[tor-bugs] #18546 [Applications/Tor Browser]: Review networking code for Firefox 45

Thu Apr 21 11:42:57 UTC 2016

#18546: Review networking code for Firefox 45
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:
     Type:  task                                 |  mikeperry
 Priority:  Very High                            |         Status:
Component:  Applications/Tor Browser             |  assigned
 Severity:  Critical                             |      Milestone:
 Keywords:  ff45-esr, MikePerry201604,           |        Version:
  TorBrowserTeam201604                           |     Resolution:
Parent ID:                                       |  Actual Points:
 Reviewer:                                       |         Points:
                                                 |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:6 gk]:
 > Replying to [comment:4 mikeperry]:
 > > Here's the quick notes for stuff that really needs another set of
 eyes:
 > >  * We need to verify the proper application of our OCSP and NSS safety
 patches in security/nss. Last time we improperly applied the DNS patch
 while rebasing. That might happen again here, too.
 >
 > They look good to me.
 >
 > >  * We should make sure that ./netwerk/dns/mdns/libmdns/ is Android
 only and also disabled for OrFox
 >
 > This is #18821.
 >
 > >  * The "Presentation API" stuff seems new, but possibly not enabled
 yet. It has lots of networking things. We should make sure it is disabled.

 Yes, it is disabled. However, we already had libmdns things leaking into
 desktop/android builds which are related to the Presentation API (see:
 https://wiki.mozilla.org/images/thumb/e/e6/Presentation_API_Architecture_overview.png
 /650px-Presentation_API_Architecture_overview.png). Thus, we should take a
 closer look at the whole picture when we move to ESR52: #18862

 > >  * The nsDNSService patches should be verified for the same reason as
 the NSS ones

 Looks good to me.

 > >  * There's some resolver stuff in Android that uses SOCK_DGRAM. We
 should make sure this is not active in OrFox

 Might be best to ask the Orfox people as this code is available for ages
 and IIRC Orfox is already supposed to be proxy bypass free: #18864.

 > >  * It looks like
 ./toolkit/modules/secondscreen/SimpleServiceDiscovery.jsm is included now?
 Can we kill it? And what is this second screen stuff?

 We take care of it by the patch mcs and brade wrote back for #16439
 (cafffd10e5be3dc27b3a666df1769ee53eb9b009 on tor-browser-45.0.2esr-6.x-1).

 > >  * dom.udpsocket and dom.moztcpsocket are still off, yes?

 The former, yes, for the latter there are no relevant changes compared to
 ESR38 it seems. However, this pref is not really exposed, so we may want
 to set it explicitly to avoid digging through code each time. This is
 #18863.

 > >  * We disabled/patched the debugger and related discovery stuff
 before, right? Is that still off?

 Yes and comparing the ESR38 prefs with the ESR45 show we are still good
 here.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18546#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online