[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #10682 [TorBrowserButton]: Disable update pings for Torbutton and Tor Launcher



#10682: Disable update pings for Torbutton and Tor Launcher
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mikeperry
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:           |    Version:
  critical               |   Keywords:  tbb-security, extdev-interview,
    Component:           |  MikePerry201401R
  TorBrowserButton       |  Parent ID:
   Resolution:           |
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Well, due to the fix for #10419, these requests are in fact broken. The
 browser will no longer connect to directly to 127.0.0.1, nor will
 connections to 127.0.0.1 be sent to the exit node, unless the user edits
 their torrc to set 'ExtendAllowPrivateAddresses 1' for some reason. So
 this should certainly be an improvement

 If you want defense in depth against people who reconfigure Tor/Firefox,
 we can also use a banned port too instead of 443, but this fix is already
 in 3.5.2, which we shouldn't delay any further without compelling reason
 because it contains security fixes for Firefox 24.3.0.

 Would you consider a banned port to be an improvement? If so, we can file
 a new ticket and I will commit that immediately for 3.5.3.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10682#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs