Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

On startup disable connections to google domains. #514

Closed
jumde opened this issue Jul 10, 2018 · 14 comments
Closed

On startup disable connections to google domains. #514

jumde opened this issue Jul 10, 2018 · 14 comments

Comments

@jumde
Copy link
Contributor

@jumde jumde commented Jul 10, 2018

On startup brave connects to the following domains.

bc.googleusercontent.com
clients2.google.com
accounts.google.com

This might be a dupe of #512. Verify after the issue is addressed.

@jumde jumde added the audit-p1 label Jul 10, 2018
@bbondy bbondy added this to Dev channel blockers in Security & Privacy Jul 10, 2018
@bridiver

This comment has been minimized.

Copy link
Collaborator

@bridiver bridiver commented Jul 11, 2018

what are the full urls? These domains are used for different services

@bridiver

This comment has been minimized.

Copy link
Collaborator

@bridiver bridiver commented Jul 11, 2018

for instance, clients2.google.com is used for extension updates so that might be widevine which I believe is expected - cc @bbondy

@bridiver

This comment has been minimized.

Copy link
Collaborator

@bridiver bridiver commented Jul 11, 2018

switches::kDisableDomainReliability should be set to true to disable the domain reliability service

@bbondy

This comment has been minimized.

Copy link
Member

@bbondy bbondy commented Jul 11, 2018

@bridiver I think widevine should only be called once widevine opt in is clicked at least once. So it's unexpected to me to be at startup. If it's from extensions though that code will be changing to always to go to a new server that redirects to the chrome server as needed.

@bbondy

This comment has been minimized.

Copy link
Member

@bbondy bbondy commented Jul 11, 2018

maybe add logging to the system network delegate @bridiver to see full URLs.

@AlexeyBarabash

This comment has been minimized.

Copy link
Contributor

@AlexeyBarabash AlexeyBarabash commented Jul 11, 2018

On Windows it could be helpful to use procmon + filter on network events + brave pdb symbols + look on stack to see what is the point in code issues the request. This hadn't work, could see only kernel stack.

@bridiver

This comment has been minimized.

Copy link
Collaborator

@bridiver bridiver commented Jul 11, 2018

I know at least some of these are domain reliability so I think we should go ahead and disable that before checking again

@bridiver

This comment has been minimized.

Copy link
Collaborator

@bridiver bridiver commented Jul 11, 2018

although I think domain reliability reports shouldn't be sent if metrics reporting is disabled

@bbondy bbondy self-assigned this Jul 12, 2018
bbondy added a commit to brave/brave-core that referenced this issue Jul 12, 2018
Partially addresses brave/brave-browser#514
@bbondy

This comment has been minimized.

Copy link
Member

@bbondy bbondy commented Jul 12, 2018

although I think domain reliability reports shouldn't be sent if metrics reporting is disabled

This was true btw, so it's not on by default. But I added the switch anyway in case it is enabled.

@bbondy bbondy mentioned this issue Jul 12, 2018
3 of 9 tasks complete
@bbondy

This comment has been minimized.

Copy link
Member

@bbondy bbondy commented Jul 12, 2018

PR for disabling the domain reliability service is here:
brave/brave-core#246

These are the only URLs coming up in the system context:

https://laptop-updates.brave.com/extensions
https://laptop-updates.brave.com/extensions
https://laptop-updates.brave.com/extensions
http://192.168.0.28:8008/ssdp/device-desc.xml
http://192.168.0.6:38224/dd.xml
http://sravjvutjzua/
http://azowvogeprliwqi/
http://erumqbzx/
https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_variation_0.pb
https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_ext_variation_0.pb
https://safebrowsing.googleapis.com/v4/fullHashes:find?$req=long-hash-here

I applied this patch to log it:

diff --git a/browser/net/brave_static_redirect_network_delegate_helper.cc b/browser/net/brave_static_redirect_network_delegate_helper.cc
index bbc8679..b343369 100644
--- a/browser/net/brave_static_redirect_network_delegate_helper.cc
+++ b/browser/net/brave_static_redirect_network_delegate_helper.cc
@@ -17,6 +17,7 @@ int OnBeforeURLRequest_StaticRedirectWork(
     GURL* new_url,
     const ResponseCallback& next_callback,
     std::shared_ptr<BraveRequestInfo> ctx) {
+  LOG(ERROR) << "===URL: " << request->url();
   GURL::Replacements replacements;
   static URLPattern geo_pattern(URLPattern::SCHEME_HTTPS, kGeoLocationsPattern);
   static URLPattern safeBrowsing_pattern(URLPattern::SCHEME_HTTPS, kSafeBrowsingPrefix);

Could you give extra steps for how to reproduce? Or am I possibly testing the wrong way?
I don't see these:

bc.googleusercontent.com
clients2.google.com
accounts.google.com
@jumde

This comment has been minimized.

Copy link
Contributor Author

@jumde jumde commented Jul 12, 2018

@bbondy @bridiver

STR:

  1. Download Brave Binary from: https://github.com/brave/brave-browser-builds/releases
  2. Delete any previous user-profiles
  3. Open Little Snitch
  4. Delete any previous entries for Brave.
  5. Start Brave.

screen shot 2018-07-11 at 8 36 22 pm

bbondy added a commit to brave/brave-core that referenced this issue Jul 12, 2018
This disables connecting to client2.google.com, google.com and googleusercontent.com at startup.  The service is meant to select which google services you need for your region.

Addresses brave/brave-browser#514
bbondy added a commit to brave/brave-core that referenced this issue Jul 12, 2018
This disables connecting to client2.google.com, google.com and googleusercontent.com at startup.  The service is meant to select which google services you need for your region.

Addresses brave/brave-browser#514
bbondy added a commit to brave/brave-core that referenced this issue Jul 12, 2018
This disables connecting to client2.google.com, google.com and googleusercontent.com at startup.  The service is meant to select which google services you need for your region.

Addresses brave/brave-browser#514
bbondy added a commit to brave/brave-core that referenced this issue Jul 12, 2018
This disables connecting to client2.google.com, google.com and googleusercontent.com at startup.  The service is meant to select which google services you need for your region.

Addresses brave/brave-browser#514
@bbondy bbondy mentioned this issue Jul 12, 2018
3 of 9 tasks complete
@bbondy

This comment has been minimized.

Copy link
Member

@bbondy bbondy commented Jul 12, 2018

Should be good to go now with disabling Google URL tracker and domain reliability service.
@bridiver and I tried to disable the gaia thing before but it's not a supported build option. So the code that gets a list of the google accounts from gaia I think would be too much work to block here. Could we maybe do a backlog task for that one and close this out @jumde ?

@jumde

This comment has been minimized.

Copy link
Contributor Author

@jumde jumde commented Jul 12, 2018

Sounds good. Here is the backlog issue: #527

@btlechowski

This comment has been minimized.

Copy link
Collaborator

@btlechowski btlechowski commented Sep 27, 2018

Verification passes since #512 is also verified and work continues in #527 (@kjozwiak is this acceptable for you?)

Brave 0.55.6 Chromium: 70.0.3538.16 (Official Build) dev (64-bit)
Revision 16ed95b41bb05e565b11fb66ac33c660b721f778-refs/branch-heads/3538@{#306}
OS Windows 7

I have checked with Fiddler and these are the domains that Brave tries to connect to on startup:

http://www.gstatic.com:443
http://go-updater.brave.com:443
http://accounts.google.com:443
http://clients2.google.com:443
http://brave-core-ext.s3.brave.com:443
http://clients2.googleusercontent.com:443
http://nzwaodwspjvuuh/
http://drqiizsqepxcnhg/
http://ifnnzui/
http://www.googleapis.com:443
http://pdfjs.robwu.nl:443
http://ssl.gstatic.com:443

The work is still in progress: #527, but once it is done, we need to recheck this issue

Verified passed with

Brave 0.55.14 Chromium: 70.0.3538.54 (Official Build) beta(64-bit)
Revision 4f8e578b6680574714e9ed3bb9f02922b4dde40d-refs/branch-heads/3538@{#937}
OS Mac OS X
  • Work on this continues with #527
  • This is what was seen using LittleSnitch on 0.55.14:
    screen shot 2018-10-16 at 3 00 44 pm

Verification Passed on

Brave 0.55.16 Chromium: 70.0.3538.54 (Official Build) (64-bit)
Revision 4f8e578b6680574714e9ed3bb9f02922b4dde40d-refs/branch-heads/3538@{#937}
OS Linux
@bbondy bbondy moved this from Dev channel blockers to Completed in Security & Privacy Oct 30, 2018
@rebron rebron removed this from Completed in Security & Privacy Nov 12, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.