<b><i>Mike Perry <mikeperry@fscked.org></i></b> wrote:<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> The first release candidate for the next stable series of the<br>security-enhanced Torbutton Firefox extension has been released. This<br>release features functional support for Firefox 3. However, this<br>support has not been extensively tested. In particular, timezone<br>masking does not work at all. The workaround is to manually set the<br>environment variable 'TZ' to 'UTC' before starting Firefox. This works<br>on both Linux and Windows.<br><br>Firefox 3 users should keep a close eye on Torbutton. In particular,<br>the new Places history database code is connected to all sorts of<br>different parts of the browser, and it is unknown if 'disabling<br>history' actually prevents disk writes for many parts of its database.<br>It is also possible this code may perform strange network accesses at<br>odd
times as well (the 'Livemarks' code is one case of this that has<br>known issues). Please keep an eye on your Vidalia window. Adventurous<br>users can also run wireshark, and/or help with the disk access<br>auditing by running Process Monitor on their Windows systems:<br>http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx<br><br>A list of other Firefox bugs known to impact Torbutton security can be<br>found at: https://torbutton.torproject.org/dev/design/#FirefoxSecurity<br><br>Here is the complete changelog for 1.2.0rc1:<br> * general: FF3 should now be functional, but timezone masking is not<br> operational<br> * bugfix: Fix Places/history component hooking in FF3<br> * bugfix: Disable Places database in FF3 via browser.history_expire_days=0<br> if history writes are disabled.<br> * bugfix: General component hooking fixes for FF3<br> * bugfix: Block favicon leaking in FF3<br> * bugfix: Enable safebrowsing updates in FF3 (it's finally HMACd. Yay).<br> *
bugfix: Use Greg Fleischer's new useragent prefs in FF3.<br> * bugfix: Properly reset cookie lifetime policy when user changes<br> cookie handling options.<br> * bugfix: Fix 'Restore defaults' button issues with custom proxy settings<br> * bugfix: navigator.oscpu hooking was broken in 1.1.18<br> * bugfix: Try to prevent alleged 0x0 windows on crash recovery<br> * bugfix: Attempt to block livemarks updates during Tor. Only<br> partial fix. Not possible to cancel existing Livemarks timer (one fetch <br> will still happen via Tor before disable). See Firefox Bug 436250<br> * misc: Set plugin.disable_full_page_plugin_for_types for all plugin<br> mimetypes just in case our custom full page blocking code fails<br><br><br>-- <br>Mike Perry<br>Mad Computer Scientist<br>fscked.org evil labs<br></blockquote><br>Thank you so much!<br><br>Have you thought about having an option to set the initial starting state of TorButton? Mine starts in the state it was in when I last
exited Firefox. That has led to me browsing to hidden services in the clear without initially realizing that Tor was not enabled. I am thinking that a radio button to select from "Default (Starts in previous state), Starts Enabled, and Starts Disabled".<br><br>Another behavior of Firefox is that if I visit a web address such as http://hiddenservice.onion/ , it changes it to http://www.hiddenservice.onion/ when Tor is disabled. I don't know how to change this, or if it is possible to do this via the plugin. I find it very annoying.<br><br>Thanks again,<br><p>