January 2017 - tbb-dev - lists.torproject.org

Team meetings calendar and Tor Browser Team
by isabela＠riseup.net 21 Feb '17

21 Feb '17

Hello Tor Browser Team! I would like to share a little bit how we will be organizing the team meetings day at Amsterdam Meeting. As you might have seem at the meeting wiki: https://trac.torproject.org/projects/tor/wiki/org/meetings/2017Amsterdam#We… We are reserving a day just for the teams to meet: Thu, 23 Mar: Teams meet to work on mapping and other issues; general meeting invitees arrive; group dinner in the evening. We created a 'calendar' system to better organize this day. I bet most of you haven't use google calendar but at Twitter we did and a cool feature was to be able to see everyone's calendar so you could figure out a good time to schedule a meeting. I created a 'calendar' for us here: https://storm.torproject.org/shared/_xuQsyM7Lkssjv9gKLw2rePMn9JYhtUBx1nr5Wg… You will see that some folks have already schedule meetings on it. Please read the suggested guidelines on how to use it. Some things to keep in mind as we organize Tor Browser Team meetings: 1. In the past we used this time to organize our roadmaps 2. You might want to invite Linda to join your roadmap discussion as she will be working on some tasks with you (all ux work before building UIs etc) 3. You should think if you want invite any person who is coming to Tor Meeting and you think should be in an specific meeting (remember this day is for teams and teams invites only) - maybe would be good to include some mobile people and have a mobile roadmap meeting? Let me know if you have any questions o/ Isabela

3 3

Fwd: [tor-project] We need project ideas for GSoC 2017!
by Tom Ritter 30 Jan '17

30 Jan '17

Here are some ideas I'd be willing to mentor if anyone thinks they're good/bad: - Creating a Crash Reporter and accompanying backend - Privacy-preserving metrics gathering (RAPPOR + opt-in) - this might be too ambitious though... - .onion, HTTP/2, Alt-Srv investigation - An idea of speeding up sites by serving them over a .onion with HTTP2 using the Alt-Srv header, probably with judicious use of server push - Security Slider Enhancements (Putting more features in FF behind the slider) - this one is probably not ambitious enough -tom ---------- Forwarded message ---------- From: Damian Johnson <atagar(a)torproject.org> Date: 29 January 2017 at 15:57 Subject: [tor-project] We need project ideas for GSoC 2017! To: tor-project(a)lists.torproject.org Hi all! This week I'm getting our ducks in a row to apply for Google Summer of Code 2017... https://summerofcode.withgoogle.com/ I just trimmed our volunteer page of projects that were done last year and sadly that doesn't leave us with much. We need mentors and project ideas! Got anything you'd care to mentor this summer? If so please let me know! Just send me a description like the ones on the following and I'd be happy to add it to our site... https://www.torproject.org/getinvolved/volunteer.html.en#Coding Please note that all projects must have two mentors, one of which is an established tor person. If you're not part of our internal community that's fine, but please find a core developer to co-sponsor your project and act as a secondary mentor. Thanks! -Damian _______________________________________________ tor-project mailing list tor-project(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project

2 3

Re: [tbb-dev] [Tails-dev] future of tor-launcher? - Firefox XPCOM / XUL based add-ons deprecation
by Yawning Angel 30 Jan '17

30 Jan '17

Sorry for messing threading up, I wasn't subbed to this list. anonym wrote: > > It is also worth noting that Yawning created a new launcher/updater > > for Linux as part of his Sandboxed Tor Browser Project (it uses go, > > Gtk+ 3, and libnotify). > > https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux > > Interesting, but I wonder how much of this launcher that is about > setting up the sandboxes -- my fear is that it simply is designed for > something else than what we want. Any way, I haven't looked at it, I'm > just speculating. :) Well. Any decent sandboxing solution can't have firefox being the process launching the tor daemon, because that requires granting it things like network access, filesystem access to the tor data directory, etc that it frankly has no business of ever accessing. From a security standpoint, I think that tor-launcher needs to die, and I wrote sandboxed-tor-browser accordingly. Since it's an Alpha, and I had limited time, it doesn't do everything that tor-launcher currently can, it currently supports: * Configure a tor daemon. * Pluggable transports (limited to that supported by obfs4proxy because I don't have a good answer for sandboxing meek/snowflake, and no one uses FTE). * Bridges, both custom and built in. * External network proxies (HTTPS/SOCKS4(a)/SOCKS5). * Launch the tor daemon and monitor bootstrapping status. * (what tor-browser-launcher does) * (update check/fetch/apply) * (lots of sandboxing stuff that only I care about) Things it should have: * i18n support (Dropped in favor of "get something done"). * Support the rest of the Pluggable Transports. * Support user specified torrc directives (eg: ExcludeNodes related tinfoil hattery). * Support runtime reconfiguration. The torrc is never checkpointed to disk, and is regenerated on each launch. I don't think firefox should ever get to talk to the control port either (and sandboxed-tor-browser enforces this), so this might be somewhat tricky. I don't think what I wrote is what people want here, because: * It was written to only support Tor Browser. * As you note, it has lots of stuff related to sandboxing, though in an ideal world, everything should be sandboxed. * I used Gtk because the sandboxing implementation I wrote assumes Linux. If I were to be the one working on a "tor-launcher" replacement, I'd probably write an external launcher, using Qt or something... Regards, -- Yawning Angel

1 0

future of tor-launcher? - Firefox XPCOM / XUL based add-ons deprecation
by Michael Carbone 26 Jan '17

