Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1) <?xml version="1.0" encoding="UTF-8"?>
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Georg</span> <span class="surname">Koppen</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:gk#torproject org">gk#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">March 10th, 2017</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idm29">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idm1010">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idm1042">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idm1049">5.3. Anonymous Verification</a></span></dt><dt><span class="sect2"><a href="#update-safety">5.4. Update Safety</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idm1090">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm29"></a>1. Introduction</h2></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 3)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 4) This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 5) <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the Tor Browser. It is current as of Tor Browser
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 6) 6.5.1.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 7)
projects/en/torbrowser/design/index.html.en 8) </p><p>
projects/en/torbrowser/design/index.html.en 9)
projects/en/torbrowser/design/index.html.en 10) This document is also meant to serve as a set of design requirements and to
projects/en/torbrowser/design/index.html.en 11) describe a reference implementation of a Private Browsing Mode that defends
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 12) against active network adversaries, in addition to the passive forensic local
projects/torbrowser/design/index.html.en 13) adversary currently addressed by the major browsers.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 14)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 15) </p><p>
projects/torbrowser/design/index.html.en 16)
projects/torbrowser/design/index.html.en 17) For more practical information regarding Tor Browser development, please
projects/torbrowser/design/index.html.en 18) consult the <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking" target="_top">Tor
projects/torbrowser/design/index.html.en 19) Browser Hacking Guide</a>.
projects/torbrowser/design/index.html.en 20)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 21) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="components"></a>1.1. Browser Component Overview</h3></div></div></div><p>
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 22)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 23) The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/" target="_top">Mozilla's Extended
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 24) Support Release (ESR) Firefox branch</a>. We have a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git" target="_top">series of patches</a>
projects/torbrowser/design/index.html.en 25) against this browser to enhance privacy and security. Browser behavior is
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 26) additionally augmented through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/" target="_top">Torbutton
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 27) extension</a>, though we are in the process of moving this functionality
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 28) into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-45.8.0esr-6.5-2" target="_top">change
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 29) a number of Firefox preferences</a> from their defaults.
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 30)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 31) </p><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 32) Tor process management and configuration is accomplished through the <a class="ulink" href="https://gitweb.torproject.org/tor-launcher.git" target="_top">Tor Launcher</a>
projects/torbrowser/design/index.html.en 33) addon, which provides the initial Tor configuration splash screen and
projects/torbrowser/design/index.html.en 34) bootstrap progress bar. Tor Launcher is also compatible with Thunderbird,
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 35) Instantbird, and XULRunner.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 36)
projects/torbrowser/design/index.html.en 37) </p><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 38)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 39) To help protect against potential Tor Exit Node eavesdroppers, we include
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 40) <a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a>. To
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 41) provide users with optional defense-in-depth against JavaScript and other
projects/torbrowser/design/index.html.en 42) potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/" target="_top">NoScript</a>. We also modify <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js" target="_top">several
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 43) extension preferences</a> from their defaults.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 44)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 45) </p><p>
projects/torbrowser/design/index.html.en 46)
projects/torbrowser/design/index.html.en 47) To provide censorship circumvention in areas where the public Tor network is
projects/torbrowser/design/index.html.en 48) blocked either by IP, or by protocol fingerprint, we include several <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports" target="_top">Pluggable
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 49) Transports</a> in the distribution. As of this writing, we include <a class="ulink" href="https://gitweb.torproject.org/pluggable-transports/obfs4.git" target="_top">Obfs3proxy,
projects/torbrowser/design/index.html.en 50) Obfs4proxy, Scramblesuit</a>,
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 51) <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/meek" target="_top">meek</a>,
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 52) and <a class="ulink" href="https://fteproxy.org/" target="_top">FTE</a>.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 53)
projects/torbrowser/design/index.html.en 54) </p></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 55)
projects/en/torbrowser/design/index.html.en 56) The Tor Browser Design Requirements are meant to describe the properties of a
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 57) Private Browsing Mode that defends against both network and local forensic
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 58) adversaries.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 59)
projects/en/torbrowser/design/index.html.en 60) </p><p>
projects/en/torbrowser/design/index.html.en 61)
projects/en/torbrowser/design/index.html.en 62) There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 63) minimum properties in order for a browser to be able to support Tor and
projects/torbrowser/design/index.html.en 64) similar privacy proxies safely. Privacy requirements are the set of properties
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 65) that cause us to prefer one browser over another.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 66)
projects/en/torbrowser/design/index.html.en 67) </p><p>
projects/en/torbrowser/design/index.html.en 68)
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 69) While we will endorse the use of browsers that meet the security requirements,
projects/torbrowser/design/index.html.en 70) it is primarily the privacy requirements that cause us to maintain our own
projects/torbrowser/design/index.html.en 71) browser distribution.
projects/torbrowser/design/index.html.en 72)
projects/torbrowser/design/index.html.en 73) </p><p>
projects/torbrowser/design/index.html.en 74)
projects/torbrowser/design/index.html.en 75) The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
projects/torbrowser/design/index.html.en 76) NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
projects/torbrowser/design/index.html.en 77) "OPTIONAL" in this document are to be interpreted as described in
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 78) <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 79)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 80) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 81)
projects/en/torbrowser/design/index.html.en 82) The security requirements are primarily concerned with ensuring the safe use
projects/en/torbrowser/design/index.html.en 83) of Tor. Violations in these properties typically result in serious risk for
|
Add a couple extra sentence...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 84) the user in terms of immediate deanonymization and/or observability. With
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 85) respect to browser support, security requirements are the minimum properties
projects/torbrowser/design/index.html.en 86) in order for Tor to support the use of a particular browser.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 87)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 88) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy
|
Update TBB design doc w/ an...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 89) Obedience</strong></span></a><p>The browser
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 90) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="4.2. State Separation"><span class="command"><strong>State
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 91) Separation</strong></span></a><p>
projects/torbrowser/design/index.html.en 92)
projects/torbrowser/design/index.html.en 93) The browser MUST NOT provide the content window with any state from any other
projects/torbrowser/design/index.html.en 94) browsers or any non-Tor browsing modes. This includes shared state from
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 95) independent plugins, and shared state from operating system implementations of
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 96) TLS and other support libraries.
projects/torbrowser/design/index.html.en 97)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 98) </p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance"><span class="command"><strong>Disk
|
Update TBB design doc w/ an...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 99) Avoidance</strong></span></a><p>
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 100)
projects/torbrowser/design/index.html.en 101) The browser MUST NOT write any information that is derived from or that
projects/torbrowser/design/index.html.en 102) reveals browsing activity to the disk, or store it in memory beyond the
projects/torbrowser/design/index.html.en 103) duration of one browsing session, unless the user has explicitly opted to
projects/torbrowser/design/index.html.en 104) store their browsing history information to disk.
projects/torbrowser/design/index.html.en 105)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 106) </p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="4.4. Application Data Isolation"><span class="command"><strong>Application Data
|
Update TBB design doc w/ an...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 107) Isolation</strong></span></a><p>
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 108)
|
Additional comments from Ge...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 109) The components involved in providing private browsing MUST be self-contained,
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 110) or MUST provide a mechanism for rapid, complete removal of all evidence of the
projects/torbrowser/design/index.html.en 111) use of the mode. In other words, the browser MUST NOT write or cause the
projects/torbrowser/design/index.html.en 112) operating system to write <span class="emphasis"><em>any information</em></span> about the use
projects/torbrowser/design/index.html.en 113) of private browsing to disk outside of the application's control. The user
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 114) must be able to ensure that secure deletion of the software is sufficient to
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 115) remove evidence of the use of the software. All exceptions and shortcomings
|
Additional comments from Ge...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 116) due to operating system behavior MUST be wiped by an uninstaller. However, due
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 117) to permissions issues with access to swap, implementations MAY choose to leave
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 118) it out of scope, and/or leave it to the operating system/platform to implement
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 119) ephemeral-keyed encrypted swap.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 120)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 121) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 122)
projects/en/torbrowser/design/index.html.en 123) The privacy requirements are primarily concerned with reducing linkability:
|
Add a couple extra sentence...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 124) the ability for a user's activity on one site to be linked with their activity
projects/torbrowser/design/index.html.en 125) on another site without their knowledge or explicit consent. With respect to
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 126) browser support, privacy requirements are the set of properties that cause us
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 127) to prefer one browser over another.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 128)
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 129) </p><p>
projects/torbrowser/design/index.html.en 130)
projects/torbrowser/design/index.html.en 131) For the purposes of the unlinkability requirements of this section as well as
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 132) the descriptions in the <a class="link" href="#Implementation" title="4. Implementation">implementation
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 133) section</a>, a <span class="command"><strong>URL bar origin</strong></span> means at least the
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 134) second-level DNS name. For example, for mail.google.com, the origin would be
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 135) google.com. Implementations MAY, at their option, restrict the URL bar origin
|
Additional comments from Ge...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 136) to be the entire fully qualified domain name.
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 137)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 138) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
|
Update TBB design doc w/ an...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 139) Identifier Unlinkability</strong></span></a><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 140)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 141) User activity on one URL bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en 142) any other URL bar origin by any third party automatically or without user
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 143) interaction or approval. This requirement specifically applies to linkability
projects/torbrowser/design/index.html.en 144) from stored browser identifiers, authentication tokens, and shared state. The
projects/torbrowser/design/index.html.en 145) requirement does not apply to linkable information the user manually submits
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 146) to sites, or due to information submitted during manual link traversal. This
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 147) functionality SHOULD NOT interfere with interactive, click-driven federated
projects/torbrowser/design/index.html.en 148) login in a substantial way.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 149)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 150) </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
|
Update TBB design doc w/ an...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 151) Fingerprinting Unlinkability</strong></span></a><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 152)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 153) User activity on one URL bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en 154) any other URL bar origin by any third party. This property specifically applies to
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 155) linkability from fingerprinting browser behavior.
projects/en/torbrowser/design/index.html.en 156)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 157) </p></li><li class="listitem"><a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button"><span class="command"><strong>Long-Term
|
Update TBB design doc w/ an...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 158) Unlinkability</strong></span></a><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 159)
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 160) The browser MUST provide an obvious, easy way for the user to remove all of
projects/torbrowser/design/index.html.en 161) its authentication tokens and browser state and obtain a fresh identity.
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 162) Additionally, the browser SHOULD clear linkable state by default automatically
projects/torbrowser/design/index.html.en 163) upon browser restart, except at user option.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 164)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 165) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 166)
projects/en/torbrowser/design/index.html.en 167) In addition to the above design requirements, the technology decisions about
projects/en/torbrowser/design/index.html.en 168) Tor Browser are also guided by some philosophical positions about technology.
projects/en/torbrowser/design/index.html.en 169)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 170) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 171)
projects/en/torbrowser/design/index.html.en 172) The existing way that the user expects to use a browser must be preserved. If
projects/en/torbrowser/design/index.html.en 173) the user has to maintain a different mental model of how the sites they are
projects/en/torbrowser/design/index.html.en 174) using behave depending on tab, browser state, or anything else that would not
projects/en/torbrowser/design/index.html.en 175) normally be what they experience in their default browser, the user will
projects/en/torbrowser/design/index.html.en 176) inevitably be confused. They will make mistakes and reduce their privacy as a
projects/en/torbrowser/design/index.html.en 177) result. Worse, they may just stop using the browser, assuming it is broken.
projects/en/torbrowser/design/index.html.en 178)
projects/en/torbrowser/design/index.html.en 179) </p><p>
projects/en/torbrowser/design/index.html.en 180)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 181) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 182) of Torbutton</a>: Even if users managed to install everything properly,
projects/en/torbrowser/design/index.html.en 183) the toggle model was too hard for the average user to understand, especially
projects/en/torbrowser/design/index.html.en 184) in the face of accumulating tabs from multiple states crossed with the current
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 185) Tor-state of the browser.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 186)
projects/en/torbrowser/design/index.html.en 187) </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
projects/en/torbrowser/design/index.html.en 188) break sites</strong></span><p>
projects/en/torbrowser/design/index.html.en 189)
projects/en/torbrowser/design/index.html.en 190) In general, we try to find solutions to privacy issues that will not induce
projects/en/torbrowser/design/index.html.en 191) site breakage, though this is not always possible.
projects/en/torbrowser/design/index.html.en 192)
projects/en/torbrowser/design/index.html.en 193) </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>
projects/en/torbrowser/design/index.html.en 194)
projects/en/torbrowser/design/index.html.en 195) Even if plugins always properly used the browser proxy settings (which none of
projects/en/torbrowser/design/index.html.en 196) them do) and could not be induced to bypass them (which all of them can), the
projects/en/torbrowser/design/index.html.en 197) activities of closed-source plugins are very difficult to audit and control.
projects/en/torbrowser/design/index.html.en 198) They can obtain and transmit all manner of system information to websites,
projects/en/torbrowser/design/index.html.en 199) often have their own identifier storage for tracking users, and also
projects/en/torbrowser/design/index.html.en 200) contribute to fingerprinting.
projects/en/torbrowser/design/index.html.en 201)
projects/en/torbrowser/design/index.html.en 202) </p><p>
projects/en/torbrowser/design/index.html.en 203)
projects/en/torbrowser/design/index.html.en 204) Therefore, if plugins are to be enabled in private browsing modes, they must
projects/en/torbrowser/design/index.html.en 205) be restricted from running automatically on every page (via click-to-play
projects/en/torbrowser/design/index.html.en 206) placeholders), and/or be sandboxed to restrict the types of system calls they
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 207) can execute. If the user agent allows the user to craft an exemption to allow
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 208) a plugin to be used automatically, it must only apply to the top level URL bar
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 209) domain, and not to all sites, to reduce cross-origin fingerprinting
projects/torbrowser/design/index.html.en 210) linkability.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 211)
projects/en/torbrowser/design/index.html.en 212) </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
projects/en/torbrowser/design/index.html.en 213)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 214) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 215) failure of Torbutton</a> was the options panel. Each option
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 216) that detectably alters browser behavior can be used as a fingerprinting tool.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 217) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">should be
projects/torbrowser/design/index.html.en 218) disabled in the mode</a> except as an opt-in basis. We should not load
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 219) system-wide and/or operating system provided addons or plugins.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 220)
projects/en/torbrowser/design/index.html.en 221) </p><p>
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 222) Instead of global browser privacy options, privacy decisions should be made
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 223) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 224) URL bar origin</a> to eliminate the possibility of linkability
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 225) between domains. For example, when a plugin object (or a JavaScript access of
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 226) window.plugins) is present in a page, the user should be given the choice of
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 227) allowing that plugin object for that URL bar origin only. The same
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 228) goes for exemptions to third party cookie policy, geolocation, and any other
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 229) privacy permissions.
projects/en/torbrowser/design/index.html.en 230) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 231) If the user has indicated they wish to record local history storage, these
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 232) permissions can be written to disk. Otherwise, they should remain memory-only.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 233) </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>
projects/en/torbrowser/design/index.html.en 234)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 235) Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
projects/torbrowser/design/index.html.en 236) Plus</a>, <a class="ulink" href="http://requestpolicy.com/" target="_top">Request Policy</a>,
projects/torbrowser/design/index.html.en 237) <a class="ulink" href="http://www.ghostery.com/about" target="_top">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 238) avoided. We believe that these addons do not add any real privacy to a proper
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 239) <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, and that development efforts
projects/torbrowser/design/index.html.en 240) should be focused on general solutions that prevent tracking by all
projects/torbrowser/design/index.html.en 241) third parties, rather than a list of specific URLs or hosts.
projects/torbrowser/design/index.html.en 242) </p><p>
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 243) Implementing filter-based blocking directly into the browser, such as done with
projects/torbrowser/design/index.html.en 244) <a class="ulink" href="http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf" target="_top">
projects/torbrowser/design/index.html.en 245) Firefox' Tracking Protection</a>, does not alleviate the concerns mentioned
projects/torbrowser/design/index.html.en 246) in the previous paragraph. There is still just a list concerned with specific
projects/torbrowser/design/index.html.en 247) URLs and hosts which, in this case, are
projects/torbrowser/design/index.html.en 248) <a class="ulink" href="https://services.disconnect.me/disconnect-plaintext.json" target="_top">
projects/torbrowser/design/index.html.en 249) assembled</a> by <a class="ulink" href="https://disconnect.me/trackerprotection" target="_top">
projects/torbrowser/design/index.html.en 250) Disconnect</a> and <a class="ulink" href="https://github.com/mozilla-services/shavar-list-exceptions" target="_top">adapted</a> by Mozilla.
projects/torbrowser/design/index.html.en 251) </p><p>
projects/torbrowser/design/index.html.en 252) Trying to resort to <a class="ulink" href="https://jonathanmayer.org/papers_data/bau13.pdf" target="_top">filter methods based on
projects/torbrowser/design/index.html.en 253) machine learning</a> does not solve the problem either: they don't provide
projects/torbrowser/design/index.html.en 254) a general solution to the tracking problem as they are working probabilistically.
projects/torbrowser/design/index.html.en 255) Even with a precision rate at 99% and a false positive rate at 0.1% trackers
projects/torbrowser/design/index.html.en 256) would be missed and sites would be wrongly blocked.
projects/torbrowser/design/index.html.en 257) </p><p>
projects/torbrowser/design/index.html.en 258) Filter-based solutions in general can also introduce strange breakage and cause
projects/torbrowser/design/index.html.en 259) usability nightmares. Coping with those easily leads to just <a class="ulink" href="https://github.com/mozilla-services/shavar-list-exceptions" target="_top">whitelisting
projects/torbrowser/design/index.html.en 260) </a>
projects/torbrowser/design/index.html.en 261) the affected domains defeating the purpose of the filter in the first place.
projects/torbrowser/design/index.html.en 262) Filters will also fail to do their job if an adversary simply
projects/torbrowser/design/index.html.en 263) registers a new domain or <a class="ulink" href="http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_24.pdf" target="_top">
projects/torbrowser/design/index.html.en 264) creates a new URL path</a>. Worse still, the unique filter sets that each
projects/torbrowser/design/index.html.en 265) user creates or installs will provide a wealth of fingerprinting targets.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 266) </p><p>
projects/en/torbrowser/design/index.html.en 267)
projects/en/torbrowser/design/index.html.en 268) As a general matter, we are also generally opposed to shipping an always-on Ad
projects/en/torbrowser/design/index.html.en 269) blocker with Tor Browser. We feel that this would damage our credibility in
projects/en/torbrowser/design/index.html.en 270) terms of demonstrating that we are providing privacy through a sound design
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 271) alone, as well as damage the acceptance of Tor users by sites that support
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 272) themselves through advertising revenue.
projects/en/torbrowser/design/index.html.en 273)
projects/en/torbrowser/design/index.html.en 274) </p><p>
projects/en/torbrowser/design/index.html.en 275) Users are free to install these addons if they wish, but doing
projects/en/torbrowser/design/index.html.en 276) so is not recommended, as it will alter the browser request fingerprint.
projects/en/torbrowser/design/index.html.en 277) </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
projects/en/torbrowser/design/index.html.en 278) We believe that if we do not stay current with the support of new web
projects/en/torbrowser/design/index.html.en 279) technologies, we cannot hope to substantially influence or be involved in
projects/en/torbrowser/design/index.html.en 280) their proper deployment or privacy realization. However, we will likely disable
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 281) high-risk features pending analysis, audit, and mitigation.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 282) </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="adversary"></a>3. Adversary Model</h2></div></div></div><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 283)
projects/torbrowser/design/index.html.en 284) A Tor web browser adversary has a number of goals, capabilities, and attack
projects/torbrowser/design/index.html.en 285) types that can be used to illustrate the design requirements for the
projects/torbrowser/design/index.html.en 286) Tor Browser. Let's start with the goals.
projects/torbrowser/design/index.html.en 287)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 288) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-goals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 289) Tor, causing the user to directly connect to an IP of the adversary's
projects/torbrowser/design/index.html.en 290) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
projects/torbrowser/design/index.html.en 291) happily settle for the ability to correlate something a user did via Tor with
projects/torbrowser/design/index.html.en 292) their non-Tor activity. This can be done with cookies, cache identifiers,
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 293) JavaScript events, and even CSS. Sometimes the fact that a user uses Tor may
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 294) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
projects/torbrowser/design/index.html.en 295) The adversary may also be interested in history disclosure: the ability to
projects/torbrowser/design/index.html.en 296) query a user's history to see if they have issued certain censored search
projects/torbrowser/design/index.html.en 297) queries, or visited censored sites.
projects/torbrowser/design/index.html.en 298) </p></li><li class="listitem"><span class="command"><strong>Correlate activity across multiple sites</strong></span><p>
projects/torbrowser/design/index.html.en 299)
projects/torbrowser/design/index.html.en 300) The primary goal of the advertising networks is to know that the user who
projects/torbrowser/design/index.html.en 301) visited siteX.com is the same user that visited siteY.com to serve them
projects/torbrowser/design/index.html.en 302) targeted ads. The advertising networks become our adversary insofar as they
projects/torbrowser/design/index.html.en 303) attempt to perform this correlation without the user's explicit consent.
projects/torbrowser/design/index.html.en 304)
projects/torbrowser/design/index.html.en 305) </p></li><li class="listitem"><span class="command"><strong>Fingerprinting/anonymity set reduction</strong></span><p>
projects/torbrowser/design/index.html.en 306)
projects/torbrowser/design/index.html.en 307) Fingerprinting (more generally: "anonymity set reduction") is used to attempt
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 308) to gather identifying information on a particular individual without the use
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 309) of tracking identifiers. If the dissident's or whistleblower's timezone is
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 310) available, and they are using a rare build of Firefox for an obscure operating
projects/torbrowser/design/index.html.en 311) system, and they have a specific display resolution only used on one type of
projects/torbrowser/design/index.html.en 312) laptop, this can be very useful information for tracking them down, or at
projects/torbrowser/design/index.html.en 313) least <a class="link" href="#fingerprinting">tracking their activities</a>.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 314)
projects/torbrowser/design/index.html.en 315) </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
projects/torbrowser/design/index.html.en 316) information</strong></span><p>
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 317)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 318) In some cases, the adversary may opt for a heavy-handed approach, such as
projects/torbrowser/design/index.html.en 319) seizing the computers of all Tor users in an area (especially after narrowing
projects/torbrowser/design/index.html.en 320) the field by the above two pieces of information). History records and cache
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 321) data are the primary goals here. Secondary goals may include confirming
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 322) on-disk identifiers (such as hostname and disk-logged spoofed MAC address
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 323) history) obtained by other means.
projects/torbrowser/design/index.html.en 324)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 325) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-positioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 326) The adversary can position themselves at a number of different locations in
projects/torbrowser/design/index.html.en 327) order to execute their attacks.
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 328) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 329) The adversary can run exit nodes, or alternatively, they may control routers
projects/torbrowser/design/index.html.en 330) upstream of exit nodes. Both of these scenarios have been observed in the
projects/torbrowser/design/index.html.en 331) wild.
projects/torbrowser/design/index.html.en 332) </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
projects/torbrowser/design/index.html.en 333) The adversary can also run websites, or more likely, they can contract out
projects/torbrowser/design/index.html.en 334) ad space from a number of different ad servers and inject content that way. For
projects/torbrowser/design/index.html.en 335) some users, the adversary may be the ad servers themselves. It is not
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 336) inconceivable that ad servers may try to subvert or reduce a user's anonymity
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 337) through Tor for marketing purposes.
projects/torbrowser/design/index.html.en 338) </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
projects/torbrowser/design/index.html.en 339) The adversary can also inject malicious content at the user's upstream router
projects/torbrowser/design/index.html.en 340) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
projects/torbrowser/design/index.html.en 341) activity.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 342) </p><p>
projects/torbrowser/design/index.html.en 343)
projects/torbrowser/design/index.html.en 344) Additionally, at this position the adversary can block Tor, or attempt to
projects/torbrowser/design/index.html.en 345) recognize the traffic patterns of specific web pages at the entrance to the Tor
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 346) network.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 347)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 348) </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
projects/torbrowser/design/index.html.en 349) Some users face adversaries with intermittent or constant physical access.
projects/torbrowser/design/index.html.en 350) Users in Internet cafes, for example, face such a threat. In addition, in
projects/torbrowser/design/index.html.en 351) countries where simply using tools like Tor is illegal, users may face
projects/torbrowser/design/index.html.en 352) confiscation of their computer equipment for excessive Tor usage or just
projects/torbrowser/design/index.html.en 353) general suspicion.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 354) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"></a>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 355)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 356) The adversary can perform the following attacks from a number of different
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 357) positions to accomplish various aspects of their goals. It should be noted
projects/torbrowser/design/index.html.en 358) that many of these attacks (especially those involving IP address leakage) are
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 359) often performed by accident by websites that simply have JavaScript, dynamic
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 360) CSS elements, and plugins. Others are performed by ad servers seeking to
projects/torbrowser/design/index.html.en 361) correlate users' activity across different IP addresses, and still others are
projects/torbrowser/design/index.html.en 362) performed by malicious agents on the Tor network and at national firewalls.
