Tor Browser issues
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues
Updated: 2023-02-15T08:26:56Z

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41351
Move the crypto protection patch earlier in the patchset
Updated: 2023-02-15T08:26:56Z
Author: Pier Angelo Vendrame

The patch for bug #40209 (e.g., ae81c697dfb66792ec5454a19e728f91abfee24d) could be moved to be with security level and new identity (so, possibly part of base browser, or be the first excluded patch).
The only problem is that it depends on TorStrings.jsm.
We should either wait for #40924 to be completed, or do a workaround, like I've done for #40925 and #40926.

Labels: Sponsor 131 - Phase 2 - Privacy Browser
Assignee: Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41312
Backport Firefox 105 Android security fixes to 102.3-based Tor Browser
Updated: 2022-09-23T23:01:49Z
Author: richard

https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/
The list of issues:
- CVE-2022-40961: Stack-buffer overflow when initializing Graphics
- [x] https://bugzilla.mozilla.org/show_bug.cgi?id=1784588
@tom can you add me to these issues please :)

Labels: Sponsor 131 - Phase 3 - Major ESR 102 Migration
Assignee: richard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41149
Review Mozilla 1762576: Firefox is not allowing Symantec DLP to inject DLL into the browser for Data Loss Prevention software
Updated: 2022-10-21T20:23:58Z
Author: richard

## https://bugzilla.mozilla.org/show_bug.cgi?id=1762576
Here's a thought, let's not let random processes inject dlls into tor-browser (to be clear I propose we revert / disable this functionality)

Labels: Sponsor 131 - Phase 3 - Major ESR 102 Migration
Assignee: Dan Ballard

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41131
Review Mozilla 1738983: Enable Background Update by default on Release starting in FX96
Updated: 2022-12-09T14:40:46Z
Author: richard

## https://bugzilla.mozilla.org/show_bug.cgi?id=1738983
Updater changes, odds are you're already aware and handled in the rebase already

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41112
Integrate cross-tab identity leak protection into Tor Browser with native UX
Updated: 2024-03-27T14:39:06Z
Author: donuts

In response to the potential for cache side channel attacks reported in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41071, @ma1 deployed [Cross-tab Identity Leak Protection](https://noscript.net/usage/#crosstab-identity-leak-protection) (or "TabGuard") in NoScript 11.4.8. However, some users are finding the warning confusing, and/or are suffering from warning fatigue – e.g.:
```
<Jeremy_Rand_36C3[m]> So far at least 2 users in #tor have been very confused about the NoScript warnings that were recently added. One of them thought the warning meant his identity had already leaked, and panicked and shut off Tor Browser. Seems like we should ask the UX Team to evaluate how we can improve this, now that we have some breathing room since the vulnerability is mitigated.
<Jeremy_Rand_36C3[m]> One of the two users I noticed who was confused about the warning was one of my co-workers, who is very technically proficient, including about Tor, and even he couldn't understand what the warning was about, what triggered it, and what the correct course of action was
<Jeremy_Rand_36C3[m]> Then you have a less sophisticated user who thought the warning meant he was already pwned and panicked
<Jeremy_Rand_36C3[m]> I was hoping the UX Team might be able to evaluate how this warning can be better presented so that users don't get confused or make bad decisions when they see it
```
We're planning on integrating this feature into Tor Browser as part of the work to migrate the Security Level feature in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40925. We should take this opportunity to improve the UX in general, in addition to converting the feature into standard Tor Browser UI patterns.

