Web Developers and Firefox Hackers: Help us with Firefox 4

by mikeperry | March 25, 2011

We need some web-savvy people to help us audit the Torbutton alpha series for Firefox 4. I've performed a preliminary audit, and Torbutton 1.3.2-alpha should be safe from major issues, but a lot more testing is needed. In particular, we need people to test the new Firefox 4 features.

The notes from my preliminary audit are available in the Torbutton git repository, but note that I have not tested everything that struck me as potentially troublesome, and there may be other things I missed too.

As a reminder, the types of things we are looking for are things that violate the Torbutton Security Requirements, which may include new ways to bypass proxy settings, to fingerprint users, or to use novel identifiers to correlate Tor and Non-Tor activity.

In addition, we may have some funding to address outstanding Torbutton-related bugs in Firefox. If you know C++ and/or Firefox internals, we should be able to pay you for your time to address these issues and shepherd the relevant patches through Mozilla's review process.

If you find issues, or if you are interested in working on fixing these bugs, please contact us at tor-assistants at torproject dot org. Torbutton bugs that you find can be added to the growing pile at the Torbutton Bug Tracker.

The sooner we get these issues taken care of, the sooner we can confidently release a stable Torbutton for Firefox 4.

Comments

Please note that the comment area below has been archived.

This is exactly what we are planning for the Firefox bugs. We also can pay for certain Tor tasks as well, but usually we want those done on a larger amount of work/timescale than per-bug basis, mostly because it is painful to assign a public dollar amount to *every* issue and task we want completed.

Do you think we should assign explicit, public dollar amounts to the Firefox bugs? The problem I see with this is that the Mozilla code review process is an especially painful one. You can literally end up shepherding a patch for years (I'm not kidding: see Bug 280661).

I think this means we probably should assign two sets of hourly rates, one before code review and one after, perhaps with two ceilings on these amounts. The rate before code review/submission would be higher, to encourage better work up front. Or perhaps this not right either.

But, I think if we do not figure out a way to both allow people to bill before the patch is actually merged (perhaps once we merge it into Tor Browser Bundle, for example), and also to get compensated for dealing with Mozilla bureaucracy, we're going to end up with only partially written patches that never get finished, and/or we're not going to get any responses from people who have dealt with Mozilla before.

Oh, I just realized you want to be paid for exploits of Tor ;).

Hrmm, we'll need to think about this. Not all of Torbutton's Security Requirements are of equal worth/importance. #1 is proxy bypass, #2 is correlation of tor to non-tor. Then, much farther down, are things like fingerprinting and anonymity set reduction.

If you find a bug against #1 (and maybe also #2, depending on the strength of correlation), we could possibly work something out :)

March 26, 2011

Permalink

Peace be with you.
Just to let you know that i/we do really appreciate the paramount drive to keep us up our and/or every of individual dignity and respect to privacy which we consider part of our life sanctity.
Keep it on!
God Bless.

March 31, 2011

Permalink

It would help if you would Update the outstanding Torbutton-related bugs page:

=============

6.1. Bugs impacting security

2. Bug 280661 - RESOLVED FIXED

3. Bug 418986 - Bounty by someone else

"JonDonym 2010-09-10 11:40:46 PDT
We would pay 300 Euro for someone fixing this bug and putting it in the
official Mozilla code. And another 300 Euro for fixing it with CSS media
queries. Just contact me for further questions and discussions about the
implementation."

=============

6.2. Bugs blocking functionality

1. Bug 445696 - RESOLVED DUPLICATE of bug 484832
2. Bug 290456 - RESOLVED FIXED

============
6.3. Low Priority Bugs

1. Bug 435151 - RESOLVED FIXED

Ok, I've updated the design doc bug list to take care of this. The list also needs another update to cover TLS issues, and new fingerprinting issues introduced in FF4.

April 05, 2011

Permalink

Firefox 4.0 + Torbutton 1.3.2-alpha leaks:
1. Browser sends Accept-Encoding="gzip,SPACEdeflate" instead of just "gzip,deflate" which is pretty unique (test at panopticlick.eff.org).
2. User-Agent says Firefox/3.6.3, but browser sends the DNT header which, afaik, only appeared in Firefox 4.

Temporary solution is to respectively set and filter headers by hand with ModifyHeaders. Also, Noscript sends DNT on its own and bypasses ModifyHeaders. Can be turned off in about:config noscript.doNotTrack.enabled. One can test DNT presence and other headers with TamperData.

April 25, 2011

Permalink

Dear Sir,
I have no technical knowledge and unfortunately many of my fellow activists lack tech savvy, we can't all be programmers. But as you may have noticed the Arab spring is chugging on the thing is the easy countries are done. the very very hard ones are left AKA Saudi Arabia. there are about 40,000 political prisoners in Saudi. Frankly I don't want to add to that number until we are ready to revolt. So we need tor. We need tor-button for firefox4. We need it in a few months. how can we help you get there? how much money do you need for that? I might be able to entice a few to chip in if you give me a target.
thank you very much you have already saved lives in Tunisia and Syria hopefully we will owe some of our necks to you guys too.

April 28, 2011

Permalink

Torbutton 1.3.2 is incompatible with the 4.0.1 update to Firefox.