tor-webwml.git

torbutton/en/design/index.html.en    1) <?xml version="1.0" encoding="UTF-8"?>
torbutton/en/design/index.html.en    2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

torbutton/en/design/index.html.en    3) <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Torbutton Design Documentation</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="Torbutton Design Documentation"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>Torbutton Design Documentation</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry.fscked/org">mikeperry.fscked/org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Apr 10 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2666923">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt><dt><span class="sect2"><a href="#requirements">1.2. Torbutton Requirements</a></span></dt><dt><span class="sect2"><a href="#layout">1.3. Extension Layout</a></span></dt></dl></dd><dt><span class="sect1"><a href="#components">2. Components</a></span></dt><dd><dl><dt><span class="sect2"><a href="#hookedxpcom">2.1. Hooked Components</a></span></dt><dt><span class="sect2"><a href="#id2690319">2.2. New Components</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2681735">3. Chrome</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2702019">3.1. XUL Windows and Overlays</a></span></dt><dt><span class="sect2"><a href="#id2694797">3.2. Major Chrome Observers</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2696524">4. Toggle Code Path</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2699452">4.1. Button Click</a></span></dt><dt><span class="sect2"><a href="#id2697978">4.2. Proxy Update</a></span></dt><dt><span class="sect2"><a href="#id2697015">4.3. Settings Update</a></span></dt><dt><span class="sect2"><a href="#preferences">4.4. Firefox preferences touched during Toggle</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2702702">5. Description of Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2704948">5.1. Proxy Settings</a></span></dt><dt><span class="sect2"><a href="#id2686645">5.2. Dynamic Content Settings</a></span></dt><dt><span class="sect2"><a href="#id2705261">5.3. History and Forms Settings</a></span></dt><dt><span class="sect2"><a href="#id2705577">5.4. Cache Settings</a></span></dt><dt><span class="sect2"><a href="#id2705686">5.5. Cookie and Auth Settings</a></span></dt><dt><span class="sect2"><a href="#id2705999">5.6. Startup Settings</a></span></dt><dt><span class="sect2"><a href="#id2706113">5.7. Shutdown Settings</a></span></dt><dt><span class="sect2"><a href="#id2706173">5.8. Header Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="#FirefoxBugs">6. Relevant Firefox Bugs</a></span></dt><dd><dl><dt><span class="sect2"><a href="#TorBrowserBugs">6.1. Tor Browser Bugs</a></span></dt><dt><span class="sect2"><a href="#ToggleModelBugs">6.2. Toggle Model Bugs</a></span></dt></dl></dd><dt><span class="sect1"><a href="#TestPlan">7. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">7.1. Single state testing</a></span></dt><dt><span class="sect2"><a href="#id2707624">7.2. Multi-state testing</a></span></dt><dt><span class="sect2"><a href="#HackTorbutton">7.3. Active testing (aka How to Hack Torbutton)</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2666923"></a>1. Introduction</h2></div></div></div><p>

torbutton/en/design/index.html.en    4) 
torbutton/en/design/index.html.en    5) This document describes the goals, operation, and testing procedures of the

torbutton/en/design/index.html.en    6) Torbutton Firefox extension. It is current as of Torbutton 1.3.2.

torbutton/en/design/index.html.en    7) 
torbutton/en/design/index.html.en    8)   </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p>
torbutton/en/design/index.html.en    9) 
torbutton/en/design/index.html.en   10) A Tor web browser adversary has a number of goals, capabilities, and attack
torbutton/en/design/index.html.en   11) types that can be used to guide us towards a set of requirements for the
torbutton/en/design/index.html.en   12) Torbutton extension. Let's start with the goals.
torbutton/en/design/index.html.en   13) 
torbutton/en/design/index.html.en   14)    </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of 
torbutton/en/design/index.html.en   15) Tor, causing the user to directly connect to an IP of the adversary's
torbutton/en/design/index.html.en   16) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
torbutton/en/design/index.html.en   17) happily settle for the ability to correlate something a user did via Tor with
torbutton/en/design/index.html.en   18) their non-Tor activity. This can be done with cookies, cache identifiers,
torbutton/en/design/index.html.en   19) javascript events, and even CSS. Sometimes the fact that a user uses Tor may
torbutton/en/design/index.html.en   20) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
torbutton/en/design/index.html.en   21) The adversary may also be interested in history disclosure: the ability to
torbutton/en/design/index.html.en   22) query a user's history to see if they have issued certain censored search
torbutton/en/design/index.html.en   23) queries, or visited censored sites.
torbutton/en/design/index.html.en   24)      </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>
torbutton/en/design/index.html.en   25) 
torbutton/en/design/index.html.en   26) Location information such as timezone and locality can be useful for the
torbutton/en/design/index.html.en   27) adversary to determine if a user is in fact originating from one of the
torbutton/en/design/index.html.en   28) regions they are attempting to control, or to zero-in on the geographical
torbutton/en/design/index.html.en   29) location of a particular dissident or whistleblower.
torbutton/en/design/index.html.en   30) 
torbutton/en/design/index.html.en   31)      </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p>
torbutton/en/design/index.html.en   32) 
torbutton/en/design/index.html.en   33) Anonymity set reduction is also useful in attempting to zero in on a
torbutton/en/design/index.html.en   34) particular individual. If the dissident or whistleblower is using a rare build
torbutton/en/design/index.html.en   35) of Firefox for an obscure operating system, this can be very useful
torbutton/en/design/index.html.en   36) information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>.
torbutton/en/design/index.html.en   37) 
torbutton/en/design/index.html.en   38)      </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
torbutton/en/design/index.html.en   39) information</strong></span><p>
torbutton/en/design/index.html.en   40) In some cases, the adversary may opt for a heavy-handed approach, such as
torbutton/en/design/index.html.en   41) seizing the computers of all Tor users in an area (especially after narrowing
torbutton/en/design/index.html.en   42) the field by the above two pieces of information). History records and cache
torbutton/en/design/index.html.en   43) data are the primary goals here.
torbutton/en/design/index.html.en   44)      </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p>
torbutton/en/design/index.html.en   45) The adversary can position themselves at a number of different locations in
torbutton/en/design/index.html.en   46) order to execute their attacks.
torbutton/en/design/index.html.en   47)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
torbutton/en/design/index.html.en   48) The adversary can run exit nodes, or alternatively, they may control routers
torbutton/en/design/index.html.en   49) upstream of exit nodes. Both of these scenarios have been observed in the
torbutton/en/design/index.html.en   50) wild.
torbutton/en/design/index.html.en   51)      </p></li><li class="listitem"><span class="command"><strong>Adservers and/or Malicious Websites</strong></span><p>
torbutton/en/design/index.html.en   52) The adversary can also run websites, or more likely, they can contract out
torbutton/en/design/index.html.en   53) ad space from a number of different adservers and inject content that way. For
torbutton/en/design/index.html.en   54) some users, the adversary may be the adservers themselves. It is not
torbutton/en/design/index.html.en   55) inconceivable that adservers may try to subvert or reduce a user's anonymity 
torbutton/en/design/index.html.en   56) through Tor for marketing purposes.
torbutton/en/design/index.html.en   57)      </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
torbutton/en/design/index.html.en   58) The adversary can also inject malicious content at the user's upstream router
torbutton/en/design/index.html.en   59) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
torbutton/en/design/index.html.en   60) activity.
torbutton/en/design/index.html.en   61)      </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
torbutton/en/design/index.html.en   62) Some users face adversaries with intermittent or constant physical access.
torbutton/en/design/index.html.en   63) Users in Internet cafes, for example, face such a threat. In addition, in
torbutton/en/design/index.html.en   64) countries where simply using tools like Tor is illegal, users may face
torbutton/en/design/index.html.en   65) confiscation of their computer equipment for excessive Tor usage or just
torbutton/en/design/index.html.en   66) general suspicion.
torbutton/en/design/index.html.en   67)      </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p>
torbutton/en/design/index.html.en   68) 
torbutton/en/design/index.html.en   69) The adversary can perform the following attacks from a number of different 
torbutton/en/design/index.html.en   70) positions to accomplish various aspects of their goals. It should be noted
torbutton/en/design/index.html.en   71) that many of these attacks (especially those involving IP address leakage) are
torbutton/en/design/index.html.en   72) often performed by accident by websites that simply have Javascript, dynamic 
torbutton/en/design/index.html.en   73) CSS elements, and plugins. Others are performed by adservers seeking to
torbutton/en/design/index.html.en   74) correlate users' activity across different IP addresses, and still others are
torbutton/en/design/index.html.en   75) performed by malicious agents on the Tor network and at national firewalls.
torbutton/en/design/index.html.en   76) 
torbutton/en/design/index.html.en   77)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
torbutton/en/design/index.html.en   78) If not properly disabled, Javascript event handlers and timers
torbutton/en/design/index.html.en   79) can cause the browser to perform network activity after Tor has been disabled,
torbutton/en/design/index.html.en   80) thus allowing the adversary to correlate Tor and Non-Tor activity and reveal
torbutton/en/design/index.html.en   81) a user's non-Tor IP address. Javascript
torbutton/en/design/index.html.en   82) also allows the adversary to execute <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure attacks</a>:
torbutton/en/design/index.html.en   83) to query the history via the different attributes of 'visited' links to search

torbutton/en/design/index.html.en   84) for particular Google queries, sites, or even to <a class="ulink" href="http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/" target="_top">profile

torbutton/en/design/index.html.en   85) users based on gender and other classifications</a>. Finally,
torbutton/en/design/index.html.en   86) Javascript can be used to query the user's timezone via the
torbutton/en/design/index.html.en   87) <code class="function">Date()</code> object, and to reduce the anonymity set by querying
torbutton/en/design/index.html.en   88) the <code class="function">navigator</code> object for operating system, CPU, locale, 
torbutton/en/design/index.html.en   89) and user agent information.
torbutton/en/design/index.html.en   90)      </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
torbutton/en/design/index.html.en   91) 
torbutton/en/design/index.html.en   92) Plugins are abysmal at obeying the proxy settings of the browser. Every plugin
torbutton/en/design/index.html.en   93) capable of performing network activity that the author has
torbutton/en/design/index.html.en   94) investigated is also capable of performing network activity independent of
torbutton/en/design/index.html.en   95) browser proxy settings - and often independent of its own proxy settings.
torbutton/en/design/index.html.en   96) Sites that have plugin content don't even have to be malicious to obtain a
torbutton/en/design/index.html.en   97) user's
torbutton/en/design/index.html.en   98) Non-Tor IP (it usually leaks by itself), though <a class="ulink" href="http://decloak.net" target="_top">plenty of active
torbutton/en/design/index.html.en   99) exploits</a> are possible as well. In addition, plugins can be used to store unique identifiers that are more
torbutton/en/design/index.html.en  100) difficult to clear than standard cookies. 
torbutton/en/design/index.html.en  101) <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
torbutton/en/design/index.html.en  102) cookies</a> fall into this category, but there are likely numerous other
torbutton/en/design/index.html.en  103) examples.
torbutton/en/design/index.html.en  104) 
torbutton/en/design/index.html.en  105)      </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
torbutton/en/design/index.html.en  106) 
torbutton/en/design/index.html.en  107) CSS can also be used to correlate Tor and Non-Tor activity and reveal a user's
torbutton/en/design/index.html.en  108) Non-Tor IP address, via the usage of
torbutton/en/design/index.html.en  109) <a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">CSS
torbutton/en/design/index.html.en  110) popups</a> - essentially CSS-based event handlers that fetch content via
torbutton/en/design/index.html.en  111) CSS's onmouseover attribute. If these popups are allowed to perform network
torbutton/en/design/index.html.en  112) activity in a different Tor state than they were loaded in, they can easily
torbutton/en/design/index.html.en  113) correlate Tor and Non-Tor activity and reveal a user's IP address. In
torbutton/en/design/index.html.en  114) addition, CSS can also be used without Javascript to perform <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only history disclosure
torbutton/en/design/index.html.en  115) attacks</a>.
torbutton/en/design/index.html.en  116)      </p></li><li class="listitem"><span class="command"><strong>Read and insert cookies</strong></span><p>
torbutton/en/design/index.html.en  117) 
torbutton/en/design/index.html.en  118) An adversary in a position to perform MITM content alteration can inject
torbutton/en/design/index.html.en  119) document content elements to both read and inject cookies for
torbutton/en/design/index.html.en  120) arbitrary domains. In fact, many "SSL secured" websites are vulnerable to this
torbutton/en/design/index.html.en  121) sort of <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
torbutton/en/design/index.html.en  122) sidejacking</a>.
torbutton/en/design/index.html.en  123) 
torbutton/en/design/index.html.en  124)      </p></li><li class="listitem"><span class="command"><strong>Create arbitrary cached content</strong></span><p>
torbutton/en/design/index.html.en  125) 
torbutton/en/design/index.html.en  126) Likewise, the browser cache can also be used to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
torbutton/en/design/index.html.en  127) identifiers</a>. Since by default the cache has no same-origin policy,
torbutton/en/design/index.html.en  128) these identifiers can be read by any domain, making them an ideal target for
torbutton/en/design/index.html.en  129) adserver-class adversaries.
torbutton/en/design/index.html.en  130) 
torbutton/en/design/index.html.en  131)      </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
torbutton/en/design/index.html.en  132) attributes</strong></span><p>
torbutton/en/design/index.html.en  133) 
torbutton/en/design/index.html.en  134) There is an absurd amount of information available to websites via attributes
torbutton/en/design/index.html.en  135) of the browser. This information can be used to reduce anonymity set, or even
torbutton/en/design/index.html.en  136) <a class="ulink" href="http://mandark.fr/0x000000/articles/Total_Recall_On_Firefox..html" target="_top">uniquely
torbutton/en/design/index.html.en  137) fingerprint individual users</a>. </p><p>
torbutton/en/design/index.html.en  138) For illustration, let's perform a
torbutton/en/design/index.html.en  139) back-of-the-envelope calculation on the number of anonymity sets for just the
torbutton/en/design/index.html.en  140) resolution information available in the <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window" target="_top">window</a> and
torbutton/en/design/index.html.en  141) <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.screen" target="_top">window.screen</a>

torbutton/en/design/index.html.en  142) objects.
torbutton/en/design/index.html.en  143) 
torbutton/en/design/index.html.en  144) 
torbutton/en/design/index.html.en  145) 
torbutton/en/design/index.html.en  146) Browser window resolution information provides something like

torbutton/en/design/index.html.en  147) (1280-640)*(1024-480)=348160 different anonymity sets. Desktop resolution
torbutton/en/design/index.html.en  148) information contributes about another factor of 5 (for about 5 resolutions in
torbutton/en/design/index.html.en  149) typical use). In addition, the dimensions and position of the desktop taskbar
torbutton/en/design/index.html.en  150) are available, which can reveal hints on OS information. This boosts the count
torbutton/en/design/index.html.en  151) by a factor of 5 (for each of the major desktop taskbars - Windows, OSX, KDE
torbutton/en/design/index.html.en  152) and Gnome, and None). Subtracting the browser content window
torbutton/en/design/index.html.en  153) size from the browser outer window size provide yet more information.
torbutton/en/design/index.html.en  154) Firefox toolbar presence gives about a factor of 8 (3 toolbars on/off give

torbutton/en/design/index.html.en  155) 2<sup>3</sup>=8). Interface effects such as title bar font size

torbutton/en/design/index.html.en  156) and window manager settings gives a factor of about 9 (say 3 common font sizes

torbutton/en/design/index.html.en  157) for the title bar and 3 common sizes for browser GUI element fonts).

torbutton/en/design/index.html.en  158) Multiply this all out, and you have (1280-640)*(1024-480)*5*5*8*9 ~=
torbutton/en/design/index.html.en  159) 2<sup>29</sup>, or a 29 bit identifier based on resolution
torbutton/en/design/index.html.en  160) information alone. </p><p>
torbutton/en/design/index.html.en  161) 

torbutton/en/design/index.html.en  162) Of course, this space is non-uniform in user density and prone to incremental
torbutton/en/design/index.html.en  163) changes. The <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">Panopticlick study
torbutton/en/design/index.html.en  164) done</a> by the EFF attempts to measure the actual entropy - the number of
torbutton/en/design/index.html.en  165) identifying bits of information encoded in browser properties.  Their result
torbutton/en/design/index.html.en  166) data is definitely useful, and the metric is probably the appropriate one for
torbutton/en/design/index.html.en  167) determining how identifying a particular browser property is. However, some
torbutton/en/design/index.html.en  168) quirks of their study means that they do not extract as much information as
torbutton/en/design/index.html.en  169) they could from display information: they only use desktop resolution (which
torbutton/en/design/index.html.en  170) Torbutton reports as the window resolution) and do not attempt to infer the
torbutton/en/design/index.html.en  171) size of toolbars.

torbutton/en/design/index.html.en  172) 
torbutton/en/design/index.html.en  173) </p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
torbutton/en/design/index.html.en  174) OS</strong></span><p>
torbutton/en/design/index.html.en  175) Last, but definitely not least, the adversary can exploit either general 
torbutton/en/design/index.html.en  176) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
torbutton/en/design/index.html.en  177) install malware and surveillance software. An adversary with physical access
torbutton/en/design/index.html.en  178) can perform similar actions. Regrettably, this last attack capability is
torbutton/en/design/index.html.en  179) outside of Torbutton's ability to defend against, but it is worth mentioning
torbutton/en/design/index.html.en  180) for completeness.
torbutton/en/design/index.html.en  181)      </p></li></ol></div></div></div><div class="sect2" title="1.2. Torbutton Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="requirements"></a>1.2. Torbutton Requirements</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>
torbutton/en/design/index.html.en  182) 
torbutton/en/design/index.html.en  183) Since many settings satisfy multiple requirements, this design document is
torbutton/en/design/index.html.en  184) organized primarily by Torbutton components and settings. However, if you are
torbutton/en/design/index.html.en  185) the type that would rather read the document from the requirements
torbutton/en/design/index.html.en  186) perspective, it is in fact possible to search for each of the following
torbutton/en/design/index.html.en  187) requirement phrases in the text to find the relevant features that help meet
torbutton/en/design/index.html.en  188) that requirement.
torbutton/en/design/index.html.en  189) 
torbutton/en/design/index.html.en  190) </div><p>
torbutton/en/design/index.html.en  191) 
torbutton/en/design/index.html.en  192) From the above Adversary Model, a number of requirements become clear. 
torbutton/en/design/index.html.en  193) 
torbutton/en/design/index.html.en  194)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="proxy"></a><span class="command"><strong>Proxy Obedience</strong></span><p>The browser

torbutton/en/design/index.html.en  195) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a id="state"></a><span class="command"><strong>State Separation</strong></span><p>Browser state (cookies, cache, history, 'DOM storage'), accumulated in

torbutton/en/design/index.html.en  196)  one Tor state MUST NOT be accessible via the network in

torbutton/en/design/index.html.en  197)  another Tor state.</p></li><li class="listitem"><a id="isolation"></a><span class="command"><strong>Network Isolation</strong></span><p>Pages MUST NOT perform any network activity in a Tor state different

torbutton/en/design/index.html.en  198)  from the state they were originally loaded in.</p><p>Note that this requirement is
torbutton/en/design/index.html.en  199) being de-emphasized due to the coming shift to supporting only the Tor Browser
torbutton/en/design/index.html.en  200) Bundles, which do not support a Toggle operation.</p></li><li class="listitem"><a id="undiscoverability"></a><span class="command"><strong>Tor Undiscoverability</strong></span><p>With

torbutton/en/design/index.html.en  201) the advent of bridge support in Tor 0.2.0.x, there are now a class of Tor
torbutton/en/design/index.html.en  202) users whose network fingerprint does not obviously betray the fact that they
torbutton/en/design/index.html.en  203) are using Tor. This should extend to the browser as well - Torbutton MUST NOT 

torbutton/en/design/index.html.en  204) reveal its presence while Tor is disabled.
torbutton/en/design/index.html.en  205) </p><p>Note that this requirement is
torbutton/en/design/index.html.en  206) being de-emphasized due to the coming shift to supporting only the Tor Browser
torbutton/en/design/index.html.en  207) Bundles, which do not support a Toggle operation.</p></li><li class="listitem"><a id="disk"></a><span class="command"><strong>Disk Avoidance</strong></span><p>The browser SHOULD NOT write any Tor-related state to disk, or store it

torbutton/en/design/index.html.en  208)  in memory beyond the duration of one Tor toggle.</p></li><li class="listitem"><a id="location"></a><span class="command"><strong>Location Neutrality</strong></span><p>The browser SHOULD NOT leak location-specific information, such as
torbutton/en/design/index.html.en  209)  timezone or locale via Tor.</p></li><li class="listitem"><a id="setpreservation"></a><span class="command"><strong>Anonymity Set

torbutton/en/design/index.html.en  210) Preservation</strong></span><p>The browser SHOULD NOT leak any other anonymity
torbutton/en/design/index.html.en  211) set reducing or fingerprinting information

torbutton/en/design/index.html.en  212)  (such as user agent, extension presence, and resolution information)
torbutton/en/design/index.html.en  213) automatically via Tor. The assessment of the attacks above should make it clear
torbutton/en/design/index.html.en  214) that anonymity set reduction is a very powerful method of tracking and
torbutton/en/design/index.html.en  215) eventually identifying anonymous users.
torbutton/en/design/index.html.en  216) </p></li><li class="listitem"><a id="updates"></a><span class="command"><strong>Update Safety</strong></span><p>The browser
torbutton/en/design/index.html.en  217) SHOULD NOT perform unauthenticated updates or upgrades via Tor.</p></li><li class="listitem"><a id="interoperate"></a><span class="command"><strong>Interoperability</strong></span><p>Torbutton SHOULD interoperate with third-party proxy switchers that
torbutton/en/design/index.html.en  218)  enable the user to switch between a number of different proxies. It MUST
torbutton/en/design/index.html.en  219)  provide full Tor protection in the event a third-party proxy switcher has
torbutton/en/design/index.html.en  220)  enabled the Tor proxy settings.</p></li></ol></div></div><div class="sect2" title="1.3. Extension Layout"><div class="titlepage"><div><div><h3 class="title"><a id="layout"></a>1.3. Extension Layout</h3></div></div></div><p>Firefox extensions consist of two main categories of code: 'Components' and
torbutton/en/design/index.html.en  221) 'Chrome'. Components are a fancy name for classes that implement a given
torbutton/en/design/index.html.en  222) interface or interfaces. In Firefox, components <a class="ulink" href="https://developer.mozilla.org/en/XPCOM" target="_top">can be
torbutton/en/design/index.html.en  223) written</a> in C++,
torbutton/en/design/index.html.en  224) Javascript, or a mixture of both. Components have two identifiers: their
torbutton/en/design/index.html.en  225) '<a class="ulink" href="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005005" target="_top">Contract
torbutton/en/design/index.html.en  226) ID</a>' (a human readable path-like string), and their '<a class="ulink" href="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005329" target="_top">Class
torbutton/en/design/index.html.en  227) ID</a>' (a GUID hex-string). In addition, the interfaces they implement each have a hex
torbutton/en/design/index.html.en  228) 'Interface ID'. It is possible to 'hook' system components - to reimplement
torbutton/en/design/index.html.en  229) their interface members with your own wrappers - but only if the rest of the
torbutton/en/design/index.html.en  230) browser refers to the component by its Contract ID. If the browser refers to
torbutton/en/design/index.html.en  231) the component by Class ID, it bypasses your hooks in that use case.
torbutton/en/design/index.html.en  232) Technically, it may be possible to hook Class IDs by unregistering the
torbutton/en/design/index.html.en  233) original component, and then re-registering your own, but this relies on
torbutton/en/design/index.html.en  234) obsolete and deprecated interfaces and has proved to be less than
torbutton/en/design/index.html.en  235) stable.</p><p>'Chrome' is a combination of XML and Javascript used to describe a window.
torbutton/en/design/index.html.en  236) Extensions are allowed to create 'overlays' that are 'bound' to existing XML
torbutton/en/design/index.html.en  237) window definitions, or they can create their own windows. The DTD for this XML

torbutton/en/design/index.html.en  238) is called <a class="ulink" href="http://developer.mozilla.org/en/docs/XUL_Reference" target="_top">XUL</a>.</p></div></div><div class="sect1" title="2. Components"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="components"></a>2. Components</h2></div></div></div><p>

torbutton/en/design/index.html.en  239) 
torbutton/en/design/index.html.en  240) Torbutton installs components for two purposes: hooking existing components to
torbutton/en/design/index.html.en  241) reimplement their interfaces; and creating new components that provide
torbutton/en/design/index.html.en  242) services to other pieces of the extension.
torbutton/en/design/index.html.en  243) 

torbutton/en/design/index.html.en  244)   </p><div class="sect2" title="2.1. Hooked Components"><div class="titlepage"><div><div><h3 class="title"><a id="hookedxpcom"></a>2.1. Hooked Components</h3></div></div></div><p>Torbutton makes extensive use of Contract ID hooking, and implements some

torbutton/en/design/index.html.en  245) of its own standalone components as well.  Let's discuss the hooked components

torbutton/en/design/index.html.en  246) first.</p><div class="sect3" title="@mozilla.org/uriloader/external-protocol-service;1 , @mozilla.org/uriloader/external-helper-app-service;1, and @mozilla.org/mime;1 - components/external-app-blocker.js"><div class="titlepage"><div><div><h4 class="title"><a id="appblocker"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-protocol-service%3B1" target="_top">@mozilla.org/uriloader/external-protocol-service;1

torbutton/en/design/index.html.en  247) </a>, <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-helper-app-service%3B1" target="_top">@mozilla.org/uriloader/external-helper-app-service;1</a>,
torbutton/en/design/index.html.en  248) and <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/mime%3B1" target="_top">@mozilla.org/mime;1</a>

torbutton/en/design/index.html.en  249) - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">components/external-app-blocker.js</a></h4></div></div></div><p>

torbutton/en/design/index.html.en  250) Due to <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">440892</a> allowing Firefox 3.x to automatically launch some
torbutton/en/design/index.html.en  251) applications without user intervention, Torbutton had to wrap the three
torbutton/en/design/index.html.en  252) components involved in launching external applications to provide user
torbutton/en/design/index.html.en  253) confirmation before doing so while Tor is enabled. Since external applications
torbutton/en/design/index.html.en  254) do not obey proxy settings, they can be manipulated to automatically connect
torbutton/en/design/index.html.en  255) back to arbitrary servers outside of Tor with no user intervention. Fixing
torbutton/en/design/index.html.en  256) this issue helps to satisfy Torbutton's <a class="link" href="#proxy">Proxy
torbutton/en/design/index.html.en  257) Obedience</a> Requirement.

torbutton/en/design/index.html.en  258)  </p></div><div class="sect3" title="@mozilla.org/browser/global-history;2 - components/ignore-history.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2696239"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2" target="_top">@mozilla.org/browser/global-history;2</a>

torbutton/en/design/index.html.en  259) - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/ignore-history.js" target="_top">components/ignore-history.js</a></h4></div></div></div><p>This component was contributed by <a class="ulink" href="http://www.collinjackson.com/" target="_top">Collin Jackson</a> as a method for defeating

torbutton/en/design/index.html.en  260) CSS and Javascript-based methods of history disclosure. The global-history
torbutton/en/design/index.html.en  261) component is what is used by Firefox to determine if a link was visited or not
torbutton/en/design/index.html.en  262) (to apply the appropriate style to the link). By hooking the <a class="ulink" href="https://developer.mozilla.org/en/nsIGlobalHistory2#isVisited.28.29" target="_top">isVisited</a>
torbutton/en/design/index.html.en  263) and <a class="ulink" href="https://developer.mozilla.org/en/nsIGlobalHistory2#addURI.28.29" target="_top">addURI</a>
torbutton/en/design/index.html.en  264) methods, Torbutton is able to selectively prevent history items from being
torbutton/en/design/index.html.en  265) added or being displayed as visited, depending on the Tor state and the user's
torbutton/en/design/index.html.en  266) preferences.
torbutton/en/design/index.html.en  267) </p><p>
torbutton/en/design/index.html.en  268) This component helps satisfy the <a class="link" href="#state">State Separation</a>

torbutton/en/design/index.html.en  269) and <a class="link" href="#disk">Disk Avoidance</a> requirements of Torbutton. It
torbutton/en/design/index.html.en  270) is only needed for Firefox 3.x. On Firefox 4, we omit this component in favor
torbutton/en/design/index.html.en  271) of the <a class="ulink" href="https://developer.mozilla.org/en/CSS/Privacy_and_the_%3avisited_selector" target="_top">built-in
torbutton/en/design/index.html.en  272) history protections</a>.

torbutton/en/design/index.html.en  273) </p></div><div class="sect3" title="@mozilla.org/browser/livemark-service;2 - components/block-livemarks.js"><div class="titlepage"><div><div><h4 class="title"><a id="livemarks"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2" target="_top">@mozilla.org/browser/livemark-service;2</a>

torbutton/en/design/index.html.en  274) - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/block-livemarks.js" target="_top">components/block-livemarks.js</a></h4></div></div></div><p>

torbutton/en/design/index.html.en  275) 
torbutton/en/design/index.html.en  276) The <a class="ulink" href="http://www.mozilla.com/en-US/firefox/livebookmarks.html" target="_top">livemark</a> service
torbutton/en/design/index.html.en  277) is started by a timer that runs 5 seconds after Firefox
torbutton/en/design/index.html.en  278) startup. As a result, we cannot simply call the stopUpdateLivemarks() method to
torbutton/en/design/index.html.en  279) disable it. We must wrap the component to prevent this start() call from
torbutton/en/design/index.html.en  280) firing in the event the browser starts in Tor mode.
torbutton/en/design/index.html.en  281) 
torbutton/en/design/index.html.en  282) </p><p>
torbutton/en/design/index.html.en  283) This component helps satisfy the <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en  284) Isolation</a> and <a class="link" href="#setpreservation">Anonymity Set
torbutton/en/design/index.html.en  285) Preservation</a> requirements.

torbutton/en/design/index.html.en  286) </p></div></div><div class="sect2" title="2.2. New Components"><div class="titlepage"><div><div><h3 class="title"><a id="id2690319"></a>2.2. New Components</h3></div></div></div><p>Torbutton creates four new components that are used throughout the

torbutton/en/design/index.html.en  287) extension. These components do not hook any interfaces, nor are they used

torbutton/en/design/index.html.en  288) anywhere besides Torbutton itself.</p><div class="sect3" title="@torproject.org/cookie-jar-selector;2 - components/cookie-jar-selector.js"><div class="titlepage"><div><div><h4 class="title"><a id="cookiejar"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2

torbutton/en/design/index.html.en  289) - components/cookie-jar-selector.js</a></h4></div></div></div><p>The cookie jar selector (also based on code from <a class="ulink" href="http://www.collinjackson.com/" target="_top">Collin
torbutton/en/design/index.html.en  290) Jackson</a>) is used by the Torbutton chrome to switch between

torbutton/en/design/index.html.en  291) Tor and Non-Tor cookies. It stores an XML representation of the current
torbutton/en/design/index.html.en  292) cookie state in memory and/or on disk. When Tor is toggled, it syncs the
torbutton/en/design/index.html.en  293) current cookies to this XML store, and then loads the cookies for the other
torbutton/en/design/index.html.en  294) state from the XML store.
torbutton/en/design/index.html.en  295) </p><p>

torbutton/en/design/index.html.en  296) This component helps to address the <a class="link" href="#state">State
torbutton/en/design/index.html.en  297) Isolation</a> requirement of Torbutton.

torbutton/en/design/index.html.en  298) </p></div><div class="sect3" title="@torproject.org/torbutton-logger;1 - components/torbutton-logger.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2683534"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/torbutton-logger.js" target="_top">@torproject.org/torbutton-logger;1

torbutton/en/design/index.html.en  299) - components/torbutton-logger.js</a></h4></div></div></div><p>The torbutton logger component allows on-the-fly redirection of torbutton
torbutton/en/design/index.html.en  300) logging messages to either Firefox stderr
torbutton/en/design/index.html.en  301) (<span class="command"><strong>extensions.torbutton.logmethod=0</strong></span>), the Javascript error console
torbutton/en/design/index.html.en  302) (<span class="command"><strong>extensions.torbutton.logmethod=1</strong></span>), or the DebugLogger extension (if
torbutton/en/design/index.html.en  303) available - <span class="command"><strong>extensions.torbutton.logmethod=2</strong></span>). It also allows you to
torbutton/en/design/index.html.en  304) change the loglevel on the fly by changing
torbutton/en/design/index.html.en  305) <span class="command"><strong>extensions.torbutton.loglevel</strong></span> (1-5, 1 is most verbose).

torbutton/en/design/index.html.en  306) </p></div><div class="sect3" title="@torproject.org/content-window-mapper;1 - components/window-mapper.js"><div class="titlepage"><div><div><h4 class="title"><a id="windowmapper"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/window-mapper.js" target="_top">@torproject.org/content-window-mapper;1

torbutton/en/design/index.html.en  307) - components/window-mapper.js</a></h4></div></div></div><p>Torbutton tags Firefox <a class="ulink" href="https://developer.mozilla.org/en/XUL_Tutorial/Tabboxes" target="_top">tabs</a> with a special variable that indicates the Tor
torbutton/en/design/index.html.en  308) state the tab was most recently used under to fetch a page. The problem is
torbutton/en/design/index.html.en  309) that for many Firefox events, it is not possible to determine the tab that is
torbutton/en/design/index.html.en  310) actually receiving the event. The Torbutton window mapper allows the Torbutton
torbutton/en/design/index.html.en  311) chrome and other components to look up a <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser" target="_top">browser
torbutton/en/design/index.html.en  312) tab</a> for a given <a class="ulink" href="https://developer.mozilla.org/en/nsIDOMWindow" target="_top">HTML content
torbutton/en/design/index.html.en  313) window</a>. It does this by traversing all windows and all browsers, until it
torbutton/en/design/index.html.en  314) finds the browser with the requested <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser#p-contentWindow" target="_top">contentWindow</a> element. Since the content policy
torbutton/en/design/index.html.en  315) and page loading in general can generate hundreds of these lookups, this
torbutton/en/design/index.html.en  316) result is cached inside the component.

torbutton/en/design/index.html.en  317) </p></div><div class="sect3" title="@torproject.org/crash-observer;1"><div class="titlepage"><div><div><h4 class="title"><a id="crashobserver"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/crash-observer.js" target="_top">@torproject.org/crash-observer;1</a></h4></div></div></div><p>
torbutton/en/design/index.html.en  318) 
torbutton/en/design/index.html.en  319) This component detects when Firefox crashes by altering Firefox prefs during
torbutton/en/design/index.html.en  320) runtime and checking for the same values at startup. It <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIPrefService#savePrefFile()" target="_top">synchronizes
torbutton/en/design/index.html.en  321) the preference service</a> to ensure the altered prefs are written to disk
torbutton/en/design/index.html.en  322) immediately.
torbutton/en/design/index.html.en  323) 
torbutton/en/design/index.html.en  324)   </p></div><div class="sect3" title="@torproject.org/torbutton-ss-blocker;1"><div class="titlepage"><div><div><h4 class="title"><a id="tbsessionstore"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/tbSessionStore.js" target="_top">@torproject.org/torbutton-ss-blocker;1</a></h4></div></div></div><p>
torbutton/en/design/index.html.en  325) 
torbutton/en/design/index.html.en  326) This component subscribes to the Firefox <a class="ulink" href="https://developer.mozilla.org/en/Observer_Notifications#Session_Store" target="_top">sessionstore-state-write</a>
torbutton/en/design/index.html.en  327) observer event to filter out URLs from tabs loaded during Tor, to prevent them
torbutton/en/design/index.html.en  328) from being written to disk. To do this, it checks the
torbutton/en/design/index.html.en  329) <span class="command"><strong>__tb_tor_fetched</strong></span> tag of tab objects before writing them out. If
torbutton/en/design/index.html.en  330) the tag is from a blocked Tor state, the tab is not written to disk.  This is
torbutton/en/design/index.html.en  331) a rather expensive operation that involves potentially very large JSON
torbutton/en/design/index.html.en  332) evaluations and object tree traversals, but it preferable to replacing the
torbutton/en/design/index.html.en  333) Firefox session store with our own implementation, which is what was done in
torbutton/en/design/index.html.en  334) years past.
torbutton/en/design/index.html.en  335) 
torbutton/en/design/index.html.en  336)   </p></div><div class="sect3" title="@torproject.org/torRefSpoofer;1"><div class="titlepage"><div><div><h4 class="title"><a id="refspoofer"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/torRefSpoofer.js" target="_top">@torproject.org/torRefSpoofer;1</a></h4></div></div></div><p>

torbutton/en/design/index.html.en  337) This component handles optional referer spoofing for Torbutton. It implements a

torbutton/en/design/index.html.en  338) form of "smart" referer spoofing using <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers" target="_top">http-on-modify-request</a>

torbutton/en/design/index.html.en  339) to modify the Referer header. The code sends the default browser referer

