[tor-reports] May 2015 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Tue Jun 2 07:03:21 UTC 2015

In May, the Tor Browser team released 4.5.1[1] and 5.0a1[2]. Both
releases coincided with an upstream Firefox security release.

The 4.5.1 release was a point release to address issues discovered
during the 4.5-stable release. The most notable change was to slightly
relax the first party isolation privacy property, due to issues
encountered on several file hosting sites as well as other sites that
host content on multiple subdomains. With this change, Tor Circuit use
and tracking identifier are now all isolated to the base (top-level)
domain only, as opposed to the full domain name[3]. This change is also
consistent with the browser URL bar hostname display - isolation is now
performed based on the bold portion of the website address in the URL

In addition, the NoScript ClearClick clickjacking defense had to be
disabled[4], due to a conflict with our canvas and resolution
fingerprinting defenses[5]. Regressions in PDF usage[6] and running the
meek pluggable transport on Windows[7] were also fixed, as were some
Security Slider UI issues[8,9]. An issue with the updater that could
cause updates to fail to apply in some cases if disk records were
enabled was also fixed[10].

Having fixed these issues, we felt comfortable officially deprecating
the 4.0 series, and 4.0 users were updated automatically to the 4.5
series. This also marked the official end of our support for 32 bit Mac
systems[11]. Based on our past experience when we dropped support for
MacOS 10.4 and 10.5, we expected to hear more complaints from old Mac
users during this transition, but surprisingly this did not happen this
time around. This may be because this time, Tails was a viable
alternative for these users.

The 5.0a1 release was the first release in our next alpha series, which
will also cover the transition to Firefox 38-ESR over the coming months.
This particular release featured improvements to the automatic window
resizing fingerprinting defense that was first deployed in 4.5a4[12].
That defense was disabled for the 4.5-stable series, but has been
re-enabled for this alpha to help stabilize it further. Additionally,
this release also introduces a new defense against various forms of
performance fingerprinting and time-based side channel attacks[13]. A
handful of new attacks have been published recently that take advantage
of Javascript's high-performance timers to determine hardware
performance, perform keystroke fingerprinting[14], extract history
information[15], and even steal sensitive data from memory[16]. This
defense reduces the resolution of time available to Javascript to 100
milliseconds for all time sources, and to 250 milliseconds for keypress
event timestamps.

After shipping these two releases, we focused our attention on the
upcoming Firefox 38-ESR switch. We've begun updating our build system to
support the new version[17], have rebased most of our patches[18], and
have reviewed the Firefox developer documentation[19] for major issues
to deal with. This transition process will continue until Firefox 31 is
end of life on August 11th.

The full list of tickets closed by the Tor Browser team in May can be
seen using the TorBrowserTeam201505 tag on our bug tracker[20].

In June, our efforts continue to be focused on reviewing and rebasing
the remainder of our patches to Firefox 38ESR. The target date for the
first Firefox 38-based Tor Browser alpha release is June 30th, which
will also coincide with an upstream Firefox point release.

The set of tickets on our radar for the Firefox 38 switch can be viewed
with the ff38-esr bug tracker tag[21].

The full list of tickets that the Tor Browser team plans to work on in
June can be seen using the TorBrowserTeam201506 tag on our bug

1. https://blog.torproject.org/blog/tor-browser-451-released
2. https://blog.torproject.org/blog/tor-browser-50a1-released
3. https://trac.torproject.org/projects/tor/ticket/15933
4. https://trac.torproject.org/projects/tor/ticket/15945
5. https://trac.torproject.org/projects/tor/ticket/14985
6. https://trac.torproject.org/projects/tor/ticket/15899
7. https://trac.torproject.org/projects/tor/ticket/15872
8. https://trac.torproject.org/projects/tor/ticket/15837
9. https://trac.torproject.org/projects/tor/ticket/15927
10. https://trac.torproject.org/projects/tor/ticket/15857
11. https://blog.torproject.org/blog/end-life-plan-tor-browser-32-bit-macs
12. https://trac.torproject.org/projects/tor/ticket/14429
13. https://trac.torproject.org/projects/tor/ticket/1517
14. https://en.wikipedia.org/wiki/Keystroke_dynamics
15. http://cseweb.ucsd.edu/~dkohlbre/papers/subnormal.pdf
16. http://arxiv.org/abs/1502.07373
17. https://trac.torproject.org/projects/tor/ticket/15772
18. https://trac.torproject.org/projects/tor/ticket/15196
19. https://trac.torproject.org/projects/tor/ticket/16090
20. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201505
21. https://trac.torproject.org/projects/tor/query?keywords=~ff38-esr&status=!closed
22. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201506

Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-reports/attachments/20150602/f090cee4/attachment.sig>

More information about the tor-reports mailing list