[tbb-bugs] #16534 [Tor Browser]: Failed to remove debugging options in Firefox
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 9 17:58:33 UTC 2015
#16534: Failed to remove debugging options in Firefox
-------------------------+--------------------------
 Reporter:  ioerror      |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  major        |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:  security     |  Actual Points:
Parent ID:               |         Points:
-------------------------+--------------------------
It is possible to set an environment variable, SSLKEYLOGFILE, that when
set will export the CLIENT_RANDOM of Firefox's SSL/TLS handshakes to a
file. This can include a Windows file share URL - meaning that the
CLIENT_RANDOM data would then be streamed to the remote server.

Furthermore, I think this means that a better attacker can attach to
Firefox and simply use these functions to extract keying information.

I propose that we disable this functionality and also that we remove the
code that makes this possible - or even better - we hook it and panic if
someone tries to use it.

Relevant Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=908046

Relevant Google discussion:
https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/bu3b9x12c1Q

I have tested this against Tor Browser by running this command:
```SSLKEYLOGFILE=/tmp/tb-keys.log ./start-tor-browser.desktop```
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16534>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
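
Added example, not part of the original ticket and not Tor Browser or Mozilla code: a defender-side check for the condition the report describes, which reads process environments for SSLKEYLOGFILE and flags UNC-style targets, plus a launcher guard that refuses to start when the variable is set. The function names are hypothetical and the Linux /proc/PID/environ layout is an assumption.

```shell
#!/bin/sh
# Added example (not Tor Browser code): find processes started with SSLKEYLOGFILE.
# Assumes the Linux /proc/PID/environ layout: NUL-separated NAME=value entries.

# Print the SSLKEYLOGFILE value from an environ-format file; status 1 if absent.
find_keylog() {
    [ -r "$1" ] || return 1
    line=$(tr '\0' '\n' < "$1" | grep -m1 '^SSLKEYLOGFILE=') || return 1
    printf '%s\n' "${line#SSLKEYLOGFILE=}"
}

# "remote" for UNC-style targets (\\host\share or //host/share), else "local".
classify_target() {
    case $1 in
        '\\'*|//*) echo remote ;;
        *)         echo local ;;
    esac
}

# One report line per affected environ file; status 1 if the variable is absent.
audit_environ() {
    target=$(find_keylog "$1") || return 1
    printf '%s SSLKEYLOGFILE=%s %s\n' "$1" "$target" "$(classify_target "$target")"
}

# Walk every readable process environment; status 0 only if nothing was found.
scan_running() {
    found=0
    for f in /proc/[0-9]*/environ; do
        if audit_environ "$f"; then found=1; fi
    done
    return "$found"
}

# Launcher-side guard: refuse to start if the variable is set at all, even empty.
refuse_if_keylog() {
    if [ -n "${SSLKEYLOGFILE+set}" ]; then
        echo "refusing to start: SSLKEYLOGFILE is set" >&2
        return 1
    fi
}

case ${1:-} in
    --scan)  scan_running ;;
    --guard) refuse_if_keylog ;;
esac
```

/proc/PID/environ shows the environment a process was started with, so the scan covers a variable inherited from a shell profile or a wrapper script as well as one typed on the command line.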