[tor-talk] 2.2.35-11, TBB Linux: network.websocket.enabled = true, why?

Roger Dingledine arma at mit.edu
Mon May 7 05:48:19 UTC 2012


On Mon, May 07, 2012 at 05:30:40AM -0000, ming at tormail.org wrote:
> With this blog entry:
> 
> https://blog.torproject.org/blog/new-tor-browser-bundles-security-release
> 
> It claims 2.2.35-11 fixes a problem posted here:
> 
> https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
> 
> With Tor Browser Bundle (2.2.35-11); suite=linux installed, I read where it
> was fixed in the changelog:
> 
> From: ~/tor-browser_en-US/Docs/changelog:
> 
> * New Firefox patches:
> - Prevent WebSocket DNS leak (closes: #5741)
> 
> But when running this new bundle version, network.websocket.enabled
> remains set at true.

Yep.

> How was this patched when the value remains set as true? Shouldn't the
> above value now be set at false?

Setting the value to false was the quick workaround. It basically
breaks all websockets for you. The better fix is to make websockets work
without leaking your DNS query:
https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch

See
https://gitweb.torproject.org/torbrowser.git/tree/HEAD:/src/current-patches/firefox
for the variety of other things we need to do to Firefox to make it safe
to use. We're working with a Mozilla engineer to get these fixes back into
mainline so we don't keep diverging even more -- but that's tough going.

--Roger
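
What a leaked lookup looks like at the proxy boundary, as an added example that is not part of the original message or of the Tor Browser patch. It assumes the browser reaches Tor over SOCKS5 (RFC 1928) and that a leak-free client hands the proxy the hostname rather than an address it resolved itself; the function names and sample requests are constructed for illustration.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def classify_socks5_request(req: bytes) -> dict:
    """Parse a SOCKS5 request (RFC 1928 section 4) and report whether the
    client left name resolution to the proxy."""
    if len(req) < 5 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        start, end = 5, 5 + req[4]      # one length byte, then the name
    elif atyp == ATYP_IPV4:
        start, end = 4, 8
    elif atyp == ATYP_IPV6:
        start, end = 4, 20
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(req) < end + 2:
        raise ValueError("truncated request")
    raw = req[start:end]
    (port,) = struct.unpack("!H", req[end:end + 2])

    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii", "replace")
        try:
            ipaddress.ip_address(host)   # an IP literal sent as a "name"
            proxy_resolves = False
        except ValueError:
            proxy_resolves = True        # the proxy gets the hostname
    else:
        host = str(ipaddress.ip_address(raw))
        proxy_resolves = False           # the address was fixed before the proxy
    return {"host": host, "port": port, "proxy_resolves": proxy_resolves}


def build_request(atyp: int, addr: bytes, port: int) -> bytes:
    """Build a constructed CONNECT request for the samples below."""
    return bytes([0x05, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)


# Constructed samples: the same kind of destination sent two ways.
BY_NAME = build_request(ATYP_DOMAIN, b"\x0b" b"example.com", 443)
BY_ADDR = build_request(ATYP_IPV4, bytes([192, 0, 2, 7]), 443)

if __name__ == "__main__":
    for sample in (BY_NAME, BY_ADDR):
        print(classify_socks5_request(sample))
```

An address-only request is a signal to investigate rather than proof of a leak, since the user may have entered an IP literal directly.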


