Mike Perry:
Georg Koppen:
Mike Perry:
Hello all,
I've finally updated the design doc to cover TBB 4.0: https://www.torproject.org/projects/torbrowser/design/
In particular, the fingerprinting section saw substantial updates: https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkab...
I also added a build security section that could probably use more links and more details: https://www.torproject.org/projects/torbrowser/design/#BuildSecurity
Feedback welcome! Patches are even more welcomer! ;)
Ok. After thinking about it a bit more, here is additional feedback:
- In 4.6.10 we might want to mention our #13027 backport.
I believe I've fixed all of Tom's and your comments in the latest update (and also added 4.5-alpha-1 material too), except for this one. I think it is a distracting implementation detail, especially since Mozilla has already committed the fix for future versions. Other browsers are unlikely to hit this same bug, and may also have different bugs related to directly JS-exposed OS and arch info.
Good points. Nits after looking at your recent changes:
1) s/is likely to more fingerprintable/is likely to be more fingerprintable/
2) s/If WebGL is normalized/If WebGL were normalized/ <- still irrealis as the other things you mention, no? :)
3) s/poverage for the all languages/coverage for all the languages/
4) We disable "gfx.font_rendering.opentype_svg.enabled" on the low level of the security slider.
5) s/disable Javascript entirely all elements/disable Javascript entirely for all elements/
6) s/pyc timestamps had to be address/pyc timestamps had to be addressed/
Looks good! (Good hint at CSP 2.0 for the Referer)
Georg