[tor-reports] January 2014 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Sat Feb 1 20:52:58 UTC 2014

In January, we released TBB 3.5.1, which enabled screen readers for the
blind, added Arabic bundles to the 3.x series, and provided updated
versions for several components of the bundle[0].

Several additional fixes are also ready for inclusion in the next
release of the bundle after 3.5.1, though Mozilla has also recently
tagged a new Firefox 24ESR release (out of phase with their normal 6
week schedule, due to the holidays), so we may delay merging non-serious
issues until the release after that.

The fixes that are ready for review and merge include improvements in
browser fingerprinting defenses via screen resolution[1,2], default
character sets[3], site permissions[4], and local service
enumeration[5]. A few security fixes are also ready, including disabling
addon update requests for addons that should not update[6], a potential
fix for a disk leak in the browser's video cache[7], a fix for two
localization issues with Tor Launcher[8,9], and a potential fix to
prevent the Flash plugin from being loaded into the browser at all until
the user actually requests to use it[10] (rather than loading the plugin,
but setting it disabled).

Partial progress has also been made on a number of fronts, most notably
the work on unifying the pluggable transport bundles with the
official bundles[11], so that both censored and uncensored users can use
the same bundles. UI support for configuring pluggable transports has
also progressed[12]. The progress is sufficient that we are very likely
to be able to deploy a 3.6-beta1 release in February to test these
unified bundles. Soon after that, if all goes well, we will declare the
3.6 series the new stable, so that all users will be using the same
bundle distribution.

Progress has also been made on code hardening on Windows (ASLR and DEP
support)[13]. Discussions and initial patches for improvements to the
usability of the "New Identity" button are also underway.

On the organizational side, we have reviewed resumes and begun
contacting candidates who applied to the browser developer positions
that we posted in December[14]. We're also working on streamlining our
release process, and documenting it to the point where release duties
can be rotated through the team[15].

We have also continued the merge process with Mozilla, and have worked
to ensure that every patch of ours is on their radar (through a shared
Google spreadsheet with the Privacy Tech Lead). Two patches, one for an
API we require to manage the Tor subprocess[16], and another to give us
a filter to remove potentially dangerous drag-and-drop events to the
desktop[17], have already been merged. Next steps will include filing
more bugs, continual contact with their development team, and touching
up patches as needed.

In February, we will make at least one, but possibly two or even three
releases of the TBB: 3.5.2, 3.6-beta1, and possibly also 3.5.3. We hope
to use these releases to dial in the process for rotating release

Respectively, these three releases will contain the Mozilla Firefox
security update; unified pluggable transports; and the fixes mentioned
above that have been developed in January.

Along with our existing semi-weekly meetings with Mozilla, we will also
be holding weekly meetings with the HTTPS-Everywhere developers at the
EFF.  Specifically, we will be investigating and designing improvements
to the HTTPS-Everywhere SSL Observatory, to work towards the ability to
turn the SSL Observatory on in TBB, and to improve the user notification
if SSL tampering is detected.

0. https://blog.torproject.org/blog/tor-browser-351-released
1. https://trac.torproject.org/projects/tor/ticket/10095
2. https://trac.torproject.org/projects/tor/ticket/9738
3. https://trac.torproject.org/projects/tor/ticket/10703
4. https://trac.torproject.org/projects/tor/ticket/10374
5. https://trac.torproject.org/projects/tor/ticket/10419
6. https://trac.torproject.org/projects/tor/ticket/10682
7. https://trac.torproject.org/projects/tor/ticket/10237
8. https://trac.torproject.org/projects/tor/ticket/10398
9. https://trac.torproject.org/projects/tor/ticket/10640
10. https://trac.torproject.org/projects/tor/ticket/10280
11. https://trac.torproject.org/projects/tor/ticket/9444
12. https://trac.torproject.org/projects/tor/ticket/10418
13. https://trac.torproject.org/projects/tor/ticket/10065
14. https://www.torproject.org/about/jobs-browserhacker.html.en
15. https://gitweb.torproject.org/tor-browser-spec.git/blob/HEAD:/processes/ReleaseProcess
16. https://bugzilla.mozilla.org/show_bug.cgi?id=962314
17. https://bugzilla.mozilla.org/show_bug.cgi?id=939319

Mike Perry