[tbb-dev] Updating TB and Orfox for Meltdown and Spectre?
Tom Ritter
tom at ritter.vg
Mon Jan 8 15:50:52 UTC 2018
SharedArrayBuffer is not in 52. You can verify by opening a console
and typing SharedArrayBuffer.
You can verify performance.now() rounding by confirming it's output
ends in two zeros with no decimal.
-tom
On 8 January 2018 at 09:27, Nathan Freitas <nathan at freitas.net> wrote:
>
>
>
> On 01/06/2018 07:26 PM, teor wrote:
>>
>>
>>> On 7 Jan 2018, at 11:03, Nathan Freitas <nathan at freitas.net> wrote:
>>>
>>> Not sure if there is an open ticket I should be monitoring, or a meeting
>>> I missed, but just saw the Firefox update to address Meltdown and Spectre:
>>> https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
>>>
>>> Are Tor Browser and Orfox vulnerable these attacks? Has this been
>>> covered somewhere else?
>>>
>>> Thanks, and just figuring out if my week ahead is going to be spent on
>>> an urgent Orfox release or not!
>
> To summarize, there isn't some secret, urgent TB release update
> happening... at least not yet.
>
>>
>> Someone will need to confirm my analysis here:
>>
>> Here's the security advisory link:
>>
>> https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
>>
>> The relevant section is:
>>
>> Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.
>>
>> SharedArrayBuffer is already disabled in Firefox 52 ESR.
>>
>> The two relevant features are:
>>
>> SharedArrayBuffer:
>>
>> TBB 7.0 is based on Firefox 52 ESR.
>> Does TBB also disable SharedArrayBuffer?
>
> Good question!
>
>>
>> Is Orfox based on Firefox 52 ESR?
>> Does Orfox also disable SharedArrayBuffer?
>
> If TB does, then Orfox should, as long as it is in the Gecko part of
> things. I don't think anything can be done in the Android/Java layer to
> mitigate these vulnerabilities.
>
>> performance.now():
>>
>> TBB 7.0 reduces performance.now() to 100ms.
>> https://trac.torproject.org/projects/tor/ticket/1517
>> https://trac.torproject.org/projects/tor/ticket/16340
>>
>> But there are other sources of high-resolution timers, that Mozilla hasn't covered:
>> (Maybe someone should let them know?)
>> https://trac.torproject.org/projects/tor/ticket/16110
>> https://trac.torproject.org/projects/tor/ticket/17412
>> https://trac.torproject.org/projects/tor/ticket/21010
>>
>> Should TBB or Orfox apply some of these fixes?
>>
>> Does Orfox reduce the precision of performance.now()?
>
> Same answer as above... we likely inherit anything TB does.
>
> +n
>
>
> _______________________________________________
> tbb-dev mailing list
> tbb-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
>
More information about the tbb-dev
mailing list