[tor-bugs] #3994 [Tor bundles/installation]: Get TorBrowser in Debian
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Feb 24 21:21:34 UTC 2012
#3994: Get TorBrowser in Debian
--------------------------------------+-------------------------------------
Reporter: lunar | Owner: erinn
Type: task | Status: new
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Comment(by cypherpunks):
One problem I can foresee with the idea of packaging TorBrowser for Debian
is that the packaging of Firefox/Iceweasel usually lags behind upstream by
several version numbers. This is particularly true of Debian stable. Thus
it's likely that for most of the lifetime of each Debian stable release,
the version of Iceweasel in stable will be considerably older than the
version of Firefox that the upstream TorBrowser bundle is based on.
It is probably possible for an active attacker to detect the underlying
version of Firefox by probing the level of javascript/css/html support
that the browser provides (e.g. see the ecmascript compatibility tables at
http://kangax.github.com/es5-compat-table/ ). Thus a Debian-packaged
TorBrowser will have a different "fingerprint" to a recent upstream
TorBrowserBundle, and an attacker who is trying to track users will be
able to distinguish between the two.
If there are considerably fewer users of Debian-packaged TorBrowser than
users of the upstream TorBrowserBundle on all platforms (which is likely),
users of Debian-packaged TorBrowser would have significantly less
anonymity than users of the upstream TorBrowserBundle.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3994#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list