projects/torbrowser/design/index.html.en 363)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 364) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 365)
projects/torbrowser/design/index.html.en 366) The browser contains multiple facilities for storing identifiers that the
projects/torbrowser/design/index.html.en 367) adversary creates for the purposes of tracking users. These identifiers are
projects/torbrowser/design/index.html.en 368) most obviously cookies, but also include HTTP auth, DOM storage, cached
projects/torbrowser/design/index.html.en 369) scripts and other elements with embedded identifiers, client certificates, and
projects/torbrowser/design/index.html.en 370) even TLS Session IDs.
projects/torbrowser/design/index.html.en 371)
projects/torbrowser/design/index.html.en 372) </p><p>
projects/torbrowser/design/index.html.en 373)
projects/torbrowser/design/index.html.en 374) An adversary in a position to perform MITM content alteration can inject
projects/torbrowser/design/index.html.en 375) document content elements to both read and inject cookies for arbitrary
projects/torbrowser/design/index.html.en 376) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 377) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 378) sidejacking</a>. In addition, the ad networks of course perform tracking
projects/torbrowser/design/index.html.en 379) with cookies as well.
projects/torbrowser/design/index.html.en 380)
projects/torbrowser/design/index.html.en 381) </p><p>
projects/torbrowser/design/index.html.en 382)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 383) These types of attacks are attempts at subverting our <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button">Long-Term Unlinkability</a> design requirements.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 384)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 385) </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 386) attributes</strong></span><p>
projects/torbrowser/design/index.html.en 387)
projects/torbrowser/design/index.html.en 388) There is an absurd amount of information available to websites via attributes
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 389) of the browser. This information can be used to reduce the anonymity set, or
projects/torbrowser/design/index.html.en 390) even uniquely fingerprint individual users. Attacks of this nature are
projects/torbrowser/design/index.html.en 391) typically aimed at tracking users across sites without their consent, in an
projects/torbrowser/design/index.html.en 392) attempt to subvert our <a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability">Cross-Origin
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 393) Fingerprinting Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button">Long-Term Unlinkability</a> design requirements.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 394)
projects/torbrowser/design/index.html.en 395) </p><p>
projects/torbrowser/design/index.html.en 396)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 397) Fingerprinting is an intimidating problem to attempt to tackle, especially
projects/torbrowser/design/index.html.en 398) without a metric to determine or at least intuitively understand and estimate
projects/torbrowser/design/index.html.en 399) which features will most contribute to linkability between visits.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 400)
projects/torbrowser/design/index.html.en 401) </p><p>
projects/torbrowser/design/index.html.en 402)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 403) The <a class="ulink" href="https://panopticlick.eff.org/about" target="_top">Panopticlick study
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 404) done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29" target="_top">Shannon
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 405) entropy</a> - the number of identifying bits of information encoded in
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 406) browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> is
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 407) definitely useful, and the metric is probably the appropriate one for
projects/torbrowser/design/index.html.en 408) determining how identifying a particular browser property is. However, some
projects/torbrowser/design/index.html.en 409) quirks of their study means that they do not extract as much information as
projects/torbrowser/design/index.html.en 410) they could from display information: they only use desktop resolution and do
projects/torbrowser/design/index.html.en 411) not attempt to infer the size of toolbars. In the other direction, they may be
projects/torbrowser/design/index.html.en 412) over-counting in some areas, as they did not compute joint entropy over
projects/torbrowser/design/index.html.en 413) multiple attributes that may exhibit a high degree of correlation. Also, new
projects/torbrowser/design/index.html.en 414) browser features are added regularly, so the data should not be taken as
projects/torbrowser/design/index.html.en 415) final.
projects/torbrowser/design/index.html.en 416)
projects/torbrowser/design/index.html.en 417) </p><p>
projects/torbrowser/design/index.html.en 418)
projects/torbrowser/design/index.html.en 419) Despite the uncertainty, all fingerprinting attacks leverage the following
projects/torbrowser/design/index.html.en 420) attack vectors:
projects/torbrowser/design/index.html.en 421)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 422) </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 423)
projects/torbrowser/design/index.html.en 424) Properties of the user's request behavior comprise the bulk of low-hanging
projects/torbrowser/design/index.html.en 425) fingerprinting targets. These include: User agent, Accept-* headers, pipeline
projects/torbrowser/design/index.html.en 426) usage, and request ordering. Additionally, the use of custom filters such as
projects/torbrowser/design/index.html.en 427) AdBlock and other privacy filters can be used to fingerprint request patterns
projects/torbrowser/design/index.html.en 428) (as an extreme example).
projects/torbrowser/design/index.html.en 429)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 430) </p></li><li class="listitem"><span class="command"><strong>Inserting JavaScript</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 431)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 432) JavaScript can reveal a lot of fingerprinting information. It provides DOM
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 433) objects such as window.screen and window.navigator to extract information
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 434) about the user agent.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 435)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 436) Also, JavaScript can be used to query the user's timezone via the
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 437) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 438) reveal information about the video card in use, and high precision timing
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 439) information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 440) interpreter speed</a>. JavaScript features such as
projects/torbrowser/design/index.html.en 441) <a class="ulink" href="https://www.w3.org/TR/resource-timing/" target="_top">Resource Timing</a>
projects/torbrowser/design/index.html.en 442) may leak an unknown amount of network timing related information. And, moreover,
projects/torbrowser/design/index.html.en 443) JavaScript is able to
projects/torbrowser/design/index.html.en 444) <a class="ulink" href="https://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf" target="_top">
projects/torbrowser/design/index.html.en 445) extract</a>
projects/torbrowser/design/index.html.en 446) <a class="ulink" href="https://www.cosic.esat.kuleuven.be/fpdetective/" target="_top">available</a>
projects/torbrowser/design/index.html.en 447) <a class="ulink" href="https://hal.inria.fr/hal-01285470v2/document" target="_top">fonts</a> on a
projects/torbrowser/design/index.html.en 448) device with high precision.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 449)
projects/torbrowser/design/index.html.en 450) </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
projects/torbrowser/design/index.html.en 451)
projects/torbrowser/design/index.html.en 452) The Panopticlick project found that the mere list of installed plugins (in
projects/torbrowser/design/index.html.en 453) navigator.plugins) was sufficient to provide a large degree of
projects/torbrowser/design/index.html.en 454) fingerprintability. Additionally, plugins are capable of extracting font lists,
projects/torbrowser/design/index.html.en 455) interface addresses, and other machine information that is beyond what the
projects/torbrowser/design/index.html.en 456) browser would normally provide to content. In addition, plugins can be used to
projects/torbrowser/design/index.html.en 457) store unique identifiers that are more difficult to clear than standard
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 458) cookies. <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 459) cookies</a> fall into this category, but there are likely numerous other
projects/torbrowser/design/index.html.en 460) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 461) settings of the browser.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 462)
projects/torbrowser/design/index.html.en 463)
projects/torbrowser/design/index.html.en 464) </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
projects/torbrowser/design/index.html.en 465)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 466) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 467) queries</a> can be inserted to gather information about the desktop size,
projects/torbrowser/design/index.html.en 468) widget size, display type, DPI, user agent type, and other information that
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 469) was formerly available only to JavaScript.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 470)
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 471) </p></li></ol></div></li><li class="listitem"><a id="website-traffic-fingerprinting"></a><span class="command"><strong>Website traffic fingerprinting</strong></span><p>
projects/torbrowser/design/index.html.en 472)
projects/torbrowser/design/index.html.en 473) Website traffic fingerprinting is an attempt by the adversary to recognize the
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 474) encrypted traffic patterns of specific websites. In the case of Tor, this
projects/torbrowser/design/index.html.en 475) attack would take place between the user and the Guard node, or at the Guard
projects/torbrowser/design/index.html.en 476) node itself.
projects/torbrowser/design/index.html.en 477) </p><p> The most comprehensive study of the statistical properties of this
projects/torbrowser/design/index.html.en 478) attack against Tor was done by <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 479) et al</a>. Unfortunately, the publication bias in academia has encouraged
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 480) the production of
projects/torbrowser/design/index.html.en 481) <a class="ulink" href="https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks" target="_top">a
projects/torbrowser/design/index.html.en 482) number of follow-on attack papers claiming "improved" success rates</a>, in
projects/torbrowser/design/index.html.en 483) some cases even claiming to completely invalidate any attempt at defense. These
projects/torbrowser/design/index.html.en 484) "improvements" are actually enabled primarily by taking a number of shortcuts
projects/torbrowser/design/index.html.en 485) (such as classifying only very small numbers of web pages, neglecting to publish
projects/torbrowser/design/index.html.en 486) ROC curves or at least false positive rates, and/or omitting the effects of
projects/torbrowser/design/index.html.en 487) dataset size on their results). Despite these subsequent "improvements", we are
projects/torbrowser/design/index.html.en 488) skeptical of the efficacy of this attack in a real world scenario,
projects/torbrowser/design/index.html.en 489) <span class="emphasis"><em>especially</em></span> in the face of any defenses.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 490)
projects/torbrowser/design/index.html.en 491) </p><p>
projects/torbrowser/design/index.html.en 492)
|
TBB design doc: Clarify web...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 493) In general, with machine learning, as you increase the <a class="ulink" href="https://en.wikipedia.org/wiki/VC_dimension" target="_top">number and/or complexity of
projects/torbrowser/design/index.html.en 494) categories to classify</a> while maintaining a limit on reliable feature
projects/torbrowser/design/index.html.en 495) information you can extract, you eventually run out of descriptive feature
projects/torbrowser/design/index.html.en 496) information, and either true positive accuracy goes down or the false positive
projects/torbrowser/design/index.html.en 497) rate goes up. This error is called the <a class="ulink" href="http://www.cs.washington.edu/education/courses/csep573/98sp/lectures/lecture8/sld050.htm" target="_top">bias
projects/torbrowser/design/index.html.en 498) in your hypothesis space</a>. In fact, even for unbiased hypothesis
projects/torbrowser/design/index.html.en 499) spaces, the number of training examples required to achieve a reasonable error
projects/torbrowser/design/index.html.en 500) bound is <a class="ulink" href="https://en.wikipedia.org/wiki/Probably_approximately_correct_learning#Equivalence" target="_top">a
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 501) function of the complexity of the categories</a> you need to classify.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 502)
projects/torbrowser/design/index.html.en 503) </p><p>
projects/torbrowser/design/index.html.en 504)
projects/torbrowser/design/index.html.en 505)
projects/torbrowser/design/index.html.en 506) In the case of this attack, the key factors that increase the classification
|
TBB design doc: Clarify web...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 507) complexity (and thus hinder a real world adversary who attempts this attack)
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 508) are large numbers of dynamically generated pages, partially cached content,
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 509) and also the non-web activity of the entire Tor network. This yields an
projects/torbrowser/design/index.html.en 510) effective number of "web pages" many orders of magnitude larger than even <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko's
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 511) "Open World" scenario</a>, which suffered continuous near-constant decline
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 512) in the true positive rate as the "Open World" size grew (see figure 4). This
projects/torbrowser/design/index.html.en 513) large level of classification complexity is further confounded by a noisy and
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 514) low resolution featureset - one which is also relatively easy for the defender
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 515) to manipulate at low cost.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 516)
projects/torbrowser/design/index.html.en 517) </p><p>
projects/torbrowser/design/index.html.en 518)
|
TBB Design Doc: Mention use...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 519) To make matters worse for a real-world adversary, the ocean of Tor Internet
projects/torbrowser/design/index.html.en 520) activity (at least, when compared to a lab setting) makes it a certainty that
projects/torbrowser/design/index.html.en 521) an adversary attempting examine large amounts of Tor traffic will ultimately
projects/torbrowser/design/index.html.en 522) be overwhelmed by false positives (even after making heavy tradeoffs on the
projects/torbrowser/design/index.html.en 523) ROC curve to minimize false positives to below 0.01%). This problem is known
projects/torbrowser/design/index.html.en 524) in the IDS literature as the <a class="ulink" href="http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf" target="_top">Base Rate
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 525) Fallacy</a>, and it is the primary reason that anomaly and activity
projects/torbrowser/design/index.html.en 526) classification-based IDS and antivirus systems have failed to materialize in
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 527) the marketplace (despite early success in academic literature).
