[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Reason Firefox version in TBB is so far behind?
On 2011-08-05, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
> On 8/2/2011 7:41 PM, Joe Btfsplk wrote:
>> On 8/2/2011 7:10 PM, Andrew Lewman wrote:
>>> On Tuesday, August 02, 2011 19:55:48 Joe Btfsplk wrote:
>>>> Are there specific reasons for not using latest (or late-er) Firefox
>>>> versions in Tor Browser Bundle? Is it primarily because the latest
>>>> version doesn't always work w/ Tor& fixes must be developed for Tor to
>>>> deal w/ that?
>>> It's the latest udpated Firefox 3.6 branch. FF4 branch has been
>>> killed and
>>> replaced with 5. We have FF5 testing bundles. See
>>> https://blog.torproject.org/blog/new-tor-browser-bundles-3.
>> Thanks. I realize the latest stable TBB has FF 3.6. Is the reason
>> for delay in updating to latest FF version always for testing - to see
>> if Tor works properly?
>> Firefox versions used in stable TBB have always run behind the latest
>> FF release - sometimes several versions. This may well be unavoidable
>> for TBB developers. My original question - how does this affect the
>> security of TBB users?
>> _______________________________________________
>>
> No comments on security implications of using a Firefox version in TBB,
> that isn't up to date with security fixes (sometimes not even close)?
> I'm grateful for the work done to create TBB, but the mantra of security
> experts has always been, "ALWAYS keep your browser / OS updated w/
> security patches."
That is why we ship the latest version of Firefox on the 3.6 branch in
our stable TBBs. Mozilla is still releasing security updates on the
Firefox 3.6 branch.
As you can see from
https://blog.torproject.org/blog/new-tor-browser-bundles-3 , Firefox
3.6.19 and Firefox 5.0.1 were released on the same day. That is
because Firefox 3.6.19 and Firefox 5.0.1 are security-fix releases
that fix the same security bug. (Firefox 4.0, 4.0.1, and 5.0 are no
longer safe to use, even though their version numbers are greater than
3.6.19.)
> As said, it may be unavoidable (currently) for TBB developers to
> integrate new FF versions quickly, but surely I'm not the 1st to wonder
> about security issues of using old browser versions.
> The testing bundles Andrew mentioned are fine for, well... testing, but
> not for general users. It's a long way & many fixes, from Firefox 3.6
> to 5.0 / 5.0.1.
There are some bugfixes in Firefox 5.0.1 that aren't in Firefox 3.6.19
-- notably, Mozilla finally applied our patch to fix Firefox's
hard-coded timeout when using a SOCKS proxy, so Firefox 5.0 and 5.0.1
no longer require an HTTP proxy such as Polipo between the browser and
Tor -- but the main difference between Firefox 3.6.x and Firefox 5.0.x
is that Firefox 5.0.x contains many new features. And those features
introduced a crapload of bugs which have security implications for Tor
users -- mainly WebGL security bugs, but there were a few nasty
surprises in the new JavaScript interpreter (see
https://trac.torproject.org/projects/tor/ticket/2819 ,
https://trac.torproject.org/projects/tor/ticket/2873 , and
https://trac.torproject.org/projects/tor/ticket/2874 ). There were
plenty of other changes to audit as well; look through Tor's bug
tracker if you're interested.
Robert Ransom
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk