[tor-reports] May 2015 Report for the Tor Browser Team
mikeperry at torproject.org
Tue Jun 2 07:03:21 UTC 2015
In May, the Tor Browser team released 4.5.1 and 5.0a1. Both
releases coincided with an upstream Firefox security release.
The 4.5.1 release was a point release to address issues discovered
during the 4.5-stable release. The most notable change was to slightly
relax the first party isolation privacy property, due to issues
encountered on several file hosting sites as well as other sites that
host content on multiple subdomains. With this change, Tor Circuit use
and tracking identifier are now all isolated to the base (top-level)
domain only, as opposed to the full domain name. This change is also
consistent with the browser URL bar hostname display - isolation is now
performed based on the bold portion of the website address in the URL
In addition, the NoScript ClearClick clickjacking defense had to be
disabled, due to a conflict with our canvas and resolution
fingerprinting defenses. Regressions in PDF usage and running the
meek pluggable transport on Windows were also fixed, as were some
Security Slider UI issues[8,9]. An issue with the updater that could
cause updates to fail to apply in some cases if disk records were
enabled was also fixed.
Having fixed these issues, we felt comfortable officially deprecating
the 4.0 series, and 4.0 users were updated automatically to the 4.5
series. This also marked the official end of our support for 32 bit Mac
systems. Based on our past experience when we dropped support for
MacOS 10.4 and 10.5, we expected to hear more complaints from old Mac
users during this transition, but surprisingly this did not happen this
time around. This may be because this time, Tails was a viable
alternative for these users.
The 5.0a1 release was the first release in our next alpha series, which
will also cover the transition to Firefox 38-ESR over the coming months.
This particular release featured improvements to the automatic window
resizing fingerprinting defense that was first deployed in 4.5a4.
That defense was disabled for the 4.5-stable series, but has been
re-enabled for this alpha to help stabilize it further. Additionally,
this release also introduces a new defense against various forms of
performance fingerprinting and time-based side channel attacks. A
handful of new attacks have been published recently that take advantage
performance, perform keystroke fingerprinting, extract history
information, and even steal sensitive data from memory. This
milliseconds for all time sources, and to 250 milliseconds for keypress
After shipping these two releases, we focused our attention on the
upcoming Firefox 38-ESR switch. We've begun updating our build system to
support the new version, have rebased most of our patches, and
have reviewed the Firefox developer documentation for major issues
to deal with. This transition process will continue until Firefox 31 is
end of life on August 11th.
The full list of tickets closed by the Tor Browser team in May can be
seen using the TorBrowserTeam201505 tag on our bug tracker.
In June, our efforts continue to be focused on reviewing and rebasing
the remainder of our patches to Firefox 38ESR. The target date for the
first Firefox 38-based Tor Browser alpha release is June 30th, which
will also coincide with an upstream Firefox point release.
The set of tickets on our radar for the Firefox 38 switch can be viewed
with the ff38-esr bug tracker tag.
The full list of tickets that the Tor Browser team plans to work on in
June can be seen using the TorBrowserTeam201506 tag on our bug
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: Digital signature
More information about the tor-reports