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 528)
projects/torbrowser/design/index.html.en 529) </p><p>
projects/torbrowser/design/index.html.en 530)
projects/torbrowser/design/index.html.en 531) Still, we do not believe that these issues are enough to dismiss the attack
projects/torbrowser/design/index.html.en 532) outright. But we do believe these factors make it both worthwhile and
projects/torbrowser/design/index.html.en 533) effective to <a class="link" href="#traffic-fingerprinting-defenses">deploy
projects/torbrowser/design/index.html.en 534) light-weight defenses</a> that reduce the accuracy of this attack by
projects/torbrowser/design/index.html.en 535) further contributing noise to hinder successful feature extraction.
projects/torbrowser/design/index.html.en 536)
projects/torbrowser/design/index.html.en 537) </p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 538) OS</strong></span><p>
projects/torbrowser/design/index.html.en 539)
projects/torbrowser/design/index.html.en 540) Last, but definitely not least, the adversary can exploit either general
projects/torbrowser/design/index.html.en 541) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
projects/torbrowser/design/index.html.en 542) install malware and surveillance software. An adversary with physical access
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 543) can perform similar actions.
projects/torbrowser/design/index.html.en 544)
projects/torbrowser/design/index.html.en 545) </p><p>
projects/torbrowser/design/index.html.en 546)
projects/torbrowser/design/index.html.en 547) For the purposes of the browser itself, we limit the scope of this adversary
projects/torbrowser/design/index.html.en 548) to one that has passive forensic access to the disk after browsing activity
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 549) has taken place. This adversary motivates our
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 550) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> defenses.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 551)
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 552) </p><p>
projects/torbrowser/design/index.html.en 553)
projects/torbrowser/design/index.html.en 554) An adversary with arbitrary code execution typically has more power, though.
projects/torbrowser/design/index.html.en 555) It can be quite hard to really significantly limit the capabilities of such an
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 556) adversary. <a class="ulink" href="https://tails.boum.org/contribute/design/" target="_top">The Tails system</a> can
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 557) provide some defense against this adversary through the use of readonly media
projects/torbrowser/design/index.html.en 558) and frequent reboots, but even this can be circumvented on machines without
projects/torbrowser/design/index.html.en 559) Secure Boot through the use of BIOS rootkits.
projects/torbrowser/design/index.html.en 560)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 561) </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>4. Implementation</h2></div></div></div><p>
|
Update TBB design doc w/ an...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 562)
projects/torbrowser/design/index.html.en 563) The Implementation section is divided into subsections, each of which
projects/torbrowser/design/index.html.en 564) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
projects/torbrowser/design/index.html.en 565) Each subsection is divided into specific web technologies or properties. The
projects/torbrowser/design/index.html.en 566) implementation is then described for that property.
projects/torbrowser/design/index.html.en 567)
projects/torbrowser/design/index.html.en 568) </p><p>
projects/torbrowser/design/index.html.en 569)
projects/torbrowser/design/index.html.en 570) In some cases, the implementation meets the design requirements in a non-ideal
projects/torbrowser/design/index.html.en 571) way (for example, by disabling features). In rare cases, there may be no
projects/torbrowser/design/index.html.en 572) implementation at all. Both of these cases are denoted by differentiating
projects/torbrowser/design/index.html.en 573) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 574) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
|
Update TBB design doc w/ an...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 575) are typically linked for these cases.
projects/torbrowser/design/index.html.en 576)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 577) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>4.1. Proxy Obedience</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 578)
projects/en/torbrowser/design/index.html.en 579) Proxy obedience is assured through the following:
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 580) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Firefox proxy settings, patches, and build flags</strong></span><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 581)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 582) Our <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-45.8.0esr-6.5-2" target="_top">Firefox
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 583) preferences file</a> sets the Firefox proxy settings to use Tor directly
projects/torbrowser/design/index.html.en 584) as a SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 585) <span class="command"><strong>network.proxy.socks_version</strong></span>,
projects/torbrowser/design/index.html.en 586) <span class="command"><strong>network.proxy.socks_port</strong></span>, and
projects/torbrowser/design/index.html.en 587) <span class="command"><strong>network.dns.disablePrefetch</strong></span>.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 588)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 589) </p><p>
projects/torbrowser/design/index.html.en 590)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 591) To prevent proxy bypass by WebRTC calls, we disable WebRTC at compile time
projects/torbrowser/design/index.html.en 592) with the <span class="command"><strong>--disable-webrtc</strong></span> configure switch, as well
projects/torbrowser/design/index.html.en 593) as set the pref <span class="command"><strong>media.peerconnection.enabled</strong></span> to false.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 594)
projects/torbrowser/design/index.html.en 595) </p><p>
projects/torbrowser/design/index.html.en 596)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 597) We also patch Firefox in order to provide several defense-in-depth mechanisms
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 598) for proxy safety. Notably, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=177e78923b3252a7442160486ec48252a6adb77a" target="_top">patch
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 599) the DNS service</a> to prevent any browser or addon DNS resolution, and we
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 600) also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=6e17cef8f3cf61fdabf99e40d5e09a730142d6cd" target="_top">
projects/torbrowser/design/index.html.en 601) remove the DNS lookup for the profile lock signature</a>. Furhermore, we
projects/torbrowser/design/index.html.en 602) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=8197f6ffe58ba167e3bca4230c5721ebcfae55de" target="_top">patch
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 603) OCSP and PKIX code</a> to prevent any use of the non-proxied command-line
projects/torbrowser/design/index.html.en 604) tool utility functions from being functional while linked in to the browser.
projects/torbrowser/design/index.html.en 605) In both cases, we could find no direct paths to these routines in the browser,
projects/torbrowser/design/index.html.en 606) but it seemed better safe than sorry.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 607)
|
Comments from Georg + proxy...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 608) </p><p>
projects/torbrowser/design/index.html.en 609)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 610) For further defense-in-depth we disabled WebIDE because it can bypass proxy
projects/torbrowser/design/index.html.en 611) settings for remote debugging, and also because it downloads extensions we
projects/torbrowser/design/index.html.en 612) have not reviewed. We
projects/torbrowser/design/index.html.en 613) are doing this by setting
projects/torbrowser/design/index.html.en 614) <span class="command"><strong>devtools.webide.autoinstallADBHelper</strong></span>,
projects/torbrowser/design/index.html.en 615) <span class="command"><strong>devtools.webide.autoinstallFxdtAdapters</strong></span>,
projects/torbrowser/design/index.html.en 616) <span class="command"><strong>devtools.webide.enabled</strong></span>, and
projects/torbrowser/design/index.html.en 617) <span class="command"><strong>devtools.appmanager.enabled</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en 618) Moreover, we removed the Roku Screen Sharing and screencaster code with a
projects/torbrowser/design/index.html.en 619) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id= ad4abdb2e724fec060063f460604b829c66ea08a" target="_top">
projects/torbrowser/design/index.html.en 620) Firefox patch</a> as these features can bypass proxy settings as well.
projects/torbrowser/design/index.html.en 621) </p><p>
projects/torbrowser/design/index.html.en 622) Shumway is removed, too, for possible proxy bypass risks. We did this by
projects/torbrowser/design/index.html.en 623) backporting a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=d020a4992d8d25baf7dfb5c8b308d80b47a8d312" target="_top">
projects/torbrowser/design/index.html.en 624) number</a> <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=98bf6c81b22cb5e4651a5fc060182f27b26c8ee5" target="_top">
projects/torbrowser/design/index.html.en 625) of</a> <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=14b723f28a6b1dd78093691013d1bf7d49dc4413" target="_top">Mozilla patches</a>.
projects/torbrowser/design/index.html.en 626) Further down on our road to proxy safety we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a9e1d8eac28abb364bbfd3adabeae287751a6a8e" target="_top">
projects/torbrowser/design/index.html.en 627) disabled the network tickler</a> as it has the capability to send UDP
projects/torbrowser/design/index.html.en 628) traffic.
projects/torbrowser/design/index.html.en 629) </p><p>
projects/torbrowser/design/index.html.en 630)
projects/torbrowser/design/index.html.en 631) Finally, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=8e52265653ab223dc5af679f9f0c073b44371fa4" target="_top">
projects/torbrowser/design/index.html.en 632) disabled mDNS support</a>, since mDNS uses UDP packets. We also disable
projects/torbrowser/design/index.html.en 633) Mozilla's TCPSocket by setting
projects/torbrowser/design/index.html.en 634) <span class="command"><strong>dom.mozTCPSocket.enabled</strong></span> to <span class="command"><strong>false</strong></span>. We
projects/torbrowser/design/index.html.en 635) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18866" target="_top">intend to
projects/torbrowser/design/index.html.en 636) rip out</a> the TCPSocket code in the future to have an even more solid
projects/torbrowser/design/index.html.en 637) guarantee that it won't be used by accident.
projects/torbrowser/design/index.html.en 638)
projects/torbrowser/design/index.html.en 639) </p><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 640) During every Extended Support Release transition, we perform <a class="ulink" href="https://gitweb.torproject.org/tor-browser-spec.git/tree/audits" target="_top">in-depth
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 641) code audits</a> to verify that there were no system calls or XPCOM
projects/torbrowser/design/index.html.en 642) activity in the source tree that did not use the browser proxy settings.
projects/torbrowser/design/index.html.en 643) </p><p>
projects/torbrowser/design/index.html.en 644)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 645) We have verified that these settings and patches properly proxy HTTPS, OCSP,
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 646) HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing Queries, all JavaScript
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 647) activity, including HTML5 audio and video objects, addon updates, WiFi
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 648) geolocation queries, searchbox queries, XPCOM addon HTTPS/HTTP activity,
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 649) WebSockets, and live bookmark updates. We have also verified that external
projects/torbrowser/design/index.html.en 650) protocol helpers, such as SMB URLs and other custom protocol handlers are all
projects/torbrowser/design/index.html.en 651) blocked.
projects/torbrowser/design/index.html.en 652) </p></li><li class="listitem"><span class="command"><strong>Disabling plugins</strong></span><p>
projects/torbrowser/design/index.html.en 653) Plugins, like Flash, have the ability to make arbitrary OS system calls and
projects/torbrowser/design/index.html.en 654) <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 655) the ability to make UDP sockets and send arbitrary data independent of the
projects/en/torbrowser/design/index.html.en 656) browser proxy settings.
projects/en/torbrowser/design/index.html.en 657) </p><p>
projects/en/torbrowser/design/index.html.en 658) Torbutton disables plugins by using the
projects/en/torbrowser/design/index.html.en 659) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 660) as disabled. This block can be undone through both the Torbutton Security UI,
projects/torbrowser/design/index.html.en 661) and the Firefox Plugin Preferences.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 662) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 663) If the user does enable plugins in this way, plugin-handled objects are still
projects/torbrowser/design/index.html.en 664) restricted from automatic load through Firefox's click-to-play preference
projects/torbrowser/design/index.html.en 665) <span class="command"><strong>plugins.click_to_play</strong></span>.
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 666) </p><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 667)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 668) In addition, to reduce any unproxied activity by arbitrary plugins at load
projects/torbrowser/design/index.html.en 669) time, and to reduce the fingerprintability of the installed plugin list, we
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 670) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=09883246904ce4dede9f3c4d4bb8d644aefe9d1d" target="_top">
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 671) prevent the load of any plugins except for Flash and Gnash</a>. Even for
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 672) Flash and Gnash, we also patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9a0d506e3655f2fdec97ee4217f354941e39b5b3" target="_top">
projects/torbrowser/design/index.html.en 673) prevent loading them into the address space</a> until they are explicitly
projects/torbrowser/design/index.html.en 674) enabled.
projects/torbrowser/design/index.html.en 675) </p><p>
projects/torbrowser/design/index.html.en 676) With <a class="ulink" href="https://wiki.mozilla.org/GeckoMediaPlugins" target="_top">Gecko Media
projects/torbrowser/design/index.html.en 677) Plugins</a> (GMPs) a second type of plugins is available. They are mainly
projects/torbrowser/design/index.html.en 678) third party codecs and <a class="ulink" href="https://www.w3.org/TR/encrypted-media/" target="_top">EME</a>
projects/torbrowser/design/index.html.en 679) content decryption modules. We currently disable these plugins as they either
projects/torbrowser/design/index.html.en 680) can't be built reproducibly or are binary blobs which we are not allowed to
projects/torbrowser/design/index.html.en 681) audit (or both). For the EME case we use the <span class="command"><strong>--disable-eme</strong></span>
projects/torbrowser/design/index.html.en 682) configure switch and set
projects/torbrowser/design/index.html.en 683) <span class="command"><strong>browser.eme.ui.enabled</strong></span>,
projects/torbrowser/design/index.html.en 684) <span class="command"><strong>media.gmp-eme-adobe.enabled</strong></span>,
projects/torbrowser/design/index.html.en 685) <span class="command"><strong>media.eme.enabled</strong></span>, and
projects/torbrowser/design/index.html.en 686) <span class="command"><strong>media.eme.apiVisible</strong></span> to <span class="command"><strong>false</strong></span> to indicate
projects/torbrowser/design/index.html.en 687) to the user that this feature is disabled. For GMPs in general we make sure that
projects/torbrowser/design/index.html.en 688) the external server is not even pinged for updates/downloads in the first place
projects/torbrowser/design/index.html.en 689) by setting <span class="command"><strong>media.gmp-manager.url.override</strong></span> to
projects/torbrowser/design/index.html.en 690) <span class="command"><strong>data:text/plain,</strong></span> and avoid any UI with <span class="command"><strong>
projects/torbrowser/design/index.html.en 691) media.gmp-provider.enabled</strong></span> set to <span class="command"><strong>false</strong></span>.
