Adapt Intermediate Preloading for Tor Browser
Can we turn https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading into something useful for ESR68?
Activity
- cypherpunks added component::applications/tor browser in Legacy / Trac ff78-esr in Legacy / Trac owner::tbb-team in Legacy / Trac priority::medium in Legacy / Trac severity::normal in Legacy / Trac sponsor::44-can in Legacy / Trac status::new in Legacy / Trac type::enhancement in Legacy / Trac labels
- Developer
My initial thought is we should disable it unless we can bundle all the intermediates in TB. I am uncomfortable having TB doing Kinto requests to Mozilla that disclose any data about the user's state, even if it's disclosing very minimal information over Tor: https://groups.google.com/forum/#!searchin/mozilla.dev.platform/intermediate|sort:date/mozilla.dev.platform/ATbLAQpWLXE/F0MpR2wFBgAJ
Adding Sponsor 44 to ESR68 tickets
Trac:
Sponsor: N/A to Sponsor44-can
We could place the bundle in services/settings/dumps/main/ (https://searchfox.org/mozilla-esr68/rev/8d7d1cd37b45b4cb0a512234537d0e950d30a547/services/common/docs/RemoteSettings.rst#154) but I think that to use it while avoiding the remote fetch/sync would require some patching.
It seems we do not have to worry about this for esr68, since the feature is only enabled if MOZ_NEW_CERT_STORAGE=1 (https://searchfox.org/mozilla-esr68/rev/4fc15df791ad4d3ceaf1a958af2bfc1252433ca8/services/common/blocklist-clients.js#268), which is currently enabled only on Firefox Nightly. And I don't think we want to enable it while it's not even in latest Firefox (69 at the time of writing).
- Developer
Replying to acat:
> It seems we do not have to worry about this for esr68, since the feature is only enabled if MOZ_NEW_CERT_STORAGE=1 (https://searchfox.org/mozilla-esr68/rev/4fc15df791ad4d3ceaf1a958af2bfc1252433ca8/services/common/blocklist-clients.js#268), which is currently enabled only on Firefox Nightly. And I don't think we want to enable it while it's not even in latest Firefox (69 at the time of writing).

Sounds good. FWIW: I think the relevant bug here is: https://bugzilla.mozilla.org/show_bug.cgi?id=1555110 (which would disable the feature even if MOZ_NEW_CERT_STORAGE was set)
Trac:
Keywords: ff68-esr deleted, ff78-esr added
- Alex Catarineu mentioned in issue legacy/trac#31740 (moved)
- Trac moved from legacy/trac#30682 (moved)
- Trac removed 1 deleted label
- Gaba added 1 deleted label
- Mark Smith mentioned in issue #33534 (closed)
- Kathleen Brade mentioned in merge request !8 (merged)
- Alex Catarineu mentioned in issue #40038 (closed)
- Gitolite Merge Bot closed via merge request !8 (merged)
- Georg Koppen mentioned in issue #40099
- Pier Angelo Vendrame mentioned in issue #40783 (closed)