Security Experts:

Connect with us

Hi, what are you looking for?



Tor Browser Patches Start Being Uplifted into Firefox

The Tor (The Onion Router) team and Mozilla are working together to implement Tor browser patches directly into Firefox and tighten their collaboration.

The Tor (The Onion Router) team and Mozilla are working together to implement Tor browser patches directly into Firefox and tighten their collaboration.

The Tor browser is built almost entirely on Firefox, with 95% of its code coming from Mozilla’s browser. However, it still needs a series of changes, which the team refers to as patches. As part of the strengthened collaboration, these patches are set to become part of Firefox, albeit they will be disabled by default.

The Tor browser is built based on Firefox ESR (Extended Support Release), to which the Tor team adds a series of privacy features. While these patches are extremely valuable, they also require implementation each time the Tor team wants to move to a new version of Firefox, and that takes a lot of work.

To simplify this work, the Tor and Firefox teams have decided to work together to integrate the Tor patches to Firefox, an operation they refer to as “uplifting.”

“When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it’s disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that Tor Browser team is building, to see if we can bring them to a much wider audience,” the Tor team explains.

The uplifting will start with First Party Isolation, a feature designed to deliver strong anti-tracking protection. The First Party Isolation functionality from Tor will be integrated into Firefox 52, which is set to arrive in March this year. Implementation will use the same technology the Tor team used to build the containers feature.

The isolation in Firefox 52 is expected to be as strong as in Tor, and will even include some stronger protections, it seems. Thus, the team plans on building the next Tor Browser iteration on top of Firefox 52, so that it won’t have to update the First Party Isolation patches for this version.

Firefox users, however, will see the First Party Isolation disabled by default, mainly because it creates a series of compatibility issues, breaking some websites. However, users will be provided with the option to turn the feature on by going to about:config and setting “privacy.firstparty.isolate” to “true”.

Next, the Firefox team will work on uplifting patches that prevent various forms of browser fingerprinting. The plan also includes a collaboration on sandboxing, based on Yawning Angel’s work for Tor Browser and the Firefox sandboxing features meant to start shipping in early 2017.

Courtesy of a tighter collaboration between the two teams, a zero-day vulnerability in Firefox that was being abused to track Tor users was resolved in both browsers within 24 hours.

Related: Tor Implements Improved Anonymity Protection

Related: DNS Data Can Help Attackers Deanonymize Tor Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...