In July, the Tor Browser team released Tor Browser 3.6.3[1]. This release featured a Firefox update, as well as updates to the obfsproxy and FTE pluggable transports. It also featured UI and fingerprinting fixes for Torbutton[2], and a desktop usability fix for Linux[3].
The first week of July was spent with most of the team at the Tor Developer meeting in Paris[4]. This meeting allowed us to coordinate team member responsibilities and schedule our remaining deliverables for SponsorP. This schedule has been transcribed to our wiki[5].
In terms of other organizational changes and improvements, we have decided to shift our weekly IRC meetings to Mondays at 18:00 UTC (14:00 EDT)[6]. The meeting format[7] remains the same, but the hope is that having meetings on Mondays rather than Fridays will help shift the focus towards planning the coming week, rather than primarily reporting on what happened during the previous week.
We have also begun tagging our monthly planned tickets in the bug tracker. Interested parties can obtain an in-depth view of the tickets we have completed in a given month by viewing a URL similar to:
https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorBrowserTeam201407
Similarly, the currently opened tickets we plan to make progress on during a given month can be observed with a URL similar to:
https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~TorBrowserTeam201408
All tickets for the month (opened and closed) can be obtained by omitting the status modifier:
https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201408
We intend to update these tags on a monthly basis during the first IRC meetings of the month. Tickets should begin to appear in that TorBrowserTeam201408 tag URL after August 4th.
We also investigated the use of our security token from DigiCert for signing Windows bundles, and planned some infrastructure deployment to better support multiple release series and secure codesigning. DigiCert has a proprietary set of tools for code signing Windows from Linux using this token that we need to experiment with to see if they will work in our current distributed environment.
In terms of ongoing development on the upcoming 4.0-alpha release series, we continued our efforts on the Tor Browser auto-updater[8]. We discovered that the Firefox updater does not support symlinks[9], which we require for some of our pluggable transports. After this, the remaining barrier to deploying updates is an update responder script[10]. Unfortunately, due primarily to intermittent failures with the updated mingw-64 toolchain that is required for features in 4.0-alpha[11,12], we have not yet released 4.0-alpha-1 as we had hoped in the previous status report, but plan to do so in August.
On the Mozilla front, Firefox 31 was released this month, and we've begun preparing our Linux toolchain for Firefox ESR 31[13,14]. We hope to begin rebasing our patches as soon as possible.
We also solidified the positions of the Security Slider based on the input from the iSEC report[15]. Development can begin immediately on this functionality, but may be delayed until we get a solid start on the rebase work to support Firefox 31ESR.
Google Summer of Code student Marc Juarez is making good progress on his project to prototype defenses to Website Traffic Fingerprinting attacks using the obfsproxy pluggable transport as the base implementation for his research prototype (called wfpadtools)[16]. We discussed a set of primitives at the Tor Dev meeting and posted them[17], and Marc is working towards implementing them.
In August, we hope to have a public blog post summarizing the iSEC report, and enumerating our plans to address the issues contained therein. We also hope to release 4.0-alpha-1, expect a pointfix release in the 3.6 series to pick up the log message notifications that detect the BlackHat attack[18], and plan to continue our testing with Gitian builds of Firefox 31, and begin rebasing patches. We also hope to finally solve the remaining issues preventing Windows users from successfully using Pluggable Transports with HTTP and SOCKS proxies[19].
As stated previously, the tickets from Monday's planning meeting should be available August 4th or 5th[20].
1. https://blog.torproject.org/blog/tor-browser-363-released
2. https://trac.torproject.org/projects/tor/ticket/9268
3. https://trac.torproject.org/projects/tor/ticket/11102
4. https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting
5. https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorP#TimelinefromDevMeeting
6. https://lists.torproject.org/pipermail/tbb-dev/2014-August/000100.html
7. https://lists.torproject.org/pipermail/tbb-dev/2014-February/000000.html
8. https://trac.torproject.org/projects/tor/ticket/4234
9. https://trac.torproject.org/projects/tor/ticket/12647
10. https://trac.torproject.org/projects/tor/ticket/12622
11. https://trac.torproject.org/projects/tor/ticket/12391
12. https://trac.torproject.org/projects/tor/ticket/12753
13. https://bugs.torproject.org/12462
14. https://bugs.torproject.org/12743
15. https://trac.torproject.org/projects/tor/ticket/9387#comment:43
16. https://bitbucket.org/mjuarezm/obfsproxy-wfpadtools/
17. https://gitweb.torproject.org/user/mikeperry/torspec.git/blob/refs/heads/multihop-padding-primitives:/proposals/ideas/xxx-multihop-padding-primitives.txt
18. https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
19. https://bugs.torproject.org/12381
20. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201408
-- Mike Perry
