
Re: [tor-talk] Firefox vs. Tor Browser Bundle release cycles



My point was that users may not be aware of the possibilities of "looking
at checkins, code changes, and binary diffs" even though it can affect
their anonymity quite significantly. It doesn't seem crazy for users to
assume that the latest version of a piece of software based on Firefox
would generally use the latest version of Firefox.

To illustrate why I think this matters in practice, here's some
data--which I should caution may not be 100% accurate since it's mostly
pulled from blog posts and Wikipedia--comparing Mozilla release dates with
TBB release dates:

MRD = Mozilla Release Date
TBBRD = Tor Browser Bundle (Stable Branch) Release Date
DPAR = Days Potentially at Risk, when TBB's Firefox code is older than the
current TBB release's


MRD       Version      TBBRD     Version     DPAR
12/9/13   24.2.0esr    12/11/13  TBD         2
11/15/13  17.0.11esr   11/21/13  2.3.25-15   6
10/29/13  17.0.10esr   11/1/13   2.3.25-14   3
9/17/13   17.0.9esr    9/20/13   2.3.25-13   3
8/6/13    17.0.8esr    8/9/13    2.3.25-11   3
6/25/13   17.0.7esr    6/26/13   2.3.25-10   1
5/10/13   17.0.6esr    5/14/13   2.3.25-8    4
4/2/13    17.0.5esr    4/4/13    2.3.25-6    2
3/7/13    17.0.4esr    3/14/13   2.3.25-5    7
2/19/13   17.0.3esr    2/22/13   2.3.25-4    3
1/8/13    10.0.12esr   1/8/13    2.3.25-2    0

There was no ridiculously-long delay between Firefox releases and TBB
updates. There have been some delays of multiple weeks for beta/alpha
versions of TBB this year, but that's not reflected above.

But cumulatively, users of the Tor Browser Bundle have had a total of at
least 34 days since January 8th of this year when they've been using old
Firefox code. Obviously, these crude numbers don't address any of the
qualitative aspects of whether vulnerabilities patched were severe or
possible to exploit in TBB.

Having only 34 out of 337 days between January 8th and today where TBB
users were using old Firefox code may not seem so bad (and was actually
better than I expected), but having a 10% chance (on average) of being
potentially vulnerable to bugs that Mozilla has already patched strikes me
as a "low-hanging fruit" sort of opportunity to address for TBB users.

It's also worth keeping in mind that 10% is a minimum estimate for an
average TBB user's risk of using old (and in my opinion, easier to
exploit) Firefox code in TBB, and conservatively assumes that all users
checked for and installed TBB updates every single time they used TBB this
year.

I believe that may be a significant underestimate because I can say
firsthand that using the Tor Browser Bundle in its stock configuration did
NOT immediately notify me that I was using outdated Firefox code during
the time that the FBI was exploiting Tor users this summer. I had been
using an outdated but stock/stable version of TBB without being notified
of available updates until I read about those exploits in the press and
checked the website for updates manually.

Perhaps my experience was unique or users are to blame for their own
laziness in staying up-to-date, but I hope we can agree that making it
easier for TBB users to run the latest available Firefox code 95 or 99% of
the time could still be significantly safer than the status quo, where
unless you build TBB yourself, running the latest Firefox code in TBB is
only possible about 90% of the time.


> Yes but good luck with that. Mozilla and Tor are both aware of the
> possibilities involving looking at checkins, code changes, and binary
> diffs.
>
> From: bm-2d9whbg2vekslcsgbtplgwdlqypizsqs85@xxxxxxxxxxxxx
> bm-2d9whbg2vekslcsgbtplgwdlqypizsqs85@xxxxxxxxxxxxx
>
> An adversary could potentially dig through current Firefox release code, 
> diff it against relevant portions of the code base used to build the Tor 
> Browser Bundle, and then infer potentially exploitable vulnerabilities 
> that TBB users might also be vulnerable to. 
> -- 
> Al Billings
> http://makehacklearn.org
>
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
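The "days potentially at risk" arithmetic from the post above, as an added example that is not code from the post, the Tor Project or Mozilla. It recomputes each release's DPAR and the cumulative 34-of-337-day figure from the tabulated dates (embedded here as constructed sample input, TBD row included), and goes one step further than the post with an install_delay_days parameter, an assumption of mine, to model a user who installs each TBB update some days after it ships, which is the underestimate the post points out.

```python
"""Days-potentially-at-risk (DPAR) from paired Mozilla ESR / TBB release dates.

Added example, not code from the post or the Tor Project.  The rows are the
dates tabulated in the post, embedded here as constructed sample input.
"""
from datetime import date, timedelta


def parse_us_date(text):
    """Parse a US-style m/d/yy (or m/d/yyyy) string as written in the post."""
    month, day, year = (int(part) for part in text.split("/"))
    if year < 100:
        year += 2000
    return date(year, month, day)


# (Mozilla release date, Firefox version, TBB release date, TBB version)
RELEASES = [
    ("12/9/13", "24.2.0esr", "12/11/13", "TBD"),
    ("11/15/13", "17.0.11esr", "11/21/13", "2.3.25-15"),
    ("10/29/13", "17.0.10esr", "11/1/13", "2.3.25-14"),
    ("9/17/13", "17.0.9esr", "9/20/13", "2.3.25-13"),
    ("8/6/13", "17.0.8esr", "8/9/13", "2.3.25-11"),
    ("6/25/13", "17.0.7esr", "6/26/13", "2.3.25-10"),
    ("5/10/13", "17.0.6esr", "5/14/13", "2.3.25-8"),
    ("4/2/13", "17.0.5esr", "4/4/13", "2.3.25-6"),
    ("3/7/13", "17.0.4esr", "3/14/13", "2.3.25-5"),
    ("2/19/13", "17.0.3esr", "2/22/13", "2.3.25-4"),
    ("1/8/13", "10.0.12esr", "1/8/13", "2.3.25-2"),
]


def days_at_risk(rows):
    """Per release: days from Mozilla's fix to the TBB build that carries it."""
    result = []
    for mrd, ff_version, tbbrd, tbb_version in rows:
        gap = (parse_us_date(tbbrd) - parse_us_date(mrd)).days
        if gap < 0:
            # A TBB build cannot carry a fix Mozilla has not shipped yet.
            raise ValueError(f"TBB {tbb_version} predates Firefox {ff_version}")
        result.append((ff_version, tbb_version, gap))
    return result


def exposure(rows, window_end, install_delay_days=0):
    """Return (risk_days, window_days, fraction) over [earliest MRD, window_end].

    install_delay_days (an assumption added here, not in the post) is how long
    after a TBB release the user actually installs it; 0 reproduces the post's
    best case of an immediately-updating user.  Each lag is capped at the next
    Mozilla release (from then on the exposure is counted against that release)
    and at window_end.
    """
    ordered = sorted(rows, key=lambda r: parse_us_date(r[0]))
    risk_days = 0
    for i, (mrd, _ff, tbbrd, _tbb) in enumerate(ordered):
        fixed = parse_us_date(mrd)
        patched = parse_us_date(tbbrd) + timedelta(days=install_delay_days)
        if i + 1 < len(ordered):
            next_fix = parse_us_date(ordered[i + 1][0])
        else:
            next_fix = window_end
        end = min(patched, next_fix, window_end)
        risk_days += max(0, (end - fixed).days)
    window_days = (window_end - parse_us_date(ordered[0][0])).days
    return risk_days, window_days, risk_days / window_days


if __name__ == "__main__":
    for ff, tbb, gap in days_at_risk(RELEASES):
        print(f"{ff:<12} {tbb:<10} {gap:>3} days")
    # "today" in the post is 12/11/13 (337 days after 1/8/13)
    for delay in (0, 7, 14):
        risk, window, frac = exposure(RELEASES, parse_us_date("12/11/13"), delay)
        print(f"install delay {delay:>2}d: {risk}/{window} days = {frac:.1%}")
```

With install_delay_days=0 the script reproduces the post's 34/337 (about 10%); with a two-week install delay the same release stream puts the user on stale Firefox code for 173 of the 337 days, which is the direction of the underestimate the post describes.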