Assignee: ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41071
Targeted Deanonymization via the Cache Side Channel
Updated: 2024-01-29T11:59:05Z
Author: Ghost User

https://leakuidatorplusteam.github.io/
A paper describing the attacks will appear in the 31st USENIX Security Symposium (Boston, 10–12 August, 2022). A preprint of the paper is available [here](https://leakuidatorplusteam.github.io/preprint.pdf). The paper is the result of a collaboration between a group of researchers at the New Jersey Institute of Technology: Mojtaba Zaheri, Yossi Oren, and Reza Curtmola.
According to the authors, this attack has some nasty elements:
- It can precisely target any user with a specific public identifier, otherwise leave non-targeted users untouched.
- It can target users logged into highly popular resource-sharing services, for example Google, Dropbox, Twitter, Facebook.
- It works on users who use any browser including Tor Browser.
- It's scalable to attack large numbers of users.
- It gives no indication to the victim that they are being attacked.
- Effective countermeasures may involve a compromise of usability.
> On the Internet, the casual person surfing a website has a reasonable expectation that their identity remains private. We reveal new cache-based target deanonymization attacks which threaten user anonymity: An attacker who has complete or partial control over a website can learn whether a specific target (i.e., a unique individual) is browsing the website. The attacker knows this target only through a public identifier, such as an email address or a Twitter handle.
>
> The attacks leverage the sharing/blocking functionality provided by resource-sharing services such as YouTube, Google Drive, Dropbox, or Twitter. The target user is assumed to be logged into such a sharing service. The attacks exploit the CPU cache side channel on the target’s device, and can bypass isolation mechanisms and various defenses deployed by browser vendors or resource-sharing services.
>
> We evaluated the attacks on multiple hardware microarchitectures, multiple operating systems and multiple browser versions, including the highly-secure Tor Browser, and demonstrated practical targeted deanonymization attacks on major sites, including Google, Twitter, LinkedIn, TikTok, Facebook, Instagram and Reddit. The attack runs in less than 3 seconds in most cases, and can be scaled to target a large number of users.

Assignee: ma1
Date: 2022-08-10

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41041
[Feature proposal] Verification of onion service integrity
Updated: 2023-05-02T13:55:57Z
Author: Erik Moeller

## Problem statement
[SecureDrop](https://securedrop.org/) and similar onion services that seek to provide end-to-end-encrypted communications (between sender and designated recipient) have a bootstrapping problem: if the server is compromised, users cannot be sure that their communications are in fact end-to-end encrypted. Server-provided code or cryptographic key material may have been tampered with.
This is not addressed by existing web standards like [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) and [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP), both of which depend on the server being a trusted resource to begin with. In the context of WhatsApp E2EE, Cloudflare/Facebook have recently piloted the use of an [integrity verification browser extension](https://blog.cloudflare.com/cloudflare-verifies-code-whatsapp-web-serves-users/).
We similarly need a way to securely ship authenticated JavaScript and WASM code and ensure that script execution is limited to that resource(s) only.
The executed code would be the same for all SecureDrop instances of the same version. This requirement is both to prevent browser exploits from untrusted sites and from trusted but compromised websites, as well as to prevent MITM attacks from trusted but compromised websites.
## Proposal
We suggest that an integrity verification feature can be built on top of the existing [about:rulesets](https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/262) functionality in Tor Browser, which maps full-length onion addresses against short names in the form `<service-name>.<namespace>.tor.onion`, e.g., `nytimes.securedrop.tor.onion`, and ships this information as a signed ruleset.
In this proposal, a ruleset provider could act as a verifier of a set of hashes (e.g., sha-256) which correspond to accepted response bodies for specific paths, e.g., `/index.html`, `/1.0.0/`. Subresources could then be verified using SRI.
Tor Browser would need to compute the hash based on the decompressed response body, before rendering the page, and display an error message if it does not correspond to one of the accepted hashes.
Interactions with Tor Browser's safety settings and the NoScript extension will need to be considered; ideally we'd like to ensure script execution is limited to resources that are verified directly or indirectly (e.g., via SRI hashes in a verified resource).
## Alternatives and implementation
We’d be happy to discuss alternative approaches that seem like a better fit from the Tor Project’s perspective, and are open to partnering directly with you on implementing, testing and piloting any agreed-upon approach.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41020
Tor browser does not enable CFG on Windows.
Updated: 2022-07-09T02:21:44Z
Author: num0005

Control Flow Guard ([MS docs](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard)) is a mitigation measure that blocks certain ways of redirecting the control flow. It is an example of a [control flow integrity](https://en.wikipedia.org/wiki/Control-flow_integrity) mitigation. I did not check if the binary had other control flow integrity measures enabled as that would require reviewing the build process or disassembling the binary.
I verified that Tor Browser does not support CFG while Firefox does [using the `dumpbin` tool](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard#how-do-i-tell-that-a-binary-is-under-control-flow-guard).
The advantage of enabling CFG even if other CFI measures are already in place is that it allows for interoperability with OS libraries - it allows OS libraries to verify that any callbacks that point inside Tor Browser modules are valid.

