In December, the Tor Browser team released 4.0.2[1] and 4.5-alpha-2[2]. The 4.0.2 updates the 4.0.x users to the latest Firefox 31.3.0ESR release. It also fixed a regression in third party cache isolation (tracking protection) that appeared in the 4.0 release, due to changes in the underlying Firefox cache implementation[3]. It also features fixes to locale fingerprinting leaks through Javascript[4,5], as well as fixes to the mingw-w64 compiler that were resulting in crash bugs on Windows[6,7]. We also fixed an update failure for Windows XP users[8].
The 4.5-alpha-2 release features fixes to the security slider and circuit status UI[9,10], as well as a fix for a third party tracking regression in the use of HTTP authentication[11] that was caused due to over-zealous removal of Torbutton code[12]. Beyond the 4.5-alpha-2 work, we have also implemented the code changes necessary for signing incremental updates[13]. With these changes, updates will be authenticated through the pinned HTTPS certificate, as well as individual file signatures. This will prevent compromise of dist.torproject.org from yielding the ability to distribute malicious updates to our users. We also improved the Canvas permissions prompt to eliminate warnings during the display of PDFs, and during use of the Web Developer Console[14]. At the end of the month, Mike Perry and Seth Schoen gave a talk at the Chaos Communications Congress on Reproducible Builds, covering the work in Tor Browser, as well as related efforts by F-Droid and Debian. A video recording of their talk can be viewed online[15]. The full list of tickets closed by the Tor Browser team in September can be seen using the TorBrowserTeam201412 tag on our bug tracker[16]. This list is a bit sparse due to both the holidays and because of the large volume of patches waiting for review to be merged in the next 4.5-alpha series[17]. Next month, we will continue to stabilize 4.5-alpha. The merge window for Firefox 38 is also approaching in mid-February. Our primary target for this merge window is our third party tracking protection patches. At the end of January, we will be holding a Usability Sprint at the University of California at Berkeley, with the goal of performing user studies and providing feedback for future usability improvements to the browser. For more details, see the wiki page[18]. The full list of tickets that the Tor Browser team plans to work on in January can be seen using the TorBrowserTeam201501 tag on our bug tracker[19]. 1. https://blog.torproject.org/blog/tor-browser-402-released 2. https://blog.torproject.org/blog/tor-browser-45-alpha-2-released 3. https://trac.torproject.org/projects/tor/ticket/13742 4. https://trac.torproject.org/projects/tor/ticket/5926 5. https://trac.torproject.org/projects/tor/ticket/13019 6. https://trac.torproject.org/projects/tor/ticket/13443 7. https://trac.torproject.org/projects/tor/ticket/13558 8. https://trac.torproject.org/projects/tor/ticket/13594 9. https://trac.torproject.org/projects/tor/ticket/13671 10. https://trac.torproject.org/projects/tor/ticket/13672 11. https://trac.torproject.org/projects/tor/ticket/13784 12. https://trac.torproject.org/projects/tor/ticket/13742 13. https://trac.torproject.org/projects/tor/ticket/13379 14. https://trac.torproject.org/projects/tor/ticket/13439 15. http://media.ccc.de/browse/congress/2014/31c3_-_6240_-_en_-_saal_g_-_201412271400_-_reproducible_builds_-_mike_perry_-_seth_schoen_-_hans_steiner.html 16. https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorBrowserTeam201412 17. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201501R 18. https://trac.torproject.org/projects/tor/wiki/org/meetings/2015UXsprint 19. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201501 -- Mike Perry
signature.asc
Description: Digital signature
_______________________________________________ tor-reports mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
