In August, the Tor Browser team made two releases: 3.6.4 and 4.0-alpha-1[1].
3.6.4 primarily featured a fix to emit log message notifications that detect the BlackHat attack[2]. 4.0-alpha-1 features improvements to NoScript to allow scripts to be more easily enabled or disabled for an entire page at once (called "cascading permissions")[3], a workaround for a hang on New Identity[4], a fingerprinting fix[5], and some usability fixes to Torbutton and Tor Launcher[6,7,8,9]. It also reorganizes the directory structure to support our Firefox-based updater[10].

For the remainder of the month, the team focused on preparing 3.6.5 and 4.0-alpha-2, which will be released on September 2nd, to coincide with the Mozilla Firefox security update (24.8.0). 3.6.5 features improvements to the HTML5 Canvas Image Data extraction permission prompt[11], disables NTLM and Negotiate auth for privacy reasons[12], fixes a Linux hardening regression[13], fixes a popup-based fingerprinting issue[14], and also fixes a fingerprinting regression[15].

4.0-alpha-2 includes those changes as well as support for the built-in Firefox-based updater[16]. Users will be able to update their Tor Browser through the in-browser update UI, but updates will not be installed automatically just yet. We will be continually evaluating the reliability and security of this updater to determine if and when we will allow it to provide fully automated updates without user interaction. The 4.0-alpha-2 release also fixes the Windows hardening issues[17] mentioned in the iSEC hardening study[18], and fixes some additional configuration-related usability issues[19,20,21].

August also saw the completion of the Google Summer of Code, with student Marc Juarez completing his research prototype for defenses against Website Traffic Fingerprinting[22,23]. We are looking forward to seeing the results of his further research using this prototype to help guide defenses in Tor against Website Traffic Fingerprinting.

On the QA and testing front, we have begun running the Mozilla XPCShell tests on Tor Browser releases[24], and have identified which of our patches break which tests in the suite[25]. This information should greatly help with identifying potential issues with our patches, and with ensuring that Mozilla's tests continue to pass or can be fixed where needed when they merge our patches. We also wrote an independent, static implementation of Mozilla's update manifest specification, to avoid running dynamic code on our update servers[26].

We also made some preliminary progress on switching to Firefox 31ESR, which supersedes Firefox 24 on October 14th. We performed a preliminary audit of the new features and APIs in Firefox[27], have begun building test builds of Firefox 31ESR in our build infrastructure to identify potential build issues specific to our build system[28], and have rebased our patchset to this version and have begun writing unit tests[29].

The full list of tickets closed by the Tor Browser team in August can be seen using the TorBrowserTeam201408 tag on our bugtracker[30].

In September, our focus will be on rebasing our patches for Firefox 31 ESR and ensuring that release is behaving correctly. Firefox 24 is officially end of life on October 14th, so making sure we have a smooth transition is currently top priority, after which we will be submitting our new, updated patches back to Mozilla for review and potential inclusion in upstream Firefox. The full list of work we need to get done for this to happen is all currently tagged with our TorBrowserTeam201409 tag[31]. It is going to be quite a busy month, but with any luck, we'll even be able to update the 4.0-alpha users to this new 31ESR-based Tor Browser through the in-browser updater!

1. https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released
2. https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
3. https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/?page=1#version-2.6.8.31
4. https://trac.torproject.org/projects/tor/ticket/9531
5. https://trac.torproject.org/projects/tor/ticket/9268
6. https://trac.torproject.org/projects/tor/ticket/11199
7. https://trac.torproject.org/projects/tor/ticket/11471
8. https://trac.torproject.org/projects/tor/ticket/9516
9. https://trac.torproject.org/projects/tor/ticket/10819
10. https://trac.torproject.org/projects/tor/ticket/11641
11. https://trac.torproject.org/projects/tor/ticket/12684
12. https://trac.torproject.org/projects/tor/ticket/12974
13. https://trac.torproject.org/projects/tor/ticket/12103
14. https://trac.torproject.org/projects/tor/ticket/9881
15. https://trac.torproject.org/projects/tor/ticket/2874
16. https://trac.torproject.org/projects/tor/ticket/4234
17. https://trac.torproject.org/projects/tor/ticket/10065
18. https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study
19. https://trac.torproject.org/projects/tor/ticket/11405
20. https://trac.torproject.org/projects/tor/ticket/12444
21. https://trac.torproject.org/projects/tor/ticket/12895
22. https://bitbucket.org/mjuarezm/obfsproxy-wfpadtools/
23. https://gitweb.torproject.org/user/mikeperry/torspec.git/blob/refs/heads/multihop-padding-primitives:/proposals/ideas/xxx-multihop-padding-primitives.txt
24. https://trac.torproject.org/projects/tor/ticket/12570
25. http://93.95.228.164/reports/index-browserunit.html
26. https://trac.torproject.org/projects/tor/ticket/12622
27. https://trac.torproject.org/projects/tor/ticket/12621
28. https://trac.torproject.org/projects/tor/ticket/12460
29. https://trac.torproject.org/projects/tor/ticket/12620
30. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201408
31. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201409

--
Mike Perry
_______________________________________________
tor-reports mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
