Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Orbot warning in source interface #3215

Merged
merged 2 commits into from Apr 3, 2018
Merged

Add Orbot warning in source interface #3215

merged 2 commits into from Apr 3, 2018

Conversation

@emkll
Copy link
Contributor

@emkll emkll commented Apr 2, 2018

Status

Ready for review

Description of Changes

If a user accesses the Source interface with Orbot, a warning will appear informing them that the security and privacy properties of their browser and device may be affected, and recommend the use of the desktop version of Tor Browser.

Fixes #3186 .

Testing

  • If visiting with non-Tor browser, "It is recommended to use the Tor Browser ..." should be displayed.
  • If visiting with Tor browser in default configuration, "It is recommended to move the Security Slider to Safest ..." should be displayed.
  • If visiting with Orfox, "It is recommended you use the desktop version of Tor Browser ..." should be displayed.
  • The text displayed in the Orfox scenario should adequately convey the risks of using Orfox as opposed to its desktop counterpart.

Deployment

None

Checklist

If you made changes to the server application code:

  • Linting (make ci-lint) and tests (make -C securedrop test) pass in the development container
@emkll emkll requested a review from Apr 2, 2018
@emkll emkll requested review from heartsucker and redshiftzero as code owners Apr 2, 2018
@codecov-io
Copy link

@codecov-io codecov-io commented Apr 2, 2018

Codecov Report

Merging #3215 into develop will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff            @@
##           develop    #3215   +/-   ##
========================================
  Coverage    85.91%   85.91%           
========================================
  Files           34       34           
  Lines         2137     2137           
  Branches       235      235           
========================================
  Hits          1836     1836           
  Misses         247      247           
  Partials        54       54

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9880a30...ff5f311. Read the comment docs.

Copy link
Member

@redshiftzero redshiftzero left a comment

Thank you for implementing this @emkll - this is an important stopgap before an official Android version of Tor Browser is released. A few comments are inline


# Create new profile and driver with the orbot user agent for this test
profile = webdriver.FirefoxProfile()
profile.set_preference("general.useragent.override", orbotUserAgent)

This comment has been minimized.

warning_dismiss_button.click()

def warning_banner_is_hidden():
assert warning_banner.is_displayed() is False

This comment has been minimized.

@redshiftzero

redshiftzero Apr 3, 2018
Member

Since we're defining this function also in the above test, we may as well move it into a helper method warning_banner_is_hidden() and call it here and in the above test with self.warning_banner_is_hidden(). What do you think?

This comment has been minimized.

@emkll

emkll Apr 3, 2018
Author Contributor

Makes sense! Will fix

@@ -16,6 +16,7 @@
<body>
<div class="js-warning warning">{{ gettext('<strong>It is recommended to move the Security Slider to Safest to protect your anonymity:</strong> <a id="disable-js" href="">Learn how to set it to Safest</a>, or ignore this warning to continue.') }} <img id="js-warning-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div>
<div class="use-tor-browser warning">{{ gettext('<strong>It is recommended to use the Tor Browser to access SecureDrop:</strong> <a id="recommend-tor" href="{tor_browser_url}">Learn how to install it</a>, or ignore this warning to continue.').format(tor_browser_url=url_for('info.recommend_tor_browser')) }} <img id="use-tor-browser-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div>
<div class="orfox-browser warning">{{ gettext('<strong>It is recommended you use the desktop version of Tor Browser to access SecureDrop, as Orfox does not provide the same level of security and anonymity as the desktop versions.</strong> <a id="recommend-tor" href="{tor_browser_url}">Learn how to install it</a>, or ignore this warning to continue.').format(tor_browser_url=url_for('info.recommend_tor_browser')) }} <img id="orfox-browser-close" src="{{ url_for('static', filename='i/font-awesome/times-white.png') }}" width="12px" height="12px"></div>

This comment has been minimized.

@redshiftzero

redshiftzero Apr 3, 2018
Member

Looks great!

screen shot 2018-04-02 at 4 59 36 pm

@@ -1,4 +1,5 @@
var TBB_UA_REGEX = /Mozilla\/5\.0 \(Windows NT 6\.1; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/;
var ORFOX_UA_REGEX = /Mozilla\/5\.0 \(Android; Mobile; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/;

This comment has been minimized.

