Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

2020-04-08 Thread Tor Bug Tracker & Wiki 
#33534: Review FF release notes from FF69 to latest (FF73)
--+
 Reporter:  pospeselr |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:  12
Parent ID:  #33661| Points:
 Reviewer:|Sponsor:  Sponsor58-must
--+
Changes (by pili):

 * parent:   => #33661


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

2020-03-31 Thread Tor Bug Tracker & Wiki 
#33534: Review FF release notes from FF69 to latest (FF73)
--+
 Reporter:  pospeselr |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:  12
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor58-must
--+

Comment (by Thorin):

 Replying to [comment:8 pospeselr]:
 > dom.push.enabled
 > - set to false to disable push notifications

 Default false in ESR68. I also think it's not enabled/doesn't do anything
 in PB mode, since it requires service workers which are also disabled (see
 next comment)

 However, disabling SWs (pref below) and push (pref above) is not enough to
 stop Firefox polling the Mozilla Push Server - which assigns a persistent
 ID
 - see `dom.push.userAgentID` (without testing, I am not sure if this still
 gets sets when started in PB mode)
 - you could blank 'dom.push.serverURL' for good measure

 > dom.serviceWorkers.enabled
 > - set to false to disable service workers

 This isn't new. It's default false in ESR60-68 and service workers are not
 available in PB mode

 > security.insecure_connection_icon.enabled
 > - when true shows crossed out padlock on HTTP sites ->
 https://www.askvg.com/firefox-tip-show-hide-insecure-connection-icon-in-
 address-bar/

 Just FYI: if this is true, then both normal and PB modes display the
 padlock, but if false, then the pref
 `security.insecure_connection_icon.pbmode.enabled` is used in PB mode.
 They are currently both default false in ESR68, true in non ESR

 > security.tls.version.enable-deprecated
 > - we probably want this to be false to disable old TLS

 Setting to false still allows downgrading, but makes that downgrading
 **session only**. To force TLS 1.0 and 1.1 permanently disabled, just set
  - `security.tls.version.min` = 3
  -  ^^ 3 was the default in FF74 but got reversed due to govt websites
 using TLS <1.2
  - no idea what it will be in ESR78 stable

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

2020-03-31 Thread Tor Bug Tracker & Wiki 
#33534: Review FF release notes from FF69 to latest (FF73)
--+
 Reporter:  pospeselr |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:  12
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor58-must
--+

Comment (by pospeselr):

 Ok, diffed vanilla esr68 vs beta75 prefs in firefox.js and greprefs.js and
 here's the noteworthy new values:

 browser.aboutwelcome.enabled
 - this pref seems enable a one-time welcome screen that shows off
 firefox features and importing bookmarks and stuff
 browser.search.modernConfig
 - seems like mozilla working on a new system for configuring search
 engines, setting to false falls back to legacy
 browser.search.separatePrivateDefault
 - separete search engine config for private browsing mode, redundant
 for us since we're always in private browsing mode
 browser.ssb.enabled
 - site-specific browser (1602117) to launch websites in a window
 without browser UI
 browser.tabs.remote.separatedMozillaDomains
 - so this is a list of mozilla domains which are allowed to be loaded
 in a priviledged process, probably empty this list
 browser.urlbar.update1
 - new style for urlbar that sort of 'hovers' over the background when
 true
 device.storage.enabled
 - set to false to disable -> https://developer.mozilla.org/en-
 US/docs/Archive/B2G_OS/API/Device_Storage_API
 dom.push.enabled
 - set to false to disable push notifications
 dom.serviceWorkers.enabled
 - set to false to disable service workers
 extensions.experiments.enabled
 - enable to access experimental web extension APIs (suspect we want
 false) -> https://firefox-source-
 docs.mozilla.org/toolkit/components/extensions/webextensions/basics.html
 #webextensions-experiments
 javascript.options.blinterp
 - enable the new experimental baseline interpeter ->
 https://hacks.mozilla.org/2019/08/the-baseline-interpreter-a-faster-js-
 interpreter-in-firefox-70/
 marionette.enabled
 - enables the marionette remote access/testing thing, like Selenium ->
 https://firefox-source-docs.mozilla.org/testing/marionette/Intro.html
 media.autoplay.default
 - 0 => allow all, 1 => block audio, 5 => block audio+video (suspect we
 should disable all autoplay)
 media.videocontrols.picture-in-picture.enabled
 - enables the new picture-in-picture video viewer
 network.dns.skipTRR-when-parental-control-enabled
 - disable DoH when parental controls are enabled
 network.http.http3.enabled
 - enable http3 (seems http3 uses udp so I would guess we want to
 disable this) -> https://techdows.com/2019/11/mozilla-adds-http3-support-
 to-firefox-72-nightly.html
 permissions.fullscreen.allowed
 - when this is enabled permissions prompt will appear when ff is in
 full screen, when not it drops out of fullscreen (to avoid chrome spoofing
 we want this to be false)
 privacy.purge_trackers.enabled
 - purges cookies from tracking sites that have not been interacted
 with (we don't use tracking protection and we're in private browsing mode
 so this is not needed -> https://www.ghacks.net/2020/03/04/firefox-75
 -will-purge-site-data-if-associated-with-tracking-cookies/
 security.aboutcertificate.enabled
 - enables the new cert viewer (if we enable this, we need to port over
 our work adding in 'Onion Service' string to the security info of a page
 #23247)
 security.allow_eval_in_parent_process
 security.allow_eval_with_system_principal
 - these disable eval in certain contexts, ensure these are false ->
 https://bugzilla.mozilla.org/show_bug.cgi?id=1582512
 security.cert_pinning.hpkp.enabled
 - used to disable HPKP (HTTP Public Key Pinning) when false, pretty
 sure we want to keep it that way?
 security.enterprise_roots.enabled
 - lets firefox look to the OS for additional valid root CA issuers,
 set to false -> https://support.mozilla.org/en-US/kb/how-disable-
 enterprise-roots-preference
 security.identityblock.show_extended_validation
 - false in firefox, do we want to show the EV text?
 security.insecure_connection_icon.enabled
 - when true shows crossed out padlock on HTTP sites ->
 https://www.askvg.com/firefox-tip-show-hide-insecure-connection-icon-in-
 address-bar/
 security.osclientcerts.autoload
 - when true autoloads certs from OS cert store  (I assume we want this
 false) -> https://bugzilla.mozilla.org/show_bug.cgi?id=1592111
 security.pki.crlite_mode
 - when set to 2 this enables crlite, 0 disables, an offline cert
 revocation store ->

Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

2020-03-23 Thread Tor Bug Tracker & Wiki 
#33534: Review FF release notes from FF69 to latest (FF73)
--+
 Reporter:  pospeselr |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:  12
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor58-must
--+

Comment (by Thorin):

 Replying to [comment:6 pospeselr]:
 > {{{
 > 74:
 > TextMetrics interface updated, canvas fingerprinting?
 > - https://bugzilla.mozilla.org/show_bug.cgi?id=1102584
 > }}}

 https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#fonts -
 see the textmetric entry and click the view details

 RFP doesn't protect against this. The prefs (all added in 74+) are
 - `dom.textMetrics.actualBoundingBox.enabled` FF74+ default true
 - `dom.textMetrics.baselines.enabled` - 76 Nightly still at default false
 - `dom.textMetrics.emHeight.enabled` - 76 Nightly still at default false
 - `dom.textMetrics.fontBoundingBox.enabled` - 76 Nightly still at default
 false

 measureText uses floats (which may be affected by OS), so the precision is
 much higher than say domrect (which uses app-units - e.g. 1/60th of a CSS
 pixel). Additionally, text layout goes from device pixels (which _are_
 affected by DPI) to CSS pixels: so it could also be affected by DPI (but
 no one knows for sure)

 I'm not sure if it really adds any more entropy than other font
 measurements like dcf's unicode glyphs - but it is another avenue

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

2020-03-23 Thread Tor Bug Tracker & Wiki 
#33534: Review FF release notes from FF69 to latest (FF73)
--+
 Reporter:  pospeselr |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:  12
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor58-must
--+
Changes (by pospeselr):

 * actualpoints:   => 12


Comment:

 {{{
 Release notes:

 69:
 Enhanced Tracking Protection
 - I believe we want to turn this off
 Web Authentication HmacSecret extension via Windows Hello (for Windows
 10 versions > May 2019)
 - suspect this feature violates our disk avoidance requirements
 32-bit Firefox on 64-bit OS users no-longer differentiable from 64-bit
 Firefox on 64-bit OS
 - navgator.userAgent, navigator.platform, navigator.oscpu props
 - https://bugzilla.mozilla.org/show_bug.cgi?id=1559747
 userChrome.css and userContent.css no longer enabled by default
 - sure users will probably complain about this but seems like a
 good thing
 - toolkit.legacyUserProfileCustomizations.stylesheets -> true to
 re-enable

