15:00:02 <richard> #startmeeting Tor Browser Weekly Meeting 2022-08-15
15:00:02 <MeetBot> Meeting started Mon Aug 15 15:00:02 2022 UTC.  The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:02 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:33 <richard> meeting pad per usual: https://pad.riseup.net/p/tor-tbb-keep
15:01:01 <Jeremy_Rand_Talos_> Hi!
15:02:55 <Jeremy_Rand_Talos_> Pad onion down for anyone else?
15:03:56 <richard> what's the URL?
15:05:34 <Jeremy_Rand_Talos_> Never mind, finally loaded after about 3 mins.  I guess Riseup's onion is overloaded, or else my circuit is iffy.
15:06:45 <richard> :p
15:06:47 <richard> well anyway
15:08:13 <richard> nothing too unusual going on this week, PieroV and boklm are out until tomorrow
15:08:32 <richard> is there anything in particular you'd like to discuss? How have been your first few weeks?
15:09:09 <dan_b> good, lots to learn. I haven't worked on the FF code base before so, it's big :)
15:09:32 <richard> yeah it is A LOT
15:09:39 <dan_b> but yeah, I'm hoping today I'll find the last part I need for a #41075 patch
15:09:52 <dan_b> and then I am assuming to make it a fixup for the previous one?
15:10:09 <richard> yeah exactly
15:10:15 <dan_b> cool
15:10:26 <richard> or possibly split it up into multiple fixups depending
15:10:42 <dan_b> oh fun! how should that be evaluated?
15:11:00 <richard> for example if setting additional prefs is necessary then that portion would be a fixup to one of the initial preferences commits
15:11:01 <dan_b> I guess I can push the branch to mine and we can look at it when ready?
15:11:07 <richard> yeah exactly
15:11:08 <dan_b> aaah cool
15:11:17 <richard> i suspect yours will be a single fixup in the end
15:11:29 <dan_b> i think so
15:11:53 <dan_b> but yeah, then I need to get android building and deploying to phone locally so I can hopefully confirm 41087 is a dup
15:12:06 <dan_b> and in prep for the android render bug, which, I don't believe has been assigned to me yet
15:12:16 <richard> ooh i will assign it over
15:12:17 <dan_b> any idea what the ETA on the phone will be?
15:12:22 <dan_b> sweet thanks
15:12:36 <dan_b> I assume for android builds I can't do a local one, need to use tor-browser-build ?
15:12:43 * eta on the phone
15:12:50 <richard> not now eat :D
15:12:51 <richard> eta*
15:13:25 <dan_b> haha k. then if all goes well I might actually be open for another bug before end of week
15:13:27 <richard> hopefully soon'ish, the purchase was approved so I assume we just need to wait on accounting to purchase it
15:14:05 <richard> re local android builds, PieroV would be your best resource, iirc he got it working
15:14:16 <dan_b> cool
15:14:22 <richard> but the general pipeline is get all the build artifacts out of a tor-browser-build run
15:14:24 <dan_b> will bug him later this week
15:14:32 <dan_b> figured, cool!
15:14:36 <richard> and deploy them locally outside of a container to get incremental builds working
15:14:54 <dan_b> oooh interesting
15:15:22 <richard> such a strat has worked for me in the past for windows builds, and PieroV got it working with android a few months ago
15:16:34 <dan_b> sounds good!
15:16:54 <dan_b> ah, the tor as VPN on android stuff is semi public yes?
15:17:38 <dan_b> I ask cus I was asked to give a small presentation on Cwtch this coming weekend, including lots of history so I'll obvs be talking about tor / tor apps etc
15:17:53 <dan_b> so just checking if it's ok to mention that
15:17:57 <richard> yes it's semi-public
15:18:31 <richard> it's all on our gitlab, but we aren't like, doing marketing and telling the world about it
15:18:39 <dan_b> aaah ok
15:18:57 <dan_b> cool
15:19:00 <dan_b> thanks!
15:19:01 <richard> but also not secret
15:19:12 <richard> vOv
15:19:18 <ma1> "we can't deny or confirm" stuff :)
15:19:30 <richard> "things are happening"
15:20:33 <donuts> it's all public yep, we announced it at last year's state of the onion
15:20:43 <donuts> we don't really have any updates though
15:20:47 <richard> how about you ma1? things going well, need help/guidance with anything?
15:21:15 <richard> donuts: oh i didn't know we actually announced it, thought we were still in the 'you can find it if you explore our gitlab/lurk in IRC type thing'
15:21:38 <ma1> That's all very exciting :) I might need to ping PieroV about building stuff if I manage to confirm the crash bug, but hopefully not being on Linux.
15:22:06 <donuts> richard: yeah, matt did a whole segment on it
15:22:30 <richard> dan_b assigned fenix#40216 to you
15:23:24 <ma1> The XSleak/Deanonymization thing has been taken better than I hoped. Yossi Oren, one of the authors of the paper, is an Israeli professor I already worked with (the PP0 attack), and seemed to like the solution, while I haven't received usability complaints yet.
15:23:44 <richard> that's really good to hear
15:24:05 <richard> on both accounts
15:24:31 <ma1> BTW, the broader XSLeak vulnerability class is in the Agenda for the next W3C Web Application Security Working Group meeting (this Wed) to be included for discussion in one of the Vancouver TPAC sessions in September (our Limerick week, damn!) and I'll ask for it to be scheduled in a compatible time for remote attendance.
15:24:57 <ma1> Speaking of W3C, I'd like to use next meeting (this Thu) to point out that with Manifest V3 neither Leakuidator+ nor TabGuard would have been possible as stop-gap measures for this or other emerging threats.
15:25:28 <ma1> Next W3C WebExtensions Community Working Group meeting.
15:26:16 <Jeremy_Rand_Talos_> ma1, if you're talking about the recent NoScript update that adds warnings when new tabs are opened, I saw a UX complaint in #tor from yanmaani.
15:26:23 <richard> look forward to hear how they react :D
15:26:59 <richard> ma1: do you have an example website on hand that triggers the new UX?
15:27:36 <Jeremy_Rand_Talos_> richard, I think DuckDuckGo's search results page does.
15:28:09 <Jeremy_Rand_Talos_> Personally I dislike the new UX but I dislike getting deanonymized a lot more.
15:28:34 <ma1> The new UX is triggered any time you open a site you have cookies for in a new tab from a different site. An example would be googling for a Youtube video and following the link from Google to Youtube *in a new tab* if you're logged in on Youtube.
15:29:06 <richard> oh i see
15:29:55 <ma1> Any way you choose to deal with it (either dropping the authentication or loading normally) you won't be asked again for the session regarding similar interaction between the two sites.
15:30:49 <ma1> Jeremy_Rand_Talos_, I guess I should put #tor in my auto-join list (it's not yet there). Could you forward me the complaint for this time? Thanks.
15:31:52 <Jeremy_Rand_Talos_> ma1, I can paste it into #tor-browser-dev after the meeting, yes.
15:32:20 <richard> iirc firefox has a way (internally perhaps not exposed to webextensions) for determining if a request is due to user interaction or not
15:32:53 <ma1> richard, in fact the attack relies on the navigation being from user interaction (otherwise it couldn't spawn popups)
15:33:26 <richard> I thought the tor-browser one worked from a programmatic pop-under?
15:34:42 <ma1> there are several ways to pull the trick, but you always need to have two tabs you control, which can only happen after a click nowadays.
15:36:03 <ma1> On the other hand, NoScript also checks for user-initiated navigations to minimize the hassle, by automatically cutting ties between tabs as soon as a SAME SITE user-activated navigation happens.
15:36:04 <richard> ah well
15:36:47 <ma1> At that point it would be impossible for the potential attacker in another tab to actually time their measurements, and you can call the tab "free".
15:37:27 <richard> ok, the only other thing on my todo list is to schedule monthly 1-on-1s with you, any objections to doing these on Thursdays?
15:37:38 <richard> (dan_b and ma1)
15:37:49 <richard> with each of you*
15:37:58 <dan_b> thursday looks good to me
15:38:31 <ma1> No objection, either before or after the bi-weekly 1 hour W3C WECG meeting I was alluding to (which IIRC is at 15 UTC)
15:38:48 <richard> alright perfect
15:38:58 * ma1 goes to check the W3C calendar
15:39:25 <richard> then unless there is anything else you would like to discuss, we can call it here :)
15:41:15 <Jeremy_Rand_Talos_> ma1, the only machine of mine that has the IRC logs of the UX complaint is a machine without an OFTC account, so I need to wait for Matrix accounts to be whitelisted in #tor-browser-dev before I can paste it.
15:42:04 <ma1> Jeremy_Rand_Talos_, fine, thanks, I'm not in a hurry :)
15:42:16 <richard> o/
15:42:21 <richard> ok have a good week everyone
15:42:23 <richard> #endmeeting