#tor-meeting2 log

18:29:44 <sysrqb> #startmeeting Tor Browser Team Meeting 24 February 2020
18:29:44 <MeetBot> Meeting started Mon Feb 24 18:29:44 2020 UTC.  The chair is sysrqb. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:29:44 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:29:52 * sysrqb updates pad
18:29:53 <boklm> hi
18:29:54 <mcs> hi to all
18:30:04 <pospeselr> hi
18:30:10 <brade> hi
18:30:19 <acat> hi
18:30:19 <sisbell> hi
18:31:32 <sysrqb> hi everyone
18:31:36 <Jeremy_Rand_Talos> hello!
18:31:47 <antonela> hello folks!
18:31:55 <sysrqb> Jeremy_Rand_Talos: I will reply to you today (maybe tonight)
18:33:04 <Jeremy_Rand_Talos> sysrqb, ok thanks.  (Hope I'm not pestering you too much about it, I know you have a lot of things to be doing)
18:33:14 <sysrqb> nope, just enough
18:33:32 <Jeremy_Rand_Talos> cool :)
18:35:55 * antonela the pad just in case https://pad.riseup.net/p/TorBrowserTeamMeetingNotes-keep
18:36:12 <sysrqb> ^^ :)
18:36:13 <sysrqb> thanks antonela
18:37:18 <sysrqb> okay, let's get started
18:38:15 <sysrqb> boklm: i'm available after this meeting for chatting with GeKo, if that works for you, too
18:38:23 <boklm> that works for me too
18:39:05 <sysrqb> great
18:40:00 <sysrqb> acat: how is the rebasing going? is it difficult? like, are there a lot of merge conflicts?
18:41:02 <sysrqb> pospeselr: have you had any time for reading through the recent-past Firefox release notes?
18:41:18 <sysrqb> i know you've been tied up with some other tickets, too
18:41:20 <acat> there are some, although i would say not in the most critical ones
18:41:21 <pospeselr> i haven't, been focusing on the S27 stuff
18:41:33 <sysrqb> acat: okay, that's good
18:41:35 <acat> for example, the updater ones applied mostly fine
18:41:40 <pospeselr> i can shift over if we're getting close on time
18:42:20 <sysrqb> pospeselr: okay. i'm really not sure how we should prioritise these
18:42:25 <sysrqb> pospeselr: stick with s27 right now
18:42:38 <sysrqb> acat: nice
18:42:43 <sysrqb> that is good news
18:43:31 <sysrqb> pospeselr: we don't need to finish reviewing the release notes this month, and obviously that won't happen
18:44:23 <pospeselr> i can skip over #33298 for now
18:44:24 <sysrqb> but i think we should prioritize finishing s27 tickets and then working on fixing the test suite
18:44:38 <pospeselr> since we only run into it very rarely compared to #13410
18:45:18 <sysrqb> #33298 is ugly though
18:45:28 <sysrqb> like, that is pretty bad
18:45:42 <sysrqb> hrm. okay
18:45:47 <pospeselr> true
18:45:51 <antonela> a pop-up?
18:45:58 <antonela> will add a ux-team label to take a look
18:46:03 <sysrqb> yeah, skip it for now and i'll keep it on our radar and we can squeeze it in somewhere
18:47:56 <sysrqb> okay, i don't have comments on anything else
18:48:18 <sysrqb> i'll just remind everyone that this is the last week before the peer feedback is due
18:48:24 <Jeremy_Rand_Talos> Regarding #13410, is there any interest and/or ongoing work on actually valiidating trust on certs for onion services, e.g. via a TLSA-style record in the onion service descriptor?
18:48:43 <sysrqb> nope
18:49:19 <sysrqb> We could do a SOOP-like check, if the CN or SAN contain a matching onion address, then it's good
18:49:41 <Jeremy_Rand_Talos> sysrqb, Any particular reason for not doing so?  Just lack of prioritization, or is there an argument for not doing so?
18:50:01 <sysrqb> but the threat model where we are concerned about MITM attacks against a TLS connection over an onion is pretty obscure
18:50:16 <sysrqb> *attack
18:50:26 <pospeselr> antonela: #33298 is for fixing the onion equivalent of this: https://mixed-form.badssl.com/
18:51:02 <sysrqb> Jeremy_Rand_Talos: also, this would be for onion address that (probably) don't have a domain name associated with them
18:51:29 <sysrqb> so I'm not sure where the TLSA-style lookup would happen
18:51:37 <sysrqb> like, within which database
18:51:38 <Jeremy_Rand_Talos> sysrqb, well, Whonix-style threat models where the Tor daemon is in a separate trust domain from the HTTPS server/client seems to be an example where it would make sense to validate TLS certs (though for that use case trusting the onion service descriptor isn't exactly sane)
18:52:47 <sysrqb> right, i agree the attack is practical (for some definition)
18:52:49 <antonela> pospeselr: yep
18:53:11 <sysrqb> Jeremy_Rand_Talos: but i don't know what that "check" looks like, in practice
18:53:52 <Jeremy_Rand_Talos> sysrqb, main reason I'm curious is that Namecoin makes that kind of validation interesting (i.e. put a TLSA record in Namecoin along with the TXT record for the onion service); trying to gauge if there might be some interest in the future in doing that in Tor Browser (in the hypothetical scenario that Namecoin integration is adopted)
18:55:10 <Jeremy_Rand_Talos> For pure onion services without Namecoin, I suppose some users might like to manually specify cert pins, but that's not something typical users will be expected to want to touch
18:55:13 <sysrqb> Firefox ripped out DANE support a while ago
18:55:25 <sysrqb> i don't see up re-implementing it anytime soon, to be honest
18:56:18 <sysrqb> i'm not opposed to this, and i think it has a use case
18:56:19 <Jeremy_Rand_Talos> sysrqb, yes, I know Firefox doesn't natively support DANE; Namecoin found a way to make it work again without any code patches to Firefox (subject to some limitations that aren't a problem for this use case)
18:56:37 <sysrqb> okay, that's interesting
18:57:02 <sysrqb> if we get support for something like this "for free" then it is worth considering
18:57:27 <sysrqb> but it is out-of-scope for #13410
18:57:56 <sysrqb> can you open a ticket for this?
18:59:05 <Jeremy_Rand_Talos> sysrqb, sure.  Should the ticket be specifically about doing it with Namecoin, or more generally about DANE-style stuff for Tor Browser, or even more generally about cert trust validation for TLS on .onion?
19:00:09 <sysrqb> Jeremy_Rand_Talos: open it for namecoin, and we can always repurpose it (or open other parent/child tickets), if that makes sense
19:00:14 <sysrqb> thanks
19:00:16 <Jeremy_Rand_Talos> (I assume that this is going to be much lower-priority than the Namecoin integration that's already in Nightly?)
19:00:32 <sysrqb> yes, that's probably true
19:01:47 <Jeremy_Rand_Talos> ok.  I'll open a ticket about it, with the assumption that we won't worry too much about it until/unless the existing Namecoin integration advances some more
19:02:09 <sysrqb> that's fair
19:02:22 <sysrqb> we can always reprioritize later
19:03:05 <sysrqb> okay, i don't have anything for this meeting. do any of you want to discuss any other topics?
19:03:28 <sysrqb> otherwise i'll end this
19:03:36 <sysrqb> *anything else
19:04:18 * sysrqb hears nothing
19:04:51 <sysrqb> ciao o/
19:04:57 <sysrqb> #endmeeting