torbutton/en/design/index.html.en  340) header only if the destination domain is a suffix of the source, or if the
torbutton/en/design/index.html.en  341) source is a suffix of the destination. Otherwise, it sends no referer. This
torbutton/en/design/index.html.en  342) strange suffix logic is used as a heuristic: some rare sites on the web block
torbutton/en/design/index.html.en  343) requests without proper referer headers, and this logic is an attempt to cater
torbutton/en/design/index.html.en  344) to them. Unfortunately, it may not be enough. For example, google.fr will not
torbutton/en/design/index.html.en  345) send a referer to google.com using this logic. Hence, it is off by default.
torbutton/en/design/index.html.en  346)  </p></div><div class="sect3" title="@torproject.org/cssblocker;1 - components/cssblocker.js"><div class="titlepage"><div><div><h4 class="title"><a id="contentpolicy"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1

torbutton/en/design/index.html.en  347) - components/cssblocker.js</a></h4></div></div></div><p>This is a key component to Torbutton's security measures. When Tor is
torbutton/en/design/index.html.en  348) toggled, Javascript is disabled, and pages are instructed to stop loading.
torbutton/en/design/index.html.en  349) However, CSS is still able to perform network operations by loading styles for
torbutton/en/design/index.html.en  350) onmouseover events and other operations. In addition, favicons can still be
torbutton/en/design/index.html.en  351) loaded by the browser. The cssblocker component prevents this by implementing
torbutton/en/design/index.html.en  352) and registering an <a class="ulink" href="https://developer.mozilla.org/en/nsIContentPolicy" target="_top">nsIContentPolicy</a>.
torbutton/en/design/index.html.en  353) When an nsIContentPolicy is registered, Firefox checks every attempted network
torbutton/en/design/index.html.en  354) request against its <a class="ulink" href="https://developer.mozilla.org/en/nsIContentPolicy#shouldLoad()" target="_top">shouldLoad</a>
torbutton/en/design/index.html.en  355) member function to determine if the load should proceed. In Torbutton's case,
torbutton/en/design/index.html.en  356) the content policy looks up the appropriate browser tab using the <a class="link" href="#windowmapper" title="@torproject.org/content-window-mapper;1 - components/window-mapper.js">window mapper</a>,
torbutton/en/design/index.html.en  357) and checks that tab's load tag against the current Tor state. If the tab was
torbutton/en/design/index.html.en  358) loaded in a different state than the current state, the fetch is denied.
torbutton/en/design/index.html.en  359) Otherwise, it is allowed.</p> This helps to achieve the <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en  360) Isolation</a> requirements of Torbutton.
torbutton/en/design/index.html.en  361) 
torbutton/en/design/index.html.en  362) <p>In addition, the content policy also blocks website javascript from

torbutton/en/design/index.html.en  363) <a class="ulink" href="http://webdevwonders.com/detecting-firefox-add-ons/" target="_top">querying for

torbutton/en/design/index.html.en  364) versions and existence of extension chrome</a> while Tor is enabled, and
torbutton/en/design/index.html.en  365) also masks the presence of Torbutton to website javascript while Tor is
torbutton/en/design/index.html.en  366) disabled. </p><p>
torbutton/en/design/index.html.en  367) 
torbutton/en/design/index.html.en  368) Finally, some of the work that logically belongs to the content policy is
torbutton/en/design/index.html.en  369) instead handled by the <span class="command"><strong>torbutton_http_observer</strong></span> and

torbutton/en/design/index.html.en  370) <span class="command"><strong>torbutton_weblistener</strong></span> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>. These two objects handle blocking of

torbutton/en/design/index.html.en  371) Firefox 3 favicon loads, popups, and full page plugins, which for whatever
torbutton/en/design/index.html.en  372) reason are not passed to the Firefox content policy itself (see Firefox Bugs 
torbutton/en/design/index.html.en  373) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">437014</a> and 
torbutton/en/design/index.html.en  374) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">401296</a>).
torbutton/en/design/index.html.en  375) 
torbutton/en/design/index.html.en  376) </p><p>
torbutton/en/design/index.html.en  377) 
torbutton/en/design/index.html.en  378) This helps to fulfill both the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> and the <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirements of

torbutton/en/design/index.html.en  379) Torbutton.</p></div></div></div><div class="sect1" title="3. Chrome"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2681735"></a>3. Chrome</h2></div></div></div><p>The chrome is where all the torbutton graphical elements and windows are
torbutton/en/design/index.html.en  380) located. </p><div class="sect2" title="3.1. XUL Windows and Overlays"><div class="titlepage"><div><div><h3 class="title"><a id="id2702019"></a>3.1. XUL Windows and Overlays</h3></div></div></div><p>

torbutton/en/design/index.html.en  381) Each window is described as an <a class="ulink" href="http://developer.mozilla.org/en/docs/XUL_Reference" target="_top">XML file</a>, with zero or more Javascript

torbutton/en/design/index.html.en  382) files attached. The scope of these Javascript files is their containing

torbutton/en/design/index.html.en  383) window. XUL files that add new elements and script to existing Firefox windows
torbutton/en/design/index.html.en  384) are called overlays.</p><div class="sect3" title="Browser Overlay - torbutton.xul"><div class="titlepage"><div><div><h4 class="title"><a id="browseroverlay"></a>Browser Overlay - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.xul" target="_top">torbutton.xul</a></h4></div></div></div><p>The browser overlay, torbutton.xul, defines the toolbar button, the status
torbutton/en/design/index.html.en  385) bar, and events for toggling the button. The overlay code is in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">chrome/content/torbutton.js</a>.

torbutton/en/design/index.html.en  386) It contains event handlers for preference update, shutdown, upgrade, and

torbutton/en/design/index.html.en  387) location change events.</p></div><div class="sect3" title="Preferences Window - preferences.xul"><div class="titlepage"><div><div><h4 class="title"><a id="id2704559"></a>Preferences Window - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.xul" target="_top">preferences.xul</a></h4></div></div></div><p>The preferences window of course lays out the Torbutton preferences, with
torbutton/en/design/index.html.en  388) handlers located in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.js" target="_top">chrome/content/preferences.js</a>.</p></div><div class="sect3" title="Other Windows"><div class="titlepage"><div><div><h4 class="title"><a id="id2669673"></a>Other Windows</h4></div></div></div><p>There are additional windows that describe popups for right clicking on
torbutton/en/design/index.html.en  389) the status bar, the toolbutton, and the about page.</p></div></div><div class="sect2" title="3.2. Major Chrome Observers"><div class="titlepage"><div><div><h3 class="title"><a id="id2694797"></a>3.2. Major Chrome Observers</h3></div></div></div><p>

torbutton/en/design/index.html.en  390) In addition to the <a class="link" href="#components" title="2. Components">components described
torbutton/en/design/index.html.en  391) above</a>, Torbutton also instantiates several observers in the browser
torbutton/en/design/index.html.en  392) overlay window. These mostly grew due to scoping convenience, and many should
torbutton/en/design/index.html.en  393) probably be relocated into their own components.
torbutton/en/design/index.html.en  394)  </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>torbutton_window_pref_observer</strong></span><p>
torbutton/en/design/index.html.en  395) This is an observer that listens for Torbutton state changes, for the purposes
torbutton/en/design/index.html.en  396) of updating the Torbutton button graphic as the Tor state changes.
torbutton/en/design/index.html.en  397)     </p></li><li class="listitem"><span class="command"><strong>torbutton_unique_pref_observer</strong></span><p>
torbutton/en/design/index.html.en  398) 
torbutton/en/design/index.html.en  399) This is an observer that only runs in one window, called the main window. It
torbutton/en/design/index.html.en  400) listens for changes to all of the Torbutton preferences, as well as Torbutton
torbutton/en/design/index.html.en  401) controlled Firefox preferences. It is what carries out the toggle path when
torbutton/en/design/index.html.en  402) the proxy settings change. When the main window is closed, the
torbutton/en/design/index.html.en  403) torbutton_close_window event handler runs to dub a new window the "main
torbutton/en/design/index.html.en  404) window".
torbutton/en/design/index.html.en  405) 
torbutton/en/design/index.html.en  406)     </p></li><li class="listitem"><span class="command"><strong>tbHistoryListener</strong></span><p>
torbutton/en/design/index.html.en  407) The tbHistoryListener exists to prevent client window Javascript from
torbutton/en/design/index.html.en  408) interacting with window.history to forcibly navigate a user to a tab session
torbutton/en/design/index.html.en  409) history entry from a different Tor state. It also expunges the window.history
torbutton/en/design/index.html.en  410) entries during toggle. This listener helps Torbutton
torbutton/en/design/index.html.en  411) satisfy the <a class="link" href="#isolation">Network Isolation</a> requirement as
torbutton/en/design/index.html.en  412) well as the <a class="link" href="#state">State Separation</a> requirement.
torbutton/en/design/index.html.en  413) 
torbutton/en/design/index.html.en  414)     </p></li><li class="listitem"><span class="command"><strong>torbutton_http_observer</strong></span><p>
torbutton/en/design/index.html.en  415) 
torbutton/en/design/index.html.en  416) The torbutton_http_observer performs some of the work that logically belongs
torbutton/en/design/index.html.en  417) to the content policy. This handles blocking of
torbutton/en/design/index.html.en  418) Firefox 3 favicon loads, which for whatever
torbutton/en/design/index.html.en  419) reason are not passed to the Firefox content policy itself (see Firefox Bugs
torbutton/en/design/index.html.en  420) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">437014</a> and
torbutton/en/design/index.html.en  421) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">401296</a>).
torbutton/en/design/index.html.en  422) 
torbutton/en/design/index.html.en  423)     </p><p>
torbutton/en/design/index.html.en  424) The observer is also responsible for redirecting users to alternate
torbutton/en/design/index.html.en  425) search engines when Google presents them with a Captcha, as well as copying
torbutton/en/design/index.html.en  426) Google Captcha-related cookies between international Google domains.
torbutton/en/design/index.html.en  427)     </p></li><li class="listitem"><span class="command"><strong>torbutton_proxyservice</strong></span><p>
torbutton/en/design/index.html.en  428) The Torbutton proxy service handles redirecting Torbutton-related update
torbutton/en/design/index.html.en  429) checks on addons.mozilla.org through Tor. This is done to help satisfy the
torbutton/en/design/index.html.en  430) <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
torbutton/en/design/index.html.en  431)     </p></li><li class="listitem"><span class="command"><strong>torbutton_weblistener</strong></span><p>The <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener#onLocationChange" target="_top">location

torbutton/en/design/index.html.en  432) change</a> <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgress" target="_top">webprogress
torbutton/en/design/index.html.en  433) listener</a>, <span class="command"><strong>torbutton_weblistener</strong></span> is one of the most
torbutton/en/design/index.html.en  434) important parts of the chrome from a security standpoint. It is a <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener" target="_top">webprogress
torbutton/en/design/index.html.en  435) listener</a> that handles receiving an event every time a page load or
torbutton/en/design/index.html.en  436) iframe load occurs. This class eventually calls down to
torbutton/en/design/index.html.en  437) <code class="function">torbutton_update_tags()</code> and
torbutton/en/design/index.html.en  438) <code class="function">torbutton_hookdoc()</code>, which apply the browser Tor load
torbutton/en/design/index.html.en  439) state tags, plugin permissions, and install the Javascript hooks to hook the
torbutton/en/design/index.html.en  440) <a class="ulink" href="https://developer.mozilla.org/en/DOM/window.screen" target="_top">window.screen</a>
torbutton/en/design/index.html.en  441) object to obfuscate browser and desktop resolution information.
torbutton/en/design/index.html.en  442) 

torbutton/en/design/index.html.en  443) </p></li></ol></div></div></div><div class="sect1" title="4. Toggle Code Path"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2696524"></a>4. Toggle Code Path</h2></div></div></div><p>

torbutton/en/design/index.html.en  444) 
torbutton/en/design/index.html.en  445) The act of toggling is connected to <code class="function">torbutton_toggle()</code>
torbutton/en/design/index.html.en  446) via the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.xul" target="_top">torbutton.xul</a>
torbutton/en/design/index.html.en  447) and <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/popup.xul" target="_top">popup.xul</a>
torbutton/en/design/index.html.en  448) overlay files. Most of the work in the toggling process is present in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a> 
torbutton/en/design/index.html.en  449) 

torbutton/en/design/index.html.en  450) </p><p>

torbutton/en/design/index.html.en  451) 
torbutton/en/design/index.html.en  452) Toggling is a 3 stage process: Button Click, Proxy Update, and
torbutton/en/design/index.html.en  453) Settings Update. These stages are reflected in the prefs
torbutton/en/design/index.html.en  454) <span class="command"><strong>extensions.torbutton.tor_enabled</strong></span>,
torbutton/en/design/index.html.en  455) <span class="command"><strong>extensions.torbutton.proxies_applied</strong></span>, and
torbutton/en/design/index.html.en  456) <span class="command"><strong>extensions.torbutton.settings_applied</strong></span>. The reason for the
torbutton/en/design/index.html.en  457) three stage preference update is to ensure immediate enforcement of <a class="link" href="#isolation">Network Isolation</a> via the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>. Since the content window
torbutton/en/design/index.html.en  458) javascript runs on a different thread than the chrome javascript, it is
torbutton/en/design/index.html.en  459) important to properly convey the stages to the content policy to avoid race
torbutton/en/design/index.html.en  460) conditions and leakage, especially with <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug 
torbutton/en/design/index.html.en  461) 409737</a> unfixed. The content policy does not allow any network activity
torbutton/en/design/index.html.en  462) whatsoever during this three stage transition.
torbutton/en/design/index.html.en  463) 

torbutton/en/design/index.html.en  464)  </p><div class="sect2" title="4.1. Button Click"><div class="titlepage"><div><div><h3 class="title"><a id="id2699452"></a>4.1. Button Click</h3></div></div></div><p>

torbutton/en/design/index.html.en  465) 
torbutton/en/design/index.html.en  466) This is the first step in the toggling process. When the user clicks the
torbutton/en/design/index.html.en  467) toggle button or the toolbar, <code class="function">torbutton_toggle()</code> is
torbutton/en/design/index.html.en  468) called. This function checks the current Tor status by comparing the current
torbutton/en/design/index.html.en  469) proxy settings to the selected Tor settings, and then sets the proxy settings
torbutton/en/design/index.html.en  470) to the opposite state, and sets the pref
torbutton/en/design/index.html.en  471) <span class="command"><strong>extensions.torbutton.tor_enabled</strong></span> to reflect the new state.
torbutton/en/design/index.html.en  472) It is this proxy pref update that gives notification via the <a class="ulink" href="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29" target="_top">pref
torbutton/en/design/index.html.en  473) observer</a>
torbutton/en/design/index.html.en  474) <span class="command"><strong>torbutton_unique_pref_observer</strong></span> to perform the rest of the
torbutton/en/design/index.html.en  475) toggle.
torbutton/en/design/index.html.en  476) 

torbutton/en/design/index.html.en  477)   </p></div><div class="sect2" title="4.2. Proxy Update"><div class="titlepage"><div><div><h3 class="title"><a id="id2697978"></a>4.2. Proxy Update</h3></div></div></div><p>

torbutton/en/design/index.html.en  478) 
torbutton/en/design/index.html.en  479) When Torbutton receives any proxy change notifications via its
torbutton/en/design/index.html.en  480) <span class="command"><strong>torbutton_unique_pref_observer</strong></span>, it calls
torbutton/en/design/index.html.en  481) <code class="function">torbutton_set_status()</code> which checks against the Tor
torbutton/en/design/index.html.en  482) settings to see if the Tor proxy settings match the current settings. If so,
torbutton/en/design/index.html.en  483) it calls <code class="function">torbutton_update_status()</code>, which determines if
torbutton/en/design/index.html.en  484) the Tor state has actually changed, and sets
torbutton/en/design/index.html.en  485) <span class="command"><strong>extensions.torbutton.proxies_applied</strong></span> to the appropriate Tor
torbutton/en/design/index.html.en  486) state value, and ensures that
torbutton/en/design/index.html.en  487) <span class="command"><strong>extensions.torbutton.tor_enabled</strong></span> is also set to the correct
torbutton/en/design/index.html.en  488) value. This is decoupled from the button click functionality via the pref
torbutton/en/design/index.html.en  489) observer so that other addons (such as SwitchProxy) can switch the proxy
torbutton/en/design/index.html.en  490) settings between multiple proxies.
torbutton/en/design/index.html.en  491) 

torbutton/en/design/index.html.en  492)   </p></div><div class="sect2" title="4.3. Settings Update"><div class="titlepage"><div><div><h3 class="title"><a id="id2697015"></a>4.3. Settings Update</h3></div></div></div><p>

torbutton/en/design/index.html.en  493) 
torbutton/en/design/index.html.en  494) The next stage is also handled by
torbutton/en/design/index.html.en  495) <code class="function">torbutton_update_status()</code>. This function sets scores of
torbutton/en/design/index.html.en  496) Firefox preferences, saving the original values to prefs under
torbutton/en/design/index.html.en  497) <span class="command"><strong>extensions.torbutton.saved.*</strong></span>, and performs the <a class="link" href="#cookiejar" title="@torproject.org/cookie-jar-selector;2 - components/cookie-jar-selector.js">cookie jarring</a>, state clearing (such as window.name
torbutton/en/design/index.html.en  498) and DOM storage), and <a class="link" href="#preferences" title="4.4. Firefox preferences touched during Toggle">preference
torbutton/en/design/index.html.en  499) toggling</a>. At the
torbutton/en/design/index.html.en  500) end of its work, it sets
torbutton/en/design/index.html.en  501) <span class="command"><strong>extensions.torbutton.settings_applied</strong></span>, which signifies the
torbutton/en/design/index.html.en  502) completion of the toggle operation to the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>.
torbutton/en/design/index.html.en  503) 
torbutton/en/design/index.html.en  504)   </p></div><div class="sect2" title="4.4. Firefox preferences touched during Toggle"><div class="titlepage"><div><div><h3 class="title"><a id="preferences"></a>4.4. Firefox preferences touched during Toggle</h3></div></div></div><p>
torbutton/en/design/index.html.en  505) There are also a number of Firefox preferences set in

