[tbb-bugs] #22966 [Applications/Tor Browser]: Nasty MitM possibility with the Firefox blocklist service
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 18 18:29:07 UTC 2017
#22966: Nasty MitM possibility with the Firefox blocklist service
------------------------------------------+----------------------
Reporter: basvd | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
Once a day the Firefox/Tor browser will make a call to the Firefox blocklist
service. The URL of this endpoint is (extensions.blocklist.url):
{{{
https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
}}}
Example:
{{{
https://blocklist.addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/52.2.0/Firefox/20170202030101/WINNT_x86-gcc3/en-US/release/Windows_NT%2010.0/default/default/34/34/1/
}}}
'''1) The browser suppresses bad certificate errors on this URL'''
The Firefox blocklist service suppresses bad certificate errors while
downloading the blocklist.xml. In this way it is quite easy to set up a
MitM attack and remove revoked certificates from the blocklist.xml.
Proof of concept:
* Run a webserver listening to https://blocklists.settings.services.mozilla.com
* Create a fake blocklist XML (/v1/blocklist/etc...)
* Add 12.34.56.78 blocklists.settings.services.mozilla.com to your hosts file
* Reset app.update.lastUpdateTime.blocklist-background-update-timer and
change extensions.blocklist.interval
* Wait until Tor calls this blocklist service.
* Check the blocklist.xml inside the Tor installation folder
'''2) Mozilla is able to see Tor user specific information:'''
There is a lot of OS/platform/browser specific information in the URL.
So Mozilla has a lot of statistics about Tor browser usage. Not
necessary IMHO.
APP_ID
APP_VERSION
PRODUCT
VERSION
BUILD_ID
BUILD_TARGET
OS_VERSION
LOCALE
CHANNEL
PLATFORM_VERSION
DISTRIBUTION
DISTRIBUTION_VERSION
PING_COUNT
TOTAL_PING_COUNT
DAYS_SINCE_LAST_PING
The TOTAL_PING_COUNT (stored in extensions.blocklist.pingCountTotal) is
also interesting, because this number increments every time you start the
Tor browser (note: once a day). As you can see, the number in the URL
above is 34, which means that the Tor browser was started at least 34
times/days.
'''Technical info:'''
source code: [https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/nsBlocklistService.js#627 XMLHttpRequest with BadCertHandler]
source code: [https://dxr.mozilla.org/mozilla-central/source/toolkit/modules/CertUtils.jsm#173 BadCertHandler]:
{{{
/**
 * This class implements nsIBadCertListener. Its job is to prevent "bad cert"
 * security dialogs from being shown to the user. It is better to simply fail
 * if the certificate is bad. See bug 304286. <-- :-|
 */
}}}
Another URL with sensitive data is extensions.update.background.url:
{{{
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID%&version=%ITEM_VERSION%&maxAppVersion=%ITEM_MAXAPPVERSION%&status=%ITEM_STATUS%&appID=%APP_ID%&appVersion=%APP_VERSION%&appOS=%APP_OS%&appABI=%APP_ABI%&locale=%APP_LOCALE%&currentAppVersion=%CURRENT_APP_VERSION%&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%
}}}
'''Related Bugzilla tickets:'''
* [https://bugzilla.mozilla.org/show_bug.cgi?id=366191 Something tries to MITM Firefox's automatic connection to addons.mozilla.org, resulting in an annoying expired-certificate dialog]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=304286 Certificate failures during automatic check for updates should not give user choice to connect anyway]
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22966>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
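The second point of the ticket (the amount of identifying information in the blocklist URL) can be made concrete with a small script. The following is an added example, written for this page; it is not code from the ticket, from Mozilla or from Tor Browser. It expands the placeholder template into the request URL the way the ticket's example shows, lists which placeholders expose OS, build, locale and usage details, parses a captured ping URL back into its fields (what a proxy-log reviewer would do to see what leaked), and builds a minimized template that keeps only the application id, version and product. The template host and the sample values are taken from the ticket's example URL; the choice of which fields count as non-identifying, and the function names, are assumptions made for this example.

```javascript
// Added example (not from the ticket, Mozilla or Tor Browser): what a blocklist
// ping URL reveals, and what a minimized template would send instead.

// Template with the placeholder layout shown in the ticket (old addons host).
const BLOCKLIST_TEMPLATE =
  "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/" +
  "%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/" +
  "%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/";

// Constructed profile values; they match the example URL quoted in the ticket.
const SAMPLE_PROFILE = {
  APP_ID: "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}",
  APP_VERSION: "52.2.0",
  PRODUCT: "Firefox",
  BUILD_ID: "20170202030101",
  BUILD_TARGET: "WINNT_x86-gcc3",
  LOCALE: "en-US",
  CHANNEL: "release",
  OS_VERSION: "Windows_NT 10.0",
  DISTRIBUTION: "default",
  DISTRIBUTION_VERSION: "default",
  PING_COUNT: "34",
  TOTAL_PING_COUNT: "34",
  DAYS_SINCE_LAST_PING: "1",
};

// Assumption for this example: these fields say nothing beyond "some browser of
// this version", so a minimized ping may keep them. Everything else identifies.
const NON_IDENTIFYING = new Set(["APP_ID", "APP_VERSION", "PRODUCT"]);

// Every %NAME% placeholder in a template, in path order.
function placeholders(template) {
  return Array.from(template.matchAll(/%([A-Z_]+)%/g), (m) => m[1]);
}

// Substitute placeholders with percent-encoded values, which is why the braces
// of APP_ID become %7B/%7D and the space in OS_VERSION becomes %20 in the ticket's
// example. Placeholders without a value are left untouched.
function expandTemplate(template, values) {
  return template.replace(/%([A-Z_]+)%/g, (whole, name) =>
    name in values ? encodeURIComponent(values[name]) : whole);
}

// Placeholders that carry OS/build/locale/usage details: the fingerprint surface.
function identifyingFields(template) {
  return placeholders(template).filter((name) => !NON_IDENTIFYING.has(name));
}

// Reverse of expandTemplate: align a captured ping URL with the template segment
// by segment and decode the values, so a log reviewer can see what was sent.
function parseBlocklistPing(template, url) {
  const tmplSegs = template.split("/");
  const urlSegs = url.split("/");
  if (tmplSegs.length !== urlSegs.length) {
    throw new Error("URL does not match the template layout");
  }
  const fields = {};
  tmplSegs.forEach((seg, i) => {
    const m = /^%([A-Z_]+)%$/.exec(seg);
    if (m !== null) fields[m[1]] = decodeURIComponent(urlSegs[i]);
  });
  return fields;
}

// Drop every path segment whose placeholder is not allowed, giving a template
// that no longer sends OS version, locale, build id or ping counters.
function minimizeTemplate(template, allowed = NON_IDENTIFYING) {
  return template
    .split("/")
    .filter((seg) => {
      const m = /^%([A-Z_]+)%$/.exec(seg);
      return m === null || allowed.has(m[1]);
    })
    .join("/");
}

// Usage: show the full ping, the leaked fields, and the minimized template.
const fullPing = expandTemplate(BLOCKLIST_TEMPLATE, SAMPLE_PROFILE);
console.log("sent:       ", fullPing);
console.log("identifying:", identifyingFields(BLOCKLIST_TEMPLATE).join(", "));
console.log("parsed:     ", parseBlocklistPing(BLOCKLIST_TEMPLATE, fullPing));
console.log("minimized:  ", minimizeTemplate(BLOCKLIST_TEMPLATE));
```

Running it prints the same URL the ticket quotes, shows that ten of the thirteen placeholders carry identifying data (including the TOTAL_PING_COUNT of 34 the ticket points out), and prints a template that ends after `%PRODUCT%/`, which is the shape a privacy-preserving pref value would take.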