Firefox Attempts to Bypass Tor in Ubuntu


2 years ago
Setup:
-Standard TBB installation (tor-browser-linux32-3.5.2.1_en-US.tar)
-No add-ons; js disabled in both NoScript and about:config
-Ubuntu 12.04

Problem Description:
-Start up TBB from command line: ./start-tor-browser
-Allow Tor connection through application and port level firewalls
-Monitor processes through netstat window
-Observe tor communicating with outside world
-Observe firefox on 127.0.0.1 ports communicating only with tor across 127.0.0.1:9150/9151
Problem (Unknown Connection and Bypass to Tor) => Sometimes sooner, sometimes later...I get an application level alert that Firefox is attempting to connect to the internet
-I deny this Firefox connection attempt
-Firefox continues working well over its 127.0.0.1 connection

Additional Detail:
-Firefox continues working well over its 127.0.0.1 connection after I block the direct connection attempt
-The Firefox PID given in the direct connection alert is the same TBB Firefox PID as in my netstat window, so this is not a non-TBB Firefox process

Concern:
-Something in TBB Firefox is connecting to the internet outside of Tor without my direction, or something in Ubuntu is using TBB Firefox to connect to the internet outside of Tor without my direction
-This connection is bypassing the tor proxy
-While I see this as a huge design flaw, it is actually fortunate for me that this connection attempt is bypassing tor, otherwise this unknown connection (from ??? to ??? sharing ???) would occur through Tor and I would be oblivious to the occurrence. As it is occurring now, I am at least able to see the Firefox direct connection attempt and block it
-If individuals do not use application level access control or if they just allow Firefox connections believing that this is part of normal TBB operation, they may be vulnerable

Thanks for your ideas...


=========================================================
Follow-Up Information
-----------------------------------
-I am not a Linux expert sadly and have no Wireshark capabilities.
-After checking a few ubuntu sites for ideas, I ran a list of Firefox resources before and after the Firefox direct (non-tor) connection attempt alert
-These may all be normal or may be an effect and not the cause of the tor bypass

Before/after bypass connection (differences between lsof | grep firefox):
---------------------------------------------------------------------------------------------------------
(all start similar to: firefox 10265 username mem REG 8,1 10370 675699...)
/usr/share/locale-langpack/en_GB/LC_MESSAGES/pulseaudio.mo
/usr/lib/xxxx-linux-gnu/libcanberra-0.28/libcanberra-pulse.so
/home/username/.local/share/gvfs-metadata/root-xxxxxx.log
/usr/share/locale-langpack/en_GB/LC_MESSAGES/eog.mo
/usr/share/locale-langpack/en_GB/LC_MESSAGES/file-roller.mo
/home/username/.local/share/gvfs-metadata/root
/home/username/tor-browser_en-US/Data/Browser/profile.default/formhistory.sqlite
unix 0x00000000 0t0 132338 socket
/home/username/tor-browser_en-US/.cache/event-sound-cache.tdb.xxxx.xxxx-pc-linux-gnu
/home/username/.local/share/gvfs-metadata/root (deleted)
/home/username/.local/share/gvfs-metadata/root-xxxxxxxx.log (deleted)


Of immediate concern is that I use standard TBB install, meaning EN-US. Only my system, and now you, lol, know that I have an EN-GB language preference set.
References to /usr/share/locale-langpack/, /usr/lib/xxxx-linux-gnu/l, gvfs-metadata, and file-roller add to this concern.

I am no Ubuntu genius, but it sure appears that Ubuntu system processes are hooking TBB Firefox for updates.

2 years ago
Is it possible to find out what IP address Firefox tries to connect to?

I mean, that "application level alert" - what information does it show? Maybe
# tail -n 100 /var/log/syslog

will show more info?
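
Added example, not part of any post in this thread: one way to answer the question above from the netstat output the original poster is already watching. It parses `netstat -tnp` text and lists every socket owned by the Firefox PID whose remote end is not the local Tor proxy on 127.0.0.1:9150/9151; the sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -tnp` output. PID 10265 is the Firefox PID
# from the thread's lsof line; every address here is a made-up placeholder.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9150          127.0.0.1:40112         ESTABLISHED 10240/tor
tcp        0      0 127.0.0.1:40112         127.0.0.1:9150          ESTABLISHED 10265/firefox
tcp        0      0 127.0.0.1:40120         127.0.0.1:9151          ESTABLISHED 10265/firefox
tcp        0      1 192.168.1.20:51514      203.0.113.7:443         SYN_SENT    10265/firefox
tcp        0      0 192.168.1.20:43210      198.51.100.9:9001       ESTABLISHED 10240/tor
tcp6       0      0 ::1:51000               ::1:9150                ESTABLISHED 10265/firefox
"""

ALLOWED_PROXY_PORTS = {9150, 9151}  # the local Tor ports named in the first post


def split_endpoint(endpoint):
    """Split netstat's 'addr:port'; IPv6 uses the same last-colon form."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def direct_connections(netstat_text, pid):
    """Return (state, local, remote) for sockets of `pid` that skip the local proxy."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue  # header, UDP or truncated line
        local, remote, state, owner = fields[3:7]
        if owner.split("/", 1)[0] != str(pid):
            continue
        try:
            addr, port = split_endpoint(remote)
        except ValueError:
            continue  # wildcard remote such as 0.0.0.0:* on a listening socket
        if addr.is_loopback and port in ALLOWED_PROXY_PORTS:
            continue  # expected: browser talking to Tor on loopback
        hits.append((state, local, remote))
    return hits


if __name__ == "__main__":
    for state, local, remote in direct_connections(SAMPLE, 10265):
        print(f"{state:12} {local} -> {remote}")
```

On a live system the text would come from `netstat -tnp` run as root (so the PID column is populated), captured at the moment the firewall alert appears.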

2 years ago
Seems like Firefox Auto-Update or Safe-Browsing feature.
