19:00:31 <GeKo> #startmeeting tor-browser
19:00:31 <MeetBot> Meeting started Mon Dec 19 19:00:31 2016 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:31 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:34 <GeKo> hi all!
19:00:38 <boklm> hi
19:00:43 <isabela> o/
19:00:46 <GeKo> welcome to the last meeting for this year!
19:01:01 <GeKo> i guess we start as usual with the updates.
19:01:07 <GeKo> who wants to go first today?
19:01:53 * boklm can go first
19:01:57 <GeKo> go!
19:02:14 <boklm> This past week I was at the reproducible build summit, and I worked on #17380.
19:02:21 <boklm> This week I'm planning to write a short blog post about the reproducible build summit (similar to the one from last year), and continue working on #17380.
19:02:32 <boklm> I'm also planning to take some days off
19:02:41 <boklm> That's it for me
19:03:00 <Yawning> hi browser people
19:03:15 <isabela> boklm: ximin will also work on one as part of the tor at the heart series
19:03:35 <isabela> boklm: do you want me to add you to this email thread?
19:03:46 <boklm> isabela: ah, yes
19:03:50 <isabela> :) will do
19:04:39 <GeKo> i can go next i guess
19:04:59 <GeKo> last week i got the releases out and it seems all went well
19:05:22 <GeKo> i cut down my backlog and worked mainly on design documentation update
19:05:42 <GeKo> this week i mainly plan on traveling and continuing to work on the design doc update
19:05:53 <GeKo> that's it for me
19:06:06 <Yawning> the sandbox was released. it had bugs
19:06:08 <Yawning> I fixed
19:06:17 <Yawning> gonna do the updater background/robustness stuff
19:06:24 <Yawning> while I can
19:06:53 <Yawning> (I assume a trivial patch to torbutton to integrate that into the UI is possible for the next release)
19:07:13 <GeKo> i think so
19:07:16 <Yawning> (it's literally, "when the check for update thing is clicked, send a control port command if an env var is set")
19:07:32 <Yawning> I think it will be low risk, because it never will get triggered on unsandboxed builds
19:07:41 <Yawning> and it can't get more broken than "the thing does nothing"
19:08:52 <Yawning> I'm not sure what will happen past the updater changes, we'll see
19:08:56 <Yawning> that's it for me
19:09:02 <mcs> Do you mean the “Check for Tor Browser Update” menu item or also the about box, etc.?
19:09:48 <Yawning> just the menu item
19:09:53 <Yawning> the about box thing doesn't appear
19:10:14 <Yawning> it says "updates disabled by system administrator"
19:10:15 <mcs> That sound fairly easy and fairly safe then.
19:10:16 <mcs> sounds
19:10:20 <mcs> ah, right
19:13:08 * mcs will go next
19:13:16 <mcs> Last week, Kathy and I responded to OSX sandbox issues that have been reported (see #20989 and #21009).
19:13:22 <mcs> We also took another look at the Tor Browser roadmap and will send GeKo some feedback later today.
19:13:29 <mcs> In addition to that, we will continue to investigate the OSX sandbox problems this week.
19:13:33 <mcs> Coming up, we will be taking some time off to enjoy the Christmas and New Year holidays and to take care of end-of-year things for our company.
19:13:37 <mcs> That’s all for now.
19:14:33 * arthuredelstein can go
19:14:57 <arthuredelstein> Hi Everyone. :) This week I worked on #20680.
19:15:04 <arthuredelstein> I have about 18 patches left to go. I have some questions about a few of them and I will be sending out emails about these soon.
19:15:15 <arthuredelstein> So this week I will continue to work on rebasing and also I will look into #20981.
19:15:30 <GeKo> neat
19:15:33 <arthuredelstein> And I'll be taking time off next week as well. :)
19:15:40 <Yawning> (ESR52 in this context is just geck-dev?)
19:15:43 <Yawning> *gecko
19:15:45 <arthuredelstein> That's it for me.
