Torbutton 1.1.17-alpha released

Mike Perry mikeperry at fscked.org
Mon Mar 17 19:40:26 UTC 2008


The 1.1.17 alpha release of the Torbutton Firefox extension is out.
Those of you who have installed 1.1.14 or later can upgrade by going
to the Firefox 'Addons' Menu and clicking 'Check for Updates'. 
Otherwise, download a copy via: https://torbutton.torproject.org/dev/

The major enhancements include less annoying (I hope) window
resizing, fixes for installed extension/chrome disclosure issues,
and application of the javascript hooks to javascript: urls.


***NOTE***: The Date hooks are still unmaskable, which means a
determined adversary still can get access to your real timezone.

If concealing your timezone is important to you (and you subscribe to
the 'Just because you're paranoid doesn't mean they AREN'T after you'
school of thoughti :), you can achieve protection against an active
adversary under Linux by setting the TZ environment variable to 'UTC'
before launching Firefox. I have not tested if this (or an equivalent
variable) works for Windows or MacOS. It would be nice if someone who
uses those systems regularly could let me know so I can update the
website documentation. You can check by visiting
http://gemal.dk/browserspy/date.html with Tor disabled.


Other than that, I think we are starting to get close to a stable
release. The next release will probably be 1.2.0-rc.


Here's the changelog for 1.1.17 and 1.1.16 (since I skipped the
announcement for 1.1.16):

1.1.7
  15 Mar 2008
  * bugfix: Improve chrome disclosure protection (patch from Greg
    Fleischer)
  * bugfix: Block network access from file urls to workaround Firefox
    'Content-Disposition' file stealing attack (found/fixed by Greg)
  * bugfix: Apply Javascript hooks to javascript: urls (found by Greg)
  * bugfix: Improve Torbutton chrome concealment (found by Greg)
  * bugfix: Use 127.0.0.1 instead of localhost for IPv6 users
  * bugfix: Don't resize maximized windows
  * misc: Improve window resizing to only resize on document load,
    and to try to address drift by remembering window sizes
  * misc: Clear session history if clear history on tor toggle is set
  * new: Remove history hooks in favor of nsISHistoryListeners that
    prevent history navigation from alternate Tor states

1.1.16
  03 Mar 2008
  * bugfix: Fix yet more javascript unmasking issues found by Greg.
    Date is still unmaskable.
  * bugfix: Close tabs *before* toggling proxy settings if pref is
    set.
  * bugfix: Fix a couple exceptions thrown on resizing and plugin
    canceling




-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20080317/778c1a71/attachment.pgp>


More information about the tor-talk mailing list