New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Orbot warning in source interface #3215
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #3215 +/- ##
========================================
Coverage 85.91% 85.91%
========================================
Files 34 34
Lines 2137 2137
Branches 235 235
========================================
Hits 1836 1836
Misses 247 247
Partials 54 54 Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for implementing this @emkll - this is an important stopgap before an official Android version of Tor Browser is released. A few comments are inline
|
||
# Create new profile and driver with the orbot user agent for this test | ||
profile = webdriver.FirefoxProfile() | ||
profile.set_preference("general.useragent.override", orbotUserAgent) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
clever!
warning_dismiss_button.click() | ||
|
||
def warning_banner_is_hidden(): | ||
assert warning_banner.is_displayed() is False |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we're defining this function also in the above test, we may as well move it into a helper method warning_banner_is_hidden()
and call it here and in the above test with self.warning_banner_is_hidden()
. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense! Will fix
@@ -16,6 +16,7 @@ | |||
<body> | |||
<div class="js-warning warning">{{ gettext('<strong>It is recommended to move the Security Slider to Safest to protect your anonymity:</strong> <a id="disable-js" href="">Learn how to set it to Safest</a>, or ignore this warning to continue.') }} <img id="js-warning-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div> | |||
<div class="use-tor-browser warning">{{ gettext('<strong>It is recommended to use the Tor Browser to access SecureDrop:</strong> <a id="recommend-tor" href="{tor_browser_url}">Learn how to install it</a>, or ignore this warning to continue.').format(tor_browser_url=url_for('info.recommend_tor_browser')) }} <img id="use-tor-browser-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div> | |||
<div class="orfox-browser warning">{{ gettext('<strong>It is recommended you use the desktop version of Tor Browser to access SecureDrop, as Orfox does not provide the same level of security and anonymity as the desktop versions.</strong> <a id="recommend-tor" href="{tor_browser_url}">Learn how to install it</a>, or ignore this warning to continue.').format(tor_browser_url=url_for('info.recommend_tor_browser')) }} <img id="orfox-browser-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -1,4 +1,5 @@ | |||
var TBB_UA_REGEX = /Mozilla\/5\.0 \(Windows NT 6\.1; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; | |||
var ORFOX_UA_REGEX = /Mozilla\/5\.0 \(Android; Mobile; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question: is this the version of UA in latest Orfox? It looks like they updated the way the UA is formed (to match the latest Firefox for Android ESR), i.e. instead of a string like:
Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0
it's now a string like:
Mozilla/5.0 (Android 7.1.1; Mobile; rv:52.0) Gecko/52.0 Firefox/52.0
where the only variable parts of the new UA I believe are 7.1.1 (the Android version) and 52.0 (the ESR version). See Tor Check making a similar change here to update how they detect Orfox.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I have the latest version from the Play Store, which corresponds to the latest release on GitHub. The current regex seems to be inline with the link found in your link, here. I can't find any mention of the specific Android version (e.g.: 7.1.1, which sounds like a potentially significant metadata leak).
I enabled access logs locally for the source interface and observed the UAS for Orfox. I am using: version Fennec-52.7.2esr/TorBrowser-7.5.2/Orfox-1.5.1-RC-1
, the latest version available on the Play Store. The first access is with a desktop version of Tor Browser, the second set is with Orfox. This seems to match with the regexes found above. Let me know if I misunderstood.
127.0.0.1 - - [03/Apr/2018:15:43:24 +0000] "GET / HTTP/1.1" 200 2159 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/css/source.css HTTP/1.1" 200 12562 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/gen/source.js?5806f9e5 HTTP/1.1" 200 30565 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/i/favicon.png HTTP/1.1" 200 2458 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/times-white.png HTTP/1.1" 200 3348 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/cloud-upload-blue.png HTTP/1.1" 200 4430 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/logo.png HTTP/1.1" 200 44649 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/cloud-upload-white.png HTTP/1.1" 200 3160 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/fa-globe-black.png HTTP/1.1" 404 2306 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/comments-blue.png HTTP/1.1" 200 5093 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/comments-white.png HTTP/1.1" 200 3493 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/toronion.png HTTP/1.1" 200 5941 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:22 +0000] "GET / HTTP/1.1" 200 2159 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:24 +0000] "GET /static/css/source.css HTTP/1.1" 200 12562 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:24 +0000] "GET /static/gen/source.js?5806f9e5 HTTP/1.1" 200 30565 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:31 +0000] "GET /static/i/toronion.png HTTP/1.1" 200 5942 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/cloud-upload-white.png HTTP/1.1" 200 3160 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/cloud-upload-blue.png HTTP/1.1" 200 4430 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/comments-white.png HTTP/1.1" 200 3493 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/times-white.png HTTP/1.1" 200 3348 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/comments-blue.png HTTP/1.1" 200 5093 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/fa-globe-black.png HTTP/1.1" 404 2306 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/logo.png HTTP/1.1" 200 44649 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, thank you for this careful testing 👍
- If a user agent matching Orbot accesses the Source interface, a warning will appear informing them that the security and privacy of their browser and device may be affected, and recommend the use of the desktop version of Tor Browser. - Add functional test which creates a new profile to set the browser's user agent.
Used in the functional test scenarios for Tor browser and Orbot warnning banner functionality on the source interface.
cc17976
to
ff5f311
Compare
@@ -1,4 +1,5 @@ | |||
var TBB_UA_REGEX = /Mozilla\/5\.0 \(Windows NT 6\.1; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; | |||
var ORFOX_UA_REGEX = /Mozilla\/5\.0 \(Android; Mobile; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, thank you for this careful testing 👍
Status
Ready for review
Description of Changes
If a user accesses the Source interface with Orbot, a warning will appear informing them that the security and privacy properties of their browser and device may be affected, and recommend the use of the desktop version of Tor Browser.
Fixes #3186 .
Testing
Deployment
None
Checklist
If you made changes to the server application code:
make ci-lint
) and tests (make -C securedrop test
) pass in the development container