Re: [tor-bugs] #28147 [Applications/Tor Browser]: [meta] Improve Tor Browser Content Process Sandbox

2018-11-01 Thread Tor Bug Tracker & Wiki 
#28147: [meta] Improve Tor Browser Content Process Sandbox
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #28146| Points:
 Reviewer:|Sponsor:
--+--

Comment (by tom):

 Replying to [comment:1 gk]:
 > Are there corresponding Mozilla bugs somewhere because it seems to me
 that this sandbox tightening is something (privacy-conscious) Firefox
 users (with proxy) would maybe want to have as well? E.g. should there be
 no way to steal Android device information that way from within the
 content process regardless of whether Tor is used or not.

 Generally, no.  So far all of the things I've listed here are things we've
 made to support some feature of another. It's possible (but unlikely) that
 they could be dead code that we could remove, but AFAIK there are no
 corresponding Mozilla bugs to do what Tor wants, because it's going to
 conflict with what Mozilla wants.

 My suggestion would be that as each sub-item is investigated, we see what
 the use of the item is in Firefox, and determine if there is a way to
 tighten the IPC layer in Firefox either generally or under certain
 (existing) preferences.  (With a fallback to some new preference or
 preferences.)  That would be the easiest way to upstream the behavior Tor
 wants.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #28147 [Applications/Tor Browser]: [meta] Improve Tor Browser Content Process Sandbox

2018-10-23 Thread Tor Bug Tracker & Wiki 
#28147: [meta] Improve Tor Browser Content Process Sandbox
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:  #28146| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Are there corresponding Mozilla bugs somewhere because it seems to me that
 this sandbox tightening is something (privacy-conscious) Firefox users
 (with proxy) would maybe want to have as well? E.g. should there be no way
 to steal Android device information that way from within the content
 process regardless of whether Tor is used or not.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #28147 [Applications/Tor Browser]: [meta] Improve Tor Browser Content Process Sandbox

2018-10-22 Thread Tor Bug Tracker & Wiki 
#28147: [meta] Improve Tor Browser Content Process Sandbox
--+--
 Reporter:  tom   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal|   Keywords:
Actual Points:|  Parent ID:  #28146
   Points:|   Reviewer:
  Sponsor:|
--+--
 This ticket is specifically for tightening the content process sandbox.

 An attacker who achieves code execution inside the content process sandbox
 should not be able to achieve the most valuable goals (proxy
 bypass/persistent user identifier) inside the content process and should
 instead need a sandbox escape.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs