Opened 3 months ago

Last modified 6 weeks ago

#31019 new task

Investigate update on Windows via BITS

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff68-esr, tbb-update, tbb-proxy-bypass
Cc: mcs, brade Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor44-can

Description

It seems there is coming a new update method for Windows users with Firefox 68 ESR which is called BITS (Background Intelligent Transfer Service), which is a Windows component.[1] The marketing promise is that "This change will allow Firefox to continue downloading an update
after Firefox has been closed." [2] which seems to be dangerous in the Tor Browser context.

There is a pref we can flip, though to use the older internal updater [3]. However, we should make sure the potential proxy bypass I am seeing here is actually mitigated by that.

[1] https://www.ghacks.net/2019/06/24/firefox-will-use-bits-on-windows-for-updates-going-forward/
[2] https://groups.google.com/forum/#!topic/mozilla.dev.platform/PCzoYCfi_fk
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1553977

Child Tickets

Change History (3)

comment:1 Changed 3 months ago by cypherpunks

Background Update Agent updates system-wide installation of Tor Browser without user intervention, downloading update through system Tor proxy via BITS... very far future...

comment:2 Changed 3 months ago by mcs

We will need to confirm, but it looks like the code that interacts with BITS can be omitted from the build by adding --disable-bits-download to our .mozconfig-mingw file.

comment:3 Changed 6 weeks ago by pili

Sponsor: Sponsor44-can

Adding Sponsor 44 to ESR68 tickets

Note: See TracTickets for help on using tickets.