torbutton/en/design/index.html.en  506) <code class="function">torbutton_update_status()</code> that aren't governed by any
torbutton/en/design/index.html.en  507) Torbutton setting. These are:
torbutton/en/design/index.html.en  508) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Network.security.ports.banned" target="_top">network.security.ports.banned</a><p>
torbutton/en/design/index.html.en  509) Torbutton sets this setting to add ports 8123, 8118, 9050 and 9051 (which it
torbutton/en/design/index.html.en  510) reads from <span class="command"><strong>extensions.torbutton.banned_ports</strong></span>) to the list
torbutton/en/design/index.html.en  511) of ports Firefox is forbidden to access. These ports are Polipo, Privoxy, Tor,
torbutton/en/design/index.html.en  512) and the Tor control port, respectively. This is set for both Tor and Non-Tor
torbutton/en/design/index.html.en  513) usage, and prevents websites from attempting to do http fetches from these
torbutton/en/design/index.html.en  514) ports to see if they are open, which addresses the <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
torbutton/en/design/index.html.en  515)  </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.send_pings" target="_top">browser.send_pings</a><p>
torbutton/en/design/index.html.en  516) This setting is currently always disabled. If anyone ever complains saying
torbutton/en/design/index.html.en  517) that they *want* their browser to be able to send ping notifications to a
torbutton/en/design/index.html.en  518) page or arbitrary link, I'll make this a pref or Tor-only. But I'm not holding
torbutton/en/design/index.html.en  519) my breath. I haven't checked if the content policy is called for pings, but if
torbutton/en/design/index.html.en  520) not, this setting helps with meeting the <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en  521) Isolation</a> requirement.
torbutton/en/design/index.html.en  522)  </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.safebrowsing.remoteLookups" target="_top">browser.safebrowsing.remoteLookups</a><p>
torbutton/en/design/index.html.en  523) Likewise for this setting. I find it hard to imagine anyone who wants to ask
torbutton/en/design/index.html.en  524) Google in real time if each URL they visit is safe, especially when the list
torbutton/en/design/index.html.en  525) of unsafe URLs is downloaded anyway. This helps fulfill the <a class="link" href="#disk">Disk Avoidance</a> requirement, by preventing your entire
torbutton/en/design/index.html.en  526) browsing history from ending up on Google's disks.
torbutton/en/design/index.html.en  527)  </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.safebrowsing.enabled" target="_top">browser.safebrowsing.enabled</a><p>
torbutton/en/design/index.html.en  528) Safebrowsing does <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=360387" target="_top">unauthenticated
torbutton/en/design/index.html.en  529) updates under Firefox 2</a>, so it is disabled during Tor usage. 
torbutton/en/design/index.html.en  530) This helps fulfill the <a class="link" href="#updates">Update
torbutton/en/design/index.html.en  531) Safety</a> requirement. Firefox 3 has the fix for that bug, and so
torbutton/en/design/index.html.en  532) safebrowsing updates are enabled during Tor usage.
torbutton/en/design/index.html.en  533)  </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Network.protocol-handler.warn-external.%28protocol%29" target="_top">network.protocol-handler.warn-external.(protocol)</a><p>
torbutton/en/design/index.html.en  534) If Tor is enabled, we need to prevent random external applications from
torbutton/en/design/index.html.en  535) launching without at least warning the user. This group of settings only
torbutton/en/design/index.html.en  536) partially accomplishes this, however. Applications can still be launched via
torbutton/en/design/index.html.en  537) plugins. The mechanisms for handling this are described under the "Disable
torbutton/en/design/index.html.en  538) Plugins During Tor Usage" preference. This helps fulfill the <a class="link" href="#proxy">Proxy Obedience</a> requirement, by preventing external
torbutton/en/design/index.html.en  539) applications from accessing network resources at the command of Tor-fetched
torbutton/en/design/index.html.en  540) pages. Unfortunately, due to <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a>
torbutton/en/design/index.html.en  541) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">440892</a>,
torbutton/en/design/index.html.en  542) these prefs are no longer obeyed. They are set still anyway out of respect for
torbutton/en/design/index.html.en  543) the dead.
torbutton/en/design/index.html.en  544)  </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.sessionstore.max_tabs_undo" target="_top">browser.sessionstore.max_tabs_undo</a><p>
torbutton/en/design/index.html.en  545) 
torbutton/en/design/index.html.en  546) To help satisfy the Torbutton <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en  547) and <a class="link" href="#isolation">Network Isolation</a> requirements,
torbutton/en/design/index.html.en  548) Torbutton needs to purge the Undo Tab history on toggle to prevent repeat
torbutton/en/design/index.html.en  549) "Undo Close" operations from accidentally restoring tabs from a different Tor
torbutton/en/design/index.html.en  550) State. This purge is accomplished by setting this preference to 0 and then
torbutton/en/design/index.html.en  551) restoring it to the previous user value upon toggle.
torbutton/en/design/index.html.en  552) 

torbutton/en/design/index.html.en  553)    </p></li><li class="listitem"><span class="command"><strong>security.enable_ssl2</strong></span> or <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/interfaces/nsIDOMCrypto" target="_top">nsIDOMCrypto::logout()</a><p>

torbutton/en/design/index.html.en  554) TLS Session IDs can persist for an indefinite duration, providing an
torbutton/en/design/index.html.en  555) identifier that is sent to TLS sites that can be used to link activity. This
torbutton/en/design/index.html.en  556) is particularly troublesome now that we have certificate verification in place
torbutton/en/design/index.html.en  557) in Firefox 3: The OCSP server can use this Session ID to build a history of
torbutton/en/design/index.html.en  558) TLS sites someone visits, and also correlate their activity as users move from
torbutton/en/design/index.html.en  559) network to network (such as home to work to coffee shop, etc), inside and

torbutton/en/design/index.html.en  560) outside of Tor. To handle this and to help satisfy our <a class="link" href="#state">State Separation Requirement</a>, we call the logout()
torbutton/en/design/index.html.en  561) function of nsIDOMCrypto. Since this may be absent, or may fail, we fall back
torbutton/en/design/index.html.en  562) to toggling

torbutton/en/design/index.html.en  563) <span class="command"><strong>security.enable_ssl2</strong></span>, which clears the SSL Session ID

torbutton/en/design/index.html.en  564) cache via the pref observer at <a class="ulink" href="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp" target="_top">nsNSSComponent.cpp</a>.
torbutton/en/design/index.html.en  565)    </p></li><li class="listitem"><span class="command"><strong>security.OCSP.enabled</strong></span><p>
torbutton/en/design/index.html.en  566) Similarly, we toggle <span class="command"><strong>security.OCSP.enabled</strong></span>, which clears the OCSP certificate
torbutton/en/design/index.html.en  567) validation cache via the pref observer at <a class="ulink" href="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp" target="_top">nsNSSComponent.cpp</a>.
torbutton/en/design/index.html.en  568) In this way, exit nodes will not be able to fingerprint you
torbutton/en/design/index.html.en  569) based the fact that non-Tor OCSP lookups were obviously previously cached.
torbutton/en/design/index.html.en  570) To handle this and to help satisfy our <a class="link" href="#state">State Separation Requirement</a>,
torbutton/en/design/index.html.en  571)    </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Updating_extensions#Disabling_update_checks_for_individual_add-ons_-_Advanced_users" target="_top">extensions.e0204bd5-9d31-402b-a99d-a6aa8ffebdca.getAddons.cache.enabled</a></strong></span><p>
torbutton/en/design/index.html.en  572) We permanently disable addon usage statistic reporting to the
torbutton/en/design/index.html.en  573) addons.mozilla.org statistics engine. These statistics send version
torbutton/en/design/index.html.en  574) information about Torbutton users via non-Tor, allowing their Tor use to be
torbutton/en/design/index.html.en  575) uncovered. Disabling this reporting helps Torbutton to satisfy its <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
torbutton/en/design/index.html.en  576) 
torbutton/en/design/index.html.en  577)   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://www.mozilla.com/en-US/firefox/geolocation/" target="_top">geo.enabled</a></strong></span><p>

torbutton/en/design/index.html.en  578) 
torbutton/en/design/index.html.en  579) Torbutton disables Geolocation support in Firefox 3.5 and above whenever tor
torbutton/en/design/index.html.en  580) is enabled. This helps Torbutton maintain its
torbutton/en/design/index.html.en  581) <a class="link" href="#location">Location Neutrality</a> requirement.
torbutton/en/design/index.html.en  582) While Firefox does prompt before divulging geolocational information,
torbutton/en/design/index.html.en  583) the assumption is that Tor users will never want to give their
torbutton/en/design/index.html.en  584) location away during Tor usage, and even allowing websites to prompt
torbutton/en/design/index.html.en  585) them to do so will only cause confusion and accidents to happen. Moreover,
torbutton/en/design/index.html.en  586) just because users may approve a site to know their location in non-Tor mode
torbutton/en/design/index.html.en  587) does not mean they want it divulged during Tor mode.
torbutton/en/design/index.html.en  588) 
torbutton/en/design/index.html.en  589)    </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Browser.zoom.siteSpecific" target="_top">browser.zoom.siteSpecific</a></strong></span><p>
torbutton/en/design/index.html.en  590) 
torbutton/en/design/index.html.en  591) Firefox actually remembers your zoom settings for certain sites. CSS
torbutton/en/design/index.html.en  592) and Javascript rule can use this to recognize previous visitors to a site.
torbutton/en/design/index.html.en  593) This helps Torbutton fulfill its <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en  594) requirement.
torbutton/en/design/index.html.en  595) 
torbutton/en/design/index.html.en  596)    </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="https://developer.mozilla.org/en/controlling_dns_prefetching" target="_top">network.dns.disablePrefetch</a></strong></span><p>
torbutton/en/design/index.html.en  597) 
torbutton/en/design/index.html.en  598) Firefox 3.5 and above implement prefetching of DNS resolution for hostnames in
torbutton/en/design/index.html.en  599) links on a page to decrease page load latency. While Firefox does typically
torbutton/en/design/index.html.en  600) disable this behavior when proxies are enabled, we set this pref for added
torbutton/en/design/index.html.en  601) safety during Tor usage. Additionally, to prevent Tor-loaded tabs from having
torbutton/en/design/index.html.en  602) their links prefetched after a toggle to Non-Tor mode occurs,
torbutton/en/design/index.html.en  603) we also set the docShell attribute
torbutton/en/design/index.html.en  604) <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell" target="_top">
torbutton/en/design/index.html.en  605) allowDNSPrefetch</a> to false on Tor loaded tabs. This happens in the same
torbutton/en/design/index.html.en  606) positions in the code as those for disabling plugins via the allowPlugins
torbutton/en/design/index.html.en  607) docShell attribute. This helps Torbutton fulfill its <a class="link" href="#isolation">Network Isolation</a> requirement.
torbutton/en/design/index.html.en  608) 
torbutton/en/design/index.html.en  609)    </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Browser.cache.offline.enable" target="_top">browser.cache.offline.enable</a></strong></span><p>
torbutton/en/design/index.html.en  610) 
torbutton/en/design/index.html.en  611) Firefox has the ability to store web applications in a special cache to allow
torbutton/en/design/index.html.en  612) them to continue to operate while the user is offline. Since this subsystem
torbutton/en/design/index.html.en  613) is actually different than the normal disk cache, it must be dealt with
torbutton/en/design/index.html.en  614) separately. Thus, Torbutton sets this preference to false whenever Tor is
torbutton/en/design/index.html.en  615) enabled. This helps Torbutton fulfill its <a class="link" href="#disk">Disk
torbutton/en/design/index.html.en  616) Avoidance</a> and <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en  617) requirements.
torbutton/en/design/index.html.en  618) 

torbutton/en/design/index.html.en  619)    </p></li></ol></div></div></div><div class="sect1" title="5. Description of Options"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2702702"></a>5. Description of Options</h2></div></div></div><p>This section provides a detailed description of Torbutton's options. Each

torbutton/en/design/index.html.en  620) option is presented as the string from the preferences window, a summary, the
torbutton/en/design/index.html.en  621) preferences it touches, and the effect this has on the components, chrome, and

torbutton/en/design/index.html.en  622) browser properties.</p><div class="sect2" title="5.1. Proxy Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2704948"></a>5.1. Proxy Settings</h3></div></div></div><div class="sect3" title="Test Settings"><div class="titlepage"><div><div><h4 class="title"><a id="id2683681"></a>Test Settings</h4></div></div></div><p>

torbutton/en/design/index.html.en  623) This button under the Proxy Settings tab provides a way to verify that the 
torbutton/en/design/index.html.en  624) proxy settings are correct, and actually do route through the Tor network. It
torbutton/en/design/index.html.en  625) performs this check by issuing an <a class="ulink" href="http://developer.mozilla.org/en/docs/XMLHttpRequest" target="_top">XMLHTTPRequest</a>
torbutton/en/design/index.html.en  626) for <a class="ulink" href="https://check.torproject.org/?TorButton=True" target="_top">https://check.torproject.org/?Torbutton=True</a>.
torbutton/en/design/index.html.en  627) This is a special page that returns very simple, yet well-formed XHTML that
torbutton/en/design/index.html.en  628) Torbutton can easily inspect for a hidden link with an id of
torbutton/en/design/index.html.en  629) <span class="command"><strong>TorCheckResult</strong></span> and a target of <span class="command"><strong>success</strong></span>
torbutton/en/design/index.html.en  630) or <span class="command"><strong>failure</strong></span> to indicate if the
torbutton/en/design/index.html.en  631) user hit the page from a Tor IP, a non-Tor IP. This check is handled in

torbutton/en/design/index.html.en  632) <code class="function">torbutton_test_settings()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>.
torbutton/en/design/index.html.en  633) Presenting the results to the user is handled by the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.xul" target="_top">preferences

torbutton/en/design/index.html.en  634) window</a>

torbutton/en/design/index.html.en  635) callback <code class="function">torbutton_prefs_test_settings()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.js" target="_top">preferences.js</a>.  

torbutton/en/design/index.html.en  636) 

torbutton/en/design/index.html.en  637)   </p></div></div><div class="sect2" title="5.2. Dynamic Content Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2686645"></a>5.2. Dynamic Content Settings</h3></div></div></div><div class="sect3" title="Disable plugins on Tor Usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="plugins"></a>Disable plugins on Tor Usage (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_tor_plugins</strong></span></p><p>Java and plugins <a class="ulink" href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/class-use/NetworkInterface.html" target="_top">can query</a> the <a class="ulink" href="http://www.rgagnon.com/javadetails/java-0095.html" target="_top">local IP

torbutton/en/design/index.html.en  638) address</a> and report it back to the
torbutton/en/design/index.html.en  639) remote site. They can also <a class="ulink" href="http://decloak.net" target="_top">bypass proxy settings</a> and directly connect to a
torbutton/en/design/index.html.en  640) remote site without Tor. Every browser plugin we have tested with Firefox has
torbutton/en/design/index.html.en  641) some form of network capability, and every one ignores proxy settings or worse - only
torbutton/en/design/index.html.en  642) partially obeys them. This includes but is not limited to:
torbutton/en/design/index.html.en  643) QuickTime, Windows Media Player, RealPlayer, mplayerplug-in, AcroRead, and
torbutton/en/design/index.html.en  644) Flash. 
torbutton/en/design/index.html.en  645) 
torbutton/en/design/index.html.en  646)  </p><p>
torbutton/en/design/index.html.en  647) Enabling this preference causes the above mentioned Torbutton chrome web progress
torbutton/en/design/index.html.en  648)  listener <span class="command"><strong>torbutton_weblistener</strong></span> to disable Java via <span class="command"><strong>security.enable_java</strong></span> and to disable
torbutton/en/design/index.html.en  649)  plugins via the browser <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell" target="_top">docShell</a>
torbutton/en/design/index.html.en  650)  attribute <span class="command"><strong>allowPlugins</strong></span>. These flags are set every time a new window is
torbutton/en/design/index.html.en  651)  created (<code class="function">torbutton_tag_new_browser()</code>), every time a web
torbutton/en/design/index.html.en  652) load
torbutton/en/design/index.html.en  653) event occurs
torbutton/en/design/index.html.en  654)  (<code class="function">torbutton_update_tags()</code>), and every time the tor state is changed
torbutton/en/design/index.html.en  655)  (<code class="function">torbutton_update_status()</code>). As a backup measure, plugins are also

torbutton/en/design/index.html.en  656)  prevented from loading by the content policy in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1</a> if Tor is

torbutton/en/design/index.html.en  657)  enabled and this option is set.
torbutton/en/design/index.html.en  658)  </p><p>All of this turns out to be insufficient if the user directly clicks
torbutton/en/design/index.html.en  659) on a plugin-handled mime-type. <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">In this case</a>,
torbutton/en/design/index.html.en  660) the browser decides that maybe it should ignore all these other settings and
torbutton/en/design/index.html.en  661) load the plugin anyways, because maybe the user really did want to load it
torbutton/en/design/index.html.en  662) (never mind this same load-style could happen automatically  with meta-refresh
torbutton/en/design/index.html.en  663) or any number of other ways..). To handle these cases, Torbutton stores a list
torbutton/en/design/index.html.en  664) of plugin-handled mime-types, and sets the pref
torbutton/en/design/index.html.en  665) <span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to this list.
torbutton/en/design/index.html.en  666) Additionally, (since nothing can be assumed when relying on Firefox
torbutton/en/design/index.html.en  667) preferences and internals) if it detects a load of one of them from the web
torbutton/en/design/index.html.en  668) progress listener, it cancels the request, tells the associated DOMWindow to
torbutton/en/design/index.html.en  669) stop loading, clears the document, AND throws an exception. Anything short of
torbutton/en/design/index.html.en  670) all this and the plugin managed to find some way to load.
torbutton/en/design/index.html.en  671)  </p><p>
torbutton/en/design/index.html.en  672)  All this could be avoided, of course, if Firefox would either <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">obey
torbutton/en/design/index.html.en  673)  allowPlugins</a> for directly visited URLs, or notify its content policy for such
torbutton/en/design/index.html.en  674)  loads either <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=309524" target="_top">via</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380556" target="_top">shouldProcess</a> or shouldLoad. The fact that it does not is
torbutton/en/design/index.html.en  675)  not very encouraging.
torbutton/en/design/index.html.en  676)  </p><p>
torbutton/en/design/index.html.en  677) 
torbutton/en/design/index.html.en  678) Since most plugins completely ignore browser proxy settings, the actions
torbutton/en/design/index.html.en  679) performed by this setting are crucial to satisfying the <a class="link" href="#proxy">Proxy Obedience</a> requirement.
torbutton/en/design/index.html.en  680) 

torbutton/en/design/index.html.en  681)  </p></div><div class="sect3" title="Isolate Dynamic Content to Tor State (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2688604"></a>Isolate Dynamic Content to Tor State (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.isolate_content</strong></span></p><p>Enabling this preference is what enables the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1</a> content policy

torbutton/en/design/index.html.en  682) mentioned above, and causes it to block content load attempts in pages an
torbutton/en/design/index.html.en  683) opposite Tor state from the current state. Freshly loaded <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser" target="_top">browser
torbutton/en/design/index.html.en  684) tabs</a> are tagged
torbutton/en/design/index.html.en  685) with a <span class="command"><strong>__tb_load_state</strong></span> member in
torbutton/en/design/index.html.en  686) <code class="function">torbutton_update_tags()</code> and this
torbutton/en/design/index.html.en  687) value is compared against the current tor state in the content policy.</p><p>It also kills all Javascript in each page loaded under that state by
torbutton/en/design/index.html.en  688) toggling the <span class="command"><strong>allowJavascript</strong></span> <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell" target="_top">docShell</a> property, and issues a
torbutton/en/design/index.html.en  689) <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIWebNavigation#stop()" target="_top">webNavigation.stop(webNavigation.STOP_ALL)</a> to each browser tab (the
torbutton/en/design/index.html.en  690) equivalent of hitting the STOP button).</p><p>
torbutton/en/design/index.html.en  691) 
torbutton/en/design/index.html.en  692) Unfortunately, <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox bug
torbutton/en/design/index.html.en  693) 409737</a> prevents <span class="command"><strong>docShell.allowJavascript</strong></span> from killing
torbutton/en/design/index.html.en  694) all event handlers, and event handlers registered with <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:element.addEventListener" target="_top">addEventListener()</a>
torbutton/en/design/index.html.en  695) are still able to execute. The <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">Torbutton Content
torbutton/en/design/index.html.en  696) Policy</a> should prevent such code from performing network activity within
torbutton/en/design/index.html.en  697) the current tab, but activity that happens via a popup window or via a
torbutton/en/design/index.html.en  698) Javascript redirect can still slip by. For this reason, Torbutton blocks
torbutton/en/design/index.html.en  699) popups by checking for a valid <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.opener" target="_top">window.opener</a>
torbutton/en/design/index.html.en  700) attribute in <code class="function">torbutton_check_progress()</code>. If the window
torbutton/en/design/index.html.en  701) has an opener from a different Tor state, its load is blocked. The content
torbutton/en/design/index.html.en  702) policy also takes similar action to prevent Javascript redirects. This also
torbutton/en/design/index.html.en  703) has the side effect/feature of preventing the user from following any links
torbutton/en/design/index.html.en  704) from a page loaded in an opposite Tor state.
torbutton/en/design/index.html.en  705) 
torbutton/en/design/index.html.en  706) </p><p>
torbutton/en/design/index.html.en  707) This setting is responsible for satisfying the <a class="link" href="#isolation">Network Isolation</a> requirement.

