Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#18885 closed enhancement (fixed)

Disable logging of TLS/SSL key material by default in Tor Browser

Reported by: gk
Owned by: gk
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff45-esr, TorBrowserTeam201605R, GeorgKoppen201605, tbb-6.0-must
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We should think about backporting the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1183318 as another defense-in-depth measure.

Change History (7)

comment:1 Changed 3 years ago by gk

Keywords: TorBrowserTeam201605 added

Dragging into May to have it on our 6.0 radar.

comment:2 Changed 3 years ago by gk

Keywords: GeorgKoppen201605 added
Owner: changed from tbb-team to gk
Status: new → assigned

comment:3 Changed 3 years ago by gk

Keywords: tbb-6.0-must added

comment:4 Changed 3 years ago by gk

Keywords: TorBrowserTeam201605R added; TorBrowserTeam201605 removed
Status: assigned → needs_review

bug_18885 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_18885) has a possible backport for us up for review.

comment:5 Changed 3 years ago by mcs

r=brade, r=mcs
The backport looks good. I guess Mozilla may tweak the patch some more, but what you have is fine for 6.0.

comment:6 Changed 3 years ago by gk

Resolution: fixed
Status: needs_review → closed

Fixed in commit f5c58c88029648b608d75cdb06d82b06f0d30953. I actually doubt Mozilla is tweaking the patch more. In fact, curiously, Firefox is not even using it as the necko people and others got their pitchforks out and argued they needed that feature for debugging purposes even in optimized, non-debug builds. But in NSS it is still there.

comment:7 in reply to:  6 Changed 3 years ago by mcs

Replying to gk:

Fixed in commit f5c58c88029648b608d75cdb06d82b06f0d30953. I actually doubt Mozilla is tweaking the patch more. In fact, curiously, Firefox is not even using it as the necko people and others got their pitchforks out and argued they needed that feature for debugging purposes even in optimized, non-debug builds. But in NSS it is still there.

Interesting. I guess I did not read the Bugzilla bug carefully and thought the fix was still pending on the NSS side (I think I saw https://bugzilla.mozilla.org/show_bug.cgi?id=1183318#c35 while reading in newest-to-oldest comment order and missed the fact that the status is RESOLVED FIXED). So never mind.
