Page MenuHomePhabricator

Readying for Tor Browser 9.5 (June 2)
Closed, ResolvedPublic

Description

A release candidate for next Tuesday's stable Tor Browser 9.5 has been announced on tor-qa. Some excerpts from the changelog:

  • Update Tor to 0.4.3.5
  • Bug 19251: Show improved error pages for onion service errors

(Depends on tor 0.4.3.x and needs an ExtendedErrors flag in torrc for the 9150 Socks ports)

  • Bug 30237: Control port module improvements for v3 client authentication

(Might be impossible to make this work with onion-grater while still isolating VMs)

https://blog.torproject.org/new-release-tor-browser-95

Details

Impact
Needs Triage

Event Timeline

rustybird created this task.
rustybird renamed this task from Readying for Tor Browser 9.5 (July 2) to Readying for Tor Browser 9.5 (June 2).May 29 2020, 6:59 PM
Patrick changed the task status from Open to testing-in-next-build-required.Jun 4 2020, 6:04 PM
Patrick claimed this task.
Patrick lowered the priority of this task from High to Normal.
Patrick added a project: Whonix 15.

Thanks!

Update Tor to 0.4.3.5

Done

Bug 19251: Show improved error pages for onion service errors

SocksPort option ExtendedErrors

This is now implemented:

https://gitlab.com/whonix/anon-gw-anonymizer-config/-/commit/d7f2e13ad0a2ca1e4a73ca3baa86c5069546b754

Bug 30237: Control port module improvements for v3 client authentication

onion_client_auth_add

Now implemented too.

https://gitlab.com/whonix/anon-gw-anonymizer-config/-/commit/97ff68a6c49ecef3e79ab10e1a930a4f5e13198d

( https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy )


This is now in Whonix developers repository.

Should this really be whitelisted by default? If you log into an onion service with Tor Browser on a particular VM, you're now suddenly logged into it on all other VMs too!

Good point!

Will undo, comment this out now.

//cc @HulaHoop

Maybe this is bound per connection similar to ephemeral Tor onion services? In that case, other VMs couldn't re-use it.

Maybe this is bound per connection similar to ephemeral Tor onion services?

I'm not familiar with how connections are bound for ephemeral services, but no - you can definitely login across VMs.

onion_client_auth_add Flags=Permanent fails with 553 Unable to store creds for


onion-grater-add onion_authentication

onion-grater-remove onion_authentication

...but that is incomplete.

onion_client_auth_add part is "contributor required".

Making that work would require extensive modifications. Started here but unlikely to finish anytime soon:
https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy#onion_client_auth_add

Tor Browser currently gets confused by onion-grater. When providing the onion service authentication key, Tor Browser does not even ask Tor ControlPort. (Does not show up in onion-grater.) It works with onion-grater --complain (pasthrough without filtering) mode.

We'd need to make Tor Circuit View visible inside Whonix-Workstation but filter the actual relay fingerprints / IPs. All Tor Browser control protocol commands should be processed but relayed back to the workstation redacted.

Requires RegEx knowledge which isn't a strong skill of mine.

RegEx contributor required:

https://www.whonix.org/wiki/Contribute#Regular_Expression_RegEx

What Tor related apps are broken without support for this?

Tor Browser onion authentication prompt:
https://blog.torproject.org/sites/default/files/inline-images/onion-auth%402x.png

Perhaps ricochet, not that it matters currently.