[tor-reports] August 2014 Report for the Tor Browser Team

Tue Sep 2 23:30:33 UTC 2014

In August, the Tor Browser team made two releases: 3.6.4 and
4.0-alpha-1[1].

3.6.4 primarily featured a fix to emit log message notifications that
detect the BlackHat attack[2].

4.0-alpha-1 features improvements to NoScript to allow scripts to be
more easily enabled or disabled for an entire page at once (called
"cascading permissions")[3], a workaround for a hang on New Identity[4],
a fingerprinting fix[5], and some usability fixes to Torbutton and Tor
Launcher[6,7,8,9].  It also reorganizes the directory structure to
support our Firefox-based updater[10].

For the remainder of the month, the team focused on preparing 3.6.5 and
4.0-alpha-2, which will be released on September 2nd, to coincide with
the Mozilla Firefox security update (24.8.0).

3.6.5 features improvements to the HTML5 Canvas Image Data extraction
permission prompt[11], disables NTLM and Negotiate auth for privacy
reasons[12], fixes a Linux hardening regression[13], and fixes a
popup-based fingerprinting issue[14], and also fixes a fingerprinting
regression[15].

4.0-alpha-2 includes those changes as well as support for the built-in
Firefox-based updater[16]. Users will be able to update their Tor
Browser through the in-browser update UI, but updates will not be
installed automatically just yet. We will be continually evaluating the
reliability and security of this updater to determine if and when we
will allow it to provide fully automated updates without user
interaction. The 4.0-alpha-2 release also fixes the Windows hardening
issues[17] mentioned in the iSEC hardening study[18], and fixed some
additional configuration-related usability issues[19,20,21].

August also saw the completion of the Google Summer of Code, with
student Marc Juarez completing his research prototype for defenses
against Website Traffic Fingerprinting[22,23]. We are looking forward to
seeing the results of his further research using this prototype to help
guide defenses in Tor against Website Traffic Fingerprinting.

On the QA and testing front, we have begun running the Mozilla XPCShell
tests on Tor Browser releases[24], and have identified which of our
patches break which tests in the suite[25]. This information should
greatly help with identifying potential issues with our patches, and for
ensuring that Mozilla's tests continue to pass or can be fixed where
needed when they merge our patches. We also wrote an independent, static
implementation of Mozilla's update manifest specification, to avoid
running dynamic code on our update servers[26].

We also made some preliminary progress on switching to Firefox 31ESR,
which supersedes Firefox 24 on October 14th. We performed a preliminary
audit of the new features and APIs in Firefox[27], have begun building
test builds of Firefox 31ESR in our build infrastructure to identify
potential build issues specific to our build system[28], and have
rebased our patchset to this version and have begun writing unit
tests[29].

The full list of tickets closed by the Tor Browser team in August can be
seen using the TorBrowserTeam201408 tag on our bugtracker[30].

In September, our focus will be on rebasing our patches for Firefox 31
ESR and ensuring that release is behaving correctly. Firefox 24 is
officially end of life on October 14th, so making sure we have a smooth
transition is currently top priority, after which we will be submitting
our new, updated patches back to Mozilla for review and potential
inclusion in upstream Firefox. The full list of work we need to get done
for this to happen is all currently tagged with our TorBrowserTeam201409
tag[31].

It is going to be quite a busy month, but with any luck, we'll even be
able to update the 4.0-alpha users to this new 31ESR-based Tor Browser
through the in-browser updater!

1. https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released
2. https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
3. https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/?page=1#version-2.6.8.31
4. https://trac.torproject.org/projects/tor/ticket/9531
5. https://trac.torproject.org/projects/tor/ticket/9268
6. https://trac.torproject.org/projects/tor/ticket/11199
7. https://trac.torproject.org/projects/tor/ticket/11471
8. https://trac.torproject.org/projects/tor/ticket/9516
9. https://trac.torproject.org/projects/tor/ticket/10819
10. https://trac.torproject.org/projects/tor/ticket/11641
11. https://trac.torproject.org/projects/tor/ticket/12684
12. https://trac.torproject.org/projects/tor/ticket/12974
13. https://trac.torproject.org/projects/tor/ticket/12103
14. https://trac.torproject.org/projects/tor/ticket/9881
15. https://trac.torproject.org/projects/tor/ticket/2874
16. https://trac.torproject.org/projects/tor/ticket/4234
17. https://trac.torproject.org/projects/tor/ticket/10065
18. https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study
19. https://trac.torproject.org/projects/tor/ticket/11405
20. https://trac.torproject.org/projects/tor/ticket/12444
21. https://trac.torproject.org/projects/tor/ticket/12895
22. https://bitbucket.org/mjuarezm/obfsproxy-wfpadtools/
23. https://gitweb.torproject.org/user/mikeperry/torspec.git/blob/refs/heads/multihop-padding-primitives:/proposals/ideas/xxx-multihop-padding-primitives.txt
24. https://trac.torproject.org/projects/tor/ticket/12570
25. http://93.95.228.164/reports/index-browserunit.html
26. https://trac.torproject.org/projects/tor/ticket/12622
27. https://trac.torproject.org/projects/tor/ticket/12621
28. https://trac.torproject.org/projects/tor/ticket/12460
29. https://trac.torproject.org/projects/tor/ticket/12620
30. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201408
31. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201409

-- 
Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-reports/attachments/20140902/f42519d3/attachment.sig>