Re: [tor-bugs] #5433 [Applications/Tor bundles/installation]: Tor Browser Bundle 32bit Linux - GTK2 Themes Not Sticking

[Tor Bug Tracker & Wiki]

#5433: Tor Browser Bundle 32bit Linux - GTK2 Themes Not Sticking
-+-
 Reporter:  DasFox   |  Owner:  erinn
 Type:  defect   | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor |Version:
  bundles/installation   | Resolution:  not a
 Severity:  Normal   |  bug
 Keywords:   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by michael926@…):

 * severity:   => Normal


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19001 [Obfuscation/Snowflake]: Tor Browser with Snowflake

[Tor Bug Tracker & Wiki]

#19001: Tor Browser with Snowflake
---+-
 Reporter:  dcf|  Owner:
 Type:  project| Status:  new
 Priority:  Medium |  Milestone:
Component:  Obfuscation/Snowflake  |Version:
 Severity:  Normal | Resolution:
 Keywords: |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+-

Comment (by dcf):

 I wrote a longer howto on building Tor Browser at
 [[doc/Snowflake#IntegrationwithTorBrowser]].

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19738 [Applications/Tor Browser]: Update check-prerequisites.sh

[Tor Bug Tracker & Wiki]

#19738: Update check-prerequisites.sh
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  task  | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-gitian|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by dcf):

 On Debian I needed libvirt-daemon-system as well, to create the libvirt
 group (#18785).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #19742 [- Select a component]: колеса

[Tor Bug Tracker & Wiki]

#19742: колеса
--+-
 Reporter:  michael926@…  |  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  - Select a component  |Version:
 Severity:  Normal|   Keywords:
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+-


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #8725 [Applications/Tor Browser]: resource:// URIs leak information

[Tor Bug Tracker & Wiki]

#8725: resource:// URIs leak information
-+-
 Reporter:  holizz   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  Very High| Status:
Component:  Applications/Tor Browser |  needs_review
 Severity:  Major|  Milestone:
 Keywords:  tbb-fingerprinting, tbb-rebase-  |Version:
  regression, tbb-testcase, tbb-firefox-patch,   | Resolution:
  TorBrowserTeam201607R  |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by arthuredelstein):

 Replying to [comment:37 yawning]:
 > https://git.schwanenlied.me/yawning/torbutton/commits/bug8725_take3
 >
 > One more change to handle redirects properly.

 r=me

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18762 [Applications/Tor Browser]: implement first-party isolation for OCSP generated by speculative connect

[Tor Bug Tracker & Wiki]

#18762: implement first-party isolation for OCSP generated by speculative 
connect
--+--
 Reporter:  arthuredelstein   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-linkability   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arthuredelstein):

 Replying to [comment:3 gk]:
 > I was looking a bit closer at a thing which was nagging me while doing
 the review for #16998. There is
 > {{{
 > // Check for proxy information. If there is a proxy configured then
 a
 > // speculative connect should not be performed because the potential
 > // reward is slim with tcp peers closely located to the browser.
 > }}}
 > and this piece of code in `nsIOService.cpp`:
 > {{{
 > NS_IMETHODIMP
 > IOServiceProxyCallback::OnProxyAvailable(nsICancelable *request,
 nsIChannel *channel,
 >  nsIProxyInfo *pi, nsresult
 status)
 > {
 > // Checking proxy status for speculative connect
 > nsAutoCString type;
 > if (NS_SUCCEEDED(status) && pi &&
 > NS_SUCCEEDED(pi->GetType(type)) &&
 > !type.EqualsLiteral("direct")) {
 > // proxies dont do speculative connect
 > return NS_OK;
 > }
 > }}}
 > And it seems to me we hit this code path with Tor Browser. Retesting
 #16324 by looking at `tcpdump` output confirms my suspicion as well: there
 is no network activity visible even if Torbutton claims isolation is
 happening.
 >
 > So, it seems to me that at least this ticket and #16324 can be closed. I
 am not sure yet what this means for #16998. I guess, we should not have
 been worried by it because there is no speculative connect happening
 anyway?

