
Add a setting for allowing .onion requests in normal windows #33735

Closed
fmarier opened this issue Oct 18, 2023 · 9 comments · Fixed by brave/brave-core#21106

Comments

@fmarier
Member

fmarier commented Oct 18, 2023

In #32108, we blocked all network requests to .onion URLs outside of Tor windows. Such network request will fail due to the need to use the tor proxy in order to resolve and connect to them, but before failing they will leak the name of the Onion services to the DNS resolver.

One use case we had not anticipated however was people installing the tor daemon on their (likely OpenWRT or Pi-hole-based) router and then letting all local clients resolve and connect to .onion normally outside of Tor windows (or in fact outside of Brave too).

The proposed fix is to add a setting in brave://settings/privacy under Tor windows:

Only resolve .onion addresses in Tor windows
Onion services will not be available outside of Tor windows.

The toggle will be on by default, in line with the RFC 7686 recommendation:

Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup.

In addition, we should add a devtools console warning pointing to this setting when we block a network request for this reason.
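The decision described above, written out as an added example (this is not Brave's code and not taken from the linked PR): a request to a `.onion` host is allowed in a Tor window, or when the user has turned the "Only resolve .onion addresses in Tor windows" setting off, and is otherwise blocked before any DNS lookup happens, as RFC 7686 recommends. The function names `isOnionHost` and `decideOnionRequest`, the option names, and the wording of the console warning are my own assumptions.

```javascript
// Added example modelling the behaviour requested in this issue.
// Not Brave's implementation; names and message text are assumed.

// Returns true when `hostname` falls inside the special-use .onion TLD
// (RFC 7686). Tolerates uppercase and a trailing FQDN dot so that
// "EXAMPLE.ONION." is still recognised before it reaches a resolver.
function isOnionHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === "onion" || h.endsWith(".onion");
}

// Decide what to do with a request. `onlyResolveInTorWindows` stands for
// the proposed brave://settings/privacy toggle, which defaults to on.
function decideOnionRequest({ url, isTorWindow, onlyResolveInTorWindows = true }) {
  let hostname;
  try {
    hostname = new URL(url).hostname;
  } catch (e) {
    // Not a parseable URL: nothing to classify here, the network stack
    // will reject it on its own.
    return { action: "allow", reason: "unparseable URL" };
  }

  if (!isOnionHost(hostname)) {
    return { action: "allow", reason: "not an onion address" };
  }
  if (isTorWindow) {
    // Tor windows route through the Tor proxy, which resolves the name itself.
    return { action: "allow", reason: "Tor window" };
  }
  if (!onlyResolveInTorWindows) {
    // User opted in (e.g. Tor daemon on the router): the name goes to the
    // normal resolver, which is exactly the leak RFC 7686 warns about.
    return { action: "allow", reason: "setting disabled by user" };
  }

  // Default: fail the request before any DNS query, with a devtools hint.
  return {
    action: "block",
    errorCode: "net::ERR_BLOCKED_BY_CLIENT",
    warning:
      `Blocked request to ${hostname}: .onion addresses are only resolved in ` +
      `Tor windows. See brave://settings/privacy under "Tor windows".`,
  };
}

// Constructed sample: a subresource on a fictitious onion host.
const sample = "http://example.onion/onion16.png";
console.log(decideOnionRequest({ url: sample, isTorWindow: false }).action); // block
console.log(decideOnionRequest({ url: sample, isTorWindow: true }).action);  // allow
```

The point of ordering the checks this way is that the `.onion` classification happens on the parsed hostname, not on the raw URL string, so path or query components that happen to contain "onion" never trigger a block and an uppercase or dot-terminated host never slips past it.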

@fmarier
Member Author

fmarier commented Nov 13, 2023

Noting that this is a problem with cURL as well and that this transparent proxying of .onion services is considered "ill-advised".

We'll still add the setting for users who want this use-case to work, but the default behavior will remain the same.

@hisenb3rg

Hi, do we have any ETA on this?

It is really annoying because I cannot use Brave if it updates (at restart)... there's no way to pin to last version when this worked...

@fmarier
Member Author

fmarier commented Nov 21, 2023

@jurglic I am currently working on this and I expect it will ship with Brave 1.62.

@stephendonner

stephendonner commented Dec 4, 2023

Verification PASSED using

| Brave | 1.62.93 Chromium: 120.0.6099.35 (Official Build) beta (x86_64) |
| -- | -- |
| Revision | 2032da61e85b8d826ab474ee36fee9a9cee09907 |
| OS | macOS Version 11.7.10 (Build 20G1427) |

Steps:

  1. installed 1.62.93
  2. launched Brave
  3. skipped onboarding
  4. opened brave://settings/privacy and confirmed that Only resolve .onion in Tor windows was Enabled by default
  5. opened the developer tools and focused the Console pane
  6. loaded https://fmarier.github.io/brave-testing/onion-subresource-33735.html and confirmed the broken image
  7. confirmed the error for onion16.png is net::ERR_BLOCKED_BY_CLIENT
  8. opened brave://settings/privacy and disabled Only resolve .onion in Tor windows
  9. cleared the devtools console
  10. force-refreshed the page and confirmed broken image
  11. confirmed the error for onion16.png is now net::ERR_NAME_NOT_RESOLVED
  12. repeated the above steps in a Private Window with Tor window (12a = pref on, 12b = pref off)

Confirmed that the image loads in a Tor window, regardless of the Only resolve .onion in Tor windows preference

Also confirmed the Learn more link which points to https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-

[Screenshots: step 4, step 6, step 7, step 8, steps 10-11, step 12a, step 12b, Learn more (a), Learn more (b)]

@stephendonner stephendonner added QA/In-Progress Indicates that QA is currently in progress for that particular issue QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Dec 4, 2023
@MadhaviSeelam

Verification PASSED using

| Brave | 1.62.104 Chromium: 120.0.6099.71 (Official Build) beta (64-bit) |
| -- | -- |
| Revision | e2b266991247b909fa88520bb12d018223872d29 |
| OS | Windows 11 Version 22H2 (Build 22621.2715) |

  1. installed 1.62.104
  2. launched Brave
  3. skipped onboarding
  4. opened brave://settings/privacy and confirmed that Only resolve .onion in Tor windows was Enabled by default
  5. opened the developer tools and focused the Console pane
  6. loaded https://fmarier.github.io/brave-testing/onion-subresource-33735.html and confirmed the broken image
  7. confirmed the error for onion16.png is net::ERR_BLOCKED_BY_CLIENT
  8. opened brave://settings/privacy and disabled Only resolve .onion in Tor windows
  9. cleared the devtools console
  10. force-refreshed the page and confirmed broken image
  11. confirmed the error for onion16.png is now net::ERR_NAME_NOT_RESOLVED
  12. repeated the above steps in a Private Window with Tor window pref = on
  13. repeated the above steps in a Private Window with Tor window with pref = off

[Screenshots: step 4, steps 6-7, step 8, step 11, step 12a, step 12b, step 13a, step 13b]

@LaurenWags LaurenWags added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Dec 19, 2023
@LaurenWags
Member

LaurenWags commented Dec 19, 2023

Verified with

| Brave | 1.62.112 Chromium: 120.0.6099.115 (Official Build) beta (64-bit) |
| -- | -- |
| Revision | ae1e179b9884b2de2f4ba0bdea7da3beaad93ffa |
| OS | Linux |

Steps:

  1. installed 1.62.x
  2. launched Brave
  3. skipped onboarding
  4. opened brave://settings/privacy and confirmed that Only resolve .onion in Tor windows was Enabled by default
  5. opened the developer tools and focused the Console pane
  6. loaded https://fmarier.github.io/brave-testing/onion-subresource-33735.html and confirmed the broken image
  7. confirmed the error for onion16.png is net::ERR_BLOCKED_BY_CLIENT
  8. opened brave://settings/privacy and disabled Only resolve .onion in Tor windows
  9. cleared the devtools console
  10. force-refreshed the page and confirmed broken image
  11. confirmed the error for onion16.png is now net::ERR_NAME_NOT_RESOLVED
  12. repeated the above steps in a Private Window with Tor window (12a = pref on, 12b = pref off)

[Screenshots: step 4, step 6, step 7, step 8, steps 10-11]

Confirmed that the image loads in a Tor window, regardless of the Only resolve .onion in Tor windows preference

[Screenshots: Pref On (step 12a), Pref Off (step 12b)]

Also confirmed that the first setting under Tor windows in brave://settings/privacy has a Learn more link which directs to https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-

[Screenshots: Learn more link and its target page]

@LaurenWags LaurenWags added QA Pass-Linux and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Dec 19, 2023
@king-11

king-11 commented Jan 21, 2024

thanks for this feature. I am having trouble finding a way to add proxy configuration to redirect onion URL resolution to the tor service running locally using a .pac file like this:

```javascript
// Route .onion hosts through the local Tor SOCKS proxy; everything else goes direct.
function FindProxyForURL(url, host)
{
  if (shExpMatch(host, "*.onion"))
  {
    // Default SOCKS port of a locally running tor daemon
    return "SOCKS5 127.0.0.1:9050";
  }
  return "DIRECT";
}

// IPv6-extension entry point used by some clients; same logic as above.
function FindProxyForURLEx(url, host) {
  return FindProxyForURL(url, host);
}
```

@fmarier
Member Author

fmarier commented Jan 22, 2024

@king-11 You may want to file a separate issue for this since it's either a separate feature request, or a bug for something that should already work as part of the PAC support.

@king-11

king-11 commented Jan 23, 2024

Sure thanks @fmarier
