In October, the Tor Browser team made two releases: 4.0, and 4.0.1[1,2]. The 4.0 release marked the stabilization of our 4.0-alpha series, as well as the transition to Firefox 31ESR. The new UI is quite a bit more streamlined than the old Tor Browser, owing to Firefox's new Australis layout, as well as our improved ability to customize this layout[3]. The release also featured fingerprinting fixes and improvements[4,5,6,7,8,9], defense-in-depth checks for proxy safety[10], and disabled SSLv3 to prevent the POODLE attack[11]. We were also able to enable WebGL on Windows in this release[12] (though it is still click-to-play via NoScript). The full set of tickets that went into this Firefox 31 rebase can be found using the ff31-esr tag in our bug tracker[13]. Full changelogs for the 4.0 series are also on the blog release post.

However, this transition was a little bumpier than we would have liked. In particular, a Windows crash bug due to our Windows cross-compiler caused us to have to release 4.0.1 shortly afterwards[14].

We also updated the Tor Browser design document[15] to cover the 4.0 series, describe our build reproducibility enhancements[16], and update the list of fingerprinting attacks and defenses[17]. We've also discussed private browsing mode standardization[18] with some members of the W3C, and will be sending interested W3C people the updated design document links.

The remainder of the month was spent preparing 4.5-alpha-1, which unfortunately only just barely didn't make it out in October. For this release, we deployed SOCKS username and password support to isolate all requests for a URL bar domain on the same Tor circuit[19], implemented a browser UI for displaying the current circuit and exit IP address[20], implemented the Security Slider, backported HTTPS certificate pinning support[21], switched to 64-bit builds for Mac OS X[22], integrated the new obfs4proxy pluggable transport[23], added (reproducible) incremental update support to reduce update download size (from ~40M down to 2M)[24], fixed an updater issue with our extension compatibility checks[25], and fixed a locale fingerprinting issue[26].

We also performed an experiment to test Mozilla Persona[27], to determine if we could easily adapt it to serve as a mechanism to anonymously prove that users had completed a captcha or some other proof-of-scarcity. Unfortunately, it seems as though Mozilla has left the system in a rather unusable state for us. In an attempt to drive adoption, they made two implementations: A "legacy" version using JavaScript and DOM Storage for non-Firefox browsers, and a "native" version using code in Firefox.
Unfortunately, the so-called legacy non-Firefox implementation appears to be incompatible with the native implementation, at least to the point where all sites that currently use Persona would have to upgrade to new code written by us, as well as new user-facing behavior. In short, if we were to try to make use of Persona, we'd have to choose either compatibility or privacy, and could not have both. This (coupled with the recent "community support" status of Persona[28]) has led us to conclude that we would be better off pursuing other options[29].

The full list of tickets closed by the Tor Browser team in October can be seen using the TorBrowserTeam201410 tag on our bug tracker[30].

In November, we will focus on stabilizing 4.5-alpha, work on supporting per-file signatures on our updates[31], work on fixing remaining bugs with our updater[32,33,34], and will continue updating all of our patches and adding unit tests in the Mozilla bug tracker[35]. We also hope to set up an auto-rebased branch for use with the official Mozilla testing infrastructure, to help ensure our patches continue to pass unit tests and to avoid surprise conflicts and regressions.

The full list of tickets that the Tor Browser team plans to work on in November can be seen using the TorBrowserTeam201411 tag on our bug tracker[36].

1. https://blog.torproject.org/blog/tor-browser-40-released
2. https://blog.torproject.org/blog/tor-browser-401-released
3. https://trac.torproject.org/projects/tor/ticket/13318
4. https://trac.torproject.org/projects/tor/ticket/13027
5. https://trac.torproject.org/projects/tor/ticket/13016
6. https://trac.torproject.org/projects/tor/ticket/13025
7. https://trac.torproject.org/projects/tor/ticket/13023
8. https://trac.torproject.org/projects/tor/ticket/13021
9. https://trac.torproject.org/projects/tor/ticket/13186
10. https://trac.torproject.org/projects/tor/ticket/13028
11. https://trac.torproject.org/projects/tor/ticket/13416
12. https://trac.torproject.org/projects/tor/ticket/10715
13. https://trac.torproject.org/projects/tor/query?keywords=~ff31-esr&status=closed
14. https://trac.torproject.org/projects/tor/ticket/13443
15. https://www.torproject.org/projects/torbrowser/design/
16. https://www.torproject.org/projects/torbrowser/design/#BuildSecurity
17. https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
18. https://w3ctag.github.io/private-mode/
19. https://trac.torproject.org/projects/tor/ticket/5752
20. https://trac.torproject.org/projects/tor/ticket/8641
21. https://trac.torproject.org/projects/tor/ticket/11955
22. https://trac.torproject.org/projects/tor/ticket/10138
23. https://trac.torproject.org/projects/tor/ticket/12903
24. https://trac.torproject.org/projects/tor/ticket/13324
25. https://trac.torproject.org/projects/tor/ticket/13301
26. https://trac.torproject.org/projects/tor/ticket/13019
27. https://trac.torproject.org/projects/tor/ticket/12193
28. http://identity.mozilla.com/post/78873831485/transitioning-persona-to-community-ownership
29. https://lists.torproject.org/pipermail/tor-dev/2014-October/007686.html
30. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201410
31. https://trac.torproject.org/projects/tor/ticket/13379
32. https://trac.torproject.org/projects/tor/ticket/13247
33. https://trac.torproject.org/projects/tor/ticket/13512
34. https://trac.torproject.org/projects/tor/ticket/13594
35. https://trac.torproject.org/projects/tor/ticket/12619
36. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201411

-- Mike Perry