 I watch for STREAM events in the browser console and I can confirm that
 the speculative connects don't seem to be causing any network activity. So
 I agree that this ticket and #16324 can be closed. However, I did notice
 that under some special situations, a favicon is displayed in the
 searchbar popup which causes a connection over the catchall circuit; see
 #19741.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19741 [Applications/Tor Browser]: favicon in searchbar popup uses catchall circuit

[Tor Bug Tracker & Wiki]

#19741: favicon in searchbar popup uses catchall circuit
-+-
 Reporter:  arthuredelstein  |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  Medium   | Status:  new
Component:  Applications/Tor Browser |  Milestone:
 Severity:  Normal   |Version:
 Keywords:  tbb-linkability, | Resolution:
  TorBrowserTeam201607   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by arthuredelstein):

 * keywords:   => tbb-linkability, TorBrowserTeam201607
 * owner:   => tbb-team
 * component:  - Select a component => Applications/Tor Browser


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #19741 [- Select a component]: favicon in searchbar popup uses catchall circuit

[Tor Bug Tracker & Wiki]

#19741: favicon in searchbar popup uses catchall circuit
--+-
 Reporter:  arthuredelstein   |  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  - Select a component  |Version:
 Severity:  Normal|   Keywords:
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+-
 To reproduce:

 * Set "torbutton.loglevel" to 3.
 * Enter the word "test" in the searchbar. Click on the DuckDuckGo icon in
 the popup menu below to cause a search for "test" to be performed on
 DuckDuckGo. After the search is performed, a green "plus" symbol appears
 on the searchbar magnifying glass icon.
 * Open the browser console, and clear it.
 * Click on the searchbar again. An additional menu item appears, which
 contains the text `Add "DuckDuckGo (HTML)"` and a DuckDuckGo favicon.
 * Examine the browser console. Log messages should appear as follows:
 {{{
 [07-22 22:38:01] Torbutton INFO: tor SOCKS:
 http://3g2upl4pq6kufc4m.onion/favicon.ico via --NoFirstPartyHost-chrome-
 browser.xul--:9bb8a61534faf1f952647a3537560fb0
 GET
 http://3g2upl4pq6kufc4m.onion/favicon.ico [HTTP/1.1 200 OK 0ms]
 getFirstPartyURI failed for chrome://browser/content/browser.xul:
 0x80070057
 [07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 NEW 0
 3g2upl4pq6kufc4m.onion:80 SOURCE_ADDR=127.0.0.1:52895 PURPOSE=USER
 [07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 SENTCONNECT
 15 3g2upl4pq6kufc4m.onion:80
 getFirstPartyURI failed for chrome://browser/content/browser.xul:
 0x80070057
 [07-22 22:38:02] Torbutton INFO: controlPort >> 650 STREAM 264 SUCCEEDED
 15 3g2upl4pq6kufc4m.onion:80
 }}}
   should be visible. I believe these messages are caused by

 So it appears that the favicon display inside "add-engines" vbox of the
 search popup is being sent over the catchall circuit.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19703 [Applications/Tor Browser]: Upgrade Go to 1.6.3

[Tor Bug Tracker & Wiki]

#19703: Upgrade Go to 1.6.3
--+--
 Reporter:  dcf   |  Owner:  tbb-team
 Type:  task  | Status:  needs_review
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  TorBrowserTeam201607R |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by dcf):

 * keywords:   => TorBrowserTeam201607R
 * status:  new => needs_review


Comment:

 Here is a patch. I tested it only on linux.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19740 [Core Tor/Tor]: (new ?) efficient attack against an exit relay (was: (new ?) efficient atatcka gainst an exit relay)

[Tor Bug Tracker & Wiki]

#19740: (new ?) efficient attack against an exit relay
--+-
 Reporter:  toralf|  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Core Tor/Tor  |Version:  Tor: 0.2.8.5-rc
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #19740 [Core Tor/Tor]: (new ?) efficient atatcka gainst an exit relay

[Tor Bug Tracker & Wiki]

#19740: (new ?) efficient atatcka gainst an exit relay
--+-
 Reporter:  toralf|  Owner:
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Core Tor/Tor  |Version:  Tor: 0.2.8.5-rc
 Severity:  Normal|   Keywords:
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+-
 Today I was faced by an DDoS attack which looks different from all the
 ones I observed in former times.

 Former attacks shows a characteristic where the malicious IN traffic was
 just on top of the usual network load (as seen in
 https://www.zwiebeltoralf.de/torserver/graph.png).
 The attack today looks like that the IN traffic supersedes the usual
 network load completely
 (https://www.zwiebeltoralf.de/torserver/graph.svg).