19:15:55 <arthuredelstein> ESR52 is the aurora branch of gecko-dev
19:15:55 <mcs> “18 patches left to go” means we still have to many patches ;)
19:15:58 <Yawning> FF52 doesn't exist yet right?
19:16:00 <Yawning> ah k
19:16:14 <arthuredelstein> It's not ESR yet ;)
19:16:17 <mcs> too many also
19:16:19 <GeKo> no, still vaportware :)
19:16:28 <GeKo> vaporware even
19:16:36 <mcs> It is great to get an early start of the rebasing!
19:16:49 <mcs> umm… on the rebasing
19:16:56 <arthuredelstein> mcs: We do still have too many, but not having to rebase the isolation patches is definitely a big help!
19:17:04 <GeKo> + getting the compiling going
19:17:31 <Yawning> "figuring out what is broken in my sandbox"
19:17:48 <GeKo> fwiw: i spent another deal of my spare time to get all issues for mingw-w64 on our radar
19:18:07 <GeKo> i got one patch uplifted but there are still things that are broken :/
19:18:26 <GeKo> and it seems this time jacek does not have the time to fix all the tricky issues for us.
19:18:35 <GeKo> so... exciting!
19:19:33 <GeKo> anyway, who else is here for a status update?
19:19:37 <Synzvato> I could go
19:19:57 <GeKo> hi!
19:20:02 <Synzvato> Hi :)
19:20:04 <Synzvato> This week I have done some more work on 20815 - preventing multiple instances of Orfox settings tabs, adding display logic to tor-browser-settings page elements, and implementing add-on setting persistence.
19:20:12 <Synzvato> #20815
19:22:09 <Synzvato> Will be available at #tor-mobile right after this meeting to discuss the upcoming alpha release
19:22:19 <GeKo> so where are we right now?
19:22:22 <GeKo> ah, okay
19:23:00 <GeKo> do you need anything from the other tor-browser folks?
19:23:08 <GeKo> input or something?
19:23:29 <Synzvato> The foundation is done, and the UX is functional
19:24:12 <Synzvato> Perhaps feedback on the current approach, and the goal of turning this into an embeddable WebExtension "module"
19:24:30 <Synzvato> Any feedback is welcome, of course :)
19:24:57 <Synzvato> https://git.synz.io/synzvato/tor-browser-settings/tree/master
19:26:55 <GeKo> okay.
19:27:17 <GeKo> ok, i guess we move on to the discussion part
19:27:25 <GeKo> first: next meeting time
19:28:01 <GeKo> i'll be traveling jan 2nd so i'd propose having our next regular meeting on january 9th
19:28:08 <GeKo> does that work for everyone?
19:28:16 <Yawning> yeah
19:28:18 <mcs> yes
19:28:19 <Synzvato> Sure
19:28:25 <boklm> yes
19:28:55 <GeKo> seems so, good. i'll write a respective mail to tbb-dev these days then
19:29:23 <GeKo> do we have anything else up for discussion in today's meeting?
19:29:33 <Yawning> we should always kill the FF JS JIT
19:29:37 <Yawning> regardless of security slider setting
19:29:41 <Yawning> because it is dangerous and evil
19:30:05 <GeKo> oha :)
19:30:30 <Yawning> we should also consider our historical stance of "people will get confused" as a reason for defaulting the slider to low
19:30:46 <Yawning> and default it to high, so that people who want low security have to opt into it
19:31:11 <Yawning> the 2nd thing is probably more controversial than the first
19:31:12 <Yawning> :P
19:31:54 <GeKo> while i agree on JIT being scary i think the solution is a good sandbox :)
19:32:21 <Yawning> if the jit is scary that it takes containment that doesn't exist on all platforms yet
19:32:27 <Yawning> it shouldn't be enabled in the name of performance
19:32:35 <Yawning> that's my opinion anyway >.>
19:32:53 <mcs> Is the idea of a JIT scary in general or is the Mozilla implementation scary?
