icloud: Did Not Connect: Potential Security Issue [RFP bug: 1621729, 1618537]

[RupertEverton]

Browser: Firefox 93.0 Affected website: https://www.icloud.com/ Screenshot: https://i.ibb.co/ZXxBkRn/screenshot.png Error:

Did Not Connect: Potential Security Issue

Firefox detected a potential security threat and did not continue to idmsa.apple.com because this website requires a secure connection.

What can you do about it?

The issue is most likely with the website, and there is nothing you can do to resolve it.

If you are on a corporate network or using anti-virus software, you can reach out to the support teams for assistance. You can also notify the website’s administrator about the problem.

This error manifested only after implementing user.js I have tried setting the following parameters to false, without however resolving the issue:

user_pref("privacy.resistFingerprinting", false);
user_pref("privacy.resistFingerprinting.letterboxing", false);

Thank you in advance for your help.

[rusty-snake]

What's under Advanced…?

My guess goes to https://github.com/arkenfox/user.js/blob/85438d00e457bff692303af519da618c6372476b/user.js#L472-L616

Did you tested

https://github.com/arkenfox/user.js/blob/85438d00e457bff692303af519da618c6372476b/user.js#L606-L609

I get only a X-Frame-Options: deny error page. Maybe https://github.com/arkenfox/user.js/blob/85438d00e457bff692303af519da618c6372476b/user.js#L956-L959

[Thorin-Oakenpants]

its RFP's timing protections

Uncaught TypeError: can't access property "startTime", d[(d.length - 1)] is undefined

There's a bugzilla somewhere... https://bugzilla.mozilla.org/show_bug.cgi?id=1621729

[RupertEverton]

What's under Advanced…?

If I click on it, nothing happens.

https://bugzilla.mozilla.org/show_bug.cgi?id=1621729

Ah I see it's almost 2 years old. But why am I still unable to use iCloud after setting privacy.resistFingerprinting to false?

[RupertEverton]

https://github.com/arkenfox/user.js/blob/85438d00e457bff692303af519da618c6372476b/user.js#L606-L609

Did not help.

[Thorin-Oakenpants]

try the other two items rusty said - icloud is specifically listed under item 1601 and IDK about FPI, but if icloud uses some sort of cross-domain login flow (likely with apple.something) then FPI would also probably break logging in (IDK as I don't have an icloud account)

If you don;t want FPI, switch to dFPI (just as good), see #1080 and our override recipes. If 1601 breaks too much for you, change it. But that still doesn't solve the RFP issue. If only icloud is causing you grief, then perhaps just use that site in a secondary browser

[RupertEverton]

try the other two items rusty said

I changed the following parameters listed in the two portions suggested by rusty and got a different error:

user_pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
user_pref("privacy.firstparty.isolate", false);
user_pref("security.ssl.require_safe_negotiation", false);
user_pref("security.tls.enable_0rtt_data", false);
user_pref("security.OCSP.require", false);
user_pref("security.pki.sha1_enforcement_level", 0);
user_pref("security.cert_pinning.enforcement_level", 0);
user_pref("security.remote_settings.crlite_filters.enabled", false);
user_pref("security.mixed_content.block_display_content", false);
user_pref("browser.ssl_override_behavior", 0);
user_pref("browser.xul.error_pages.expert_bad_cert", false);

Firefox Can’t Open This Page

To protect your security, idmsa.apple.com will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.

Learn more…

Open Site in New Window

However, the new windows is just white and doesn't do anything.

If you don;t want FPI, switch to dFPI (just as good), see #1080 and our override recipes.

Which recipe should I follow?

If 1601 breaks too much for you, change it.

I changed user_pref("network.http.referer.XOriginPolicy", 2); to 0 (always) and the error persisted. Is there something I'm missing?

Thank you

[rusty-snake]

1. Do not use frame,redirect=click2load.html in uB (for that site)
2. Disable RFP (letterboxing don't care)
3. Set XOriginPolicy=0 (XOriginTrimmingPolicy don't care)

[Thorin-Oakenpants]

Don't change everything. How are you changing them? By directly changing the value in the user.js, or using OVERRIDES?

You just need to change one item at a time. Restart and retest. You do this by adding OVERRIDES - see the wiki page

rusty was only talking about TWO prefs (and RFP we know about)

// my overrides: make icloud work
user_pref("network.http.referer.XOriginPolicy", 0); // 1601
user_pref("privacy.firstparty.isolate", false); // 4001
user_pref("privacy.resistFingerprinting", false); // 4501

Replace your user.js with a new copy of user.js. Close Firefox, add the overrides above to the bottom of the user.js. Restart Firefox.

Personally, I would just use a secondary browser for icloud.

[RupertEverton]

1. Do not use `frame,redirect=click2load.html` in uB (for that site)

2. Disable RFP (letterboxing don't care)

3. Set XOriginPolicy=0 (XOriginTrimmingPolicy don't care)

1, I don't have uB. 2 and 3 done. Didn't work.

Don't change everything. How are you changing them? By directly changing the value in the user.js, or using OVERRIDES?

I added the values one by one to user-overrides.js and ran updater.sh to append. I never manually edited user.js

// my overrides: make icloud work
user_pref("network.http.referer.XOriginPolicy", 0); // 1601
user_pref("privacy.firstparty.isolate", false); // 4001
user_pref("privacy.resistFingerprinting", false); // 4501

Replace your user.js with a new copy of user.js. Close Firefox, add the overrides above to the bottom of the user.js. Restart Firefox.

I tried exactly that, it still does not work.

Personally, I would just use a secondary browser for icloud.

I might end up doing this if we can't find a solution.

Cheers

[Thorin-Oakenpants]

I tried exactly that, it still does not work.

Do you mean you can't even get to try logging in?

I might end up doing this if we can't find a solution

Well, you're not going to find a solution for RFP + iCloud as that would take a fix upstream at Mozilla: if that fix is feasible: they can't compromise timing mitigations. However, RFP is not everyone's cup of tea or threat model (do you hide your IP address?)

So I'll test and see what else is causing icloud to break. I'll use a vanilla profile, user.js with the above overrides and I'll also switch to dFPI. Then I'll troubleshoot it. Unless someone beats me too it

[RupertEverton]

Do you mean you can't even get to try logging in?

It's like at the beginning: the page loads, but instead of the login part I get the error (like in the initial screenshot: https://i.ibb.co/ZXxBkRn/screenshot.png).

So I'll test and see what else is causing icloud to break. I'll use a vanilla profile, user.js with the above overrides and I'll also switch to dFPI. Then I'll troubleshoot it. Unless someone beats me too it

Cheers, I appreciate it.

[Thorin-Oakenpants]

also see https://bugzilla.mozilla.org/show_bug.cgi?id=1618537 (but that's also RFP related)

[Thorin-Oakenpants]

@RupertEverton you must have fucked something up with your settings

In a brand new profile, in Firefox 93, I added the user.js

At the end of the user.js I added these

user_pref("network.http.referer.XOriginPolicy", 0);
user_pref("privacy.firstparty.isolate", false);
user_pref("privacy.resistFingerprinting", false);

Then I went to https://www.icloud.com/ and there were no errors and I am presented with the login form

[rusty-snake]

It even works with FPI.

And if I enable RFP or set XoriginPolicy=2 the error is a different one.

Maybe an extension? A security. or network. pref because of the error? Or snake oil?

Regarding the error, there must be someone to get the advanced message but IDK how.

[Thorin-Oakenpants]

that and the user.js might be a mess: sounds like the values (and lots of them) were edited instead of adding overrides at the end

@RupertEverton , if I were you I would

• replace your user.js with a new clean one
• with Firefox closed run prefsCleaner (place it in the same folder as your user.js, it's in the release download) so that everything is reset
• add the overrides to the user.js, and then start Firefox

@rusty-snake : did you log in with FPI? I don't have an account

[rusty-snake]

did you log in with FPI? I don't have an account

neither me

[crssi]

Well, you're not going to find a solution for RFP + iCloud as that would take a fix upstream at Mozilla: if that fix is feasible: they can't compromise timing mitigations. However, RFP is not everyone's cup of tea or threat model (do you hide your IP address?)

When someone does not hide IP... what benefits they get using RFP in the real world?

[rusty-snake]

security

https://github.com/arkenfox/user.js/blob/85438d00e457bff692303af519da618c6372476b/user.js#L987

---

You do not need hide your IP. But it must not be stable over a long time.

[RupertEverton]

that and the user.js might be a mess: sounds like the values (and lots of them) were edited instead of adding overrides at the end

No, like I said I added the values one by one to user-overrides.js and ran updater.sh to append. I never manually edited user.js

@RupertEverton , if I were you I would

* replace your user.js with a new clean one

* with Firefox closed run prefsCleaner (place it in the same folder as your user.js, it's in the release download) so that everything is reset

* add the overrides to the user.js, and then start Firefox

I tired all that on the existing profile and I still got an error. I then created a new profile, added user.js with the three edited parameters appended at the bottom but still got an error.

Could it be that the user agent doesn't match my system?

[Thorin-Oakenpants]

You do not need hide your IP. But it must not be stable over a long time.

A client JS fingerprint we can reduce or suck naive scripts in. Some passive FP we can deal to as well (like some headers). But IPs we can't - there's always going to be an endpoint - that's outside the realm of FF until they add a Tor Window Mode, i.e to achieve that level of IP protection will only come from protocols like Tor that are set up correctly: i.e random exit nodes per eTLD+1.

We are all giving away an IP. It can be collected as the IP address itself, and it makes up part of an overall fingerprint (client properties/active + passive + IP). And that IP can rendered into something more meaningful, or ignored. Such as TB users can be rendered to "Tor", your VPN can be rendered to "VPN Provider ABC", your real IP can be reduced to "AT&T Los Angeles" etc. A fingerprint is just a snapshot in time - it can be manipulated after collection to link traffic, and IP is simply one metric of many

Entropy of IP will vary: e.g. your ISP is small in some rural town vs living in the heart of New York - or your VPN only has a million users vs a VPN with 100 million ... whether your real IP is static/dynamic .. and there are lots of other variables to do with ISPs

Read https://bugzilla.mozilla.org/show_bug.cgi?id=1449732 and eka and tjr's comments. For the record, I've sat in on meetings with Tor Project people, and a presentation to eka, for steps needed to get a Tor Window Mode into Firefox, and there was even a prototype built

Ultimately, Mozilla knows that a proper 100% solution is not just RFP but also Tor. And that there are also many tools in the toolbag. Blocking known FPing scripts is one. Fooling naive ones is another. And with uBO you can control a lot of third parties etc. When you factor those into the equation - then a VPN makes sense, even without Tor.

[Thorin-Oakenpants]

Could it be that the user agent doesn't match my system?

Shouldn't be. You're not modifying it in any way. What is your userAgent? Do you mind confirming your OS and what Firefox version you're using?

I tired all that on the existing profile and I still got an error. I then created a new profile, added user.js with the three edited parameters appended at the bottom but still got an error.

What was the error? Was it in the console? What's in the console (ctrl-shift-K)

Otherwise, I'm scraping the barrel, so don't get mad: are you editing the right profile, is the user throwing errors, what does the parrot say in about:config (just search for "parrot" in about:config) - add a final line to the user.js. I assume, being a new profile there were no extensions. Do you have antivirus running?

user_pref("network.http.referer.XOriginPolicy", 0);
user_pref("privacy.firstparty.isolate", false);
user_pref("privacy.resistFingerprinting", false);
user_pref("_user.js.parrot", "PROFILE X: RUPERT OVERRIDES: SUCCESS");

Not all errors in user.js cause an abort: so you should also open the console after starting (ctrl-shift-J) and see if anything is in there

We can't replicate the issue, and need more details: otherwise we're stabbing in the dark

[Thorin-Oakenpants]

oh, and I forgot to mention that a masking your IP, e.g. VPN, also offers a degree of separation from the real you - it's not just about linking traffic / fingerprint - obviously factors include no logging (if your threat model calls for it: normally no-one cares about small fishies not breaking the law) and opsec - but it gives a degree of anonymity you otherwise can't get. That said, ISP would rarely get asked for log info either.

[crssi]

Thank you @Thorin-Oakenpants, love you.

[RupertEverton]

Could it be that the user agent doesn't match my system?

Shouldn't be. You're not modifying it in any way. What is your userAgent? Do you mind confirming your OS and what Firefox version you're using?

Firefox 93 on Linux -- the user agent is modified after implementing user.js to Windows NT (I haven't manually edited it)

I tired all that on the existing profile and I still got an error. I then created a new profile, added user.js with the three edited parameters appended at the bottom but still got an error.

What was the error? Was it in the console? What's in the console (ctrl-shift-K)

The error is a different one when inserting the three parameters, it still appears in the center of the page (where the login box is supposed to be):

Secure Connection Failed

An error occurred during a connection to idmsa.apple.com. The OCSP server experienced an internal error.

Error code: SEC_ERROR_OCSP_SERVER_ERROR

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Console shows the following:

Cookie “” has been rejected as third-party. cloudkit.js
Cookie “” has been rejected as third-party. authService.latest.min.js
Source map error: Error: JSON.parse: unexpected character at line 1 column 1 of the JSON data
Resource URL: https://cdn.apple-cloudkit.com/ck/2/cloudkit.js
Source Map URL: resources/cloudkit.js.map

Otherwise, I'm scraping the barrel, so don't get mad:

Not at all mate, actually thanks for all the help!

are you editing the right profile, is the user throwing errors, what does the parrot say in about:config (just search for "parrot" in about:config) - add a final line to the user.js. I assume, being a new profile there were no extensions. Do you have antivirus running?

user_pref("network.http.referer.XOriginPolicy", 0);
user_pref("privacy.firstparty.isolate", false);
user_pref("privacy.resistFingerprinting", false);
user_pref("_user.js.parrot", "PROFILE X: RUPERT OVERRIDES: SUCCESS");

I can confirm I'm editing the right profile. Parrot: PROFILE X: RUPERT OVERRIDES: SUCCESS And you're correct, new profile with no extensions - completely vanilla. No antivirus.

Not all errors in user.js cause an abort: so you should also open the console after starting (ctrl-shift-J) and see if anything is in there

We can't replicate the issue, and need more details: otherwise we're stabbing in the dark

Ctrl-shift-J shows the following on browser opening:

[Exception... "Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIAppStartup.secondsSinceLastOSRestart]"  nsresult: "0x80004001 (NS_ERROR_NOT_IMPLEMENTED)"  location: "JS frame :: resource:///modules/BrowserGlue.jsm :: _collectStartupConditionsTelemetry :: line 1624"  data: no] BrowserGlue.jsm:1624:9
    _collectStartupConditionsTelemetry resource:///modules/BrowserGlue.jsm:1624
    BG__onFirstWindowLoaded resource:///modules/BrowserGlue.jsm:1731
    BG_observe resource:///modules/BrowserGlue.jsm:1013
    _delayedStartup chrome://browser/content/browser.js:2115
    _delayedStartup self-hosted:1175

When I open icloud.com :

NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIWebNavigation.loadURI] 3 ViewSourceChild.jsm:146
    loadSourceFromURL resource://gre/actors/ViewSourceChild.jsm:146
    loadSource resource://gre/actors/ViewSourceChild.jsm:120
    viewSource resource://gre/actors/ViewSourceChild.jsm:67
    receiveMessage resource://gre/actors/ViewSourceChild.jsm:21

Status 421 Misdirected Request
Referrer Policy strict-origin-when-cross-origin
error | "Invalid or missing Origin header"

[rusty-snake]

Firefox 93 on Linux -- the user agent is modified after implementing user.js to Windows NT (I haven't manually edited it)

RFP which you need to disable anyway.

SEC_ERROR_OCSP_SERVER_ERROR

Now the question is why is the OCSP check failing for you? Obvious because we enforce it. But it work for me with OCSP enabled so it's not a server issues. Firewall?

[RupertEverton]

Now the question is why is the OCSP check failing for you? Obvious because we enforce it. But it work for me with OCSP enabled so it's not a server issues. Firewall?

But still, why would I be able to connect in every case except for when user.js is implemented?

[rusty-snake]

Because we enforce it.

https://github.com/arkenfox/user.js/blob/85438d00e457bff692303af519da618c6372476b/user.js#L512-L519

Firefox defaults to "check if the cert is still valid, and if the check fails ignore it". This mean privacy leak and no real security gain.

[Thorin-Oakenpants]

I used to have user_pref("security.OCSP.require", false); in my overrides until about a year+ ago. I think people's mileage on this one varies quite a bit and I'm not sure what other factors play a role (timing, latency, ISP, cert lab being contacted? not my area sorry)

Feel free to add it to your overrides - but if it's just one website (icloud) that already requires sacrificing too many other protections/benefits, then I wouldn't ... but I consider the risk to be low if you do

[RupertEverton]

So I did some testing:

• adding user_pref("security.OCSP.require", false); and then also user_pref("privacy.resistFingerprinting", false); returned the following error, both times:

  
  Firefox Can’t Open This Page

To protect your security, idmsa.apple.com will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.

- adding `user_pref("network.http.referer.XOriginPolicy", 0);` and `user_pref("security.OCSP.require", false);` did not show any error, but neither the login box; instead I was presented with an endless "loading" wheel.

- adding all three parameters worked, I was finally shown the login box.

However if disabling these three parameters is what's necessary to make just one website work, I'll follow your advice of using an alternative way to use icloud.

Cheers to everyone!

[Thorin-Oakenpants]

At some stage we're going to move to dFPI (instead of FPI which if there is an actual issue logging in, this would fix that), and at some stage they might fix the RFP issue(s) with icloud (looks doable IMO)

Referers you can work around by using Smart Referer in hard mode and whitelist icloud<->appleid (or whatever it is). And the OSCP one varies person to person

So all up, until then, use a secondary browser - I have nightly here with just uBO and a couple of basic tweaks, which I use for testing and the occasional one off sites. Works a treat