
Re: [tor-talk] Reason Firefox version in TBB is so far behind?



On 2011-08-05, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
> On 8/2/2011 7:41 PM, Joe Btfsplk wrote:
>> On 8/2/2011 7:10 PM, Andrew Lewman wrote:
>>> On Tuesday, August 02, 2011 19:55:48 Joe Btfsplk wrote:
>>>> Are there specific reasons for not using latest (or late-er) Firefox
>>>> versions in Tor Browser Bundle?  Is it primarily because the latest
>>>> version doesn't always work w/ Tor&  fixes must be developed for Tor to
>>>> deal w/ that?
>>> It's the latest updated Firefox 3.6 branch.  FF4 branch has been
>>> killed and
>>> replaced with 5.  We have FF5 testing bundles. See
>>> https://blog.torproject.org/blog/new-tor-browser-bundles-3.
>> Thanks.  I realize the latest stable TBB has FF 3.6.  Is the reason
>> for delay in updating to latest FF version always for testing - to see
>> if Tor works properly?
>> Firefox versions used in stable TBB have always run behind the latest
>> FF release - sometimes several versions.  This may well be unavoidable
>> for TBB developers.  My original question - how does this affect the
>> security of TBB users?
> No comments on security implications of using a Firefox version in TBB,
> that isn't up to date with security fixes (sometimes not even close)?
> I'm grateful for the work done to create TBB, but the mantra of security
> experts has always been, "ALWAYS keep your browser / OS updated w/
> security patches."

That is why we ship the latest version of Firefox on the 3.6 branch in
our stable TBBs.  Mozilla is still releasing security updates on the
Firefox 3.6 branch.

As you can see from
https://blog.torproject.org/blog/new-tor-browser-bundles-3 , Firefox
3.6.19 and Firefox 5.0.1 were released on the same day.  That is
because Firefox 3.6.19 and Firefox 5.0.1 are security-fix releases
that fix the same security bug.  (Firefox 4.0, 4.0.1, and 5.0 are no
longer safe to use, even though their version numbers are greater than
3.6.19.)

> As said, it may be unavoidable (currently) for TBB developers to
> integrate new FF versions quickly, but surely I'm not the 1st to wonder
> about security issues of using old browser versions.
> The testing bundles Andrew mentioned are fine for, well... testing, but
> not for general users.  It's a long way & many fixes, from Firefox 3.6
> to 5.0 / 5.0.1.

There are some bugfixes in Firefox 5.0.1 that aren't in Firefox 3.6.19
-- notably, Mozilla finally applied our patch to fix Firefox's
hard-coded timeout when using a SOCKS proxy, so Firefox 5.0 and 5.0.1
no longer require an HTTP proxy such as Polipo between the browser and
Tor -- but the main difference between Firefox 3.6.x and Firefox 5.0.x
is that Firefox 5.0.x contains many new features.  And those features
introduced a crapload of bugs which have security implications for Tor
users -- mainly WebGL security bugs, but there were a few nasty
surprises in the new JavaScript interpreter (see
https://trac.torproject.org/projects/tor/ticket/2819 ,
https://trac.torproject.org/projects/tor/ticket/2873 , and
https://trac.torproject.org/projects/tor/ticket/2874 ).  There were
plenty of other changes to audit as well; look through Tor's bug
tracker if you're interested.


Robert Ransom
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
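The point Robert makes above (that Firefox 4.0, 4.0.1 and 5.0 are unpatched
even though their version numbers are larger than 3.6.19, because Mozilla
ships security fixes per branch) is easy to get wrong in a "minimum version"
check. The following Python is an added example, not code from the thread or
from the Tor Project; its branch table is constructed from the two releases
named in the thread (3.6.19 and 5.0.1, with the 4.x branch discontinued) and
is illustrative, not a complete Mozilla release history.

```python
"""Branch-aware 'is this browser patched?' check.

Added example. The table below is constructed from the releases named in the
tor-talk thread: 3.6.19 and 5.0.1 are the security-fix releases of their
branches, and the 4.x branch has been discontinued. It is not a full release
history.
"""
from __future__ import annotations

# Assumption (constructed from the thread): latest security-fix release per
# branch that still receives fixes. Firefox 3.6.x is a long-lived branch
# (key "3.6"); from 4 onward each major version is its own branch (key "4",
# "5"). A branch missing from this table no longer receives fixes.
LATEST_FIX_PER_BRANCH: dict[str, tuple[int, ...]] = {
    "3.6": (3, 6, 19),
    "5": (5, 0, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.6.19' into (3, 6, 19); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(version: tuple[int, ...], width: int = 3) -> tuple[int, ...]:
    """Right-pad with zeros so '5.0' and '5.0.0' compare equal."""
    return version + (0,) * (width - len(version))


def branch_of(version: tuple[int, ...]) -> str:
    """Map a version to the branch key used in LATEST_FIX_PER_BRANCH."""
    if version[0] < 4:
        minor = version[1] if len(version) > 1 else 0
        return f"{version[0]}.{minor}"
    return str(version[0])


def patch_status(text: str) -> str:
    """Return 'patched', 'unpatched' or 'unsupported' for a version string.

    The comparison is done only against the latest fix release of the
    version's own branch, never against releases of other branches.
    """
    version = pad(parse_version(text))
    latest = LATEST_FIX_PER_BRANCH.get(branch_of(version))
    if latest is None:
        return "unsupported"          # e.g. the killed 4.x branch
    return "patched" if version >= pad(latest) else "unpatched"


def naive_newer_than_oldest_fix(text: str) -> bool:
    """The mistaken check: 'my version number is at least 3.6.19, so I'm fine'.

    This is what a plain numeric comparison does, and it wrongly accepts
    4.0.1 and 5.0, both of which lack the fix that 3.6.19 and 5.0.1 carry.
    """
    oldest_fix = min(LATEST_FIX_PER_BRANCH.values())
    return pad(parse_version(text)) >= pad(oldest_fix)


if __name__ == "__main__":
    for v in ("3.6.18", "3.6.19", "4.0", "4.0.1", "5.0", "5.0.1"):
        print(f"{v:7} branch-aware: {patch_status(v):11} "
              f"naive: {'ok' if naive_newer_than_oldest_fix(v) else 'old'}")
```

Running it prints a line per version; the naive column says "ok" for
everything from 4.0 upward, while the branch-aware column reports 4.0 and
4.0.1 as unsupported and 5.0 as unpatched, which is the situation the thread
describes.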