 The system is a stable hardened Gentoo Linux with latest kernel.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19737 [Applications/Tor Browser]: gpg/gk.gpg and gpg/torbutton.gpg are expired since 2016-07-19

[Tor Bug Tracker & Wiki]

#19737: gpg/gk.gpg and gpg/torbutton.gpg are expired since 2016-07-19
--+--
 Reporter:  dcf   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-gitian|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by dcf):

 I worked around it by copying gk's current key on top of gpg/gk.gpg and
 gpg/torbutton.gpg.

 I tried using `--trust-model always` but that doesn't work because "this
 trust model still does not allow the use of expired, revoked, or disabled
 keys."

 Maybe it would work to migrate to using
 [https://www.gnupg.org/documentation/manuals/gnupg/gpgv.html gpgv],
 because it "assumes that all keys in the keyring are trustworthy ... it
 does not check for expired or revoked keys."

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19732 [Applications/Tor Browser]: "Tor circuit for this site" labels meek bridge as being in China

[Tor Bug Tracker & Wiki]

#19732: "Tor circuit for this site" labels meek bridge as being in China
--+--
 Reporter:  dcf   |  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  invalid
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by dcf):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 This was my fault. It turns out I had somewhere in the past been hacking
 on my files to test something, and changed the dummy address for meek-
 azure to 1.2.2.4.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13080 [Metrics/Onionoo]: Add Ant tasks for measuring coverage, dependencies, etc.

[Tor Bug Tracker & Wiki]

#13080: Add Ant tasks for measuring coverage, dependencies, etc.
-+---
 Reporter:  karsten  |  Owner:
 Type:  enhancement  | Status:  closed
 Priority:  Medium   |  Milestone:  Onionoo 3.1.1
Component:  Metrics/Onionoo  |Version:
 Severity:  Normal   | Resolution:  duplicate
 Keywords:   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+---
Changes (by iwakeh):

 * status:  new => closed
 * resolution:   => duplicate
 * severity:   => Normal


Comment:

 Actually we now have the Coding Guidelines and work on implementing them
 in all Java projects.
 So this can be closed, I think.  Work is tracked in #19613.

 Feel free to reopen, if I missed anything.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19618 [Metrics/Onionoo]: java8 for Onionoo

[Tor Bug Tracker & Wiki]

#19618: java8 for Onionoo
-+---
 Reporter:  iwakeh   |  Owner:
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Onionoo 3.1.2
Component:  Metrics/Onionoo  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:  #19617   | Points:
 Reviewer:   |Sponsor:
-+---
Changes (by iwakeh):

 * milestone:   => Onionoo 3.1.2


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] [Tor Bug Tracker & Wiki] Batch modify: #13080, #13362, #19613, #19259

[Tor Bug Tracker & Wiki]

Batch modification to #13080, #13362, #19613, #19259 by iwakeh:
milestone to Onionoo 3.1.1

--
Tickets URL: 

Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13088 [Metrics/Onionoo]: Versioning and Releases

[Tor Bug Tracker & Wiki]

#13088: Versioning and Releases
-+---
 Reporter:  iwakeh   |  Owner:
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:  Onionoo 3.1.1
Component:  Metrics/Onionoo  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+---
Changes (by iwakeh):

 * milestone:   => Onionoo 3.1.1


Comment:

 This can be closed when the first version 3.1.1 is released.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19183 [Metrics/Metrics website]: Add sybilhunter's visualisations to Metrics website

[Tor Bug Tracker & Wiki]

#19183: Add sybilhunter's visualisations to Metrics website
-+-
 Reporter:  phw  |  Owner:  phw
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Metrics/Metrics website  |Version:
 Severity:  Normal   | Resolution:
 Keywords:  sybilhunter, visualization, churn,   |  Actual Points:
  uptime | Points:
Parent ID:   |Sponsor:
 Reviewer:   |
-+-

Comment (by phw):

 > Please let me know if you spot any problems or want me to change
 something. Like, want me to pick a different month as example? Happy to
 make such changes.

 It looks good to me.  Thanks for your work.

 > Oh, would you be able to update your image galleries? The latest graphs
 there are from 2016-01, and I bet people will ask for recent months when
 these pages go online.

