[tbb-bugs] #16534 [Tor Browser]: Failed to remove debugging options in Firefox

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 9 17:58:33 UTC 2015


#16534: Failed to remove debugging options in Firefox
-------------------------+--------------------------
 Reporter:  ioerror      |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  major        |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:  security     |  Actual Points:
Parent ID:               |         Points:
-------------------------+--------------------------
 It is possible to set an environment variable, SSLKEYLOGFILE, that when
 set will export the CLIENT_RANDOM of Firefox's SSL/TLS handshakes to a
 file. This can include a Windows file share URL - meaning that the
 CLIENT_RANDOM data would then be streamed to the remote server.
 Furthermore, I think this means that a better attacker can attach to
 Firefox and simply use these functions to extract keying information.

 I propose that we disable this functionality and also that we remove the
 code that makes this possible - or even better - we hook it and panic if
 someone tries to use it.

 Relevant Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=908046
 Relevant Google discussion:
 https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/bu3b9x12c1Q

 I have tested this against Tor Browser by running this command:
 ```SSLKEYLOGFILE=/tmp/tb-keys.log ./start-tor-browser.desktop```

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16534>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
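The ticket proposes refusing to run when the key-export path is in use. As an added example that is not part of the ticket or of Tor Browser's own launcher, the POSIX shell guard below checks the environment before starting the browser and aborts if SSLKEYLOGFILE is present, reporting whether the target looks like a remote file share (the case the reporter singles out). The function names and the LAUNCHER variable are assumptions for this example; the default launcher path is the one used in the ticket.

```shell
#!/bin/sh
# Added example (not from the ticket or Tor Browser): a launcher guard that
# refuses to start the browser when SSLKEYLOGFILE is set, mirroring the
# "panic if someone tries to use it" proposal from the ticket.

# is_remote_keylog_path PATH: returns 0 when PATH looks like a Windows file
# share target (\\server\share\... or //server/share/...), 1 otherwise.
is_remote_keylog_path() {
    case "$1" in
        \\\\*|//*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_keylog_env: returns 0 when SSLKEYLOGFILE is not in the environment,
# 1 when it is set (conservatively, any value at all counts). The message
# notes whether the export target is a remote share, since that is the
# variant that streams the CLIENT_RANDOM data off the machine.
check_keylog_env() {
    if [ -n "${SSLKEYLOGFILE+set}" ]; then
        if is_remote_keylog_path "${SSLKEYLOGFILE}"; then
            kind="remote file share"
        else
            kind="local file"
        fi
        echo "refusing to start: SSLKEYLOGFILE is set (${kind}: '${SSLKEYLOGFILE}')" >&2
        return 1
    fi
    return 0
}

# guarded_launch [ARGS...]: run the real launcher only when the environment
# is clean. LAUNCHER is an assumed override variable for this example; the
# default is the launcher the ticket invokes.
guarded_launch() {
    check_keylog_env || return 1
    "${LAUNCHER:-./start-tor-browser.desktop}" "$@"
}

# Entry point when run directly: `sh guard.sh --launch [browser args]`.
if [ "${1:-}" = "--launch" ]; then
    shift
    guarded_launch "$@"
fi
```

The presence test uses `${SSLKEYLOGFILE+set}` rather than `-n "$SSLKEYLOGFILE"` so that an exported but empty variable is also flagged; a wrapper like this only helps against an operator or automation that sets the variable before launch, not against a process that attaches to the running browser, which is the second concern the ticket raises.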

