Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent connections to google domains on start-up #663

Closed
jumde opened this issue Jul 31, 2018 · 19 comments · Fixed by brave/brave-core#562
Closed

Prevent connections to google domains on start-up #663

jumde opened this issue Jul 31, 2018 · 19 comments · Fixed by brave/brave-core#562

Comments

@jumde
Copy link
Contributor

@jumde jumde commented Jul 31, 2018

Test Plan

Please follow the test plan outlined under #663 (comment).

Original Reported Issue

Disabling connections to domains from gaia is tracked here: #527

These are not gaia domains

- clients2.google.com
- ssl.gstatic.com
  • accounts.google.com
@jumde jumde added the audit-release label Jul 31, 2018
@jumde jumde added this to Release channel blockers in Security & Privacy Jul 31, 2018
@diracdeltas

This comment has been minimized.

Copy link
Member

@diracdeltas diracdeltas commented Jul 31, 2018

i also see it trying to connect to gstatic over HTTP, maybe because i denied the HTTPS connection

@bbondy bbondy added this to the Releasable builds 0.55.x milestone Aug 10, 2018
@jumde

This comment has been minimized.

Copy link
Contributor Author

@jumde jumde commented Aug 16, 2018

No connections are made to the google domains on browser-laptop on startup

@simonhong simonhong self-assigned this Aug 20, 2018
@simonhong

This comment has been minimized.

Copy link
Collaborator

@simonhong simonhong commented Aug 20, 2018

What is gstatic.com - https://superuser.com/a/64724

@jumde

This comment has been minimized.

Copy link
Contributor Author

@jumde jumde commented Aug 20, 2018

Is there a resource that we need from gstatic at brave-core startup?

@bbondy bbondy added this to Security in 0.55.x - Release Sep 9, 2018
@diracdeltas diracdeltas moved this from Release channel blockers to Beta channel ASAP in Security & Privacy Sep 27, 2018
@bbondy

This comment has been minimized.

Copy link
Member

@bbondy bbondy commented Sep 28, 2018

clients2.google.com is used for updates for extensions we don't support.
One extension is PDFJS which automatically gets installed.
So I think that one is expected.

@jumde could you update comment 0 if you agree that client2.google.com should be removed, and then also could you give the full URL for the request to ssl.gstatic.com?

@jumde

This comment has been minimized.

Copy link
Contributor Author

@jumde jumde commented Sep 28, 2018

@bbondy - Could we proxy requests to clients2.google.com?

Here are the details for the gstatic url:

screen shot 2018-09-28 at 11 38 41 am

@jumde

This comment has been minimized.

Copy link
Contributor Author

@jumde jumde commented Sep 28, 2018

On Brave-Browser-Beta I'm seeing additional requests to google domains, are these expected?

screen shot 2018-09-28 at 11 50 22 am

@bbondy

This comment has been minimized.

Copy link
Member

@bbondy bbondy commented Sep 29, 2018

@bbondy - Could we proxy requests to clients2.google.com?

If we have a proxy setup, you can give me the new urls and I can send requests there instead.

@bbondy bbondy moved this from Beta channel ASAP to Release channel blockers in Security & Privacy Oct 1, 2018
@NejcZdovc

This comment has been minimized.

Copy link
Member

@NejcZdovc NejcZdovc commented Oct 3, 2018

reopening, because probably it was closed by mistake with a commit, where PR is open

@NejcZdovc NejcZdovc reopened this Oct 3, 2018
@simonhong simonhong removed their assignment Oct 4, 2018
bbondy added a commit to brave/brave-core that referenced this issue Oct 4, 2018
…ated UI in preferences (#562)

* disable translation service, disable TranslateURLFetcher, hide associated UI in preferences

Fix brave/brave-browser#663

* use comments

* unit test
bbondy added a commit to brave/brave-core that referenced this issue Oct 4, 2018
…ated UI in preferences (#562)

* disable translation service, disable TranslateURLFetcher, hide associated UI in preferences

Fix brave/brave-browser#663

* use comments

* unit test
bbondy added a commit to brave/brave-core that referenced this issue Oct 4, 2018
…ated UI in preferences (#562)

* disable translation service, disable TranslateURLFetcher, hide associated UI in preferences

Fix brave/brave-browser#663

* use comments

* unit test
@bbondy bbondy removed this from Security in 0.55.x - Release Oct 4, 2018
@kjozwiak

This comment has been minimized.

Copy link
Member

@kjozwiak kjozwiak commented Oct 9, 2018

@bbondy @jumde if there's something particular that QA should be verifying in this issue, can you please add some test cases and add the "QA/Yes" label. If there's nothing that needs checking/verifying, please label this as QA/No. Thanks!

@jumde

This comment has been minimized.

