tbb-dev August 2014

tbb-dev@lists.torproject.org

5 participants
6 discussions

Tor Browser self-updater vs. sandboxing
by intrigeri 22 Sep '14

22 Sep '14

Hi, while discussing opportunities for increased cooperation between Tails and Freepto [1] recently, I've mentioned the upcoming Tor Browser's self-updater, and one of the Freepto developers rightly noted that there may be a fundamental incompatibility between this updater, and the desire to confine the browser in a sandbox. Indeed, it seems quite clear to me that one of the important tasks such a sandbox should fulfill would be... to avoid the confined program from modifying itself. It seems that supporting such sandboxes is part of your plans ([2], [3]), so I'm curious: what's the TBB team's take on this problem? [1] http://www.freepto.mx/ [2] https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorP [3] https://trac.torproject.org/projects/tor/ticket/5791 Cheers, -- intrigeri

2 2

Is JS monkey patching viable as a fingerprinting countermeasure?
by Arthur D. Edelstein 22 Sep '14

22 Sep '14

Hi All, I'm wondering about the history of JS fingerprinting mitigation in Tor Browser. What prompted the change of approach from JavaScript hooks to C++ patches? I had read something about a race condition discovered, but I haven't found more details. I've been thinking about the idea of developing a C++ patch for Tor Browser (and Firefox) that allows extensions to securely replace arbitrary members (functions and properties) of the global window object at runtime, before content is loaded. By "secure" I mean that, by design, there would be no workaround for content scripts to access the original window object members. (Maybe this capability already exists -- I don't know.) The advantages of this monkey patching approach over addressing fingerprinting vulnerabilities with C++ patches is (1) it would (I think) simplify fingerprinting countermeasures, and (2) it would reduce the number of Firefox C++ patches that Mozilla needs to accept. Is this idea worth pursuing further? Thanks, Arthur

3 4

TBB and h.264 default configuration
by La Colectividad 07 Aug '14

07 Aug '14

Hi folks, I have a simple question: why is that TBB has by default the option media.gstreamer as "false"? (At least in Linux). I need to have it "enabled" in order to watch videos on, say, Vimeo (which requires h.264). I know how to do this from about:config, but this makes me wonder whether it is safe to enable it and surf the web with TBB (I guess this is my real question). Thanks a lot. Best, Col.

1 0

No more click-to-play barrier on YouTube: new feature, or regression?
by intrigeri 05 Aug '14

05 Aug '14

Hi, with TBB 3.6.3 (and possibly a few versions earlier), I see no click-to-play barrier on YouTube, while the manual test suite [1] still reads "Will have a NoScript click-to-play barrier, but should play after clicking it." So my question is: is the behavior I'm seeing a regression, or a new feature? If the former, then I'll file a Trac ticket about it. If the latter, then I will update the testing documentation. [1] https://trac.torproject.org/projects/tor/wiki/doc/build/BuildSignoff#TestPa… Cheers, -- intrigeri

2 2

Tor Browser Weekly IRC meetings moved to 18:00 UTC Mondays
by Mike Perry 01 Aug '14

01 Aug '14

Hello all, We've decided to relocate the Tor Browser team meeting to 18:00 UTC on Mondays (aka 20:00 CEST, 14:00 EDT, and 11:00 PDT). We've done this to try to shift the focus of our meetings towards planning for the coming week. I felt that with a meeting on Friday, we were too focused on what had been done, and that after the weekend, we'd already forgotten what we'd plan to do. That said, because it still will be useful to report what was actually done, and because a large amount of our workload is still devoted to reacting to issues that came up during the week, the overall meeting format will still be more or less in the form of the original post, just with more of an emphasis on what you plan to do rather than what you did: https://lists.torproject.org/pipermail/tbb-dev/2014-February/000000.htmla We'll also still be using the monthly trac keyword for tracking development plans. On Monday, we should plan to transfer the July tickets to August, and add or drop tickets as necessary: https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam2014… This change is effective immediately. Our next meeting is August 4th. We will not have the meeting this Friday (August 1st). -- Mike Perry

1 0

stopgap fix for ticket #9516 (Show log in Tor Browser)
by Mark Smith 01 Aug '14

01 Aug '14

Is it is too late to include a small but possibly important Tor Launcher improvement in TB 3.6.4? Please take a look at: https://trac.torproject.org/projects/tor/ticket/9516#comment:7 If Mike and others think the change is useful, it would be trivial to merge this fix into Tor Launcher's maint-0.2.5 branch (for TB 3.6.4). -- Mark Smith Pearl Crescent http://pearlcrescent.com/

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

tbb-dev August 2014