15:00:02 #startmeeting Tor Browser Weekly Meeting 2022-08-15 15:00:02 Meeting started Mon Aug 15 15:00:02 2022 UTC. The chair is richard. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:02 Useful Commands: #action #agreed #help #info #idea #link #topic. 15:00:33 meeting pad per usual: https://pad.riseup.net/p/tor-tbb-keep 15:01:01 Hi! 15:02:55 Pad onion down for anyone else? 15:03:56 what's the URL? 15:05:34 Never mind, finally loaded after about 3 mins. I guess Riseup's onion is overloaded, or else my circuit is iffy. 15:06:45 :p 15:06:47 well anyway 15:08:13 nothing too unsual going this week ,PieroV and boklm are out until tomorrow 15:08:32 is there anything in particular you'd like to discuss? How have been your first few weeks? 15:09:09 good, lots to learn. I haven't worked on the FF code base before so, it's big :) 15:09:32 yeah it is A LOT 15:09:39 but yeah, I'm hoping today I'll find the last part I need for a #41075 patch 15:09:52 and then I am assuming to make it a fixup for the previous one? 15:10:09 yeah exactly 15:10:15 cool 15:10:26 or possibly split it up into multiple fixups depending 15:10:42 oh fun! how should that be evaluated? 15:11:00 for example if setting additional prefs is necessary then that portion would be a fixup to one of the initial prefrences commits 15:11:01 I guess I can push the branch to mine and we can look at it when ready? 15:11:07 yeah exactly 15:11:08 aaah cool 15:11:17 i suspect yours will be a single fixup in the end 15:11:29 i think so 15:11:53 but yeah, then I need to get anrdoid building and deploying to phone locally so I can hopefully confirm 41087 is a dup 15:12:06 and in prep for hte android render bug, which, I don't believe has been assigned to me yet 15:12:16 ooh i will assign it over 15:12:17 any idea what the ETA on the phone will be? 15:12:22 sweet thanks 15:12:36 I assume for android builds I can't do a local one, need to use tor-browser-build ? 15:12:43 * eta on the phone 15:12:50 not now eat :D 15:12:51 eta* 15:13:25 haha k. then if all goes well I might actually be open for another bug before end of week 15:13:27 hopefully soon'ish, the purchase was approved so I assume we just need to wait on accounting to purchase it 15:14:05 re local android builds, PieroV would be your best resource, iirc he got it working 15:14:16 cool 15:14:22 but the general pipeline is get all the build artifacts out of a tor-browser-build run 15:14:24 will bug him later this week 15:14:32 figured, cool! 15:14:36 and deploy them locally outside of a container to get incremental builds working 15:14:54 oooh interesting 15:15:22 such a strat has worked for me in the past for windows buidlds, and PieroV got it working with android a few months ago 15:16:34 sounds good! 15:16:54 ah, the tor as VPN on android stuff is semi public yes? 15:17:38 I ask cus I was asked to give a small presentation on Cwtch this coming weekend, including lots of history so I'll obvs be talking about tor / tor apps etc 15:17:53 so just checking if it's ok to mention that 15:17:57 yes it's semi-public 15:18:31 it's all on our gitlab, but we arne't like, doing marketting and telling the world about it 15:18:39 aaah ok 15:18:57 cool 15:19:00 thanks! 15:19:01 but also not secret 15:19:12 vOv 15:19:18 "we can't deny or confirm" stuff :) 15:19:30 "things are happening" 15:20:33 it's all pubilc yep, we announced it at last year's state of the onion 15:20:43 we don't really have any updates though 15:20:47 how about you ma1? things going well, need help/guidance with anything? 15:21:15 donuts: oh i didn't know we actually announced it, thought we were still in the 'you can find it if you explore our gitlab/lurk in IRC type thing' 15:21:38 That's all very exciting :) I might need to ping PieroV about building stuff if I manage to confirm the crash bug, but hopefully not being on Linux. 15:22:06 richard: yeah, matt did a whole segment on it 15:22:30 dan_b assigned fenix#40216 to you 15:23:24 The XSleak/Deanonymization thing has been taken better than I hoped. Yossi Oren, one of the authors of the paper, is an Israelian professor I already worked with (the PP0 attack), and seemed to like the solution, while I didn't receive usability complaints yet. 15:23:44 that's really good to hear 15:24:05 on boht accounts 15:24:31 BTW, the broader XSLeak vulnerability class is in the Agenda for the next W3C Web Application Security Working Group meeting (this Wed) to be included for discussion in one of the Vancouver TPAC sessions in September (our Limerick week, damn!) and I'll ask for it to be scheduled in a compatible time for remote attendance. 15:24:57 Speaking of W3C, I'd like to use next meeting (this Thu) to point out that with Manifest V3 neither Leakuidator+ nor TabGuard would have been possible as stop-gap measures for this or other emerging threats. 15:25:28 Next W3C WebExtensions Community Working Group meeting. 15:26:16 ma1, if you're talking about the recent NoScript update that adds warnings when new tabs are opened, I saw a UX complaint in #tor from yanmaani. 15:26:23 look forward to hear how they react :D 15:26:59 ma1: do you have an example website on hand that triggers the new UX? 15:27:36 richard, I think DuckDuckGo's search results page does. 15:28:09 Personally I dislike the new UX but I dislike getting deanonymized a lot more. 15:28:34 The new UX is triggered any time you open a site you have cookies for in a new tab from a different site. An example would be googling for a Youtube video and following the link from Google to Youtube *in a new tab* if you're logged in on Youtube. 15:29:06 oh i see 15:29:55 Any way you choose to deal with it (either dropping the authentication or loading normally) you won't be asked again for the session regarding similar interaction between the two sites. 15:30:49 Jeremy_Rand_Talos_, I guess I should put #tor in my auto-join list (is not yet there). Could you forward me the complaint for this time? Thanks. 15:31:52 ma1, I can paste it into #tor-browser-dev after the meeting, yes. 15:32:20 iirc firefox has a way (internally perhaps not exposed to webextenions) for determining if a request is due to user interaction or no 15:32:53 richard, in facts the attack relies on the navigation being from user interaction (otherwise it couldn't spawn popus) 15:33:26 I thought the tor-browser one worked from a programmatic pop-under? 15:34:42 there are several ways to pull the trick, but you always need to have two tabs you control, which can only happen after a click nowadays. 15:36:03 On the other hand, NoScript too checks for user-initiated navigations to minimize the hassle, by automatically cutting ties between tabs as soon as a SAME SITE user-activated navigation happens. 15:36:04 ah well 15:36:47 At that point it would be impossible for the potential attacker in another tab to actually timing their measurements, and you can call the tab "free". 15:37:27 ok, the only other thing on my todo list is to schedule monthly 1-on-1s with you, any objections to doing these on Thursdays? 15:37:38 (dan_b and ma1) 15:37:49 with each of you* 15:37:58 thursday looks good to me 15:38:31 No objection, either before or after the bi-weekly 1 hour W3C WECG meeting I was alluding to (which IIRC is at 15 UTC) 15:38:48 alright perfect 15:38:58 * ma1 goes to check the W3C calendar 15:39:25 then unless there is anything else you would like to discuss, we can call it here :) 15:41:15 ma1, the only machine of mine that has the IRC logs of the UX complaint is a machine without an OFTC account, so I need to wait for Matrix accounts to be whitelisted in #tor-browser-dev before I can paste it. 15:42:04 Jeremy_Rand_Talos_, fine, thanks, I'm not in a hurry :) 15:42:16 o/ 15:42:21 ok have a good week everyone 15:42:23 #endmeeting