[tor-reports] June 2015 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Wed Jul 1 03:45:49 UTC 2015

In June, the Tor Browser team released 4.5.2[1] and 5.0a2[2]. We also
produced builds for 4.5.3 and 5.0a3 releases[3,4], but as of the time of
this writing, these releases have not been published yet. We expect them
to be published within the next day.

The 4.5.2 release fixed the Logjam attack[5], as well as updated OpenSSL
to fix a DoS/crash bug[6]. It also fixed a crash bug with certain media
in GStreamer[7]. The 5.0a2 release included these fixes, and
additionally fixed two issues with meek[8,9].

The 4.5.3 release updated Tor Browser to the latest Firefox 31-ESR point
release. It also fixed a crash bug when displaying certain SVG images at
the high security slider level[10]. Finally, it backported a Tor patch
to allow underscores in DNS names, which was needed to make The New York
Times load properly[11].

The 5.0a3 release is our first release based on the Firefox 38-ESR code
base.  We performed a thorough network and feature review[12,13], fixed
the most pressing privacy and Tor proxy safety issues, and documented
the remainder in our bug tracker for followup in subsequent alphas. 

In terms of fixes in this release, we wrote patches for fingerprinting
issues[14,15,16], third party tracking issues[17,18,19,20], updates to
New Identity[21,22], and disabled several potentially invasive and/or
as-yet unaudited features[23,24,25,26,27].

The release also features usability improvements to the Tor Launcher
Bridge UI[28], single-word URL bar searching[29], and improvements to
the WebGL feature set[30].

With 5.0a3, we have completed a good portion of the work involved with
switching to Firefox 38-ESR. We have 6 more weeks until Firefox 31-ESR
is officially end of life, and the Firefox 38-ESR must become the new

The full list of tickets closed by the Tor Browser team in June can be
seen using the TorBrowserTeam201506 tag on our bug tracker[31].

In July, our efforts continue to be focused on patching the remaining
issues with Firefox 38-ESR. The hard deadline for the first Firefox
38-based Tor Browser stable release is August 11th, which will also
coincide with an upstream Firefox point release. However, we may opt to
do a "soft launch" at an earlier date so we do not have to autoupdate
all of our users to the new Firefox 38 code immediately in case there
are any lingering issues, similar to how we released Tor Browser 4.5.

The set of tickets on our radar for the Firefox 38 switch can be viewed
with the ff38-esr bug tracker tag[32]. The set of tickets we'd prefer to
have tested in a "soft launch" are tagged with some variation of

Two members of the Tor Browser team will also be at the HTTP/3 workshop
at the end of July. The position paper we submitted can be found in our
spec archives[34].

The full list of tickets that the Tor Browser team plans to work on in
July can be seen using the TorBrowserTeam201507 tag on our bug

1. https://blog.torproject.org/blog/tor-browser-452-released
2. https://blog.torproject.org/blog/tor-browser-50a2-released
3. https://lists.torproject.org/pipermail/tor-qa/2015-June/000628.html
4. https://lists.torproject.org/pipermail/tor-qa/2015-June/000634.html
5. https://weakdh.org/
6. https://www.openssl.org/news/vulnerabilities.html#2015-1790
7. https://trac.torproject.org/projects/tor/ticket/16026
8. https://trac.torproject.org/projects/tor/ticket/16014
9. https://trac.torproject.org/projects/tor/ticket/16269
10. https://trac.torproject.org/projects/tor/ticket/16397
11. https://trac.torproject.org/projects/tor/ticket/16430
12. https://trac.torproject.org/projects/tor/ticket/16222 
13. https://trac.torproject.org/projects/tor/ticket/16090
14. https://trac.torproject.org/projects/tor/ticket/15646
15. https://trac.torproject.org/projects/tor/ticket/13024
16. https://trac.torproject.org/projects/tor/ticket/16340
17. https://trac.torproject.org/projects/tor/ticket/13670
18. https://trac.torproject.org/projects/tor/ticket/16448
19. https://trac.torproject.org/projects/tor/ticket/7561
20. https://trac.torproject.org/projects/tor/ticket/16300
21. https://trac.torproject.org/projects/tor/ticket/16200
22. https://trac.torproject.org/projects/tor/ticket/16357
23. https://trac.torproject.org/projects/tor/ticket/16439
24. https://trac.torproject.org/projects/tor/ticket/16285
25. https://trac.torproject.org/projects/tor/ticket/15910
26. https://trac.torproject.org/projects/tor/ticket/16222
27. https://trac.torproject.org/projects/tor/ticket/16254
28. https://trac.torproject.org/projects/tor/ticket/6503
29. https://trac.torproject.org/projects/tor/ticket/15145
30. https://trac.torproject.org/projects/tor/ticket/16005
31. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201506
32. https://trac.torproject.org/projects/tor/query?keywords=~ff38-esr&status=!closed
33. https://trac.torproject.org/projects/tor/query?keywords=~tbb-5.0a&status=!closed
34. https://gitweb.torproject.org/tor-browser-spec.git/plain/position-papers/HTTP3/HTTP3.pdf
35. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201507 

Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-reports/attachments/20150630/e7b928a6/attachment.sig>

More information about the tor-reports mailing list