[tor-reports] December 2014 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Mon Jan 5 14:21:38 UTC 2015

In December, the Tor Browser team released 4.0.2[1] and 4.5-alpha-2[2].

The 4.0.2 release updates 4.0.x users to the latest Firefox 31.3.0ESR
release. It also fixed a regression in third party cache isolation
(tracking protection) that appeared in the 4.0 release, due to changes
in the underlying Firefox cache implementation[3]. It also features
fixes to locale fingerprinting leaks through JavaScript[4,5], as well as
fixes to the mingw-w64 compiler that were resulting in crash bugs on
Windows[6,7]. We also fixed an update failure for Windows XP users[8].

The 4.5-alpha-2 release features fixes to the security slider and
circuit status UI[9,10], as well as a fix for a third party tracking
regression in the use of HTTP authentication[11] that was caused by
over-zealous removal of Torbutton code[12].

Beyond the 4.5-alpha-2 work, we have also implemented the code changes
necessary for signing incremental updates[13]. With these changes,
updates will be authenticated through the pinned HTTPS certificate, as
well as individual file signatures. This will prevent compromise of
dist.torproject.org from yielding the ability to distribute malicious
updates to our users. We also improved the Canvas permissions prompt to
eliminate warnings during the display of PDFs, and during use of the Web
Developer Console[14].

At the end of the month, Mike Perry and Seth Schoen gave a talk at the
Chaos Communication Congress on Reproducible Builds, covering the work
in Tor Browser, as well as related efforts by F-Droid and Debian. A
video recording of their talk can be viewed online[15].

The full list of tickets closed by the Tor Browser team in September can
be seen using the TorBrowserTeam201412 tag on our bug tracker[16]. This
list is a bit sparse due to both the holidays and the large
volume of patches waiting for review to be merged in the next 4.5-alpha

Next month, we will continue to stabilize 4.5-alpha. The merge window
for Firefox 38 is also approaching in mid-February. Our primary target
for this merge window is our third party tracking protection patches.

At the end of January, we will be holding a Usability Sprint at the
University of California at Berkeley, with the goal of performing user
studies and providing feedback for future usability improvements to the
browser. For more details, see the wiki page[18].

The full list of tickets that the Tor Browser team plans to work on in
January can be seen using the TorBrowserTeam201501 tag on our bug

1. https://blog.torproject.org/blog/tor-browser-402-released
2. https://blog.torproject.org/blog/tor-browser-45-alpha-2-released
3. https://trac.torproject.org/projects/tor/ticket/13742
4. https://trac.torproject.org/projects/tor/ticket/5926
5. https://trac.torproject.org/projects/tor/ticket/13019
6. https://trac.torproject.org/projects/tor/ticket/13443
7. https://trac.torproject.org/projects/tor/ticket/13558
8. https://trac.torproject.org/projects/tor/ticket/13594
9. https://trac.torproject.org/projects/tor/ticket/13671
10. https://trac.torproject.org/projects/tor/ticket/13672
11. https://trac.torproject.org/projects/tor/ticket/13784
12. https://trac.torproject.org/projects/tor/ticket/13742
13. https://trac.torproject.org/projects/tor/ticket/13379
14. https://trac.torproject.org/projects/tor/ticket/13439
15. http://media.ccc.de/browse/congress/2014/31c3_-_6240_-_en_-_saal_g_-_201412271400_-_reproducible_builds_-_mike_perry_-_seth_schoen_-_hans_steiner.html
16. https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorBrowserTeam201412
17. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201501R
18. https://trac.torproject.org/projects/tor/wiki/org/meetings/2015UXsprint
19. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201501

Mike Perry