If you've used Tor, you've probably used Tor Browser, and if you've used Tor Browser you've used Firefox. By lines of code, Tor Browser is mostly Firefox -- there are some modifications and some additions, but around 95% of the code in Tor Browser comes from Firefox. The Firefox and Tor Browser teams have collaborated for a long time, but in 2016, we started to take it to the next level, bringing Firefox and Tor Browser closer together than ever before. With closer collaboration, we're enabling the Tor Browser team to do their jobs more easily, adding more privacy options for Firefox users, and making both browsers more secure.
[...] In 2016, we started an effort to take the Tor Browser patches and "uplift" them to Firefox. When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it's disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that Tor Browser team is building, to see if we can bring them to a much wider audience.
Our first major target in the uplift project was a feature called First Party Isolation, which provides a very strong anti-tracking protection (at the risk of breaking some websites). Mozilla formed a dedicated team to take the First Party Isolation features in Tor Browser and implement them in Firefox, using the same technology we used to build the containers feature. The team also developed thorough test and QA processes to make sure that the isolation in Firefox is as strong as what's in Tor Browser -- and even identified some ways to add even stronger protections. The Mozilla team worked closely with the Tor Browser team, including weekly calls and an in-person meeting in September.
First Party Isolation will be incorporated in Firefox 52, the basis for the next major version of Tor Browser. As a result, the Tor Browser team won't have to update their First Party Isolation patches for this version. In Firefox, First Party Isolation is disabled by default (because of the compatibility risk), but Firefox users can opt in to using First Party Isolation by going to about:config and setting "privacy.firstparty.isolate" to "true".
We're excited to continue this collaboration in 2017. Work will start soon on uplifting a set of patches that prevent various forms of browser fingerprinting. We'll also be looking at how we can work together on sandboxing, building on the work that Yawning Angel has done for Tor Browser and the Firefox sandboxing features that are scheduled to start shipping in early 2017.
takyon: Where's the long-rumored Tor integration in default Firefox? Make Firefox useful again.
Previously: Some Tor Privacy Settings Coming to Firefox
Tor Project and Mozilla Making It Harder for Malware to Unmask Users
(Score: -1, Flamebait) by Anonymous Coward on Friday January 06 2017, @08:18AM
Hey here's an idea since you're integrating shady crap into firefox. Make the browser automatically tunnel past Comcast login portals and make every xfinitywifi spot go straight to tor effortlessly. Seriously. Do it. I want to see which method you idiots choose to use (there are at least four ways into xfinitywifi) and how soon Comcast locks you out.
(Score: 0) by Anonymous Coward on Friday January 06 2017, @08:30AM
Post all four ways.
(Score: -1, Troll) by Anonymous Coward on Friday January 06 2017, @08:48AM
Dude you're supposed to whine "you lying bro cuz I seen every video on youtub and mac spoofing is the only way so fuk u their cant be 4 like no."
(Score: 0) by Anonymous Coward on Friday January 06 2017, @08:52AM
If FireTorFox does MAC spoofing I will laugh my fucking ass off.
(Score: 0) by Anonymous Coward on Saturday January 07 2017, @01:10AM
is lame, lame, lame. Lame!
Tor is for morons, right? Morons who can't even get around a captive portal. Bunch of dudebros being all nonymous like whoa. Morons.
(Score: -1, Troll) by Anonymous Coward on Saturday January 07 2017, @01:42AM
Show proper respect for the undeniable awesomeness of TOR.
Onion onion onion jihad.
(Score: 1, Interesting) by Anonymous Coward on Friday January 06 2017, @09:00AM
Yawning Angel was the ship who was sent by the Culture to spy on the Sleeper Service. Yep. No way Yawning Angel is a government spy tasked with ensuring Tor Browser is insecure by design. Not even possible.
(Score: 0) by Anonymous Coward on Friday January 06 2017, @04:02PM
Yeah because when you are a government spy you deliberately chose a name that gives away your intentions.
That's totally how professional spies work. Opsec? We don't need any stinking opsec,
(Score: 4, Touché) by PiMuNu on Friday January 06 2017, @10:48AM
This is great. Mozilla actually implementing a useful new feature in firefox...
(Score: 2) by opinionated_science on Friday January 06 2017, @12:17PM
a process/task manager would be nice - now they have multiprocessing ;-)
(Score: 1, Interesting) by Anonymous Coward on Friday January 06 2017, @05:28PM
I still think there are two huge improvements for security on the web. First would be to gut the user-agent header to just be a generic "Firefox" string. The reason is that this would drastically cut down the ability to track based on things like OS and processor architecture and would also affect how easy it is to get new 0-days. The reason for the latter is that once a few versions get out like that, it will be impossible to tell them apart and the malware people would have to decide to try and infect everyone with the latest or give themselves away by potentially using patched vulnerabilities.
Second would be to add salt and hashing on the client side for passwords or other data. The reason is that it would help with MITM and other attacks. And yes, I know it isn't a replacement for doing it on the server side as well.
(Score: 2) by LoRdTAW on Friday January 06 2017, @03:02PM
FTFY
On a more serious note: (tl;dr) web page should only render content, no play/stream media or control anything outside of the page rendering layout.)
If you want to truly make the web browser great again, give the user back full control. I want to see all window control disabled either permanently or by default. No resizing (which is already thankfully default), no opening new tabs, windows or anything. Completely kill any ability to ever enable pop-overs/unders. And kill the dialogue box while your at it ("Are you sure you want to close this page?" - yes motherfucker, I'm quite sure.) How many nefarious sites and poison ads have trapped stupid fucking chrome and FF in an endless loop of dialogue boxes (chrome only fixed last year FFS). The most insulting part is chrome locks up and gives only focus to the dialogue box, cant open the menu, cant switch tabs, can't even close the damn browser. What ever retard though that was a good idea should be stoned to death with mouse balls. Next is to disable HTML 5 audio and video playback by default to thwart infrasound de-anonymizing attacks and hyper annoying video ads. It can be designed so a warning is displayed saying this page is attempting to play audio/video, allow/deny?
Yea yea, there are add-on's. But think about it, we need third party add-on's to make a browser useful. How stupid is that? It was like people defending the Windows 8 UI disaster by telling complainers to buy a windows shell utility to restore classic start menu functionality. Fuck you, fix the shitty anti-consumer designs.
(Score: 2, Insightful) by Anonymous Coward on Friday January 06 2017, @03:55PM
The page about first party isolation, linked in the summary, is a great read. At least it was for me as I've been thinking a lot about the issue - especially using the URL in the urlbar as the key for each "identity." Their thoughts on spoofing (they call it randomization) were insightful and have almost convinced me that spoofing is not worth the effort because spoofing requires more developer work than equivalent uniformity coverage and developer resources are the gating factor.
I just hope that in implementing uniformity they don't exclude the potential for spoofing via plugins. I could see Mozilla thinking that they don't want to let a plugin deliberately fiddle with fingerprintable characteristics because of the potential for a malicious plugin deliberately making the browser fingerprintable. But, Even if spoofing is not effective against the most dedicated fingerprinters it still has potential against 'casual' fingerprinters and sites that just do stupid things because they think they know your browser better than you do.
(Score: 0) by Anonymous Coward on Friday January 06 2017, @08:23PM
its 2017, tor is still a thing? really?!?
(Score: 0) by Anonymous Coward on Saturday January 07 2017, @01:18AM
Totally still a thing. It's so fucking trendy to see movies about the dark web now.