In March, the Tor Browser team released 4.0.5[1], 4.0.6[2] and 4.5a5[3].

The 4.0.5 release was unscheduled, and was triggered by an urgent "chemspill" release by Mozilla in response to the two vulnerabilities[4,5] exploited against Firefox in the Pwn2Own contest[6]. This release owes itself largely to the heroic efforts of Georg Koppen. Due to issues with one of the fixes, Mozilla did not have a release tag for the ESR series until late Friday night. Georg worked through the weekend to produce builds for the release of 4.0.5 early on Monday.

The 4.0.6 release was a regularly scheduled release the following week, and contained the latest round of memory safety hazard fixes in Firefox 31-ESR.

The 4.5a5 release is our last scheduled alpha release for the 4.5 series. It contains yet another round of usability and security improvements. Nearly all of our development effort this month was focused on the improvements present in the 4.5a5 release.

On the usability front, we've created a FreeDesktop-compatible launcher wrapper for Linux that can be invoked from either the GUI or the shell[7], and we also provide Windows users with the ability to add optional Start Menu and Desktop shortcuts[8]. The circuit usage of Tor Browser has also been improved to avoid transitioning to a new circuit for a website while it is in active use[9], and also to fix several other circuit display bugs[10,11,12,13,14,15].

On the security front, the Security Slider now has full descriptions of the browser behaviors that are changed at each security level[16], and also contains code to disable MathML and SVG at the medium-high and high security levels[17,18], respectively. This should mark the completion of the Security Slider properties recommended in the iSec Hardening Study.

It also appears that both Pwn2Own exploits would have been prevented by various positions on the security slider. The first[4] is blocked by disabling the ASM.JS JIT at the Medium-Low security level, and the second[5] is blocked at the High security level by blocking SVG images. It is also likely that the Medium-High security level would prevent the SVG exploit from being successful on non-HTTPS pages without an additional helper exploit against NoScript, since our NoScript settings for the Medium-High security level prevent script execution (including SVG script execution) in those contexts. Both the SVG and ASM.JS features were specifically highlighted in iSec's report[19] as having high vulnerability counts with respect to their utility for correct website function. These results are encouraging, and suggest that Tor Browser's entry into the Pwn2Own contest at our higher security levels may be worthwhile (rather than being purely redundant to Mozilla's entry).

On the browser fingerprinting front, we fixed a locale fingerprinting vector[20], and also made improvements to our display resolution fingerprinting defenses to better handle vertical displays[21], to automatically resize the browser window to a 200x100 pixel multiple after resize or maximization[22], and to perform similar resizing for full screen HTML5 video. Unfortunately, the resizing feature has proved to be very susceptible to cross-platform issues and general user frustration, and it may end up being off-by-default in the 4.5-stable release.

Finally, the Windows releases are also now signed using the hardware signing token graciously provided to us by DigiCert, so Windows users should no longer be warned about Tor Browser being downloaded from an "unknown publisher"[23].

Our updater and related build scripts also saw some improvements. Specifically, to aid independent build verification, the tools required to produce the update files are now authenticated with the rest of the build[24], and previous releases should now be downloaded automatically[25]. We also made some changes to reduce the size of our incremental updates by avoiding unnecessary updates to our addons[26].

On the team organization front, during the developer meeting at the beginning of the month, we produced a roadmap for the next 12 months[27]. We will be updating that page with specific tickets in the coming weeks. We also made efforts to communicate the nature of the Tor Browser release cycle with the rest of Tor, so as to better synchronize the releases of Tor Browser with core Tor and Pluggable Transports[28].

The full list of tickets closed by the Tor Browser team in March can be seen using the TorBrowserTeam201501 tag on our bug tracker[29].

In April, we will make the first release of our 4.5-stable series as an out-of-cycle release that does not coincide with any other security update, to give us the option to perform a "soft" release that does not force an update to 4.0-stable users until we are sure that there will be no surprise issues with this transition. The tickets we intend to focus on for the 4.5-stable release are tagged with tbb-4.5-alpha[30].

Following this 4.5-stable release, we will begin preparation to transition to the Firefox 38 branch. The initial prep work will include collecting our patches and rebasing them onto Firefox 38-beta, as well as updating the relevant Mozilla bugs.

The full list of tickets that the Tor Browser team plans to work on in April can be seen using the TorBrowserTeam201504 tag on our bug tracker[31].

1. https://blog.torproject.org/blog/tor-browser-405-released
2. https://blog.torproject.org/blog/tor-browser-406-released
3. https://blog.torproject.org/blog/tor-browser-45a5-released
4. https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
5. https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
6. https://en.wikipedia.org/wiki/Pwn2own
7. https://trac.torproject.org/projects/tor/ticket/13375
8. https://trac.torproject.org/projects/tor/ticket/14688
9. https://trac.torproject.org/projects/tor/ticket/15482
10. https://trac.torproject.org/projects/tor/ticket/13891
11. https://trac.torproject.org/projects/tor/ticket/14324
12. https://trac.torproject.org/projects/tor/ticket/14937
13. https://trac.torproject.org/projects/tor/ticket/15086
14. https://trac.torproject.org/projects/tor/ticket/15207
15. https://trac.torproject.org/projects/tor/ticket/15472
16. https://trac.torproject.org/projects/tor/ticket/9387#comment:82
17. https://trac.torproject.org/projects/tor/ticket/13548
18. https://trac.torproject.org/projects/tor/ticket/12827
19. https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study
20. https://trac.torproject.org/projects/tor/ticket/13019
21. https://trac.torproject.org/projects/tor/ticket/13650
22. https://trac.torproject.org/projects/tor/ticket/14429
23. https://trac.torproject.org/projects/tor/ticket/3861
24. https://trac.torproject.org/projects/tor/ticket/15023
25. https://trac.torproject.org/projects/tor/ticket/14959
26. https://trac.torproject.org/projects/tor/ticket/15406
27. https://trac.torproject.org/projects/tor/wiki/org/roadmaps/TorBrowser
28. https://lists.torproject.org/pipermail/tor-dev/2015-March/008428.html
29. https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorBrowserTeam201503
30. https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-4.5-alpha
31. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201504

--
Mike Perry
