In early May, the Tor Browser team released Tor Browser 3.6.1[1] to correct a proxy settings regression in the 3.6 series. Due to changes made to the default configuration of the Tor client in order to support Pluggable Transports, normal Tor users were unable to configure an upstream proxy for normal Tor usage[2]. In addition to fixing this regression, the 3.6.1 release also featured a stopgap for the HTTPS-Everywhere reproducibility issue[3] mentioned in last month's report. For now, we are using the pre-built versions of the addon produced by the EFF, which allows our packages to remain reproducible. We are also in the process of investigating a proper fix to build the addon from source in a reproducible fashion.
In May, iSec also performed an audit of the Tor Browser. Due to the limited timeframe of the engagement, their efforts were focused on evaluating the current compiler hardening in Tor Browser, suggesting new hardening improvements, and suggesting preferences and additional items for the Security Slider[4]. Using historical security bug data from Mozilla's bugtracker, they enumerated vulnerability counts by high-level components, to provide insight into which preferences and features we should disable at various positions on the slider. In addition to confirming known issues with our Windows hardening options[5], their investigation into compiler hardening options also uncovered issues with both Firefox and our usage of the now deprecated Mac OS 10.6 SDK, which apparently prevents both our Mac builds and official Firefox Mac builds from making full use of Address Space Layout Randomization[6]. The full iSec report is due to be made public in mid-June. On the build system front, we have refactored our build scripts to allow us to build common dependencies and utilities as a separate step, reducing build time[7]. We fixed a few issues with our nightly build system, and improved reporting of failures of nightly builds[8,9]. We have also produced hardened test builds of Tor Browser, using the new AddressSanitizer, Undefined Behavior Sanitizer, and Virtual Table Verification features of GCC 4.9.0[10], and along the way merged an upstream fix to Mozilla for a build issue[11]. We are hopeful that these hardened builds will both be more resistant to exploitation, and will help us track down bugs quickly. The plan is to deploy these builds for the 4.0-alpha series. On the QA and testing front, we have developed test cases for validating correctness of proxy settings for both uncensored as well as Pluggable Transport users, have developed a test suite in the mbox sandbox[12] to check for network and disk leaks[13], and have tests to check for the successful application of compiler hardening options on Linux[14]. The reporting functionality of our testing infrastructure has also been improved so that test result summaries are now present in result emails on the tor-qa mailinglist. In June, we plan to make two releases of Tor Browser: 3.6.2 and 4.0-alpha-1. The fixes for 3.6.2 are written and ready to deploy. However, we have decided to hold the release to coincide with the upstream Mozilla Firefox release on June 10th, to pick up any security fixes at the same time. The most important fix on our side is to enable the configuration of SOCKS and HTTP proxies with Pluggable Transports, which will fix the remaining issues for users of Tor Browser behind a proxy, whether censored or not. In addition, the release will enable TLS 1.1 and 1.2, which was set to off by default in the 24ESR series, but the code is present and has been unchanged since release, and has been turned on by default in later Firefox releases[15]. A couple minor localization and configuration issues with the Tor Launcher UI have also been corrected[16,17,18]. On top of this, fixes are already written to improve the about:tor initial homepage/status notification[19], to address a couple race conditions in the config and New Identity UI elements[20,21], and to include missing Pluggable Transports documentation[22,23]. A few minor issues with esoteric configurations, options, and Linux issues have also been fixed[24,25,26]. We intend to use the 4.0-alpha series to test new features, as well as to roll out our initial test deployments of the Firefox updater[27]. To this end, the 4.0-alpha series will feature a new directory layout[28], which will improve the Mac OS docking behavior of the Tor Browser app icon[29], as well as simplify the changes we need to make to the Firefox updater. This series will also feature an additional patch to enable or disable all of our third party identifier protections[30], which should help to get this set of patches merged with Firefox. We will also be including Tor 0.2.5.x in this series. Also in June, we will begin prioritizing issues from the iSec report, and evaluating their recommendations for the Security Slider options and positions. 1. https://blog.torproject.org/blog/tor-browser-361-released 2. https://trac.torproject.org/projects/tor/ticket/11658 3. https://trac.torproject.org/projects/tor/ticket/11630 4. https://trac.torproject.org/projects/tor/ticket/9387 5. https://trac.torproject.org/projects/tor/ticket/10065 6. https://bugzilla.mozilla.org/show_bug.cgi?id=1018210 7. https://trac.torproject.org/projects/tor/ticket/10120 8. https://trac.torproject.org/projects/tor/ticket/11615 9. https://trac.torproject.org/projects/tor/ticket/11249 10. https://trac.torproject.org/projects/tor/ticket/10599 11. https://bugzilla.mozilla.org/show_bug.cgi?id=1013341 12. http://pdos.csail.mit.edu/mbox/ 13. https://lists.torproject.org/pipermail/tor-dev/2014-May/006911.html 14. https://trac.torproject.org/projects/tor/ticket/12107 15. https://trac.torproject.org/projects/tor/ticket/11253 16. https://trac.torproject.org/projects/tor/ticket/11699 17. https://trac.torproject.org/projects/tor/ticket/11754 18. https://trac.torproject.org/projects/tor/ticket/11772 19. https://trac.torproject.org/projects/tor/ticket/11510 20. https://trac.torproject.org/projects/tor/ticket/11763 21. https://trac.torproject.org/projects/tor/ticket/11783 22. https://trac.torproject.org/projects/tor/ticket/11834 23. https://trac.torproject.org/projects/tor/ticket/11835 24. https://trac.torproject.org/projects/tor/ticket/12161 25. https://trac.torproject.org/projects/tor/ticket/11190 26. https://trac.torproject.org/projects/tor/ticket/10425 27. https://trac.torproject.org/projects/tor/ticket/4234 28. https://trac.torproject.org/projects/tor/ticket/11641 29. https://trac.torproject.org/projects/tor/ticket/6457 30. https://trac.torproject.org/projects/tor/ticket/10819 -- Mike Perry
signature.asc
Description: Digital signature
_______________________________________________ tor-reports mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
