Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:  closed
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201808 |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor8
-+-
Changes (by gk):

 * sponsor:  Sponsor4 => Sponsor8


Comment:

 This started out as a potential Sponsor4 item but is actually Sponsor8.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:  closed
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201808 |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-
Changes (by sysrqb):

 * status:  reopened => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:36 traumschule]:
 > a user in #tor-mobile reported #27822 so i reopen this and remove the
 closed parent

 Thanks traumschule. I'd prefer opening a new ticket for this.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  reopened
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201808 |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-
Changes (by traumschule):

 * status:  closed => reopened
 * resolution:  fixed =>
 * parent:  #26531 =>


Comment:

 a user in #tor-mobile reported #27822 so i reopen this and remove the
 closed parent

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:  closed
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201808 |
Parent ID:  #26531   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by towiw):

 @sysrqb: I tested it and I can confirm that it does not leak DNS anymore.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:  closed
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201808 |
Parent ID:  #26531   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-
Changes (by gk):

 * status:  accepted => closed
 * resolution:   => fixed


Comment:

 We are done here, thanks for the nice work done, sysrqb!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201807 |
Parent ID:  #26531   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by sysrqb):

 Replying to [comment:29 toproxy]:
 > Tor browser for Android compiled from esr60.1 branch in
 [https://git.torproject.org/user/sysrqb/tor-browser.git sysrqb's Tor
 browser repository] is leaking domains of visited websites. Orfox has the
 same proxy config values as TBA but Orfox does not leak DNS. So I've
 decided to test Firefox 52 and found that Firefox 52 leaks DNS just like
 TBA based on esr60. Were not all Orfox patches added to TBA?
 >
 >
 > It appears that this proxy-bypass happens after websites are completely
 loaded. And another thing to note is DNS requests for resources within
 websites are not leaked but that's not always the case.

 Hrm. I think that may be an old build. I'll upload a new one, and I hope
 you can test that and confirm it does not leak.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201807 |
Parent ID:  #26531   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by sysrqb):

 Replying to [comment:28 n8fr8]:
 > I thought @amoghbl had found and patched all of these cases. We
 definitely focused on checking for DNS leaks in the past, using a variety
 of web based DNS leak test tools.
 >
 > The goal has been to directly proxy everything using HTTP and SOCKs, and
 not rely on the Android OS proxy subsystems at all, since they are not
 reliable, especially on WAN networks.
 >
 > This is also all related to the fact that there are 3 different HTTP
 packages in use within Fennec, making standardized proxying hard.

 I agree. There were a lot of conflicts when I was applying the proxy-safe
 Orfox patches, so I did a lot of patching by hand. I wanted to be sure we
 didn't miss any new instances of proxy-bypass, so auditing the current
 code seemed like a good idea.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201807 |
Parent ID:  #26531   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by sysrqb):

 Replying to [comment:26 gk]:
 > Replying to [comment:24 sysrqb]:
 > > In addition, I went down the rabbit hole: "What does Android *do* when
 you ask it to establish a connection using a proxy". The result of this
 long and windy path is "it seems safe", but only when the Java/Dalvik/ART
 VM uses the default AOSP configuration.
 > >
 > > I'll attempt succinctly explaining proxy safety on Android here, but
 we should seriously consider using Necko for all networking calls in the
 future (which means exposing necko via jni). I believe GeckoView is
 already considering this - but how hard could it be? :)
 >
 > Yes, please. Do you have a ticket for GeckoView tracking this work? I
 looked a bit around but did not find anything.

 No, I dont, I'll ask the devs if they have an open bugzilla ticket.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201807 |
Parent ID:  #26531   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by toproxy):

 Tor browser for Android compiled from esr60.1 branch in
 [https://git.torproject.org/user/sysrqb/tor-browser.git sysrqb's Tor
 browser repository] is leaking domains of visited websites. Orfox has the
 same proxy config values as TBA but Orfox does not leak DNS. So I've
 decided to test Firefox 52 and found that Firefox 52 leaks DNS just like
 TBA based on esr60. Were not all Orfox patches added to TBA?


