Tor Browser 3.6-beta-2 is released
This release is an important security update over 3.6-beta-1: it updates OpenSSL to version 1.0.1g to address potential client-side vectors for CVE-2014-0160.
The browser itself does not use OpenSSL, and is not vulnerable to this CVE. However, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process.
Here is the complete changelog since 3.6-beta-1:
- All Platforms
  - Update OpenSSL to 1.0.1g
  - Bug 9010: Add Turkish language support.
  - Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
  - Update fte transport to 0.2.12
  - Update NoScript to 18.104.22.168
  - Update Torbutton to 22.214.171.124
  - Update Tor Launcher to 0.2.5.3
  - Bug 9665: Localize Tor's unreachable bridges bootstrap error
  - Backport Pending Tor Patches:
  - Bug 11286: Fix fte transport launch error
A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.
Has there been any systematic attempt to evaluate what effect this may have on performance?
Has there, for that matter, been any systematic attempt to evaluate what additional security benefit this brings, e.g. what proportion of past Firefox vulnerabilities would users have been protected against if each of these features were disabled?
While your suggestion of going through past issues may sound systematic and smart, the low hanging fruit for bad guys is using already disclosed -- but unfixed -- vulnerabilities. So the past is somewhat irrelevant.
Regarding speed... well, that's one of the benefits of having a beta to evaluate.