Rust logo

The Tor Browser, a heavily modified version of the Firefox browser with many privacy-enhancing features, will include more code written in the Rust programming language.

Tor Project developers have first proposed featuring more Rust code in 2014, but the proposal never got anywhere.

Rust, which is a programming language developed by Mozilla, is a safer version of C++ that makes it more difficult for developers to accidentally introduce memory corruption errors in their code.

Firefox already includes Rust code

Mozilla started shipping its first Rust-based components in Firefox in the summer of 2016, and the programming language is expected to take a dominant role in Firefox development, eventually replacing most of its ancient C and C++ code.

Since Firefox versions featuring more and more Rust code started coming out of Mozilla's HQ, it was only a matter of time since the Tor Project had to address the issue.

In a meeting held last week in Amsterdam, Tor developers got together and decided what would happen to the Tor Browser in the future.

Tor Project choose Rust

The decision was to slowly start using Rust to replace the C++ code they used on top of the Firefox codebase.

"We didn't fight about Rust or Go or modern C++. Instead, we focused on identifying goals for migrating Tor to a memory-safe language, and how to get there," said Sebastian Hahn, Tor developer. "With that frame of reference, Rust emerged as a extremely strong candidate for the incremental improvement style that we considered necessary."

As Tor developers get acquainted and learn to use Rust, the percentage of Rust code in the Tor Browser will also grow. Other plans include:

Define conventions for the API boundary between Rust and C
Add a non-trivial Rust API and deploy with a flag to optionally use (to test support with a safe fallback)
Learn from similar projects
Add automated tooling for Rust, such as linting and testing

Mozilla decision to go Rust for Firefox was crucial

"Part of our interest in using safer languages like [Rust] in Tor is [because] a tiny mistake in C could have real consequences for real people," said Tor developer Isis Agora Lovecruft on Twitter, regarding the Project's decision to choose Rust.

"A tipping point in our conversation around 'which safe language' is the Tor Browser team needs Rust because more & more Firefox is in Rust," she added. "Also the barrier to entry for contributing to large OSS projects written in C is insanely high."

Go, which is also another memory-safe language, was briefly considered as an alternative during the meeting. A modern version of the C++ programming language, C++11, was also discussed.

Final session notes will be published next week on a Tor Project wiki page, here. Preliminary session notes are available on the Tor Project mailing list, here.

Related Articles:

Mozilla Has Started Gradually Enabling TLS 1.3 in Firefox

Firefox 64 To Add a Report Abuse Option When Removing Extensions

Exploit Affecting Tor Browser Burned In A Tweet

Firefox to Recommend Extensions Related to Sites You Visit

Mozilla Firefox Will Soon Block All Trackers by Default