torbutton/en/design/index.html.en  708) </p></div><div class="sect3" title="Hook Dangerous Javascript"><div class="titlepage"><div><div><h4 class="title"><a id="jshooks"></a>Hook Dangerous Javascript</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.kill_bad_js</strong></span></p><p>This setting enables injection of the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/jshooks.js" target="_top">Javascript

torbutton/en/design/index.html.en  709) hooking code</a>. This is done in the chrome in
torbutton/en/design/index.html.en  710) <code class="function">torbutton_hookdoc()</code>, which is called ultimately by both the 
torbutton/en/design/index.html.en  711) <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener" target="_top">webprogress
torbutton/en/design/index.html.en  712) listener</a> <span class="command"><strong>torbutton_weblistener</strong></span> and the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a> (the latter being a hack to handle
torbutton/en/design/index.html.en  713) javascript: urls).
torbutton/en/design/index.html.en  714) 
torbutton/en/design/index.html.en  715) In the Firefox 2 days, this option did a lot more than
torbutton/en/design/index.html.en  716) it does now. It used to be responsible for timezone and improved useragent
torbutton/en/design/index.html.en  717) spoofing, and history object cloaking. However, now it only provides
torbutton/en/design/index.html.en  718) obfuscation of the <a class="ulink" href="https://developer.mozilla.org/en/DOM/window.screen" target="_top">window.screen</a>
torbutton/en/design/index.html.en  719) object to mask your browser and desktop resolution.
torbutton/en/design/index.html.en  720) The resolution hooks
torbutton/en/design/index.html.en  721) effectively make the Firefox browser window appear to websites as if the renderable area
torbutton/en/design/index.html.en  722) takes up the entire desktop, has no toolbar or other GUI element space, and
torbutton/en/design/index.html.en  723) the desktop itself has no toolbars.
torbutton/en/design/index.html.en  724) These hooks drastically reduce the amount of information available to do <a class="link" href="#fingerprinting">anonymity set reduction attacks</a> and help to
torbutton/en/design/index.html.en  725) meet the <a class="link" href="#setpreservation">Anonymity Set Preservation</a>
torbutton/en/design/index.html.en  726) requirements. Unfortunately, Gregory Fleischer discovered it is still possible
torbutton/en/design/index.html.en  727) to retrieve the original screen values by using <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-sandbox-xpcnativewrapper.html" target="_top">XPCNativeWrapper</a>
torbutton/en/design/index.html.en  728) or <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-components-lookupmethod.html" target="_top">Components.lookupMethod</a>.

torbutton/en/design/index.html.en  729) We are still looking for a workaround as of Torbutton 1.3.2.

torbutton/en/design/index.html.en  730) 
torbutton/en/design/index.html.en  731) 
torbutton/en/design/index.html.en  732) 

torbutton/en/design/index.html.en  733) 
torbutton/en/design/index.html.en  734) </p></div><div class="sect3" title="Resize windows to multiples of 50px during Tor usage (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663307"></a>Resize windows to multiples of 50px during Tor usage (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.resize_windows</strong></span></p><p>

torbutton/en/design/index.html.en  735) 
torbutton/en/design/index.html.en  736) This option drastically cuts down on the number of distinct anonymity sets
torbutton/en/design/index.html.en  737) that divide the Tor web userbase. Without this setting, the dimensions for a
torbutton/en/design/index.html.en  738) typical browser window range from 600-1200 horizontal pixels and 400-1000
torbutton/en/design/index.html.en  739) vertical pixels, or about 600x600 = 360000 different sets. Resizing the
torbutton/en/design/index.html.en  740) browser window to multiples of 50 on each side reduces the number of sets by
torbutton/en/design/index.html.en  741) 50^2, bringing the total number of sets to 144. Of course, the distribution
torbutton/en/design/index.html.en  742) among these sets are not uniform, but scaling by 50 will improve the situation
torbutton/en/design/index.html.en  743) due to this non-uniformity for users in the less common resolutions.
torbutton/en/design/index.html.en  744) Obviously the ideal situation would be to lie entirely about the browser
torbutton/en/design/index.html.en  745) window size, but this will likely cause all sorts of rendering issues, and is
torbutton/en/design/index.html.en  746) also not implementable in a foolproof way from extension land.
torbutton/en/design/index.html.en  747) 
torbutton/en/design/index.html.en  748) </p><p>
torbutton/en/design/index.html.en  749) 
torbutton/en/design/index.html.en  750) The implementation of this setting is spread across a couple of different

torbutton/en/design/index.html.en  751) locations in the Torbutton javascript <a class="link" href="#browseroverlay" title="Browser Overlay - torbutton.xul">browser

torbutton/en/design/index.html.en  752) overlay</a>. Since resizing minimized windows causes them to be restored,
torbutton/en/design/index.html.en  753) and since maximized windows remember their previous size to the pixel, windows
torbutton/en/design/index.html.en  754) must be resized before every document load (at the time of browser tagging)
torbutton/en/design/index.html.en  755) via <code class="function">torbutton_check_round()</code>, called by
torbutton/en/design/index.html.en  756) <code class="function">torbutton_update_tags()</code>. To prevent drift, the extension
torbutton/en/design/index.html.en  757) tracks the original values of the windows and uses this to perform the
torbutton/en/design/index.html.en  758) rounding on document load. In addition, to prevent the user from resizing a
torbutton/en/design/index.html.en  759) window to a non-50px multiple, a resize listener
torbutton/en/design/index.html.en  760) (<code class="function">torbutton_do_resize()</code>) is installed on every new browser
torbutton/en/design/index.html.en  761) window to record the new size and round it to a 50px multiple while Tor is
torbutton/en/design/index.html.en  762) enabled. In all cases, the browser's contentWindow.innerWidth and innerHeight
torbutton/en/design/index.html.en  763) are set. This ensures that there is no discrepancy between the 50 pixel cutoff
torbutton/en/design/index.html.en  764) and the actual renderable area of the browser (so that it is not possible to
torbutton/en/design/index.html.en  765) infer toolbar size/presence by the distance to the nearest 50 pixel roundoff).
torbutton/en/design/index.html.en  766) 
torbutton/en/design/index.html.en  767) </p><p>
torbutton/en/design/index.html.en  768) This setting helps to meet the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirements.

torbutton/en/design/index.html.en  769) </p></div><div class="sect3" title="Disable Search Suggestions during Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663391"></a>Disable Search Suggestions during Tor (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_search</strong></span></p><p>

torbutton/en/design/index.html.en  770) This setting causes Torbutton to disable <a class="ulink" href="http://kb.mozillazine.org/Browser.search.suggest.enabled" target="_top"><span class="command"><strong>browser.search.suggest.enabled</strong></span></a>
torbutton/en/design/index.html.en  771) during Tor usage.
torbutton/en/design/index.html.en  772) This governs if you get Google search suggestions during Tor
torbutton/en/design/index.html.en  773) usage. Your Google cookie is transmitted with google search suggestions, hence
torbutton/en/design/index.html.en  774) this is recommended to be disabled.
torbutton/en/design/index.html.en  775) 
torbutton/en/design/index.html.en  776) </p><p>
torbutton/en/design/index.html.en  777) While this setting doesn't satisfy any Torbutton requirements, the fact that
torbutton/en/design/index.html.en  778) cookies are transmitted for partially typed queries does not seem desirable
torbutton/en/design/index.html.en  779) for Tor usage.

torbutton/en/design/index.html.en  780) </p></div><div class="sect3" title="Disable Updates During Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2663430"></a>Disable Updates During Tor</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_updates</strong></span></p><p>This setting causes Torbutton to disable the four <a class="ulink" href="http://wiki.mozilla.org/Update:Users/Checking_For_Updates#Preference_Controls_and_State" target="_top">Firefox

torbutton/en/design/index.html.en  781) update settings</a> during Tor
torbutton/en/design/index.html.en  782)   usage: <span class="command"><strong>extensions.update.enabled</strong></span>,
torbutton/en/design/index.html.en  783) <span class="command"><strong>app.update.enabled</strong></span>,
torbutton/en/design/index.html.en  784)   <span class="command"><strong>app.update.auto</strong></span>, and
torbutton/en/design/index.html.en  785) <span class="command"><strong>browser.search.update</strong></span>.  These prevent the
torbutton/en/design/index.html.en  786)   browser from updating extensions, checking for Firefox upgrades, and
torbutton/en/design/index.html.en  787)   checking for search plugin updates while Tor is enabled.
torbutton/en/design/index.html.en  788)   </p><p>
torbutton/en/design/index.html.en  789) This setting satisfies the <a class="link" href="#updates">Update Safety</a> requirement.

torbutton/en/design/index.html.en  790) </p></div><div class="sect3" title="Redirect Torbutton Updates Via Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663492"></a>Redirect Torbutton Updates Via Tor (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.update_torbutton_via_tor</strong></span></p><p>This setting causes Torbutton to install an

torbutton/en/design/index.html.en  791) 
torbutton/en/design/index.html.en  792) <a class="ulink" href="https://developer.mozilla.org/en/nsIProtocolProxyFilter" target="_top">nsIProtocolProxyFilter</a>
torbutton/en/design/index.html.en  793) in order to redirect all version update checks and Torbutton update downloads
torbutton/en/design/index.html.en  794) via Tor, regardless of if Tor is enabled or not. This was done both to address
torbutton/en/design/index.html.en  795) concerns about data retention done by <a class="ulink" href="https://www.addons.mozilla.org" target="_top">addons.mozilla.org</a>, as well as to
torbutton/en/design/index.html.en  796) help censored users meet the <a class="link" href="#undiscoverability">Tor
torbutton/en/design/index.html.en  797) Undiscoverability</a> requirement.
torbutton/en/design/index.html.en  798) 

torbutton/en/design/index.html.en  799)   </p></div><div class="sect3" title="Disable livemarks updates during Tor usage (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663536"></a>Disable livemarks updates during Tor usage (recommended)</h4></div></div></div><p>Option:

torbutton/en/design/index.html.en  800)    </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.disable_livemarks</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en  801)   </p><p>

torbutton/en/design/index.html.en  802) 

torbutton/en/design/index.html.en  803) This option causes Torbutton to prevent Firefox from loading <a class="ulink" href="http://www.mozilla.com/firefox/livebookmarks.html" target="_top">Livemarks</a> during
torbutton/en/design/index.html.en  804) Tor usage. Because people often have very personalized Livemarks (such as RSS
torbutton/en/design/index.html.en  805) feeds of Wikipedia articles they maintain, etc). This is accomplished both by
torbutton/en/design/index.html.en  806) <a class="link" href="#livemarks" title="@mozilla.org/browser/livemark-service;2 - components/block-livemarks.js">wrapping the livemark-service component</a> and
torbutton/en/design/index.html.en  807) by calling stopUpdateLivemarks() on the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2" target="_top">Livemark
torbutton/en/design/index.html.en  808) service</a> when Tor is enabled.
torbutton/en/design/index.html.en  809) 
torbutton/en/design/index.html.en  810) </p><p>
torbutton/en/design/index.html.en  811) This helps satisfy the <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en  812) Isolation</a> and <a class="link" href="#setpreservation">Anonymity Set
torbutton/en/design/index.html.en  813) Preservation</a> requirements.

torbutton/en/design/index.html.en  814) </p></div><div class="sect3" title="Block Tor/Non-Tor access to network from file:// urls (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663607"></a>Block Tor/Non-Tor access to network from file:// urls (recommended)</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en  815)    </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_tor_file_net</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nontor_file_net</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en  816)   </p><p>
torbutton/en/design/index.html.en  817) 
torbutton/en/design/index.html.en  818) These settings prevent file urls from performing network operations during the
torbutton/en/design/index.html.en  819) respective Tor states. Firefox 2's implementation of same origin policy allows
torbutton/en/design/index.html.en  820) file urls to read and <a class="ulink" href="http://www.gnucitizen.org/blog/content-disposition-hacking/" target="_top">submit
torbutton/en/design/index.html.en  821) arbitrary files from the local filesystem</a> to arbitrary websites. To
torbutton/en/design/index.html.en  822) make matters worse, the 'Content-Disposition' header can be injected
torbutton/en/design/index.html.en  823) arbitrarily by exit nodes to trick users into running arbitrary html files in
torbutton/en/design/index.html.en  824) the local context. These preferences cause the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a> to block access to any network
torbutton/en/design/index.html.en  825) resources from File urls during the appropriate Tor state.
torbutton/en/design/index.html.en  826) 
torbutton/en/design/index.html.en  827) </p><p>
torbutton/en/design/index.html.en  828) 
torbutton/en/design/index.html.en  829) This preference helps to ensure Tor's <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en  830) Isolation</a> requirement, by preventing file urls from executing network
torbutton/en/design/index.html.en  831) operations in opposite Tor states. Also, allowing pages to submit arbitrary
torbutton/en/design/index.html.en  832) files to arbitrary sites just generally seems like a bad idea.
torbutton/en/design/index.html.en  833) 

torbutton/en/design/index.html.en  834) </p></div><div class="sect3" title="Close all Tor/Non-Tor tabs and windows on toggle (optional)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663679"></a>Close all Tor/Non-Tor tabs and windows on toggle (optional)</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en  835)    </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.close_nontor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.close_tor</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en  836)   </p><p>
torbutton/en/design/index.html.en  837) 
torbutton/en/design/index.html.en  838) These settings cause Torbutton to enumerate through all windows and close all
torbutton/en/design/index.html.en  839) tabs in each window for the appropriate Tor state. This code can be found in
torbutton/en/design/index.html.en  840) <code class="function">torbutton_update_status()</code>.  The main reason these settings
torbutton/en/design/index.html.en  841) exist is as a backup mechanism in the event of any Javascript or content policy
torbutton/en/design/index.html.en  842) leaks due to <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
torbutton/en/design/index.html.en  843) 409737</a>.  Torbutton currently tries to block all Javascript network
torbutton/en/design/index.html.en  844) activity via the content policy, but until that bug is fixed, there is some
torbutton/en/design/index.html.en  845) risk that there are alternate ways to bypass the policy. This option is
torbutton/en/design/index.html.en  846) available as an extra assurance of <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en  847) Isolation</a> for those who would like to be sure that when Tor is toggled
torbutton/en/design/index.html.en  848) all page activity has ceased. It also serves as a potential future workaround
torbutton/en/design/index.html.en  849) in the event a content policy failure is discovered, and provides an additional
torbutton/en/design/index.html.en  850) level of protection for the <a class="link" href="#disk">Disk Avoidance</a>
torbutton/en/design/index.html.en  851) protection so that browser state is not sitting around waiting to be swapped
torbutton/en/design/index.html.en  852) out longer than necessary.
torbutton/en/design/index.html.en  853) 
torbutton/en/design/index.html.en  854) </p><p>
torbutton/en/design/index.html.en  855) While this setting doesn't satisfy any Torbutton requirements, the fact that
torbutton/en/design/index.html.en  856) cookies are transmitted for partially typed queries does not seem desirable
torbutton/en/design/index.html.en  857) for Tor usage.

