Opened 3 years ago

Last modified 4 weeks ago

#4234 needs_information task

Investigate the Firefox update process

Reported by: mikeperry Owned by: mikeperry
Priority: major Milestone: TorBrowserBundle 2.3.x-stable
Component: Firefox Patch Issues Version:
Keywords: tbb-bounty tbb-usability pantheon chronos Cc: g.koppen@…, Sebastian, nickm, rransom, chiiph, mcs, brade
Actual Points: Parent ID:


Sure, it's probably not hardened against version downgrade attacks, interruption attacks, no-progress attacks, and maybe not even against CA compromises.

But it's gotta be better than nothing, and maybe it is easily serviceable into something that will work for us.

Users are having a hard time manually working with our TBB packages if they want to preserve bookmarks, settings, and history, and are getting themselves into trouble by copying pieces of them over each other incorrectly while trying to manually upgrade:

I think any form of process that automates this for them is a step above status quo. It's just a matter of finding out if it is significantly less time+effort to deploy than Thandy, and what the security tradeoffs are.

Child Tickets

#9114Reorganize bundle directory structure for TBB 3.0brade

Attachments (5)

FFUpdate (3.0 KB) - added by gk 2 years ago.
aboutDialog.patch (1.1 KB) - added by gk 2 years ago.
updateService.patch (3.9 KB) - added by gk 2 years ago.
updateDriver.patch (2.8 KB) - added by gk 2 years ago.
4234-work-in-progress-patch.txt (52.3 KB) - added by mcs 8 months ago.
Firefox 17.x patch (work in progress)

Download all attachments as: .zip

Change History (27)

comment:1 Changed 3 years ago by mikeperry

#3944 is one of the bugs on our side that will make this harder. There is also a bug on Mac OS with Vidalia exiting (#4235) that might make it difficult to replace Vidalia and Tor-related files.

comment:2 Changed 3 years ago by gk

  • Cc g.koppen@… added

comment:3 Changed 2 years ago by mikeperry

FYI: #1878 is the TBB Thandy bug.

comment:4 Changed 2 years ago by gk

Finally, I got the update process modified in a way that it updated my JonDoBrowser prototype. Thus, this is working and not so difficult. The patches are mostly in JS and not many as far as I can see.

There are some nice features one gets: first, you can ship partial updates as well, second, there is a kind of certificate pinning funcionality built-in (I have not tested it yet) where you can advise that TBB should only accept built-in (i.e. TorProject) certs, third, I think there is some mitigatioin against downgrade attacks as well (at least it could, depending on how you create your update.xml).

Thus, the most important question to me seems to be whether you really want to have it or would be more happy with Thandy (even if that lasts longer to get ready). The current work was something I did in my spare time and alas it won't be high prio in the near future (i.e. remain spare-time work). Nevertheless, I would help you here if you want to get that implemented for TBB.

comment:5 Changed 2 years ago by gk

Rereading the ticket description I was maybe a bit too fast in offering you help to implement a modified Firefox update process. Instead, I could look at the security trade-offs if that helps, dunno. Regarding the time/effort to deploy it: As I do not know the time and effort to deploy Thandy yet in all details I am only guessing but looking at the needed patches of Firefox' update process and the .mar generation etc. I would say modifying and deploying the Firefox update is much easier. I'll try do add some document to this ticket within the next days detailing what needs to get patched and describing the update process and the tools needed in order to give you some facts to consider.

comment:6 Changed 2 years ago by mikeperry

  • Cc Sebastian nickm rransom chiiph added

gk: Any prototype patches and/or documentation you could provide would be very much appreciated. Even just a prototype patch alone would let us start experimenting and reviewing the relevant code bits.

Changed 2 years ago by gk

Changed 2 years ago by gk

Changed 2 years ago by gk

Changed 2 years ago by gk

comment:7 Changed 2 years ago by gk

I just added everything I have so far. Tell me if/when you need a hand.

comment:8 Changed 2 years ago by mikeperry

  • Keywords MikePerry201205 added

Adding keyword to keep this on my radar for next month.

comment:9 Changed 23 months ago by mikeperry

  • Keywords MikePerry201206 added; MikePerry201205 removed
  • Status changed from new to needs_information

