[tor-qa] Testing ESR 31 based Nightlies

Mike Perry mikeperry at torproject.org
Wed Oct 1 22:58:29 UTC 2014

> Georg Koppen:
> > Hi,
> > 
> > we have built some nightlies for the upcoming switch to ESR 31 and they
> > are even reproducible which is good news. They can be found on
> > 
> > https://people.torproject.org/~gk/testbuilds/esr31-nightly/
> > 
> > . Testing them would be really helpful. Do the bundles start at all
> > (especially on older OSes like Debian stable and Windows XP)? If so, do
> > you see any weird and or broken things not already found among
> > 
> > https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~ff31-esr
> > 
> > ?
> Feedback from testing the English OS X version:
> When I click on the menu on the right, I have the proeminent choice
> between “New Window” and “New Private Window”. That's confusing in the
> Tor Browser setting.
> Right there, there's also a “Fullscreen” entry. Given the
> fingerprinting issue, this should also not be encouraged like that!

I fixed these two and some other things about the menu that annoyed me
in https://trac.torproject.org/projects/tor/ticket/13318.
> Same menu, there's “Sign in to Sync”. Do we want that?

Not sure. Sync used to be end-to-end encrypted and opt-in to things like
pref sync (which is bad for us). They were thinking about changing it
though, and I have no idea how well it behaves if you have a TBB and a
normal Firefox hooked up to your sync account.

Unfortunately, this "Sign in to sync" option is not possible to remove
with just pref changes.
> Icons can be moved through the “Customize” entry at the bottom, so
> I hope this is doable without crazy tweaks.

Yes, for the most part. I think I also want the menu bar to come back,
but that option seems independent of any pref.

> I still can't do NTLM authentication, despite
> `network.negotiate-auth.allow-insecure-ntlm-v1-https` being set to
> `true`. That's a bit annoying.

Are there actually public sites that use NTLM? I thought NTLM was mostly
an enterprise LAN thing, which we were unlikely to encounter via Tor and
the public Internet. Is this something you have noticed, or is this
becoming a common support question?

We disabled it because the NTLM protocol can leak username, hostname,
perform non-Tor DNS lookups, etc. It's also very hard to control all of
this, because many auth mechanisms are implemented by the underlying OS
and not by Firefox, and if you lump in SPNEGO, there's a ton of crazy
shit that can happen.
> The version string still says “Firefox/24.0”.

Also fixed.

Thanks for your feedback! The changes should appear in the next nightly.

Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-qa/attachments/20141001/ecee0300/attachment.sig>

More information about the tor-qa mailing list