[tor-bugs] #16285 [Applications/Tor Browser]: Make sure EME is no tracking risk in Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 19 11:29:44 UTC 2016 

#16285: Make sure EME is no tracking risk in Tor Browser
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  gk
     Type:  task                                 |         Status:
 Priority:  Medium                               |  assigned
Component:  Applications/Tor Browser             |      Milestone:
 Severity:  Normal                               |        Version:
 Keywords:  ff45-esr, tbb-linkability,           |     Resolution:
  GeorgKoppen201605, TorBrowserTeam201605,       |  Actual Points:
  tbb-6.0-must                                   |         Points:
Parent ID:                                       |        Sponsor:
 Reviewer:                                       |
-------------------------------------------------+-------------------------
Changes (by gk):

 * keywords:
     ff45-esr, tbb-linkability, GeorgKoppen201506, TorBrowserTeam201605,
     tbb-6.0-must
     =>
     ff45-esr, tbb-linkability, GeorgKoppen201605, TorBrowserTeam201605,
     tbb-6.0-must
 * severity:   => Normal


Old description:

> The EME architecture got uplifted to Firefox 37
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1137045) in is included in
> ESR 38 as well. We should make sure there are no accompanying
> tracking/fingerprinting risks. The best plan is probably to disable EME
> as Mozilla is doing in its ESR 38 release. We may need a custom patch as
> Mozilla is basically enabling it
> {{{
> #if !defined(MOZ_UPDATE_CHANNEL) || MOZ_UPDATE_CHANNEL != esr
> }}}
> While we may want to take a deeper look at it when we switch to ESR 45 we
> should make sure that everything related to EME is really disabled if the
> respective prefs are set to `false`.

New description:

 The EME architecture got uplifted to Firefox 37
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1137045) and is included in
 ESR 38 as well. We should make sure there are no accompanying
 tracking/fingerprinting risks. The best plan is probably to disable EME as
 Mozilla is doing in its ESR 38 release. We may need a custom patch as
 Mozilla is basically enabling it
 {{{
 #if !defined(MOZ_UPDATE_CHANNEL) || MOZ_UPDATE_CHANNEL != esr
 }}}
 While we may want to take a deeper look at it when we switch to ESR 45 we
 should make sure that everything related to EME is really disabled if the
 respective prefs are set to `false`.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16285#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list