In April, the Tor Browser team released 4.0.7[1], 4.0.8[2] and 4.5[3]. The 4.0.7 and 4.0.8 releases were created to deal with two hidden service crash issues in the included Tor binary. Unfortunately, a build/versioning issue with 4.0.7 caused that version to experience an update loop[4], so 4.0.8 was released to deal with this immediately afterwards.
The 4.5-stable release represents the culmination of the past several months of usability, security, and privacy improvements in the Tor Browser 4.5 series. While we are excited for this release series to finally be in our users' hands, we decided that it was safest to withhold automatically updating the 4.0 users to the 4.5 series until we could determine if there were any serious regressions due to this release. This proved to be a wise move, as it turned out that an obscure bug prevents Windows 7 users from properly using the Meek transport in 4.5.0[5]. This regression will be fixed in 4.5.1 next week, and we will push out the 4.5.1 update to all 4.0 users at that time. Otherwise, the 4.5-stable release was well received. For a review of the extensive improvements in the entire 4.5 series since 4.0, we invite interested readers to view the 4.5 release blog post[3].

Since the 4.5a5 release last month, we made several finishing touches to usability, security, and privacy properties for the 4.5-stable release.

On the usability front, we improved the Linux launcher script's argument handling and added the ability to register Tor Browser as a proper Linux Desktop app[6]. We also improved the circuit and HTTP keep-alive handling to reduce instances of sudden site behavior changes[7,8], and made additional improvements to the initial configuration wizard[9,10,11,12]. We also fixed some annoying bugs when using HTTP authentication and when interacting with the TLS connection info window[13].

On the security front, we improved some configuration properties of the Security Slider[14,15], fixed a crash bug related to disabled SVG images[16], and improved our Windows signing process to ensure that the official Windows signatures can be reproducibly removed[17] (to maintain build verification ability[18] for our final signed official Windows packages).

On the privacy front, we discovered additional APIs that present issues for the privacy of Tor Browser users.
The URL.createObjectURL API[19] enables the creation of special globally-scoped UUID URLs (so called 'blob:' URLs) that can contain arbitrary content data. These URLs can be used to tag users and track them across sites. We reduced the scope of these objects to the top-level URL bar domain that they are created under, and ensured that these URLs are properly cleared during New Identity[20].

We also disabled the SharedWorker API[21], because it enables cross-site third party communication and tracking[22]. We additionally disabled the Video Statistics API[23] extensions, as well as the Device Sensor API[24], for fingerprinting reasons[25,26]. We also improved our resolution fingerprinting defenses to properly spoof the current device pixel ratio[27].

In order to help us communicate the changes in the 4.5 series to technical audiences such as Mozilla and the W3C, we also updated the Tor Browser Design Document[28] to cover the changes in the 4.5 series[29]. In particular, we will be sending the updated fingerprinting section[30] to the W3C, to provide input for the new W3C fingerprinting guidance document[31].

To help ensure that future HTTP standards remain compatible with the Tor network and do not negatively impact our ability to provide tracking defenses, we submitted a position paper[32] to the HTTP/3 workshop[33]. Our position paper also covers important enhancements we would like to see in HTTP. Specifically, we are very interested in mandatory authenticated TLS for confidentiality and integrity, as well as improved defenses against traffic fingerprinting and traffic analysis.

The full list of tickets closed by the Tor Browser team in April can be seen using the TorBrowserTeam201504 tag on our bug tracker[34].

In May, our focus is to fix as many remaining issues and regressions in the 4.5 series as possible, and release 4.5.1 for this on May 12th. The current set of known regressions is tagged with tbb-4.5-regression[35].
Following the 4.5.1 release, our efforts will switch to rebasing our patches and reviewing the developer documentation for Firefox releases since Firefox 31. We will be updating the Mozilla bugs with new patches as soon as possible. The set of tickets on our radar for the Firefox 38 switch can be viewed with the ff38-esr bug tracker tag[36].

The full list of tickets that the Tor Browser team plans to work on in May can be seen using the TorBrowserTeam201505 tag on our bug tracker[37].

1. https://blog.torproject.org/blog/tor-browser-407-released
2. https://blog.torproject.org/blog/tor-browser-408-released
3. https://blog.torproject.org/blog/tor-browser-45-released
4. https://trac.torproject.org/projects/tor/ticket/15637
5. https://trac.torproject.org/projects/tor/ticket/15872
6. https://trac.torproject.org/projects/tor/ticket/15747
7. https://trac.torproject.org/projects/tor/ticket/4100
8. https://trac.torproject.org/projects/tor/ticket/15482
9. https://trac.torproject.org/projects/tor/ticket/15704
10. https://trac.torproject.org/projects/tor/ticket/11879
11. https://trac.torproject.org/projects/tor/ticket/13576
12. https://trac.torproject.org/projects/tor/ticket/15657
13. https://trac.torproject.org/projects/tor/ticket/14716
14. https://trac.torproject.org/projects/tor/ticket/15533
15. https://trac.torproject.org/projects/tor/ticket/15795
16. https://trac.torproject.org/projects/tor/ticket/15794
17. https://trac.torproject.org/projects/tor/ticket/15539
18. https://www.torproject.org/projects/torbrowser/design/#BuildSecurity
19. https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL
20. https://trac.torproject.org/projects/tor/ticket/15502
21. https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker
22. https://trac.torproject.org/projects/tor/ticket/15562
23. https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties
24. https://wiki.mozilla.org/Sensor_API
25. https://trac.torproject.org/projects/tor/ticket/15758
26. https://trac.torproject.org/projects/tor/ticket/15757
27. https://trac.torproject.org/projects/tor/ticket/13875
28. https://www.torproject.org/projects/torbrowser/design/
29. https://trac.torproject.org/projects/tor/ticket/15580
30. https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
31. https://w3c.github.io/fingerprinting-guidance/
32. https://gitweb.torproject.org/tor-browser-spec.git/plain/position-papers/HTTP3/HTTP3.pdf
33. https://httpworkshop.github.io/
34. https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorBrowserTeam201504
35. https://trac.torproject.org/projects/tor/query?keywords=~tbb-4.5-regression
36. https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~ff38-esr
37. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201505

-- 
Mike Perry
tor-reports mailing list: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
