My point was that users may not be aware of the possibilities of "looking at checkins, code changes, and binary diffs" even though it can affect their anonymity quite significantly. It doesn't seem crazy for users to assume that the latest version of a piece of software based on Firefox would generally use the latest version of Firefox.
To illustrate why I think this matters in practice, here's some data--which I should caution may not be 100% accurate since it's mostly pulled from blog posts and Wikipedia--comparing Mozilla release dates with TBB release dates:

MRD = Mozilla Release Date
TBBRD = Tor Browser Bundle (Stable Branch) Release Date
DPAR = Days Potentially at Risk, when TBB's Firefox code is older than the current TBB release's MRD

MRD       Version      TBBRD     Version    DPAR
12/9/13   24.2.0esr    12/11/13  TBD        2
11/15/13  17.0.11esr   11/21/13  2.3.25-15  6
10/29/13  17.0.10esr   11/1/13   2.3.25-14  3
9/17/13   17.0.9esr    9/20/13   2.3.25-13  3
8/6/13    17.0.8esr    8/9/13    2.3.25-11  3
6/25/13   17.0.7esr    6/26/13   2.3.25-10  1
5/10/13   17.0.6esr    5/14/13   2.3.25-8   4
4/2/13    17.0.5esr    4/4/13    2.3.25-6   2
3/7/13    17.0.4esr    3/14/13   2.3.25-5   7
2/19/13   17.0.3esr    2/22/13   2.3.25-4   3
1/8/13    10.0.12esr   1/8/13    2.3.25-2   0

There was no ridiculously-long delay between Firefox releases and TBB updates. There have been some delays of multiple weeks for beta/alpha versions of TBB this year, but that's not reflected above. But cumulatively, users of the Tor Browser Bundle have had a total of at least 34 days since January 8th of this year when they've been using old Firefox code.

Obviously, these crude numbers don't address any of the qualitative aspects of whether vulnerabilities patched were severe or possible to exploit in TBB. Having only 34 out of 337 days between January 8th and today where TBB users were using old Firefox code may not seem so bad (and was actually better than I expected), but having a 10% chance (on average) of being potentially vulnerable to bugs that Mozilla has already patched strikes me as a "low-hanging fruit" sort of opportunity to address for TBB users.
It's also worth keeping in mind that 10% is a minimum estimate for an average TBB user's risk of using old (and in my opinion, easier to exploit) Firefox code in TBB, and conservatively assumes that all users checked for and installed TBB updates every single time they used TBB this year.

I believe that may be a significant underestimate because I can say firsthand that using the Tor Browser Bundle in its stock configuration did NOT immediately notify me that I was using outdated Firefox code during the time that the FBI was exploiting Tor users this summer. I had been using an outdated but stock/stable version of TBB without being notified of available updates until I read about those exploits in the press and checked the website for updates manually. Perhaps my experience was unique or users are to blame for their own laziness in staying up-to-date, but I hope we can agree that making it easier for TBB users to run the latest available Firefox code 95 or 99% of the time could still be significantly safer than the status quo, where unless you build TBB yourself, running the latest Firefox code in TBB is only possible about 90% of the time.

> Yes but good luck with that. Mozilla and Tor are both aware of the
> possibilities involving looking at checkins, code changes, and binary
> diffs.
>
> From: [email protected]
> [email protected]
>
> An adversary could potentially dig through current Firefox release code,
> diff it against relevant portions of the code base used to build the Tor
> Browser Bundle, and then infer potentially exploitable vulnerabilities
> that TBB users might also be vulnerable to.
> --
> Al Billings
> http://makehacklearn.org
>
> --
> tor-talk mailing list - [email protected]
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
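The patch-lag figures in the message above can be recomputed from its table. This is an added example, not part of the original post: the function names are hypothetical, the period end of December 11, 2013 is an assumption inferred from the post's 337-day figure, and it generalizes slightly by counting distinct calendar days so that overlapping lag windows are not double-counted.

```python
from datetime import date, datetime

# Transcribed from the table in the post above:
# (Mozilla release date, Firefox ESR version, TBB stable release date)
RELEASES = [
    ("1/8/13", "10.0.12esr", "1/8/13"),
    ("2/19/13", "17.0.3esr", "2/22/13"),
    ("3/7/13", "17.0.4esr", "3/14/13"),
    ("4/2/13", "17.0.5esr", "4/4/13"),
    ("5/10/13", "17.0.6esr", "5/14/13"),
    ("6/25/13", "17.0.7esr", "6/26/13"),
    ("8/6/13", "17.0.8esr", "8/9/13"),
    ("9/17/13", "17.0.9esr", "9/20/13"),
    ("10/29/13", "17.0.10esr", "11/1/13"),
    ("11/15/13", "17.0.11esr", "11/21/13"),
    ("12/9/13", "24.2.0esr", "12/11/13"),
]


def parse(s):
    """Parse the table's M/D/YY date format."""
    return datetime.strptime(s, "%m/%d/%y").date()


def lag_days(releases, period_start, period_end):
    """Count distinct days in [period_start, period_end) on which an upstream
    release existed that the downstream bundle had not yet shipped."""
    lagging = set()
    for upstream, version, downstream in releases:
        start, end = parse(upstream), parse(downstream)
        if end < start:
            raise ValueError(f"{version}: bundle predates upstream release")
        # Clamp each window to the reporting period; an empty range adds nothing.
        lo, hi = max(start, period_start), min(end, period_end)
        lagging.update(range(lo.toordinal(), hi.toordinal()))
    return len(lagging)


def exposure(releases, period_start, period_end):
    """Return (days at risk, days in period, percentage at risk)."""
    at_risk = lag_days(releases, period_start, period_end)
    total = (period_end - period_start).days
    return at_risk, total, round(100 * at_risk / total, 1)


if __name__ == "__main__":
    # Assumed period: January 8, 2013 through December 11, 2013.
    print(exposure(RELEASES, date(2013, 1, 8), date(2013, 12, 11)))
```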