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 692)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 693) </p></li><li class="listitem"><span class="command"><strong>External App Blocking and Drag Event Filtering</strong></span><p>
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 694)
projects/torbrowser/design/index.html.en 695) External apps can be induced to load files that perform network activity.
projects/torbrowser/design/index.html.en 696) Unfortunately, there are cases where such apps can be launched automatically
projects/torbrowser/design/index.html.en 697) with little to no user input. In order to prevent this, Torbutton installs a
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 698) component to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 699) provide the user with a popup</a> whenever the browser attempts to launch
projects/torbrowser/design/index.html.en 700) a helper app.
projects/torbrowser/design/index.html.en 701)
projects/torbrowser/design/index.html.en 702) </p><p>
projects/torbrowser/design/index.html.en 703)
projects/torbrowser/design/index.html.en 704) Additionally, modern desktops now pre-emptively fetch any URLs in Drag and
projects/torbrowser/design/index.html.en 705) Drop events as soon as the drag is initiated. This download happens
projects/torbrowser/design/index.html.en 706) independent of the browser's Tor settings, and can be triggered by something
projects/torbrowser/design/index.html.en 707) as simple as holding the mouse button down for slightly too long while
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 708) clicking on an image link. We filter drag and drop events events <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">from
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 709) Torbutton</a> before the OS downloads the URLs the events contained.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 710)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 711) </p></li><li class="listitem"><span class="command"><strong>Disabling system extensions and clearing the addon whitelist</strong></span><p>
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 712)
projects/torbrowser/design/index.html.en 713) Firefox addons can perform arbitrary activity on your computer, including
projects/torbrowser/design/index.html.en 714) bypassing Tor. It is for this reason we disable the addon whitelist
projects/torbrowser/design/index.html.en 715) (<span class="command"><strong>xpinstall.whitelist.add</strong></span>), so that users are prompted
projects/torbrowser/design/index.html.en 716) before installing addons regardless of the source. We also exclude
projects/torbrowser/design/index.html.en 717) system-level addons from the browser through the use of
projects/torbrowser/design/index.html.en 718) <span class="command"><strong>extensions.enabledScopes</strong></span> and
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 719) <span class="command"><strong>extensions.autoDisableScopes</strong></span>. Furthermore, we set
projects/torbrowser/design/index.html.en 720) <span class="command"><strong>extensions.systemAddon.update.url</strong></span> and <span class="command"><strong>
projects/torbrowser/design/index.html.en 721) extensions.hotfix.id</strong></span> to an empty string in order
projects/torbrowser/design/index.html.en 722) to avoid the risk of getting extensions installed by Mozilla into Tor Browser.
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 723)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 724) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>4.2. State Separation</h3></div></div></div><p>
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 725)
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 726) Tor Browser State is separated from existing browser state through use of a
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 727) custom Firefox profile, and by setting the $HOME environment variable to the
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 728) root of the bundle's directory. The browser also does not load any
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 729) system-wide extensions (through the use of
projects/torbrowser/design/index.html.en 730) <span class="command"><strong>extensions.enabledScopes</strong></span> and
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 731) <span class="command"><strong>extensions.autoDisableScopes</strong></span>). Furthermore, plugins are
|
TBB design doc: Fix typos,...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 732) disabled, which prevents Flash cookies from leaking from a pre-existing Flash
projects/torbrowser/design/index.html.en 733) directory.
projects/torbrowser/design/index.html.en 734)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 735) </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm357"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 736)
projects/torbrowser/design/index.html.en 737) The User Agent MUST (at user option) prevent all disk records of browser activity.
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 738) The user SHOULD be able to optionally enable URL history and other history
projects/torbrowser/design/index.html.en 739) features if they so desire.
projects/torbrowser/design/index.html.en 740)
projects/torbrowser/design/index.html.en 741) </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm360"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en 742)
projects/torbrowser/design/index.html.en 743) We are working towards this goal through several mechanisms. First, we set
projects/torbrowser/design/index.html.en 744) the Firefox Private Browsing preference
projects/torbrowser/design/index.html.en 745) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>.
projects/torbrowser/design/index.html.en 746) We also had to disable the media cache with the pref <span class="command"><strong>media.cache_size</strong></span>, to prevent HTML5 videos from being written to the OS temporary directory, which happened regardless of the private browsing mode setting.
projects/torbrowser/design/index.html.en 747) Finally, we needed to disable asm.js as it turns out that
projects/torbrowser/design/index.html.en 748) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1047105" target="_top">asm.js
projects/torbrowser/design/index.html.en 749) cache entries get written to disk</a> in private browsing mode. This
projects/torbrowser/design/index.html.en 750) is done by setting <span class="command"><strong>javascript.options.asmjs</strong></span> to
projects/torbrowser/design/index.html.en 751) <span class="command"><strong>false</strong></span> (for linkability concerns with asm.js see below).
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 752) </blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en 753)
projects/torbrowser/design/index.html.en 754) As an additional defense-in-depth measure, we set the following preferences:
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 755) <span class="command"><strong></strong></span>,
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 756) <span class="command"><strong>browser.cache.disk.enable</strong></span>,
projects/en/torbrowser/design/index.html.en 757) <span class="command"><strong>browser.cache.offline.enable</strong></span>,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 758) <span class="command"><strong>dom.indexedDB.enabled</strong></span>,
projects/torbrowser/design/index.html.en 759) <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>,
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 760) <span class="command"><strong>signon.rememberSignons</strong></span>,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 761) <span class="command"><strong>browser.formfill.enable</strong></span>,
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 762) <span class="command"><strong>browser.download.manager.retention</strong></span>,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 763) <span class="command"><strong>browser.sessionstore.privacy_level</strong></span>,
projects/torbrowser/design/index.html.en 764) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>. Many of these
projects/torbrowser/design/index.html.en 765) preferences are likely redundant with
projects/torbrowser/design/index.html.en 766) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>, but we have not done the
projects/torbrowser/design/index.html.en 767) auditing work to ensure that yet.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 768)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 769) </blockquote></div><div class="blockquote"><blockquote class="blockquote">
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 770)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 771) For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&status=!closed" target="_top">tbb-disk-leak tag in our bugtracker</a></blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>4.4. Application Data Isolation</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 772)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 773) Tor Browser MUST NOT cause any information to be written outside of the bundle
projects/torbrowser/design/index.html.en 774) directory. This is to ensure that the user is able to completely and
projects/torbrowser/design/index.html.en 775) safely remove it without leaving other traces of Tor usage on their computer.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 776)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 777) </p><p>
projects/torbrowser/design/index.html.en 778)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 779) To ensure Tor Browser directory isolation, we set
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 780) <span class="command"><strong>browser.download.useDownloadDir</strong></span>,
projects/torbrowser/design/index.html.en 781) <span class="command"><strong>browser.shell.checkDefaultBrowser</strong></span>, and
projects/torbrowser/design/index.html.en 782) <span class="command"><strong>browser.download.manager.addToRecentDocs</strong></span>. We also set the
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 783) $HOME environment variable to be the Tor Browser extraction directory.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 784) </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 785)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 786) The Cross-Origin Identifier Unlinkability design requirement is satisfied
projects/torbrowser/design/index.html.en 787) through first party isolation of all browser identifier sources. First party
projects/torbrowser/design/index.html.en 788) isolation means that all identifier sources and browser state are scoped
projects/torbrowser/design/index.html.en 789) (isolated) using the URL bar domain. This scoping is performed in
projects/torbrowser/design/index.html.en 790) combination with any additional third party scope. When first party isolation
projects/torbrowser/design/index.html.en 791) is used with explicit identifier storage that already has a constrained third
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 792) party scope (such as cookies and DOM storage), this approach is
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 793) referred to as "double-keying".
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 794)
projects/en/torbrowser/design/index.html.en 795) </p><p>
projects/en/torbrowser/design/index.html.en 796)
projects/en/torbrowser/design/index.html.en 797) The benefit of this approach comes not only in the form of reduced
projects/en/torbrowser/design/index.html.en 798) linkability, but also in terms of simplified privacy UI. If all stored browser
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 799) state and permissions become associated with the URL bar origin, the six or
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 800) seven different pieces of privacy UI governing these identifiers and
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 801) permissions can become just one piece of UI. For instance, a window that lists
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 802) the URL bar origin for which browser state exists, possibly with a
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 803) context-menu option to drill down into specific types of state or permissions.
projects/torbrowser/design/index.html.en 804) An example of this simplification can be seen in Figure 1.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 805)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 806) </p><div class="figure"><a id="idm393"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 807)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 808) This example UI is a mock-up of how isolating identifiers to the URL bar
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 809) domain can simplify the privacy UI for all data - not just cookies. Once
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 810) browser identifiers and site permissions operate on a URL bar basis, the same
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 811) privacy window can represent browsing history, DOM Storage, HTTP Auth, search
projects/torbrowser/design/index.html.en 812) form history, login values, and so on within a context menu for each site.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 813)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 814) </div></div></div><br class="figure-break" /><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm400"></a>Identifier Unlinkability Defenses in the Tor Browser</h4></div></div></div><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 815)
projects/torbrowser/design/index.html.en 816) Unfortunately, many aspects of browser state can serve as identifier storage,
projects/torbrowser/design/index.html.en 817) and no other browser vendor or standards body has invested the effort to
projects/torbrowser/design/index.html.en 818) enumerate or otherwise deal with these vectors for third party tracking. As
projects/torbrowser/design/index.html.en 819) such, we have had to enumerate and isolate these identifier sources on a
projects/torbrowser/design/index.html.en 820) piecemeal basis. Here is the list that we have discovered and dealt with to
projects/torbrowser/design/index.html.en 821) date:
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 822)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 823) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 824)
projects/torbrowser/design/index.html.en 825) All cookies MUST be double-keyed to the URL bar origin and third-party
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 826) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 827) that contains a prototype patch, but it lacks UI, and does not apply to modern
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 828) Firefox versions.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 829)
projects/en/torbrowser/design/index.html.en 830) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 831)
projects/en/torbrowser/design/index.html.en 832) As a stopgap to satisfy our design requirement of unlinkability, we currently
projects/en/torbrowser/design/index.html.en 833) entirely disable 3rd party cookies by setting
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 834) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to <span class="command"><strong>1</strong></span>. We
projects/torbrowser/design/index.html.en 835) would prefer that third party content continue to function, but we believe the
projects/torbrowser/design/index.html.en 836) requirement for unlinkability trumps that desire.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 837)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 838) </p></li><li class="listitem"><span class="command"><strong>Cache</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 839) All cache entries MUST be isolated to the URL bar domain.
projects/torbrowser/design/index.html.en 840) </p><p><span class="command"><strong>Implementation Status:</strong></span>
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 841)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 842) In Firefox, there are actually several distinct caching mechanisms: One is for
projects/torbrowser/design/index.html.en 843) general content (HTML, JavaScript, CSS). That content cache is isolated to the
projects/torbrowser/design/index.html.en 844) URL bar domain by <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9e88ab764b1c9c5d26a398ec6381eef88689929c" target="_top">altering
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 845) each cache key</a> to include an additional ID that includes the URL bar
projects/torbrowser/design/index.html.en 846) domain. This functionality can be observed by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and viewing the key used for each cache
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 847) entry. Each third party element should have an additional "string@:"
projects/torbrowser/design/index.html.en 848) property prepended, which will list the base domain that was used to source it.
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 849)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 850) </p><p>
projects/torbrowser/design/index.html.en 851)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 852) Additionally, there is the image cache. Because it is a separate entity from
projects/torbrowser/design/index.html.en 853) the content cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=05749216781d470ab95c2d101dd28ad000d9161f" target="_top">isolate
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 854) this cache per URL bar domain</a>.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 855)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 856) </p><p>
projects/torbrowser/design/index.html.en 857) Furthermore there is the Cache API (CacheStorage). That one is currently not
projects/torbrowser/design/index.html.en 858) available in Tor Browser as we do not allow third party cookies and are in
projects/torbrowser/design/index.html.en 859) Private Browsing Mode by default.
projects/torbrowser/design/index.html.en 860) </p><p>
projects/torbrowser/design/index.html.en 861) Finally, we have the asm.js cache. The cache entry of the sript is (among
projects/torbrowser/design/index.html.en 862) others things, like type of CPU, build ID, source characters of the asm.js
projects/torbrowser/design/index.html.en 863) module etc.) keyed <a class="ulink" href="https://blog.mozilla.org/luke/2014/01/14/asm-js-aot-compilation-and-startup-performance/" target="_top">to the origin of the script</a>.
projects/torbrowser/design/index.html.en 864) Lacking a good solution for binding it to the URL bar domain instead (and given
projects/torbrowser/design/index.html.en 865) the storage of asm.js modules in Private Browsing Mode) we decided to disable
projects/torbrowser/design/index.html.en 866) asm.js for the time being by setting <span class="command"><strong>javascript.options.asmjs</strong></span> to
projects/torbrowser/design/index.html.en 867) <span class="command"><strong>false</strong></span>. It remains to be seen whether keying the cache entry
projects/torbrowser/design/index.html.en 868) to the source characters of the asm.js module helps to avoid using it for
projects/torbrowser/design/index.html.en 869) cross-origin tracking of users. We did not investigate that yet.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 870) </p></li><li class="listitem"><span class="command"><strong>HTTP Authentication</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 871)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 872) HTTP Authorization headers can be used to encode <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 873) third party tracking identifiers</a>. To prevent this, we remove HTTP
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 874) authentication tokens for third party elements through a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=5e686c690cbc33cf3fdf984e6f3d3fe7b4d83701" target="_top">patch
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 875) to nsHTTPChannel</a>.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 876)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 877) </p></li><li class="listitem"><span class="command"><strong>DOM Storage</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 878)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 879) DOM storage for third party domains MUST be isolated to the URL bar domain,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 880) to prevent linkability between sites. This functionality is provided through a
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 881) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=20fee895321a7a18e79547e74f6739786558c0e8" target="_top">patch
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 882) to Firefox</a>.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 883)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 884) </p></li><li class="listitem"><span class="command"><strong>Flash cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
|
Describe our efforts agains...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 885)
projects/torbrowser/design/index.html.en 886) Users should be able to click-to-play flash objects from trusted sites. To
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 887) make this behavior unlinkable, we wish to include a settings file for all
projects/torbrowser/design/index.html.en 888) platforms that disables flash cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
|
Describe our efforts agains...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 889) settings manager</a>.
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 890)
|
Describe our efforts agains...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 891) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 892)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 893) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
|
Describe our efforts agains...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 894) difficulties</a> causing Flash player to use this settings
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 895) file on Windows, so Flash remains difficult to enable.
|
Describe our efforts agains...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 896)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 897) </p></li><li class="listitem"><span class="command"><strong>SSL+TLS session resumption</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 898)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 899) TLS session resumption tickets and SSL Session IDs MUST be limited to the URL
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 900) bar domain.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 901)
projects/en/torbrowser/design/index.html.en 902) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 903)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 904) We disable TLS Session Tickets and SSL Session IDs by
projects/torbrowser/design/index.html.en 905) setting <span class="command"><strong>security.ssl.disable_session_identifiers</strong></span> to
projects/torbrowser/design/index.html.en 906) <span class="command"><strong>true</strong></span>.
projects/torbrowser/design/index.html.en 907) To compensate for the increased round trip latency from disabling
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 908) these performance optimizations, we also enable
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 909) <a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 910) False Start</a> via the Firefox Pref
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 911) <span class="command"><strong>security.ssl.enable_false_start</strong></span>.
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 912)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 913) </p></li><li class="listitem"><span class="command"><strong>Tor circuit and HTTP connection linkability</strong></span><p>
projects/torbrowser/design/index.html.en 914)
projects/torbrowser/design/index.html.en 915) Tor circuits and HTTP connections from a third party in one URL bar origin
projects/torbrowser/design/index.html.en 916) MUST NOT be reused for that same third party in another URL bar origin.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 917)
projects/torbrowser/design/index.html.en 918) </p><p>
projects/torbrowser/design/index.html.en 919)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 920) This isolation functionality is provided by a Torbutton
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 921) component that <a class="ulink" href="" target="_top">sets
projects/torbrowser/design/index.html.en 922) the SOCKS username and password for each request</a>. The Tor client has
projects/torbrowser/design/index.html.en 923) logic to prevent connections with different SOCKS usernames and passwords from
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 924) using the same Tor circuit. Firefox has existing logic to ensure that
projects/torbrowser/design/index.html.en 925) connections with SOCKS proxies do not re-use existing HTTP Keep-Alive
projects/torbrowser/design/index.html.en 926) connections unless the proxy settings match.
projects/torbrowser/design/index.html.en 927) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1200802" target="_top">We extended
projects/torbrowser/design/index.html.en 928) this logic</a> to cover SOCKS username and password authentication,
projects/torbrowser/design/index.html.en 929) providing us with HTTP Keep-Alive unlinkability.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 930)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 931) </p></li><li class="listitem"><span class="command"><strong>SharedWorkers</strong></span><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 932)
projects/torbrowser/design/index.html.en 933) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker" target="_top">SharedWorkers</a>
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 934) are a special form of JavaScript Worker threads that have a shared scope between
projects/torbrowser/design/index.html.en 935) all threads from the same Javascript origin.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 936)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 937) </p><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 938)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 939) The SharedWorker scope MUST be isolated to the URL bar domain. I.e. a
projects/torbrowser/design/index.html.en 940) SharedWorker launched from a third party from one URL bar domain MUST NOT have
projects/torbrowser/design/index.html.en 941) access to the objects created by that same third party loaded under another URL
projects/torbrowser/design/index.html.en 942) bar domain. This functionality is provided by a
projects/torbrowser/design/index.html.en 943) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=d17c11445645908086c8d0af84e970e880f586eb" target="_top">
projects/torbrowser/design/index.html.en 944) Firefox patch</a>.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 945)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 946) </p></li><li class="listitem"><span class="command"><strong>blob: URIs (URL.createObjectURL)</strong></span><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 947)
projects/torbrowser/design/index.html.en 948) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>
projects/torbrowser/design/index.html.en 949) API allows a site to load arbitrary content into a random UUID that is stored
projects/torbrowser/design/index.html.en 950) in the user's browser, and this content can be accessed via a URL of the form
projects/torbrowser/design/index.html.en 951) <span class="command"><strong>blob:UUID</strong></span> from any other content element anywhere on the
projects/torbrowser/design/index.html.en 952) web. While this UUID value is neither under control of the site nor
projects/torbrowser/design/index.html.en 953) predictable, it can still be used to tag a set of users that are of high
projects/torbrowser/design/index.html.en 954) interest to an adversary.
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 955)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 956) </p><p><span class="command"><strong>Design Goal:</strong></span>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 957)
projects/torbrowser/design/index.html.en 958) URIs created with URL.createObjectURL MUST be limited in scope to the first
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 959) party URL bar domain that created them.
projects/torbrowser/design/index.html.en 960)
projects/torbrowser/design/index.html.en 961) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 962)
projects/torbrowser/design/index.html.en 963) We provide the isolation in Tor Browser via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb0b7b7a9c7257140ae5683718e82f3f0884f4f" target="_top">direct
projects/torbrowser/design/index.html.en 964) patch to Firefox</a>. However, downloads of PDF files via the download button in the PDF viewer <a class="ulink" href="https://bugs.torproject.org/17933" target="_top">are not isolated yet</a>.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 965)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 966) </p></li><li class="listitem"><span class="command"><strong>SPDY and HTTP/2</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 967)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 968) SPDY and HTTP/2 connections MUST be isolated to the URL bar domain. Furthermore,
projects/torbrowser/design/index.html.en 969) all associated means that could be used for cross-domain user tracking (alt-svc
projects/torbrowser/design/index.html.en 970) headers come to mind) MUST adhere to this design principle as well.
projects/torbrowser/design/index.html.en 971)
projects/torbrowser/design/index.html.en 972) </p><p><span class="command"><strong>Implementation status:</strong></span>
projects/torbrowser/design/index.html.en 973)
projects/torbrowser/design/index.html.en 974) SPDY and HTTP/2 are currently disabled by setting the
projects/torbrowser/design/index.html.en 975) Firefox preferences <span class="command"><strong>network.http.spdy.enabled</strong></span>,
projects/torbrowser/design/index.html.en 976) <span class="command"><strong>network.http.spdy.enabled.v2</strong></span>,
projects/torbrowser/design/index.html.en 977) <span class="command"><strong>network.http.spdy.enabled.v3</strong></span>,
projects/torbrowser/design/index.html.en 978) <span class="command"><strong>network.http.spdy.enabled.v3-1</strong></span>,
projects/torbrowser/design/index.html.en 979) <span class="command"><strong>network.http.spdy.enabled.http2</strong></span>,
projects/torbrowser/design/index.html.en 980) <span class="command"><strong>network.http.spdy.enabled.http2draft</strong></span>,
projects/torbrowser/design/index.html.en 981) <span class="command"><strong>network.http.altsvc.enabled</strong></span>, and
projects/torbrowser/design/index.html.en 982) <span class="command"><strong>network.http.altsvc.oe</strong></span> to <span class="command"><strong>false</strong></span>.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 983)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 984) </p></li><li class="listitem"><span class="command"><strong>Automated cross-origin redirects</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 985)
projects/torbrowser/design/index.html.en 986) To prevent attacks aimed at subverting the Cross-Origin Identifier
projects/torbrowser/design/index.html.en 987) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 988) MUST NOT store any identifiers (cookies, cache, DOM storage, HTTP auth, etc)
projects/torbrowser/design/index.html.en 989) for cross-origin redirect intermediaries that do not prompt for user input.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 990) For example, if a user clicks on a bit.ly URL that redirects to a
projects/torbrowser/design/index.html.en 991) doubleclick.net URL that finally redirects to a cnn.com URL, only cookies from
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 992) cnn.com should be retained after the redirect chain completes.
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 993)
projects/torbrowser/design/index.html.en 994) </p><p>
projects/torbrowser/design/index.html.en 995)
|
Update design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 996) Non-automated redirect chains that require user input at some step (such as
projects/torbrowser/design/index.html.en 997) federated login systems) SHOULD still allow identifiers to persist.
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 998)
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 999) </p><p><span class="command"><strong>Implementation status:</strong></span>
projects/torbrowser/design/index.html.en 1000)
projects/torbrowser/design/index.html.en 1001) There are numerous ways for the user to be redirected, and the Firefox API
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1002) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1003) open</a> to implement what we can.
projects/torbrowser/design/index.html.en 1004)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1005) </p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1006)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1007) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1008) a magical DOM property that for some reason is allowed to retain a persistent value
projects/en/torbrowser/design/index.html.en 1009) for the lifespan of a browser tab. It is possible to utilize this property for
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1010) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1011) storage</a>.
projects/en/torbrowser/design/index.html.en 1012)
projects/en/torbrowser/design/index.html.en 1013) </p><p>
projects/en/torbrowser/design/index.html.en 1014)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1015) In order to eliminate non-consensual linkability but still allow for sites
projects/torbrowser/design/index.html.en 1016) that utilize this property to function, we reset the window.name property of
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1017) tabs in Torbutton every time we encounter a blank Referer. This behavior
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1018) allows window.name to persist for the duration of a click-driven navigation
projects/torbrowser/design/index.html.en 1019) session, but as soon as the user enters a new URL or navigates between
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1020) HTTPS/HTTP schemes, the property is cleared.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1021)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1022) </p></li><li class="listitem"><span class="command"><strong>Auto form-fill</strong></span><p>
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1023)
projects/torbrowser/design/index.html.en 1024) We disable the password saving functionality in the browser as part of our
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1025) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1026) since users may decide to re-enable disk history records and password saving,
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1027) we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1028) preference to false to prevent saved values from immediately populating
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1029) fields upon page load. Since JavaScript can read these values as soon as they
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1030) appear, setting this preference prevents automatic linkability from stored passwords.
projects/torbrowser/design/index.html.en 1031)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1032) </p></li><li class="listitem"><span class="command"><strong>HSTS and HPKP supercookies</strong></span><p>
|
Additional comments from Ge...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1033)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1034) An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS</a>
projects/torbrowser/design/index.html.en 1035) <a class="ulink" href="http://www.radicalresearch.co.uk/lab/hstssupercookies/" target="_top">
|
Additional comments from Ge...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1036) supercookies</a>. Since HSTS effectively stores one bit of information per domain
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1037) name, an adversary in possession of numerous domains can use them to construct
projects/torbrowser/design/index.html.en 1038) cookies based on stored HSTS state.
projects/torbrowser/design/index.html.en 1039)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1040) </p><p>
projects/torbrowser/design/index.html.en 1041)
projects/torbrowser/design/index.html.en 1042) HPKP provides <a class="ulink" href="https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf" target="_top">
projects/torbrowser/design/index.html.en 1043) a mechanism for user tracking</a> across domains as well. It allows abusing the
projects/torbrowser/design/index.html.en 1044) requirement to provide a backup pin and the option to report a pin validation
projects/torbrowser/design/index.html.en 1045) failure. In a tracking scenario every user gets a unique SHA-256 value serving
projects/torbrowser/design/index.html.en 1046) as backup pin. This value is sent back after (deliberate) pin validation failures
projects/torbrowser/design/index.html.en 1047) working in fact as a cookie.
projects/torbrowser/design/index.html.en 1048)
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1049) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 1050)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1051) HSTS and HPKP MUST be isolated to the URL bar domain.
projects/torbrowser/design/index.html.en 1052)
projects/torbrowser/design/index.html.en 1053) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 1054)
projects/torbrowser/design/index.html.en 1055) Currently, HSTS and HPKP state is both cleared by <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button">New Identity</a>,
projects/torbrowser/design/index.html.en 1056) but we don't defend against the creation and usage of any of these supercookies
projects/torbrowser/design/index.html.en 1057) between <span class="command"><strong>New Identity</strong></span> invocations.
projects/torbrowser/design/index.html.en 1058)
projects/torbrowser/design/index.html.en 1059) </p></li><li class="listitem"><span class="command"><strong>Broadcast Channels</strong></span><p>
projects/torbrowser/design/index.html.en 1060)
projects/torbrowser/design/index.html.en 1061) The BroadcastChannel API allows cross-site communication within the same
projects/torbrowser/design/index.html.en 1062) origin. However, to avoid cross-origin linkability broadcast channels MUST
projects/torbrowser/design/index.html.en 1063) instead be isolated to the URL bar domain.
projects/torbrowser/design/index.html.en 1064)
projects/torbrowser/design/index.html.en 1065) </p><p>
projects/torbrowser/design/index.html.en 1066)
projects/torbrowser/design/index.html.en 1067) We provide the isolation in Tor Browser via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=3460a38721810b5b7e785e18f202dde20b3434e8" target="_top">direct
projects/torbrowser/design/index.html.en 1068) patch to Firefox</a>. If we lack a window for determining the URL bar
projects/torbrowser/design/index.html.en 1069) domain (e.g. in some worker contexts) the use of broadcast channels is disabled.
projects/torbrowser/design/index.html.en 1070)
projects/torbrowser/design/index.html.en 1071) </p></li><li class="listitem"><span class="command"><strong>OCSP</strong></span><p>
projects/torbrowser/design/index.html.en 1072)
projects/torbrowser/design/index.html.en 1073) OCSP requests go to Certfication Authorities (CAs) to check for revoked
projects/torbrowser/design/index.html.en 1074) certificates. They are sent once the browser is visiting a website via HTTPS and
projects/torbrowser/design/index.html.en 1075) no cached results are available. Thus, to avoid information leaks, e.g. to exit
projects/torbrowser/design/index.html.en 1076) relays, OCSP requests MUST go over the same circuit as the HTTPS request causing
projects/torbrowser/design/index.html.en 1077) them and MUST therefore be isolated to the URL bar domain. The resulting cache
projects/torbrowser/design/index.html.en 1078) entries MUST be bound to the URL bar domain as well. This functionality is
projects/torbrowser/design/index.html.en 1079) provided by a
projects/torbrowser/design/index.html.en 1080) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb1568275acd4fdf61359c9b1e97c2753e7b2be" target="_top">Firefox patch</a>.
projects/torbrowser/design/index.html.en 1081)
projects/torbrowser/design/index.html.en 1082) </p></li><li class="listitem"><span class="command"><strong>Favicons</strong></span><p>
projects/torbrowser/design/index.html.en 1083)
projects/torbrowser/design/index.html.en 1084) When visiting a website its favicon is fetched via a request originating from
projects/torbrowser/design/index.html.en 1085) the browser itself (similar to the OCSP mechanism mentioned in the previous
projects/torbrowser/design/index.html.en 1086) section). Those requests MUST be isolated to the URL bar domain. This
projects/torbrowser/design/index.html.en 1087) functionality is provided by a
projects/torbrowser/design/index.html.en 1088) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=f29f3ff28bbc471ea209d2181770677223c394d1" target="_top">Firefox patch</a>.
projects/torbrowser/design/index.html.en 1089)
projects/torbrowser/design/index.html.en 1090) </p></li><li class="listitem"><span class="command"><strong>mediasource: URIs and MediaStreams</strong></span><p>
projects/torbrowser/design/index.html.en 1091)
projects/torbrowser/design/index.html.en 1092) Much like blob URLs, mediasource: URIs and MediaStreams can be used to tag
projects/torbrowser/design/index.html.en 1093) users. Therefore, mediasource: URIs and MediaStreams MUST be isolated to the URL bar domain.
projects/torbrowser/design/index.html.en 1094) This functionality is part of a
projects/torbrowser/design/index.html.en 1095) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb0b7b7a9c7257140ae5683718e82f3f0884f4f" target="_top">Firefox patch</a>
projects/torbrowser/design/index.html.en 1096)
projects/torbrowser/design/index.html.en 1097) </p></li><li class="listitem"><span class="command"><strong>Speculative and prefetched connections</strong></span><p>
projects/torbrowser/design/index.html.en 1098)
projects/torbrowser/design/index.html.en 1099) Firefox provides the feature to <a class="ulink" href="https://www.igvita.com/2015/08/17/eliminating-roundtrips-with-preconnect/" target="_top">connect speculatively</a> to
projects/torbrowser/design/index.html.en 1100) remote hosts if that is either indicated in the HTML file (e.g. by
projects/torbrowser/design/index.html.en 1101) <a class="ulink" href="https://w3c.github.io/resource-hints/" target="_top">link
projects/torbrowser/design/index.html.en 1102) rel="preconnect" and rel="prefetch"</a>) or otherwise deemed beneficial.
projects/torbrowser/design/index.html.en 1103)
projects/torbrowser/design/index.html.en 1104) </p><p>
projects/torbrowser/design/index.html.en 1105)
projects/torbrowser/design/index.html.en 1106) Firefox does not support rel="prerender", and Mozilla has disabled speculative
projects/torbrowser/design/index.html.en 1107) connections and rel="preconnect" usage where a proxy is used (see <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18762#comment:3" target="_top"> comment
projects/torbrowser/design/index.html.en 1108) 3 in bug 18762</a> for further details). Explicit prefetching via the
projects/torbrowser/design/index.html.en 1109) rel="prefetch" attribute is still performed, however.
projects/torbrowser/design/index.html.en 1110)
projects/torbrowser/design/index.html.en 1111) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 1112)
projects/torbrowser/design/index.html.en 1113) All pre-loaded links and speculative connections MUST be isolated to the URL
projects/torbrowser/design/index.html.en 1114) bar domain, if enabled. This includes isolating both Tor circuit use, as well
projects/torbrowser/design/index.html.en 1115) as the caching and associate browser state for the prefetched resource.
projects/torbrowser/design/index.html.en 1116)
projects/torbrowser/design/index.html.en 1117) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 1118)
projects/torbrowser/design/index.html.en 1119) For automatic speculative connects and rel="preconnect", we leave them
projects/torbrowser/design/index.html.en 1120) disabled as per the Mozilla default for proxy settings. However, if enabled,
projects/torbrowser/design/index.html.en 1121) speculative connects will be isolated to the proper first party Tor circuit by
projects/torbrowser/design/index.html.en 1122) the same mechanism as is used for HTTP Keep-alive. This is true for rel="prefetch"
projects/torbrowser/design/index.html.en 1123) requests as well. For rel="preconnect", we isolate them <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9126303651785d02f2df0554f391fffba0b0a00e" target="_top">via
projects/torbrowser/design/index.html.en 1124) this patch</a>. This isolation makes both preconnecting and cache warming
projects/torbrowser/design/index.html.en 1125) via rel=prefetch ineffective for links to domains other than the current URL
projects/torbrowser/design/index.html.en 1126) bar domain. For links to the same domain as the URL bar domain, the full cache
projects/torbrowser/design/index.html.en 1127) warming benefit is obtained. As an optimization, any preconnecting to domains
projects/torbrowser/design/index.html.en 1128) other than the current URL bar domain can thus be disabled (perhaps with the
projects/torbrowser/design/index.html.en 1129) exception of frames), but we do not do this. We allow these requests to
projects/torbrowser/design/index.html.en 1130) proceed, but we isolate them.
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1131)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1132) </p></li></ol></div><p>
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1133) For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&status=!closed" target="_top">tbb-linkability tag in our bugtracker</a>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1134) </p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1135) Browser fingerprinting is the act of inspecting browser behaviors and features in
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1136) an attempt to differentiate and track individual users.
projects/torbrowser/design/index.html.en 1137) </p><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1138)
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1139) Fingerprinting attacks are typically broken up into passive and active
projects/torbrowser/design/index.html.en 1140) vectors. Passive fingerprinting makes use of any information the browser
projects/torbrowser/design/index.html.en 1141) provides automatically to a website without any specific action on the part of
projects/torbrowser/design/index.html.en 1142) the website. Active fingerprinting makes use of any information that can be
projects/torbrowser/design/index.html.en 1143) extracted from the browser by some specific website action, usually involving
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1144) JavaScript. Some definitions of browser fingerprinting also include
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1145) supercookies and cookie-like identifier storage, but we deal with those issues
projects/torbrowser/design/index.html.en 1146) separately in the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">preceding section on
projects/torbrowser/design/index.html.en 1147) identifier linkability</a>.
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1148)
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1149) </p><p>
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1150)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1151) For the most part, however, we do not differentiate between passive or active
projects/torbrowser/design/index.html.en 1152) fingerprinting sources, since many active fingerprinting mechanisms are very
projects/torbrowser/design/index.html.en 1153) rapid, and can be obfuscated or disguised as legitimate functionality.
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1154)
projects/torbrowser/design/index.html.en 1155) </p><p>
projects/torbrowser/design/index.html.en 1156)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1157) Instead, we believe fingerprinting can only be rationally addressed if we
projects/torbrowser/design/index.html.en 1158) understand where the problem comes from, what sources of issues are the most
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1159) severe, what types of defenses are suitable for which sources, and have a
projects/torbrowser/design/index.html.en 1160) consistent strategy for designing defenses that maximizes our ability to study
projects/torbrowser/design/index.html.en 1161) defense efficacy. The following subsections address these issues from a high
projects/torbrowser/design/index.html.en 1162) level, and we then conclude with a list of our current specific defenses.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1163)
projects/torbrowser/design/index.html.en 1164) </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-scope"></a>Sources of Fingerprinting Issues</h4></div></div></div><p>
projects/torbrowser/design/index.html.en 1165)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1166) All browser fingerprinting issues arise from one of four primary sources:
projects/torbrowser/design/index.html.en 1167) end-user configuration details, device and hardware characteristics, operating
projects/torbrowser/design/index.html.en 1168) system vendor and version differences, and browser vendor and version
projects/torbrowser/design/index.html.en 1169) differences. Additionally, user behavior itself provides one more source of
projects/torbrowser/design/index.html.en 1170) potential fingerprinting.
projects/torbrowser/design/index.html.en 1171)
projects/torbrowser/design/index.html.en 1172) </p><p>
projects/torbrowser/design/index.html.en 1173)
projects/torbrowser/design/index.html.en 1174) In order to help prioritize and inform defenses, we now list these sources in
projects/torbrowser/design/index.html.en 1175) order from most severe to least severe in terms of the amount of information
projects/torbrowser/design/index.html.en 1176) they reveal, and describe them in more detail.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1177)
projects/torbrowser/design/index.html.en 1178) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>End-user Configuration Details</strong></span><p>
projects/torbrowser/design/index.html.en 1179)
projects/torbrowser/design/index.html.en 1180) End-user configuration details are by far the most severe threat to
projects/torbrowser/design/index.html.en 1181) fingerprinting, as they will quickly provide enough information to uniquely
projects/torbrowser/design/index.html.en 1182) identify a user. We believe it is essential to avoid exposing platform
projects/torbrowser/design/index.html.en 1183) configuration details to website content at all costs. We also discourage
projects/torbrowser/design/index.html.en 1184) excessive fine-grained customization of Tor Browser by minimizing and
projects/torbrowser/design/index.html.en 1185) aggregating user-facing privacy and security options, as well as by
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1186) discouraging the use of additional plugins and addons. When it is necessary to
projects/torbrowser/design/index.html.en 1187) expose configuration details in the course of providing functionality, we
projects/torbrowser/design/index.html.en 1188) strive to do so only on a per-site basis via site permissions, to avoid
projects/torbrowser/design/index.html.en 1189) linkability.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1190)
projects/torbrowser/design/index.html.en 1191) </p></li><li class="listitem"><span class="command"><strong>Device and Hardware Characteristics</strong></span><p>
projects/torbrowser/design/index.html.en 1192)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1193) Device and hardware characteristics can be determined in three ways: they can
projects/torbrowser/design/index.html.en 1194) be reported explicitly by the browser, they can be inferred through browser
projects/torbrowser/design/index.html.en 1195) functionality, or they can be extracted through statistical measurements of
projects/torbrowser/design/index.html.en 1196) system performance. We are most concerned with the cases where this
projects/torbrowser/design/index.html.en 1197) information is either directly reported or can be determined via a single use
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1198) of an API or feature, and prefer to either alter functionality to prevent
projects/torbrowser/design/index.html.en 1199) exposing the most variable aspects of these characteristics, place such
projects/torbrowser/design/index.html.en 1200) features behind site permissions, or disable them entirely.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1201)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1202) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1203)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1204) On the other hand, because statistical inference of system performance
projects/torbrowser/design/index.html.en 1205) requires many iterations to achieve accuracy in the face of noise and
projects/torbrowser/design/index.html.en 1206) concurrent activity, we are less concerned with this mechanism of extracting
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1207) this information. We also expect that reducing the resolution of JavaScript's
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1208) time sources will significantly increase the duration of execution required to
projects/torbrowser/design/index.html.en 1209) extract accurate results, and thus make statistical approaches both
projects/torbrowser/design/index.html.en 1210) unattractive and highly noticeable due to excessive resource consumption.