torbutton/en/design/index.html.en  858) </p></div></div><div class="sect2" title="5.3. History and Forms Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705261"></a>5.3. History and Forms Settings</h3></div></div></div><div class="sect3" title="Isolate Access to History navigation to Tor state (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705267"></a>Isolate Access to History navigation to Tor state (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.block_js_history</strong></span></p><p>

torbutton/en/design/index.html.en  859) This setting determines if Torbutton installs an <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistoryListener" target="_top">nsISHistoryListener</a>
torbutton/en/design/index.html.en  860) attached to the <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory" target="_top">sessionHistory</a> of 
torbutton/en/design/index.html.en  861) of each browser's <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3awebNavigation" target="_top">webNavigatator</a>.
torbutton/en/design/index.html.en  862) The nsIShistoryListener is instantiated with a reference to the containing
torbutton/en/design/index.html.en  863) browser window and blocks the back, forward, and reload buttons on the browser
torbutton/en/design/index.html.en  864) navigation bar when Tor is in an opposite state than the one to load the
torbutton/en/design/index.html.en  865) current tab. In addition, Tor clears the session history during a new document
torbutton/en/design/index.html.en  866) load if this setting is enabled. 
torbutton/en/design/index.html.en  867) 
torbutton/en/design/index.html.en  868)   </p><p>
torbutton/en/design/index.html.en  869) 
torbutton/en/design/index.html.en  870) This is marked as a crucial setting in part
torbutton/en/design/index.html.en  871) because Javascript access to the history object is indistinguishable from 
torbutton/en/design/index.html.en  872) user clicks, and because
torbutton/en/design/index.html.en  873) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
torbutton/en/design/index.html.en  874) 409737</a> allows javascript to execute in opposite Tor states, javascript
torbutton/en/design/index.html.en  875) can issue reloads after Tor toggle to reveal your original IP. Even without
torbutton/en/design/index.html.en  876) this bug, however, Javascript is still able to access previous pages in your
torbutton/en/design/index.html.en  877) session history that may have been loaded under a different Tor state, to
torbutton/en/design/index.html.en  878) attempt to correlate your activity.
torbutton/en/design/index.html.en  879) 
torbutton/en/design/index.html.en  880)    </p><p>
torbutton/en/design/index.html.en  881) 
torbutton/en/design/index.html.en  882) This setting helps to fulfill Torbutton's <a class="link" href="#state">State
torbutton/en/design/index.html.en  883) Separation</a> and (until Bug 409737 is fixed) <a class="link" href="#isolation">Network Isolation</a>
torbutton/en/design/index.html.en  884) requirements.
torbutton/en/design/index.html.en  885) 

torbutton/en/design/index.html.en  886)    </p></div><div class="sect3" title="History Access Settings"><div class="titlepage"><div><div><h4 class="title"><a id="id2705344"></a>History Access Settings</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en  887)   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_thread</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nthread</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_thwrite</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nthwrite</strong></span></td></tr></table><p>

torbutton/en/design/index.html.en  888)   </p><p>On Firefox 3.x, these four settings govern the behavior of the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/ignore-history.js" target="_top">components/ignore-history.js</a>

torbutton/en/design/index.html.en  889) history blocker component mentioned above. By hooking the browser's view of
torbutton/en/design/index.html.en  890) the history itself via the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2" target="_top">@mozilla.org/browser/global-history;2</a>
torbutton/en/design/index.html.en  891) and <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/nav-history-service;1" target="_top">@mozilla.org/browser/nav-history-service;1</a>
torbutton/en/design/index.html.en  892) components, this mechanism defeats all document-based <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure
torbutton/en/design/index.html.en  893) attacks</a>, including <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only attacks</a>.
torbutton/en/design/index.html.en  894) 
torbutton/en/design/index.html.en  895) The component also hooks functions involved in writing history to disk via
torbutton/en/design/index.html.en  896) both the <a class="ulink" href="http://developer.mozilla.org/en/docs/Places_migration_guide#History" target="_top">Places
torbutton/en/design/index.html.en  897) Database</a> and the older Firefox 2 mechanisms.
torbutton/en/design/index.html.en  898) 

torbutton/en/design/index.html.en  899) </p><p>
torbutton/en/design/index.html.en  900) On Firefox 4, Mozilla finally <a class="ulink" href="https://developer.mozilla.org/en/CSS/Privacy_and_the_%3avisited_selector" target="_top">addressed
torbutton/en/design/index.html.en  901) these issues</a>, so we can effectively ignore the "read" pair of the
torbutton/en/design/index.html.en  902) above prefs. We then only need to link the write prefs to
torbutton/en/design/index.html.en  903) <span class="command"><strong>places.history.enabled</strong></span>, which disabled writing to the
torbutton/en/design/index.html.en  904) history store while set.

torbutton/en/design/index.html.en  905) </p><p>
torbutton/en/design/index.html.en  906) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.

torbutton/en/design/index.html.en  907) </p></div><div class="sect3" title="Clear History During Tor Toggle (optional)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705472"></a>Clear History During Tor Toggle (optional)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_history</strong></span></p><p>This setting governs if Torbutton calls

torbutton/en/design/index.html.en  908) <a class="ulink" href="https://developer.mozilla.org/en/nsIBrowserHistory#removeAllPages.28.29" target="_top">nsIBrowserHistory.removeAllPages</a>
torbutton/en/design/index.html.en  909) and <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory" target="_top">nsISHistory.PurgeHistory</a>
torbutton/en/design/index.html.en  910) for each tab on Tor toggle.</p><p>
torbutton/en/design/index.html.en  911) This setting is an optional way to help satisfy the <a class="link" href="#state">State Separation</a> requirement.

torbutton/en/design/index.html.en  912) </p></div><div class="sect3" title="Block Password+Form saving during Tor/Non-Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2705515"></a>Block Password+Form saving during Tor/Non-Tor</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en  913)   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_tforms</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_ntforms</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en  914)   </p><p>These settings govern if Torbutton disables
torbutton/en/design/index.html.en  915) <span class="command"><strong>browser.formfill.enable</strong></span>
torbutton/en/design/index.html.en  916) and <span class="command"><strong>signon.rememberSignons</strong></span> during Tor and Non-Tor usage.
torbutton/en/design/index.html.en  917) Since form fields can be read at any time by Javascript, this setting is a lot
torbutton/en/design/index.html.en  918) more important than it seems.
torbutton/en/design/index.html.en  919) </p><p>
torbutton/en/design/index.html.en  920) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.

torbutton/en/design/index.html.en  921) </p></div></div><div class="sect2" title="5.4. Cache Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705577"></a>5.4. Cache Settings</h3></div></div></div><div class="sect3" title="Block Tor disk cache and clear all cache on Tor Toggle"><div class="titlepage"><div><div><h4 class="title"><a id="id2705582"></a>Block Tor disk cache and clear all cache on Tor Toggle</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_cache</strong></span>

torbutton/en/design/index.html.en  922)   </p><p>This option causes Torbutton to call <a class="ulink" href="https://developer.mozilla.org/en/nsICacheService#evictEntries.28.29" target="_top">nsICacheService.evictEntries(0)</a>
torbutton/en/design/index.html.en  923) on Tor toggle to remove all entries from the cache. In addition, this setting
torbutton/en/design/index.html.en  924) causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.disk.enable" target="_top">browser.cache.disk.enable</a> to false.
torbutton/en/design/index.html.en  925) </p><p>
torbutton/en/design/index.html.en  926) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.

torbutton/en/design/index.html.en  927) </p></div><div class="sect3" title="Block disk and memory cache during Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2705632"></a>Block disk and memory cache during Tor</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.block_cache</strong></span></p><p>This setting

torbutton/en/design/index.html.en  928) causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.memory.enable" target="_top">browser.cache.memory.enable</a>,
torbutton/en/design/index.html.en  929) <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.disk.enable" target="_top">browser.cache.disk.enable</a> and
torbutton/en/design/index.html.en  930) <a class="ulink" href="http://kb.mozillazine.org/Network.http.use-cache" target="_top">network.http.use-cache</a> to false during tor usage.
torbutton/en/design/index.html.en  931) </p><p>
torbutton/en/design/index.html.en  932) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.

torbutton/en/design/index.html.en  933) </p></div></div><div class="sect2" title="5.5. Cookie and Auth Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705686"></a>5.5. Cookie and Auth Settings</h3></div></div></div><div class="sect3" title="Clear Cookies on Tor Toggle"><div class="titlepage"><div><div><h4 class="title"><a id="id2705691"></a>Clear Cookies on Tor Toggle</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_cookies</strong></span>

torbutton/en/design/index.html.en  934)   </p><p>
torbutton/en/design/index.html.en  935) 
torbutton/en/design/index.html.en  936) This setting causes Torbutton to call <a class="ulink" href="https://developer.mozilla.org/en/nsICookieManager#removeAll.28.29" target="_top">nsICookieManager.removeAll()</a> on
torbutton/en/design/index.html.en  937) every Tor toggle. In addition, this sets <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
torbutton/en/design/index.html.en  938) to 2 for Tor usage, which causes all cookies to be demoted to session cookies,
torbutton/en/design/index.html.en  939) which prevents them from being written to disk. 
torbutton/en/design/index.html.en  940) 
torbutton/en/design/index.html.en  941) </p><p>
torbutton/en/design/index.html.en  942) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.

torbutton/en/design/index.html.en  943) </p></div><div class="sect3" title="Store Non-Tor cookies in a protected jar"><div class="titlepage"><div><div><h4 class="title"><a id="id2705742"></a>Store Non-Tor cookies in a protected jar</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.cookie_jars</strong></span>

torbutton/en/design/index.html.en  944)   </p><p>
torbutton/en/design/index.html.en  945) 

torbutton/en/design/index.html.en  946) This setting causes Torbutton to use <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a> to store

torbutton/en/design/index.html.en  947) non-tor cookies in a cookie jar during Tor usage, and clear the Tor cookies
torbutton/en/design/index.html.en  948) before restoring the jar.
torbutton/en/design/index.html.en  949) </p><p>
torbutton/en/design/index.html.en  950) This setting also sets <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
torbutton/en/design/index.html.en  951) to 2 for Tor usage, which causes all cookies to be demoted to session cookies,
torbutton/en/design/index.html.en  952) which prevents them from being written to disk. 
torbutton/en/design/index.html.en  953) 
torbutton/en/design/index.html.en  954) </p><p>
torbutton/en/design/index.html.en  955) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.

torbutton/en/design/index.html.en  956) </p></div><div class="sect3" title="Store both Non-Tor and Tor cookies in a protected jar (dangerous)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705799"></a>Store both Non-Tor and Tor cookies in a protected jar (dangerous)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.dual_cookie_jars</strong></span>

torbutton/en/design/index.html.en  957)   </p><p>
torbutton/en/design/index.html.en  958) 

torbutton/en/design/index.html.en  959) This setting causes Torbutton to use <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a> to store

torbutton/en/design/index.html.en  960) both Tor and Non-Tor cookies into protected jars.
torbutton/en/design/index.html.en  961) </p><p>
torbutton/en/design/index.html.en  962) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.

torbutton/en/design/index.html.en  963) </p></div><div class="sect3" title="Manage My Own Cookies (dangerous)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705841"></a>Manage My Own Cookies (dangerous)</h4></div></div></div><p>Options: None</p><p>This setting disables all Torbutton cookie handling by setting the above
torbutton/en/design/index.html.en  964) cookie prefs all to false.</p></div><div class="sect3" title="Disable DOM Storage during Tor usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705856"></a>Disable DOM Storage during Tor usage (crucial)</h4></div></div></div><div class="sect3" title="Do not write Tor/Non-Tor cookies to disk"><div class="titlepage"><div><div><h4 class="title"><a id="id2705859"></a>Do not write Tor/Non-Tor cookies to disk</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en  965)   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.tor_memory_jar</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.nontor_memory_jar</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en  966)   </p><p>
torbutton/en/design/index.html.en  967) These settings (contributed by arno) cause Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
torbutton/en/design/index.html.en  968) to 2 during the appropriate Tor state, and to store cookies acquired in that
torbutton/en/design/index.html.en  969) state into a Javascript
torbutton/en/design/index.html.en  970) <a class="ulink" href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Processing_XML_with_E4X" target="_top">E4X</a>
torbutton/en/design/index.html.en  971) object as opposed to writing them to disk.
torbutton/en/design/index.html.en  972) </p><p>
torbutton/en/design/index.html.en  973) This allows Torbutton to provide an option to preserve a user's 
torbutton/en/design/index.html.en  974) cookies while still satisfying the <a class="link" href="#disk">Disk Avoidance</a>
torbutton/en/design/index.html.en  975) requirement.
torbutton/en/design/index.html.en  976) </p></div><p>Option: <span class="command"><strong>extensions.torbutton.disable_domstorage</strong></span>
torbutton/en/design/index.html.en  977)   </p><p>
torbutton/en/design/index.html.en  978) 
torbutton/en/design/index.html.en  979) This setting causes Torbutton to toggle <span class="command"><strong>dom.storage.enabled</strong></span> during Tor
torbutton/en/design/index.html.en  980) usage to prevent 
torbutton/en/design/index.html.en  981) <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:Storage" target="_top">DOM Storage</a> from
torbutton/en/design/index.html.en  982)   being used to store persistent information across Tor states.</p><p>
torbutton/en/design/index.html.en  983) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.

torbutton/en/design/index.html.en  984) </p></div><div class="sect3" title="Clear HTTP Auth on Tor Toggle (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705960"></a>Clear HTTP Auth on Tor Toggle (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_http_auth</strong></span>

torbutton/en/design/index.html.en  985)   </p><p>
torbutton/en/design/index.html.en  986) This setting causes Torbutton to call <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsIHttpAuthManager" target="_top">nsIHttpAuthManager.clearAll()</a>
torbutton/en/design/index.html.en  987) every time Tor is toggled.
torbutton/en/design/index.html.en  988) </p><p>
torbutton/en/design/index.html.en  989) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.

torbutton/en/design/index.html.en  990) </p></div></div><div class="sect2" title="5.6. Startup Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705999"></a>5.6. Startup Settings</h3></div></div></div><div class="sect3" title="On Browser Startup, set Tor state to: Tor, Non-Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2706004"></a>On Browser Startup, set Tor state to: Tor, Non-Tor</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en  991)    <span class="command"><strong>extensions.torbutton.restore_tor</strong></span>
torbutton/en/design/index.html.en  992)   </p><p>This option governs what Tor state tor is loaded in to.
torbutton/en/design/index.html.en  993) <code class="function">torbutton_set_initial_state()</code> covers the case where the
torbutton/en/design/index.html.en  994) browser did not crash, and <code class="function">torbutton_crash_recover()</code>
torbutton/en/design/index.html.en  995) covers the case where the <a class="link" href="#crashobserver" title="@torproject.org/crash-observer;1">crash observer</a>
torbutton/en/design/index.html.en  996) detected a crash.

torbutton/en/design/index.html.en  997) </p><p>
torbutton/en/design/index.html.en  998) 
torbutton/en/design/index.html.en  999) Since the Tor state after a Firefox crash is unknown/indeterminate, this
torbutton/en/design/index.html.en 1000) setting helps to satisfy the <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en 1001) requirement in the event of Firefox crashes by ensuring all cookies,
torbutton/en/design/index.html.en 1002) settings and saved sessions are reloaded from a fixed Tor state.
torbutton/en/design/index.html.en 1003)  

torbutton/en/design/index.html.en 1004) </p></div><div class="sect3" title="Prevent session store from saving Non-Tor/Tor-loaded tabs"><div class="titlepage"><div><div><h4 class="title"><a id="id2706055"></a>Prevent session store from saving Non-Tor/Tor-loaded tabs</h4></div></div></div><p>Options: 

torbutton/en/design/index.html.en 1005)   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.nonontor_sessionstore</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.notor_sessionstore</strong></span></td></tr></table><p>

torbutton/en/design/index.html.en 1006)   </p><p>If these options are enabled, the <a class="link" href="#tbsessionstore" title="@torproject.org/torbutton-ss-blocker;1">tbSessionStore.js</a> component uses the session
torbutton/en/design/index.html.en 1007) store listeners to filter out the appropriate tabs before writing the session
torbutton/en/design/index.html.en 1008) store data to disk.
torbutton/en/design/index.html.en 1009) </p><p>

torbutton/en/design/index.html.en 1010) This setting helps to satisfy the <a class="link" href="#disk">Disk Avoidance</a>
torbutton/en/design/index.html.en 1011) requirement, and also helps to satisfy the <a class="link" href="#state">State Separation</a> requirement in the event of Firefox
torbutton/en/design/index.html.en 1012) crashes.
torbutton/en/design/index.html.en 1013) 

torbutton/en/design/index.html.en 1014) </p></div></div><div class="sect2" title="5.7. Shutdown Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2706113"></a>5.7. Shutdown Settings</h3></div></div></div><div class="sect3" title="Clear cookies on Tor/Non-Tor shutdown"><div class="titlepage"><div><div><h4 class="title"><a id="id2706119"></a>Clear cookies on Tor/Non-Tor shutdown</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.shutdown_method</strong></span>

torbutton/en/design/index.html.en 1015)   </p><p> This option variable can actually take 3 values: 0, 1, and 2. 0 means no
torbutton/en/design/index.html.en 1016) cookie clearing, 1 means clear only during Tor-enabled shutdown, and 2 means
torbutton/en/design/index.html.en 1017) clear for both Tor and Non-Tor shutdown. When set to 1 or 2, Torbutton listens
torbutton/en/design/index.html.en 1018) for the <a class="ulink" href="http://developer.mozilla.org/en/docs/Observer_Notifications#Application_shutdown" target="_top">quit-application-granted</a> event in
torbutton/en/design/index.html.en 1019) <a class="link" href="#crashobserver" title="@torproject.org/crash-observer;1">crash-observer.js</a> and use <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a>
torbutton/en/design/index.html.en 1020) to clear out all cookies and all cookie jars upon shutdown.
torbutton/en/design/index.html.en 1021) </p><p>
torbutton/en/design/index.html.en 1022) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.

torbutton/en/design/index.html.en 1023) </p></div></div><div class="sect2" title="5.8. Header Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2706173"></a>5.8. Header Settings</h3></div></div></div><div class="sect3" title="Set user agent during Tor usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2706179"></a>Set user agent during Tor usage (crucial)</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en 1024)    </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.set_uagent</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.platform_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.oscpu_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.buildID_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.productsub_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.appname_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.appversion_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_vendor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_vendorSub</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 1025)    </p><p>On face, user agent switching appears to be straight-forward in Firefox.
torbutton/en/design/index.html.en 1026) It provides several options for controlling the browser user agent string:
torbutton/en/design/index.html.en 1027) <span class="command"><strong>general.appname.override</strong></span>,
torbutton/en/design/index.html.en 1028) <span class="command"><strong>general.appversion.override</strong></span>,
torbutton/en/design/index.html.en 1029) <span class="command"><strong>general.platform.override</strong></span>,
torbutton/en/design/index.html.en 1030) <span class="command"><strong>general.oscpu.override</strong></span>,
torbutton/en/design/index.html.en 1031) <span class="command"><strong>general.productSub.override</strong></span>,
torbutton/en/design/index.html.en 1032) <span class="command"><strong>general.buildID.override</strong></span>,
torbutton/en/design/index.html.en 1033) <span class="command"><strong>general.useragent.override</strong></span>,
torbutton/en/design/index.html.en 1034) <span class="command"><strong>general.useragent.vendor</strong></span>, and
torbutton/en/design/index.html.en 1035) <span class="command"><strong>general.useragent.vendorSub</strong></span>. If
torbutton/en/design/index.html.en 1036) the Torbutton preference <span class="command"><strong>extensions.torbutton.set_uagent</strong></span> is
torbutton/en/design/index.html.en 1037) true, Torbutton copies all of the other above prefs into their corresponding
torbutton/en/design/index.html.en 1038) browser preferences during Tor usage.</p><p>
torbutton/en/design/index.html.en 1039) 
torbutton/en/design/index.html.en 1040) It also turns out that it is possible to detect the original Firefox version
torbutton/en/design/index.html.en 1041) by <a class="ulink" href="http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/" target="_top">inspecting
torbutton/en/design/index.html.en 1042) certain resource:// files</a>. These cases are handled by Torbutton's
torbutton/en/design/index.html.en 1043) <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>.
torbutton/en/design/index.html.en 1044) 
torbutton/en/design/index.html.en 1045) </p><p>
torbutton/en/design/index.html.en 1046) This setting helps to satisfy the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirement.

