Not sure if there is an open ticket I should be monitoring, or a meeting I missed, but just saw the Firefox update to address Meltdown and Spectre: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
Are Tor Browser and Orfox vulnerable these attacks? Has this been covered somewhere else?
Thanks, and just figuring out if my week ahead is going to be spent on an urgent Orfox release or not!
+n
Right now the only things browsers have done is disable SharedArrayBuffer (which is not in 52) and reduce timer precision (which TB has already done more than any other browser.)
Eventually there will be patches to consider backporting, but they don't exist yet.
-tom
On 6 January 2018 at 18:03, Nathan Freitas nathan@freitas.net wrote:
Not sure if there is an open ticket I should be monitoring, or a meeting I missed, but just saw the Firefox update to address Meltdown and Spectre: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
Are Tor Browser and Orfox vulnerable these attacks? Has this been covered somewhere else?
Thanks, and just figuring out if my week ahead is going to be spent on an urgent Orfox release or not!
+n _______________________________________________ tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
On 7 Jan 2018, at 11:03, Nathan Freitas nathan@freitas.net wrote:
Not sure if there is an open ticket I should be monitoring, or a meeting I missed, but just saw the Firefox update to address Meltdown and Spectre: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
Are Tor Browser and Orfox vulnerable these attacks? Has this been covered somewhere else?
Thanks, and just figuring out if my week ahead is going to be spent on an urgent Orfox release or not!
Someone will need to confirm my analysis here:
Here's the security advisory link:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
The relevant section is:
Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.
SharedArrayBuffer is already disabled in Firefox 52 ESR.
The two relevant features are:
SharedArrayBuffer:
TBB 7.0 is based on Firefox 52 ESR. Does TBB also disable SharedArrayBuffer?
Is Orfox based on Firefox 52 ESR? Does Orfox also disable SharedArrayBuffer?
performance.now():
TBB 7.0 reduces performance.now() to 100ms. https://trac.torproject.org/projects/tor/ticket/1517 https://trac.torproject.org/projects/tor/ticket/16340
But there are other sources of high-resolution timers, that Mozilla hasn't covered: (Maybe someone should let them know?) https://trac.torproject.org/projects/tor/ticket/16110 https://trac.torproject.org/projects/tor/ticket/17412 https://trac.torproject.org/projects/tor/ticket/21010
Should TBB or Orfox apply some of these fixes?
Does Orfox reduce the precision of performance.now()?
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
On Jan 6, 2018 6:26 PM, "teor" teor2345@gmail.com wrote:
But there are other sources of high-resolution timers, that Mozilla hasn't covered: (Maybe someone should let them know?) https://trac.torproject.org/projects/tor/ticket/16110 https://trac.torproject.org/projects/tor/ticket/17412 https://trac.torproject.org/projects/tor/ticket/2101 https://trac.torproject.org/projects/tor/ticket/21010
We know :)
-tom
On 01/06/2018 07:26 PM, teor wrote:
On 7 Jan 2018, at 11:03, Nathan Freitas nathan@freitas.net wrote:
Not sure if there is an open ticket I should be monitoring, or a meeting I missed, but just saw the Firefox update to address Meltdown and Spectre: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
Are Tor Browser and Orfox vulnerable these attacks? Has this been covered somewhere else?
Thanks, and just figuring out if my week ahead is going to be spent on an urgent Orfox release or not!
To summarize, there isn't some secret, urgent TB release update happening... at least not yet.
Someone will need to confirm my analysis here:
Here's the security advisory link:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
The relevant section is:
Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.
SharedArrayBuffer is already disabled in Firefox 52 ESR.
The two relevant features are:
SharedArrayBuffer:
TBB 7.0 is based on Firefox 52 ESR. Does TBB also disable SharedArrayBuffer?
Good question!
Is Orfox based on Firefox 52 ESR? Does Orfox also disable SharedArrayBuffer?
If TB does, then Orfox should, as long as it is in the Gecko part of things. I don't think anything can be done in the Android/Java layer to mitigate these vulnerabilities.
performance.now():
TBB 7.0 reduces performance.now() to 100ms. https://trac.torproject.org/projects/tor/ticket/1517 https://trac.torproject.org/projects/tor/ticket/16340
But there are other sources of high-resolution timers, that Mozilla hasn't covered: (Maybe someone should let them know?) https://trac.torproject.org/projects/tor/ticket/16110 https://trac.torproject.org/projects/tor/ticket/17412 https://trac.torproject.org/projects/tor/ticket/21010
Should TBB or Orfox apply some of these fixes?
Does Orfox reduce the precision of performance.now()?
Same answer as above... we likely inherit anything TB does.
+n
SharedArrayBuffer is not in 52. You can verify by opening a console and typing SharedArrayBuffer.
You can verify performance.now() rounding by confirming it's output ends in two zeros with no decimal.
-tom
On 8 January 2018 at 09:27, Nathan Freitas nathan@freitas.net wrote:
On 01/06/2018 07:26 PM, teor wrote:
On 7 Jan 2018, at 11:03, Nathan Freitas nathan@freitas.net wrote:
Not sure if there is an open ticket I should be monitoring, or a meeting I missed, but just saw the Firefox update to address Meltdown and Spectre: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
Are Tor Browser and Orfox vulnerable these attacks? Has this been covered somewhere else?
Thanks, and just figuring out if my week ahead is going to be spent on an urgent Orfox release or not!
To summarize, there isn't some secret, urgent TB release update happening... at least not yet.
Someone will need to confirm my analysis here:
Here's the security advisory link:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
The relevant section is:
Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.
SharedArrayBuffer is already disabled in Firefox 52 ESR.
The two relevant features are:
SharedArrayBuffer:
TBB 7.0 is based on Firefox 52 ESR. Does TBB also disable SharedArrayBuffer?
Good question!
Is Orfox based on Firefox 52 ESR? Does Orfox also disable SharedArrayBuffer?
If TB does, then Orfox should, as long as it is in the Gecko part of things. I don't think anything can be done in the Android/Java layer to mitigate these vulnerabilities.
performance.now():
TBB 7.0 reduces performance.now() to 100ms. https://trac.torproject.org/projects/tor/ticket/1517 https://trac.torproject.org/projects/tor/ticket/16340
But there are other sources of high-resolution timers, that Mozilla hasn't covered: (Maybe someone should let them know?) https://trac.torproject.org/projects/tor/ticket/16110 https://trac.torproject.org/projects/tor/ticket/17412 https://trac.torproject.org/projects/tor/ticket/21010
Should TBB or Orfox apply some of these fixes?
Does Orfox reduce the precision of performance.now()?
Same answer as above... we likely inherit anything TB does.
+n
tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
-
Nathan Freitas -
teor -
Tom Ritter