[tor-talk] Firefox vs. Tor Browser Bundle release cycles

BM-2D9WhbG2VeKsLCsGBTPLGwDLQyPizSqS85 at bitmessage.ch
Wed Dec 11 19:31:55 UTC 2013


The version of Firefox incorporated into the Tor Browser Bundle (TBB)
available via torproject.org is currently multiple releases behind both
Firefox ESR and Firefox. The latest-available Tor Browser Bundles
generally include versions of Firefox ESR that do not include patches for
publicly known security vulnerabilities.

That means that unless you're sufficiently skilled to compile TBB's
extensive modifications to Firefox along with Mozilla's current stable
release code, it's likely that *ALL* TBB users will be vulnerable to
multiple serious, known, and publicly patched security vulnerabilities
that have been discussed in public for a popular piece of software with a
huge attack surface.

My own view is that TBB users should consider rejecting arguments like
"TBB's release cycle is only a few weeks behind Mozilla's" since publicly
known exploits are often disclosed, discussed, and patched in Mozilla's
release cycle before updates to Firefox are issued. We have to do better.

Many more TBB users are probably--and in many cases, unknowingly--using
Tor Browser Bundles that are even more out of date than the latest
available from torproject.org and are therefore even more likely to be
vulnerable to Firefox exploits. Most Tor Browser Bundle users probably
don't obsessively check the Tor Project's blog at
https://blog.torproject.org/blog/ (since notifications of new Tor Browser
Bundles usually aren't even announced on the main torproject.org site) and
may not always benefit from the latest, greatest update notification
functionality.

The targeting of Tor users accessing tormail.org with Firefox exploits
earlier this year underscores the fact that these concerns are not merely
theoretical or overly-paranoid. Firefox security exploits targeting Tor
users are a problem, and arguing "it was a Firefox vulnerability, not a
Tor vulnerability" doesn't seem reasonable when Tor Browser Bundle
releases that include fully-patched versions of Firefox are rarely if ever
available at any given point in time.

And although there are usually multiple examples at any given time, I
think it's particularly unfortunate that essentially *all* TBB users are
probably still vulnerable to MITM attacks with a bad French SSL
certificate for Google when users of the latest versions of Chrome and
Firefox aren't. Before that, TBB's Firefox ESR didn't have important
patches to the NSS crypto library that normal Firefox users *did* have for
a while. And so on.

Several weeks may not seem like a long time for users to be running
vulnerable code, but if that's essentially *always* the case, targeting
TBB users with Firefox exploits becomes a lot like shooting fish in a
barrel for a malicious server, since many if not most Tor users use the
recommended Tor Browser Bundle, which an adversary can increasingly bet
will be vulnerable to Firefox exploits that are relatively easy to target.

I'm not suggesting that The Tor Project start taking responsibility for
the security of Firefox itself or address vulnerabilities faster than
Mozilla does. And I still believe that, on average, TBB is more secure
than Firefox for most users most of the time...by a long shot. Supporting
extensive modifications and improvements to Firefox in TBB is a massive
undertaking, and supporting so many platforms on a shoestring budget is
itself a huge accomplishment. As of today, TAILS includes a more recent
version of Firefox code, which is awesome. I hope TBB can move in that
direction.

"Catching up" to Mozilla's release cycle for security patches in the Tor
Browser Bundle release cycle should not be impossible. Mozilla doesn't
just spit out binaries for Tor Project staff to decompile and puzzle over
for months before the process of updating the Tor Browser Bundle can
begin. "Catching up" may ultimately require resources that The Tor Project
simply doesn't have, but at some point, users of the latest TBB code are
either vulnerable to publicly-known and already-patched Firefox security
vulnerabilities, or they aren't.

All that is to say that I hope the Tor Project will give greater priority
to harmonizing TBB's security update cycle with Mozilla's. Same-day
security updates to stable releases of the Firefox code in TBB would be
ideal. I understand recent job announcements already reflect greater
emphasis on the Tor Browser Bundle and add-ons, but the current reality of
most users of the latest-available TBB releases being vulnerable to
serious, publicly-known Firefox vulnerabilities most of the time is
untenable.

What can users do to help?
