[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] 2.2.35-11, TBB Linux: network.websocket.enabled = true, why?



On Mon, May 07, 2012 at 05:30:40AM -0000, ming@xxxxxxxxxxx wrote:
> With this blog entry:
> 
> https://blog.torproject.org/blog/new-tor-browser-bundles-security-release
> 
> It claims 2.2.35-11 fixes a problem posted here:
> 
> https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
> 
> With Tor Browser Bundle (2.2.35-11); suite=linux installed, I read where it
> was fixed in the changelog:
> 
> From: ~/tor-browser_en-US/Docs/changelog:
> 
> * New Firefox patches:
> - Prevent WebSocket DNS leak (closes: #5741)
> 
> But when running this new bundle version, network.websocket.enabled
> remains set at true.

Yep.

> How was this patched when the value remains set as true? Shouldn't the
> above value now be set at false?

Setting the value to false was the quick workaround. It basically
breaks all websockets for you. The better fix is to make websockets work
without leaking your DNS query:
https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch

See
https://gitweb.torproject.org/torbrowser.git/tree/HEAD:/src/current-patches/firefox
for the variety of other things we need to do to Firefox to make it safe
to use. We're working with a Mozilla engineer to get these fixes back into
mainline so we don't keep diverging even more -- but that's tough going.

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk