[tor-reports] March 2015 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Fri Apr 3 22:59:25 UTC 2015


In March, the Tor Browser team released 4.0.5[1], 4.0.6[2] and 4.5a5[3].

The 4.0.5 release was unscheduled, and was triggered by an urgent
"chemspill" release by Mozilla in response to the two vulnerabilities[4,5]
exploited against Firefox in the Pwn2own contest[6]. This release owes
itself largely to the heroic efforts of Georg Koppen. Due to issues with
one of the fixes, Mozilla did not have a release tag for the ESR series
until late Friday night. Georg worked through the weekend to produce
builds for the release of 4.0.5 early on Monday.

The 4.0.6 release was a regularly scheduled release the following week,
and contained the latest round of memory safety hazard fixes in Firefox
31-ESR.

The 4.5a5 release is our last scheduled alpha release for the 4.5
series. It contains yet another round of usability and security
improvements.

Nearly all of our development effort this month was focused on the
improvements present in the 4.5a5 release.

On the usability front, we've created a FreeDesktop-compatible launcher
wrapper for Linux that can be invoked from either the GUI or the
shell[7], and we also provide Windows users with the ability to add
optional Start Menu and Desktop shortcuts[8]. The circuit usage of Tor
Browser has also been improved to avoid transitioning to a new circuit
for a website while it is in active use[9], and also to fix several
other circuit display bugs[10,11,12,13,14,15].

On the security front, the Security Slider now has full descriptions of
the browser behaviors that are changed at each security level[16], and
also contains code to disable MathML and SVG at the medium-high and high
security levels[17,18], respectively. This should mark the completion of
the Security Slider properties recommended in the iSec Hardening Study.
It also appears that both Pwn2own exploits would have been prevented by
various positions on the security slider. The first[4] is blocked by
disabling the ASM.JS JIT at the Medium-Low security level, and the
second[5] is blocked at the High security level by blocking SVG images.
It is also likely that the Medium-High security level would prevent the SVG
exploit from being successful on non-HTTPS pages without an additional
helper exploit against NoScript, since our NoScript settings for the
Medium-High security level prevent script execution (including SVG
script execution) in those contexts. Both the SVG and ASM.JS features
were specifically highlighted in iSec's report[19] as having high
vulnerability counts with respect to their utility for correct website
function. 

These results are encouraging, and suggest that Tor Browser's entry into
the Pwn2Own contest at our higher security levels may be worthwhile
(rather than being purely redundant to Mozilla's entry).

On the browser fingerprinting front, we fixed a locale fingerprinting
vector[20] and made improvements to our display resolution
fingerprinting defenses to better handle vertical displays[21], to
automatically resize the browser window to a 200x100 pixel multiple
after resize or maximization[22], and to perform similar resizing for
full screen HTML5 video. Unfortunately, the resizing feature has proved
to be very susceptible to cross-platform issues and general user
frustration, and it may end up being off-by-default in the 4.5-stable
release.

Finally, the Windows releases are also now signed using the hardware
signing token graciously provided to us by DigiCert, so Windows users
should no longer be warned about Tor Browser being downloaded from an
"unknown publisher"[23].

Our updater and related build scripts also saw some improvements.
Specifically, to aid independent build verification, the tools required
to produce the update files are now authenticated with the rest of the
build[24], and previous releases should now be downloaded
automatically[25]. We also made some changes to reduce the size of our
incremental updates by avoiding unnecessary updates to our addons[26].

On the team organization front, during the developer meeting at the
beginning of the month, we produced a roadmap for the next 12
months[27]. We will be updating that page with specific tickets in the
coming weeks. We also made efforts to communicate the nature of the Tor
Browser release cycle with the rest of Tor, so as to better synchronize
the releases of Tor Browser with core Tor and Pluggable Transports[28].

The full list of tickets closed by the Tor Browser team in March can be
seen using the TorBrowserTeam201501 tag on our bug tracker[29].


In April, we will make the first release of our 4.5-stable series as an
out-of-cycle release that does not coincide with any other security
update, to give us the option to perform a "soft" release that does not
force an update to 4.0-stable users until we are sure that there will be
no surprise issues with this transition. The tickets we intend to focus
on for the 4.5-stable release are tagged with tbb-4.5-alpha[30].

Following this 4.5-stable release, we will begin preparation to
transition to the Firefox 38 branch. The initial prep work will include
collecting our patches and rebasing them onto Firefox 38-beta, as well
as updating the relevant Mozilla bugs. 

The full list of tickets that the Tor Browser team plans to work on in
April can be seen using the TorBrowserTeam201504 tag on our bug
tracker[31].


1. https://blog.torproject.org/blog/tor-browser-405-released
2. https://blog.torproject.org/blog/tor-browser-406-released
3. https://blog.torproject.org/blog/tor-browser-45a5-released
4. https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
5. https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
6. https://en.wikipedia.org/wiki/Pwn2own
7. https://trac.torproject.org/projects/tor/ticket/13375
8. https://trac.torproject.org/projects/tor/ticket/14688
9. https://trac.torproject.org/projects/tor/ticket/15482
10. https://trac.torproject.org/projects/tor/ticket/13891
11. https://trac.torproject.org/projects/tor/ticket/14324
12. https://trac.torproject.org/projects/tor/ticket/14937
13. https://trac.torproject.org/projects/tor/ticket/15086
14. https://trac.torproject.org/projects/tor/ticket/15207
15. https://trac.torproject.org/projects/tor/ticket/15472
16. https://trac.torproject.org/projects/tor/ticket/9387#comment:82
17. https://trac.torproject.org/projects/tor/ticket/13548
18. https://trac.torproject.org/projects/tor/ticket/12827
19. https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study
20. https://trac.torproject.org/projects/tor/ticket/13019
21. https://trac.torproject.org/projects/tor/ticket/13650
22. https://trac.torproject.org/projects/tor/ticket/14429
23. https://trac.torproject.org/projects/tor/ticket/3861
24. https://trac.torproject.org/projects/tor/ticket/15023
25. https://trac.torproject.org/projects/tor/ticket/14959
26. https://trac.torproject.org/projects/tor/ticket/15406
27. https://trac.torproject.org/projects/tor/wiki/org/roadmaps/TorBrowser
28. https://lists.torproject.org/pipermail/tor-dev/2015-March/008428.html
29. https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorBrowserTeam201503
30. https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-4.5-alpha
31. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201504

-- 
Mike Perry