Labels: Sponsor 131 - Phase 3 - Major ESR 102 Migration

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40813
Latest Tor Browser versions are not available via F-Droid
Updated: 2022-02-25T10:49:57Z
Author: Georg Koppen

I still have Tor Browser 10.5.10 and 11.0a8 on my phones using the Guardianproject workaround.
/cc @richard @sysrqb @aguestuser @eighthave

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40609
Investigate Firefox's per-site "Disable Javascript" feature
Updated: 2022-12-08T15:15:29Z
Author: Matthew Finkel

fe6cfda83acdbdd9f1576f710a1aa0d4116635b2

Assignee: ma1

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40218
Safest security level hides video controls
Updated: 2022-12-08T15:15:26Z
Author: torrrrrrrrrrrrrrrr

Tor Browser version: 10.0.2 (desktop) and 10.0.3 (Android)
Steps to reproduce:
- Go to about:preferences
- search for `security`
- change security level to safest
- open https://gnu.org
- click to authorize the media
![image](/uploads/55273e2e8ef4cbb2f470eb87807cfde3/image.png)

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40208
NoScript dies and crashes WebExtensions process
Updated: 2022-07-08T22:53:43Z
Author: Georg Koppen

I got reports from a cypherpunk:
```
NoScript died and crashed WebExtensions process on auto-updating,
silently removing all the protections and enabling JS on Safest! ^%(*^#!!!
```
and
```
NoScript 11.1.4 also does it after hibernation (32-bit version, at least)!
```
That's on Windows at least.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40207
Tor Browser is writing to Windows registry on every start
Updated: 2022-11-30T15:19:24Z
Author: Georg Koppen

I got a report from a cypherpunk:
```
https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Platform-Installation
Firefox is still writing to Windows Registry on every start:
Computer\HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
There it stores all the paths TBB was started from.
That also allows an attacker to permanently disable Launcher Process
security feature, and even any hiccup can do/leads to it:
about:support
Launcher Process Disabled due to failure
```

Labels: Sponsor 131 - Phase 2 - Privacy Browser

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41212
Fix startup crash in debug build when installing noscript
Updated: 2022-09-01T22:36:57Z
Author: Alex Catarineu

```
2020-10-30 16:29:12.038 10759-10759/org.torproject.torbrowser_debug D/StrictMode: StrictMode policy violation; ~duration=175 ms: android.os.strictmode.DiskWriteViolation
at android.os.StrictMode$AndroidBlockGuardPolicy.onWriteToDisk(StrictMode.java:1552)
at libcore.io.BlockGuardOs.open(BlockGuardOs.java:252)
at libcore.io.ForwardingOs.open(ForwardingOs.java:166)
at android.app.ActivityThread$AndroidOs.open(ActivityThread.java:7542)
at libcore.io.IoBridge.open(IoBridge.java:478)
at java.io.FileOutputStream.<init>(FileOutputStream.java:236)
at java.io.FileOutputStream.<init>(FileOutputStream.java:186)
at org.mozilla.fenix.components.TorBrowserFeatures.installNoScript(TorBrowserFeatures.kt:33)
at org.mozilla.fenix.components.TorBrowserFeatures.install(TorBrowserFeatures.kt:96)
at org.mozilla.fenix.components.Core$engine$2.invoke(Core.kt:121)
at org.mozilla.fenix.components.Core$engine$2.invoke(Core.kt:78)
at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74)
at org.mozilla.fenix.components.Core.getEngine(Unknown Source:2)
at org.mozilla.fenix.FenixApplication.setupInMainProcessOnly(FenixApplication.kt:150)
at org.mozilla.fenix.FenixApplication.onCreate(FenixApplication.kt:96)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1192)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6712)
at android.app.ActivityThread.access$1300(ActivityThread.java:237)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1913)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7656)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
2020-10-30 16:29:12.039 10759-10759/org.torproject.torbrowser_debug E/AndroidRuntime: FATAL EXCEPTION: main
Process: org.torproject.torbrowser_debug, PID: 10759
java.lang.RuntimeException: StrictMode ThreadPolicy violation
at android.os.StrictMode$AndroidBlockGuardPolicy.onThreadPolicyViolation(StrictMode.java:1813)
at android.os.StrictMode$AndroidBlockGuardPolicy.lambda$handleViolationWithTimingAttempt$0$StrictMode$AndroidBlockGuardPolicy(StrictMode.java:1727)
at android.os.-$$Lambda$StrictMode$AndroidBlockGuardPolicy$9nBulCQKaMajrWr41SB7f7YRT1I.run(Unknown Source:6)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7656)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
Caused by: android.os.strictmode.DiskWriteViolation
at android.os.StrictMode$AndroidBlockGuardPolicy.onWriteToDisk(StrictMode.java:1552)
at libcore.io.BlockGuardOs.open(BlockGuardOs.java:252)
at libcore.io.ForwardingOs.open(ForwardingOs.java:166)
at android.app.ActivityThread$AndroidOs.open(ActivityThread.java:7542)
at libcore.io.IoBridge.open(IoBridge.java:478)
at java.io.FileOutputStream.<init>(FileOutputStream.java:236)
at java.io.FileOutputStream.<init>(FileOutputStream.java:186)
at org.mozilla.fenix.components.TorBrowserFeatures.installNoScript(TorBrowserFeatures.kt:33)
at org.mozilla.fenix.components.TorBrowserFeatures.install(TorBrowserFeatures.kt:96)
at org.mozilla.fenix.components.Core$engine$2.invoke(Core.kt:121)
at org.mozilla.fenix.components.Core$engine$2.invoke(Core.kt:78)
at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74)
at org.mozilla.fenix.components.Core.getEngine(Unknown Source:2)
at org.mozilla.fenix.FenixApplication.setupInMainProcessOnly(FenixApplication.kt:150)
at org.mozilla.fenix.FenixApplication.onCreate(FenixApplication.kt:96)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1192)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6712)
at android.app.ActivityThread.access$1300(ActivityThread.java:237)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1913)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7656)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
2020-10-30 16:29:12.040 10759-10759/org.torproject.torbrowser_debug E/ExceptionHandler: Uncaught exception handled:
java.lang.RuntimeException: StrictMode ThreadPolicy violation
at android.os.StrictMode$AndroidBlockGuardPolicy.onThreadPolicyViolation(StrictMode.java:1813)
at android.os.StrictMode$AndroidBlockGuardPolicy.lambda$handleViolationWithTimingAttempt$0$StrictMode$AndroidBlockGuardPolicy(StrictMode.java:1727)
at android.os.-$$Lambda$StrictMode$AndroidBlockGuardPolicy$9nBulCQKaMajrWr41SB7f7YRT1I.run(Unknown Source:6)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7656)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
Caused by: android.os.strictmode.DiskWriteViolation
at android.os.StrictMode$AndroidBlockGuardPolicy.onWriteToDisk(StrictMode.java:1552)
at libcore.io.BlockGuardOs.open(BlockGuardOs.java:252)
at libcore.io.ForwardingOs.open(ForwardingOs.java:166)
at android.app.ActivityThread$AndroidOs.open(ActivityThread.java:7542)
at libcore.io.IoBridge.open(IoBridge.java:478)
at java.io.FileOutputStream.<init>(FileOutputStream.java:236)
at java.io.FileOutputStream.<init>(FileOutputStream.java:186)
at org.mozilla.fenix.components.TorBrowserFeatures.installNoScript(TorBrowserFeatures.kt:33)
at org.mozilla.fenix.components.TorBrowserFeatures.install(TorBrowserFeatures.kt:96)
at org.mozilla.fenix.components.Core$engine$2.invoke(Core.kt:121)
at org.mozilla.fenix.components.Core$engine$2.invoke(Core.kt:78)
at kotlin.SynchronizedLazyImpl.getValue(LazyJVM.kt:74)
at org.mozilla.fenix.components.Core.getEngine(Unknown Source:2)
at org.mozilla.fenix.FenixApplication.setupInMainProcessOnly(FenixApplication.kt:150)
at org.mozilla.fenix.FenixApplication.onCreate(FenixApplication.kt:96)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1192)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6712)
at android.app.ActivityThread.access$1300(ActivityThread.java:237)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1913)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7656)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
```

