In early June, the Tor Browser team released Tor Browser 3.6.2[1]. This release included security fixes for OpenSSL[2] and Firefox[3], as well as a fix to allow Pluggable Transports to use proxies on Mac and Linux[4]. Unfortunately, a build issue prevented the Windows bundles from including a proper fix to this bug[5].

In this release, we also disabled a deprecated WebAudio API based on a recommendation from iSec[6], enabled TLS 1.1 and 1.2[7], fixed several UI and configuration issues[8,9,10,11,12,13], and included documentation for Pluggable Transports in the distribution[14,15]. We also included a fix for a disk leak that caused large cut and paste regions to be written to disk[16].

We also put out another test build that was compiled with additional hardening options that were added to the latest GCC series[17].

In mid-June, the final version of the iSec audit report was released to us, and we have filed tickets relevant to this report, and have noted the suggestions for the security slider[18].

We also obtained a security token from DigiCert for signing Windows bundles. However, investigation is needed to determine if we can use this token from a Linux signing machine.

On the hiring front, we have settled on Arthur Edelstein as our primary Tor Browser contractor from the Tor Browser hiring process. We will honor existing contracts from the current interview candidates, and may assign some additional work items to them as funding allows and workload requires.

In terms of ongoing development on the upcoming 4.0-alpha-1 release, we continued our efforts on the Tor Browser auto-updater[19], which required another update to our development toolchain, and further fixes upstream for Mozilla to build with this toolchain. Unfortunately, this led to last-minute issues due to updating the Windows toolchain to the latest mingw-w64 release.

We've also delayed 4.0-alpha-1 to include the Meek transport[20], which has some compelling censorship circumvention properties. Meek does not require a bridge distributor, and the costs for blocking meek are very high in terms of collateral damage. We are very excited about this transport, and while it still has some performance issues, a relatively high monetary cost, and potential privacy issues, it should serve us well as a transport of last resort for censored users. For a visual comparison of meek with our other Pluggable Transports, we welcome interested readers to review "A Child's Garden of Pluggable Transports"[21].

The 4.0-alpha-1 release will also feature fingerprinting fixes to eliminate more edge cases with window resolution[22], include a patch to bring DOM storage and the image cache under control of our third party isolation preference[23], include a fix to aid in window navigation in the Linux Desktop[24], and include changes to NoScript to allow script permissions to be based on the URL bar domain rather than individual third party content elements[25]. We will also be including Tor 0.2.5.x in this release. As Firefox ESR 31 is coming soon, we've also begun test builds to investigate possible issues with our currently used toolchains in Gitian[26].

In July, we hope to have a public blog post summarizing the iSec report, and enumerating our plans to address the issues contained therein. We also hope to have solidified the positions of the Security Slider based on the input from the report. We also hope to release 4.0-alpha-1, expect a pointfix release in the 3.6 series, and plan to continue our testing with Gitian builds of vanilla Firefox 31, to get early notification of any reproducibility or toolchain issues. We also hope to include a patch to improve our font limiting in this release series[27].

1. https://blog.torproject.org/blog/tor-browser-362-released
2. https://www.openssl.org/news/secadv_20140605.txt
3. https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.6
4. https://trac.torproject.org/projects/tor/ticket/11629
5. https://trac.torproject.org/projects/tor/ticket/12381
6. https://trac.torproject.org/projects/tor/ticket/12212
7. https://trac.torproject.org/projects/tor/ticket/11253
8. https://trac.torproject.org/projects/tor/ticket/10425
9. https://trac.torproject.org/projects/tor/ticket/11772
10. https://trac.torproject.org/projects/tor/ticket/11699
11. https://trac.torproject.org/projects/tor/ticket/11510
12. https://trac.torproject.org/projects/tor/ticket/11722
13. https://trac.torproject.org/projects/tor/ticket/11763
14. https://trac.torproject.org/projects/tor/ticket/11834
15. https://trac.torproject.org/projects/tor/ticket/11835
16. https://trac.torproject.org/projects/tor/ticket/9701
17. https://lists.torproject.org/pipermail/tor-qa/2014-June/000428.html
18. https://trac.torproject.org/projects/tor/ticket/9387
19. https://trac.torproject.org/projects/tor/ticket/4234
20. https://trac.torproject.org/projects/tor/ticket/10935
21. https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports
22. https://trac.torproject.org/projects/tor/ticket/9268
23. https://trac.torproject.org/projects/tor/ticket/10819
24. https://trac.torproject.org/projects/tor/ticket/11102
25. http://noscript.net/changelog
26. https://bugs.torproject.org/12460
27. https://trac.torproject.org/projects/tor/ticket/5798

-- 
Mike Perry
_______________________________________________ tor-reports mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
