Updated tor2web check to return a 403 status on success

[zenmonkeykstop]

Status

Ready for review

Description of Changes

Fixes #6291 .

Changes the SI behaviour when a tor2web request is detected. Previously, the application would display a warning flash message on the page, with a link to info/tor2web_warning summarizing the risks of using tor2web. Now, the application will respond with the warning page directly, served with a 403 error status.

The warning page now also contains the correct onion URL for the instance, and text has been updated:

Note that by itself this PR will not improve detection of tor2web proxies, preserving the current logic of checking for the X-tor2web header (which is rarely present anymore).

Testing

• check out this branch and run make dev-tor
• connect to the docker container with docker exec -it securedrop-dev-0 bash and add a file /var/lib/securedrop/source_v3_url containing a single line with a validly-formatted v3 onion URL (<56chars>.onion, no protocol or slashes)
• verify that the SI is available (via localhost:8080 or over Tor) and that basic functionality works with no tor2web warnings or redirects
• verify that the v3 url specified above is available via the SI /metadata endpoint
• add an X-tor2web header to your browser requests (eg. via a browser addon like ModHeader)
• verify that any requests for non-static resources on the SI result in a 403 and the Tor2Web warning page in the screenshot above
• verify that the v3 url you specified matches the one displayed on the warning page.
• visit the Tor version of the dev environment via a tor2web proxy and verify that the v3 url in the page has not been rewritten.

Deployment

n/a

Checklist

If you made changes to the server application code:

• Linting (make lint) and tests (make test) pass in the development container

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

Choose one of the following:

• I have opened a PR in the docs repo for these changes, or will do so later
• I would appreciate help with the documentation
• These changes do not require documentation

[ninavizz]

The body and header text both need some work, imho.

1. Active voice.
- OSS trends towards being far too passive, wanting to leave things open for users. In UI messaging, people just want to be told what "is" and what "to do."
2. Headers should rarely exceed 2 words. What is the page topic, as TL;DR as possible. Not complete sentences. Speculatively, "Tor2Web Detected" seems like the most appropriate header, with an inline error message below that says as its declarative "Anonymity Risk" and then in body text after that, qualify why. Then, include a link to Tor Browser, after that.
3. If in fact this is a warning page, an inline error-bang warning should also display with this page. Similar to how it's styled in the new SI. See above text recommendation.
4. Second sentence and "strongly advise" both sound too wishy-washy, and the second sentence takes too long to cut to the chase.
5. Please do not leave out private adversaries; returning to the personas, Ed Snowden is not the primary whistleblower SD targets. Speaking to "government" as a broad concept, instead of more abstractly "public or private adversaries"

[legoktm]

Agreed that "strongly advise" doesn't cut it here, since we're actually fully blocking access to SDs if we see Tor2Web is being used.

In the commit message and PR title, you described this as a "redirect", but it's not actually a redirect, it just overrides the current page. I think actually doing a redirect to an endpoint like /tor2web would be nicer if we end up implementing a proxy/URL check in JavaScript.

[eloquence]

I agree with Nina and Kunal that, given that the behavior change is from warning to blocking, we'll need to update the page a bit more to make that explicit. It may also be worth making it even clearer that, at this point, the user has effectively disclosed their IP address to the Tor2web operator (and apparently Google Analytics and ad providers for many of them). In other words, depending on their behavior or threat model, it may no longer be safe for them to make a submission at all.

I realize most of the page pre-dates the PR, but I think it'd be worth workshopping the entire page content a bit in a GDoc or Figma, assuming we can actually reliably detect Tor2web gateways in one way or another.

[zenmonkeykstop]

I'm down to make the changes mentioned - afterwards if we do want to workshop it I'd prefer to get that scheduled sooner rather than later, in the interest of getting this change out the door in a reasonable timeframe.

[zenmonkeykstop]

@legoktm re: redirect word, that's just sloppy terminology on my part, but I do think that a 403 is appropriate given that the intent is to deny access. Will update the PR. Also, the original /info/tor2web-warning route is preserved, precisely so that it can be used with a Javascript check.

[zenmonkeykstop]

Not down with the "public or private adversaries" bit on further reflection, as it's probably best not to overload sources with domain-specific terminology. Also, the current text does speak accurately, tho not completely, to the specific adversaries a source in this situation would have to worry about.

[eloquence]

Could say "(your employer, your government, your Internet provider)" which doesn't strike me as overly unwieldy. But I think after you have a version up you're happy with, maybe we can have a quick huddle on Wednesday or Thursday to futz a bit more.

[zenmonkeykstop]

OK, new version up.

• updated header as suggested by @ninavizz
• added error flash message using existing SI flash styling. Note that the existing flash message format does not have a declarative (unless you add it as markup, which I'd prefer to avoid), so it doesn't have that part. IMO this can be revisited in the context of ongoing design updates.
• decreased wishy-washiness by 47% (took two passes as in the first pass I added "please" everywhere...)
• see previous reservations re "adversaries" etc. - updated list to include the proxy operator, who, given historical events and obvious DPI nonsense currently going on, are probably one of the more significant threats.

[legoktm]

Technically LGTM, not giving it the green check in case people have other wording concerns. One thing I was worried about was that the proxy would try to rewrite the onion URL, but in my testing it only does so if it's in a href, not if it's just in plain text - so we're good on that front.

[zenmonkeykstop]

tweaked the language a bit based on the discussion in #6293 - now looks like this:

[eloquence]

I've proposed a slight reword of the page here:
https://pad.riseup.net/p/tor2web-warning

Proposed changes in a nutshell:

• Active voice for "You are not anonymous right now" warning
• Simplify some language
• Removed article "the" in front of "Tor Browser" (see Gonzalo's similar cleanup commit: freedomofpress/securedrop-docs@0071f52)
• Remind them to note down the .onion address if they click "New identity", since it will disappear from view otherwise

Please feel free to futz further in the pad or challenge any of those tweaks :)

[zenmonkeykstop]

YA round of text updates is complete. See below:

[eloquence]

LGTM! Thanks for patiently poking at it together.

[codecov-commenter]

Codecov Report

Merging #6300 (6353879) into develop (ecd6b2b) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@             Coverage Diff             @@
##           develop    #6300      +/-   ##
===========================================
+ Coverage    84.07%   84.09%   +0.01%     
===========================================
  Files           60       60              
  Lines         4208     4213       +5     
  Branches       508      509       +1     
===========================================
+ Hits          3538     3543       +5     
  Misses         549      549              
  Partials       121      121              

Impacted Files	Coverage Δ
securedrop/source_app/__init__.py	90.52% <100.00%> (+0.20%)	⬆️
securedrop/source_app/info.py	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ecd6b2b...6353879. Read the comment docs.

[legoktm]

Confirmed test plan, LGTM. If there are still concerns with the new wording, it can be adjusted in a follow-up.