED

  1. new profile
  2. launched Brave
  3. enabled #Use HTTPS by Default in brave://flags
  4. visited brave://settings/shields
  5. selected Disabled in the Upgrade connections to HTTPS
  6. loaded http://insecure.arthuredelstein.net
  7. loaded http://http.badssl.com
  8. loaded http://upgradable.arthuredelstein.net
  9. opened a New private window with Tor for above sites

Confirmed since Tor windows always use Strict mode and global setting is Disabled


btlechowski added the QA Pass-Linux label and removed the QA/In-Progress label Apr 4, 2023