Facebook TorHS doesn't work over Tor2web

[fpietrosanti]

It seems that Facebook TorHS facebookcorewwwi.onion is not working over Tor2web.

Some random dirty redirect things happens, that's probably due to the fact that Facebook is the first ever TorHS that works over https.

Tor2web should detect the redirect from http://facebookcorewwwi.onion to https://facebookcorewwwi.onion and connect accordingly over TLS .

[glamrock]

True, but I can't think of a use-case where they'd need to use Tor2web for a website that is already available as a clearnet website.

[fpietrosanti]

@glamrock @wowaname Yeah, they probably would better place a landing page if accessed over Tor2web that explain the possibility to acces over .onion or directly on https://facebook.com .
I'm having an email exchange about that with Alec, the FB's tech lead for their .onion project.

Btw there is a bug in Tor2web preventing access to "https" resources on .onion, so this will need to be fixed anyhow

[juhanurmi]

Hi dudes,

I looked the code and the problem might be generally with all HTTP 302 redirects.

Simple test:

$ curl -A "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3" -i --insecure --cookie "disclaimer_accepted=true" https://msydqstlz2kzerdg.tor2web.fi/
HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Thu, 13 Nov 2014 06:34:57 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Location: https://zxjfcvfvhqfqsrpz.tor2web.fi/search/
Server: Apache/2.2.22 (Debian)

In this case it should work similarly to:

$ curl -i http://msydqstlz2kzerdg.onion/
HTTP/1.1 302 FOUND
Date: Thu, 13 Nov 2014 06:36:41 GMT
Server: Apache/2.2.22 (Debian)
Location: http://msydqstlz2kzerdg.onion/search/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html; charset=utf-8

Furthermore, why zxjfcvfvhqfqsrpz? Tor2web is selecting it from somewhere.

I tried to understand this problem by putting debug prints all over the t2w.py. I noticed that getRequestHostname seems to be returning this zxjfcvfvhqfqsrpz but I don't understand the underlying logic. There is some kind of redirect loop too; when I start Tor2web it is flooding debug prints that host is zxjfcvfvhqfqsrpz.

This bug need higher priority. I am willing to help.

[juhanurmi]

Even worse: Tor2web is kind of working and replacing URLs in the site with other domains URLs.

For example, https://skunksworkedp2cg.tor2web.fi/sites.html showed a list of URLs all pointing to https://zxjfcvfvhqfqsrpz.tor2web.fi/

I took down the Tor2web.fi. Obviously it is redirecting to users to wrong sites and we don't even understand how it is selecting the site.

As said, this bug needs higher priority and I am willing to help.

[evilaliv3]

ok the bug related to wrong url rewirting should be fixed. @juhanurmi can you please confirm it?

[juhanurmi]

Yes, excellent work. The bug is fixed. Thank you @evilaliv3 !

[evilaliv3]

here we go! my testing environment is working! https://facebookcorewwwi.tor2web.gov:8443/

as i've switched to txsocksx i've to see how to deal with adding txsocksx two patchs:

1. one for supporting optimistic data
2. one for supporting our custom Tor error codes

[evilaliv3]

@alecmuffett: we are ready to spawn a tor2web package that will permit HTTPS hidden services to be accessed onto tor2web, and so also facebook. when do you plan to apply the block? let's coordinate with the public announcement!

[evilaliv3]

as already discussed with @hellais finally i've decided to not use txsocksx and to rip a little wrapping class from txsocks in order to have the following wrapping SOCKS(TLS(HTTPClient)) for TLS Connection. the reason is that our current socks implementation is a little more optimized for tor2web and includes Tor custom errors handling and support for optimistic data.

in order to close the ticket as suggested by @hellais i'm going to implement a TOFU cache on SSL certificates in order to betterly protect users.

[evilaliv3]

with commit a66c19a i've implemented a configurable TOFU cache reasonably set to 100 certificates by default config.

[evilaliv3]

facebook is applyinh the Tor2web specific block!

going to release th HTTPS version of tor2web and preparing for the announcement!

[juhanurmi]

It would be great if Facebook would just redirect Tor2web users to facebook.com instead of this block feature.

[alecmuffett]

Hi Juha,

We may improve the block page in future - eg: make it more attractive,
internationalised, etc; regarding the "no link" my thinking was that if
someone has arrived at facebookcorewwwi.tor2web.org and been told that
doing so is "secure" then there is a distinct error in play. Providing a
link - perhaps a potentially spoofable link - to the ".com" site might
not be what the user actually needs. Perhaps they intended (even, need?)
to go to the Onion.

As such I thought it was wisest to leave the matter to the user's
discretion to resolve.

[evilaliv3]

as the release 3.1.30 is out and things seem to work we can consider this ticket closed :)

cheers lovely people!

https://lists.torproject.org/pipermail/tor-talk/2014-November/035742.html