Lunar:
Georg Koppen:
Hi,
we have built some nightlies for the upcoming switch to ESR 31 and they are even reproducible, which is good news. They can be found on https://people.torproject.org/~gk/testbuilds/esr31-nightly/. Testing them would be really helpful. Do the bundles start at all (especially on older OSes like Debian stable and Windows XP)? If so, do you see any weird and/or broken things not already found among https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~... ?
Feedback from testing the English OS X version:
When I click on the menu on the right, I have the prominent choice between “New Window” and “New Private Window”. That's confusing in the Tor Browser setting.
Right there, there's also a “Fullscreen” entry. Given the fingerprinting issue, this should also not be encouraged like that!
I fixed these two and some other things about the menu that annoyed me in https://trac.torproject.org/projects/tor/ticket/13318.
Same menu, there's “Sign in to Sync”. Do we want that?
Not sure. Sync used to be end-to-end encrypted and opt-in to things like pref sync (which is bad for us). They were thinking about changing it though, and I have no idea how well it behaves if you have a TBB and a normal Firefox hooked up to your sync account.
Unfortunately, this "Sign in to sync" option is not possible to remove with just pref changes.
Icons can be moved through the “Customize” entry at the bottom, so I hope this is doable without crazy tweaks.
Yes, for the most part. I think I also want the menu bar to come back, but that option seems independent of any pref.
I still can't do NTLM authentication, despite `network.negotiate-auth.allow-insecure-ntlm-v1-https` being set to `true`. That's a bit annoying.
Are there actually public sites that use NTLM? I thought NTLM was mostly an enterprise LAN thing, which we were unlikely to encounter via Tor and the public Internet. Is this something you have noticed, or is this becoming a common support question?
We disabled it because the NTLM protocol can leak username, hostname, perform non-Tor DNS lookups, etc. It's also very hard to control all of this, because many auth mechanisms are implemented by the underlying OS and not by Firefox, and if you lump in SPNEGO, there's a ton of crazy shit that can happen.
The version string still says “Firefox/24.0”.
Also fixed.
Thanks for your feedback! The changes should appear in the next nightly.