Tor browser hardening features under scrutiny

http://threatpost.com/tor-browser-hardening-features-under-scrutiny

 

Glancing through it, I don't see the report taking up the subject of which browser would be the best baseline. However, it does point out that Chrome developers have implemented some things that Firefox developers haven't and TorBrowser developers would be wise to consider those. Seems like a separate study would have to be done, which assumed a Chrome baseline and tried to identify what it lacks (and, possibly, where leveraging a Firefox approach would be desired).

Moving past the pros/cons of each platform for a second, I think it absolutely essential that there be multiple, practically viable, web browsers and engines. Without some real competition, we users and consumers are pretty much guaranteed to be screwed in some ways and/or at some point. No matter what engine becomes the baseline for all other practically viable browsers. As I understand it, we've already got some lock-in on mobile platforms due to no-competing-engine clauses. It we be very troubling to see additional steps, of any sort, that further eliminated competition.

Back to the subject, aren't we in the overlap period during which ESR24 becomes ESR31? I don't recall seeing 31 mentioned anywhere in the report, and wonder whether its timing may have caused inadequate focus on ESR31 and its aspects. I thought I recently read that the Tor Browser developers were starting their transition to ESR31.

However, I did recently stumble across some discussions related to the Tor security slider and defaults in general. Seemed like there were some legitimate disagreements over what defaults should be, so I can understand Tor developers wanting some input on that now. Is anyone here following that effort closely? Are they intending to hard-code the settings for each slider position, or will users be able to adjust what settings are used for each slider position?

 

Maybe I'm not reading it correctly, but it seems to me that they're looking at FireFox and Chrome only. I don't see anything that says they've even considered looking at anything else. With Mozilla becoming largely dependent on Google, and subject to many of their wishes in the process, this is almost as bad as a choice of one. Regarding ESR31, isn't that the version that looks like a Chrome clone?

IMO, they need to look past FireFox and Chrome at some of the other browsers. One of the FireFox variants or SeaMonkey possibly. They should open a good dialogue with the developers of those variants with the possible goal of creating a team effort. It might be much simpler to import security improvements as needed instead of constantly removing the feature creep and growing Google infestation from either of the options they're considering.