This release updates Firefox to 102.12.0esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 114.
Build-Signing Infrastructure Updates
We are once again able to code-sign our executable Windows installer, so new installations on the Windows platform no longer need to perform a build-to-build update from an older version. We apologize for all the inconvenience this caused.
Send us your feedback
If you find a bug or have a suggestion for how we could improve this release, please let us know.
I have noticed that exe files may not be identical e.g. in…
tor-expert-bundle-12.0.5-windows-x86_64.tar
tor-expert-bundle-12.0.6-windows-x86_64.tar
tor-expert-bundle-12.0.7-windows-x86_64.tar
…downloaded from the official site, even though they’re the same “Tor 0.4.7.13 (git-7c1601fb6edd780f)”.
If I’m not wrong…
Between 12.0.6 and 12.0.7: tor.exe & tor-gencert.exe are different while obfs4proxy.exe & snowflake-client.exe are identical;
Between 12.0.5 and 12.0.6: obfs4proxy.exe & snowflake-client.exe are (each) different while tor.exe & tor-gencert.exe are identical;
…where by “different” I mean “not bit-identical” - which may or may not imply “different in some essential way”
If they’re compiled from the same source code deterministically (?), even having the same time stamps, why can the same-version (0.4.7.13) binaries be sometimes bit-identical and sometimes not? Perhaps the compiler versions are different?
They’re signed by the same PGP key, so the files must be fine. So this is most probably an insignificant question, not related to any real problems; I’m just feeling curious.
Big thanks again, to richard and everyone involved, for your hard work!
So some sleuthing would be required to determine precisely why/what different versions are the same, but I can give you the following explanations which are true regardless of the current situation above.
You are correct that the tor version is the same, so why would the resulting binaries be different?
There are broadly speaking two different reasons why binaries with the same source-code version can have different build outputs over time:
toolchain changes: the suite of tools (compilers, linkers, etc) may have been updated, so we’re building the same tor commits but with different tools resulting in different outputs
dependency changes: apart from the standard libc dependencies, tor depends on some other libraries as well: libevent, zlib, and openssl. If these dependencies (which are inputs to the tor build process, even though they are dynamically rather than statically linked) change, then one can expect the tor binary may change as well.
Another consideration is that the pluggable transports are technically separate packages, each with their own source trees and version numbers.
In the stable release there are 2 pluggable transports (snowflake-client and obfs4proxy) whereas in alpha we have 4 (conjure-client and webtunnel-client in addition to the ones in stable). For convenience, we only report the Tor Browser version associated with all of the pluggable transports rather than listing versions or git commits individually. We also reason the individual PT versions aren’t terribly relevant to developers since their usage is more or less transparent/handled by the tor daemon whereas any changes will be easier to find associated with a given Tor Browser release. The tor version on the other hand is useful for developers to know at a glance since major features often are not backported to old releases. For example, the latest tor alpha (which will be in the 13.0 alpha channel) has support for onion service PoW and confluence circuits, whereas the current stable does not have those features.
Now to get down to specifics, off the top of my head the following things have changed over the past few releases that can affect the final PT and tor binaries:
openssl updates (a tor dependency as mentioned above)
go toolchain updates - used to build all of our PTs
I hope this answers your questions and concerns and I’m happy to babble more about this if you have further questions.
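As an added example (not Tor Project code), the comparison the original poster did by hand can be scripted: hash the same-named binaries in several tor-expert-bundle tarballs and report, per consecutive release pair, which files are bit-identical and which changed. The three archives here are constructed in memory with placeholder contents; real bundles would be opened from disk with tarfile.open(path).

```python
import hashlib
import io
import tarfile
# Added example (not Tor Project code): hash the same-named binaries in several
# tor-expert-bundle tarballs and report which changed between consecutive releases.
TRACKED = ("tor.exe", "tor-gencert.exe", "obfs4proxy.exe", "snowflake-client.exe")

def member_digests(archive: bytes) -> dict:
    """Return {basename: sha256hex} for tracked files inside one tar archive."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name.rsplit("/", 1)[-1]
            if member.isfile() and name in TRACKED:
                digests[name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def compare_releases(archives: dict) -> dict:
    """archives is {version: tar bytes} in release order; returns, per consecutive
    pair, {filename: 'identical' | 'different' | 'missing'}. A match means
    bit-identical only, not 'functionally the same'."""
    per_version = {v: member_digests(a) for v, a in archives.items()}
    versions = list(archives)
    report = {}
    for older, newer in zip(versions, versions[1:]):
        a, b = per_version[older], per_version[newer]
        report[(older, newer)] = {
            f: "missing" if f not in a or f not in b
            else ("identical" if a[f] == b[f] else "different")
            for f in TRACKED}
    return report

def make_bundle(files: dict) -> bytes:
    """Build a small in-memory tar from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=f"tor/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed placeholder contents reproducing the pattern described in the thread:
# the PTs change between 12.0.5 and 12.0.6, tor changes between 12.0.6 and 12.0.7.
SAMPLE_BUNDLES = {
    "12.0.5": make_bundle({"tor.exe": b"tor-A", "tor-gencert.exe": b"gc-A", "obfs4proxy.exe": b"o4-A", "snowflake-client.exe": b"sf-A"}),
    "12.0.6": make_bundle({"tor.exe": b"tor-A", "tor-gencert.exe": b"gc-A", "obfs4proxy.exe": b"o4-B", "snowflake-client.exe": b"sf-B"}),
    "12.0.7": make_bundle({"tor.exe": b"tor-B", "tor-gencert.exe": b"gc-B", "obfs4proxy.exe": b"o4-B", "snowflake-client.exe": b"sf-B"}),
}
```

A "different" result only tells you the bytes changed; as explained above, a toolchain or dependency update is enough to cause that even when the tor version string is unchanged.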
@richard
Thanks for taking your precious time for the very detailed explanation. Dependencies like openssl (and their version changes) are quite understandable. Also, the PoW you mentioned (though not directly related) is something very interesting… Traditionally, many argue that PoW is a waste of energy in the context of cryptocurrencies. If the technology works for something else - for making Tor (which many recognize as an important project) better, that may be very nice.
Btw after updating to TB 12.0.7 from 12.0.6 on Windows, I’m getting some security notices that didn’t appear before, when I open a new tab or (sometimes) new page. Does the new version set a (global?) Keyboard Hook e.g. for UI reason? Something triggers “a potential threat to keyboard logging access detected” notification. (I block them and the browser is working fine.) Is this something expected or perhaps it’s just that my environment is somehow not right? I know this kind of hook is useful if used right, as in AutoHotkey.
Seems weird, you should open an issue on our gitlab. There isn’t anything majorly different between the 12.0.6 and 12.0.7 versions beyond security updates, so I would bet on overzealous anti-virus.
We are once again able to code-sign our executable Windows installer, so new installations on the Windows platform no longer need to perform a build-to-build update from an older version. We apologize for all the inconvenience caused.
I did a quick test and the previous version of TB (12.0.6; fx102.11.0) vanilla also tries to “read Keyboard State”. It seems that recent versions of Firefox do this by default. So nothing has changed about it and, you’re right, what I described is probably not a problem at all. It’s just that my instance of TB (non-vanilla) never tried to do this before.
Probably unrelated, I noticed possible UI issues. (1) Do “Search Bar” → “Add search bar in toolbar”. The address bar still does Search, calling a search engine if you type a word and hit enter. Perhaps by design? (2) about:config → keyword.enabled=false. The address bar doesn’t do Search anymore, but still says “Search with DuckDuckGo or enter address”.
Footnotes:
I’m aware that using non-vanilla settings may be bad w.r.t. finger-printing.
Just in case someone wonders: actively reading the current state of your keyboard is not necessarily a suspicious behavior, esp. when the process or a related process has keyboard input focus (a legit example: checking if CapsLock is on or off). It couldn’t be used as a keylogger unless doing so repeatedly like every millisecond. A global hook can be used as a keylogger more easily, but if that happens, it’s more likely that you get a maliciously modified version of TB, rather than the official version is malicious.