Add Orbot warning in source interface #3215
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## develop #3215 +/- ##
========================================
Coverage 85.91% 85.91%
========================================
Files 34 34
Lines 2137 2137
Branches 235 235
========================================
Hits 1836 1836
Misses 247 247
Partials 54 54Continue to review full report at Codecov.
|
redshiftzero
suggested changes
Apr 3, 2018
There was a problem hiding this comment.
Thank you for implementing this @emkll - this is an important stopgap before an official Android version of Tor Browser is released. A few comments are inline
|
|
||
| # Create new profile and driver with the orbot user agent for this test | ||
| profile = webdriver.FirefoxProfile() | ||
| profile.set_preference("general.useragent.override", orbotUserAgent) |
| warning_dismiss_button.click() | ||
|
|
||
| def warning_banner_is_hidden(): | ||
| assert warning_banner.is_displayed() is False |
There was a problem hiding this comment.
Since we're defining this function also in the above test, we may as well move it into a helper method warning_banner_is_hidden() and call it here and in the above test with self.warning_banner_is_hidden(). What do you think?
| @@ -16,6 +16,7 @@ | |||
| <body> | |||
| <div class="js-warning warning">{{ gettext('<strong>It is recommended to move the Security Slider to Safest to protect your anonymity:</strong> <a id="disable-js" href="">Learn how to set it to Safest</a>, or ignore this warning to continue.') }} <img id="js-warning-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div> | |||
| <div class="use-tor-browser warning">{{ gettext('<strong>It is recommended to use the Tor Browser to access SecureDrop:</strong> <a id="recommend-tor" href="{tor_browser_url}">Learn how to install it</a>, or ignore this warning to continue.').format(tor_browser_url=url_for('info.recommend_tor_browser')) }} <img id="use-tor-browser-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div> | |||
| <div class="orfox-browser warning">{{ gettext('<strong>It is recommended you use the desktop version of Tor Browser to access SecureDrop, as Orfox does not provide the same level of security and anonymity as the desktop versions.</strong> <a id="recommend-tor" href="{tor_browser_url}">Learn how to install it</a>, or ignore this warning to continue.').format(tor_browser_url=url_for('info.recommend_tor_browser')) }} <img id="orfox-browser-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div> | |||
| @@ -1,4 +1,5 @@ | |||
| var TBB_UA_REGEX = /Mozilla\/5\.0 \(Windows NT 6\.1; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; | |||
| var ORFOX_UA_REGEX = /Mozilla\/5\.0 \(Android; Mobile; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; | |||
There was a problem hiding this comment.
Question: is this the version of UA in latest Orfox? It looks like they updated the way the UA is formed (to match the latest Firefox for Android ESR), i.e. instead of a string like:
Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0
it's now a string like:
Mozilla/5.0 (Android 7.1.1; Mobile; rv:52.0) Gecko/52.0 Firefox/52.0
where the only variable parts of the new UA I believe are 7.1.1 (the Android version) and 52.0 (the ESR version). See Tor Check making a similar change here to update how they detect Orfox.
There was a problem hiding this comment.
Yes, I have the latest version from the Play Store, which corresponds to the latest release on GitHub. The current regex seems to be inline with the link found in your link, here. I can't find any mention of the specific Android version (e.g.: 7.1.1, which sounds like a potentially significant metadata leak).
I enabled access logs locally for the source interface and observed the UAS for Orfox. I am using: version Fennec-52.7.2esr/TorBrowser-7.5.2/Orfox-1.5.1-RC-1, the latest version available on the Play Store. The first access is with a desktop version of Tor Browser, the second set is with Orfox. This seems to match with the regexes found above. Let me know if I misunderstood.
127.0.0.1 - - [03/Apr/2018:15:43:24 +0000] "GET / HTTP/1.1" 200 2159 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/css/source.css HTTP/1.1" 200 12562 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/gen/source.js?5806f9e5 HTTP/1.1" 200 30565 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/i/favicon.png HTTP/1.1" 200 2458 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/times-white.png HTTP/1.1" 200 3348 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/cloud-upload-blue.png HTTP/1.1" 200 4430 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/logo.png HTTP/1.1" 200 44649 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/cloud-upload-white.png HTTP/1.1" 200 3160 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/fa-globe-black.png HTTP/1.1" 404 2306 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/comments-blue.png HTTP/1.1" 200 5093 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/comments-white.png HTTP/1.1" 200 3493 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/toronion.png HTTP/1.1" 200 5941 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:22 +0000] "GET / HTTP/1.1" 200 2159 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:24 +0000] "GET /static/css/source.css HTTP/1.1" 200 12562 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:24 +0000] "GET /static/gen/source.js?5806f9e5 HTTP/1.1" 200 30565 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:31 +0000] "GET /static/i/toronion.png HTTP/1.1" 200 5942 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/cloud-upload-white.png HTTP/1.1" 200 3160 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/cloud-upload-blue.png HTTP/1.1" 200 4430 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/comments-white.png HTTP/1.1" 200 3493 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/times-white.png HTTP/1.1" 200 3348 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/comments-blue.png HTTP/1.1" 200 5093 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/fa-globe-black.png HTTP/1.1" 404 2306 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/logo.png HTTP/1.1" 200 44649 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
There was a problem hiding this comment.
Great, thank you for this careful testing 👍
- If a user agent matching Orbot accesses the Source interface, a warning will appear informing them that the security and privacy of their browser and device may be affected, and recommend the use of the desktop version of Tor Browser. - Add functional test which creates a new profile to set the browser's user agent.
Used in the functional test scenarios for Tor browser and Orbot warnning banner functionality on the source interface.
emkll
force-pushed
the
3159_orbot_message
branch
from
cc17976
to
ff5f311
Compare
redshiftzero
approved these changes
Apr 3, 2018
| @@ -1,4 +1,5 @@ | |||
| var TBB_UA_REGEX = /Mozilla\/5\.0 \(Windows NT 6\.1; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; | |||
| var ORFOX_UA_REGEX = /Mozilla\/5\.0 \(Android; Mobile; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; | |||
There was a problem hiding this comment.
Great, thank you for this careful testing 👍
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status
Ready for review
Description of Changes
If a user accesses the Source interface with Orbot, a warning will appear informing them that the security and privacy properties of their browser and device may be affected, and recommend the use of the desktop version of Tor Browser.
Fixes #3186 .
Testing
Deployment
None
Checklist
If you made changes to the server application code:
make ci-lint) and tests (make -C securedrop test) pass in the development container