[tor-bugs] #18546 [Tor Browser]: Review networking code for Firefox 45
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 8 23:03:54 UTC 2016
#18546: Review networking code for Firefox 45
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  mikeperry
     Type:  task                                 |         Status:  assigned
 Priority:  Very High                            |      Milestone:
Component:  Tor Browser                          |        Version:
 Severity:  Critical                             |     Resolution:
 Keywords:  ff45-esr, MikePerry201604,           |  Actual Points:
            TorBrowserTeam201604                 |         Points:
Parent ID:                                       |        Sponsor:
 Reviewer:                                       |
-------------------------------------------------+-------------------------
Comment (by mikeperry):
I pushed my partial progress to:
https://gitweb.torproject.org/tor-browser-spec.git/tree/audits/FF45_NETWORK_AUDIT
Everything that could use a double-check is flagged with XXX.
Here are the quick notes for stuff that really needs another set of eyes:
* We need to verify the proper application of our OCSP and NSS safety
patches in security/nss. Last time we improperly applied the DNS patch
while rebasing. That might happen again here, too.
* We should make sure that ./netwerk/dns/mdns/libmdns/ is Android only
and also disabled for OrFox
* The "Presentation API" stuff seems new, but possibly not enabled yet.
It has lots of networking things. We should make sure it is disabled.
* The nsDNSService patches should be verified for the same reason as the
NSS ones
* There's some resolver stuff in Android that uses SOCK_DGRAM. We should
make sure this is not active in OrFox
* It looks like ./toolkit/modules/secondscreen/SimpleServiceDiscovery.jsm
is included now? Can we kill it? And what is this second screen stuff?
* dom.udpsocket and dom.moztcpsocket are still off, yes?
* We disabled/patched the debugger and related discovery stuff before,
right? Is that still off?
Here's some stuff we should fix:
* We should get rid of the damn DNS lookup for localhost in
toolkit/profile/nsProfileLock.cpp
* We should patch the "Network Tickler" to be disabled for real, since
it looks like it may now apply to the desktop as well. A simple return in
nsHttpHandler::TickleWifi() should do the trick, I think.
* We should disable all of the dom.push.* prefs. Even though it seems
that only ServiceWorkers can use Push, it would be good for us to ensure
now that if we decide to enable ServiceWorkers, push stays off
* Shumway (the flash previewer/player) can bypass proxy settings. If it
is compiled in, we should rip it out/disable it at build time, so nobody
enables it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18546#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
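
The pref questions in the comment above (dom.udpsocket, dom.moztcpsocket, dom.push.*) can be checked mechanically. The following is an added example, not part of the original ticket or of Tor Browser's code: it parses a Firefox-style pref file and reports any pref under those prefixes that is enabled, non-boolean, or has no override at all. The sample pref lines are constructed, and the full pref names in them are assumptions to be replaced with the names found in the actual tree.

```python
import re

# Pref prefixes taken from the ticket comment; names are lowercased before
# matching because the comment writes "dom.moztcpsocket" in lowercase.
WATCHED_PREFIXES = ("dom.udpsocket", "dom.moztcpsocket", "dom.push.")

# Matches pref("name", value); as well as user_pref(...) and sticky_pref(...).
PREF_RE = re.compile(
    r'^\s*(?:user_|sticky_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE,
)

def parse_prefs(text):
    """Return {name: raw_value}; a later line overrides an earlier one."""
    # Drop /* ... */ and whole-line // comments so commented-out prefs are ignored.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}

def audit(text, prefixes=WATCHED_PREFIXES):
    """Return sorted findings for watched prefs that are not disabled."""
    prefs = parse_prefs(text)
    findings = []
    for prefix in prefixes:
        hits = {n: v for n, v in prefs.items() if n.lower().startswith(prefix)}
        if not hits:
            # No override present: the browser default applies, check it by hand.
            findings.append((prefix, "no override found"))
        for name, value in hits.items():
            if value == "true":
                findings.append((name, "enabled"))
            elif value != "false":
                findings.append((name, "non-boolean, review: " + value))
    return sorted(findings)

# Constructed sample; not taken from any real Tor Browser build.
SAMPLE = '''
// pref("dom.udpsocket.enabled", true);
pref("dom.udpsocket.enabled", false);
pref("dom.mozTCPSocket.enabled", false);
pref("dom.push.enabled", false);
pref("dom.push.connection.enabled", true);
pref("dom.push.serverURL", "");
pref("network.proxy.socks_remote_dns", true);
'''

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

A pref file only shows overrides; a "no override found" result means the compiled-in default decides and has to be read from the source tree.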