
Readying for Tor Browser 9.5 (June 2)
Closed, Resolved, Public

Description

A release candidate for next Tuesday's stable Tor Browser 9.5 has been announced on tor-qa. Some excerpts from the changelog:

  • Update Tor to 0.4.3.5
  • Bug 19251: Show improved error pages for onion service errors

(Depends on tor 0.4.3.x and needs an ExtendedErrors flag in torrc for the 9150 Socks ports)

  • Bug 30237: Control port module improvements for v3 client authentication

(Might be impossible to make this work with onion-grater while still isolating VMs)

https://blog.torproject.org/new-release-tor-browser-95

Details

Impact
Needs Triage

Event Timeline

rustybird triaged this task as High priority. May 29 2020, 6:59 PM
rustybird created this task.
rustybird renamed this task from Readying for Tor Browser 9.5 (July 2) to Readying for Tor Browser 9.5 (June 2). May 29 2020, 6:59 PM
Patrick changed the task status from Open to testing-in-next-build-required. Thu, Jun 4, 6:04 PM
Patrick claimed this task.
Patrick lowered the priority of this task from High to Normal.
Patrick added a project: Whonix 15.

Thanks!

Update Tor to 0.4.3.5

Done

Bug 19251: Show improved error pages for onion service errors

SocksPort option ExtendedErrors

This is now implemented:

https://gitlab.com/whonix/anon-gw-anonymizer-config/-/commit/d7f2e13ad0a2ca1e4a73ca3baa86c5069546b754

Bug 30237: Control port module improvements for v3 client authentication

onion_client_auth_add

Now implemented too.

https://gitlab.com/whonix/anon-gw-anonymizer-config/-/commit/97ff68a6c49ecef3e79ab10e1a930a4f5e13198d

( https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy )


This is now in Whonix developers repository.

Should this really be whitelisted by default? If you log into an onion service with Tor Browser on a particular VM, you're now suddenly logged into it on all other VMs too!

Good point!

Will undo, comment this out now.

//cc @HulaHoop

Maybe this is bound per connection similar to ephemeral Tor onion services? In that case, other VMs couldn't re-use it.

Patrick updated the task description. Thu, Jun 4, 6:52 PM

Maybe this is bound per connection similar to ephemeral Tor onion services?

I'm not familiar with how connections are bound for ephemeral services, but no - you can definitely log in across VMs.

Patrick closed this task as Resolved. Fri, Jun 5, 8:52 PM

onion_client_auth_add Flags=Permanent fails with 553 Unable to store creds for


onion-grater-add onion_authentication

onion-grater-remove onion_authentication

...but that is incomplete.

onion_client_auth_add part is "contributor required".

Making that work would require extensive modifications. Started here but unlikely to finish anytime soon:
https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy#onion_client_auth_add

Tor Browser currently gets confused by onion-grater. When providing the onion service authentication key, Tor Browser does not even ask the Tor ControlPort. (Does not show up in onion-grater.) It works with onion-grater --complain (passthrough without filtering) mode.

We'd need to make Tor Circuit View visible inside Whonix-Workstation but filter the actual relay fingerprints / IPs. All Tor Browser control protocol commands should be processed but relayed back to the workstation redacted.

Requires RegEx knowledge which isn't a strong skill of mine.

RegEx contributor required:

https://www.whonix.org/wiki/Contribute#Regular_Expression_RegEx

What Tor related apps are broken without support for this?

Tor Browser onion authentication prompt:
https://blog.torproject.org/sites/default/files/inline-images/onion-auth%402x.png

Perhaps ricochet, not that it matters currently.
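
The redaction idea raised in the thread above (relaying circuit data to the workstation while filtering relay fingerprints and IPs) can be sketched as follows; this is an added example, not onion-grater code or anything from the Whonix repositories. The function names `redact_line` and `redact_reply` and the placeholder values are hypothetical, and the sample lines are constructed to follow the `$fingerprint~nickname` relay references and `r`/`a` router-status lines of the Tor control protocol.

```python
import re

# Relay reference as used in CIRC events and circuit-status replies:
# "$" + 40 hex digits, optionally followed by "~nickname" or "=nickname".
RELAY_REF = re.compile(r"\$[0-9A-Fa-f]{40}(?:[~=][A-Za-z0-9]{1,19})?")
# Router status "r" line from GETINFO ns/... replies:
# r <nick> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
R_LINE = re.compile(r"^r \S+ \S+ \S+ (\S+ \S+) \S+ \d+ \d+$")
# Additional address "a" line, e.g. "a [2001:db8::1]:9001".
A_LINE = re.compile(r"^a \S+$")

MASK_REF = "$" + "0" * 40 + "~redacted"  # hypothetical placeholder relay
MASK_B64 = "A" * 27  # same length as an unpadded base64 SHA-1 digest


def redact_line(line: str) -> str:
    """Mask relay identity and address data in one control-protocol line."""
    m = R_LINE.match(line)
    if m:
        # Keep only the publication timestamp; nickname, keys, IP, ports go.
        return f"r redacted {MASK_B64} {MASK_B64} {m.group(1)} 0.0.0.0 0 0"
    if A_LINE.match(line):
        return "a [::]:0"
    # Other lines: mask relay references only, so stream targets stay intact.
    return RELAY_REF.sub(MASK_REF, line)


def redact_reply(reply: str) -> str:
    """Redact every line of a reply while keeping its CRLF framing."""
    return "\r\n".join(redact_line(part) for part in reply.split("\r\n"))


# Constructed sample input (not captured from a real Tor instance).
FP_A = "A1" * 20
FP_B = "B2" * 20
SAMPLE = (
    f"650 CIRC 7 BUILT ${FP_A}~guardA,${FP_B}=midB PURPOSE=GENERAL\r\n"
    f"r guardA {'I' * 27} {'D' * 27} 2020-06-01 12:00:00 198.51.100.4 9001 0\r\n"
    "a [2001:db8::1]:9001\r\n"
    "s Fast Guard Running\r\n"
    "650 STREAM 12 SUCCEEDED 7 203.0.113.7:443\r\n"
)

if __name__ == "__main__":
    print(redact_reply(SAMPLE))
```

Whether Tor Browser's circuit display accepts placeholder relays like these is untested here, and a `ns/id/<fingerprint>` reply header echoes the requested fingerprint without a `$`, which this sketch does not rewrite.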