In May, the Tor Browser team released 4.5.1[1] and 5.0a1[2]. Both releases coincided with an upstream Firefox security release.

The 4.5.1 release was a point release to address issues discovered during the 4.5-stable release. The most notable change was to slightly relax the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. With this change, Tor circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name[3]. This change is also consistent with the browser URL bar hostname display: isolation is now performed based on the bold portion of the website address in the URL bar. In addition, the NoScript ClearClick clickjacking defense had to be disabled[4], due to a conflict with our canvas and resolution fingerprinting defenses[5]. Regressions in PDF usage[6] and running the meek pluggable transport on Windows[7] were also fixed, as were some Security Slider UI issues[8,9]. An issue with the updater that could cause updates to fail to apply in some cases if disk records were enabled was also fixed[10].

Having fixed these issues, we felt comfortable officially deprecating the 4.0 series, and 4.0 users were updated automatically to the 4.5 series. This also marked the official end of our support for 32-bit Mac systems[11]. Based on our past experience when we dropped support for MacOS 10.4 and 10.5, we expected to hear more complaints from old Mac users during this transition, but surprisingly this did not happen this time around. This may be because this time, Tails was a viable alternative for these users.

The 5.0a1 release was the first release in our next alpha series, which will also cover the transition to Firefox 38-ESR over the coming months. This particular release featured improvements to the automatic window resizing fingerprinting defense that was first deployed in 4.5a4[12]. That defense was disabled for the 4.5-stable series, but has been re-enabled for this alpha to help stabilize it further.

Additionally, this release also introduces a new defense against various forms of performance fingerprinting and time-based side channel attacks[13]. A handful of new attacks have been published recently that take advantage of Javascript's high-performance timers to determine hardware performance, perform keystroke fingerprinting[14], extract history information[15], and even steal sensitive data from memory[16]. This defense reduces the resolution of time available to Javascript to 100 milliseconds for all time sources, and to 250 milliseconds for keypress event timestamps.

After shipping these two releases, we focused our attention on the upcoming Firefox 38-ESR switch. We've begun updating our build system to support the new version[17], have rebased most of our patches[18], and have reviewed the Firefox developer documentation[19] for major issues to deal with. This transition process will continue until Firefox 31 is end of life on August 11th.

The full list of tickets closed by the Tor Browser team in May can be seen using the TorBrowserTeam201505 tag on our bug tracker[20].

In June, our efforts continue to be focused on reviewing and rebasing the remainder of our patches to Firefox 38-ESR. The target date for the first Firefox 38-based Tor Browser alpha release is June 30th, which will also coincide with an upstream Firefox point release. The set of tickets on our radar for the Firefox 38 switch can be viewed with the ff38-esr bug tracker tag[21].

The full list of tickets that the Tor Browser team plans to work on in June can be seen using the TorBrowserTeam201506 tag on our bug tracker[22].

1. https://blog.torproject.org/blog/tor-browser-451-released
2. https://blog.torproject.org/blog/tor-browser-50a1-released
3. https://trac.torproject.org/projects/tor/ticket/15933
4. https://trac.torproject.org/projects/tor/ticket/15945
5. https://trac.torproject.org/projects/tor/ticket/14985
6. https://trac.torproject.org/projects/tor/ticket/15899
7. https://trac.torproject.org/projects/tor/ticket/15872
8. https://trac.torproject.org/projects/tor/ticket/15837
9. https://trac.torproject.org/projects/tor/ticket/15927
10. https://trac.torproject.org/projects/tor/ticket/15857
11. https://blog.torproject.org/blog/end-life-plan-tor-browser-32-bit-macs
12. https://trac.torproject.org/projects/tor/ticket/14429
13. https://trac.torproject.org/projects/tor/ticket/1517
14. https://en.wikipedia.org/wiki/Keystroke_dynamics
15. http://cseweb.ucsd.edu/~dkohlbre/papers/subnormal.pdf
16. http://arxiv.org/abs/1502.07373
17. https://trac.torproject.org/projects/tor/ticket/15772
18. https://trac.torproject.org/projects/tor/ticket/15196
19. https://trac.torproject.org/projects/tor/ticket/16090
20. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201505
21. https://trac.torproject.org/projects/tor/query?keywords=~ff38-esr&status=!closed
22. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201506

-- 
Mike Perry
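The timer-resolution defense described in the report above, as an added JavaScript illustration that is not Tor Browser's own patch: script-visible timestamps are rounded down to a 100 ms grid (250 ms for keypress events), and constructed keystroke timings show how the inter-key intervals a keystroke-dynamics fingerprint relies on collapse once the clock is coarsened. The function names, the simulated clock source and the event times are all assumptions made for this example.

```javascript
// Added example (not Tor Browser code): coarsen timestamps the way a
// "reduce timer precision" defense does, so that a script cannot resolve
// time differences finer than the chosen bucket.

const TIME_RESOLUTION_MS = 100;      // figure the report quotes for all time sources
const KEYPRESS_RESOLUTION_MS = 250;  // figure the report quotes for keypress events

// Round a millisecond timestamp down to a multiple of `resolutionMs`.
function clampTimestamp(ms, resolutionMs) {
  if (!(resolutionMs > 0)) throw new RangeError("resolution must be positive");
  return Math.floor(ms / resolutionMs) * resolutionMs;
}

// Wrap a high-resolution clock (performance.now, Date.now, ...) in a coarse
// one. Every reading from the returned function lands on the coarse grid.
function makeCoarseClock(highResNow, resolutionMs = TIME_RESOLUTION_MS) {
  return () => clampTimestamp(highResNow(), resolutionMs);
}

// What a page script would see for a list of true event times (ms) when
// each event's timestamp is clamped to `resolutionMs`.
function observeEvents(trueTimesMs, resolutionMs) {
  return trueTimesMs.map((t) => clampTimestamp(t, resolutionMs));
}

// Gaps between consecutive events: the raw material of a keystroke-dynamics
// fingerprint.
function interEventIntervals(timesMs) {
  const gaps = [];
  for (let i = 1; i < timesMs.length; i++) gaps.push(timesMs[i] - timesMs[i - 1]);
  return gaps;
}

// Constructed keystroke timings (hypothetical, not measured): four keypresses
// with a typist-specific cadence of roughly 84 ms, 126 ms and 245 ms.
const SAMPLE_KEYPRESS_TIMES = [1000.3, 1083.9, 1210.2, 1455.7];

function demo() {
  const fine = interEventIntervals(SAMPLE_KEYPRESS_TIMES);
  const coarse = interEventIntervals(
    observeEvents(SAMPLE_KEYPRESS_TIMES, KEYPRESS_RESOLUTION_MS),
  );
  console.log("intervals with a fine clock:  ", fine);    // cadence visible
  console.log("intervals with a 250 ms clock:", coarse);  // [0, 0, 250]

  // Simulated high-resolution source advancing 33.3 ms per call (constructed).
  let t = 0;
  const coarseNow = makeCoarseClock(() => (t += 33.3));
  console.log("coarse clock readings:", [coarseNow(), coarseNow(), coarseNow(), coarseNow()]);
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Only the grid is visible to the script: three keypresses that really fell 84 ms and 126 ms apart report the same timestamp, and the measured intervals become multiples of the resolution rather than a per-user cadence.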
_______________________________________________
tor-reports mailing list
tor-reports@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports