The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2024-03-20T23:28:07Z

Update Tor Browser spec
https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/25021
Georg Koppen, 2024-03-20T23:28:07Z

Tor Browser 11.0 is coming out soon. We should update our design document to cover all the new issues that are showing up in it. Highlights are
1) Switch to rbm/tor-browser-build
2) The security slider copy update
...
The update should cover the current goals and state of the browser, and fold in all the 8.0, 8.5, 9.0, 9.5, 10.0, and 10.5 changes.
Tor Browser: 11.0 Issues with previous release
richard

Tor Browser design doc says it whitelists flash and gnash as plugins
https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/24945
Roger Dingledine, 2024-02-13T20:04:29Z

The Tor Browser design doc says "we also patch the Firefox source code to prevent the load of any plugins except for Flash and Gnash. Even for Flash and Gnash, we also patch Firefox to prevent loading them into the address space until they are explicitly enabled."
If this is so, we should probably change Tor Browser to just prevent all plugins, including Flash and Gnash.
And if it is no longer so, we should fix the wrong statement in the design doc.
Noticed in legacy/trac#10885.

Add our reasoning for dealing with the XPI signing to our design document
https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/21922
Georg Koppen, 2022-12-09T13:20:15Z

We missed to explain how we deal with the code-signing requirement for our own extensions. We should have that in our design document I think.

Document Tor Browser hardening in the Tor Browser design document
https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/21566
Georg Koppen, 2021-06-25T15:44:23Z

We compile Tor Browser with different hardening flags for different platforms we should document that in our design document.

Generate list of all dependencies and additional files
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/34051
Matthew Finkel, 2023-11-07T12:36:49Z

External Tor Browser packages (for other platforms) would find it helpful if we produce a list of all dependencies used for building Tor Browser for a platform and if those dependencies were built using custom patches.
This list should include any additional files we inject into the final packages (such as licenses, start script, fonts, etc.).

Add file listing the main rules for tor-browser-build rbm files
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/33013
boklm, 2023-01-05T14:20:33Z

We should add a file listing the main rules to follow when making changes to tor-browser-build.
legacy/trac#33012 is one example, but there are probably others.

Add some documentation about building go libraries/programs with build_go_lib
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/32416
boklm, 2023-01-05T14:16:24Z

As `build_go_lib` template is getting more complex, we should add some documentation about how to use it, probably into 'README.HACKING'.

Add documentation for using TBB with Windows Tor expert bundle
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/11751
cypherpunks, 2022-08-02T14:40:21Z

On Windows, I installed the expert bundle to have a single tor process to be used by multiple applications, including multiple Tor Browsers.
I can configure Tor Browser by creating a user.js file with extensions.torlauncher.start_tor set to 0. But this config also leads to this message:
"Something Went Wrong!
Tor is not working in this browser."
Other than that, I can use the browser normally.
Can you fix this?

Add Tor Browser-specific licenses in about:license
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/33773
Matthew Finkel, 2022-07-08T20:55:01Z

This idea came out of legacy/trac#33771 and legacy/trac#33772. GeKo mentioned that we don't need to ship a specific license for NSS because it is covered by `about:license`, and we could use `about:license` for the additional licenses we must ship, as well. Currently those Tor Browser-specific licenses are controlled by tor-browser-build and they are included as text files at build-time. Extending `about:license` is a good idea.
The main disadvantage I see is downstream projects who take a tor browser package and re-use all of the tor parts but they don't use the browser. We could achieve this by continuing with adding licenses in text files and then patching them into tor-browser's `toolkit/content/license.html` at build time. I'm not very excited about the additional complexity this would require, though.

New cross-browser fingerprinting method
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32922
Trac, 2023-09-01T01:40:59Z

This isn't really an enhancement, but is everyone here aware of this new cross-browser fingerprinting method? Have there been any tests of the current Tor Browser's resistance to this?
----------------------------
http://uniquemachine.org/
#
https://arstechnica.com/information-technology/2017/02/now-sites-can-fingerprint-you-online-even-when-you-use-multiple-browsers/
http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf
----------------------------
If already discussed elsewhere, redirect to relevant ticket.
I tested the uniquemachine.org webpage on the Tor Browser on a computer running Windows 10 and it got stuck on 'fingerprinting GPU' and the display of graphics - probably due to WebGL disabled but I can't be sure.
In terms of defenses to this:
- Disabling JavaScript is the obvious. WebGL is already disabled by default in the Tor Browser, so all OK there?
- Disabling the microphone is another measure. I can't see that Windows 10 has the option to disable speakers aside from turning the volume down to 0 for all apps, or just for the Tor Browser.
- Is running the Tor Browser in a virtual machine kind of overkill to be completely sure of preventing this (and other) cross-browser fingerprinting?
**Trac**:
**Username**: thelamper

Show the Tor Browser version number on f-droid (instead of firefox version)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32748
boklm, 2022-07-08T19:14:00Z

It seems that some users are confused by the version number that is shown on f-droid:
https://blog.torproject.org/comment/285989#comment-285989
It looks like the version number that is shown is the Firefox version on which it is based, instead of the Tor Browser version.

Create Style Guides
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32544
Matthew Finkel, 2023-01-05T15:49:18Z

Following legacy/trac#26184, we should document our coding style preferences. We should consider documenting all Tor Browser-related projects.
Sponsor 131 - Phase 5 - Ongoing Maintenance

Describe why Tor Browser requests each permission on Android
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30604
Matthew Finkel, 2022-11-29T13:07:02Z

Tor Browser requests a few "risky" permissions, we should describe how each of them is used. This is especially important information for people on older Android devices where permissions are not optional (they must allow all permissions at installation time or they don't install the app).
I'll start with Google Play, but we should add this information on our website (and F-Droid, in the future), too.

Add README to Tor Browser
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27674
traumschule, 2022-07-13T23:08:53Z

I am struck that there is none.
```
tor-browser8.5a1$ find |grep -i readme
./Browser/TorBrowser/Docs/Obfsproxy/README
./Browser/TorBrowser/Docs/fteproxy/README.md
./Browser/TorBrowser/Docs/meek/README
./Browser/TorBrowser/Docs/libfte/README.md
./Browser/TorBrowser/Docs/snowflake/README.md
```

Update QA and Testing content on our HACKING document
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26917
Georg Koppen, 2022-06-23T22:21:24Z

Our QA and Testing content on our HACKING page needs some update.

Should users be able to set Tor Browser as their default browser?
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20811
Roger Dingledine, 2023-01-05T17:04:13Z

A really common user request lately has been how to set up Tor Browser as their default browser, e.g. when they click on urls in their email in thunderbird.
I'm under the impression that the current Tor Browser team answer is "don't do that, it's dangerous". Is that right? If so we should write it down explicitly, along with some intuitions for why it's dangerous so people will understand why.
And if not, we should write up some heuristics or hints or guides or something for how to do it most safely.

Add some explanation of certificate storage being disabled
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15797
Trac, 2023-01-05T16:57:13Z

In Tor Browser 4.0.8 (windows) I was unable to import certificates until I changed preference security.nocertdb to false (legacy/trac#13366). I tried the directions in legacy/trac#13353 but disabling private browsing mode didn't work to enable the certificate storage.
There is no warning that certificate storage is disabled. When you add a certificate nothing happens. Also when you view a site with an unrecognized certificate the 'Confirm Security Exception' button does nothing. Please consider making some changes to add a message box "This feature will not work with the current settings because foo. To enable this feature do bar."
Thanks
**Trac**:
**Username**: supermario

Document how other extensions should ask to isolate their streams
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15690
Roger Dingledine, 2023-01-05T15:50:05Z

I'm talking to a Firefox extension developer who is installing his extension into Tor Browser and giving the resulting bundle to his users.
His extension makes network requests, and it occurred to me that the new per-tab stream isolation feature in Tor Browser probably lumps the requests from his extension into the catch-all circuit.
Is there a URL I can send him to that explains how his extension should set its socks username/password (or whatever it needs to do) to request its own isolation from Tor?

Document auditing setups for testers to use
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/5767
Mike Perry, 2023-01-05T16:56:22Z

We've got a TBB AppArmor profile at https://trac.torproject.org/projects/tor/wiki/doc/AppArmorForTBB. On legacy/trac#5741, some dude named unknown posted iptables rules that log violations. I hear there is also an OSX Seatbelt policy floating around somewhere that may also be useful.
We should create a meta document, or perhaps just describe on https://trac.torproject.org/projects/tor/wiki/doc/build/BuildSignoff how to use these things to test for disk leaks, proxy issues, oddities, and other violations.

Make human summary of Tor Browser design doc
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/5294
Mike Perry, 2023-01-05T16:50:07Z

We should create a brief human-readable summary of the privacy properties of TBB, based on the Design Requirements.
We should probably include this in the short user manual, or on the download page, or both.
See also https://lists.torproject.org/pipermail/tor-talk/2012-January/022899.html.