torbutton/en/design/index.html.en 1047) </p></div><div class="sect3" title="Spoof US English Browser"><div class="titlepage"><div><div><h4 class="title"><a id="id2706353"></a>Spoof US English Browser</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en 1048) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.spoof_english</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.spoof_charset</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.spoof_language</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 1049) </p><p> This option causes Torbutton to set
torbutton/en/design/index.html.en 1050) <span class="command"><strong>general.useragent.locale</strong></span>
torbutton/en/design/index.html.en 1051) <span class="command"><strong>intl.accept_languages</strong></span> to the value specified in
torbutton/en/design/index.html.en 1052) <span class="command"><strong>extensions.torbutton.spoof_locale</strong></span>,
torbutton/en/design/index.html.en 1053) <span class="command"><strong>extensions.torbutton.spoof_charset</strong></span> and
torbutton/en/design/index.html.en 1054) <span class="command"><strong>extensions.torbutton.spoof_language</strong></span> during Tor usage, as

torbutton/en/design/index.html.en 1055) well as hooking <span class="command"><strong>navigator.language</strong></span> via its <a class="link" href="#jshooks" title="Hook Dangerous Javascript">javascript hooks</a>.

torbutton/en/design/index.html.en 1056)  </p><p>
torbutton/en/design/index.html.en 1057) This setting helps to satisfy the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> and <a class="link" href="#location">Location Neutrality</a> requirements.

torbutton/en/design/index.html.en 1058) </p></div><div class="sect3" title="Referer Spoofing Options"><div class="titlepage"><div><div><h4 class="title"><a id="id2706446"></a>Referer Spoofing Options</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.refererspoof</strong></span>

torbutton/en/design/index.html.en 1059) </p><p>
torbutton/en/design/index.html.en 1060) This option variable has three values. If it is 0, "smart" referer spoofing is
torbutton/en/design/index.html.en 1061) enabled. If it is 1, the referer behaves as normal. If it is 2, no referer is
torbutton/en/design/index.html.en 1062) sent. The default value is 1. The smart referer spoofing is implemented by the
torbutton/en/design/index.html.en 1063) <a class="link" href="#refspoofer" title="@torproject.org/torRefSpoofer;1">torRefSpoofer</a> component.
torbutton/en/design/index.html.en 1064) 
torbutton/en/design/index.html.en 1065) </p><p>

torbutton/en/design/index.html.en 1066) This setting also does not directly satisfy any Torbutton requirement, but

torbutton/en/design/index.html.en 1067) some may desire to mask their referer for general privacy concerns.

torbutton/en/design/index.html.en 1068) </p></div><div class="sect3" title="Strip platform and language off of Google Search Box queries"><div class="titlepage"><div><div><h4 class="title"><a id="id2706480"></a>Strip platform and language off of Google Search Box queries</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.fix_google_srch</strong></span>

torbutton/en/design/index.html.en 1069) </p><p> 
torbutton/en/design/index.html.en 1070) 
torbutton/en/design/index.html.en 1071) This option causes Torbutton to use the <a class="ulink" href="https://wiki.mozilla.org/Search_Service:API" target="_top">@mozilla.org/browser/search-service;1</a>
torbutton/en/design/index.html.en 1072) component to wrap the Google search plugin. On many platforms, notably Debian
torbutton/en/design/index.html.en 1073) and Ubuntu, the Google search plugin is set to reveal a lot of language and
torbutton/en/design/index.html.en 1074) platform information. This setting strips off that info while Tor is enabled.
torbutton/en/design/index.html.en 1075) 
torbutton/en/design/index.html.en 1076) </p><p>
torbutton/en/design/index.html.en 1077) This setting helps Torbutton to fulfill its <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirement.

torbutton/en/design/index.html.en 1078) </p></div><div class="sect3" title="Automatically use an alternate search engine when presented with a Google Captcha"><div class="titlepage"><div><div><h4 class="title"><a id="id2706521"></a>Automatically use an alternate search engine when presented with a

torbutton/en/design/index.html.en 1079) Google Captcha</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en 1080) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.asked_google_captcha</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.dodge_google_captcha</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.google_redir_url</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 1081) </p><p>
torbutton/en/design/index.html.en 1082) 
torbutton/en/design/index.html.en 1083) Google's search engine has rate limiting features that cause it to
torbutton/en/design/index.html.en 1084) <a class="ulink" href="http://googleonlinesecurity.blogspot.com/2007/07/reason-behind-were-sorry-message.html" target="_top">present
torbutton/en/design/index.html.en 1085) captchas</a> and sometimes even outright ban IPs that issue large numbers
torbutton/en/design/index.html.en 1086) of search queries, especially if a lot of these queries appear to be searching
torbutton/en/design/index.html.en 1087) for software vulnerabilities or unprotected comment areas.
torbutton/en/design/index.html.en 1088) 
torbutton/en/design/index.html.en 1089) </p><p>
torbutton/en/design/index.html.en 1090) 
torbutton/en/design/index.html.en 1091) Despite multiple discussions with Google, we were unable to come to a solution
torbutton/en/design/index.html.en 1092) or any form of compromise that would reduce the number of captchas and
torbutton/en/design/index.html.en 1093) outright bans seen by Tor users issuing regular queries.
torbutton/en/design/index.html.en 1094) 
torbutton/en/design/index.html.en 1095) </p><p>
torbutton/en/design/index.html.en 1096) As a result, we've implemented this option as an <a class="ulink" href="https://developer.mozilla.org/en/XUL_School/Intercepting_Page_Loads#HTTP_Observers" target="_top">'http-on-modify-request'</a>
torbutton/en/design/index.html.en 1097) http observer to optionally redirect banned or captcha-triggering Google
torbutton/en/design/index.html.en 1098) queries to search engines that do not rate limit Tor users. The current

torbutton/en/design/index.html.en 1099) options are duckduckgo.com, ixquick.com, bing.com, yahoo.com and scroogle.org. These are

torbutton/en/design/index.html.en 1100) encoded in the preferences

torbutton/en/design/index.html.en 1101) <span class="command"><strong>extensions.torbutton.redir_url.[1-5]</strong></span>.

torbutton/en/design/index.html.en 1102) 

torbutton/en/design/index.html.en 1103) </p></div><div class="sect3" title="Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2706601"></a>Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)</h4></div></div></div><p>Options:

torbutton/en/design/index.html.en 1104) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.jar_certs</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.jar_ca_certs</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 1105) </p><p>
torbutton/en/design/index.html.en 1106) 
torbutton/en/design/index.html.en 1107) These settings govern if Torbutton attempts to isolate the user's SSL
torbutton/en/design/index.html.en 1108) certificates into separate jars for each Tor state. This isolation is

torbutton/en/design/index.html.en 1109) implemented in <code class="function">torbutton_jar_certs()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">chrome/content/torbutton.js</a>,

torbutton/en/design/index.html.en 1110) which calls <code class="function">torbutton_jar_cert_type()</code> and
torbutton/en/design/index.html.en 1111) <code class="function">torbutton_unjar_cert_type()</code> for each certificate type in
torbutton/en/design/index.html.en 1112) the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/nsscertcache;1" target="_top">@mozilla.org/security/nsscertcache;1</a>.
torbutton/en/design/index.html.en 1113) Certificates are deleted from and imported to the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/x509certdb;1" target="_top">@mozilla.org/security/x509certdb;1</a>.
torbutton/en/design/index.html.en 1114) </p><p>
torbutton/en/design/index.html.en 1115) The first time this pref is used, a backup of the user's certificates is
torbutton/en/design/index.html.en 1116) created in their profile directory under the name
torbutton/en/design/index.html.en 1117) <code class="filename">cert8.db.bak</code>. This file can be copied back to
torbutton/en/design/index.html.en 1118) <code class="filename">cert8.db</code> to fully restore the original state of the
torbutton/en/design/index.html.en 1119) user's certificates in the event of any error.
torbutton/en/design/index.html.en 1120) </p><p>
torbutton/en/design/index.html.en 1121) Since exit nodes and malicious sites can insert content elements sourced to
torbutton/en/design/index.html.en 1122) specific SSL sites to query if a user has a certain certificate,
torbutton/en/design/index.html.en 1123) this setting helps to satisfy the <a class="link" href="#state">State
torbutton/en/design/index.html.en 1124) Separation</a> requirement of Torbutton. Unfortunately, <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435159" target="_top">Firefox Bug
torbutton/en/design/index.html.en 1125) 435159</a> prevents it from functioning correctly in the event of rapid Tor toggle, so it
torbutton/en/design/index.html.en 1126) is currently not exposed via the preferences UI.
torbutton/en/design/index.html.en 1127) 

torbutton/en/design/index.html.en 1128) </p></div></div></div><div class="sect1" title="6. Relevant Firefox Bugs"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="FirefoxBugs"></a>6. Relevant Firefox Bugs</h2></div></div></div><p>

torbutton/en/design/index.html.en 1129) Future releases of Torbutton are going to be designed around supporting only
torbutton/en/design/index.html.en 1130) <a class="ulink" href="https://www.torproject.org/projects/torbrowser.html.en" target="_top">Tor
torbutton/en/design/index.html.en 1131) Browser Bundle</a>, which greatly simplifies the number and nature of Firefox
torbutton/en/design/index.html.en 1132) bugs we must fix. This allows us to abandon the complexities of <a class="link" href="#state">State
torbutton/en/design/index.html.en 1133) Separation</a> and <a class="link" href="#isolation">Network Isolation</a> requirements
torbutton/en/design/index.html.en 1134) associated with the Toggle Model.
torbutton/en/design/index.html.en 1135)   </p><div class="sect2" title="6.1. Tor Browser Bugs"><div class="titlepage"><div><div><h3 class="title"><a id="TorBrowserBugs"></a>6.1. Tor Browser Bugs</h3></div></div></div><p>
torbutton/en/design/index.html.en 1136) The list of Firefox patches we must create to improve privacy on the
torbutton/en/design/index.html.en 1137) Tor Browser Bundle are collected in the Tor Bug Tracker under <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2871" target="_top">ticket
torbutton/en/design/index.html.en 1138) #2871</a>. These bugs are also applicable to the Toggle Model, and
torbutton/en/design/index.html.en 1139) should be considered higher priority than all Toggle Model specific bugs
torbutton/en/design/index.html.en 1140) below.
torbutton/en/design/index.html.en 1141)    </p></div><div class="sect2" title="6.2. Toggle Model Bugs"><div class="titlepage"><div><div><h3 class="title"><a id="ToggleModelBugs"></a>6.2. Toggle Model Bugs</h3></div></div></div><p>
torbutton/en/design/index.html.en 1142) In addition to the Tor Browser bugs, the Torbutton Toggle Model suffers from
torbutton/en/design/index.html.en 1143) additional bugs specific to the need to isolate state across the toggle.
torbutton/en/design/index.html.en 1144) Toggle model bugs are considered a lower priority than the bugs against the
torbutton/en/design/index.html.en 1145) Tor Browser model.
torbutton/en/design/index.html.en 1146)    </p><div class="sect3" title="Bugs impacting security"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxSecurity"></a>Bugs impacting security</h4></div></div></div><p>

torbutton/en/design/index.html.en 1147) 
torbutton/en/design/index.html.en 1148) Torbutton has to work around a number of Firefox bugs that impact its
torbutton/en/design/index.html.en 1149) security. Most of these are mentioned elsewhere in this document, but they
torbutton/en/design/index.html.en 1150) have also been gathered here for reference. In order of decreasing severity,
torbutton/en/design/index.html.en 1151) they are:
torbutton/en/design/index.html.en 1152) 

torbutton/en/design/index.html.en 1153)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435159" target="_top">Bug 435159 -

torbutton/en/design/index.html.en 1154) nsNSSCertificateDB::DeleteCertificate has race conditions</a><p>
torbutton/en/design/index.html.en 1155) 
torbutton/en/design/index.html.en 1156) In Torbutton 1.2.0rc1, code was added to attempt to isolate SSL certificates
torbutton/en/design/index.html.en 1157) the user has installed. Unfortunately, the method call to delete a certificate
torbutton/en/design/index.html.en 1158) from the current certificate database acts lazily: it only sets a variable
torbutton/en/design/index.html.en 1159) that marks a cert for deletion later, and it is not cleared if that
torbutton/en/design/index.html.en 1160) certificate is re-added. This means that if the Tor state is toggled quickly,
torbutton/en/design/index.html.en 1161) that certificate could remain present until it is re-inserted (causing an
torbutton/en/design/index.html.en 1162) error dialog), and worse, it would still be deleted after that.  The lack of
torbutton/en/design/index.html.en 1163) this functionality is considered a Torbutton security bug because cert
torbutton/en/design/index.html.en 1164) isolation is considered a <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en 1165) feature.
torbutton/en/design/index.html.en 1166) 

torbutton/en/design/index.html.en 1167)       </p></li><li class="listitem">Give more visibility into and control over TLS
torbutton/en/design/index.html.en 1168) negotiation
torbutton/en/design/index.html.en 1169)      <p>
torbutton/en/design/index.html.en 1170) 
torbutton/en/design/index.html.en 1171) There are several <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2482" target="_top">TLS issues
torbutton/en/design/index.html.en 1172) impacting Torbutton security</a>. It is not clear if these should be one
torbutton/en/design/index.html.en 1173) Firefox bug or several, but in particular we need better control over various
torbutton/en/design/index.html.en 1174) aspects of TLS connections. Firefox currently provides no observer capable of
torbutton/en/design/index.html.en 1175) extracting TLS parameters or certificates early enough to cancel a TLS
torbutton/en/design/index.html.en 1176) request. We would like to be able to provide <a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a> users with
torbutton/en/design/index.html.en 1177) the ability to <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission" target="_top">have
torbutton/en/design/index.html.en 1178) their certificates audited</a> by a <a class="ulink" href="http://www.networknotary.org/" target="_top">Perspectives</a>-style set of
torbutton/en/design/index.html.en 1179) notaries. The problem with this is that the API observer points do not exist
torbutton/en/design/index.html.en 1180) for any Firefox addon to actually block authentication token submission over a
torbutton/en/design/index.html.en 1181) TLS channel, so every addon to date (including Perspectives) is actually
torbutton/en/design/index.html.en 1182) providing users with notification *after* their authentication tokens have
torbutton/en/design/index.html.en 1183) already been compromised. This obviously needs to be fixed.

torbutton/en/design/index.html.en 1184)      </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=122752" target="_top">Bug 122752 - SOCKS

torbutton/en/design/index.html.en 1185) Username/Password Support</a><p>
torbutton/en/design/index.html.en 1186) We need <a class="ulink" href="https://developer.mozilla.org/en/nsIProxyInfo" target="_top">Firefox

torbutton/en/design/index.html.en 1187) APIs</a> or about:config settings to control the SOCKS Username and

torbutton/en/design/index.html.en 1188) Password fields. The reason why we need this support is to utilize an (as yet
torbutton/en/design/index.html.en 1189) unimplemented) scheme to separate Tor traffic based <a class="ulink" href="https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/171-separate-streams.txt" target="_top">on
torbutton/en/design/index.html.en 1190) SOCKS username/password</a>.
torbutton/en/design/index.html.en 1191)     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Bug 409737 -

torbutton/en/design/index.html.en 1192) javascript.enabled and docShell.allowJavascript do not disable all event
torbutton/en/design/index.html.en 1193) handlers</a><p>
torbutton/en/design/index.html.en 1194) 
torbutton/en/design/index.html.en 1195) This bug allows pages to execute javascript via addEventListener and perhaps
torbutton/en/design/index.html.en 1196) other callbacks. In order to prevent this bug from enabling an attacker to
torbutton/en/design/index.html.en 1197) break the <a class="link" href="#isolation">Network Isolation</a> requirement,
torbutton/en/design/index.html.en 1198) Torbutton 1.1.13 began blocking popups and history manipulation from different
torbutton/en/design/index.html.en 1199) Tor states.  So long as there are no ways to open popups or redirect the user
torbutton/en/design/index.html.en 1200) to a new page, the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">Torbutton content
torbutton/en/design/index.html.en 1201) policy</a> should block Javascript network access. However, if there are
torbutton/en/design/index.html.en 1202) ways to open popups or perform redirects such that Torbutton cannot block
torbutton/en/design/index.html.en 1203) them, pages may still have free reign to break that requirement and reveal a
torbutton/en/design/index.html.en 1204) user's original IP address.
torbutton/en/design/index.html.en 1205) 
torbutton/en/design/index.html.en 1206)      </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=448743" target="_top">Bug 448743 -
torbutton/en/design/index.html.en 1207) Decouple general.useragent.locale from spoofing of navigator.language</a><p>
torbutton/en/design/index.html.en 1208) 
torbutton/en/design/index.html.en 1209) Currently, Torbutton spoofs the <span class="command"><strong>navigator.language</strong></span>

torbutton/en/design/index.html.en 1210) attribute via <a class="link" href="#jshooks" title="Hook Dangerous Javascript">Javascript hooks</a>. Unfortunately,

torbutton/en/design/index.html.en 1211) these do not work on Firefox 3. It would be ideal to have
torbutton/en/design/index.html.en 1212) a pref to set this value (something like a
torbutton/en/design/index.html.en 1213) <span class="command"><strong>general.useragent.override.locale</strong></span>),
torbutton/en/design/index.html.en 1214) to avoid fragmenting the anonymity set of users of foreign locales. This issue
torbutton/en/design/index.html.en 1215) impedes Torbutton from fully meeting its <a class="link" href="#setpreservation">Anonymity Set Preservation</a>
torbutton/en/design/index.html.en 1216) requirement on Firefox 3.
torbutton/en/design/index.html.en 1217) 

torbutton/en/design/index.html.en 1218)      </p></li></ol></div></div><div class="sect3" title="Bugs blocking functionality"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxWishlist"></a>Bugs blocking functionality</h4></div></div></div><p>

torbutton/en/design/index.html.en 1219) The following bugs impact Torbutton and similar extensions' functionality.

torbutton/en/design/index.html.en 1220)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=629820" target="_top">Bug 629820 - nsIContentPolicy::shouldLoad not

torbutton/en/design/index.html.en 1221) called for web request in Firefox Mobile</a><p>
torbutton/en/design/index.html.en 1222) 
torbutton/en/design/index.html.en 1223) The new <a class="ulink" href="https://wiki.mozilla.org/Mobile/Fennec/Extensions/Electrolysis" target="_top">Electrolysis</a>
torbutton/en/design/index.html.en 1224) multiprocess system appears to have some pretty rough edge cases with respect
torbutton/en/design/index.html.en 1225) to registering XPCOM category managers such as the nsIContentPolicy, which
torbutton/en/design/index.html.en 1226) make it difficult to do a straight-forward port of Torbutton or
torbutton/en/design/index.html.en 1227) HTTPS-Everywhere to Firefox Mobile.  It probably also has similar issues with
torbutton/en/design/index.html.en 1228) wrapping existing <a class="link" href="#hookedxpcom" title="2.1. Hooked Components">Firefox XPCOM components</a>,
torbutton/en/design/index.html.en 1229) which will also cause more problems for porting Torbutton.
torbutton/en/design/index.html.en 1230) 

torbutton/en/design/index.html.en 1231)     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=417869" target="_top">Bug 417869 -

torbutton/en/design/index.html.en 1232) Browser context is difficult to obtain from many XPCOM callbacks</a><p>
torbutton/en/design/index.html.en 1233) 
torbutton/en/design/index.html.en 1234) It is difficult to determine which tabbrowser many XPCOM callbacks originate
torbutton/en/design/index.html.en 1235) from, and in some cases absolutely no context information is provided at all.
torbutton/en/design/index.html.en 1236) While this doesn't have much of an effect on Torbutton, it does make writing
torbutton/en/design/index.html.en 1237) extensions that would like to do per-tab settings and content filters (such as
torbutton/en/design/index.html.en 1238) FoxyProxy) difficult to impossible to implement securely.
torbutton/en/design/index.html.en 1239) 

torbutton/en/design/index.html.en 1240)    </p></li></ol></div></div><div class="sect3" title="Low Priority Bugs"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxMiscBugs"></a>Low Priority Bugs</h4></div></div></div><p>

torbutton/en/design/index.html.en 1241) The following bugs have an effect upon Torbutton, but are superseded by more
torbutton/en/design/index.html.en 1242) practical and more easily fixable variant bugs above; or have stable, simple
torbutton/en/design/index.html.en 1243) workarounds.

torbutton/en/design/index.html.en 1244)   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">Bug 440892 -

torbutton/en/design/index.html.en 1245) network.protocol-handler.warn-external are ignored</a><p>
torbutton/en/design/index.html.en 1246) 
torbutton/en/design/index.html.en 1247) Sometime in the Firefox 3 development cycle, the preferences that governed
torbutton/en/design/index.html.en 1248) warning a user when external apps were launched got disconnected from the code
torbutton/en/design/index.html.en 1249) that does the launching. Torbutton depended on these prefs to prevent websites
torbutton/en/design/index.html.en 1250) from launching specially crafted documents and application arguments that
torbutton/en/design/index.html.en 1251) caused Proxy Bypass. We currently work around this issue by <a class="link" href="#appblocker" title="@mozilla.org/uriloader/external-protocol-service;1 , @mozilla.org/uriloader/external-helper-app-service;1, and @mozilla.org/mime;1 - components/external-app-blocker.js">wrapping the app launching components</a> to present a
torbutton/en/design/index.html.en 1252) popup before launching external apps while Tor is enabled. While this works,
torbutton/en/design/index.html.en 1253) it would be nice if these prefs were either fixed or removed.
torbutton/en/design/index.html.en 1254) 
torbutton/en/design/index.html.en 1255)      </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">Bug 437014 -
torbutton/en/design/index.html.en 1256) nsIContentPolicy::shouldLoad no longer called for favicons</a><p>
torbutton/en/design/index.html.en 1257) 
torbutton/en/design/index.html.en 1258) Firefox 3.0 stopped calling the shouldLoad call of content policy for favicon
torbutton/en/design/index.html.en 1259) loads. Torbutton had relied on this call to block favicon loads for opposite
torbutton/en/design/index.html.en 1260) Tor states. The workaround it employs for Firefox 3 is to cancel the request
torbutton/en/design/index.html.en 1261) when it arrives in the <span class="command"><strong>torbutton_http_observer</strong></span> used for
torbutton/en/design/index.html.en 1262) blocking full page plugin loads. This seems to work just fine, but is a bit
torbutton/en/design/index.html.en 1263) dirty.
torbutton/en/design/index.html.en 1264) 
torbutton/en/design/index.html.en 1265)     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=309524" target="_top">Bug 309524</a>
torbutton/en/design/index.html.en 1266) and <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380556" target="_top">Bug
torbutton/en/design/index.html.en 1267) 380556</a> - nsIContentPolicy::shouldProcess is not called.
torbutton/en/design/index.html.en 1268)      <p>
torbutton/en/design/index.html.en 1269) 
torbutton/en/design/index.html.en 1270) This is a call that would be useful to develop a better workaround for the
torbutton/en/design/index.html.en 1271) allowPlugins issue above. If the content policy were called before a URL was
torbutton/en/design/index.html.en 1272) handed over to a plugin or helper app, it would make the workaround for the
torbutton/en/design/index.html.en 1273) above allowPlugins bug a lot cleaner. Obviously this bug is not as severe as
torbutton/en/design/index.html.en 1274) the others though, but it might be nice to have this API as a backup.
torbutton/en/design/index.html.en 1275) 
torbutton/en/design/index.html.en 1276)      </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">Bug 401296 - docShell.allowPlugins
torbutton/en/design/index.html.en 1277) not honored for direct links</a> (Perhaps subset of <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=282106" target="_top">Bug 282106</a>?)
torbutton/en/design/index.html.en 1278)      <p>
torbutton/en/design/index.html.en 1279) 
torbutton/en/design/index.html.en 1280) Similar to the javascript plugin disabling attribute, the plugin disabling
torbutton/en/design/index.html.en 1281) attribute is also not perfect — it is ignored for direct links to plugin
torbutton/en/design/index.html.en 1282) handled content, as well as meta-refreshes to plugin handled content.  This
torbutton/en/design/index.html.en 1283) requires Torbutton to listen to a number of different http events to intercept
torbutton/en/design/index.html.en 1284) plugin-related mime type URLs and cancel their requests. Again, since plugins
torbutton/en/design/index.html.en 1285) are quite horrible about obeying proxy settings, loading a plugin pretty much
torbutton/en/design/index.html.en 1286) ensures a way to break the <a class="link" href="#isolation">Network Isolation</a>
torbutton/en/design/index.html.en 1287) requirement and reveal a user's original IP address. Torbutton's code to
torbutton/en/design/index.html.en 1288) perform this workaround has been subverted at least once already by Kyle
torbutton/en/design/index.html.en 1289) Williams.
torbutton/en/design/index.html.en 1290) 

torbutton/en/design/index.html.en 1291)      </p></li></ol></div></div></div></div><div class="sect1" title="7. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="TestPlan"></a>7. Testing</h2></div></div></div><p>

torbutton/en/design/index.html.en 1292) 
torbutton/en/design/index.html.en 1293) The purpose of this section is to cover all the known ways that Tor browser
torbutton/en/design/index.html.en 1294) security can be subverted from a penetration testing perspective. The hope
torbutton/en/design/index.html.en 1295) is that it will be useful both for creating a "Tor Safety Check"
torbutton/en/design/index.html.en 1296) page, and for developing novel tests and actively attacking Torbutton with the
torbutton/en/design/index.html.en 1297) goal of finding vulnerabilities in either it or the Mozilla components,
torbutton/en/design/index.html.en 1298) interfaces and settings upon which it relies.
torbutton/en/design/index.html.en 1299) 
torbutton/en/design/index.html.en 1300)   </p><div class="sect2" title="7.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>7.1. Single state testing</h3></div></div></div><p>
torbutton/en/design/index.html.en 1301) 
torbutton/en/design/index.html.en 1302) Torbutton is a complicated piece of software. During development, changes to
torbutton/en/design/index.html.en 1303) one component can affect a whole slough of unrelated features.  A number of
torbutton/en/design/index.html.en 1304) aggregated test suites exist that can be used to test for regressions in
torbutton/en/design/index.html.en 1305) Torbutton and to help aid in the development of Torbutton-like addons and
torbutton/en/design/index.html.en 1306) other privacy modifications of other browsers. Some of these test suites exist
torbutton/en/design/index.html.en 1307) as a single automated page, while others are a series of pages you must visit
torbutton/en/design/index.html.en 1308) individually. They are provided here for reference and future regression
torbutton/en/design/index.html.en 1309) testing, and also in the hope that some brave soul will one day decide to
torbutton/en/design/index.html.en 1310) combine them into a comprehensive automated test suite.
torbutton/en/design/index.html.en 1311) 
torbutton/en/design/index.html.en 1312)      </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://decloak.net/" target="_top">Decloak.net</a><p>
torbutton/en/design/index.html.en 1313) 
torbutton/en/design/index.html.en 1314) Decloak.net is the canonical source of plugin and external-application based
torbutton/en/design/index.html.en 1315) proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to
torbutton/en/design/index.html.en 1316) use to test their anonymity systems.
torbutton/en/design/index.html.en 1317) 
torbutton/en/design/index.html.en 1318)        </p></li><li class="listitem"><a class="ulink" href="https://www.jondos.de/en/anontest" target="_top">JonDos
torbutton/en/design/index.html.en 1319) AnonTest</a><p>
torbutton/en/design/index.html.en 1320) 
torbutton/en/design/index.html.en 1321) The <a class="ulink" href="https://www.jondos.de" target="_top">JonDos people</a> also provide an
torbutton/en/design/index.html.en 1322) anonymity tester. It is more focused on HTTP headers than plugin bypass, and
torbutton/en/design/index.html.en 1323) points out a couple of headers Torbutton could do a better job with
torbutton/en/design/index.html.en 1324) obfuscating.
torbutton/en/design/index.html.en 1325) 
torbutton/en/design/index.html.en 1326)        </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p>
torbutton/en/design/index.html.en 1327) 
torbutton/en/design/index.html.en 1328) Browserspy.dk provides a tremendous collection of browser fingerprinting and
torbutton/en/design/index.html.en 1329) general privacy tests. Unfortunately they are only available one page at a
torbutton/en/design/index.html.en 1330) time, and there is not really solid feedback on good vs bad behavior in
torbutton/en/design/index.html.en 1331) the test results.
torbutton/en/design/index.html.en 1332) 
torbutton/en/design/index.html.en 1333)        </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy
torbutton/en/design/index.html.en 1334) Analyzer</a><p>
torbutton/en/design/index.html.en 1335) 
torbutton/en/design/index.html.en 1336) The Privacy Analyzer provides a dump of all sorts of browser attributes and
torbutton/en/design/index.html.en 1337) settings that it detects, including some information on your origin IP
torbutton/en/design/index.html.en 1338) address. Its page layout and lack of good vs bad test result feedback makes it
torbutton/en/design/index.html.en 1339) not as useful as a user-facing testing tool, but it does provide some
torbutton/en/design/index.html.en 1340) interesting checks in a single page.
torbutton/en/design/index.html.en 1341) 
torbutton/en/design/index.html.en 1342)        </p></li><li class="listitem"><a class="ulink" href="http://ha.ckers.org/mr-t/" target="_top">Mr. T</a><p>
torbutton/en/design/index.html.en 1343) 
torbutton/en/design/index.html.en 1344) Mr. T is a collection of browser fingerprinting and deanonymization exploits
torbutton/en/design/index.html.en 1345) discovered by the <a class="ulink" href="http://ha.ckers.org" target="_top">ha.ckers.org</a> crew
torbutton/en/design/index.html.en 1346) and others. It is also not as user friendly as some of the above tests, but it
torbutton/en/design/index.html.en 1347) is a useful collection.
torbutton/en/design/index.html.en 1348) 
torbutton/en/design/index.html.en 1349)        </p></li><li class="listitem">Gregory Fleischer's <a class="ulink" href="http://pseudo-flaw.net/content/tor/torbutton/" target="_top">Torbutton</a> and
torbutton/en/design/index.html.en 1350) <a class="ulink" href="http://pseudo-flaw.net/content/defcon/dc-17-demos/d.html" target="_top">Defcon
torbutton/en/design/index.html.en 1351) 17</a> Test Cases
torbutton/en/design/index.html.en 1352)        <p>
torbutton/en/design/index.html.en 1353) 
torbutton/en/design/index.html.en 1354) Gregory Fleischer has been hacking and testing Firefox and Torbutton privacy
torbutton/en/design/index.html.en 1355) issues for the past 2 years. He has an excellent collection of all his test
torbutton/en/design/index.html.en 1356) cases that can be used for regression testing. In his Defcon work, he
torbutton/en/design/index.html.en 1357) demonstrates ways to infer Firefox version based on arcane browser properties.
torbutton/en/design/index.html.en 1358) We are still trying to determine the best way to address some of those test
torbutton/en/design/index.html.en 1359) cases.
torbutton/en/design/index.html.en 1360) 
torbutton/en/design/index.html.en 1361)        </p></li><li class="listitem"><a class="ulink" href="https://torcheck.xenobite.eu/index.php" target="_top">Xenobite's
torbutton/en/design/index.html.en 1362) TorCheck Page</a><p>
torbutton/en/design/index.html.en 1363) 
torbutton/en/design/index.html.en 1364) This page checks to ensure you are using a valid Tor exit node and checks for
torbutton/en/design/index.html.en 1365) some basic browser properties related to privacy. It is not very fine-grained
torbutton/en/design/index.html.en 1366) or complete, but it is automated and could be turned into something useful
torbutton/en/design/index.html.en 1367) with a bit of work.
torbutton/en/design/index.html.en 1368) 
torbutton/en/design/index.html.en 1369)        </p></li></ol></div><p>

torbutton/en/design/index.html.en 1370)     </p></div><div class="sect2" title="7.2. Multi-state testing"><div class="titlepage"><div><div><h3 class="title"><a id="id2707624"></a>7.2. Multi-state testing</h3></div></div></div><p>

torbutton/en/design/index.html.en 1371) 
torbutton/en/design/index.html.en 1372) The tests in this section are geared towards a page that would instruct the
torbutton/en/design/index.html.en 1373) user to toggle their Tor state after the fetch and perform some operations:
torbutton/en/design/index.html.en 1374) mouseovers, stray clicks, and potentially reloads.
torbutton/en/design/index.html.en 1375) 

torbutton/en/design/index.html.en 1376)    </p><div class="sect3" title="Cookies and Cache Correlation"><div class="titlepage"><div><div><h4 class="title"><a id="id2707636"></a>Cookies and Cache Correlation</h4></div></div></div><p>

torbutton/en/design/index.html.en 1377) The most obvious test is to set a cookie, ask the user to toggle tor, and then
torbutton/en/design/index.html.en 1378) have them reload the page. The cookie should no longer be set if they are
torbutton/en/design/index.html.en 1379) using the default Torbutton settings. In addition, it is possible to leverage
torbutton/en/design/index.html.en 1380) the cache to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
torbutton/en/design/index.html.en 1381) identifiers</a>. The default settings of Torbutton should also protect
torbutton/en/design/index.html.en 1382) against these from persisting across Tor Toggle.
torbutton/en/design/index.html.en 1383) 

torbutton/en/design/index.html.en 1384)     </p></div><div class="sect3" title="Javascript timers and event handlers"><div class="titlepage"><div><div><h4 class="title"><a id="id2707658"></a>Javascript timers and event handlers</h4></div></div></div><p>

torbutton/en/design/index.html.en 1385) 
torbutton/en/design/index.html.en 1386) Javascript can set timers and register event handlers in the hopes of fetching
torbutton/en/design/index.html.en 1387) URLs after the user has toggled Torbutton. 

torbutton/en/design/index.html.en 1388)     </p></div><div class="sect3" title="CSS Popups and non-script Dynamic Content"><div class="titlepage"><div><div><h4 class="title"><a id="id2707671"></a>CSS Popups and non-script Dynamic Content</h4></div></div></div><p>

torbutton/en/design/index.html.en 1389) 
torbutton/en/design/index.html.en 1390) Even if Javascript is disabled, CSS is still able to 
torbutton/en/design/index.html.en 1391) <a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">create popup-like
torbutton/en/design/index.html.en 1392) windows</a>
torbutton/en/design/index.html.en 1393) via the 'onmouseover' CSS attribute, which can cause arbitrary browser
torbutton/en/design/index.html.en 1394) activity as soon as the mouse enters into the content window. It is also
torbutton/en/design/index.html.en 1395) possible for meta-refresh tags to set timers long enough to make it likely
torbutton/en/design/index.html.en 1396) that the user has toggled Tor before fetching content.
torbutton/en/design/index.html.en 1397) 
torbutton/en/design/index.html.en 1398)     </p></div></div><div class="sect2" title="7.3. Active testing (aka How to Hack Torbutton)"><div class="titlepage"><div><div><h3 class="title"><a id="HackTorbutton"></a>7.3. Active testing (aka How to Hack Torbutton)</h3></div></div></div><p>
torbutton/en/design/index.html.en 1399) 
torbutton/en/design/index.html.en 1400) The idea behind active testing is to discover vulnerabilities in Torbutton to
torbutton/en/design/index.html.en 1401) bypass proxy settings, run script in an opposite Tor state, store unique
torbutton/en/design/index.html.en 1402) identifiers, leak location information, or otherwise violate <a class="link" href="#requirements" title="1.2. Torbutton Requirements">its requirements</a>. Torbutton has ventured out
torbutton/en/design/index.html.en 1403) into a strange and new security landscape. It depends on Firefox mechanisms
torbutton/en/design/index.html.en 1404) that haven't necessarily been audited for security, certainly not for the
torbutton/en/design/index.html.en 1405) threat model that Torbutton seeks to address. As such, it and the interfaces
torbutton/en/design/index.html.en 1406) it depends upon still need a 'trial by fire' typical of new technologies. This
torbutton/en/design/index.html.en 1407) section of the document was written with the intention of making that period
torbutton/en/design/index.html.en 1408) as fast as possible. Please help us get through this period by considering
torbutton/en/design/index.html.en 1409) these attacks, playing with them, and reporting what you find (and potentially
torbutton/en/design/index.html.en 1410) submitting the test cases back to be run in the standard batch of Torbutton
torbutton/en/design/index.html.en 1411) tests.
torbutton/en/design/index.html.en 1412) 

torbutton/en/design/index.html.en 1413)    </p><div class="sect3" title="Some suggested vectors to investigate"><div class="titlepage"><div><div><h4 class="title"><a id="id2707726"></a>Some suggested vectors to investigate</h4></div></div></div><p>