26 Jan '17

> Georg: Patrick Schleizer: >> Hi, >> >> XPCOM / XUL based add-ons will be deprecated in Firefox. [1] >> >> I've searched trac, mailing list, irc logs... I know you are aware >> of that, but haven't found your plan forward. Is there already >> one? >> >> What are your plans regarding tor-launcher? Will tor-launcher be >> ported over as Firefox WebExtension? Is that even possible? > > We investigated what we would need for porting the extensions over > to Webextensions a while ago in > https://trac.torproject.org/projects/tor/ticket/17248. > > The current plan has not changed: we still plan to port our > extensions over to the Webextensions framework. It might need some > upstream changes which we would provide with own patches but we'll > see. > > Georg I had some discussions with Mark and Linda at the Tor Summit about the various non-browser use-cases for tor-launcher, especially as a means to allow the user to enable bridges/transports via GUI. There is currently no GUI for users to select bridges/transports for non-XUL tor project applications. The move to WebExtensions does not seem to improve the situation. I was wondering if this is still something being considered, even in the longer term? The move away from XUL could be an opportunity to address this by building a more generic solution that could be used by the increasing number of tor-powered applications/environments, such as onionshare, ricochet, tails, qubes, subgraph, etc., in addition to tor browser and tor messenger. For background there had been a previously aborted effort to write a python-based tor-launcher clone: https://www.whonix.org/blog/connection-bridge-wizard Michael -- Michael Carbone Qubes OS | https://www.qubes-os.org @QubesOS <https://www.twitter.com/QubesOS> PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4

4 4

future of tor-launcher? - Firefox XPCOM / XUL based add-ons deprecation
by Patrick Schleizer 26 Jan '17

26 Jan '17

Hi, XPCOM / XUL based add-ons will be deprecated in Firefox. [1] I've searched trac, mailing list, irc logs... I know you are aware of that, but haven't found your plan forward. Is there already one? What are your plans regarding tor-launcher? Will tor-launcher be ported over as Firefox WebExtension? Is that even possible? Or will tor-launcher become a standalone application that runs outside of Firefox? If it is the latter, we Whonix would be interested in that. Our use case is "same as system Tor". I guess the Tails developers may be interested in that also, hence cc'd their list also. Best regards, Patrick [1] https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox…

4 5

tor-browser-launcher missing TBB 6.5 signing subkey
by teor 25 Jan '17

25 Jan '17

Hi, tor-browser-launcher users are reporting validation failures for Tor Browser 6.5: Tor Browser 6.5 was signed by a new subkey. But apparently tor-browser-launcher hard-codes the old subkeys. See #tor and GitHub: https://github.com/micahflee/torbrowser-launcher/issues/260 T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------

1 0

A few notes from things I've seen
by Tom Ritter 04 Jan '17

04 Jan '17

[[If anyone finds this helpful or useful please say so I'll continue to keep an eye out and continue this vein, otherwise I'll assume everyone follows the same news sources I do.]] mac x86/x86-64 has gone away, and it is now only x86-64: https://groups.google.com/forum/#!topic/mozilla.dev.platform/XwUrL4d9Rf0 Fennec now has Chromecast/casting stuff on by default. I'd suggest this should be disabled but that it should also be investigated at some point to see if it's doesn't enable proxy bypasses and might be able to be enabled at the lowest slider level. https://groups.google.com/forum/#!topic/mozilla.dev.platform/Q-dSrp4PYe4 Eventually coming will be OpenType Variation Fonts: https://groups.google.com/forum/#!topic/mozilla.dev.platform/_FacI6Aw2BQ I don't know anything about these specifically, although I'm sure there's font fingerprinting concerns and general font security concerns. MediaError:message attribute is being turned on by default: https://groups.google.com/forum/#!topic/mozilla.dev.platform/CKTzq7rF50o This looks like something that could be used to fingerprint users! Installing multiple XPIs simultaneously may be going away: https://groups.google.com/forum/#!topic/mozilla.dev.platform/om5BrXM-Gb8 I don't think this should affect TBB... Eventually planning on writing some Private Browsing mode data to disk: https://groups.google.com/forum/#!topic/mozilla.dev.platform/Js-pI-6dSQA There's a NetworkInformation API that got some discussion: https://groups.google.com/forum/#!topic/mozilla.dev.platform/lCZmhCDGHPY It's basically as horrible as one would expect, but fortunately several people raised concerns. Still is important to keep an eye on as it seems eventually it will need to be turned off or hardcoded. GCC 4.9 is now required to build Linux/Android: https://groups.google.com/forum/#!topic/mozilla.dev.platform/QgxoSzTcp1M clang-cl has become a tier 2 compiler: https://groups.google.com/forum/#!topic/mozilla.dev.platform/JzHt3ykIfHg I hope to get mingw to tier-2 status also. There's this new (or maybe old?) thing called compact themes: https://bugzilla.mozilla.org/show_bug.cgi?id=1314091 There are a few features that are brand-new but not known to be dangerous. It's just 'new code'. I'm not sure if there's any appetite to disable these sorts of features at the medium or high security level for a time before enabling them. CSS Grid: https://groups.google.com/forum/#!topic/mozilla.dev.platform/6shk3TZX5vo CSS Mask Image: https://groups.google.com/forum/#!topic/mozilla.dev.platform/15nssyOe1gc Selection::setBaseAndExtent() https://groups.google.com/forum/#!topic/mozilla.dev.platform/YdFwg3VpGMg (no pref for this) html5 dialog element: https://groups.google.com/forum/#!topic/mozilla.dev.platform/vTPGW1aJq24 CSS display:flow-root https://groups.google.com/forum/#!topic/mozilla.dev.platform/bG9Kpgr5LC4 CSS caret-color: https://groups.google.com/forum/#!topic/mozilla.dev.platform/lOpCwCMIWwo (no pref)

2 1