19:32:59 <arthuredelstein> Also even with a sandbox a JIT doesn't necessarily stop deanonymization.
19:33:02 <Yawning> it's scary in general
19:33:06 <Yawning> arthuredelstein: correct
19:33:26 <Yawning> #21011
19:33:27 <arthuredelstein> If we had perfect memory hardening then maybe it would be OK. But the world is a long way from that still.
19:33:45 <Yawning> the jit still would let bitflipping attacks and stuff work
19:33:53 <Yawning> better even with memory hardening
19:34:04 <Yawning> because most people don't have DDR4 or ECC memory
19:35:09 <Yawning> nb: I'm not sure if newer DDR is sufficient to solve the read disturb problem
19:35:49 <Yawning> (i changed the sandbox security slider default to high, so people need to opt into the JIT, but still)
19:37:03 <GeKo> looking at the fun in #19400
19:37:27 <GeKo> we got an idea who is using these things:
19:37:33 <GeKo> facebook and the like
19:37:58 <Yawning> ooof
19:38:09 <Yawning> it's just performance right?
19:38:23 <Yawning> like, with the JIT disabled stuff will just be slower rather than non-functional?
19:38:35 <arthuredelstein> yes, afaik
19:38:39 <GeKo> slower in a way that it is basically non-functional
19:39:06 <Yawning> the fuck are they doing
19:39:13 <GeKo> i myself thought once debugging mega.nz issues that this breaks functionality
19:39:18 <Yawning> this isn't like "I want to play quak2 in my browser" or something right?
19:39:26 <Yawning> *quake
19:39:31 <GeKo> but no it took just minutes to load (literally) instead of seconds
19:39:37 <GeKo> no
19:39:51 <Yawning> my burning hatred for javascript rises
19:40:23 <GeKo> if it were just some gaming stuff that would be pretty easy to handle
19:40:39 <Yawning> Do we have any idea on how many people use tor browser with the security slider set to "YOLO"
19:40:53 <Yawning> vs increasing it?
19:41:30 <GeKo> i have no hard data
19:41:53 <Yawning> I have no sensible solution to this
19:42:06 <Yawning> that doesn't boil down to "change the default and educate people better about the risks"
19:42:14 <Yawning> "and set everyone that uses asm.js on fire"
19:42:22 <GeKo> yeah, i know
19:42:58 <arthuredelstein> Do we care about mega.nz? Maybe turning off JIT is worth the few sites that break.
19:43:17 <Yawning> it's what, a file host?
19:43:19 <arthuredelstein> The scripts in mega.nz are super sketchy for multiple reasons.
19:43:22 <Yawning> people will probably complain
19:43:24 <arthuredelstein> yes
19:43:36 <GeKo> sure. but facebook?
19:43:45 <Yawning> we should rename "Low" to "Unsafe"
19:43:51 <arthuredelstein> Does facebook not work with JIT disabled?
19:44:32 <GeKo> well "work", i don't know i did not spend my time doing performance measurements there
19:44:43 <Yawning> is it unusably slow?
19:44:52 <Yawning> I've never used spacebook
19:45:21 <GeKo> and it it is not facebook then it is an other major site that deploys that shit and makes our users screaming "Tor Browser is broken!1!"
19:45:26 <GeKo> *and if
19:45:29 <Yawning> yeah
19:45:41 <arthuredelstein> One option could be to disable JIT for non-https.
19:45:51 <Yawning> I think renaming the security slider to Unsafe and making users having to opt into it is a good idea
19:45:53 <arthuredelstein> Though I don't know how hard that is.
19:45:54 <Yawning> arthuredelstein: that solves nothing
19:46:02 <arthuredelstein> Yawning: why?
19:46:06 <Yawning> "now the badguys need a Lets encrypt cert to heap spray you"
19:46:22 <Yawning> I do not see that as a large improvement
19:46:25 <Yawning> >.>
19:46:39 <arthuredelstein> I think it would be a significant improvement over the status quo.