 I did it for now, for the uptime images, but I don't have plans to do that
 in the future.  I'm just providing code and past analyses, but I don't
 want to sign up for providing continuous visualisations.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19420 [Metrics/Onionoo]: No AS data for some relays

[Tor Bug Tracker & Wiki]

#19420: No AS data for some relays
-+--
 Reporter:  twim |  Owner:  karsten
 Type:  defect   | Status:  reopened
 Priority:  Medium   |  Milestone:
Component:  Metrics/Onionoo  |Version:
 Severity:  Normal   | Resolution:
 Keywords:  as, asn, geoip   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+--

Comment (by cypherpunks):

 another note:
 the number of relays for which maxmind's DB was unable to provide any AS
 data (no number and no name) improved from 8 to 0 relays
 (this is all based on onionoo details records from 2016-07-22 13:00:00

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19420 [Metrics/Onionoo]: No AS data for some relays

[Tor Bug Tracker & Wiki]

#19420: No AS data for some relays
-+--
 Reporter:  twim |  Owner:  karsten
 Type:  defect   | Status:  reopened
 Priority:  Medium   |  Milestone:
Component:  Metrics/Onionoo  |Version:
 Severity:  Normal   | Resolution:
 Keywords:  as, asn, geoip   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+--

Comment (by cypherpunks):

 > The best way to see whether it is a good idea to use a new version is to
 use the current set of relay IP addresses and check how many of them will
 have no AS name after the (simulated) upgrade.

 Ok, I had the time to do that now and the results say that the number of
 AS-name less relays will increase from 111 to 353. One of the major ASes
 apparently lost their name (AS12876).

 So I'd recommend to NOT upgrade.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically

[Tor Bug Tracker & Wiki]

#19200: HTML5 video not blocked with placeholder, plays automatically
-+-
 Reporter:  potato   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  needs_information
 Severity:  Major|  Milestone:
 Keywords:  tbb-security-slider, |Version:
  tbb-6.0-issues, GeorgKoppen201607, | Resolution:
  TorBrowserTeam201607   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by f451022):

 Replying to [comment:18 gk]:

 > We could tried it at least I guess. There was the idea in #19736 to just
 set `media.autoplay.enabled` to `false` and be done with it but I assume
 that this does not prevent malicious code from exploiting bugs in
 Mozilla's media code but that might be worth to double-check. Another
 thing I looked at was the Flashstopper extension which at least provides
 an interesting way to block audio/video tags until the user does
 something. Giorgio, what do you think would be the best road for making
 sure we keep our security guarantees and a click-to-play mechanism?


 set  `media.autoplay.enabled` to false introduce a bug on youtube, and
 probably others sites too, I saw this today on some tests.

 whatever, I prefer disable MSE because:

 1. it's use javascript and I don't like it.

 2. without MSE you can get de video path including youtube videos, it's
 allows to open the video on a standalone tab and also download the video
 easily.

 example:

 take it, [https://www.youtube.com/watch?v=dQw4w9WgXcQ].
 and using right click > page info > media, you can get the path.
 or just copy the link on noscript placeholder.

 now you can standalone and also download the video.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19732 [Applications/Tor Browser]: "Tor circuit for this site" labels meek bridge as being in China

[Tor Bug Tracker & Wiki]

#19732: "Tor circuit for this site" labels meek bridge as being in China
--+--
 Reporter:  dcf   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  meek  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by mcs):

 * cc: mcs (added)


Comment:

 Another data point: I was unable to reproduce this on an OSX 10.11.5
 system with TB 6.5a1. But dcf's screenshot does not lie, so there must be
 something different about his setup.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19733 [Applications/Tor Browser]: GETINFO response parser doesn't handle AF_UNIX entries.

