[tor-talk] Reason Firefox version in TBB is so far behind?

2011-08-02 Thread Joe Btfsplk
Are there specific reasons for not using latest (or late-er) Firefox 
versions in Tor Browser Bundle?  Is it primarily because the latest 
version doesn't always work w/ Tor & fixes must be developed for Tor to 
deal w/ that?


I can understand that, but many of the changes in FF versions are 
security patches.  How does not using the FF version w/ latest security 
patches affect Tor users' security?

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Reason Firefox version in TBB is so far behind?

2011-08-02 Thread Andrew Lewman
On Tuesday, August 02, 2011 19:55:48 Joe Btfsplk wrote:
> Are there specific reasons for not using latest (or late-er) Firefox
> versions in Tor Browser Bundle?  Is it primarily because the latest
> version doesn't always work w/ Tor & fixes must be developed for Tor to
> deal w/ that?

It's the latest updated Firefox 3.6 branch.  FF4 branch has been killed and 
replaced with 5.  We have FF5 testing bundles. See 
https://blog.torproject.org/blog/new-tor-browser-bundles-3.

-- 
Andrew
pgp 0x74ED336B


Re: [tor-talk] Reason Firefox version in TBB is so far behind?

2011-08-02 Thread Joe Btfsplk

On 8/2/2011 7:10 PM, Andrew Lewman wrote:
> On Tuesday, August 02, 2011 19:55:48 Joe Btfsplk wrote:
>> Are there specific reasons for not using latest (or late-er) Firefox
>> versions in Tor Browser Bundle?  Is it primarily because the latest
>> version doesn't always work w/ Tor & fixes must be developed for Tor to
>> deal w/ that?
>
> It's the latest updated Firefox 3.6 branch.  FF4 branch has been killed and
> replaced with 5.  We have FF5 testing bundles. See
> https://blog.torproject.org/blog/new-tor-browser-bundles-3.

Thanks.  I realize the latest stable TBB has FF 3.6.  Is the reason for 
delay in updating to latest FF version always for testing - to see if 
Tor works properly?
Firefox versions used in stable TBB have always run behind the latest FF 
release - sometimes several versions.  This may well be unavoidable for 
TBB developers.  My original question - how does this affect the 
security of TBB users?



Re: [tor-talk] Reason Firefox version in TBB is so far behind?

2011-08-05 Thread Joe Btfsplk

On 8/2/2011 7:41 PM, Joe Btfsplk wrote:
> On 8/2/2011 7:10 PM, Andrew Lewman wrote:
>> On Tuesday, August 02, 2011 19:55:48 Joe Btfsplk wrote:
>>> Are there specific reasons for not using latest (or late-er) Firefox
>>> versions in Tor Browser Bundle?  Is it primarily because the latest
>>> version doesn't always work w/ Tor & fixes must be developed for Tor to
>>> deal w/ that?
>> It's the latest updated Firefox 3.6 branch.  FF4 branch has been
>> killed and
>> replaced with 5.  We have FF5 testing bundles. See
>> https://blog.torproject.org/blog/new-tor-browser-bundles-3.
> Thanks.  I realize the latest stable TBB has FF 3.6.  Is the reason
> for delay in updating to latest FF version always for testing - to see
> if Tor works properly?
> Firefox versions used in stable TBB have always run behind the latest
> FF release - sometimes several versions.  This may well be unavoidable
> for TBB developers.  My original question - how does this affect the
> security of TBB users?
>
> ___

No comments on security implications of using a Firefox version in TBB, 
that isn't up to date with security fixes (sometimes not even close)?
I'm grateful for the work done to create TBB, but the mantra of security 
experts has always been, "ALWAYS keep your browser / OS updated w/ 
security patches."


As said, it may be unavoidable (currently) for TBB developers to 
integrate new FF versions quickly, but surely I'm not the 1st to wonder 
about security issues of using old browser versions.
The testing bundles Andrew mentioned are fine for, well... testing, but 
not for general users.  It's a long way & many fixes, from Firefox 3.6 
to 5.0 / 5.0.1.



Re: [tor-talk] Reason Firefox version in TBB is so far behind?

2011-08-09 Thread Robert Ransom
On 2011-08-05, Joe Btfsplk wrote:
> On 8/2/2011 7:41 PM, Joe Btfsplk wrote:
>> On 8/2/2011 7:10 PM, Andrew Lewman wrote:
>>> On Tuesday, August 02, 2011 19:55:48 Joe Btfsplk wrote:
>>>> Are there specific reasons for not using latest (or late-er) Firefox
>>>> versions in Tor Browser Bundle?  Is it primarily because the latest
>>>> version doesn't always work w/ Tor & fixes must be developed for Tor to
>>>> deal w/ that?
>>> It's the latest updated Firefox 3.6 branch.  FF4 branch has been
>>> killed and
>>> replaced with 5.  We have FF5 testing bundles. See
>>> https://blog.torproject.org/blog/new-tor-browser-bundles-3.
>> Thanks.  I realize the latest stable TBB has FF 3.6.  Is the reason
>> for delay in updating to latest FF version always for testing - to see
>> if Tor works properly?
>> Firefox versions used in stable TBB have always run behind the latest
>> FF release - sometimes several versions.  This may well be unavoidable
>> for TBB developers.  My original question - how does this affect the
>> security of TBB users?
>> ___
>>
> No comments on security implications of using a Firefox version in TBB,
> that isn't up to date with security fixes (sometimes not even close)?
> I'm grateful for the work done to create TBB, but the mantra of security
> experts has always been, "ALWAYS keep your browser / OS updated w/
> security patches."

That is why we ship the latest version of Firefox on the 3.6 branch in
our stable TBBs.  Mozilla is still releasing security updates on the
Firefox 3.6 branch.

As you can see from
https://blog.torproject.org/blog/new-tor-browser-bundles-3 , Firefox
3.6.19 and Firefox 5.0.1 were released on the same day.  That is
because Firefox 3.6.19 and Firefox 5.0.1 are security-fix releases
that fix the same security bug.  (Firefox 4.0, 4.0.1, and 5.0 are no
longer safe to use, even though their version numbers are greater than
3.6.19.)

> As said, it may be unavoidable (currently) for TBB developers to
> integrate new FF versions quickly, but surely I'm not the 1st to wonder
> about security issues of using old browser versions.
> The testing bundles Andrew mentioned are fine for, well... testing, but
> not for general users.  It's a long way & many fixes, from Firefox 3.6
> to 5.0 / 5.0.1.

There are some bugfixes in Firefox 5.0.1 that aren't in Firefox 3.6.19
-- notably, Mozilla finally applied our patch to fix Firefox's
hard-coded timeout when using a SOCKS proxy, so Firefox 5.0 and 5.0.1
no longer require an HTTP proxy such as Polipo between the browser and
Tor -- but the main difference between Firefox 3.6.x and Firefox 5.0.x
is that Firefox 5.0.x contains many new features.  And those features
introduced a crapload of bugs which have security implications for Tor
users -- mainly WebGL security bugs, but there were a few nasty
surprises in the new JavaScript interpreter (see
https://trac.torproject.org/projects/tor/ticket/2819 ,
https://trac.torproject.org/projects/tor/ticket/2873 , and
https://trac.torproject.org/projects/tor/ticket/2874 ).  There were
plenty of other changes to audit as well; look through Tor's bug
tracker if you're interested.


Robert Ransom
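
The point made in the message above, that a higher version number is not the same as a patched one, shown as an added example that is not part of the original thread. The branch table is built only from the versions named in this thread; its layout and the function names are assumptions made for illustration.

```python
import re

# Branch status as described in the thread (August 2011).
# Key: release branch (major, minor). Value: first release on that branch
# carrying the security fix, or None when the branch gets no more fixes.
BRANCH_FIXED_IN = {
    (3, 6): (3, 6, 19),
    (4, 0): None,        # "FF4 branch has been killed and replaced with 5"
    (5, 0): (5, 0, 1),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '3.6.19' or '4.0' into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def naive_is_patched(version, baseline="3.6.19"):
    """The flawed check: 'anything numerically >= the fixed release is fine'."""
    return parse_version(version) >= parse_version(baseline)


def branch_is_patched(version):
    """Compare only against the fixed release of the version's own branch.

    Unknown and discontinued branches fail closed (treated as unpatched).
    """
    v = parse_version(version)
    fixed = BRANCH_FIXED_IN.get(v[:2])
    return fixed is not None and v >= fixed


def misjudged(versions):
    """Versions the naive check accepts but the branch-aware check rejects."""
    return [v for v in versions
            if naive_is_patched(v) and not branch_is_patched(v)]


# Constructed sample inventory of installed browser versions.
SAMPLE = ["3.6.18", "3.6.19", "4.0", "4.0.1", "5.0", "5.0.1"]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v:7} naive={naive_is_patched(v)!s:5} "
              f"branch-aware={branch_is_patched(v)}")
    print("misjudged by naive check:", misjudged(SAMPLE))
```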


Re: [tor-talk] Reason Firefox version in TBB is so far behind?

2011-08-09 Thread Joe Btfsplk

On 8/9/2011 4:55 AM, Robert Ransom wrote:
> That is why we ship the latest version of Firefox on the 3.6 branch in
> our stable TBBs. Mozilla is still releasing security updates on the
> Firefox 3.6 branch. As you can see from
> https://blog.torproject.org/blog/new-tor-browser-bundles-3 , Firefox
> 3.6.19 and Firefox 5.0.1 were released on the same day. That is
> because Firefox 3.6.19 and Firefox 5.0.1 are security-fix releases
> that fix the same security bug. (Firefox 4.0, 4.0.1, and 5.0 are no
> longer safe to use, even though their version numbers are greater than
> 3.6.19.)
>
> On 2011-08-05, Joe Btfsplk wrote:
>> As said, it may be unavoidable (currently) for TBB developers to
>> integrate new FF versions quickly, but surely I'm not the 1st to wonder
>> about security issues of using old browser versions.
>> The testing bundles Andrew mentioned are fine for, well... testing, but
>> not for general users.  It's a long way & many fixes, from Firefox 3.6
>> to 5.0 / 5.0.1.
>
> There are some bugfixes in Firefox 5.0.1 that aren't in Firefox 3.6.19
> -- notably, Mozilla finally applied our patch to fix Firefox's
> hard-coded timeout when using a SOCKS proxy, so Firefox 5.0 and 5.0.1
> no longer require an HTTP proxy such as Polipo between the browser and
> Tor -- but the main difference between Firefox 3.6.x and Firefox 5.0.x
> is that Firefox 5.0.x contains many new features.  And those features
> introduced a crapload of bugs which have security implications for Tor
> users -- mainly WebGL security bugs, but there were a few nasty
> surprises in the new JavaScript interpreter (see
> https://trac.torproject.org/projects/tor/ticket/2819 ,
> https://trac.torproject.org/projects/tor/ticket/2873 , and
> https://trac.torproject.org/projects/tor/ticket/2874 ).  There were
> plenty of other changes to audit as well; look through Tor's bug
> tracker if you're interested.
>
> Robert Ransom

Thanks for the detailed explanation & links to the trac tickets.   It 
sounds like what I suspected - new versions create new security issues 
for Tor, which take time to deal with.  Unfortunate, but...
 Re:  Firefox 5.0 - unsafe:   I was under impression the 5.0.1 update 
was for Mac (possibly Linux) - yes?  I don't get any avail updates, when 
checking manually from my Windows FF 5.0 installation.  I read somewhere 
* Windows * users don't need the 5.0.1 update (though 5.0.1 is what they 
get if d/l the entire package vs updating)??


Have another question then about 2 instances of Tor - which I'll ask in 
another post.
