The first release candidate for the next stable series of the security-enhanced Torbutton Firefox extension has been released. This release features functional support for Firefox 3. However, this support has not been extensively tested. In particular, timezone masking does not work at all. The workaround is to manually set the environment variable 'TZ' to 'UTC' before starting Firefox. This works on both Linux and Windows.

Firefox 3 users should keep a close eye on Torbutton. In particular, the new Places history database code is connected to all sorts of different parts of the browser, and it is unknown if 'disabling history' actually prevents disk writes for many parts of its database. It is also possible this code may perform strange network accesses at odd times as well (the 'Livemarks' code is one case of this that has known issues). Please keep an eye on your Vidalia window. Adventurous users can also run wireshark, and/or help with the disk access auditing by running Process Monitor on their Windows systems:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

A list of other Firefox bugs known to impact Torbutton security can be found at:

https://torbutton.torproject.org/dev/design/#FirefoxSecurity

Here is the complete changelog for 1.2.0rc1:

* general: FF3 should now be functional, but timezone masking is not operational
* bugfix: Fix Places/history component hooking in FF3
* bugfix: Disable Places database in FF3 via browser.history_expire_days=0 if history writes are disabled.
* bugfix: General component hooking fixes for FF3
* bugfix: Block favicon leaking in FF3
* bugfix: Enable safebrowsing updates in FF3 (it's finally HMACd. Yay).
* bugfix: Use Greg Fleischer's new useragent prefs in FF3.
* bugfix: Properly reset cookie lifetime policy when user changes cookie handling options.
* bugfix: Fix 'Restore defaults' button issues with custom proxy settings
* bugfix: navigator.oscpu hooking was broken in 1.1.18
* bugfix: Try to prevent alleged 0x0 windows on crash recovery
* bugfix: Attempt to block livemarks updates during Tor. Only partial fix. Not possible to cancel existing Livemarks timer (one fetch will still happen via Tor before disable). See Firefox Bug 436250
* misc: Set plugin.disable_full_page_plugin_for_types for all plugin mimetypes just in case our custom full page blocking code fails

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs