tbb-dev August 2021

tbb-dev@lists.torproject.org

2 participants
2 discussions

Attn: Beginning 91esr transition, expect Nightly breakage
by Matthew Finkel 30 Aug '21

30 Aug '21

Hello everyone, Tor Browser's transition from Firefox 78esr to Firefox 91esr is in progress. Please expect Nightly breakage (and sorry for any inconvenience this causes). Please open issues on Gitlab [0] when you experience new bugs and regressions. Thanks, Matthew [0] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/new

1 0

Disabling JITs in the Tor Browser
by sanketh 05 Aug '21

05 Aug '21

Hello, Edge Vuln Research just dropped the amazing named "Super Duper Secure Mode" [1]---an interesting albeit slightly provocative statement they make in the announcement is that JITs may not be worth it for security-sensitive users, since they account for about half the bugs in V8 (Chromium's JS engine) and their new research shows that disabling JITs, despite the huge performance regressions in traditional JS benchmarks, is rarely noticeable in real-life. I don't think tbb is new to clamping down JS (for security-sensitive users), but this idea of disabling JITs might be interesting to look into*. First, taking a step back, recall that modern browsers execute JS by converting it into bytecode and then using an interpreter to execute, and functions that are "hot" (executed many times) are recompiled using a JIT to produce faster code. This is super simplified, see [2] for a more technical overview of how this works in Firefox. I think this idea can be used to improve the Tor Browser, 1. we can disable JITs in "Safer" mode which would reduce usability but improve security; and 2. we can enable JS and disable JITs in "Safest" mode which would reduce significantly improve usability but degrade security. On a more meta note, this wouldn't be hard to implement, Firefox has prefs to enable and disable this stuff, and @freddyb's tweet [3] seems to confirm this intuition. What do y'all think? Best, Sanketh *disabling JITs was discussed in the tor issue tracker 4 years ago [4] but most of the then concerns (like changing build settings) seem to have been resolved and JITs are now enabled across the browser (they were not enabled for content back then) and so this, I feel, can use fresh eyes. [1]: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ [2]: https://hacks.mozilla.org/2020/11/warp-improved-js-performance-in-firefox-8… [3]: https://twitter.com/freddyb/status/1423020386560712705?s=20 [4]: https://gitlab.torproject.org/legacy/trac/-/issues/21011

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

tbb-dev August 2021