[tbb-dev] Proposal: extensions.update.enabled=false [tbb-fingerprinting]

Georg Koppen gk at torproject.org
Fri Apr 21 09:51:00 UTC 2017

Rusty Bird:
> Hi,
> I propose to disable Tor Browser's automatic extension update,
> effectively freezing extension versions between releases. This would,
> among other things, get rid of a fingerprintable difference between
> mainline TB and TB with an immutable extensions directory, such as
> sandboxed-tor-browser, Split Browser for Qubes[1], or Tails[2].
> (Currently, mainline TB uses extensions.update.enabled=true. Of the
> included extensions, HTTPS Everywhere and NoScript actually update,
> whereas Torbutton and TorLauncher already opt out by setting a bogus
> updateURL.)
> So when e.g. HTTPS Everywhere at some point updates itself to a
> version with new rules, a website affected by the rule changes (as a
> first party or as a third party) can distinguish which version is
> active. For NoScript, fingerprinting different versions is less
> obvious, but probably still possible when an update breaks or fixes
> some content.
> Downsides of disabling:
> - Minor improvements to HTTPSE/NoScript take a little longer to reach
>   the user. (If there's a _serious_ security or usability issue, the
>   TB version would have to be bumped anyway.)
> Upsides:
> - More uniform fingerprint for mainline and immutable TB
> - More reproducible environment for bug reports
> - Not affected by vulnerabilities in the extension updater
> - Slightly reduced exit traffic :)

We won't disable extension updates by flipping some preference in Tor
Browser. Users who install extensions which we don't ship (even though
this is strongly discouraged) should get updates. However, it has been
planned at least since the AMO pinning fiasco we witnessed last year (see
#20146) that we essentially prevent all extensions *we* ship from
auto-updating. We'll start with doing so for HTTPS-Everywhere (#10394),
which is currently blocked on HTTPS-Everywhere getting the ruleset
updates disentangled from the extension updates. Once we are done with
HTTPS-Everywhere and have gained some experience of what this means for our
releases, we'll do the same with NoScript.
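The thread turns on one profile preference, extensions.update.enabled, and on the fact that a profile which never sets it inherits Firefox's default of true (the "mainline" state Rusty Bird describes). Below is an added example, not code from either poster or from the Tor Browser project, that reads a Firefox-style prefs.js/user.js and reports the effective value, so an operator of an immutable or hardened profile can confirm what their build actually ships. It assumes the standard user_pref("name", value); line format and a default of true when the preference is absent; the sample file contents are constructed.

```python
import re

# Constructed sample of a profile's prefs.js (not a dump of any real profile).
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("extensions.update.enabled", true);
user_pref("extensions.lastAppVersion", "52.1.0");
"""

# One user_pref(...) line: name in quotes, then a bool, int or quoted string value.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line.

    Booleans become bool, bare integers become int, quoted values become str.
    Comment and blank lines are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # unknown literal form; keep verbatim
    return prefs


def extension_update_enabled(prefs):
    """Effective extensions.update.enabled for this profile.

    Assumption: Firefox defaults the preference to true when the profile
    does not set it, matching the 'mainline' behaviour described in the thread.
    """
    return bool(prefs.get("extensions.update.enabled", True))


def report(text):
    """Summarise the update setting and whether the profile set it explicitly."""
    prefs = parse_prefs(text)
    return {
        "extensions.update.enabled": extension_update_enabled(prefs),
        "explicitly_set": "extensions.update.enabled" in prefs,
    }


if __name__ == "__main__":
    print(report(SAMPLE_PREFS))
```

Point the script at a real profile's prefs.js (or a user.js layered on top of it) to check that an immutable-extensions build reports False, and that a profile which silently inherits the default is flagged as not explicitly set.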

