Tor Browser Security Under Scrutiny 80
msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.
Re:Why not work with Mozilla (Score:1, Informative)
They already do work with Mozilla.
Re:Why not work with Mozilla (Score:2, Informative)
Mozilla doesn't care. They are actively undermining features needed to use Tor safely (and, arguably, to browse at all safely).
Firefox has lost the ability to disable javascript;
Let's see.. *clicks on about:config?filter=javascript.enabled in my bookmarks* Nope, still able to do that.
it's gained tons of privacy-violating tracking features, some of which report every URL you visit to Google;
it keeps cookies forever by default; and it's gaining more and more browser fingerprinting sources with every release.
Nope again, [mozilla.org] and defaults are easy to change when you're building your own TOR browser.
There's plenty of room elsewhere in Firefox for improvement, and patches are welcome, so there's really no need for this FUD.
The report doesn't say "use Chrome" (Score:4, Informative)
Maybe I'm missing something, but I've read the whole report and I can't find anything that says "don't favor Firefox as a baseline for Tor, rather Google Chrome".
Re:The report doesn't say "use Chrome" (Score:3, Informative)
They don't. They simply acknowledge that Chrome has a safer memory deallocator, and that the Chrome team has some put some actual effort into security in their browser.
There is just an active effort now to discredit Firefox at every possible opportunity. It has cropped up in pretty much every browser discussion, at pretty much every opportunity. For every negative point that might have some merit or at least tries to be level-headed, there are two or more that blindly paint Firefox and Mozilla in a negative light. They all follow the usual "us vs them" mentality and chant a mantra that nothing good has happened to Firefox since version 3, that Mozilla is doing nothing but ignoring users, and so forth.
It's actually getting rather disconcerting. It reminds me of the period where the anti-Internet Explorer hype machine kicked into overdrive. Except this time it's almost entirely unwarranted.
Re:The report doesn't say "use Chrome" (Score:4, Informative)
I was wondering the same thing. The only thing the report says is "implementing security features that Chromium has and work in Firefox would help Tor".
The headline is a lie.
That's not what it says at all vs Chrome (Score:4, Informative)
"The Chrome Security team has been a source of innovation in the browser security space. Tor Browser Bundle is based on Firefox and thus inherits progress made by Mozilla automatically. While improvements in Chrome may not be appropriate for Firefox, they could be integrated in Tor Browser Bundle. In a best case scenario, members of the Chrome Security team may be allowed to work with the Tor Project on these changes."
Basically it's saying: Chrome is also doing good stuff, combine it with the stuff you get from Mozilla for a better result.