SoylentNews is people
posted by janrinok on Wednesday July 06 2016, @03:36PM
from the every-little-bit-helps dept.

While the Tor browser is based on Firefox ESR, it is modified with additional privacy and security settings to protect users of the browser while using the program. Considering that Tor browser is used by some in critical situations, whistleblowing, publishing news or communication, it is only natural that a stronger focus on privacy and security is necessary.

Mozilla acknowledges these modifications, and plans to integrate some of them in Firefox natively. In fact, the company has already begun to integrate some in Firefox, and plans to integrate others in the future.

Tor-specific privacy settings are often not suitable for Firefox's mainstream audience. That's why you need to enable these settings manually in Firefox before they become available.



Related Stories

Tor at the Heart: Firefox

If you've used Tor, you've probably used Tor Browser, and if you've used Tor Browser you've used Firefox. By lines of code, Tor Browser is mostly Firefox -- there are some modifications and some additions, but around 95% of the code in Tor Browser comes from Firefox. The Firefox and Tor Browser teams have collaborated for a long time, but in 2016, we started to take it to the next level, bringing Firefox and Tor Browser closer together than ever before. With closer collaboration, we're enabling the Tor Browser team to do their jobs more easily, adding more privacy options for Firefox users, and making both browsers more secure.

[...] In 2016, we started an effort to take the Tor Browser patches and "uplift" them to Firefox. When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it's disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that Tor Browser team is building, to see if we can bring them to a much wider audience.

Our first major target in the uplift project was a feature called First Party Isolation, which provides a very strong anti-tracking protection (at the risk of breaking some websites). Mozilla formed a dedicated team to take the First Party Isolation features in Tor Browser and implement them in Firefox, using the same technology we used to build the containers feature. The team also developed thorough test and QA processes to make sure that the isolation in Firefox is as strong as what's in Tor Browser -- and even identified some ways to add even stronger protections. The Mozilla team worked closely with the Tor Browser team, including weekly calls and an in-person meeting in September.

First Party Isolation will be incorporated in Firefox 52, the basis for the next major version of Tor Browser. As a result, the Tor Browser team won't have to update their First Party Isolation patches for this version. In Firefox, First Party Isolation is disabled by default (because of the compatibility risk), but Firefox users can opt in to using First Party Isolation by going to about:config and setting "privacy.firstparty.isolate" to "true".

We're excited to continue this collaboration in 2017. Work will start soon on uplifting a set of patches that prevent various forms of browser fingerprinting. We'll also be looking at how we can work together on sandboxing, building on the work that Yawning Angel has done for Tor Browser and the Firefox sandboxing features that are scheduled to start shipping in early 2017.

takyon: Where's the long-rumored Tor integration in default Firefox? Make Firefox useful again.

Previously: Some Tor Privacy Settings Coming to Firefox
Tor Project and Mozilla Making It Harder for Malware to Unmask Users



  • (Score: 0) by Anonymous Coward on Wednesday July 06 2016, @03:50PM

    by Anonymous Coward on Wednesday July 06 2016, @03:50PM (#370713)

    Why???

    Are they just assuming that all non-firefox programs are unable to securely load a file? That'd be rich, considering firefox's own issues.

    This sounds more like something for a public kiosk, not that anybody should expect such a thing to be secure via the browser. There are numerous ways to escape when the user at the keyboard is trying to do so on purpose.

    It's more loss of functionality, as we've come to expect from firefox.

    • (Score: 3, Informative) by janrinok on Wednesday July 06 2016, @06:06PM

      by janrinok (52) Subscriber Badge on Wednesday July 06 2016, @06:06PM (#370817) Journal

      I assume that you have maintained the accepted practice of not reading TFA....?

      The first patch blocks enumeration of plugins and mimeTypes. Sites may retrieve the information from the browser, and use it in fingerprinting. With the patch in place, Firefox returns no information to the site, blocking the requests effectively.

      The second patch works in a similar manner. Firefox returns 0 for screen.orientation.angle and "landscape-primary" for screen.orientation.type when sites or applications request the information.

      The third and final patch removes the "open with" option in the download dialog.

      The settings do not remove any functionality but give you the option of ensuring that your browser does not respond to a few queries that might permit it to be differentiated from others using the same browser. This is claimed to be to prevent some types of browser fingerprinting. How useful this will actually be - they will have your IP if you are not actually using TOR - remains to be seen. And they can hardly be accused (in this particular instance) of removing functionality - if you don't select the options then Firefox will respond to queries just as it does today.

      And, as you point out, you can still choose to use any other browser should you wish to do so.

      --
      I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
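
The effect of the first two patches described in the comment above, as an added example that is not part of the original comment and is not Firefox or Tor Browser code: three constructed visitor profiles are distinguishable by plugins, mimeTypes and screen orientation, collapse to one value once the patched answers are returned, and remain distinguishable when the network address is included. The names `patchedView`, `observableKey` and `distinctVisitors`, the profile data and the documentation-range addresses are all assumptions made for illustration.

```javascript
// Constructed sample data: what three hypothetical visitors expose to a site.
const profiles = [
  { remoteAddr: "192.0.2.10",
    plugins: ["Shockwave Flash", "Java Applet Plug-in"],
    mimeTypes: ["application/x-shockwave-flash", "application/x-java-applet"],
    orientation: { angle: 0, type: "landscape-primary" } },
  { remoteAddr: "198.51.100.7",
    plugins: ["Shockwave Flash"],
    mimeTypes: ["application/x-shockwave-flash"],
    orientation: { angle: 90, type: "portrait-primary" } },
  { remoteAddr: "203.0.113.44",
    plugins: [],
    mimeTypes: [],
    orientation: { angle: 270, type: "portrait-secondary" } },
];

// What the site sees with the two patches enabled, per the comment:
// no plugin or mimeType information, angle 0, type "landscape-primary".
// The network address is outside the browser's control and is unchanged.
function patchedView(profile) {
  return {
    ...profile,
    plugins: [],
    mimeTypes: [],
    orientation: { angle: 0, type: "landscape-primary" },
  };
}

// Canonical string over the observable attributes. A real fingerprinting
// script would hash something like this; the raw string is enough to compare.
function observableKey(view, includeAddr) {
  const parts = [
    [...view.plugins].sort(),
    [...view.mimeTypes].sort(),
    view.orientation.angle,
    view.orientation.type,
  ];
  if (includeAddr) parts.push(view.remoteAddr);
  return JSON.stringify(parts);
}

// Number of visitors a site can tell apart from the given views.
function distinctVisitors(views, includeAddr = false) {
  return new Set(views.map((v) => observableKey(v, includeAddr))).size;
}

console.log("unpatched:", distinctVisitors(profiles));
console.log("patched:", distinctVisitors(profiles.map(patchedView)));
console.log("patched + address:", distinctVisitors(profiles.map(patchedView), true));
```
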
    • (Score: 2) by SubiculumHammer on Wednesday July 06 2016, @09:24PM

      by SubiculumHammer (5191) on Wednesday July 06 2016, @09:24PM (#370967)

      Troll. Always with the Firefox bashing. Never happy.

  • (Score: 1, Funny) by Anonymous Coward on Wednesday July 06 2016, @03:50PM

    by Anonymous Coward on Wednesday July 06 2016, @03:50PM (#370714)

    That's why you need to enable these settings manually in Firefox before they become available

  • (Score: 0) by Anonymous Coward on Wednesday July 06 2016, @05:10PM

    by Anonymous Coward on Wednesday July 06 2016, @05:10PM (#370773)

    Completely pointless as long as the DOJ can backdoor Firefox and refuse to release the exploit.

  • (Score: 2) by bitstream on Wednesday July 06 2016, @05:13PM

    by bitstream (6144) on Wednesday July 06 2016, @05:13PM (#370776) Journal

    Let's see. Add filters based on regex per url for:
      * Cookie permission
      * Javascript use
      * Java
      * Flash

    Make sure one can pin which domains or urls a CA can make decisions on. And no, the Chinese may not be the CA for the local bank..