[tbb-bugs] #15910 [Tor Browser]: Figure out what to do with Open264H (downloads)

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun May 3 20:21:49 UTC 2015

#15910: Figure out what to do with Open264H (downloads)
 Reporter:  gk           |          Owner:  tbb-team
     Type:  task         |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:  ff38-esr     |  Actual Points:
Parent ID:               |         Points:
 We should think about what we want to do with the OpenH264 video codec
 plugin which Firefox downloads since version 33 shortly after it got
 started for the first time (see: http://andreasgal.com/2014/10/14/openh264
 -now-in-firefox/ and https://wiki.mozilla.org/QA/WebRTC/OpenH264).

 The good news is, the code is free: https://github.com/cisco/openh264. The
 bad news is it needs to get downloaded from Cisco as a binary blob due to
 patent issues. And there is currently now known way to build this binary
 blob deterministically:

 I think we should make sure that the plugin does not get downloaded as:

 1) It is currently only used for WebRTC which we have disabled
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1150544#c8) (we should make
 sure that this argument still holds for ESR 38 when we ship it if that

 2) The binary blob is not built reproducibly which poses security risks.
 Although there seems to be kind of a mechanism for Mozilla to verify
 Mozilla and Cisco have established a process by which the binary is
 verified as having been built from the publicly available source, thereby
 enhancing the transparency and trustworthiness of the system.

 3) The download uses essentially Mozilla's "cert pinning". We might want
 to have something stronger in place.


 See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769716 for a way to
 disable the plugin download.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15910>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list