brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0
17.06k stars 2.23k forks

Enable HTTPS-Only Mode for Private Windows with Tor #23030

Closed arthuredelstein closed 1 year ago

arthuredelstein commented 2 years ago

To enhance the safety of users of Tor windows, we should enable HTTPS-Only Mode by default.

HTTPS-Only Mode is currently opt-in. When it is enabled, attempting to visit an insecure website results in the following interstitial page from Chromium:

[image: Chromium's HTTPS-Only Mode interstitial]

We can consider whether to add more information to the message on this page that is Tor-specific.

diracdeltas commented 2 years ago

bumping this to p2 since tor browser is now doing this: https://betanews.com/2022/07/17/tor-browser-11-5-is-here-with-https-only-mode-by-default-and-automatic-censorship-circumvention/

ArshErgon commented 1 year ago

Is it still open, @diracdeltas and @arthuredelstein? Can you assign me this, and guide me on how I should set it up locally?

Sranjan0208 commented 1 year ago

Hey! Is anyone working on this issue? If not, can you assign me this? Also, it would be really helpful if you could provide any resources which can help us with this issue.

diracdeltas commented 1 year ago

nobody has been working on this, PRs are welcome. but if you get stuck let us know and we can figure out someone at brave to assign.

arthuredelstein commented 1 year ago

I'll be taking on this issue shortly. @ArshErgon or @Sranjan0208: if you already started working on this, please let me know -- you can reach me at aedelstein AT brave DOT com.

kristiankauffeld commented 1 year ago

I'd like to take a look at it, but can you give any hints at what files to look at in the src code?

fmarier commented 1 year ago

Related issue: https://github.com/brave/brave-browser/issues/1136

arthuredelstein commented 1 year ago

Ideas for QA tests on Brave Desktop:

Test 1 Please test the following insecure websites in a normal window, a Private Windows, and a Private Window with Tor.

In normal and Private Windows, these sites should load with http://. In a Private Window with Tor, the browser should show an interstitial warning page with the message "The connection to $website is not secure." For each website, if you press "Continue to Site" it should load the website under http://. If you press "Go back" it should show the previous page.

Test 2 Please test the following upgradable websites in a normal window, a Private Window, and a Private Window with Tor:

Test 3 Please test the following self-upgrading secure websites in a normal window, a Private Window, and a Private Window with Tor:

These sites should automatically upgrade to https:// in all windows without any warning pages.

Test 4 Please test the following .onion sites in a Private Window with Tor:
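
The four tests above encode a decision table: which window types have HTTPS-Only Mode on, when the browser upgrades silently, when it shows the interstitial, and why `.onion` is left alone. The following is an added model of that table (my code, not Brave's or Chromium's). The `https_capable` and `self_upgrading` host sets are constructed stand-ins for what the network would answer for the hosts in the test plan, and the per-session `allowlist` for "Continue to site" is an assumption about how the bypass is remembered, not something the thread states.

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit, urlunsplit


class Window(Enum):
    NORMAL = "normal window"
    PRIVATE = "private window"
    TOR = "private window with Tor"


class Outcome(Enum):
    LOADED_HTTP = "loaded over http://"
    LOADED_HTTPS = "loaded over https://"
    INTERSTITIAL = "HTTPS-Only Mode interstitial"


def with_scheme(url: str, scheme: str) -> str:
    """Rewrite only the scheme of url, keeping host, path, query and fragment."""
    p = urlsplit(url)
    return urlunsplit((scheme, p.netloc, p.path, p.query, p.fragment))


@dataclass
class HttpsOnlyPolicy:
    # Constructed stand-in for the network: hosts that answer on https://.
    https_capable: set
    # Hosts whose own http:// origin redirects to https:// (e.g. a 301);
    # these upgrade in every window whether or not HTTPS-Only is on.
    self_upgrading: set
    # Hosts the user passed the interstitial for via "Continue to site".
    # Assumption: remembered for the session and dropped with the window.
    allowlist: set = field(default_factory=set)

    @staticmethod
    def https_only_enabled(window: Window) -> bool:
        # The change this issue asks for: on by default only in Tor windows.
        return window is Window.TOR

    def continue_to_site(self, host: str) -> None:
        self.allowlist.add(host.lower())

    def navigate(self, url: str, window: Window):
        """Return (Outcome, URL actually shown) for a top-level navigation."""
        p = urlsplit(url)
        host = (p.hostname or "").lower()
        if p.scheme == "https":
            return Outcome.LOADED_HTTPS, url
        if p.scheme != "http":
            raise ValueError(f"unsupported scheme: {p.scheme!r}")
        # Onion services are encrypted and authenticated by Tor itself (the
        # name commits to the service key), so plain http:// is not
        # downgradable and HTTPS-Only leaves it alone (Test 4).
        if host.endswith(".onion"):
            return Outcome.LOADED_HTTP, url
        # Test 3: the server upgrades itself; no browser policy is involved.
        if host in self.self_upgrading:
            return Outcome.LOADED_HTTPS, with_scheme(url, "https")
        if not self.https_only_enabled(window):
            return Outcome.LOADED_HTTP, url  # Tests 1 and 2 in non-Tor windows
        # HTTPS-Only: try https:// first; only if that fails is the user asked.
        if host in self.https_capable:
            return Outcome.LOADED_HTTPS, with_scheme(url, "https")  # Test 2, Tor
        if host in self.allowlist:
            return Outcome.LOADED_HTTP, url  # after "Continue to site"
        return Outcome.INTERSTITIAL, url  # Test 1, Tor window


def run_test_plan(policy: HttpsOnlyPolicy):
    """Drive the four QA tests from the thread; return {(url, window): Outcome}."""
    urls = ["http://http.badssl.com/", "http://insecure.arthuredelstein.net/",  # Test 1
            "http://example.com/", "http://upgradable.arthuredelstein.net/",    # Test 2
            "http://brave.com/", "http://github.com/"]                          # Test 3
    results = {}
    for url in urls:
        for window in Window:
            results[(url, window)] = policy.navigate(url, window)[0]
    onion = "http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/"
    results[(onion, Window.TOR)] = policy.navigate(onion, Window.TOR)[0]  # Test 4
    return results


if __name__ == "__main__":
    policy = HttpsOnlyPolicy(
        https_capable={"example.com", "upgradable.arthuredelstein.net"},
        self_upgrading={"brave.com", "github.com"})
    for (url, window), outcome in run_test_plan(policy).items():
        print(f"{window.value:26} {url:55} {outcome.value}")
```

The ordering of the checks is the point: the `.onion` exemption and the server-side redirect are decided before the window type is consulted, so Tests 3 and 4 behave identically in every window, and only the remaining plain-http hosts ever see the interstitial.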

stephendonner commented 1 year ago

Verification PASSED using

Brave 1.45.74 Chromium: 106.0.5249.55 (Official Build) beta (x86_64)
Revision 4d5f098fca6ab7f4b6b7c240be3d9593c2357709-refs/branch-heads/5249@{#531}
OS macOS Version 11.7 (Build 20G817)

Test 1

http://http.badssl.com/

[screenshots: normal window | private window | private window w/Tor, interstitial | fully loaded]

http://insecure.arthuredelstein.net

[screenshots: normal window | private window | private window w/Tor, interstitial | fully loaded]

Test 2

http://example.com

[screenshots: normal window | private window | private window w/Tor]

http://upgradable.arthuredelstein.net

[screenshots: normal window | private window | private window w/Tor]

Test 3

http://brave.com

[screenshots: normal window | private window | private window w/Tor]

http://github.com

[screenshots: normal window | private window | private window w/Tor]

Test 4

[screenshots: riseup | Tor Project | Keybase]

stephendonner commented 1 year ago

@arthuredelstein thank you so much for the testcases! 🙏

arthuredelstein commented 1 year ago

@stephendonner Thank you for the great QA! To confirm -- does "full" refer to what happens after pressing the "continue to site" button?

stephendonner commented 1 year ago

> @stephendonner Thank you for the great QA! To confirm -- does "full" refer to what happens after pressing the "continue to site" button?

Yes, let me change it to "fully loaded" for clarity 👍

MadhaviSeelam commented 1 year ago

Verification PASSED using

Brave 1.46.83 Chromium: 107.0.5304.68 (Official Build) beta (64-bit)
Revision a4e93e89d3b3df1be22214603fba846ad0183ca5-refs/branch-heads/5304@{#991}
OS Windows 11 Version 21H2 (Build 22000.1098)

Test Case 1: Insecure websites - PASSED

Case 1: http://http.badssl.com/

  1. http://http.badssl.com/ site loaded with http:// in normal and Private Windows
  2. Load http://http.badssl.com/ site in private window with TOR
    • the browser loads an interstitial warning page with the message The connection to $website is not secure.
    • clicked Continue to Site, the website loads under http://.
    • clicked Go back in the interstitial page, navigated to previous page.
[screenshots: Normal | Private window | Private window w/TOR, interstitial | Fully loaded, continue | previous page, Go back]

Case 2: http://insecure.arthuredelstein.net/

  1. http://insecure.arthuredelstein.net/ site loaded with http:// in normal and Private Windows
  2. http://insecure.arthuredelstein.net/ site in private window with TOR
    • the browser loads an interstitial warning page with the message The connection to $website is not secure.
    • clicked "Continue to Site", the website loads under http://.
    • clicked "Go back" in the interstitial page, navigated to previous page.
[screenshots: Normal | Private window | Private window w/TOR, interstitial | Fully loaded, continue | previous page, click back]

Test Case 2 - Upgradable websites - PASSED

Case 1: http://example.com/

[screenshots: Normal | Private window | Private window w/TOR]

Case 2: http://upgradable.arthuredelstein.net/

[screenshots: Normal | Private window | Private window w/TOR]

Test 3 - Self-upgrading secure websites - PASSED

  1. http://brave.com/ - site should automatically upgrade to https:// in all windows without any warning pages.
  2. http://github.com - site should automatically upgrade to https:// in all windows without any warning pages.

Case 1: http://brave.com/

[screenshots: Normal | Private window | Private window w/TOR]

Case 2: http://github.com

[screenshots: Normal | Private window | Private window w/TOR]

Test 4 - .onion sites in a Private Window with Tor - PASSED

Case 1: loaded the following .onion sites using http://, and no error page was displayed because .onion sites are secure without requiring https://.

  - Riseup: http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/  
  - Tor Project: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/
  - Keybase: http://keybase5wmilwokqirssclfnsqrjdsi7jdir5wy7y7iu3tanwmtp6oid.onion/ - (site was down for this URL so not tested)
[screenshots: Riseup | Torproject]

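
The reason the `.onion` sites in Test 4 need no https:// is that a v3 onion address is itself the service's ed25519 public key, plus a checksum and a version byte, base32-encoded. Tor authenticates and encrypts the connection against that key, so there is nothing for an HTTPS upgrade to add. The following is an added example (my code, not Brave's, Chromium's or Tor's) that builds and checks that encoding: base32(pubkey || SHA3-256(".onion checksum" || pubkey || 0x03)[:2] || 0x03). The key used in `__main__` is a constructed placeholder, not a real service; the two addresses from this QA run are only printed, and whether a browser should validate the checksum rather than just match the `.onion` suffix is a design choice this thread does not take up.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def encode_v3_onion(pubkey: bytes) -> str:
    """Build the .onion hostname for a 32-byte ed25519 service public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion keys are 32-byte ed25519 public keys")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_v3_onion(host: str):
    """Return the service public key if host is a well-formed v3 onion address
    with a valid checksum, else None. Labels in front of the address are allowed."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].rsplit(".", 1)[-1]
    # 56 base32 characters carry exactly 280 bits = 35 bytes, no padding.
    if len(label) != 56 or any(c not in B32_ALPHABET for c in label):
        return None
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


def is_v3_onion(host: str) -> bool:
    """True when host names an onion service whose address self-authenticates."""
    return parse_v3_onion(host) is not None


if __name__ == "__main__":
    pk = bytes(range(32))  # constructed placeholder key, not a real service
    addr = encode_v3_onion(pk)
    print(addr, parse_v3_onion(addr) == pk)
    # Addresses from the QA run in this thread.
    for a in ("vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion",
              "2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion"):
        print(a, is_v3_onion(a))
    print("example.com", is_v3_onion("example.com"))
```

A host that merely ends in `.onion` but fails the checksum or version check cannot be reached through Tor at all, so a suffix match and a structural check agree on every address that actually loads; the structural check only matters for rejecting garbage before it reaches the network.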
arthuredelstein commented 1 year ago

@MadhaviSeelam Thanks for the great QA. Unfortunately upgradable.arthuredelstein.net was temporarily offline, but I have fixed it now.

MadhaviSeelam commented 1 year ago

@arthuredelstein thanks for fixing the URL. Was going to reach out to you in fact, and that worked. Now I need help again from you. Keybase onion site is throwing an error: This site can't be reached

image

fmarier commented 1 year ago

I have the same problem with Keybase, it seems like their Onion site/gateway might be down.

MadhaviSeelam commented 1 year ago

Thanks @fmarier for confirming!!

LaurenWags commented 1 year ago

Verified with

Brave 1.46.106 Chromium: 107.0.5304.110 (Official Build) beta (64-bit)
Revision 2a558545ab7e6fb8177002bf44d4fc1717cb2998-refs/branch-heads/5304@{#1202}
OS Linux

Test Case 1 - Insecure websites - PASSED

Case 1: http://http.badssl.com/

  1. `http://http.badssl.com/` site loaded with `http://` in `normal` and `Private Windows`
  2. Load `http://http.badssl.com/` site in `private window with TOR`
    • the browser loads an `interstitial warning` page with the message `The connection to $website is not secure.`
    • clicked `Continue to Site`, the website loads under `http://`.
    • clicked `Go back` in the interstitial page, navigated to previous page.
[screenshots: Normal | Private window | Private window w/TOR, interstitial | Fully loaded, continue | previous page, Go back]

Case 2: http://insecure.arthuredelstein.net/

  1. `http://insecure.arthuredelstein.net/` site loaded with `http://` in `normal` and `Private Windows`
  2. `http://insecure.arthuredelstein.net/` site in `private window with TOR`
    • the browser loads an `interstitial warning` page with the message `The connection to $website is not secure.`
    • clicked "Continue to Site", the website loads under `http://`.
    • clicked "Go back" in the interstitial page, navigated to previous page.
[screenshots: Normal | Private window | Private window w/TOR, interstitial | Fully loaded, continue | previous page, click back]

Test Case 2 - Upgradable websites - PASSED

Case 1: http://example.com/

  - `http://example.com/` site loaded with `http://` in `normal` and `Private Windows`
  - `http://example.com/` site loaded automatically with `https://` in `private window with TOR`. No warning pages shown.
[screenshots: Normal | Private window | Private window w/TOR]

Case 2: http://upgradable.arthuredelstein.net/

  - `http://upgradable.arthuredelstein.net/` site loaded with `http://` in `normal` and `Private Windows`
  - `http://upgradable.arthuredelstein.net/` site loaded automatically with `https://` in `private window with TOR`. No warning pages shown.
[screenshots: Normal | Private window | Private window w/TOR]

Test Case 3 - Self-upgrading secure websites - PASSED

  1. `http://brave.com/` - site should automatically upgrade to `https://` in all windows without any warning pages.
  2. `http://github.com` - site should automatically upgrade to `https://` in all windows without any warning pages.

Case 1: http://brave.com/

[screenshots: Normal | Private window | Private window w/TOR]

Case 2: http://github.com

[screenshots: Normal | Private window | Private window w/TOR]

Test Case 4 - `.onion` sites in a `Private Window with Tor` - PASSED

Case 1: loaded the following `.onion` sites using `http://`, and no error page was displayed because `.onion` sites are secure without requiring `https://`.

  - Riseup: http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/
  - Tor Project: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/
  - Keybase: http://keybase5wmilwokqirssclfnsqrjdsi7jdir5wy7y7iu3tanwmtp6oid.onion/ - (site was down for this URL so not tested)
[screenshots: Riseup | Torproject]