I took a look at these patches, and it looks like we've still got a lot more open questions. I'll tag it for June to keep an eye on it, but I might not answer those questions myself by then. :/

comment:10 Changed 22 months ago by mikeperry

  • Keywords MikePerry201206 removed

comment:11 Changed 19 months ago by gk

I'll start patching the Firefox update process in the near future (looking at my ToDo list I'm beginning in 2-3 weeks I guess) as this is critical for the 1.0 release of the JonDoBrowser and I am inclined to patch it in a way that you'll be able to use the result as well (out of the box on the client side). Thus, if you (Mike or whoever is responsible for the issue(s) at hand) are (still) interested in this work it would be good to know the requirements/expectations you have. I would especially like to know the minimal feature set you need and optional features you would like to have (but which might not be available in the first version of the patch).

comment:12 Changed 18 months ago by mikeperry

  • Keywords tbb-bounty tbb-usability added

comment:13 Changed 18 months ago by mikeperry

gk: I think we're most likely going to wait until the FF17-ESR timescale to investigate this again, as I assume the updater has changed a bit from FF10-ESR.

comment:14 Changed 18 months ago by mcs

  • Cc mcs brade added

comment:15 Changed 17 months ago by gk

You might want to think about exactly which parts of the bundle you want to get updated with this updater and which not (if there are some at all). E.g. what about a user's profile directory? Not messing with it seems pretty straightforward as it contains user customizations and other user related stuff that should not get touched by an application updater. But that implies for instance that the current TBB build process needs to get changed as there is then no way anymore to just ship the language pack as an extension with the browser to get a localized build and this implies as well that one abandons the idea to ship the latest versions of add-ons included into the browser (e.g. NoScript) only via the updater and only after their latest changes passed a security review which seems quite appealing as well. There might be other issues here too like getting preferences in the prefs.js file updated (dunno if you store some version numbers there)...

comment:16 Changed 16 months ago by gk

I just realized that we don't need to rely solely on PKI here (at least on Windows) as Mozilla supports signed .mar files since Gecko12. See:, and Would be nice to have that capability on GNU/Linux and Mac OS X as well and if it is not done by Mozilla to merge that back...

comment:17 Changed 16 months ago by brade

In preparation to work on this issue, I would like to pull and build a Firefox ESR 17-based Tor Browser Bundle. What is the best repository / branch to pull from?

comment:18 Changed 16 months ago by mikeperry

brade: For now, you should use my remote, I still haven't merged it yet:

git remote add mikeperry git://
git fetch mikeperry
git checkout firefox17-esr

That branch is branched off of origin/maint-2.4, which may have updated other pieces of TBB to unstable versions. If that causes problems, let me know and I can rebase to maint-2.3.

comment:19 Changed 8 months ago by mcs

Using a patched version of Mozilla's update mechanism, Kathy Brade and I have successfully updated TBB on Linux, Windows, and Mac OS "in the lab" using both incremental and "full replace" updates. There is still significant work to do, but we will post a work in progress patch here shortly.

One of the remaining issues is that the Mozilla code needs access to the TBB version before the preference system has been initialized. We may need to pass knowledge of the TBB version through the Firefox build process (rather than just setting the torbrowser.version pref.).

There are also some Windows Vista (and newer) OS security issues that we somewhat ignored. Because TBB is not typically stored under Program Files or other "locked down" areas, this is probably not a big concern. Our patch always downloads and applies updates within the TBB package directory.

Finally, updating the bundled browser extensions (e.g., HTTPS-Everywhere) is a little tricky because an extension may have been updated by the user. We could always overwrite the bundled extensions (which may cause the user's updates to be lost) or we could never update them (that seems like a bad idea). Kathy and I lean toward always overwriting the extensions.

Our high-level understanding of the security aspects of the Firefox mechanism:

1) The update meta-information is retrieved over TLS. A special check is done to ensure that the issuer name and common name of the server's TLS certificate match values that are stored in bundled Firefox preferences.

2) After an update is downloaded (partial MAR or complete MAR), a SHA512 checksum of the MAR file is checked against a value that was returned in the update meta-information.

Mozilla also has a build option to require signed MAR files, but we have not tried to use it yet.

Changed 8 months ago by mcs

Firefox 17.x patch (work in progress)

comment:20 Changed 5 months ago by gk

See comment 6f. of #9837 regarding the question whether we need helper.exe (again) as soon as the updater is ready.

comment:21 Changed 4 months ago by StrangeCharm

  • Keywords pantheon chronos added
Note: See TracTickets for help on using tickets.