The binary blob is not built reproducibly which poses security risks. Although there seems to be kind of a mechanism for Mozilla to verify things:
Mozilla and Cisco have established a process by which the binary is verified as having been built from the publicly available source, thereby enhancing the transparency and trustworthiness of the system.
The download uses essentially Mozilla's "cert pinning". We might want to have something stronger in place.
The binary blob is not built reproducibly which poses security risks. Although there seems to be kind of a mechanism for Mozilla to verify things:
Mozilla and Cisco have established a process by which the binary is verified as having been built from the publicly available source, thereby enhancing the transparency and trustworthiness of the system.
The download uses essentially Mozilla's "cert pinning". We might want to have something stronger in place.
The binary blob is not built reproducibly which poses security risks. Although there seems to be kind of a mechanism for Mozilla to verify things:
Mozilla and Cisco have established a process by which the binary is verified as having been built from the publicly available source, thereby enhancing the transparency and trustworthiness of the system.
The download uses essentially Mozilla's "cert pinning". We might want to have something stronger in place.
Aha, I've been too fast. It is basically the same infrastructure as the application updater: A server is contacted via HTTPS (aus4.mozilla.org in this case), an update.xml file is sent which contains the above mentioned URL and a SHA512 hash etc. (in case there is a version to be installed/updated)
bug_15910 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_15910) in my public tor-browser repo has a fix for this bug with some motivation for the implemented solution: we basically don't show GMPs at all on the Add-ons pane in order to not confuse users and make sure that update pings are not hitting the network.
I'd like to keep this bug open in order to revisit this decision for ESR 45.
bug_15910 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_15910) in my public tor-browser repo has a fix for this bug with some motivation for the implemented solution: we basically don't show GMPs at all on the Add-ons pane in order to not confuse users and make sure that update pings are not hitting the network.
12:27:16.047 1458304036000 Toolkit.GMP ERROR GMPInstallManager.onLoadXML could not load xml: [Exception... "SSL is required and URI scheme is not https." nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: re[/gre/modules/CertUtils.jsm](/gre/modules/CertUtils.jsm) :: checkCert :: line 142" data: no]1 Log.jsm:749:0 12:27:16.050 1458304036000 Toolkit.GMP ERROR GMPInstallManager.simpleCheckAndInstall Could not check for addons: {"target":{},"status":200,"message":"[Exception... \"SSL is required and URI scheme is not https.\" nsresult: \"0x8000ffff (NS_ERROR_UNEXPECTED)\" location: \"JS frame :: re[/gre/modules/CertUtils.jsm](/gre/modules/CertUtils.jsm) :: checkCert :: line 142\" data: no]"}1 Log.jsm:749:0
Trac: Severity: N/Ato Normal Sponsor: N/AtoN/A Reviewer: N/AtoN/A
As long as there are ports of the source code and automatic build scripts contributed as part of the open source, we do not see difficulties in adding additional platforms.
http://www.openh264.org/faq.html
So only The Tor Project can teach Cisco to make deterministic binaries for all required platforms.
In Tor Browser 7.0a3-build4 the OpenH264 plugin is downloaded automatically in the background if automatic addon updates are enabled or if one checks for addon updates manually. In Firefox this happens because of a change in Firefox 50, citing the release notes (https://www.mozilla.org/en-US/firefox/50.0/releasenotes):
"The link to check for plugin security updates has been removed from the addon manager as Firefox automatically checks for plugin updates"
The plugin is saved under /Browser/TorBrowser/Data/Browser/profile.default/gmp-gmpopenh264. Note that the plugin is downloaded although I have
"media.gmp-manager.url.override" set to "data:text/plain," (default)
"media.gmp-provider.enabled" set to "false" (default)
The plugin is not listed in about:addons or about:plugins because of the second option, so it is not used either, and I think WebRTC is deactivated anyway. But I wonder why it is downloaded. I don't know any other option to prevent the download, any of the two above work in Firefox as far as I know.
In Tor Browser 7.0a3-build4 the OpenH264 plugin is downloaded automatically in the background if automatic addon updates are enabled or if one checks for addon updates manually.
I have to correct this: It is downloaded even if automatic add-on updates are disabled, but it is NOT downloaded if one checks for add-on updates manually. The automatic download happens during the first minute in which Tor Browser is running. To see this, I disabled automatic add-on updates and automatic updates of Tor Browser after the start as fast as I could to confirm that these settings have nothing to do with it.
So it seems that there is something different going on to what I can observe in Firefox.
override pref is still active in the codebase, and nothing is downloaded on Windows.
@viktorj: you can set extensions.logging.enabled to true and see in the Browser Console of a new clean installation what is happening during GMP update check.
Thus, the browser thinks the download server is down
Does the proper server response spoofing (data:,<updates></updates>) solve your problem?
And this is no issue on Windows as we are not compiling with MSVC.
As they are not compiling for MinGW (for now ;).
Thanks. It seems we won't get it anytime soon for support (https://bugzilla.mozilla.org/show_bug.cgi?id=1057646#c18). Thus, only the WebRTC usecase remains. We are still disabling that one, though. Moving this on our ESR59 radar then.
Trac: Owner: gk to tbb-team Keywords: tbb-7.0-must-alpha, TorBrowserTeam201704R, ff52-esr deleted, ff59-esr added Status: needs_review to assigned
Q: If I use the source code in my product, and then distribute that product on myown, will Cisco cover the MPEG LA licensing fees which I'd otherwise have to pay?A: No. Cisco is only covering the licensing fees for its own binary module, andproducts or projects that utilize it must download it at the time the product orproject is installed on the user's computer or device. Cisco will not be liable forany licensing fees incurred by other parties.
And? What's the problem to upstream deterministic builds to them?
Yeah, I've been thinking about this a lot but then I did not want to support the MPEG LA licensing bullshit, so I dropped spending time on this one. But, generally, I guess if someone manages to build exactly the same binary that could be an option.
FWIW, the Android situation for Google Play store apps is described in https://bugzilla.mozilla.org/show_bug.cgi?id=1548679: Firefox is not downloading OpenH264 anymore because Google prohibits that as they want to be able to scan the whole app for malware (OpenH263 being automatically downloaded and installed being essentially a part of it).