Changes between Version 2 and Version 3 of org/meetings/2016WinterDevMeeting/Notes/TorBrowser


Timestamp: Mar 26, 2016, 8:23:48 AM (3 years ago)
Author: bugzilla
Comment: --

  • org/meetings/2016WinterDevMeeting/Notes/TorBrowser

    v2 v3  
    11[https://trac.torproject.org/projects/tor/wiki/org/meetings/2016WinterDevMeeting/Notes BACK TO 2016 WINTER DEV MEETING NOTES PAGE]
    22
    3 __Around the Tor world: Tor Browser__[[BR]][[BR]](Joke? We are moving to Chrome. We are trying to figure out how much that would cost.)[[BR]][[BR]]Good  news is: we met with Mitchell Baker (Mozilla) talking about unifying  our security models. Not sure if Tor will be an additional option to  Firefox or so, but they are very excited about discussing. We are trying  to make an effective plan for patches reviews.[[BR]]Currently: We need more resources to review the Mozilla threat model.[[BR]][[BR]]Current funder for browser: OTF. Four main areas: security and privacy, usability UI, patches, automated testing.[[BR]][[BR]]During  the crowdfunding campaign, 25-33% of donations came from the Tor  browser banner – this is a point of favour re maintaining brand  awareness in our browser, rather than being a feature in other browsers.[[BR]][[BR]][[BR]]at  the beginning of 2016 - handed over day to day operations of the  browser to Georg Koppen - managing releases, tracking tickets,[[BR]]mike  is focussing on tor protocol performance, padding, traffic analysis,  improvements, as well as getting tor labs off the ground[[BR]]still interfacing with mozilla, meeting with engineers to land privacy/security patches[[BR]]met  with ceo of mozilla, interrim cto, to talk about upstreaming as many of  patches, agreement on priacy and security threat model[[BR]]integration of tor, vpn, some other plugin network option[[BR]]seemed  to be more interested in adopting privacy/fingerprinting threat model  than committing to tor by default in private browsing[[BR]]ansewr for us -  exactly what we want as well - the most expensive part of the browser  is mantaining disagreement between what privacy/security features should  be, especially on fingerprinting front[[BR]]maintaining direct contacdt  with user base is very useful for us, during crowdfunding campaign,  25-30% of referrers from campaign were from the browser banner, browser  brought in $50k out of $250k out of[[BR]]week or two 
period after the browser donation banner first came up.[[BR]][[BR]]main  funding for the browser is OTF, funded 2016 for 4 main areas -  security, privacy, useability, patch-upstream and merge, and QA  (automation, testing)[[BR]]- security and privacy stuff - has in past  mostly vulnerability surface - want to do some sandboxing, mozillas  sandboxing work was delayed (supposedly 45ESR, next switch in  spring/summer 2016) but slipped[[BR]]- wont pick it up until early 2017, will probably be working on own sandboxes, seccomp, apparmor, prevent proxy bypasses[[BR]]useability and UI, working with david fifield and .. .streamline UI, automate things like bridge discovery[[BR]]-  david ?? artur edelstein - tracking all patches, rewrite to use  mozillas new API for 'contextual identity project' - multiple logins per  site, same APIs to do identifier isolation for us, reworked patches to  use[[BR]]all the same plumbing underneath for that stuff.[[BR]][[BR]]questions[[BR]][[BR]]how  does XUL discontinuation affect torbrowser. delayed until 2017 because  tied to sandboxing. need to wait until we have APIs we need. enumerated  the set of APIs likely to need. big long ticket.[[BR]]orfox - trying to pick up orfox - not sure where funding for that is coming from
     3__Around the Tor world: Tor Browser__[[BR]][[BR]](Joke? We are moving to Chrome. We are trying to figure out how much that would cost.)[[BR]][[BR]]Good news is: we met with Mitchell Baker (Mozilla) talking about unifying our security models. Not sure if Tor will be an additional option to Firefox or so, but they are very excited about discussing. We are trying to make an effective plan for patches reviews.[[BR]]Currently: We need more resources to review the Mozilla threat model.[[BR]][[BR]]Current funder for browser: OTF. Four main areas: security and privacy, usability UI, patches, automated testing.[[BR]][[BR]]During the crowdfunding campaign, 25-33% of donations came from the Tor browser banner – this is a point of favor re maintaining brand awareness in our browser, rather than being a feature in other browsers.[[BR]][[BR]][[BR]]At the beginning of 2016 - handed over day to day operations of the browser to Georg Koppen - managing releases, tracking tickets,[[BR]]Mike is focusing on Tor protocol performance, padding, traffic analysis, improvements, as well as getting Tor labs off the ground[[BR]]still interfacing with Mozilla, meeting with engineers to land privacy/security patches[[BR]]met  with CEO of Mozilla, interim CTO, to talk about upstreaming as many of patches, agreement on privacy and security threat model[[BR]]integration of Tor, VPN, some other plugin network option[[BR]]seemed to be more interested in adopting privacy/fingerprinting threat model than committing to Tor by default in private browsing[[BR]]answer for us -  exactly what we want as well - the most expensive part of the browser is maintaining disagreement between what privacy/security features should be, especially on fingerprinting front[[BR]]maintaining direct contact with user base is very useful for us, during crowdfunding campaign, 25-30% of referrers from campaign were from the browser banner, browser  brought in $50k out of $250k out of week or two period after the browser 
donation banner first came up.[[BR]][[BR]]Main funding for the browser is OTF, funded 2016 for 4 main areas -  security, privacy, usability, patch-upstream and merge, and QA (automation, testing)[[BR]]- security and privacy stuff - has in past  mostly vulnerability surface - want to do some sandboxing, Mozilla's sandboxing work was delayed (supposedly 45ESR, next switch in spring/summer 2016) but slipped[[BR]]- wont pick it up until early 2017, will probably be working on own sandboxes, seccomp, apparmor, prevent proxy bypasses[[BR]]usability and UI, working with David Fifield and ... streamline UI, automate things like bridge discovery[[BR]]-  David ??? Artur D. Edelstein - tracking all patches, rewrite to use Mozilla's new API for 'contextual identity project' - multiple logins per site, same APIs to do identifier isolation for us, reworked patches to use all the same plumbing underneath for that stuff.[[BR]][[BR]]Questions[[BR]][[BR]]How does XUL discontinuation affect Tor Browser? Delayed until 2017 because tied to sandboxing. Need to wait until we have APIs we need. Enumerated the set of APIs likely to need. Big long ticket.[[BR]]Orfox - trying to pick up Orfox - not sure where funding for that is coming from.
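
Review bot: the copy-edit in v3 is incomplete in the sandboxing and patch-tracking bullets: "wont pick it up" still lacks its apostrophe, "met  with CEO" keeps a double space, and "David ??? Artur D. Edelstein" leaves the unresolved "???" while adding a middle initial "D." that v2 did not have, so that name should be confirmed with the note-taker rather than filled in. The revision also keeps two different figures for the banner's share of the campaign (25-33% of donations near the top, 25-30% of referrers further down) and the broken clause "$50k out of $250k out of week or two period"; since this pass only touches spelling and capitalization, either reconcile those with whoever took the notes or mark them as unverified.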