[tor-bugs] #8342 [TorBrowserButton]: Site update & Plugin update - TorButton 1.5

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 1 07:02:00 UTC 2013 

#8342: Site update & Plugin update - TorButton 1.5
------------------------------+---------------------------------------------
 Reporter:  sekesey           |          Owner:  mikeperry
     Type:  task              |         Status:  new      
 Priority:  normal            |      Milestone:           
Component:  TorBrowserButton  |        Version:           
 Keywords:                    |         Parent:           
   Points:                    |   Actualpoints:           
------------------------------+---------------------------------------------

Comment(by sekesey):

 Replying to [comment:5 mikeperry]:
 > We've had to rely on direct patches to Firefox even to preserve basic
 proxy security. This makes it unsafe to attempt to use any non-TBB Firefox
 at the moment. See:
 > https://www.torproject.org/projects/torbrowser/design/#proxy-obedience
 and
 > https://www.torproject.org/projects/torbrowser/design/#firefox-patches

 Thats awfully bad. Are they aware about this, like, are any of these
 reported on bugzilla? If not i could do that. But, coming from
 TorButton/TorBrowser Dev-team might get more attention rather than just a
 newbie account reporting them. But, i can if you want.

 Its weird how Firefox keeps rolling out new versions so fast, but is not
 concerned about basic security issues. FF 19 now comes with WebRTC which
 is great, but with security flaws it ruins it. Their are even talks about
 syncing & strongly integrating plugin SDK releases with FF release v21
 (May2013) onwards. And, the plugin sdk will lack backward compatibility
 with older FF versions.
 It will be beneficial for TB/TBB if the patches are done upstream, as they
 will also get incorporated in future builds of FF. Otherwise, patching
 newer versions of FF will get more & more difficult.
 http://www.h-online.com/open/news/item/Firefox-s-Add-on-SDK-future-mapped-
 out-1813367.html


 So, along with the fund raiser campaign, there is pressing need to make
 people aware that Firefox(& derivatives) is not a safe browser. If public
 awareness increases, Firefox dev-team will be obligated to patch these
 serious security flaws directly into the main code. That would be helpful
 to a very large set of users and will also make it possible to just
 require to maintain the TorButton (instead of whole Browserbundle). Or,
 maybe if all flaws are fixed, there wont be even need for plugin, changing
 proxy setting would be enough.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8342#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list