Opened 3 years ago

Last modified 7 months ago

#16285 assigned task

Make sure EME is no tracking risk in Tor Browser

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-linkability, GeorgKoppen201705, TorBrowserTeam201705, ff60-esr, tbb-no-uplift-60
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by gk)

The EME architecture got uplifted to Firefox 37 (https://bugzilla.mozilla.org/show_bug.cgi?id=1137045) and is included in ESR 38 as well. We should make sure there are no accompanying tracking/fingerprinting risks. The best plan is probably to disable EME as Mozilla is doing in its ESR 38 release. We may need a custom patch as Mozilla is basically enabling it

#if !defined(MOZ_UPDATE_CHANNEL) || MOZ_UPDATE_CHANNEL != esr

While we may want to take a deeper look at it when we switch to ESR 45 we should make sure that everything related to EME is really disabled if the respective prefs are set to false.

Change History (32)

comment:1 Changed 3 years ago by gk

Description: modified (diff)

comment:2 Changed 3 years ago by gk

Another option would be trying to not compile it in at all in the first place which would allow us to get rid of the gmp-clearkey system which is used for testing purposes only anyway.

comment:3 Changed 3 years ago by gk

Keywords: GeorgKoppen201506 added

comment:4 Changed 3 years ago by gk

comment:5 in reply to:  4 Changed 3 years ago by gk

Replying to gk:

https://bugzilla.mozilla.org/show_bug.cgi?id=1144903#c4: ac_add_options --disable-eme ftw!

But hsivonen has a point (in https://bugzilla.mozilla.org/show_bug.cgi?id=1144903#c16):

If you want to persuade streaming providers not to use *DRM*, it's probably easier to persuade them to move to Clear Key, which is Free Software-implementable non-DRM encryption, which is technically equivalent to HLS with keys in the clear, which is already familiar to the providers and makes stream ripping with curl or wget take more effort, than to persuade them to drop media file-level encryption completely as the first step. In that sense, having the anti-DRM constituency use a browser that doesn't have Clear Key makes it harder to get streaming providers to make a shift off-DRM, which is presumably what the anti-DRM constituency wants!

comment:6 Changed 3 years ago by gk

https://support.mozilla.org/en-US/kb/enable-drm has some decent info. The bottom line is there is only EME on Windows Vista+ and as we don't build any sandbox on Windows and the sandbox is needed for EME we won't get it to run on Vista+ either. Thus, I'll go with the idea in comment:4 and audit the result. As mentioned in the description we want to revisit this during the preparation for ESR 45 when we have fixed #16010 and https://bugzilla.mozilla.org/show_bug.cgi?id=1136707 got solved by Mozilla.

comment:7 Changed 3 years ago by mikeperry

Keywords: tbb-5.0a3-essential added

Tag the set of things we should aim to understand/fix for the first FF38-based TBB (5.0a3, on June 30th).

comment:8 Changed 3 years ago by mikeperry

Keywords: TorBrowserTeam201506 added

Ensure all tbb-5.0a items are on the June radar.

comment:9 Changed 3 years ago by gk

Keywords: TorBrowserTeam201506R added; TorBrowserTeam201506 removed
Status: new → needs_review

bug_16285 (https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_16285) in my tor-browser repo has the two commits needed to fix this bug. The backport of the Mozilla patch is required for fixing a build bustage on Windows if we use the --disable-eme switch.

The more general GMP related issues (like not contacting the GMP update server) will be handled in #15910.

We should leave that ticket open (and adapt its subject) to revisit developments happening up to and including ESR 45.

comment:10 Changed 3 years ago by mcs

Looks good to me. r=mcs

I guess we probably don't need to set all those prefs to false (because we will compile with --disable-eme), but better to be safe (and I did not look at how the prefs are used in Mozilla's code).

comment:11 in reply to:  10 ; Changed 3 years ago by gk

Replying to mcs:

Looks good to me. r=mcs

I guess we probably don't need to set all those prefs to false (because we will compile with --disable-eme), but better to be safe (and I did not look at how the prefs are used in Mozilla's code).

Yeah, I mentioned the purpose of disabling the prefs in my commit message. Might not have been obvious enough. bug_16285_v3 (https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_16285_v3) has the reasoning now in the prefs file (as well).

comment:12 in reply to:  11 Changed 3 years ago by mcs

Replying to gk:

Yeah, I mentioned the purpose of disabling the prefs in my commit message. Might not have been obvious enough. bug_16285_v3 (https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_16285_v3) has the reasoning now in the prefs file (as well).

I think I must have skimmed over the commit message earlier because it did not really register in my brain. Sorry about that. In any case, your new comment in the prefs file makes things 100% clear.

comment:13 Changed 3 years ago by arthuredelstein

I have merged this patch to https://github.com/arthuredelstein/tor-browser/commits/tb_GECKO380esr_2015050513_RELBRANCH%2B1

gk, can you check that I've handled the conflict correctly?

comment:14 in reply to:  13 Changed 3 years ago by gk

Keywords: ff45-esr TorBrowserTeam201506 added; ff38-esr TorBrowserTeam201506R removed
Status: needs_review → assigned
Summary: Make sure EME is no tracking risk in Tor Browser based on ESR 38 → Make sure EME is no tracking risk in Tor Browser

Replying to arthuredelstein:

I have merged this patch to https://github.com/arthuredelstein/tor-browser/commits/tb_GECKO380esr_2015050513_RELBRANCH%2B1

gk, can you check that I've handled the conflict correctly?

Looks good.

comment:15 Changed 3 years ago by mikeperry

Keywords: tbb-5.0a3-essential TorBrowserTeam201506 removed

Cleaning the tags off this if we're going to keep it open until ff45-esr.

comment:16 Changed 2 years ago by gk

Keywords: TorBrowserTeam201605 added

Dragging into May to have it on our 6.0 radar.

comment:17 Changed 2 years ago by gk

Keywords: tbb-6.0-must added

comment:18 Changed 2 years ago by gk

Description: modified (diff)
Keywords: GeorgKoppen201605 added; GeorgKoppen201506 removed
Severity: Normal

comment:19 in reply to:  6 Changed 2 years ago by gk

Keywords: ff52-esr added; ff45-esr tbb-6.0-must removed

Replying to gk:

https://support.mozilla.org/en-US/kb/enable-drm has some decent info. The bottom line is there is only EME on Windows Vista+ and as we don't build any sandbox on Windows and the sandbox is needed for EME we won't get it to run on Vista+ either. Thus, I'll go with the idea in comment:4 and audit the result. As mentioned in the description we want to revisit this during the preparation for ESR 45 when we have fixed #16010 and https://bugzilla.mozilla.org/show_bug.cgi?id=1136707 got solved by Mozilla.

Neither #16010 nor the Mozilla bug are fixed yet. Thus, I postpone revisiting our current decision. So far, for ESR45, we are still good with the things we currently have in place.

comment:20 Changed 2 years ago by gk

Keywords: TorBrowserTeam201606 added; TorBrowserTeam201605 removed

comment:21 Changed 16 months ago by gk

There have been quite some changes in EME-land since esr45. macOS and Linux now have DRM support as well and it seems EME is treated differently build-wise: now it is only disabled by pref: https://bugzilla.mozilla.org/show_bug.cgi?id=1300654. That might be related to clearkey getting built now even if we specify --disable-eme in the .mozconfig file (adding exposure to security vulnerabilities: https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/). And there is a different download path available in case AUS is down: https://bugzilla.mozilla.org/show_bug.cgi?id=1267495.

That's just mentioning the "top highlights". We need to have a close look at EME for esr52.

comment:22 Changed 16 months ago by gk

Keywords: tbb-7.0-must added

More tickets for 7.0.

comment:23 Changed 16 months ago by gk

Keywords: tbb-7.0-must-alpha added; tbb-7.0-must removed

Moving tickets onto our alpha radar.

comment:24 Changed 16 months ago by gk

Keywords: GeorgKoppen201705 TorBrowserTeam201705 added; GeorgKoppen201605 TorBrowserTeam201606 removed

comment:25 Changed 15 months ago by gk

Keywords: tbb-7.0-must added; tbb-7.0-must-alpha removed

We are beyond the alpha testing. Moving tickets for tbb-7.0-must.

comment:26 Changed 15 months ago by gk

Keywords: TorBrowserTeam201705R added; TorBrowserTeam201705 removed
Status: assigned → needs_review

bug_16285_v4 (https://gitweb.torproject.org/user/gk/tor-browser.git/log/?h=bug_16285_v4) has three patches that adapt our code to the EME changes done between esr45 and esr52. The major change is that we don't have a switch for not compiling the code in in the first place anymore. Instead everything is bound to preferences now (even though --disable-eme is still available and should set the proper defaults).
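
Added example, not part of this ticket or of the bug_16285 patches: since EME is now controlled only by preferences, a build audit can parse the shipped prefs file and report every EME-related pref that is not explicitly false. The pref names in the watchlist are Firefox prefs assumed for this example (the ticket does not list which prefs the patches set), and the sample input is constructed.

```python
import re

# Assumed watchlist: EME-related Firefox pref names chosen for this example.
# The ticket does not list the prefs its patches set; adjust per ESR audited.
EME_PREFS = (
    "media.eme.enabled",
    "media.eme.apiVisible",
    "media.gmp-widevinecdm.enabled",
    "media.gmp-widevinecdm.visible",
    "browser.eme.ui.enabled",
)

# Matches pref("name", value); or user_pref(...) at the start of a line, so a
# line commented out with // is ignored. Block comments are not handled.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.MULTILINE)


def parse_prefs(text):
    """Return {name: raw value}; a later definition overrides an earlier one."""
    return dict(PREF_RE.findall(text))


def audit_eme(text, watchlist=EME_PREFS):
    """Classify each watched pref as 'disabled', 'enabled' or 'unset'."""
    prefs = parse_prefs(text)
    report = {}
    for name in watchlist:
        if name not in prefs:
            report[name] = "unset"      # falls back to the build's default
        elif prefs[name] == "false":
            report[name] = "disabled"
        else:
            report[name] = "enabled"    # anything but a literal false
    return report


# Constructed sample prefs file, not taken from the Tor Browser tree.
SAMPLE = '''
pref("media.eme.enabled", false);
// pref("media.eme.apiVisible", false);
pref("media.gmp-widevinecdm.enabled", false);
pref("media.gmp-widevinecdm.visible", false);
pref("browser.eme.ui.enabled", false);
pref("media.gmp-widevinecdm.enabled", true);
'''

if __name__ == "__main__":
    for name, state in audit_eme(SAMPLE).items():
        print(f"{state:9} {name}")
```

On the sample, the commented-out pref shows up as unset and the pref that is re-enabled further down the file shows up as enabled, the two cases a merge conflict or rebase is most likely to introduce.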

comment:27 Changed 15 months ago by mcs

r=brade, r=mcs
This looks good to us.

comment:28 Changed 15 months ago by gk

Keywords: ff59-esr TorBrowserTeam201705 added; ff52-esr TorBrowserTeam201705R tbb-7.0-must removed
Owner: changed from gk to tbb-team
Status: needs_review → assigned

Thanks. Applied to tor-browser-52.1.1esr-7.0-1 (commit 100fea0348ed02fd181080fbc2b131994adaab4b, e948ae5d404321a1ed0316ffb97baf45ee0163a5, and ba7cbd186c5692267ba80eb6a998c7abab2a76a9) and tor-browser-52.1.0esr-7.0-2 (commit 62546181d759aaf44216e6f32a79c89e55335c4e, 46d6d3a534c8f8c56194415c0839a4a90d17049b, and 726b6d699e101570b14e3eb091ec94e9d5ee1946). Moving this ticket off our esr52 radar to the one for esr59.

comment:29 Changed 15 months ago by gk

Seems I forgot to remove the library stripping we do in the Linux descriptor. This is fixed with commit e8d869e142439436104b8b1f8b807406fd68e104 on master.

comment:30 in reply to:  29 Changed 15 months ago by gk

Replying to gk:

Seems I forgot to remove the library stripping we do in the Linux descriptor. This is fixed with commit e8d869e142439436104b8b1f8b807406fd68e104 on master.

Which needed a fixup, *sigh*: commit c18c6f80c49d7da97d006d3fd5201b11f1312bbc.

comment:31 Changed 7 months ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:32 Changed 7 months ago by arthuredelstein

Keywords: tbb-no-uplift-60 added