@redshiftzero

redshiftzero Apr 3, 2018
Member

Question: is this the version of UA in latest Orfox? It looks like they updated the way the UA is formed (to match the latest Firefox for Android ESR), i.e. instead of a string like:

Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0

it's now a string like:

Mozilla/5.0 (Android 7.1.1; Mobile; rv:52.0) Gecko/52.0 Firefox/52.0

where the only variable parts of the new UA I believe are 7.1.1 (the Android version) and 52.0 (the ESR version). See Tor Check making a similar change here to update how they detect Orfox.

This comment has been minimized.

@emkll

emkll Apr 3, 2018
Author Contributor

Yes, I have the latest version from the Play Store, which corresponds to the latest release on GitHub. The current regex seems to be inline with the link found in your link, here. I can't find any mention of the specific Android version (e.g.: 7.1.1, which sounds like a potentially significant metadata leak).

I enabled access logs locally for the source interface and observed the UAS for Orfox. I am using: version Fennec-52.7.2esr/TorBrowser-7.5.2/Orfox-1.5.1-RC-1, the latest version available on the Play Store. The first access is with a desktop version of Tor Browser, the second set is with Orfox. This seems to match with the regexes found above. Let me know if I misunderstood.

127.0.0.1 - - [03/Apr/2018:15:43:24 +0000] "GET / HTTP/1.1" 200 2159 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/css/source.css HTTP/1.1" 200 12562 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/gen/source.js?5806f9e5 HTTP/1.1" 200 30565 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:26 +0000] "GET /static/i/favicon.png HTTP/1.1" 200 2458 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/times-white.png HTTP/1.1" 200 3348 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/cloud-upload-blue.png HTTP/1.1" 200 4430 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/logo.png HTTP/1.1" 200 44649 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/cloud-upload-white.png HTTP/1.1" 200 3160 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/fa-globe-black.png HTTP/1.1" 404 2306 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/comments-blue.png HTTP/1.1" 200 5093 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/font-awesome/comments-white.png HTTP/1.1" 200 3493 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:43:27 +0000] "GET /static/i/toronion.png HTTP/1.1" 200 5941 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:22 +0000] "GET / HTTP/1.1" 200 2159 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:24 +0000] "GET /static/css/source.css HTTP/1.1" 200 12562 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:24 +0000] "GET /static/gen/source.js?5806f9e5 HTTP/1.1" 200 30565 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:31 +0000] "GET /static/i/toronion.png HTTP/1.1" 200 5942 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/cloud-upload-white.png HTTP/1.1" 200 3160 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/cloud-upload-blue.png HTTP/1.1" 200 4430 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/comments-white.png HTTP/1.1" 200 3493 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/times-white.png HTTP/1.1" 200 3348 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/comments-blue.png HTTP/1.1" 200 5093 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/font-awesome/fa-globe-black.png HTTP/1.1" 404 2306 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [03/Apr/2018:15:45:32 +0000] "GET /static/i/logo.png HTTP/1.1" 200 44649 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"

This comment has been minimized.

@redshiftzero

redshiftzero Apr 3, 2018
Member

Great, thank you for this careful testing 👍

emkll added 2 commits Mar 29, 2018
- If a user agent matching Orbot accesses the Source interface, a warning will appear informing them that the security and privacy of their browser and device may be affected, and recommend the use of the desktop version of Tor Browser.
- Add functional test which creates a new profile to set the browser's user agent.
Used in the functional test scenarios for Tor browser and Orbot warnning banner functionality on the source interface.
@emkll emkll force-pushed the 3159_orbot_message branch from cc17976 to ff5f311 Apr 3, 2018
@@ -1,4 +1,5 @@
var TBB_UA_REGEX = /Mozilla\/5\.0 \(Windows NT 6\.1; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/;
var ORFOX_UA_REGEX = /Mozilla\/5\.0 \(Android; Mobile; rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/;

This comment has been minimized.

@redshiftzero

redshiftzero Apr 3, 2018
Member

Great, thank you for this careful testing 👍

@redshiftzero redshiftzero merged commit f4efa63 into develop Apr 3, 2018
4 checks passed
4 checks passed
ci/circleci: admin-tests Your tests passed on CircleCI!
Details
ci/circleci: lint Your tests passed on CircleCI!
Details
ci/circleci: staging-test-with-rebase Your tests passed on CircleCI!
Details
ci/circleci: tests Your tests passed on CircleCI!
Details
@redshiftzero redshiftzero deleted the 3159_orbot_message branch Apr 3, 2018
@redshiftzero redshiftzero added this to the 0.7 milestone Apr 24, 2018
@emkll emkll mentioned this pull request Apr 25, 2018
21 of 21 tasks complete
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants