I sat down on my desktop to take a closer look at how Kagi implemented this. It turns out that the privacy pass extension isn't the one implemented by CloudFlare (and rejected by Tor), but a new extension called Kagi Privacy Pass.
// ./scripts/privacypass.js
/*
* Privacy Pass protocol implementation
*/
import init, * as kagippjs from "./kagippjs/kagippjs.js";
...
// load WASM for Privacy Pass core library
await init();
I opened ./kagippjs/kagippjs.js and was, of course, greeted with a WASM binary.
I personally would not install unknown WASM blobs in Tor browser. Source and reproducible build, please!
Let's continue.
// get WWW-Authenticate HTTP header value
let origin_wwwa_value = "";
const endpoint = onion ? ONION_WWWA_ENDPOINT : WWWA_ENDPOINT;
try {
const resp = await fetch(endpoint, { method: "GET", headers: { 'X-Kagi-PrivacyPass-Client': 'true' } });
origin_wwwa_value = resp.headers.get("WWW-Authenticate");
} catch (ex) {
if (onion) {
// this will signal that WWWA could not fetch via .onion
// the extension will then try normally.
// if the failure is due to not being on Tor, this is the right path
// if the failure is due to being on Tor but offline, then trying to fetch from kagi.com
// won't deanonymise anyway, and will result in the "are you online?" error message, also the right path
return origin_wwwa_value;
}
throw FETCH_FAILED_ERROR;
}
What?? If the Onion isn't reachable, you make a request to the clearnet site? That will, in fact, deanonymize you (although I don't know if Tor browser will Torify `fetch` calls made in extensions). You don't want Tor browser making clearnet requests just because it couldn't reach the .onion! What if the request times out while it's bouncing between the 6 relays in the onion circuit? Happens all the time.
The extension is open-source [1], including the Rust code that produces the WASM [2]. You should be able to produce a bit-compatible binary from these repos, and if not, please file a bug!
Ok, let's look at the source.
Alright, here's some nice, clean, easy-to-read Javascript. Nice! Wait, what's that? I opened ./kagippjs/kagippjs.js and was, of course, greeted with a WASM binary.I personally would not install unknown WASM blobs in Tor browser. Source and reproducible build, please!
Let's continue.
What?? If the Onion isn't reachable, you make a request to the clearnet site? That will, in fact, deanonymize you (although I don't know if Tor browser will Torify `fetch` calls made in extensions). You don't want Tor browser making clearnet requests just because it couldn't reach the .onion! What if the request times out while it's bouncing between the 6 relays in the onion circuit? Happens all the time.