19:46:45 <arthuredelstein> Where any exit node can do it.
19:46:46 <Yawning> yeah
19:46:51 <Yawning> true
19:47:10 <arthuredelstein> I agree better still is to disable the JIT completely.
19:47:14 <Yawning> the more I think about it, the more renaming low to something that conveys that it is really dangerous
19:47:17 <Yawning> is a good idea
19:47:27 <Yawning> and new installs should be set to something higher
19:47:39 <Yawning> so when sites break on everything but "Unsafe"
19:47:42 <Yawning> it's obvious who to blame
19:48:04 <GeKo> and your users are already gone
19:48:10 <Yawning> mm
19:49:21 <Yawning> I dunno, have we had a browser vuln that didn't require JS apart from RELAY_EARLY
19:49:36 <Yawning> at some point I think we should say "enough is enough, that shit is off by default"
19:49:46 <Yawning> but I'm starting to rant, so I'll stop now
19:49:51 <GeKo> well JS is not necessarily JIT
19:49:55 <Yawning> because this is a complicated problem
19:50:15 <GeKo> or did you want to get rid of JS as well while you are at it?
19:50:24 <GeKo> :)
19:50:28 <Yawning> well
19:50:38 <Yawning> I think people should have to explicitly increase their attack surface
19:50:40 <Yawning> yes
19:50:48 <Yawning> rather than explicitly increase their security
19:51:09 <arthuredelstein> One problem is the security slider is browser-wide instead of site-specific.
19:51:16 <arthuredelstein> Not that that's easy to solve.
19:51:22 <Yawning> yeah
19:51:34 <Yawning> it'd be nice if it was like noscript
19:51:42 <Yawning> "allow unsafe browser things for this site"
19:51:44 <Yawning> or whatever
19:51:49 <Yawning> but that's probably a huge rat's nest
19:51:57 <Yawning> and months of dev time if not more
19:52:58 <Yawning> sorry to rant
19:53:00 <Yawning> :/
19:53:14 <GeKo> alright, i guess this is one of the discussions that will keep on our plate for the near future :)
19:53:19 <GeKo> no worries
19:53:39 <arthuredelstein> I think Yawning is making an important point. We need more data to decide what we can afford to turn off.
19:53:51 <arthuredelstein> Not sure how to get that data though.
19:54:25 <mcs> We can also consider adding more text to help people choose wisely (and maybe prompting them).
19:54:41 <Yawning> maybe make setting it part of the setup wizard
19:54:56 <Yawning> like, after you configure tor, add a step where it's like
19:55:14 <Yawning> "pick your poison using mega/facebook and getting owned by the FBI, or being secure"
19:55:15 <Yawning> >.>
19:55:23 <GeKo> hah
19:55:30 <GeKo> i think we had this idea back then
19:55:48 <GeKo> but we seemed to think that this would be pretty overwhelming for the normal user
19:56:04 <GeKo> who is usually just opening the browser and starts surfing
19:56:36 <arthuredelstein> What about a periodic reminder to users who are in the low setting?
19:56:52 <arthuredelstein> Like "We notice you are still on the low security setting? Would you like to increase it by any chance?"
19:56:54 <Yawning> like, I know we display the thing on first launch directing people to it
19:57:11 <Yawning> maybe we should bother the UI/UX team
19:57:19 <GeKo> we should
19:58:29 <GeKo> alright. i think we are done for today. thanks for the meeting and i hope all of you get some rest over the holidays
19:58:39 <Yawning> safe travels to those that are
19:58:51 <mcs> yes, have a great Christmas everyone!
19:58:58 <GeKo> + hopefully 2017 will be less crazy
19:59:14 <Synzvato> Thanks, same, happy holidays everyone!
19:59:15 <arthuredelstein> Happy holidays everybody!
19:59:18 <GeKo> (i know, i know but one can still dream)
19:59:23 <GeKo> *BAF*
19:59:26 <GeKo> #endmeeting