Copy link
Contributor Author

@jumde jumde commented Oct 9, 2018

@kjozwiak - Issue for proxying requests for clients2.google.com through a brave proxy is logged here: brave/devops#320

Test Plan

  1. Open Brave with a new profile.
  2. Navigate to different settings page, tor-window, guest window
  3. Using Little Snitch/Fiddler/netstat confirm that Brave is not connecting to any google domains except clients2.google.com
@kjozwiak

This comment has been minimized.

Copy link
Member

@kjozwiak kjozwiak commented Oct 9, 2018

Awesome, thanks @jumde! 👍

@jumde

This comment has been minimized.

Copy link
Contributor Author

@jumde jumde commented Oct 9, 2018

Charles proxy works well for Linux. Set up instructions - https://www.charlesproxy.com/documentation/installation/apt-repository/

@srirambv

This comment has been minimized.

Copy link
Collaborator

@srirambv srirambv commented Oct 16, 2018

Verification Passed on

Brave 0.55.14 Chromium: 70.0.3538.54 (Official Build) beta(64-bit)
Revision 4f8e578b6680574714e9ed3bb9f02922b4dde40d-refs/branch-heads/3538@{#937}
OS Linux
  • Verified steps from #663 (comment) for Normal/Private/Guest/Tor windows
  • image

Verified passed with:

Brave 0.55.14 Chromium: 70.0.3538.54 (Official Build) beta(64-bit)
Revision 4f8e578b6680574714e9ed3bb9f02922b4dde40d-refs/branch-heads/3538@{#937}
OS Mac OS X

*Verified Normal, Private, Guest, and Tor windows
screen shot 2018-10-16 at 3 17 56 pm

Verification passed on

Brave 0.55.14 Chromium: 70.0.3538.54 (Official Build) beta(64-bit)
Revision 4f8e578b6680574714e9ed3bb9f02922b4dde40d-refs/branch-heads/3538@{#937}
OS Windows 7

*Verified Normal, Private, Guest, and Tor windows using Fiddler

@diracdeltas

This comment has been minimized.

Copy link
Member

@diracdeltas diracdeltas commented Oct 17, 2018

I verified this using net-internals on 0.55.16 and found some residual google connections on startup, so am reopening:

https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/translate_ranker_20180123.model, https://clients1.google.com/tbproxy/af/query?, https://ssl.gstatic.com/safebrowsing/csd/client_model_v5_variation_0.pb, https://www.gstatic.com/chrome/config/plugins_3/plugins_mac.json, and https://www.googleapis.com/chromewebstore/v1.1/items/verify

@diracdeltas diracdeltas reopened this Oct 17, 2018
@diracdeltas

This comment has been minimized.

Copy link
Member

@diracdeltas diracdeltas commented Oct 17, 2018

So re-reading the history of this issue, I think what happened was PJ did verify there were still google domains unblocked (#663 (comment)), it was decided to address those in a follow-up issue using a proxy server (brave/devops#320), but the proxy issue wasn't marked as release/blocking for 0.55 so it didn't get started in time. :(

diracdeltas added a commit to diracdeltas/brave-core that referenced this issue Oct 17, 2018
needed for
brave/brave-browser#663 (comment)

PDFJS is not directly installed from CWS as of
brave/brave-core-crx-packager#29

marked WIP since my build is still going
@diracdeltas diracdeltas mentioned this issue Oct 17, 2018
6 of 18 tasks complete
@diracdeltas

This comment has been minimized.

Copy link
Member

@diracdeltas diracdeltas commented Oct 17, 2018

for future reference, chrome://net-internals is more useful than little snitch because it shows the request path and response code and works cross-platform

  1. download brave
  2. open it with these command line flags --log-net-log=/path/to/somefile.json --net-log-capture-mode=IncludeSocketBytes. for instance on my mac it's open /Applications/Brave\ Browser.app --args --log-net-log=/Users/yan/chromelog4.json --net-log-capture-mode=IncludeSocketBytes
  3. close brave, open brave, go to chrome://net-internals and pick the option to import the JSON file from step 2
  4. inspect requests that say URL_REQUEST and you can actually see what they are sent to

note requests that return 307 are not actually sent over the network

pilgrim-brave added a commit to brave/brave-core that referenced this issue Oct 18, 2018
@pilgrim-brave pilgrim-brave mentioned this issue Oct 18, 2018
0 of 18 tasks complete
@diracdeltas

This comment has been minimized.

diracdeltas added a commit to diracdeltas/brave-core that referenced this issue Oct 18, 2018
@bbondy bbondy added this to Security in 0.55.x - Release Oct 18, 2018
@diracdeltas

This comment has been minimized.

Copy link
Member

@diracdeltas diracdeltas commented Oct 18, 2018

verified except for #1715. tracking that in its own issue.

@bbondy bbondy removed this from Security in 0.55.x - Release Oct 18, 2018
@bbondy bbondy moved this from Release channel blockers to Completed in Security & Privacy Oct 30, 2018
@rebron rebron removed this from Completed in Security & Privacy Nov 12, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
9 participants
You can’t perform that action at this time.