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40087
Use "Safer" as the default security level
Updated: 2023-01-05T16:13:52Z
Author: Matthew Finkel

We should move toward shipping Tor Browser with Safer as the default security level. Safer includes a more sane and reasonable compromise between usability and security, and (we suspect) most users never change the security level from the default. Therefore, we should use a safe(r) default.
This ticket can track what is needed for this:
- [ ] #40086
- [ ] #33000
- [ ] #19850
- [ ] #22981

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/34136
Audit the Content Process Sandbox Level bump in ESR68.8 on Windows
Updated: 2022-01-11T19:31:33Z
Author: cypherpunks

To fix CVE-2020-12388 and CVE-2020-12389, Mozilla set `security.sandbox.content.level` to `6`.
The code to support that was backported to ESR: https://hg.mozilla.org/mozilla-unified/file/esr68/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp#l505
Correctness and completeness of the backport should be audited.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/34017
Bump openssl version to 1.1.1g for Tor Browser
Updated: 2022-01-11T19:31:33Z
Author: cypherpunks

https://www.openssl.org/news/secadv/20200421.txt

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/33479
PDF fullscreen Presentation Mode doesn't letterbox
Updated: 2023-05-03T13:40:28Z
Author: cypherpunks

1. Open a PDF file in a new tab so it opens in the browser's internal PDF viewer. Here's one. https://gitweb.torproject.org/company/policies.git/plain/corpdocs/IRS-Determination-Letter.pdf
2. Click the 4-outward-arrows (fullscreen?) icon on the PDF toolbar. Its tooltip when you hover on it says, "Switch to Presentation Mode"
3. Observe that Presentation Mode is not letterboxed.
PDF Presentation Mode is distinct from browser full screen (F11 key) and from maximize.
Is this exploitable at all? Is the internal PDF API fingerprintable? Tor Browser warns when downloading to not open files in external viewers that could circumvent Tor.
Similar vectors:
* legacy/trac#32713, Letterboxing doesn't work when fullscreening videos
* legacy/trac#12609, HTML5 fullscreen API makes TB fingerprintable
Inspired by:
* https://blog.torproject.org/comment/286752#comment-286752

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/33390
Consider Open in Browser addon
Updated: 2023-05-27T13:57:20Z
Author: cypherpunks

What Tor Browser still lacks.
Have you ever been annoyed when you wanted to see a document and the download popup appears which forces you to select an external application to view it?
This extension allows you to open the document directly in your browser.
https://addons.mozilla.org/en-US/firefox/addon/open-in-browser/

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32896
Keep track of security updates to parts of Tor Browser
Updated: 2022-01-11T19:31:33Z
Author: Georg Koppen

Tor Browser is actually a bundle containing a bunch of software pieces like Firefox, Tor, NoScript, OpenSSL. For some of those pieces (like Firefox, Tor, NoScript) there is a way to keep track of security issues and their fixes, be it due to code inspection and notification or, kind of, due to automatic updates as in the NoScript case. But that does not hold for every piece of the bundle.
We should do two things to have at least a better overview about potential security issues we want to fix:
a) We need to come up with all of the bundle parts we think we should track for security issues.
b) We need to actually track those pieces.
Mozilla had a [third-party library alert](https://github.com/mozilla-services/third-party-library-alert) tjr worked on a while back, which we might be able to look at for help.