Around the Tor world: Tor Browser

(Joke? We are moving to Chrome. We are trying to figure out how much that would cost.)

Good news is: we met with Mitchell Baker (Mozilla) talking about unifying our security models. Not sure if Tor will be an additional option to Firefox or so, but they are very excited about discussing. We are trying to make an effective plan for patches reviews.
Currently: We need more resources to review the Mozilla threat model.

Current funder for browser: OTF. Four main areas: security and privacy, usability UI, patches, automated testing.

During the crowdfunding campaign, 25-33% of donations came from the Tor browser banner – this is a point of favor re maintaining brand awareness in our browser, rather than being a feature in other browsers.

At the beginning of 2016 - handed over day to day operations of the browser to Georg Koppen - managing releases, tracking tickets,
Mike is focusing on Tor protocol performance, padding, traffic analysis, improvements, as well as getting Tor labs off the ground
still interfacing with Mozilla, meeting with engineers to land privacy/security patches
met with CEO of Mozilla, interim CTO, to talk about upstreaming as many of patches, agreement on privacy and security threat model
integration of Tor, VPN, some other plugin network option
seemed to be more interested in adopting privacy/fingerprinting threat model than committing to Tor by default in private browsing
answer for us - exactly what we want as well - the most expensive part of the browser is maintaining disagreement between what privacy/security features should be, especially on fingerprinting front
maintaining direct contact with user base is very useful for us, during crowdfunding campaign, 25-30% of referrers from campaign were from the browser banner, browser brought in $50k out of $250k out of week or two period after the browser donation banner first came up.

Main funding for the browser is OTF, funded 2016 for 4 main areas - security, privacy, usability, patch-upstream and merge, and QA (automation, testing)
- security and privacy stuff - has in past mostly vulnerability surface - want to do some sandboxing, Mozilla's sandboxing work was delayed (supposedly 45ESR, next switch in spring/summer 2016) but slipped
- wont pick it up until early 2017, will probably be working on own sandboxes, seccomp, apparmor, prevent proxy bypasses
usability and UI, working with David Fifield and ... streamline UI, automate things like bridge discovery
- David ??? Artur D. Edelstein - tracking all patches, rewrite to use Mozilla's new API for 'contextual identity project' - multiple logins per site, same APIs to do identifier isolation for us, reworked patches to use all the same plumbing underneath for that stuff.


How does XUL discontinuation affect Tor Browser? Delayed until 2017 because tied to sandboxing. Need to wait until we have APIs we need. Enumerated the set of APIs likely to need. Big long ticket.
Orfox - trying to pick up Orfox - not sure where funding for that is coming from.

Last modified 18 months ago Last modified on Mar 26, 2016, 8:23:48 AM