[Tor Bug Tracker & Wiki]

#19733: GETINFO response parser doesn't handle AF_UNIX entries.
+--
 Reporter:  yawning |  Owner:  tbb-team
 Type:  defect  | Status:  new
 Priority:  Very Low|  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Minor   | Resolution:
 Keywords:  tbb-sandbox, tbb-torbutton  |  Actual Points:
Parent ID:  #14270  | Points:
 Reviewer:  |Sponsor:
+--
Changes (by mcs):

 * cc: brade, mcs (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19727 [Metrics/CollecTor]: correct exitlist

[Tor Bug Tracker & Wiki]

#19727: correct exitlist
---+-
 Reporter:  iwakeh |  Owner:
 Type:  defect | Status:  closed
 Priority:  Medium |  Milestone:  CollecTor 1.0.0
Component:  Metrics/CollecTor  |Version:
 Severity:  Normal | Resolution:  fixed
 Keywords:  ctip   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+-
Changes (by karsten):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 Yes, that patch makes it work just fine.  I pushed your task-19727 branch
 but didn't push that commit 1426040 yet which we should merge soon as part
 of the other branch.  Closing.  Thanks!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19575 [Applications/Quality Assurance and Testing]: Test for privacy.thirdparty.isolate fails with a timeout

[Tor Bug Tracker & Wiki]

#19575: Test for privacy.thirdparty.isolate fails with a timeout
-+-
 Reporter:  boklm|  Owner:
 Type:  defect   |  cypherpunks
 Priority:  Medium   | Status:  new
Component:  Applications/Quality Assurance and   |  Milestone:
  Testing|Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-test-failures|  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by gk):

 Yes, that's due to https://bugzilla.mozilla.org/show_bug.cgi?id=536509. I
 think what we want to do is having kind of 2 tests:

 1) The test running while e.g. third party cookies are enabled (to make
 sure we can test our isolation technique.
 2) The test catching the exception in a way that it succeeds as long as it
 throws where it throws right now.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #19739 [Metrics/Atlas]: Bad family members

[Tor Bug Tracker & Wiki]

#19739: Bad family members
---+-
 Reporter:  hsys   |  Owner:  irl
 Type:  defect | Status:  new
 Priority:  Low|  Milestone:
Component:  Metrics/Atlas  |Version:
 Severity:  Minor  |   Keywords:  atlas;familymembers
Actual Points: |  Parent ID:
   Points: |   Reviewer:
  Sponsor: |
---+-
 When you search any Nodes from the details page of another Node, family
 members field on the new node searched is not updated (are those of the
 previous node).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #19738 [Applications/Tor Browser]: Update check-prerequisites.sh

[Tor Bug Tracker & Wiki]

#19738: Update check-prerequisites.sh
--+
 Reporter:  gk|  Owner:  tbb-team
 Type:  task  | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal|   Keywords:  tbb-gitian
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+
 Setting up a new build machine brought some bugs in our `check-
 prerequisites.sh` to light.

 1) On Debian I needed `libvirt-bin` as well
 2) `tor-browser-builder-4` is a thing now
 3) Ubuntu 16.04 with the vmbuilder (we need) packaged is available. We
 should take that into account and not point them to our work around.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #13917 [Applications/Tor Browser]: Investigate brokeness of our Tor Browser debug symbols

[Tor Bug Tracker & Wiki]

#13917: Investigate brokeness of our Tor Browser debug symbols
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  task  | Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  fixed
 Keywords:  tbb-gitian|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * status:  new => closed
 * resolution:   => fixed
 * severity:   => Normal


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12240 [Applications/Tor Browser]: Make Mac bundles built with LXC match their KVM counterparts

[Tor Bug Tracker & Wiki]

#12240: Make Mac bundles built with LXC match their KVM counterparts
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  fixed
 Keywords:  gitian, tbb-gitian|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * status:  reopened => closed
 * resolution:   => fixed
 * severity:   => Normal


Comment:

 We are building release builds on LXC machines for a while now and it
 works.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically

[Tor Bug Tracker & Wiki]

#19200: HTML5 video not blocked with placeholder, plays automatically
-+-
 Reporter:  potato   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  needs_information
 Severity:  Major|  Milestone:
 Keywords:  tbb-security-slider, |Version:
  tbb-6.0-issues, GeorgKoppen201607, | Resolution:
  TorBrowserTeam201607   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  needs_revision => needs_information


Comment:

 Replying to [comment:16 ma1]:
 > Mediasource is quite a hairy problem.
 >
 > The reason why ClickToPlay cannot work the way it does for "normal"
 videos is because there's no general way to identify the actual origin of
 the stream that is going to be played: in facts, the data can be generated
 on the fly by JavaScript code on the page and can actually come from
 anywhere (XMLHttpRequest, fetch(), random numbers, images whose bits are
 read using the canvas API, user input, whatever).
 >
 > Therefore the only meaningful "subject of trust" can be '''pages
 origin: trying to put individual mediasource elements behind ClickToPlay
 is impossible (since the data is fetched and/or assembled by scripts, you
 are required to reload the page upon placeholder activation, and the
 identity of the element to be activated is usually lost, since it's not
 bound to any persistent unique URL); furthermore, I doubt it's even useful
 from a security standpoint, since you cannot actually tell one instance
 from the other.
 >
 > The only partial work around I can think of is to implement a "special
 case" ClickToPlay for MSE, activating all the elements of a certain page
 if any placeholder gets clicked (the key would be page's URL, rather than
 the non-existent "media URL", and a page reload would occur). Would that
 work for you?

 We could tried it at least I guess. There was the idea in #19736 to just
 set `media.autoplay.enabled` to `false` and be done with it but I assume
 that this does not prevent malicious code from exploiting bugs in
 Mozilla's media code but that might be worth to double-check. Another
 thing I looked at was the Flashstopper extension which at least provides
 an interesting way to block audio/video tags until the user does
 something. Giorgio, what do you think would be the best road for making
 sure we keep our security guarantees and a click-to-play mechanism?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically

[Tor Bug Tracker & Wiki]

#19200: HTML5 video not blocked with placeholder, plays automatically
-+-
 Reporter:  potato   |  Owner:  tbb-
 Type:  defect   |  team
 Priority:  High | Status:
Component:  Applications/Tor Browser |  needs_revision
 Severity:  Major|  Milestone:
 Keywords:  tbb-security-slider, |Version:
  tbb-6.0-issues, GeorgKoppen201607, | Resolution:
  TorBrowserTeam201607   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * cc: f451022 (added)


Comment:

 Marked #19736 as a duplicate of this bug.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19736 [Applications/Tor Browser]: media.autoplay.enabled

[Tor Bug Tracker & Wiki]

#19736: media.autoplay.enabled
--+---
 Reporter:  f451022   |  Owner:
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  duplicate
 Keywords:  tbb-security-slider   |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+---
Changes (by gk):

 * status:  new => closed
 * resolution:   => duplicate
 * component:  - Select a component => Applications/Tor Browser
 * keywords:   => tbb-security-slider


Comment:

 Well, maybe. But I guess we don't even want to get the video loaded in the
 first place until the user clicks on it. And the pref set to `false` does
 not guarantee that. see: #19200 for a discussion about handling the MSE
 case properly. Marking this as a duplicate of that bug and mentioning the
 idea there.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19723 [Metrics/Metrics website]: 2 days missing on direct users graph

[Tor Bug Tracker & Wiki]

#19723: 2 days missing on direct users graph
-+--
 Reporter:  mrphs|  Owner:  karsten
 Type:  defect   | Status:  assigned
 Priority:  Medium   |  Milestone:
Component:  Metrics/Metrics website  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+--
Changes (by karsten):

 * owner:   => karsten
 * status:  new => assigned


Comment:

 Right, I can confirm that something's wrong there.  We're missing data in
 the database from June 28 and maybe the day before.  I'll have to re-
 import data from end of June.  Thanks for the report!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19727 [Metrics/CollecTor]: correct exitlist

[Tor Bug Tracker & Wiki]

#19727: correct exitlist
---+-
 Reporter:  iwakeh |  Owner:
 Type:  defect | Status:  needs_review
 Priority:  Medium |  Milestone:  CollecTor 1.0.0
Component:  Metrics/CollecTor  |Version:
 Severity:  Normal | Resolution:
 Keywords:  ctip   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+-

Comment (by iwakeh):

 That's probably what I patched
 
[https://gitweb.torproject.org/user/iwakeh/collector.git/commit/?h=task-19018-scheduler=1426040a653ae2e9e2e3df6c648804e4748daf33
 here].

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19727 [Metrics/CollecTor]: correct exitlist

[Tor Bug Tracker & Wiki]

#19727: correct exitlist
---+-
 Reporter:  iwakeh |  Owner:
 Type:  defect | Status:  needs_review
 Priority:  Medium |  Milestone:  CollecTor 1.0.0
Component:  Metrics/CollecTor  |Version:
 Severity:  Normal | Resolution:
 Keywords:  ctip   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+-

Comment (by karsten):

 Patch looks good, but I'm having trouble testing it.  It's probably
 something unrelated, but I don't know what.  Do you have an idea?

