[tor-reports] October 2014 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Tue Nov 4 07:53:47 UTC 2014

In October, the Tor Browser team made two releases: 4.0, and 4.0.1[1,2].

The 4.0 release marked the stabilization of our 4.0-alpha series, as
well as the transition to Firefox 31ESR. The new UI is quite a bit more
streamlined than the old Tor Browser, owing to Firefox's new Australis
layout, as well as our improved ability to customize this layout[3]. The
release also featured fingerprinting fixes and
improvements[4,5,6,7,8,9], defense-in-depth checks for proxy safety[10],
and disabled SSLv3 to prevent the POODLE attack[11].  We were also able
to enable WebGL on Windows in this release[12] (though it is still
click-to-play via NoScript). The full set of tickets that went into this
Firefox 31 rebase can be found using the ff31-esr tag in our bug
tracker[13].  Full changelogs for the 4.0 series are also on the blog
release post.

However, this transition was a little bumpier than we would have liked.
In particular, a Windows crash bug due to our Windows cross-compiler
caused us to have to release 4.0.1 shortly afterwards[14].

We also updated the Tor Browser design document[15] to cover the 4.0
series, describe our build reproducibility enhancements[16], and update
the list of fingerprinting attacks and defenses[17]. We've also
discussed private browsing mode standardization[18] with some members of
the W3C, and will be sending interested W3C people the updated design
document links.

The remainder of the month was spent preparing 4.5-alpha-1, which
unfortunately only just barely didn't make it out in October. For this
release, we deployed SOCKS username and password support to isolate all
requests for a URL bar domain on the same Tor circuit[19], implemented a
browser UI for displaying the current circuit and exit IP address[20],
implemented the Security Slider, backported HTTPS certificate pinning
support[21], switched to 64-bit builds for Mac OS X[22], integrated the
new obfs4proxy pluggable transport[23], added (reproducible) incremental
update support to reduce update download size (from ~40M down to
2M)[24], fixed an updater issue with our extension compatibility
checks[25], and fixed a locale fingerprinting issue[26].

We also performed an experiment to test Mozilla Persona[27], to
determine if we could easily adapt it to serve as a mechanism to
anonymously prove that users had completed a captcha or some other
proof-of-scarcity. Unfortunately, it seems as though Mozilla has left
the system in a rather unusable state for us. In an attempt to drive
adoption, they made two implementations: A "legacy" version using
JavaScript and DOM Storage for non-Firefox browsers, and a "native"
version using code in Firefox.  Unfortunately, the so-called legacy
non-Firefox implementation appears to be incompatible with the native
implementation, at least to the point where all sites that currently use
Persona would have to upgrade to new code written by us, as well as new
user-facing behavior. In short, if we were to try to make use of
Persona, we'd have to choose either compatibility or privacy, and could
not have both. This (coupled with the recent "community support" status
of Persona[28]) has led us to conclude that we would be better off
pursuing other options[29].

The full list of tickets closed by the Tor Browser team in October can
be seen using the TorBrowserTeam201410 tag on our bug tracker[30].

In November, we will focus on stabilizing 4.5-alpha, work on supporting
per-file signatures on our updates[31], work on fixing remaining bugs
with our updater[32,33,34], and will continue updating all of our
patches and adding unit tests in the Mozilla bug tracker[35]. We also
hope to set up an auto-rebased branch for use with the official Mozilla
testing infrastructure, to help ensure our patches continue to pass unit
tests and to avoid surprise conflicts and regressions.

The full list of tickets that the Tor Browser team plans to work on in
November can be seen using the TorBrowserTeam201411 tag on our
bug tracker[36].

1. https://blog.torproject.org/blog/tor-browser-40-released
2. https://blog.torproject.org/blog/tor-browser-401-released
3. https://trac.torproject.org/projects/tor/ticket/13318
4. https://trac.torproject.org/projects/tor/ticket/13027
5. https://trac.torproject.org/projects/tor/ticket/13016
6. https://trac.torproject.org/projects/tor/ticket/13025
7. https://trac.torproject.org/projects/tor/ticket/13023
8. https://trac.torproject.org/projects/tor/ticket/13021
9. https://trac.torproject.org/projects/tor/ticket/13186
10. https://trac.torproject.org/projects/tor/ticket/13028
11. https://trac.torproject.org/projects/tor/ticket/13416
12. https://trac.torproject.org/projects/tor/ticket/10715
13. https://trac.torproject.org/projects/tor/query?keywords=~ff31-esr&status=closed
14. https://trac.torproject.org/projects/tor/ticket/13443
15. https://www.torproject.org/projects/torbrowser/design/
16. https://www.torproject.org/projects/torbrowser/design/#BuildSecurity
17. https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
18. https://w3ctag.github.io/private-mode/
19. https://trac.torproject.org/projects/tor/ticket/5752
20. https://trac.torproject.org/projects/tor/ticket/8641
21. https://trac.torproject.org/projects/tor/ticket/11955
22. https://trac.torproject.org/projects/tor/ticket/10138
23. https://trac.torproject.org/projects/tor/ticket/12903
24. https://trac.torproject.org/projects/tor/ticket/13324
25. https://trac.torproject.org/projects/tor/ticket/13301
26. https://trac.torproject.org/projects/tor/ticket/13019 
27. https://trac.torproject.org/projects/tor/ticket/12193
28. http://identity.mozilla.com/post/78873831485/transitioning-persona-to-community-ownership
29. https://lists.torproject.org/pipermail/tor-dev/2014-October/007686.html
30. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201410
31. https://trac.torproject.org/projects/tor/ticket/13379
32. https://trac.torproject.org/projects/tor/ticket/13247
33. https://trac.torproject.org/projects/tor/ticket/13512
34. https://trac.torproject.org/projects/tor/ticket/13594
35. https://trac.torproject.org/projects/tor/ticket/12619
36. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201411

Mike Perry