The Tor (The Onion Router) team and Mozilla are working together to implement Tor browser patches directly into Firefox and tighten their collaboration.
The Tor browser is built almost entirely on Firefox, with 95% of its code coming from Mozilla’s browser. However, it still needs a series of changes, which the team refers to as patches. As part of the strengthened collaboration, these patches are set to become part of Firefox, albeit they will be disabled by default.
The Tor browser is built based on Firefox ESR (Extended Support Release), to which the Tor team adds a series of privacy features. While these patches are extremely valuable, they also require implementation each time the Tor team wants to move to a new version of Firefox, and that takes a lot of work.
To simplify this work, the Tor and Firefox teams have decided to work together to integrate the Tor patches to Firefox, an operation they refer to as “uplifting.”
“When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it’s disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that Tor Browser team is building, to see if we can bring them to a much wider audience,” the Tor team explains.
The uplifting will start with First Party Isolation, a feature designed to deliver strong anti-tracking protection. The First Party Isolation functionality from Tor will be integrated into Firefox 52, which is set to arrive in March this year. Implementation will use the same technology the Tor team used to build the containers feature.
The isolation in Firefox 52 is expected to be as strong as in Tor, and will even include some stronger protections, it seems. Thus, the team plans on building the next Tor Browser iteration on top of Firefox 52, so that it won’t have to update the First Party Isolation patches for this version.
Firefox users, however, will see the First Party Isolation disabled by default, mainly because it creates a series of compatibility issues, breaking some websites. However, users will be provided with the option to turn the feature on by going to about:config and setting “privacy.firstparty.isolate” to “true”.
Next, the Firefox team will work on uplifting patches that prevent various forms of browser fingerprinting. The plan also includes a collaboration on sandboxing, based on Yawning Angel’s work for Tor Browser and the Firefox sandboxing features meant to start shipping in early 2017.
Courtesy of a tighter collaboration between the two teams, a zero-day vulnerability in Firefox that was being abused to track Tor users was resolved in both browsers within 24 hours.