 {{{
 ~/src/collector$ java -jar collector-0.9.0-dev.jar
 Error: A JNI error has occurred, please check your installation and try
 again
 Exception in thread "main" java.lang.SecurityException: Invalid signature
 file digest for Manifest main attributes
 at
 
sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:284)
 at
 sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:238)
 at java.util.jar.JarVerifier.processEntry(JarVerifier.java:273)
 at java.util.jar.JarVerifier.update(JarVerifier.java:228)
 at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)
 at java.util.jar.JarFile.getInputStream(JarFile.java:450)
 at
 sun.misc.URLClassPath$JarLoader$2.getInputStream(URLClassPath.java:940)
 at sun.misc.Resource.cachedInputStream(Resource.java:77)
 at sun.misc.Resource.getByteBuffer(Resource.java:160)
 at java.net.URLClassLoader.defineClass(URLClassLoader.java:454)
 at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
 at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
 at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
 at java.security.AccessController.doPrivileged(Native Method)
 at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
 at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
 at
 sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:495)
 }}}

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19728 [Core Tor/Tor]: Pick, and deploy, a new bridge authority

[Tor Bug Tracker & Wiki]

#19728: Pick, and deploy, a new bridge authority
--+
 Reporter:  arma  |  Owner:
 Type:  task  | Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.2.8.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by BrassHornComms):

 Replying to [comment:14 teor]:
 > The Brass Horn relays aren't on the fallback list for 0.2.8.5-rc,
 because the bandwidth cutoff was ~6 Mbps, and the Brass Horn relays that
 were opted in were below that.

 Ah, well once I've finished getting IXP peering sorted bandwidth will
 become a lot cheaper and will allow for a significant increase in relay
 speeds!

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19737 [Applications/Tor Browser]: gpg/gk.gpg and gpg/torbutton.gpg are expired since 2016-07-19

[Tor Bug Tracker & Wiki]

#19737: gpg/gk.gpg and gpg/torbutton.gpg are expired since 2016-07-19
--+--
 Reporter:  dcf   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-gitian|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * keywords:   => tbb-gitian


Comment:

 *Sigh*. I guess there is no good solution for this kind of issue. :( We
 could do the same as the Qubes folks and create one never expiring key for
 the git tags. But that would be another key to handle properly and we
 would need to deal with the issue that more than one of us should be able
 to tag things for official builds. And then there is the revocation issue
 in case things go wrong...

 I think what we could do is make sure that at least the latest release in
 every series is always buildable. If one wants to build older Tor Browser
 versions it is fine to me if this is not working out of the box due to
 issues with signed git tags (one could easily work around by setting
 `VERIFY_TAGS` to `0`).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19727 [Metrics/CollecTor]: correct exitlist

[Tor Bug Tracker & Wiki]

#19727: correct exitlist
---+-
 Reporter:  iwakeh |  Owner:
 Type:  defect | Status:  needs_review
 Priority:  Medium |  Milestone:  CollecTor 1.0.0
Component:  Metrics/CollecTor  |Version:
 Severity:  Normal | Resolution:
 Keywords:  ctip   |  Actual Points:
Parent ID: | Points:
 Reviewer: |Sponsor:
---+-
Changes (by iwakeh):

 * status:  new => needs_review


Comment:

 Please review the
 
[https://gitweb.torproject.org/user/iwakeh/collector.git/commit/?h=task-19727=7dc17f8e14b3e87f26bd34e1d7c4649546e3476a
 implementation].

 Clean compile, tests pass, coverage stays the same, no checkstyle
 complaints added.

 This is a good example for adding a property setting with a new class
 type.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #19614 [Metrics/Metrics website]: metrics-web should confirm to style guide

[Tor Bug Tracker & Wiki]

#19614: metrics-web should confirm to style guide
-+---
 Reporter:  iwakeh   |  Owner:  karsten
 Type:  task | Status:  assigned
 Priority:  Medium   |  Milestone:  Metrics 1.0.0
Component:  Metrics/Metrics website  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:  #19611   | Points:
 Reviewer:   |Sponsor:
-+---

Comment (by karsten):

 Aaaand, pushed now.  Going back to: Leaving open in case you want to make
 further changes as part of this ticket.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs