On Mon, May 07, 2012 at 05:30:40AM -0000, m...@tormail.org wrote: > With this blog entry: > > https://blog.torproject.org/blog/new-tor-browser-bundles-security-release > > It claims 2.2.35-11 fixes a problem posted here: > > https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs > > With Tor Browser Bundle (2.2.35-11); suite=linux installed, I read where it > was fixed in the changelog: > > From: ~/tor-browser_en-US/Docs/changelog: > > * New Firefox patches: > - Prevent WebSocket DNS leak (closes: #5741) > > But when running this new bundle version, network.websocket.enabled > remains set at true.
Yep. > How was this patched when the value remains set as true? Shouldn't the > above value now be set at false? Setting the value to false was the quick workaround. It basically breaks all websockets for you. The better fix is to make websockets work without leaking your DNS query: https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch See https://gitweb.torproject.org/torbrowser.git/tree/HEAD:/src/current-patches/firefox for the variety of other things we need to do to Firefox to make it safe to use. We're working with a Mozilla engineer to get these fixes back into mainline so we don't keep diverging even more -- but that's tough going. --Roger _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
