[tor-reports] June 2014 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Mon Jul 7 22:25:25 UTC 2014


In early June, the Tor Browser team released Tor Browser 3.6.2[1]. This
release included security fixes for OpenSSL[2] and Firefox[3], as well
as providing a fix to allow Pluggable Transports to use proxies on Mac
and Linux[4].  Unfortunately, a build issue prevented the Windows
bundles from including a proper fix to this bug[5].

In this release, we also disabled a deprecated WebAudio API based on
recommendation from iSec[6], enabled TLS 1.1 and 1.2[7], fixed several
UI and configuration issues[8,9,10,11,12,13], and included documentation
for Pluggable Transports in the distribution[14,15]. We also included a
fix for a disk leak that caused large cut and paste regions to be
written to disk[16].

We also put out another test build that was compiled with additional
hardening options that were added to the latest GCC series[17].

In mid-June, the final version of the iSec audit report was released to
us, and we have filed tickets relevant to this report, and have noted
the suggestions for the security slider[18].

We also obtained a security token from DigiCert for signing Windows
bundles.  However, investigation is needed to determine if we can use
this token from a Linux signing machine.

On the hiring front, we have settled on Arthur Edelstein as our primary
Tor Browser contractor from the Tor Browser hiring process. We will
honor existing contracts from the current interview candidates, and may
assign some additional work items to them as funding allows and workload
requires.

In terms of ongoing development on the upcoming 4.0-alpha-1 release, we
continued our efforts on the Tor Browser auto-updater[19], which
required another update to our development toolchain, and further fixes
upstream for Mozilla to build with this toolchain. Unfortunately, this
led to last-minute issues due to updating the Windows toolchain to the
latest mingw-w64 release.

We've also delayed 4.0-alpha-1 to include the Meek transport[20], which
has some compelling censorship circumvention properties. Meek does not
require a bridge distributor, and the costs for blocking meek are very
high in terms of collateral damage. We are very excited about this
transport, and while it still has some performance issues, a relatively
high monetary cost, and potential privacy issues, it should serve us
well as a transport of last resort for censored users. For a visual
comparison of meek with our other Pluggable Transports, we welcome
interested readers to review "A Child's Garden of Pluggable
Transports"[21].

The 4.0-alpha-1 release will also feature fingerprinting fixes to
eliminate more edge cases with window resolution[22], include a patch to
bring DOM storage and the image cache under control of our third party
isolation preference[23], include a fix to aid in window navigation in
the Linux Desktop[24], and include changes to NoScript to allow
script permissions to be based on the URL bar domain rather than
individual third party content elements[25]. We will also be including
Tor 0.2.5.x in this release.

As Firefox ESR 31 is coming soon, we've also begun test builds to
investigate possible issues with our currently used toolchains in
Gitian[26].

In July, we hope to have a public blog post summarizing the iSec report,
and enumerating our plans to address the issues contained therein. We
also hope to have solidified the positions of the Security Slider based
on the input from the report.

We also hope to release 4.0-alpha-1, expect a pointfix release in the
3.6 series, and plan to continue our testing with Gitian builds of
vanilla Firefox 31, to get early notification of any reproducibility or
toolchain issues.

We also hope to include a patch to improve our font limiting in this
release series[27].


1. https://blog.torproject.org/blog/tor-browser-362-released
2. https://www.openssl.org/news/secadv_20140605.txt
3. https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.6
4. https://trac.torproject.org/projects/tor/ticket/11629
5. https://trac.torproject.org/projects/tor/ticket/12381
6. https://trac.torproject.org/projects/tor/ticket/12212
7. https://trac.torproject.org/projects/tor/ticket/11253
8. https://trac.torproject.org/projects/tor/ticket/10425
9. https://trac.torproject.org/projects/tor/ticket/11772
10. https://trac.torproject.org/projects/tor/ticket/11699
11. https://trac.torproject.org/projects/tor/ticket/11510
12. https://trac.torproject.org/projects/tor/ticket/11722
13. https://trac.torproject.org/projects/tor/ticket/11763
14. https://trac.torproject.org/projects/tor/ticket/11834
15. https://trac.torproject.org/projects/tor/ticket/11835
16. https://trac.torproject.org/projects/tor/ticket/9701
17. https://lists.torproject.org/pipermail/tor-qa/2014-June/000428.html
18. https://trac.torproject.org/projects/tor/ticket/9387
19. https://trac.torproject.org/projects/tor/ticket/4234
20. https://trac.torproject.org/projects/tor/ticket/10935
21. https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports
22. https://trac.torproject.org/projects/tor/ticket/9268
23. https://trac.torproject.org/projects/tor/ticket/10819
24. https://trac.torproject.org/projects/tor/ticket/11102
25. http://noscript.net/changelog
26. https://bugs.torproject.org/12460
27. https://trac.torproject.org/projects/tor/ticket/5798


-- 
Mike Perry