[tor-reports] April 2015 Report for the Tor Browser Team

Mike Perry mikeperry at torproject.org
Mon May 4 22:00:46 UTC 2015


In April, the Tor Browser team released 4.0.7[1], 4.0.8[2] and 4.5[3].

The 4.0.7 and 4.0.8 releases were created to deal with two hidden
service crash issues in the included Tor binary. Unfortunately, a
build/versioning issue with 4.0.7 caused that version to experience an
update loop[4], so 4.0.8 was released to deal with this immediately
afterwards.

The 4.5-stable release represents the culmination of the past several
months of usability, security, and privacy improvements in the Tor
Browser 4.5 series. While we are excited for this release series to
finally be in our users' hands, we decided that it was safest to
withhold automatically updating the 4.0 users to the 4.5 series until we
could determine if there were any serious regressions due to this
release. This proved to be a wise move, as it turned out that an obscure
bug prevents Windows 7 users from properly using the Meek transport in
4.5.0[5]. This regression will be fixed in 4.5.1 next week, and we will
push out the 4.5.1 update to all 4.0 users at that time.

Otherwise, the 4.5-stable release was well received. For a review of the
extensive improvements in the entire 4.5 series since 4.0, we invite
interested readers to view the 4.5 release blog post[3].

Since the 4.5a5 release last month, we made several finishing touches to
usability, security, and privacy properties for the 4.5-stable release.

On the usability front, we improved the Linux launcher script's argument
handling and added the ability to register Tor Browser as a proper Linux
Desktop app[6]. We also improved the circuit and HTTP keep-alive
handling to reduce instances of sudden site behavior changes[7,8], and
made additional improvements to the initial configuration
wizard[9,10,11,12]. We also fixed some annoying bugs when using HTTP
authentication and when interacting with the TLS connection info
window[13].

On the security front, we improved some configuration properties of the
Security Slider[14,15], fixed a crash bug related to disabled SVG
images[16], and improved our Windows signing process to ensure that the
official Windows signatures can be reproducibly removed[17] (to maintain
build verification ability[18] for our final signed official Windows
packages).

On the privacy front, we discovered additional APIs that present issues
for the privacy of Tor Browser users. The URL.createObjectURL API[19]
enables the creation of special globally-scoped UUID URLs (so-called
'blob:' URLs) that can contain arbitrary content data. These URLs can be
used to tag users and track them across sites. We reduced the scope of
these objects to the top-level URL bar domain that they are created
under, and ensured that these URLs are properly cleared during New
Identity[20]. We also disabled the SharedWorker API[21], because it
enables cross-site third party communication and tracking[22]. We
additionally disabled the Video Statistics API[23] extensions, as well
as the Device Sensor API[24] for fingerprinting reasons[25,26]. We also
improved our resolution fingerprinting defenses to properly spoof the
current device pixel ratio[27].
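To make the blob: URL isolation concrete, here is a small model of the
blob URL registry written for this page; it is an added example, not
code from Tor Browser or Firefox. It contrasts a registry keyed only by
the UUID string (any document that learns the string can resolve it,
whatever site it is on) with one keyed by the top-level URL bar domain,
and shows New Identity dropping every entry. The origin names, the
identifier stored in the blob, the counter standing in for the random
UUID, and the assumption that the URL string somehow reaches the second
site (via a link or redirect) are all constructed for the example; the
BlobRegistry class and simulateTracking function are hypothetical names.

```javascript
// Added example: model of a blob: URL registry, not Tor Browser code.
// Real browsers mint a random UUID; a counter stands in here so the
// block needs no imports and runs under plain node.
let nextToken = 0;
function mintToken() {
  nextToken += 1;
  return `00000000-0000-4000-8000-${String(nextToken).padStart(12, '0')}`;
}

class BlobRegistry {
  constructor({ isolateByFirstParty }) {
    this.isolateByFirstParty = isolateByFirstParty;
    this.entries = new Map(); // registry key -> blob contents
  }

  // Unisolated: the URL string alone is the key, so a document under any
  // first party that learns the string can load the blob.
  // Isolated: the URL bar (first-party) domain is part of the key, so the
  // same string only resolves under the site it was created on.
  key(firstParty, url) {
    return this.isolateByFirstParty ? `${firstParty}|${url}` : url;
  }

  // Mirrors URL.createObjectURL: the URL carries the creating origin and
  // an opaque token; the contents are whatever the script put in the blob.
  createObjectURL(firstParty, origin, data) {
    const url = `blob:${origin}/${mintToken()}`;
    this.entries.set(this.key(firstParty, url), data);
    return url;
  }

  // Returns the blob contents if the URL resolves under this first party,
  // otherwise null (the load fails).
  resolve(firstParty, url) {
    const k = this.key(firstParty, url);
    return this.entries.has(k) ? this.entries.get(k) : null;
  }

  revokeObjectURL(firstParty, url) {
    this.entries.delete(this.key(firstParty, url));
  }

  // New Identity: every blob URL is cleared, including for the creating site.
  newIdentity() {
    this.entries.clear();
  }
}

// One tracking attempt under a given registry policy. Returns what the
// tracker script can read at each step.
function simulateTracking(isolateByFirstParty) {
  const registry = new BlobRegistry({ isolateByFirstParty });
  const tracker = 'https://tracker.example'; // constructed third-party origin

  // Visit 1: tracker script embedded on news.example stores a per-user tag
  // (constructed value) in a blob and keeps the URL string.
  const tagUrl = registry.createObjectURL('news.example', tracker, 'user-7f3a');
  const seenOnNews = registry.resolve('news.example', tagUrl);

  // Visit 2: the same string reaches shop.example (assumed carried by a link
  // or redirect; the transport is not the point) and the tracker loads it.
  const seenOnShop = registry.resolve('shop.example', tagUrl);

  // New Identity: the tag must be gone even for the site that created it.
  registry.newIdentity();
  const seenAfterNewIdentity = registry.resolve('news.example', tagUrl);

  return { seenOnNews, seenOnShop, seenAfterNewIdentity };
}

console.log('global registry:   ', simulateTracking(false));
console.log('first-party keyed: ', simulateTracking(true));
```

With the global registry the tag is readable on both sites, which is the
cross-site linkability the paragraph describes; with the first-party
keyed registry the second site gets a failed load, and New Identity
removes the tag everywhere.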

In order to help us communicate the changes in the 4.5 series to
technical audiences such as Mozilla and the W3C, we also updated the Tor
Browser Design Document[28] to cover the changes in the 4.5 series[29].
In particular, we will be sending the updated fingerprinting section[30]
to the W3C, to provide input for the new W3C fingerprinting guidance
document[31].

To help ensure that future HTTP standards remain compatible with the Tor
network and do not negatively impact our ability to provide tracking
defenses, we submitted a position paper[32] to the HTTP/3 workshop[33].
Our position paper also covers important enhancements we would like to
see in HTTP. Specifically, we are very interested in mandatory
authenticated TLS for confidentiality and integrity, as well as improved
defenses against traffic fingerprinting and traffic analysis.

The full list of tickets closed by the Tor Browser team in April can be
seen using the TorBrowserTeam201504 tag on our bug tracker[34].


In May, our focus is to fix as many remaining issues and regressions in
the 4.5 series as possible, and release 4.5.1 for this on May 12th. The
current set of known regressions is tagged with tbb-4.5-regression[35].

Following the 4.5.1 release, our efforts will switch to rebasing our
patches and reviewing the developer documentation for Firefox releases
since Firefox 31. We will be updating the Mozilla bugs with new patches
as soon as possible. The set of tickets on our radar for the Firefox 38
switch can be viewed with the ff38-esr bug tracker tag[36].

The full list of tickets that the Tor Browser team plans to work on in
May can be seen using the TorBrowserTeam201505 tag on our bug
tracker[37].


1. https://blog.torproject.org/blog/tor-browser-407-released
2. https://blog.torproject.org/blog/tor-browser-408-released
3. https://blog.torproject.org/blog/tor-browser-45-released
4. https://trac.torproject.org/projects/tor/ticket/15637
5. https://trac.torproject.org/projects/tor/ticket/15872
6. https://trac.torproject.org/projects/tor/ticket/15747
7. https://trac.torproject.org/projects/tor/ticket/4100
8. https://trac.torproject.org/projects/tor/ticket/15482
9. https://trac.torproject.org/projects/tor/ticket/15704
10. https://trac.torproject.org/projects/tor/ticket/11879
11. https://trac.torproject.org/projects/tor/ticket/13576
12. https://trac.torproject.org/projects/tor/ticket/15657
13. https://trac.torproject.org/projects/tor/ticket/14716
14. https://trac.torproject.org/projects/tor/ticket/15533
15. https://trac.torproject.org/projects/tor/ticket/15795
16. https://trac.torproject.org/projects/tor/ticket/15794
17. https://trac.torproject.org/projects/tor/ticket/15539
18. https://www.torproject.org/projects/torbrowser/design/#BuildSecurity
19. https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL
20. https://trac.torproject.org/projects/tor/ticket/15502
21. https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker
22. https://trac.torproject.org/projects/tor/ticket/15562
23. https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties
24. https://wiki.mozilla.org/Sensor_API
25. https://trac.torproject.org/projects/tor/ticket/15758
26. https://trac.torproject.org/projects/tor/ticket/15757
27. https://trac.torproject.org/projects/tor/ticket/13875
28. https://www.torproject.org/projects/torbrowser/design/
29. https://trac.torproject.org/projects/tor/ticket/15580
30. https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
31. https://w3c.github.io/fingerprinting-guidance/
32. https://gitweb.torproject.org/tor-browser-spec.git/plain/position-papers/HTTP3/HTTP3.pdf
33. https://httpworkshop.github.io/
34. https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorBrowserTeam201504
35. https://trac.torproject.org/projects/tor/query?keywords=~tbb-4.5-regression
36. https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~ff38-esr
37. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201505

-- 
Mike Perry