In April, the Tor Browser team made three releases: 3.6-beta-2[1], 3.5.4[2], and 3.6[3]. The first two releases included fixes for the OpenSSL Heartbleed issue[4]. The 3.6 release was triggered by Mozilla's release of 24.5.0ESR. Mozilla actually tagged the 24.5.0ESR release a week in advance, which gave us extra time to prepare the 3.6 series for a stable release.
The 3.5.4 release only updated OpenSSL. The 3.6-beta-2 release also featured Turkish bundles[5], enabled some JavaScript hardening options[6], fixed an instance of improper update notification[7], and improved ease of localization of the about:tor and bootstrap messages[8,9]. It also fixed a launch error with the FTE transport on Windows[10]. Due to the OpenSSL Heartbleed fiasco, we were unable to also produce a 4.0-alpha build this month.

The 3.6 release is our first stable release of the combined Pluggable Transport and standard bundles. It features some usability improvements to the bridge entry UI[11,12], more concise and understandable download warning dialog text (based on support feedback)[13], the removal of a hidden menu item relic from the toggle days[14], and a fix to prevent the installation path from leaking in certain JavaScript exceptions on Mac OS and Windows[15].

Unfortunately, TBB 3.6 was not without its bumps and snags, so we were quite lucky to have the extra week of notice from Mozilla. It turns out that HTTPS-Everywhere switched to a new rule distribution format and build process in its latest stable release (3.5), which occurred concurrently with the TBB 3.6 release. We fixed an issue in order to build HTTPS-Everywhere from source for TBB[16], but the new HTTPS-Everywhere 3.5 is still not reproducible[17]. We had to ship TBB 3.6 with HTTPS-Everywhere 3.4.5 as a result, and will likely have to bundle the version of the addon built by and downloaded from the EFF until such time as it can be made reproducible again.

We also had a regression in the proxy support for TBB 3.6[18]. It turns out the addition of Pluggable Transports tripped on a bug in tor that prevented the user from configuring a proxy. We will put out a TBB 3.6.1 as soon as possible to correct this issue.

We made progress investigating a few outstanding issues, including remaining window resolution issues with certain Mac and Windows desktop environments[19], a hang on New Identity[20], and a window resizing issue[21].

On the Mozilla merge process front, we merged a test to verify against future proxy bypass by WebSockets[22], which has been a pain point for us in the past. The Firefox 31ESR merge deadline was also at the end of the month, so any future patches we merge will not appear for use in TBB until Firefox 38ESR is released, sometime in February 2015. Unfortunately, we also learned that HTTPS Certificate Pinning did not land in time for Firefox 31ESR, so we will need to help Mozilla backport that patch set to TBB if we want certificate pinning (which we do).

On the QA and testing front, we continued to improve our integration testing infrastructure and add tests. The testing infrastructure is now capable of emailing the tor-qa mailing list directly with build results[23], as well as watching our build repository for TBB build tags that indicate candidate builds are ready for testing.

On the security front, we agreed on the project direction and had an initial kickoff meeting with iSec for their audit of Firefox and the Tor Browser Bundle. The overall direction is to determine which features of Firefox are good candidates for disabling at various points on the 'Security Slider'[24]. Additionally, they may investigate various build hardening options, such as AddressSanitizer[25] and enabling refcounting and other assert checks.

On the build process front, we refactored the build process to explicitly support partial rebuilds, and to pre-build common tools in a separate stage[26]. We also performed a number of build process code cleanups and minor fixes[27,28,29,30,31].

On the future Pluggable Transport front, we discussed a promising new transport by David Fifield called 'meek'[32]. It uses Google AppEngine in combination with NPN to tunnel Tor traffic over pre-existing Google domains. It sounds like a good addition to the TBB 3.6 bundles as an optional PT; however, it does add a fair amount to the compressed bundle size (~4MB). Hopefully we can reduce this overhead somehow and begin shipping it ASAP.

On the C++ interview process front, 2 of our 3 candidates have short-term trial contracts and have begun work. One of them has already had a patch merged, and has another patch pending. The third has most of a patch written, but still needs a contract for it.