 69.0.1:
 69.0.2:
 69.0.3:
 Seems like Firefox hooks into Windows Parental Controls (though
 they are removed in newer versions of Windows 10?)
 - I would think our build should stup out parental controls
 and logging if we don't do this already
 - https://bugzilla.mozilla.org/show_bug.cgi?id=1584613
 - also has implementation for android and macos
 70:
 Firefox Lockwise (about:logins)
 - violates disk avoidance
 'Gift' icon in toolbar that spams users with feature updates/news
 70.0.1:
 71:
Picture-in-Picture video
 - this feature is pretty awesome, but we should make sure it
 doesn't expose fingerprinting surface
 - can be toggled off with media.videocontrols.picture-in-
 picture.enabled
 72:
 72.0.1:
 72.0.2:
 73:
 Enhancement to Windows' High Contrast Mode, web renderer now adds
 'readability backplate' of solid color between background and text
 - possible finger-printing vector?
 73.0.1:
 74:


 Developer release notes

 69:
 Lithuanian specific case rules (also exists for greek, dutch, others),
 locale fingerprinting
 - https://bugzilla.mozilla.org/show_bug.cgi?id=1322992
 add-on api topsites.get() certainly seems sketchy af:
 https://developer.mozilla.org/en-US/docs/Mozilla/Add-
 ons/WebExtensions/API/topSites/get
 - updated to add includePinned and includeSearchShortcuts options
 70:

 71:

 72:

 73:

 74:
 TextMetrics interface updated, canvas fingerprinting?
 - https://bugzilla.mozilla.org/show_bug.cgi?id=1102584
 75:

 Noteworthy Tickets:

 69:
 1584613 - Parental control detection doesn't work on Windows 10
 - make sure parental access checks are always disabled
 1559747 - User-Agent string needn't reveal a user is running 32-bit
 Firefox on a 64-bit OS
 - make sure this is also true for Tor Browser if it isn't already
 1561307 - Add pref to enable/disable the What's New Panel feature
 - make sure this panel is disabled
 70:
 1570732 - Disable DoH if parental controls detected
 - followup on 1584613 to ensure we don't have parental controls in
 Tor Browser
 1561273 - network ID: ipv4NetworkId/scanArp returns gateway IP instead
 of its MAC
 - certainly seems like we shouldn't have runnable code that can
 read the user's IP or MAC
 1563319 - Enable the What's New UI when pref is enabled
 - make sure this is disabled
 1572389 - Add pref to show normal lock icon for sites with EV
 (Extended Validation) certificates
 - so looks like we can bring back full EV names if we so wish
 1576246 - Set pref browser.urlbar.eventTelemetry.enabled by default
 - make sure this is disabled
 1567826 - Don't mark localhost as insecure
 - this should be fine but the patch does touch the url icon logic
 1572936 - Move EV cert UI out of URL Bar
 - security.identityblock.show_extended_validation pref for showing
 EV in url bar, we may want to enable this for onionsites?
 71:
 1539212 - implement readability backplate for high contrast mode
 - probably fingerprinting vector for folks with high contrast mode
 enabled as it adds a new rendering layer
 1585920 - network ID: fix VPN detection on Linux for non ethernet
 devices
 - seems like we would never want to calculate a fingerprintable
 'Network ID' in tor-browser, though I'm not sure what

Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

2020-03-19 Thread Tor Bug Tracker & Wiki 
#33534: Review FF release notes from FF69 to latest (FF73)
--+
 Reporter:  pospeselr |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:  Sponsor58-must
--+
Changes (by pili):

 * sponsor:   => Sponsor58-must


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

2020-03-04 Thread Tor Bug Tracker & Wiki 
#33534: Review FF release notes from FF69 to latest (FF73)
--+---
 Reporter:  pospeselr |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+---

Comment (by cypherpunks):

 Site Compatibility: https://www.fxsitecompat.dev/en-CA/versions/

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73) (was: Review FF relase notes from FF69 to latest (FF73))

2020-03-04 Thread Tor Bug Tracker & Wiki 
#33534: Review FF release notes from FF69 to latest (FF73)
--+---
 Reporter:  pospeselr |  Owner:  pospeselr
 Type:  defect| Status:  assigned
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+---

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs