[tor-bugs] #12620 [Tor Browser]: Rebase TBB patches to Firefox 31 and add unit tests

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Aug 25 19:23:58 UTC 2014


#12620: Rebase TBB patches to Firefox 31 and add unit tests
-------------------------+-------------------------------------------------
     Reporter:  gk       |      Owner:  tbb-team
         Type:  task     |     Status:  new
     Priority:  major    |  Milestone:
    Component:  Tor      |    Version:
                Browser  |   Keywords:  TorBrowserTeam201408D, ff31-esr,
   Resolution:           |              tbb-rebase, tbb-firefox-patch
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Replying to [comment:17 gk]:
 > Two other thoughts:
 >
 > 1) What is the rationale for including the patch for #2874 into ESR 31?
 > Reading #2874 it seems to me the issue is resolved in ESR 31 by Mozilla
 > itself and comment:16:ticket:2874 does not convince me (yet) as there are
 > numerous ways to distinguish ESR 24 and ESR 31 users and we don't aim at
 > making them undistinguishable. I'd like to see the patches we need as a
 > kind of roadmap of things still in need of getting upstreamed and I wonder
 > how the patch in question would fit into that picture (but, admittedly,
 > maybe the picture is wrong to begin with)...

 Mozilla also sometimes makes interface changes in point releases, and
 interfaces can vary between platforms and OS versions. I think we want
 this entire Components.* hierarchy gone, not just defanged.

 > 2) I wonder whether we should still include the patch for #5741. For
 > one, Mozilla fixed that leak
 > (https://bugzilla.mozilla.org/show_bug.cgi?id=751465). Then, we added a
 > unit test making sure that nothing gets backed out wrt the WebSocket
 > protocol which leads to another round of DNS bypassing tor
 > (https://bugzilla.mozilla.org/show_bug.cgi?id=971153). Now, we can even
 > observe the respective notification in Torbutton to be extra sure that no
 > leaks are happening (might be a good QA thing...). The only argument for
 > including the patch in ESR 31 I currently can come up with is that ws://
 > is the only protocol currently being tested in the unit test. If that is a
 > show-stopper, fair enough (I planned to add tests for the remaining
 > non-internal protocols + getting them merged into ESR 38).

 They fixed the WebSockets leak, but the second part of the #5741 patch was
 to ensure against any additional forms of DNS leak. It also saved our
 users from being told by StartPage to enter www.startpage.com in the "no
 proxies for" line of the proxy settings, since not being able to do that
 resolution prevented that from working.

 I think for defense in depth, we should keep the DNS service piece of
 the patch.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12620#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

