Merge remote-tracking branch 'tool/block_cloudflare_mitm_fx/master'

tool/block_cloudflare_mitm_fx/LICENSE.md

@@ -0,0 +1,21 @@
+# MIT License
+
+Copyright (c) 2017–2018 cypherpunk, nullius. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

tool/block_cloudflare_mitm_fx/README.md

@@ -0,0 +1,12 @@
+# Block Cloudflare MITM Attack
+
+**Pull requests are welcome!**
+
+The purpose of this browser add-on is to block Cloudflare sites.
+
+The TLS protocol promises end-to-end encryption between the client and an authenticated, identified endpoint server.  The browser’s lock icon is a UI widget which makes this promise to the user.  Cloudflare is a mass-decryption chokepoint, which intercepts and decrypts the Web requests made by billions of people to millions of websites.
+
+- Prior discussion: [Tor Browser Bug #24351: Block Global Active Adversary Cloudflare](https://trac.torproject.org/projects/tor/ticket/24351)
+- Imported from [block_cloudflare_mitm_attack-1.0.10.1-an+fx.xpi](https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/), by an anonymous cypherpunk.  “Cyperpunks write code.”  Cheers!
+- [Original announcement](https://trac.torproject.org/projects/tor/ticket/24351#comment:25)
+- Thanks to [Debian Bug #831835](https://bugs.debian.org/831835) for some inspiration.

tool/block_cloudflare_mitm_fx/src/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017-2018 cypherpunk, nullius.  All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

tool/block_cloudflare_mitm_fx/src/manifest.json

@@ -0,0 +1,31 @@
+{
+"manifest_version": 2,
+"name": "Block Cloudflare MiTM Attack",
+"description": "If the destination website use Cloudflare, block further request.",
+"version": "1.0.10.1",
+"homepage_url": "https://trac.torproject.org/projects/tor/ticket/24351",
+"permissions": ["webRequest","webRequestBlocking","<all_urls>","storage","activeTab","tabs"],
+"options_ui": {
+ "page": "setwhitelist.html",
+ "browser_style": false
+},
+"icons": {
+ "32": "icons/icon-32.png",
+ "48": "icons/icon-48.png",
+ "64": "icons/icon-64.png"
+},
+"browser_action": {
+"browser_style": true,
+"default_icon": {
+ "16": "icons/icon-16.png",
+ "32": "icons/icon-32.png"
+}
+},
+"background": {"scripts": ["stop_cf_mitm.js"]},
+"applications": {
+  "gecko": {
+    "id": "{d86b44dd-ef12-4f28-ab1c-ea32664490ac}",
+    "strict_min_version": "52.0"
+  }
+}
+}

tool/block_cloudflare_mitm_fx/src/setwhitelist.html

@@ -0,0 +1,26 @@
+<html><head><meta charset="utf-8"><link rel="stylesheet" href="style.css"></head><body><form>
+[Whitelist]<br>
+1. Add FQDN or .FQDN you want to ignore. Click "Save".<br>
+2. Open new tab and visit whitelisted website.<br>
+<small>(<i><b>.</b>mozilla.org</i> will allow <i>mozilla.org</i> and <i>*.mozilla.org</i>)</small><br>
+<textarea cols="50" rows="12" id="myset_cfwhite" wrap="off"></textarea><br>
+<label><input type="checkbox" id="myset_xautoclean"> Auto-remove whitelisted domain if it is no longer use MITM services</label><br><small>(Add-on will notify you)</small><br>
+<br>
+[Advanced]<br>
+<label><input type="checkbox" id="myset_xign3p"> Ignore 3rd party resource (not recommend)</label><br>
+<label><input type="checkbox" id="myset_xwhitemark"> Change whitelisted website's title, favicon, and website border</label><br>
+<label><input type="checkbox" checked disabled> I don't like Man-in-the-middle attack.</label><br><!-- justajokedonttakethisseriouslyLOL //-->
+<br>
+Also detect:<br>
+<label><input type="checkbox" id="myset_xincapsula"> Incapsula MiTM</label><br>
+<label><input type="checkbox" id="myset_xgshield"> Google's Project Shield MiTM</label><br>
+<label><input type="checkbox" id="myset_xsucuri"> Sucuri MiTM</label><br>
+<br>
+When MiTM attempt is detected:<br>
+<label><input type="radio" name="acttype" id="myset_xsimplewarn_0" value="0"> Show security warning page</label><br>
+<label><input type="radio" name="acttype" id="myset_xsimplewarn_1" value="1"> Just change title, favicon, and website border</label><br>
+<label><input type="radio" name="acttype" id="myset_xsimplewarn_2" value="2"> Cancel request immediately</label><br>
+<br>
+<input type="submit" value="  Save  ">
+</form><script src="setwhitelist.js"></script>
+</body></html>

tool/block_cloudflare_mitm_fx/src/setwhitelist.js

@@ -0,0 +1,52 @@
+function onError(e){console.log(`CFMITM_CFG Error:${e}`);}
+function saveWhitelist(e){
+e.preventDefault();
+//WHITELIST
+// check each line and remove bad fqdn (simple check)
+var cf_tmpdata=document.querySelector("#myset_cfwhite").value.split("\n");
+for (var i=0;i<cf_tmpdata.length;i++){
+if (!/^([0-9a-z.-]{1,})\.([a-z]{2,20})$/.test(cf_tmpdata[i])||cf_tmpdata[i].includes("..")||
+cf_tmpdata[i].endsWith(".cloudflare.com")||cf_tmpdata[i]=='cloudflare.com'||
+cf_tmpdata[i].endsWith(".incapsula.com")||cf_tmpdata[i]=='incapsula.com'||
+cf_tmpdata[i].endsWith(".withgoogle.com")||cf_tmpdata[i].endsWith(".google.com")){cf_tmpdata[i]='';}
+}
+cf_tmpdata=cf_tmpdata.slice().sort(function(a,b){return a>b}).reduce(function(a,b){if (a.slice(-1)[0]!==b){a.push(b);};return a;},[]);// -duplicate
+cf_tmpdata=cf_tmpdata.filter(v=>v!='');// -empty
+cf_tmpdata=cf_tmpdata.join("\n");
+browser.storage.local.set({myset_cfwhite: cf_tmpdata});document.querySelector("#myset_cfwhite").value=cf_tmpdata;
+//workaround - simplewarn didn't work as expected if ign3p is active
+if (document.querySelector("#myset_xsimplewarn_1").checked){document.querySelector("#myset_xign3p").checked=false;}
+//ADVANCED
+if (document.querySelector("#myset_xautoclean").checked){browser.storage.local.set({myset_xautoclean: "y"});}else{browser.storage.local.set({myset_xautoclean: "n"});}
+if (document.querySelector("#myset_xincapsula").checked){browser.storage.local.set({myset_xincapsula: "y"});}else{browser.storage.local.set({myset_xincapsula: "n"});}
+if (document.querySelector("#myset_xgshield").checked){browser.storage.local.set({myset_xgshield: "y"});}else{browser.storage.local.set({myset_xgshield: "n"});}
+if (document.querySelector("#myset_xsucuri").checked){browser.storage.local.set({myset_xsucuri: "y"});}else{browser.storage.local.set({myset_xsucuri: "n"});}
+if (document.querySelector("#myset_xign3p").checked){browser.storage.local.set({myset_xign3p: "y"});}else{browser.storage.local.set({myset_xign3p: "n"});}
+if (document.querySelector("#myset_xwhitemark").checked){browser.storage.local.set({myset_xwhitemark: "y"});}else{browser.storage.local.set({myset_xwhitemark: "n"});}
+//ACTION
+if (document.querySelector("#myset_xsimplewarn_0").checked){browser.storage.local.set({myset_xsimplewarn:0});}
+if (document.querySelector("#myset_xsimplewarn_1").checked){browser.storage.local.set({myset_xsimplewarn:1});}
+if (document.querySelector("#myset_xsimplewarn_2").checked){browser.storage.local.set({myset_xsimplewarn:2});}
+browser.runtime.sendMessage({relnow:'go'}).then(function(r){},onError);
+}
+function loadWhitelist(){
+function setCurrentChoice(r){
+//WHITELIST
+document.querySelector("#myset_cfwhite").value = r.myset_cfwhite||"";
+//ADVANCED
+if (r.myset_xautoclean=='y'){document.querySelector("#myset_xautoclean").checked=true;}else{document.querySelector("#myset_xautoclean").checked=false;}
+if (r.myset_xincapsula=='y'){document.querySelector("#myset_xincapsula").checked=true;}else{document.querySelector("#myset_xincapsula").checked=false;}
+if (r.myset_xgshield=='y'){document.querySelector("#myset_xgshield").checked=true;}else{document.querySelector("#myset_xgshield").checked=false;}
+if (r.myset_xsucuri=='y'){document.querySelector("#myset_xsucuri").checked=true;}else{document.querySelector("#myset_xsucuri").checked=false;}
+if (r.myset_xign3p=='y'){document.querySelector("#myset_xign3p").checked=true;}else{document.querySelector("#myset_xign3p").checked=false;}
+if (r.myset_xwhitemark=='y'){document.querySelector("#myset_xwhitemark").checked=true;}else{document.querySelector("#myset_xwhitemark").checked=false;}
+if (r.myset_xsimplewarn){switch(r.myset_xsimplewarn){
+case 1:document.querySelector("#myset_xsimplewarn_1").checked=true;break;
+case 2:document.querySelector("#myset_xsimplewarn_2").checked=true;break;
+default:document.querySelector("#myset_xsimplewarn_0").checked=true;break;
+}}else{document.querySelector("#myset_xsimplewarn_0").checked=true;}
+}
+var getting=browser.storage.local.get();getting.then(setCurrentChoice,onError);
+}
+document.addEventListener("DOMContentLoaded", loadWhitelist);
+document.querySelector("form").addEventListener("submit", saveWhitelist);

tool/block_cloudflare_mitm_fx/src/style.css

@@ -0,0 +1,3 @@
+body{font:13px Verdana}
+label{-webkit-user-select:none;-moz-user-select:none}
+textarea{white-space:pre;overflow-wrap:normal;overflow-x:scroll}