 It appears that this proxy-bypass happens after websites are completely
 loaded. And another thing to note is DNS requests for resources within
 websites are not leaked but that's not always the case.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201807 |
Parent ID:  #26531   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by n8fr8):

 I thought @amoghbl had found and patched all of these cases. We definitely
 focused on checking for DNS leaks in the past, using a variety of web
 based DNS leak test tools.

 The goal has been to directly proxy everything using HTTP and SOCKs, and
 not rely on the Android OS proxy subsystems at all, since they are not
 reliable, especially on WAN networks.

 This is also all related to the fact that there are 3 different HTTP
 packages in use within Fennec, making standardized proxying hard.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201806 |
Parent ID:  #26531   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by gk):

 Replying to [comment:24 sysrqb]:
 > In addition, I went down the rabbit hole: "What does Android *do* when
 you ask it to establish a connection using a proxy". The result of this
 long and windy path is "it seems safe", but only when the Java/Dalvik/ART
 VM uses the default AOSP configuration.
 >
 > I'll attempt succinctly explaining proxy safety on Android here, but we
 should seriously consider using Necko for all networking calls in the
 future (which means exposing necko via jni). I believe GeckoView is
 already considering this - but how hard could it be? :)

 Yes, please. Do you have a ticket for GeckoView tracking this work? I
 looked a bit around but did not find anything.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201806 |
Parent ID:  #5709| Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by sysrqb):

 In addition, I went down the rabbit hole: "What does Android *do* when you
 ask it to establish a connection using a proxy". The result of this long
 and windy path is "it seems safe", but only when the Java/Dalvik/ART VM
 uses the default AOSP configuration.

 I'll attempt succinctly explaining proxy safety on Android here, but we
 should seriously consider using Necko for all networking calls in the
 future (which means exposing necko via jni). I believe GeckoView is
 already considering this - but how hard could it be? :)

 As an example, let's look at [[https://dxr.mozilla.org/mozilla-
 
esr60/source/mobile/android/base/java/org/mozilla/gecko/updater/UpdateService.java#388|Fennec's
 Updater download]] logic. Fennec uses the wrapper
 `org.mozilla.gecko.util.ProxySelector.openConnectionWithProxy(java.net.URI)`
 most places. This provides [[https://dxr.mozilla.org/mozilla-
 
esr60/source/mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/ProxySelector.java#31|a
 central location]] where Fennec decides if a connection should be
 establishing via a proxy or if the connection should be direct. When
 `openConnectionWithProxy()` is called, Fennec asks the Dalvik/Art system
 for the currently configured proxies. From the list of returned proxies,
 Fennec chooses the first one. (Unfortunately, it seems like Fennec doesn't
 configure a proxy, it must be configured somewhere else).

 `openConnectionWithProxy()` calls
 `java.net.URL::openConnection(java.net.Proxy)`. This is the entrance into
 the Android SDK.
 
[[https://developer.android.com/reference/java/net/URL.html#openConnection(java.net.Proxy)|openConnection()]]
 establishes the
 
[[https://android.googlesource.com/platform/libcore/+/master/ojluni/src/main/java/java/net/URL.java#1038|initial
 connection]] by passing the request onto another library. The protocol
 
[[https://android.googlesource.com/platform/libcore/+/master/ojluni/src/main/java/java/net/URL.java#226|handler]]
 is dynamically found when the URL object is
 
[[https://android.googlesource.com/platform/libcore/+/master/ojluni/src/main/java/java/net/URL.java#604|instantiated]]
 (and statically cached after that). It retrieves a list of protocol
 handlers from the
 
[[https://android.googlesource.com/platform/libcore/+/master/ojluni/src/main/java/java/net/URL.java#1190|system
 properties]]. This list may be
 
[[https://developer.android.com/reference/java/lang/System.html#getProperties()|empty]].
 If the list is empty, or the system doesn't have a handler for the
 specific protocol, then it checks a set of
 
[[https://android.googlesource.com/platform/libcore/+/master/ojluni/src/main/java/java/net/URL.java#1225|default
 handlers]]. For the sake of simplicity, let's assume we're requesting a
 connection using the `http` protocol. That protocol defaults to using
 
[[https://android.googlesource.com/platform/libcore/+/master/ojluni/src/main/java/java/net/URL.java#1286|com.android.okhttp.HttpHandler]].
 At this point, we go into the `okhttp` library with a call into its
 
[[https://android.googlesource.com/platform/libcore/+/master/ojluni/src/main/java/java/net/URL.java#1055|URLStreamHandler:openConnection()]]
 method. This brings us
 
[[https://android.googlesource.com/platform/external/okhttp/+/master/android/main/java/com/squareup/okhttp/HttpHandler.java#68|here]].

 The `HttpHandler` instantiates a helper `OkHttpClient` client which is
 responsible for the connection. The proxy is
 
[[https://android.googlesource.com/platform/external/okhttp/+/master/android/main/java/com/squareup/okhttp/HttpHandler.java#93|explicitly]]
 
[[https://android.googlesource.com/platform/external/okhttp/+/master/android/main/java/com/squareup/okhttp/HttpHandler.java#68|set]],
 as well. From here, the newly instantiated connection is returned down the
 stack. The requested connect is established when the caller requests the
 [[https://android.googlesource.com/platform/external/okhttp/+/master
 /okhttp-
 

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201806 |
Parent ID:  #5709| Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-

Comment (by sysrqb):

 (Oh, for completeness,
 `mobile/android/thirdparty/com/leanplum/internal/WebSocketClient.java` is
 problematic, too - but we should not include leanplum).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  sysrqb
 Type:  defect   | Status:
 |  accepted
 Priority:  Very High|  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-   |  Actual Points:
  proxy-bypass, TorBrowserTeam201806 |
Parent ID:  #5709| Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-
Changes (by sysrqb):

 * status:  new => accepted
 * owner:  tbb-team => sysrqb


Comment:

 Auditing the code for network connections. On my first pass I see Mozilla
 already plugged many proxy-bypass calls. Most of the remaining instances
 are within the Firefox Accounts code. The telemetry code and mozstumbler
 have bypass bugs, too. We don't use telemetry, so that should not be a
 problem, but we will plug this hole when we patch the FxA bug. We should
 exclude mozstumbler at compile-time.

 The main problem is in
 
`mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java`.
 After many layers, I believe the bypass happens in
 
`mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java`.
 In addition, both
 
`mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLConnectionSocketFactory.java`
 and
 
`mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLSocketFactory.java`
 leak. These should be solved in #22170.

 || File || Analysis ||
 ||
 
mobile/android/base/java/org/mozilla/gecko/telemetry/TelemetryUploadService.java
 || Proxy-bypass by  BaseResource ||
 ||
 
mobile/android/geckoview/src/thirdparty/java/com/google/android/exoplayer2/upstream/DefaultHttpDataSource.java
 || Proxy-bypass in makeConnection(), check UAS passed into constructor ||
 ||
 
mobile/android/geckoview/src/thirdparty/java/com/google/android/exoplayer2/upstream/UdpDataSource.java
 || Proxy-bypass, creates UDP socket ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/FxAccountClient20.java
 ||  Check FxAccount UserAgent, Check how now() is used, Proxy-bypass using
 BaseResource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/oauth/FxAccountOAuthClient10.java
 || Proxy-bypass using BaseResource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/profile/FxAccountProfileClient10.java
 || Proxy-bypass using BaseResource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/browserid/verifier/BrowserIDRemoteVerifierClient10.java
 || Proxy-bypass using BaseResource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/browserid/verifier/BrowserIDRemoteVerifierClient20.java
 || Proxy-bypass using BaseResource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/push/autopush/AutopushClient.java
 || Proxy-bypass using BaseResource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/MetaGlobal.java
 || Likely Proxy-bypass, Check SyncStorageRecordRequest ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageRecordRequest.java
 || Proxy-bypass via Resource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageRequest.java
 || Proxy-bypass via Resource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/TLSSocketFactory.java
 || Possible Proxy-bypass via
 ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.createSocket() ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/sync/repositories/downloaders/BatchingDownloader.java
 || Proxy-bypass via Resource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/sync/repositories/uploaders/RecordUploadRunnable.java
 || Proxy-bypass via Resource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/sync/stage/EnsureCrypto5KeysStage.java
 || Proxy-bypass via Resource ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/sync/stage/FetchInfoCollectionsStage.java
 || Likely Proxy-bypass ||
 ||
 
mobile/android/services/src/main/java/org/mozilla/gecko/tokenserver/TokenServerClient.java
 || Proxy-bypass via Resource ||
 ||
 
mobile/android/stumbler/java/org/mozilla/mozstumbler/service/utils/AbstractCommunicator.java
 || Proxy-bypass by URL.openConnection() ||

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android (was: Ensure proxy safety on Android when switching to ESR 52)

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must,|  Actual Points:
  TorBrowserTeam201803, tbb-proxy-bypass |
Parent ID:  #5709| Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-
Changes (by sysrqb):

 * keywords:  ff52-esr, tbb-mobile, tbb-7.0-must, TorBrowserTeam201803 =>
 tbb-mobile, tbb-7.0-must, TorBrowserTeam201803, tbb-proxy-bypass


Old description:

> Mike mentions in #21625:
> {{{
> Android stuff that definitely leaks that we should fix (missing proxy
> params to HttpUrlConnection - these need to use the buildHttpConnection
> helper to get a proxy):
>  * mobile/android/base/java/org/mozilla/gecko/feeds/FeedFetcher.java
>  *
> mobile/android/base/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java
>  *
> mobile/android/base/java/org/mozilla/gecko/search/SearchEngineManager.java
>  * mobile/android/thirdparty/com/keepsafe/switchboard/SwitchBoard.java
> }}}

New description:

 Mike mentions in #21625:
 {{{
 Android stuff that definitely leaks that we should fix (missing proxy
 params to HttpUrlConnection - these need to use the buildHttpConnection
 helper to get a proxy):
  * mobile/android/base/java/org/mozilla/gecko/feeds/FeedFetcher.java
  *
 mobile/android/base/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java
  *
 mobile/android/base/java/org/mozilla/gecko/search/SearchEngineManager.java
  * mobile/android/thirdparty/com/keepsafe/switchboard/SwitchBoard.java
 }}}

 Blocker of releasing TBA.

--

Comment:

 We're past ESR 52, this is for whatever release we choose (probably 60).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android when switching to ESR 52

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android when switching to ESR 52
-+-
 Reporter:  gk   |  Owner:  tbb-
 |  team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  ff52-esr, tbb-mobile, tbb-7.0-must,  |  Actual Points:
  TorBrowserTeam201802   |
Parent ID:  #19675   | Points:
 Reviewer:   |Sponsor:
 |  Sponsor4
-+-
Changes (by sysrqb):

 * parent:  19675 => #19675


Comment:

 This may be a dup of #22170 and maybe #19077, #19076. It may be smart
 making this a parent of those.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android when switching to ESR 52

[Tor Bug Tracker & Wiki]

#21863: Ensure proxy safety on Android when switching to ESR 52
-+-
 Reporter:  gk   |  Owner:  tbb-team
 Type:  defect   | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor |Version:
  Browser|   Keywords:  ff52-esr, tbb-mobile,
 Severity:  Normal   |  TorBrowserTeam201704, tbb-7.0-must
Actual Points:   |  Parent ID:
   Points:   |   Reviewer:
  Sponsor:  Sponsor4 |
-+-
 Mike mentions in #21625:
 {{{
 Android stuff that definitely leaks that we should fix (missing proxy
 params to HttpUrlConnection - these need to use the buildHttpConnection
 helper to get a proxy):
  * mobile/android/base/java/org/mozilla/gecko/feeds/FeedFetcher.java
  *
 mobile/android/base/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java
  *
 mobile/android/base/java/org/mozilla/gecko/search/SearchEngineManager.java
  * mobile/android/thirdparty/com/keepsafe/switchboard/SwitchBoard.java
 }}}

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs