investigate and implement improvements to header-based tor2web detection for current active tor2web proxies #6293

Closed
Tracked by #6290
zenmonkeykstop opened this issue Feb 18, 2022 · 5 comments · Fixed by #6304

@zenmonkeykstop
Contributor

No description provided.

legoktm added a commit that referenced this issue Feb 23, 2022
Tor2Web mangles onion URLs to point to the proxy, but its implementation
is buggy and we can use that for detection. In this case, it rewrites
a literal `href="fake.onion"` (inside a hidden form <input>) to something
like: `href="//{$address}.onion.ly/fake.onion.ly"`. On form submission,
we can detect that it doesn't roundtrip properly and flag the mangling as
Tor2Web usage.

Fixes #6293.
@legoktm
Member

legoktm commented Feb 23, 2022

From poking at it a bit and reviewing the tor2web source code, I came up with #6304, which relies on buggy URL mangling on the /create form. I've marked it as a draft because the UX is pretty bad, you have to click through like 2 forms and only then do we fire the tor2web alert. How bad would it be if the very first "Get started" button was actually a <form> that POST'd to /generate, so we could include the hidden form field and do the detection at the very first step?

@zenmonkeykstop
Contributor Author

This is really neat - I'm trying to think of downsides to converting the Get Started button to a POSTed form but none spring to mind. Does it detect tor2web specifically tho, or any proxy that rewrites links? Both are bad, but we might need to make the language more general on the warning page in the latter case.

It would still be good to detect tor2web via headers if possible. It has fewer UX implications and it could happen on the first connection. But this is a great extra defense.

@eaon
Contributor

eaon commented Feb 23, 2022

Oh my, I love this! I don't think there's downsides to a POSTed Get Started button - it'd be bad for search engines, but messing with those is an upside in our case anyway.

> Does it detect tor2web specifically tho, or any proxy that rewrites links?

Given that it's based on a href= inside an attribute, I'd expect other naïve proxies that do simple substitution to trip over this as well, but realistically speaking, how many of those are configured to access onion services and would they be used for anything other than a service that's essentially the same as Tor2Web? I think it'd be enough to adapt the language on the warning to something along the lines of "If you use a Tor2Web or similar proxy"

@zenmonkeykstop
Contributor Author

Yeah I think we're all of the same mind here, will tweak the language in #6300 a little. @legoktm I would say go for it on the change to the Get Started button.

@legoktm
Member

legoktm commented Feb 23, 2022

The rewrites that tor2web does are pretty naive; it's entirely possible that it becomes more robust in the future (e.g. using a proper HTML parser) and we need some other detection mechanism. I think this should catch any similarly naive proxy that wants to make onion services accessible on the clearnet, because they have to hijack any *.onion URL.

legoktm added a commit that referenced this issue Feb 23, 2022
Tor2Web mangles onion URLs to point to the proxy, but its implementation
is buggy and we can use that for detection. In this case, it rewrites
a literal `href="fake.onion"` (inside a hidden form <input>) to
something like: `href="//{$address}.onion.ly/fake.onion.ly"`. On form
submission, we can detect that it doesn't roundtrip properly and flag
the mangling as Tor2Web usage.

Since we want to show users the error as soon as possible, we turn the
initial "Get started" button link into a <form> with this special hidden
<input> that POSTs to `/generate`, which will check if Tor2Web mangles
the field and display the warning accordingly.

Fixes #6293.
@legoktm legoktm self-assigned this Feb 28, 2022
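
The round-trip check described in the commit messages above, as an added example that is not SecureDrop's own code: the server emits a hidden canary field, a text-substituting proxy rewrites it in transit, and the `/generate` handler compares what comes back. The field name `tor2web_check`, the helper names, the `missing` outcome and the `naive_rewrite` stand-in (modelled only on the rewritten string quoted in the commit message, with a constructed address) are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

CANARY = 'href="fake.onion"'   # literal named in the commit message
FIELD = "tor2web_check"        # hypothetical field name (assumption)


def render_form() -> str:
    # Single-quoted attribute so the canary appears verbatim in the markup,
    # where a proxy doing plain text substitution will see it as a link.
    return ("<form method='post' action='/generate'>"
            f"<input type='hidden' name='{FIELD}' value='{CANARY}'>"
            "<button type='submit'>Get started</button></form>")


def naive_rewrite(markup: str, address: str) -> str:
    """Constructed stand-in for a proxy that rewrites href="*.onion" as text."""
    return re.sub(r'href="([^"]*)\.onion"',
                  rf'href="//{address}.onion.ly/\1.onion.ly"', markup)


class _HiddenInputs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value", "")


def browser_submit(markup: str) -> str:
    """POST body a browser would send: hidden fields exactly as received."""
    parser = _HiddenInputs()
    parser.feed(markup)
    return urlencode(parser.fields)


def check_generate_post(body: str) -> str:
    """Server-side check: did the canary survive the round trip unchanged?"""
    values = parse_qs(body, keep_blank_values=True).get(FIELD)
    if not values:
        return "missing"      # field stripped or form bypassed (example's choice)
    return "ok" if values == [CANARY] else "rewritten"
```

A proxy that parses HTML properly and only rewrites real link attributes would return `ok` here, which is the limitation raised in the thread.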