The version of Firefox incorporated into the Tor Browser Bundle (TBB) available via torproject.org is currently multiple releases behind both Firefox ESR and Firefox. The latest-available Tor Browser Bundles generally include versions of Firefox ESR that do not include patches for publicly known security vulnerabilities.
That means that unless you're sufficiently skilled to compile TBB's extensive modifications to Firefox along with Mozilla's current stable release code, it's likely that *ALL* TBB users will be vulnerable to multiple serious, known, and publicly patched security vulnerabilities that have been discussed in public for a popular piece of software with a huge attack surface. My own view is that TBB users should consider rejecting arguments like "TBB's release cycle is only a few weeks behind Mozilla's" since publicly known exploits are often disclosed, discussed, and patched in Mozilla's release cycle before updates to Firefox are issued. We have to do better.

Many more TBB users are probably--and in many cases, unknowingly--using Tor Browser Bundles that are even more out of date than the latest available from torproject.org and are therefore even more likely to be vulnerable to Firefox exploits. Most Tor Browser Bundle users probably don't obsessively check the Tor Project's blog at https://blog.torproject.org/blog/ (since notifications of new Tor Browser Bundles usually aren't even announced on the main torproject.org site) and may not always benefit from the latest, greatest update notification functionality.

The targeting of Tor users accessing tormail.org with Firefox exploits earlier this year underscores the fact that these concerns are not merely theoretical or overly paranoid. Firefox security exploits targeting Tor users are a problem, and arguing "it was a Firefox vulnerability, not a Tor vulnerability" doesn't seem reasonable when Tor Browser Bundle releases that include fully patched versions of Firefox are rarely if ever available at any given point in time. And although there are usually multiple examples at any given time, I think it's particularly unfortunate that essentially *all* TBB users are probably still vulnerable to MITM attacks with a bad French SSL certificate for Google when users of the latest versions of Chrome and Firefox aren't.
Before that, TBB's Firefox ESR didn't have important patches to the NSS crypto library that normal Firefox users *did* have for a while. And so on. Several weeks may not seem like a long time for users to be running vulnerable code, but if that's essentially *always* the case, targeting TBB users with Firefox exploits becomes a lot like shooting fish in a barrel for a malicious server, since many if not most Tor users use the recommended Tor Browser Bundle, which an adversary can increasingly bet will be vulnerable to Firefox exploits that are relatively easy to target.

I'm not suggesting that The Tor Project start taking responsibility for the security of Firefox itself or address vulnerabilities faster than Mozilla does. And I still believe that, on average, TBB is more secure than Firefox for most users most of the time...by a long shot. Supporting extensive modifications and improvements to Firefox in TBB is a massive undertaking, and supporting so many platforms on a shoestring budget is itself a huge accomplishment. As of today, TAILS includes a more recent version of Firefox code, which is awesome. I hope TBB can move in that direction.

"Catching up" to Mozilla's release cycle for security patches in the Tor Browser Bundle release cycle should not be impossible. Mozilla doesn't just spit out binaries for Tor Project staff to decompile and puzzle over for months before the process of updating the Tor Browser Bundle can begin. "Catching up" may ultimately require resources that The Tor Project simply doesn't have, but at some point, users of the latest TBB code are either vulnerable to publicly known and already-patched Firefox security vulnerabilities, or they aren't. All that is to say that I hope the Tor Project will give greater priority to harmonizing TBB's security update cycle with Mozilla's. Same-day security updates to stable releases of the Firefox code in TBB would be ideal.
I understand recent job announcements already reflect greater emphasis on the Tor Browser Bundle and add-ons, but the current reality of most users of the latest-available TBB releases being vulnerable to serious, publicly known Firefox vulnerabilities most of the time is untenable. What can users do to help?

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
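One concrete thing a TBB user (or someone supporting a group of them) can do is check how far the Firefox ESR build inside their bundle lags the reference ESR release, rather than trusting that the bundle is "only a few weeks behind". The script below is an added illustration written for this post; it is not code from the Tor Project, Mozilla or the poster, and the function names (`parse_version`, `check_lag`, `version_from_user_agent`) and every version string in it are constructed sample values, not a record of what any real bundle shipped. It also shows a caveat worth knowing: the User-Agent header only advertises major.minor, so the point release (where security fixes usually land) cannot be read from it.

```python
"""Compare an installed Firefox (ESR) version against a reference release.

Added example for the tor-talk post above; not Tor Project or Mozilla code.
All version strings used here are constructed sample values.
"""
import re
from typing import NamedTuple, Optional


class FirefoxVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    esr: bool

    def as_tuple(self):
        # The "esr" tag is a branch marker, not part of the ordering.
        return (self.major, self.minor, self.patch)


# Accepts "17.0", "17.0.10", "17.0.10esr", "24.1.1esr".
# Beta/nightly strings such as "25.0b3" are deliberately rejected: they are
# not stable releases and should not be compared as if they were.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")

# Firefox advertises only major.minor in its User-Agent header.
_UA_RE = re.compile(r"Firefox/(\d+\.\d+(?:\.\d+)?)")


def parse_version(text: str) -> FirefoxVersion:
    """Parse a release version string; a missing patch component means .0."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, esr = m.groups()
    return FirefoxVersion(int(major), int(minor), int(patch or 0), esr is not None)


def version_from_user_agent(ua: str) -> Optional[FirefoxVersion]:
    """Extract the Firefox version a User-Agent header claims, if any.

    Caveat: the header carries major.minor only, so two bundles that differ by
    a security point release look identical here. Use the bundle's changelog
    or about:support for the real point release.
    """
    m = _UA_RE.search(ua)
    return parse_version(m.group(1)) if m else None


def check_lag(installed: str, reference: str) -> dict:
    """Report whether `installed` is behind `reference` and on the same branch.

    `point_releases_behind` is only computed when both versions share a
    major.minor branch; across branches the number of releases is not a
    meaningful measure, so it is left as None.
    """
    inst = parse_version(installed)
    ref = parse_version(reference)
    same_branch = inst.major == ref.major and inst.esr == ref.esr
    behind = inst.as_tuple() < ref.as_tuple()
    point_releases_behind = None
    if same_branch and inst.minor == ref.minor and behind:
        point_releases_behind = ref.patch - inst.patch
    return {
        "installed": inst,
        "reference": ref,
        "same_branch": same_branch,
        "behind": behind,
        "point_releases_behind": point_releases_behind,
    }


if __name__ == "__main__":
    # Constructed sample: a bundle one ESR point release behind the reference.
    result = check_lag("17.0.9esr", "17.0.10esr")
    status = "BEHIND" if result["behind"] else "current"
    print(f"{result['installed']} vs {result['reference']}: {status}, "
          f"point releases behind: {result['point_releases_behind']}")
```

Run it with the installed version taken from about:support (or the bundle's changelog) and the reference version taken from Mozilla's current ESR announcement; a `behind` result on the same branch means the bundle is missing at least one point release, which is exactly the window the post is worried about.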
