IRC Archive / Oftc / #tor / 2015 / August / 28 / 1
oman
we're expecting some minor switch changes AS24940 upcoming hours. let's see if some tor traffic will be affected.
Chocolate_Chip
I have sent another email regarding the fraudulent apps.
kernelcorn
arma: are you aware of ^ ?
special
it's the lawyers that we want to be aware of it :)
shibboleth
Do staff ever comment on status vis-a-vis upcoming TBB updates? Nasty firefox vuln in the current one
cacahuatl
Link?
shibboleth
https://www.mozilla.org/en-US/firefox/40.0.3/releasenotes/
https://www.mozilla.org/security/known-vulnerabilities/firefox/#firefox40.0.3
cacahuatl
Does that affect the ESR too?
shibboleth
yes
critical/remote code exec
https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/ specifically
it has been like this for > 10 updates, no comment from staff and over 24hrs between TBB updates and upstream patches
not that I can complain, but...
cacahuatl
Thanks for the heads up, I know what you mean but since it's really just using firefox it's probably better to tune into mozilla for updates on vulns. Tor would only be repeating what Mozilla already said, better to just push an update ASAP.
shibboleth
tune into mozilla...?
cacahuatl
Well I mean subscribe to their security updates mailinglist or whatever :P
shibboleth
yes, perhaps most users should, but how does this help with TBB updates?
cacahuatl
Well that vuln was announced today, there's always going to be a delay due to the nature of time.
spartacus
I'm curious, what do you think is a reasonable time to get the patch, understand it, integrate, compile, test & ship?
(I'm not involved in doing that for Tor)
shibboleth
as I said
i cannot complain
i was pointing out that the turnaround has been less than stellar lately
the pdf.js vuln was left unchecked for what, four days
but I am sure the powers that be are doing their best
don't get me wrong
cacahuatl
There was a config option to be changed that'd triage that.
shibboleth
oh yes
should have been disabled/set to prompt by default IMHO
cacahuatl
Vulns are going to happen, use something like tails where your browser is constrained by apparmor and the pdf.js wouldn't be a serious issue
shibboleth
there have been quite a few pdf.js-cases over the years :)
suelin
the javascript reader works in tor browser even without javascript enabled now it seems to me
not in tails but on the independent tor browser
shibboleth
suelin, correct
suelin
I have javascript disabled and it still loads pdf in the reader
shibboleth
and even with js disabled, pdf files can do canvas fingerprinting when opened through pdf.js
cacahuatl
shibboleth it's fix'd in 5.0.2
shibboleth
it would seem. I do get prompt
cacahuatl, it's out now?
cacahuatl
shibboleth
aha
that was fast :P
cacahuatl
It was already there it seems :P
my browser just hadn't prompted me yet
shibboleth
i checked the dirtree manually just 30 minutes ago :)
now that falls in under the category "stellar" imho
x96
...
arony
so I'm hearing something about tor being shut down temporarily because of a new attack on tor. is anyone else worried about this?
http://arstechnica.com/security/2015/08/concerns-new-tor-weakness-is-being-exploited-prompt-dark-market-shut-down/
cacahuatl
No
murb
there are so many opsec fu*kups to be made by sites such as the one described, that it doesn't seem particularly wise to run one.
you only need to screw up once etc.
and that doesn't require any magic new attack on tor.
cacahuatl
They're not specific about what they think the threat is or what the supposed weakness is and then proceed to continue running the hidden service anyway, just stopping registrations.
shibboleth
did the staff comment on HORNET
sounds good, hasn't been community-tested though :P
cacahuatl
You should probably subscribe to the mailinglists rather than asking in IRC, or look through the archives at https://lists.torproject.org/
There is not a line of code for HORNET, it's just a paper.
shibboleth
well, hopefully tor will adopt some of the underlying tech
arony
thanks for the advice
shibboleth
but it's not really compatible
so...
anyone notice weird HTTPS Everywhere xpi update behaviour?
TBB 5.0.2 prompted for update to 5.1.0, changed to 5.0.7 during update
so i nuked that snapshot ;)
arony
i use it on my phone, firefox is restarting more than often
shibboleth
signed xpis on current ESR?
arony
does anyone use orfox?
shibboleth
well, the one on fdroid is aaaancient
so no
there have been quite a few updates to tor itself since the version on fdroid
and i suppose the bundled browser is equally outdated
arony
do you think it would be safe to still use?
shibboleth
well, considering the tor vulns > current orfox? no
besides, browsing on the black box that is your phone?
let's just say that /me is not really comfortable with that
i just use the browser for local webservices, not for public web browsing
arony
thank you for the advice
shibboleth
arony, times are *really* tough
most users wander around, doing their private surfing on black boxes with closed source browsers and default settings that leak data as there will be no tomorrow
arony
that's very true, that's why I've taken my privacy seriously
shibboleth
sms, contacts, pictures, videos, notes, browsing history is being synced with PRISM
but let's not worry about that
instead, worry about the stuff that really matters
like, should I buy the gold or silver iBone come september?
white people problems...
arony
so what if I've rooted, encrypted my phone and I'm using only open source apps
shibboleth
stock android?
and the android encryption is.... rather lackluster
arony
end to end encrypted communication?
like red phone, whisper apps etc.
shibboleth
low iter-count, most passphrases are six-to-eight numerals
arony, the alleged quality of those apps won't help you
arony
.......
shibboleth
remember: the platform itself was made by the world's biggest ad agency
and there are lots of blobs, like the baseband/modem firmware which we have no way of keeping in check
cacahuatl
Not really on topic for #tor
shibboleth
arony, researchers uncovered a backdoor in Samsung's modem firmware
cacahuatl, true