Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-09 Thread Mike Perry
Thus spake sigi (torn...@cpunk.de):

> > We hope to better answer these questions in a Tor Browser Bundle
> > design document. Just one of the many other items that were supposed
> > to go into a new "stable" release that got pushed aside due to recent
> > events:
> > https://trac.torproject.org/projects/tor/ticket/3812
> 
> I'd really like to have such a document. 

I realized I neglected to mention that you can view the philosophical
underpinnings of our approach here:
https://blog.torproject.org/blog/improving-private-browsing-modes-do-not-track-vs-real-privacy-design

Much of that thinking will be reflected in the design document.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs


___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-07 Thread Julian Yon
On 07/09/11 20:44, David Carlson wrote:
> Thank you, this version works.  
> Curiously, since it seems to Yahoo that I am somewhere in Europe, they think 
> that I want to see advertisements in German, even though I specifically 
> selected the US Yahoo page.
> Maybe their captchas were in German too, and that is why it was so hard to 
> log in to my mail account.  Ain't technology grand?
> David Carlson

Yahoo thinks you're in Europe because your exit node is in Europe
(specifically Netherlands, according to your mail headers). That's how
anonymity works. Grand indeed :)

Julian





Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-07 Thread David Carlson
Thank you, this version works.  
Curiously, since it seems to Yahoo that I am somewhere in Europe, they think 
that I want to see advertisements in German, even though I specifically 
selected the US Yahoo page.
Maybe their captchas were in German too, and that is why it was so hard to log 
in to my mail account.  Ain't technology grand?
David Carlson
--- On Wed, 9/7/11, Erinn Clark  wrote:

From: Erinn Clark 
Subject: Re: [tor-talk] TBB 2.2.32 & Automatic Updates
To: tor-talk@lists.torproject.org
Date: Wednesday, September 7, 2011, 10:55 AM

* David Carlson  [2011:09:07 06:06 -0700]: 
> Hi,
> 
> Yesterday I downloaded tor-browser-2.2.32-3_en-US.exe and set it up on a USB
> stick.  When I try to start it, it gives a connection refused by peer message
> just after parsing the GEOP.  If I retry, it says Tor stopped
> unexpectedly. Vidalia hangs after giving the message Bootstrapped 100% done.
> I cannot get the advanced message log to give any debug entries.   If I close
> that browser bundle and use Task manager to make sure that Tor and Vidalia
> really are not running, then start tor-browser-2.2.31-1-alpha_en-US.exe which
> I downloaded on August 21, that version starts with no problem and continues
> to open Aurora.  I am using that instance to send this e-mail.
> 
> I am using these on a Windows Vista laptop in a hotel that requires logging
> on to their Wi-Fi  for a time limited session with a web browser before they
> allow access to the internet.  I am using IE to log on and leaving it open as
> they requested.

Hi David,

Can you try this bundle? I made it for Windows to fix this problem -- the
automatic port selection in the new bundles is causing a lot of trouble, and
you can use this until we put out the new TBBs with the fix:

https://archive.torproject.org/tor-package-archive/technology-preview/tor-browser-2.2.32-UNOFFICIAL-1_en-US.exe
https://archive.torproject.org/tor-package-archive/technology-preview/tor-browser-2.2.32-UNOFFICIAL-1_en-US.exe.asc

It just changes two configuration files (torrc and vidalia.conf) to disable the
automatic port selection. The official bundles will be coming out tomorrow.



Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-07 Thread Erinn Clark
* David Carlson  [2011:09:07 06:06 -0700]: 
> Hi,
> 
> Yesterday I downloaded tor-browser-2.2.32-3_en-US.exe and set it up on a USB
> stick.  When I try to start it, it gives a connection refused by peer message
> just after parsing the GEOP.  If I retry, it says Tor stopped
> unexpectedly. Vidalia hangs after giving the message Bootstrapped 100% done.
> I cannot get the advanced message log to give any debug entries.   If I close
> that browser bundle and use Task manager to make sure that Tor and Vidalia
> really are not running, then start tor-browser-2.2.31-1-alpha_en-US.exe which
> I downloaded on August 21, that version starts with no problem and continues
> to open Aurora.  I am using that instance to send this e-mail.
> 
> I am using these on a Windows Vista laptop in a hotel that requires logging
> on to their Wi-Fi  for a time limited session with a web browser before they
> allow access to the internet.  I am using IE to log on and leaving it open as
> they requested.

Hi David,

Can you try this bundle? I made it for Windows to fix this problem -- the
automatic port selection in the new bundles is causing a lot of trouble, and
you can use this until we put out the new TBBs with the fix:

https://archive.torproject.org/tor-package-archive/technology-preview/tor-browser-2.2.32-UNOFFICIAL-1_en-US.exe
https://archive.torproject.org/tor-package-archive/technology-preview/tor-browser-2.2.32-UNOFFICIAL-1_en-US.exe.asc

It just changes two configuration files (torrc and vidalia.conf) to disable the
automatic port selection. The official bundles will be coming out tomorrow.




Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-07 Thread David Carlson
Hi,

Yesterday I downloaded tor-browser-2.2.32-3_en-US.exe and set it up on a USB 
stick.  When I try to start it, it gives a connection refused by peer message 
just after parsing the GEOP.  If I retry, it says Tor stopped 
unexpectedly. Vidalia hangs after giving the message Bootstrapped 100% done. I 
cannot get the advanced message log to give any debug entries.   
If I close that browser bundle and use Task manager to make sure that Tor and 
Vidalia really are not running, then start tor-browser-2.2.31-1-alpha_en-US.exe 
which I downloaded on August 21, that version starts with no problem and 
continues to open Aurora.  I am using that instance to send this e-mail.

I am using these on a Windows Vista laptop in a hotel that requires logging on 
to their Wi-Fi  for a time limited session with a web browser before they allow 
access to the internet.  I am using IE to log on and leaving it open as they 
requested.

David Carlson

--- On Tue, 9/6/11, sigi  wrote:

From: sigi 
Subject: Re: [tor-talk] TBB 2.2.32 & Automatic Updates
To: tor-talk@lists.torproject.org
Date: Tuesday, September 6, 2011, 4:45 PM

On Mon, Sep 05, 2011 at 06:36:34PM -0700, Mike Perry wrote:
> Thus spake sigi (torn...@cpunk.de):
> 
> > Sorry, but at this point, I'm really asking myself, how I can trust 
> > the concept of the torproject anymore? Some time ago, the users were 
> > warned about the use of Torbutton with Firefox >3.6 - now the torproject 
> > recommends to use their TorBrowserBundle - but it has automatic updates 
> > for the browser included and some DigiNotar certificates? 
> 
> You are misunderstanding the situation. See other replies.
> 
> Please bear with us. The DigiNotar fiasco forced us to release the
> Firefox 6-based TBBs as "stable" at least 2 weeks early (if not a full
> month), because we were unable to do source modifications to Firefox
> 3.6 on Windows to properly deal with the certificate updates and the
> initial "Dutch exemption".
> 
> We would appreciate it if you tried to help us by diagnosing bugs and
> issues rather than calling our integrity into question over bugs that
> slipped in during a very high pressure situation.

Pardon me for being so rude. I see how difficult this situation is for 
you Tor-devs! I think the most confusing point for me is the switch to 
the TorBrowserBundle. I'm using Tor a lot on my local machine - for 
xmpp, irc and www, and I'm certain it provides a great service for 
anonymity. The question for me was, if I can trust this Browser-Bundle 
enough for now. 

> > I'm confused. And I'd like some clarification here. Possibly I should 
> > switch back to my own browser-profile with torbutton? Is it as safe to 
> > use the Torbrowserbundle, as it was one year ago to use tor with your 
> > own browser with Torbutton? Is there any improvement? 
> 
> We hope to better answer these questions in a Tor Browser Bundle
> design document. Just one of the many other items that were supposed
> to go into a new "stable" release that got pushed aside due to recent
> events:
> https://trac.torproject.org/projects/tor/ticket/3812

I'd really like to have such a document. 

Kudos to you all! 

Regards, sigi. 


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-06 Thread sigi
On Mon, Sep 05, 2011 at 06:36:34PM -0700, Mike Perry wrote:
> Thus spake sigi (torn...@cpunk.de):
> 
> > Sorry, but at this point, I'm really asking myself, how I can trust 
> > the concept of the torproject anymore? Some time ago, the users were 
> > warned about the use of Torbutton with Firefox >3.6 - now the torproject 
> > recommends to use their TorBrowserBundle - but it has automatic updates 
> > for the browser included and some DigiNotar certificates? 
> 
> You are misunderstanding the situation. See other replies.
> 
> Please bear with us. The DigiNotar fiasco forced us to release the
> Firefox 6-based TBBs as "stable" at least 2 weeks early (if not a full
> month), because we were unable to do source modifications to Firefox
> 3.6 on Windows to properly deal with the certificate updates and the
> initial "Dutch exemption".
> 
> We would appreciate it if you tried to help us by diagnosing bugs and
> issues rather than calling our integrity into question over bugs that
> slipped in during a very high pressure situation.

Pardon me for being so rude. I see how difficult this situation is for 
you Tor-devs! I think the most confusing point for me is the switch to 
the TorBrowserBundle. I'm using Tor a lot on my local machine - for 
xmpp, irc and www, and I'm certain it provides a great service for 
anonymity. The question for me was, if I can trust this Browser-Bundle 
enough for now. 

> > I'm confused. And I'd like some clarification here. Possibly I should 
> > switch back to my own browser-profile with torbutton? Is it as safe to 
> > use the Torbrowserbundle, as it was one year ago to use tor with your 
> > own browser with Torbutton? Is there any improvement? 
> 
> We hope to better answer these questions in a Tor Browser Bundle
> design document. Just one of the many other items that were supposed
> to go into a new "stable" release that got pushed aside due to recent
> events:
> https://trac.torproject.org/projects/tor/ticket/3812

I'd really like to have such a document. 

Kudos to you all! 

Regards, sigi. 


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Mike Perry
Thus spake cgp3cg (cgp...@gmail.com):

> > If not, this could be a regression against Torbutton.. But I haven't
> > experienced it, as far as I know.
> > 
> > Where/how did you observe the password saving?
> 
> I observed this logging into FastMail, and at the time checked the FF
> settings and confirmed that saving passwords was enabled. I now can't
> reproduce this -- I've re-extracted the TBB from the original
> distribution, checked that saving password is _off_, and verified that
> it _doesn't_ offer to save passwords. I'll just assume that _I_ did
> something wrong unless I can reproduce it ;-)

Please keep an eye on this. We are seeing some weird non-determinism
crop up all over the place wrt prefs. It is possible that it is
because we are using user_pref() calls as opposed to pref() calls in
our version of prefs.js, and there is some race condition or other
failure in a preference observer that is causing some of the prefs to
randomly fail to apply:
https://trac.torproject.org/projects/tor/ticket/3933#comment:1


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread cgp3cg
> This is a change in Firefox 6.0.2 where they list them so they can explicitly
> distrust them. If you click on Aurora->Preferences (or Options, I think, in
> Windows)->View Certificates->then click on any of the DigiNotar things present,
> it will say at the top "Explicitly Distrust [...]".

Ah, nice, I hadn't noticed this!

> You can see some more of that here: 
> https://hg.mozilla.org/releases/mozilla-release/rev/55b5cd1ce8fe
> 
> This basically superseded our (and their) patches, and I think the reason there
> are so many more listed is because they got all of them, including
> intermediaries. To be honest, while Mozilla has been very helpful and
> responsive to us, we don't have complete insight into their decision-making
> processes so we are trusting them to do the right thing here, at least right
> this minute with the given time-constraints. When things have settled down a
> bit more we will probably revisit how TBB handles certs overall. In essence,
> there has been a lot of turbulence with this release (which happened 2 weeks
> early because of this mess, and then went through a bunch of rapid changes
> immediately after) so everything is a bit wobbly.

Yes, this SSL kerfuffle is causing big headaches ...

> We're going to be making some more radical changes and the build/QA team is
> basically just me, for all platforms, except when other devs & volunteers pitch
> in. Would you be interested in helping us out with better testing?

Yep, ping me off list each time you've got a new release ready. (Debian
5 (haven't got around to upgrading yet ...))

May take me a few days to test, but I certainly will! (Will also force
me to upgrade and keep current ...)

-C


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread cgp3cg
On 06/09/11 11:22, Mike Perry wrote:
> Thus spake cgp3cg (cgp...@gmail.com):
> 
>> I've also discovered that with this version FF defaults to saving
>> passwords.
> 
> Are you sure about this? Torbutton should be handling this under
> Preferences->Security Settings->Forms..
> 
> The first checkbox is checked for you, yes?

Yes, first is checked, second is not -- all looks good.

> If not, this could be a regression against Torbutton.. But I haven't
> experienced it, as far as I know.
> 
> Where/how did you observe the password saving?

I observed this logging into FastMail, and at the time checked the FF
settings and confirmed that saving passwords was enabled. I now can't
reproduce this -- I've re-extracted the TBB from the original
distribution, checked that saving password is _off_, and verified that
it _doesn't_ offer to save passwords. I'll just assume that _I_ did
something wrong unless I can reproduce it ;-)

Thanks
-C


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Mike Perry
Thus spake sigi (torn...@cpunk.de):

> Sorry, but at this point, I'm really asking myself, how I can trust 
> the concept of the torproject anymore? Some time ago, the users were 
> warned about the use of Torbutton with Firefox >3.6 - now the torproject 
> recommends to use their TorBrowserBundle - but it has automatic updates 
> for the browser included and some DigiNotar certificates? 

You are misunderstanding the situation. See other replies.

Please bear with us. The DigiNotar fiasco forced us to release the
Firefox 6-based TBBs as "stable" at least 2 weeks early (if not a full
month), because we were unable to do source modifications to Firefox
3.6 on Windows to properly deal with the certificate updates and the
initial "Dutch exemption".

We would appreciate it if you tried to help us by diagnosing bugs and
issues rather than calling our integrity into question over bugs that
slipped in during a very high pressure situation.

> I'm confused. And I'd like some clarification here. Possibly I should 
> switch back to my own browser-profile with torbutton? Is it as safe to 
> use the Torbrowserbundle, as it was one year ago to use tor with your 
> own browser with Torbutton? Is there any improvement? 

We hope to better answer these questions in a Tor Browser Bundle
design document. Just one of the many other items that were supposed
to go into a new "stable" release that got pushed aside due to recent
events:
https://trac.torproject.org/projects/tor/ticket/3812



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Mike Perry
Thus spake cgp3cg (cgp...@gmail.com):

> I've also discovered that with this version FF defaults to saving
> passwords.

Are you sure about this? Torbutton should be handling this under
Preferences->Security Settings->Forms..

The first checkbox is checked for you, yes?

If not, this could be a regression against Torbutton.. But I haven't
experienced it, as far as I know.

Where/how did you observe the password saving?


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Erinn Clark
* cgp3cg  [2011:09:06 07:52 +1000]: 
> Thanks Erinn,
> 
> I've also discovered that with this version FF defaults to saving
> passwords, and that there are 4 CA certificates present for DigiNotar and
> 2 for DigiNotar B.V.
> 
> The first isn't a huge issue, but according to the changelog for 2.2.32-2:
> 
> * Update Firefox to 6.0.1, with an additional patch to exclude
>   DigiNotar completely
> 
> I've also had a quick poke at a few older versions (the only ones I have
> handy):
> - 2.2.25 (FF 4.0.1)
> - 1.1.3 (FF 3.6.13)
> 
> and both only show 1 CA cert for DigiNotar. Stock standard FF 6.0 also
> only had one, and it's now gone completely from 6.0.1 ... so why the
> presence of four in TBB?

This is a change in Firefox 6.0.2 where they list them so they can explicitly
distrust them. If you click on Aurora->Preferences (or Options, I think, in
Windows)->View Certificates->then click on any of the DigiNotar things present,
it will say at the top "Explicitly Distrust [...]".

You can see some more of that here: 
https://hg.mozilla.org/releases/mozilla-release/rev/55b5cd1ce8fe

This basically superseded our (and their) patches, and I think the reason there
are so many more listed is because they got all of them, including
intermediaries. To be honest, while Mozilla has been very helpful and
responsive to us, we don't have complete insight into their decision-making
processes so we are trusting them to do the right thing here, at least right
this minute with the given time-constraints. When things have settled down a
bit more we will probably revisit how TBB handles certs overall. In essence,
there has been a lot of turbulence with this release (which happened 2 weeks
early because of this mess, and then went through a bunch of rapid changes
immediately after) so everything is a bit wobbly.

We're going to be making some more radical changes and the build/QA team is
basically just me, for all platforms, except when other devs & volunteers pitch
in. Would you be interested in helping us out with better testing?





Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Mike Perry
Thus spake Erinn Clark (er...@torproject.org):

> * Erinn Clark  [2011:09:05 15:01 +0100]: 
> > However, as of Firefox 4, there is a pref called extensions.enabledScopes which
> > allows you to define the scope of plugins and limit them to things like "just
> > this profile", "just this app", "just this user", etc. In the current TBBs it
> > is limited by profile (the most limited and mandatory scope) but it seems to
> > behave somewhat unpredictably. It used to be that it did not even show all of
> > the plugins, now it shows them but you have to enable them. I should look into
> > this to make sure there isn't another pref interfering.
> > 
> > You can read more about this here: 
> > https://developer.mozilla.org/en/Addons/Add-on_Manager/AddonManager#Installation_scopes
> > http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1238
> 
> Okay, I misspoke here. It doesn't actually show all of the system plugins, but
> it seems to show some? I would like to hear reports about how a vanilla Firefox
> plugin list looks compared to our Firefox on users' systems, because although I
> have access to a lot of VMs, none of them are tarted up with plugins right now.
> 
> Does it show none, some, or all? Is there any consistency to which ones you see?

Btw, I plan on bypassing this enabledScopes setting and solving this a
different way. I hope to have the solution ready by the end of the
week:
https://trac.torproject.org/projects/tor/ticket/3547



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread sigi
Hi! 

Sorry, but at this point, I'm really asking myself, how I can trust 
the concept of the torproject anymore? Some time ago, the users were 
warned about the use of Torbutton with Firefox >3.6 - now the torproject 
recommends to use their TorBrowserBundle - but it has automatic updates 
for the browser included and some DigiNotar certificates? 

I'm confused. And I'd like some clarification here. Possibly I should 
switch back to my own browser-profile with torbutton? Is it as safe to 
use the Torbrowserbundle, as it was one year ago to use tor with your 
own browser with Torbutton? Is there any improvement? 

Regards, sigi


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread cgp3cg
On 05/09/11 21:09, Erinn Clark wrote:
> * cgp3cg  [2011:09:05 16:19 +1000]: 
>> Hi,
>>
>> Just downloaded TBB 2.2.32 for Linux
>> (tor-browser-gnu-linux-i686-2.2.32-3-dev-en-US.tar.gz) and was surprised
>> to find FF set to automatically check for and download updates. This
>> seems like a significant change, and I can't find a record in my
>> archives, nor in a quick scan through the changelog.
>>
>> Was this deliberate and did I miss something?
> 
> No, this is not deliberate and must be a bug. The prefs.js we ship has:
> 
> user_pref("app.update.auto", false);
> user_pref("app.update.enabled", false);
> 
> https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/build-scripts/config/no-polipo-4.0.js
> 
> We enabled addon updates because we believe it is safer, but that is a
> different setting. I see in my own TBB that app.update.auto has been set to
> true, but I certainly didn't make it that way either as a user or developer.
> 
> Thanks for noticing, I'm going to add fixing this to our next update (September
> 10th).

Thanks Erinn,

I've also discovered that with this version FF defaults to saving
passwords, and that there are 4 CA certificates present for DigiNotar and
2 for DigiNotar B.V.

The first isn't a huge issue, but according to the changelog for 2.2.32-2:

* Update Firefox to 6.0.1, with an additional patch to exclude
  DigiNotar completely

I've also had a quick poke at a few older versions (the only ones I have
handy):
- 2.2.25 (FF 4.0.1)
- 1.1.3 (FF 3.6.13)

and both only show 1 CA cert for DigiNotar. Stock standard FF 6.0 also
only had one, and it's now gone completely from 6.0.1 ... so why the
presence of four in TBB?

Thanks
-C


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Erinn Clark
* Erinn Clark  [2011:09:05 15:01 +0100]: 
> However, as of Firefox 4, there is a pref called extensions.enabledScopes which
> allows you to define the scope of plugins and limit them to things like "just
> this profile", "just this app", "just this user", etc. In the current TBBs it
> is limited by profile (the most limited and mandatory scope) but it seems to
> behave somewhat unpredictably. It used to be that it did not even show all of
> the plugins, now it shows them but you have to enable them. I should look into
> this to make sure there isn't another pref interfering.
> 
> You can read more about this here: 
> https://developer.mozilla.org/en/Addons/Add-on_Manager/AddonManager#Installation_scopes
> http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1238

Okay, I misspoke here. It doesn't actually show all of the system plugins, but
it seems to show some? I would like to hear reports about how a vanilla Firefox
plugin list looks compared to our Firefox on users' systems, because although I
have access to a lot of VMs, none of them are tarted up with plugins right now.

Does it show none, some, or all? Is there any consistency to which ones you see?




Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Erinn Clark
* Koh Choon Lin <2choon...@gmail.com> [2011:09:05 20:57 +0800]: 
> I note that for previous versions of the TBB, all plugins installed on
> the system are not visible at all under the Add-ons Manager. This
> release shows all the plugins (eg. Java, Flash, etc..) with an option
> to enable them as they are currently disabled by default.

The reason for this is that in the old versions of TBB with FF3.6 on linux, I
binary patched libxul.so in a filthy way so that it would not pick up system
plugins; on Windows it was possible to comment out a section of
nsExtensionsManager.js that scanned the Windows registry. On OSX I never
figured out how to stop it.

However, as of Firefox 4, there is a pref called extensions.enabledScopes which
allows you to define the scope of plugins and limit them to things like "just
this profile", "just this app", "just this user", etc. In the current TBBs it
is limited by profile (the most limited and mandatory scope) but it seems to
behave somewhat unpredictably. It used to be that it did not even show all of
the plugins, now it shows them but you have to enable them. I should look into
this to make sure there isn't another pref interfering.

You can read more about this here: 
https://developer.mozilla.org/en/Addons/Add-on_Manager/AddonManager#Installation_scopes
http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#1238




Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Marco Bonetti
According to Mozilla: https://www.mozilla.org/en-US/mobile/sync/ everything 
should be encrypted, both in the browser-server communication and on the server 
side, while storing your data. They also affirm data is encrypted in such a way 
they cannot retrieve the plaintext.
I haven't wiresharked my connection to get a proof but, since the user has to 
specifically log in, as already noted by Erinn, I would say it's safe to leave 
it enabled.

Ciao!

-- 
Marco Bonetti
Tor research and other stuff: http://sid77.slackware.it/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/

My GnuPG key id: 0x0B60BC5F


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Koh Choon Lin
Hi

> Just downloaded TBB 2.2.32 for Linux
> (tor-browser-gnu-linux-i686-2.2.32-3-dev-en-US.tar.gz) and was surprised
> to find FF set to automatically check for and download updates. This
> seems like a significant change, and I can't find a record in my
> archives, nor in a quick scan through the changelog.

I note that for previous versions of the TBB, all plugins installed on
the system are not visible at all under the Add-ons Manager. This
release shows all the plugins (eg. Java, Flash, etc..) with an option
to enable them as they are currently disabled by default.


-- 
Regards
Koh Choon Lin


Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Julian Yon
On 05/09/11 13:57, Marco Bonetti wrote:
> According to Mozilla: https://www.mozilla.org/en-US/mobile/sync/ everything 
> should be encrypted, both in the browser-server communication and on the 
> server side, while storing your data. They also affirm data is encrypted in 
> such a way they cannot retrieve the plaintext.
> I haven't wiresharked my connection to get a proof but, since the user has to 
> specifically log in, as already noted by Erinn, I would say it's safe to 
> leave it enabled.
> 
> Ciao!
> 

Fair enough, I stand corrected.


Julian





Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Julian Yon
On the subject of surprises, has anyone else twigged that the "Firefox
sync" feature isn't disabled? Nice way to get decloaked in one simple click.

Julian





Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Erinn Clark
* Julian Yon  [2011:09:05 11:52 +0100]: 
> On the subject of surprises, has anyone else twigged that the "Firefox
> sync" feature isn't disabled? Nice way to get decloaked in one simple click.

I'm learning about sync now. Is it really so simple to get decloaked in one
simple click? The website says you have to sign up for an account, which I
imagine you also then have to log into deliberately before syncing.

If it's that easy I agree it should be disabled, but if it's not, I can imagine
people wanting to use it (which is, of course, not the deciding factor but
still something to consider). I'm going to read about it more, but if you have
any more information you think I (or other Tor devs) should read, please pass
it on.

Thanks!
Erinn




Re: [tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-05 Thread Erinn Clark
* cgp3cg  [2011:09:05 16:19 +1000]: 
> Hi,
> 
> Just downloaded TBB 2.2.32 for Linux
> (tor-browser-gnu-linux-i686-2.2.32-3-dev-en-US.tar.gz) and was surprised
> to find FF set to automatically check for and download updates. This
> seems like a significant change, and I can't find a record in my
> archives, nor in a quick scan through the changelog.
> 
> Was this deliberate and did I miss something?

No, this is not deliberate and must be a bug. The prefs.js we ship has:

user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);

https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/build-scripts/config/no-polipo-4.0.js

We enabled addon updates because we believe it is safer, but that is a
different setting. I see in my own TBB that app.update.auto has been set to
true, but I certainly didn't make it that way either as a user or developer.

Thanks for noticing, I'm going to add fixing this to our next update (September
10th).


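An added example, not part of any message in this thread and not Tor Project code: one way to detect the drift described above, where the shipped prefs.js sets app.update.auto to false but the running profile shows true (Mike Perry's later reply in the thread mentions prefs that randomly fail to apply). The function names and the profile sample are constructed for illustration; only the two shipped pref lines come from the thread.

```python
import re
from collections import namedtuple

# One finding per shipped pref that the profile does not honour.
Finding = namedtuple("Finding", "name expected actual status")

# Matches lines such as: user_pref("app.update.auto", false);
PREF_RE = re.compile(
    r'^(user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;$'
)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def parse_value(raw):
    """Convert a pref literal (boolean, integer or string) to a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]  # escape sequences are left as written
    raise ValueError("unsupported pref value: %r" % raw)


def parse_prefs(text):
    """Return {name: (call, value)}; a later line for the same pref wins."""
    prefs = {}
    for line in BLOCK_COMMENT_RE.sub("", text).splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#")):
            continue
        match = PREF_RE.match(stripped)
        if match is None:
            raise ValueError("unparseable line: %r" % line)
        call, name, raw = match.groups()
        prefs[name] = (call, parse_value(raw))
    return prefs


def audit(shipped_text, profile_text):
    """Compare every shipped pref with the value found in the profile file."""
    shipped = parse_prefs(shipped_text)
    profile = parse_prefs(profile_text)
    findings = []
    for name in sorted(shipped):
        expected = shipped[name][1]
        if name not in profile:
            # Absent from the profile file: whatever default the browser
            # build carries applies, which this check cannot see.
            findings.append(Finding(name, expected, None, "missing"))
            continue
        actual = profile[name][1]
        # Compare types too, so the integer 1 is not accepted for true.
        if type(actual) is not type(expected) or actual != expected:
            findings.append(Finding(name, expected, actual, "drift"))
    return findings


# The two lines quoted in the thread as shipped in the bundle's prefs.js.
SHIPPED_PREFS = """\
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
"""

# Constructed sample of a profile prefs.js after the browser has run,
# showing the state reported in the thread (app.update.auto flipped to true).
PROFILE_PREFS = """\
# Mozilla User Preferences

/* Do not edit this file. */

user_pref("app.update.auto", true);
user_pref("app.update.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for finding in audit(SHIPPED_PREFS, PROFILE_PREFS):
        print("%s: shipped %r, profile %r (%s)" % finding)
```

Running the same comparison after each start of a freshly extracted bundle would show whether a given pref fails to apply every time or only intermittently.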


[tor-talk] TBB 2.2.32 & Automatic Updates

2011-09-04 Thread cgp3cg
Hi,

Just downloaded TBB 2.2.32 for Linux
(tor-browser-gnu-linux-i686-2.2.32-3-dev-en-US.tar.gz) and was surprised
to find FF set to automatically check for and download updates. This
seems like a significant change, and I can't find a record in my
archives, nor in a quick scan through the changelog.

Was this deliberate and did I miss something?

-C

P.S. Otherwise the new version is great!