On the community coordination front, we have two promising student/volunteer projects lined up for the summer. The first is an official Google Summer of Code project to deploy a Pluggable Transport to prototype defenses against Website Traffic Fingerprinting[33], and the second is a research project to deploy a Browser Fingerprinting test suite to measure the fingerprintability of Tor Browser, and to evaluate our fingerprinting defenses[34]. We look forward to helping these projects succeed.

On the team communication front, due to the EU "Summer Time" change, we moved our weekly meeting to before the Pluggable Transport meeting on Fridays at 15:00 UTC.

In May, the first thing we'll be doing is finding some form of fix for the proxy settings issue in TBB 3.6. This will likely mean a TBB 3.6.1 release early in the month. We'll also be continuing to coordinate with the iSec team for input into the Security Slider and other hardening options. We will also continue our efforts at improving the unified 3.6 bundles, ideally also adding support for proxied PTs in either 3.6.1 or 3.6.2. We also received an offer for a code signing certificate from a major CA.
Previously, excessive paperwork, strange liability sign-offs, build process issues, and CA registration requirements have dissuaded us from obtaining such a certificate ourselves, but hopefully the direct offer of a donation from a major CA will smooth much of this over. We will be investigating this offer and its feasibility with our build process over the course of the month.

In terms of ongoing development, we will continue work on the Firefox updater, restructuring the bundles, and testing this new layout. If we're lucky, this may result in a 4.0-alpha with a restructured layout, or at least a few nightlies. We will also include Tor 0.2.5.x-alpha in this upcoming alpha, to aid in testing of that Tor release.

1. https://blog.torproject.org/blog/tor-browser-36-beta-2-released
2. https://blog.torproject.org/blog/tor-browser-354-released
3. https://blog.torproject.org/blog/tor-browser-36-released
4. https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
5. https://trac.torproject.org/projects/tor/ticket/9010
6. https://trac.torproject.org/projects/tor/ticket/9387#comment:17
7. https://trac.torproject.org/projects/tor/ticket/11242
8. https://trac.torproject.org/projects/tor/ticket/10398
9. https://trac.torproject.org/projects/tor/ticket/9665
10. https://trac.torproject.org/projects/tor/ticket/11286
11. https://trac.torproject.org/projects/tor/ticket/11482
12. https://trac.torproject.org/projects/tor/ticket/11484
13. https://trac.torproject.org/projects/tor/ticket/7439
14. https://trac.torproject.org/projects/tor/ticket/11384
15. https://trac.torproject.org/projects/tor/ticket/9308
16. https://trac.torproject.org/projects/tor/ticket/11556
17. https://trac.torproject.org/projects/tor/ticket/11630
18. https://trac.torproject.org/projects/tor/ticket/11658
19. https://trac.torproject.org/projects/tor/ticket/9268
20. https://trac.torproject.org/projects/tor/ticket/9531
21. https://trac.torproject.org/projects/tor/ticket/9881
22. https://bugzilla.mozilla.org/show_bug.cgi?id=971153
23. https://lists.torproject.org/pipermail/tor-qa/2014-April/000403.html
24. https://trac.torproject.org/projects/tor/ticket/9387
25. https://trac.torproject.org/projects/tor/ticket/10599
26. https://trac.torproject.org/projects/tor/ticket/10120
27. https://trac.torproject.org/projects/tor/ticket/10356
28. https://trac.torproject.org/projects/tor/ticket/11539
29. https://trac.torproject.org/projects/tor/ticket/11459
30. https://trac.torproject.org/projects/tor/ticket/11240
31. https://trac.torproject.org/projects/tor/ticket/11478
32. https://trac.torproject.org/projects/tor/wiki/doc/meek
33. https://lists.torproject.org/pipermail/tor-dev/2014-April/006741.html
34. https://lists.torproject.org/pipermail/tor-dev/2014-April/006722.html

-- 
Mike Perry
tor-reports mailing list: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
