Audit for tor leakage parity with browser-laptop #1270

Closed
diracdeltas opened this issue Sep 25, 2018 · 8 comments
Labels
feature/tor/leakproofing Eliminating unexpected ways that someone using Tor might be unmasked. QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes security

Comments

@diracdeltas (Member)

We should go through all of the test cases in brave/browser-laptop#14143 and make sure none of them exist in private tabs with Tor.

@diracdeltas diracdeltas added security feature/tor/leakproofing Eliminating unexpected ways that someone using Tor might be unmasked. labels Sep 25, 2018
@bbondy bbondy added this to the Releasable builds 0.55.x milestone Sep 28, 2018
@srirambv srirambv self-assigned this Sep 29, 2018
@srirambv (Contributor)

Basic functionality

  1. Open a new private tab. The 'Use tor' and 'Use duckduckgo' switches should be off. Check that turning on Tor turns on DDG, and that DDG can be disabled independently of Tor. - Fail, DDG is mentioned as default search engine but still uses Google (Tor window uses Google.com by default #1226)
  2. Go to check.torproject.org in the private tab. It should say that you're using Tor. - Pass
  3. Go to check.torproject.org in a regular tab. It should not say that you're using Tor. - Pass
  4. Go to https://www.whatismyip.com/ in a second private tab. It should show a different IP than what was shown on check.torproject.org in the first private tab. - Pass, used http://www.whatsmyip.org/ as http://www.whatismyip.com kept blocking out
  5. Open a new private tab and do a search. It should go over duckduckgo. - Pass, toggle switch uses DDG as default search
  6. Open shields in a tor tab. It should show a warning that some sites don't work over Tor. - Fail, issue logged (Show a warning that some sites don't work over Tor #1351)
  7. Open shields in a regular tab. It shouldn't show a warning. - Pass

Enable/disable

  1. Disable Tor in a private tab. Disable DDG. - Fail, search engine settings not available because blocked on (style Search section in settings #1186)
  2. Visit check.torproject.org in the tab. It should not say that you're using Tor. If you open more private tabs, you should see the same result. - Pass on Private and normal tabs
  3. Re-enable Tor. DDG should be auto-enabled too. - Fail, blocked on (Tor window uses Google.com by default #1226)
  4. Go to check.torproject.org in the private tab. It should say that you're using Tor. - Pass, works on Tor window, fails on Private window, which is expected
  5. Disable duckduckgo in the private tab. Do a search and it should go over Google now. - Fail, blocked on (style Search section in settings #1186)

Issue 12990 - Pass

  1. go to http://3expgpdnrrzezf7r.onion/ in a tor tab
  2. no icon should be in the urlbar - Pass, shows 'Not secure' message, no padlock shown
  3. go to https://3g2upl4pq6kufc4m.onion/
  4. you should see a lock icon - Pass, shows grey padlock for the site

Issue 13347 - Fail, issue logged #1353

  1. go to https://browserleaks.com/geo in a tor tab
  2. you should not see a prompt asking to access your location
  3. the tab should show "PERMISSION DENIED - user denied geolocation"

Plugins - Fail, blocked on #1078

  1. ensure flash is installed and enabled in preferences
  2. go to https://www.onlinemictest.com/webcam-test-in-adobe-flash/
  3. make sure there is no popup asking you to run flash
  4. right click on the flash click-to-play element (looks like a puzzle piece) on the page. no context menu should appear.
  5. go to https://shaka-player-demo.appspot.com in a tor private tab
  6. you should not see a widevine notification

Favicon leak - Need to verify on source as browser dev tools not available on b-c

  1. Go to bing.com in a tor tab.
  2. Open the browser inspector (shift + fn + f8 on mac) and inspect the favicon in the tab area.
  3. It should show up as a data: URL instead of https://bing.com....

Search autocomplete - Pass, search auto complete option not available on Tor windows.

  1. In preferences > Search, enable 'autocomplete search term'
  2. Verify that it's working as expected in a regular tab
  3. Open a new Tor tab and type in the URL bar. You should not see autocomplete search results.

WebRTC - Failed, issue logged #1254

  1. Open https://browserleaks.com/webrtc in a Tor tab. It should not show any private IPs.

WebTorrent - Fail, blocked on #1134, loads both .torrent and magnet links

  1. Open a new Tor tab
  2. Go to https://webtorrent.io/torrents/sintel.torrent
  3. It should not load webtorrent

New circuit - Pass, verified on http://whatsmyip.org as https://www.whatismyip.com/ kept blocking out

  1. Open a Tor tab.
  2. Go to check.torproject.org, note the IP.
  3. Do a hard refresh
  4. It should now show a different IP
  5. Do a regular refresh
  6. It should show the same IP
  7. Open another Tor tab, go to https://www.whatismyip.com/. Do a hard refresh. The IP should change.
  8. Go back to the original Tor tab, do a regular refresh. It should still show the same IP.

cc: @bbondy @tomlowenthal

@diracdeltas (Member, Author)

For favicon leak, I think @jumde found that we are not loading favicons remotely (#477), so it's probable that the leak doesn't exist. However, it should be verified using Wireshark.

@diracdeltas (Member, Author)

Another test that wasn't included in the original test plan:

  1. open tor window
  2. go to duckduckgo.com and search 'what is my IP'
  3. on the results page you should see a message from duckduckgo telling you what your IP is
  4. click on any of the results that shows you your IP
  5. the IPs shown in 3 and 4 should be different

@diracdeltas (Member, Author)

Here's one way to check favicon leak (and Tor leaks generally):

  1. download Wireshark: https://www.wireshark.org/download.html
  2. close as many applications as you can to reduce network traffic from your computer
  3. delete your brave profile folder
  4. open wireshark and click the blue button to start a capture
  5. open brave and open a new tor window
  6. go to http://example.com in the tor window and wait for it to load
  7. stop the wireshark capture
  8. look through the wireshark results. you should not see any requests to example.com or its associated IP address (dig example.com -> returns 93.184.216.34 for me)
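Step 8 above can be automated once the capture is saved. The script below is an added example, not code from the issue thread or from Brave: it reads a classic pcap file (the format Wireshark's "Save As" writes; pcapng is not parsed) with Ethernet link type and flags the two things the procedure says must not appear: any frame sent directly to the site's IP, and any cleartext DNS query for the site's name. To keep it runnable offline it builds a small constructed capture in memory; the address 93.184.216.34 is the dig result quoted in the comment, while the MAC addresses, client ports and the "Tor guard" at 10.0.0.5:9001 are made up.

```python
import struct
from ipaddress import ip_address

# --- Constructed sample capture (assumption: not a real Brave session) -------
# Frame 1: direct TCP SYN to example.com's IP (a leak).
# Frame 2: cleartext DNS query for example.com to a public resolver (a leak).
# Frame 3: TCP SYN to a made-up Tor guard address; expected, must not be flagged.
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"

def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header; checksum left zero because the checker never validates it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)

def dns_query(name):
    """UDP header + DNS A query for `name` (one question, no compression)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1538000000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    ETH_HDR + ipv4_packet("192.168.1.10", "93.184.216.34", 6, tcp_syn(51000, 80)),
    ETH_HDR + ipv4_packet("192.168.1.10", "8.8.8.8", 17, dns_query("example.com")),
    ETH_HDR + ipv4_packet("192.168.1.10", "10.0.0.5", 6, tcp_syn(51001, 9001)),
])

# --- Checker -------------------------------------------------------------------
def iter_pcap_frames(data):
    """Yield raw Ethernet frames from a classic pcap file (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def dns_qname(payload):
    """Return the first question name of a DNS message, lowercased, or None."""
    if len(payload) < 12 or struct.unpack_from("!H", payload, 4)[0] == 0:
        return None
    labels, off = [], 12
    while off < len(payload):
        n = payload[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower()
        if n & 0xC0:          # compression pointer: not expected in a plain query
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    return None

def find_leaks(pcap_bytes, domain, direct_ips):
    """List frames that reached `domain`'s IPs directly or looked it up in cleartext DNS."""
    domain = domain.lower().rstrip(".")
    direct_ips = set(direct_ips)
    findings = []
    for idx, frame in enumerate(iter_pcap_frames(pcap_bytes), start=1):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        dst = str(ip_address(frame[30:34]))
        l4 = frame[14 + ihl:]
        if dst in direct_ips:
            findings.append(f"frame {idx}: direct traffic to {dst}")
        if proto == 17 and len(l4) >= 8 and struct.unpack_from("!H", l4, 2)[0] == 53:
            name = dns_qname(l4[8:])
            if name and (name == domain or name.endswith("." + domain)):
                findings.append(f"frame {idx}: cleartext DNS query for {name} to {dst}")
    return findings

if __name__ == "__main__":
    for line in find_leaks(SAMPLE_PCAP, "example.com", {"93.184.216.34"}):
        print(line)
```

Against a real capture, call `find_leaks(open(path, "rb").read(), "example.com", {"93.184.216.34"})` with the IPs your own `dig` returned; an empty list is the result step 8 expects. Connections to the Tor guard itself are normal and are deliberately not reported, so the check only fires on direct contact with the destination or a cleartext lookup of its name.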

@jumde (Contributor) commented Oct 1, 2018

Verified the favicons are not leaked.

@jumde (Contributor) commented Oct 1, 2018

Whitelisted protocols in tor - #1378

@bbondy (Member) commented Oct 2, 2018

Can we post anything else that remains from this list and close this issue?

@jumde jumde closed this as completed Oct 2, 2018
@kjozwiak kjozwiak added the QA/Yes label Oct 9, 2018
@srirambv (Contributor) commented Oct 10, 2018

Verification Passed on

Brave 0.55.12 Chromium: 70.0.3538.45 (Official Build) beta (64-bit)
Revision cbdc32e4334458954e9def214d7e5fa1ca1960eb-refs/branch-heads/3538@{#830}
OS Linux

Tor Search - #1226 - Looks fixed on Windows and Linux.
Issue 12990 - Pass
Issue 13347 - #1353 - Pass
Search autocomplete - Pass
Not tested as it's part of 1.0
WebRTC - #1254 - Pass
WebTorrent - #1134 - Pass
New circuit - Pass
#1270 (comment) - Pass

Not tested
#1351 (Part of 1.0)
#1186 (Part of 1.0)
Plugins - #1078 (Not fixed yet)

Verified passed with

Brave 0.55.12 Chromium: 70.0.3538.45 (Official Build) beta (64-bit)
Revision cbdc32e4334458954e9def214d7e5fa1ca1960eb-refs/branch-heads/3538@{#830}
OS Mac OS X

Used test plan from #1270 (comment)

Verification passed on

Brave 0.55.17 Chromium: 70.0.3538.67 (Official Build) (64-bit)
Revision 9ab0cfab84ded083718d3a4ff830726efd38869f-refs/branch-heads/3538@{#1002}
OS Windows 7 x64
  • Basic Functionality: PASS
  • Enable/Disable: PASS
  • Issue 12990 : PASS
  • Issue 13347 : PASS
  • Flash blocked: PASS
  • Search Autocomplete :PASS
  • WebRTC :PASS
  • WebTorrent :PASS
  • new circuit: PASS
  • Favicon leak: PASS

  • Block Widevine: FAIL #1076
