[Security] Remove "Automatic .onion redirect" feature #36933

Closed
fmarier opened this issue Mar 19, 2024 · 3 comments · Fixed by brave/brave-core#22697

Comments


fmarier commented Mar 19, 2024

The Automatically redirect .onion sites feature has been a common source of complaints from users who turned it on and then forgot about it.

It also creates a potential privacy leak for which there is no easy fix.

Therefore, I think we should remove this potentially dangerous feature entirely like the Tor Browser.

Design

[Screenshot, 2024-03-19]

stephendonner commented Apr 4, 2024

Verified PASSED using

Brave | 1.66.59 Chromium: 123.0.6312.105 (Official Build) nightly (64-bit)
-- | --
Revision | 2714c7ac837e7b7693b1b56a82effdf57e04fe09
OS | Windows 10 Version 22H2 (Build 19045.4239)

Case 1: Preference removed in brave://settings - PASSED

[Screenshots: 1.64.113 and 1.66.59]

Case 2: URL-bar behavior - PASSED

Steps:

  1. installed 1.66.59
  2. launched Brave
  3. loaded theguardian.com
  4. clicked on the Tor icon/button in the URL bar
  5. confirmed Private Window with Tor opened https://www.theguardian.com/us with a .onion icon/button in the URL bar

Case 3: Upgrade scenario - PASSED

Steps:

  1. installed 1.64.113
  2. launched Brave
  3. loaded dw.com
  4. clicked on the Tor icon/button in the URL bar
  5. confirmed I landed on https://www.dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion/en/top-stories/s-9097
  6. shut down Brave
  7. upgraded to 1.66.59 (renamed Brave-Browser profile folder --> Brave-Browser-Nightly)
  8. launched 1.66.59
  9. opened brave://settings/privacy
  10. confirmed no Automatically redirect .onion sites preference
  11. loaded dw.com
  12. clicked on the Tor button

Confirmed https://www.dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion/en/top-stories/s-9097 loaded


stephendonner added the QA/In-Progress and QA Pass-Win64 labels and removed the QA/In-Progress label on Apr 4, 2024
LaurenWags changed the title from 'Remove "Automatic .onion redirect" feature' to '[Security] Remove "Automatic .onion redirect" feature' on Apr 25, 2024
MadhaviSeelam added the QA/In-Progress label on Apr 26, 2024

MadhaviSeelam commented Apr 26, 2024

Verification PASSED using

Brave | 1.66.90 Chromium: 124.0.6367.82 (Official Build) beta (64-bit)
-- | --
Revision | 803a4c629341791205b744969c48b8da9f2cfa4d
OS | Linux

Case 1: "Automatic .onion redirect" Preference removed in brave://settings/privacy - PASSED

Confirmed "Automatic .onion redirect" option is removed in Tor windows section and no longer shown

[Screenshots: 1.65.123 and 1.66.90]

Case 2: URL-bar behavior - PASSED

Steps:

  1. installed 1.66.59
  2. launched Brave
  3. loaded nytimes.com
  4. clicked on the Tor icon/button in the URL bar
  5. confirmed Private Window with Tor loaded https://www.nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion/

Case 3: Upgrade scenario - PASSED

Steps:

  1. installed 1.65.123
  2. launched Brave
  3. loaded https://www.theguardian.com/us
  4. clicked on the Tor icon/button in the URL bar
  5. confirmed I landed on https://www.guardian2zotagl6tmjucg3lrhxdk4dw3lhbqnkvvkywawy3oqfoprid.onion/us
  6. shut down Brave
  7. upgraded to 1.66.90 (renamed Brave-Browser profile folder --> Brave-Browser-Beta)
  8. launched 1.66.90
  9. opened brave://settings/privacy
  10. confirmed no Automatically redirect .onion sites preference
  11. loaded https://www.theguardian.com/us.com
  12. clicked on the Tor button

Confirmed https://www.guardian2zotagl6tmjucg3lrhxdk4dw3lhbqnkvvkywawy3oqfoprid.onion/us loaded

[Screenshots: step 3, step 5, step 10, step 11, step 12]


stephendonner commented Apr 26, 2024

Verification PASSED using

Brave | 1.66.91 Chromium: 124.0.6367.91 (Official Build) beta (x86_64)
-- | --
Revision | 5c30ebba7e5e93df8fbf633585986e5e907d07e8
OS | macOS Version 11.7.10 (Build 20G1427)

Case 1: Preference removed in brave://settings - PASSED

[Screenshots: 1.65.123 and 1.66.91]

Case 2: URL-bar behavior - PASSED

Steps:

  1. installed 1.66.91
  2. launched Brave
  3. loaded brave.com
  4. clicked on the Tor icon/button in the URL bar
  5. confirmed Private Window with Tor opened https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion/ with a .onion icon/button in the URL bar

Case 3: Upgrade scenario - PASSED

Steps:

  1. installed 1.65.123
  2. launched Brave
  3. loaded dw.com
  4. clicked on the Tor icon/button in the URL bar
  5. confirmed I landed on https://www.dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion/en/top-stories/s-9097
  6. shut down Brave
  7. upgraded to 1.66.91 (renamed Brave-Browser profile folder --> Brave-Browser-Beta)
  8. launched 1.66.91
  9. opened brave://settings/privacy
  10. confirmed no Automatically redirect .onion sites preference
  11. loaded dw.com
  12. clicked on the Tor button

Confirmed https://www.dwnewsgngmhlplxy6o2twtfgjnrnjxbegbwqx6wnotdhkzt562tszfid.onion/en/top-stories/s-9097 loaded


MadhaviSeelam added the QA Pass-Linux label and removed the QA/In-Progress label on Apr 26, 2024