projects/torbrowser/design/index.html.en 1211)
projects/torbrowser/design/index.html.en 1212) </p></li><li class="listitem"><span class="command"><strong>Operating System Vendor and Version Differences</strong></span><p>
projects/torbrowser/design/index.html.en 1213)
projects/torbrowser/design/index.html.en 1214) Operating system vendor and version differences permeate many different
projects/torbrowser/design/index.html.en 1215) aspects of the browser. While it is possible to address these issues with some
projects/torbrowser/design/index.html.en 1216) effort, the relative lack of diversity in operating systems causes us to
projects/torbrowser/design/index.html.en 1217) primarily focus our efforts on passive operating system fingerprinting
projects/torbrowser/design/index.html.en 1218) mechanisms at this point in time. For the purposes of protecting user
projects/torbrowser/design/index.html.en 1219) anonymity, it is not strictly essential that the operating system be
projects/torbrowser/design/index.html.en 1220) completely concealed, though we recognize that it is useful to reduce this
projects/torbrowser/design/index.html.en 1221) differentiation ability where possible, especially for cases where the
projects/torbrowser/design/index.html.en 1222) specific version of a system can be inferred.
projects/torbrowser/design/index.html.en 1223)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1224) </p></li><li class="listitem"><span class="command"><strong>User Behavior</strong></span><p>
projects/torbrowser/design/index.html.en 1225)
projects/torbrowser/design/index.html.en 1226) While somewhat outside the scope of browser fingerprinting, for completeness
projects/torbrowser/design/index.html.en 1227) it is important to mention that users themselves theoretically might be
projects/torbrowser/design/index.html.en 1228) fingerprinted through their behavior while interacting with a website. This
projects/torbrowser/design/index.html.en 1229) behavior includes e.g. keystrokes, mouse movements, click speed, and writing
projects/torbrowser/design/index.html.en 1230) style. Basic vectors such as keystroke and mouse usage fingerprinting can be
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1231) mitigated by altering JavaScript's notion of time. More advanced issues like
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1232) writing style fingerprinting are the domain of <a class="ulink" href="https://github.com/psal/anonymouth/blob/master/README.md" target="_top">other tools</a>.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1233)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1234) </p></li><li class="listitem"><span class="command"><strong>Browser Vendor and Version Differences</strong></span><p>
projects/torbrowser/design/index.html.en 1235)
projects/torbrowser/design/index.html.en 1236) Due to vast differences in feature set and implementation behavior even
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1237) between different (<a class="ulink" href="https://tsyrklevich.net/2014/10/28/abusing-strict-transport-security/" target="_top">minor</a>)
projects/torbrowser/design/index.html.en 1238) versions of the same browser, browser vendor and version differences are simply
projects/torbrowser/design/index.html.en 1239) not possible to conceal in any realistic way. It is only possible to minimize
projects/torbrowser/design/index.html.en 1240) the differences among different installations of the same browser vendor and
projects/torbrowser/design/index.html.en 1241) version. We make no effort to mimic any other major browser vendor, and in fact
projects/torbrowser/design/index.html.en 1242) most of our fingerprinting defenses serve to differentiate Tor Browser users
projects/torbrowser/design/index.html.en 1243) from normal Firefox users. Because of this, any study that lumps browser vendor
projects/torbrowser/design/index.html.en 1244) and version differences into its analysis of the fingerprintability of a
projects/torbrowser/design/index.html.en 1245) population is largely useless for evaluating either attacks or defenses.
projects/torbrowser/design/index.html.en 1246) Unfortunately, this includes popular large-scale studies such as <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> and <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a>.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1247)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1248) </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses-general"></a>General Fingerprinting Defenses</h4></div></div></div><p>
projects/torbrowser/design/index.html.en 1249)
projects/torbrowser/design/index.html.en 1250) To date, the Tor Browser team has concerned itself only with developing
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1251) defenses for APIs that have already been standardized and deployed. Once an
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1252) API or feature has been standardized and widely deployed, defenses to the
projects/torbrowser/design/index.html.en 1253) associated fingerprinting issues tend to have only a few options available to
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1254) compensate for the lack of up-front privacy design. In our experience, so far
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1255) these options have been limited to value spoofing, subsystem modification or
projects/torbrowser/design/index.html.en 1256) reimplementation, virtualization, site permissions, and feature removal. We
projects/torbrowser/design/index.html.en 1257) will now describe these options and the fingerprinting sources they tend to
projects/torbrowser/design/index.html.en 1258) work best with.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1259)
projects/torbrowser/design/index.html.en 1260) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Value Spoofing</strong></span><p>
projects/torbrowser/design/index.html.en 1261)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1262) Value spoofing can be used for simple cases where the browser provides some
projects/torbrowser/design/index.html.en 1263) aspect of the user's configuration details, devices, hardware, or operating
projects/torbrowser/design/index.html.en 1264) system directly to a website. It becomes less useful when the fingerprinting
projects/torbrowser/design/index.html.en 1265) method relies on behavior to infer aspects of the hardware or operating system,
projects/torbrowser/design/index.html.en 1266) rather than obtain them directly.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1267)
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1268) </p></li><li class="listitem"><span class="command"><strong>Subsystem Modification or Reimplementation</strong></span><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1269)
projects/torbrowser/design/index.html.en 1270) In cases where simple spoofing is not enough to properly conceal underlying
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1271) device characteristics or operating system details, the underlying subsystem
projects/torbrowser/design/index.html.en 1272) that provides the functionality for a feature or API may need to be modified
projects/torbrowser/design/index.html.en 1273) or completely reimplemented. This is most common in cases where customizable
projects/torbrowser/design/index.html.en 1274) or version-specific aspects of the user's operating system are visible through
projects/torbrowser/design/index.html.en 1275) the browser's featureset or APIs, usually because the browser directly exposes
projects/torbrowser/design/index.html.en 1276) OS-provided implementations of underlying features. In these cases, such
projects/torbrowser/design/index.html.en 1277) OS-provided implementations must be replaced by a generic implementation, or
projects/torbrowser/design/index.html.en 1278) at least modified by an implementation wrapper layer that makes effort to
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1279) conceal any user-customized aspects of the system.
projects/torbrowser/design/index.html.en 1280)
projects/torbrowser/design/index.html.en 1281) </p></li><li class="listitem"><span class="command"><strong>Virtualization</strong></span><p>
projects/torbrowser/design/index.html.en 1282)
projects/torbrowser/design/index.html.en 1283) Virtualization is needed when simply reimplementing a feature in a different
projects/torbrowser/design/index.html.en 1284) way is insufficient to fully conceal the underlying behavior. This is most
projects/torbrowser/design/index.html.en 1285) common in instances of device and hardware fingerprinting, but since the
projects/torbrowser/design/index.html.en 1286) notion of time can also be virtualized, virtualization also can apply to any
projects/torbrowser/design/index.html.en 1287) instance where an accurate measurement of wall clock time is required for a
projects/torbrowser/design/index.html.en 1288) fingerprinting vector to attain high accuracy.
projects/torbrowser/design/index.html.en 1289)
projects/torbrowser/design/index.html.en 1290) </p></li><li class="listitem"><span class="command"><strong>Site Permissions</strong></span><p>
projects/torbrowser/design/index.html.en 1291)
projects/torbrowser/design/index.html.en 1292) In the event that reimplementation or virtualization is too expensive in terms
projects/torbrowser/design/index.html.en 1293) of performance or engineering effort, and the relative expected usage of a
projects/torbrowser/design/index.html.en 1294) feature is rare, site permissions can be used to prevent the usage of a
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1295) feature for cross-site tracking. Unfortunately, site permissions become less
projects/torbrowser/design/index.html.en 1296) effective once a feature is already widely overused and abused by many
projects/torbrowser/design/index.html.en 1297) websites, since warning fatigue typically sets in for most users after just a
projects/torbrowser/design/index.html.en 1298) few permission requests.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1299)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1300) </p></li><li class="listitem"><span class="command"><strong>Feature or Functionality Removal</strong></span><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1301)
projects/torbrowser/design/index.html.en 1302) Due to the current bias in favor of invasive APIs that expose the maximum
projects/torbrowser/design/index.html.en 1303) amount of platform information, some features and APIs are simply not
projects/torbrowser/design/index.html.en 1304) salvageable in their current form. When such invasive features serve only a
projects/torbrowser/design/index.html.en 1305) narrow domain or use case, or when there are alternate ways of accomplishing
projects/torbrowser/design/index.html.en 1306) the same task, these features and/or certain aspects of their functionality
projects/torbrowser/design/index.html.en 1307) may be simply removed.
projects/torbrowser/design/index.html.en 1308)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1309) </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm608"></a>Strategies for Defense: Randomization versus Uniformity</h4></div></div></div><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1310)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1311) When applying a form of defense to a specific fingerprinting vector or source,
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1312) there are two general strategies available: either the implementation for all
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1313) users of a single browser version can be made to behave as uniformly as
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1314) possible, or the user agent can attempt to randomize its behavior so that
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1315) each interaction between a user and a site provides a different fingerprint.
projects/torbrowser/design/index.html.en 1316)
projects/torbrowser/design/index.html.en 1317) </p><p>
projects/torbrowser/design/index.html.en 1318)
projects/torbrowser/design/index.html.en 1319) Although <a class="ulink" href="http://research.microsoft.com/pubs/209989/tr1.pdf" target="_top">some
projects/torbrowser/design/index.html.en 1320) research suggests</a> that randomization can be effective, so far striving
projects/torbrowser/design/index.html.en 1321) for uniformity has generally proved to be a better strategy for Tor Browser
projects/torbrowser/design/index.html.en 1322) for the following reasons:
projects/torbrowser/design/index.html.en 1323)
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1324) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Evaluation and measurement difficulties</strong></span><p>
projects/torbrowser/design/index.html.en 1325)
projects/torbrowser/design/index.html.en 1326) The fact that randomization causes behaviors to differ slightly with every
projects/torbrowser/design/index.html.en 1327) site visit makes it appealing at first glance, but this same property makes it
projects/torbrowser/design/index.html.en 1328) very difficult to objectively measure its effectiveness. By contrast, an
projects/torbrowser/design/index.html.en 1329) implementation that strives for uniformity is very simple to evaluate. Despite
projects/torbrowser/design/index.html.en 1330) their current flaws, a properly designed version of <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> or <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a> could report the entropy and
projects/torbrowser/design/index.html.en 1331) uniqueness rates for all users of a single user agent version, without the
projects/torbrowser/design/index.html.en 1332) need for complicated statistics about the variance of the measured behaviors.
projects/torbrowser/design/index.html.en 1333)
projects/torbrowser/design/index.html.en 1334) </p><p>
projects/torbrowser/design/index.html.en 1335)
projects/torbrowser/design/index.html.en 1336) Randomization (especially incomplete randomization) may also provide a false
projects/torbrowser/design/index.html.en 1337) sense of security. When a fingerprinting attempt makes naive use of randomized
projects/torbrowser/design/index.html.en 1338) information, a fingerprint will appear unstable, but may not actually be
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1339) sufficiently randomized to impede a dedicated adversary. Sophisticated
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1340) fingerprinting mechanisms may either ignore randomized information, or
projects/torbrowser/design/index.html.en 1341) incorporate knowledge of the distribution and range of randomized values into
projects/torbrowser/design/index.html.en 1342) the creation of a more stable fingerprint (by either removing the randomness,
projects/torbrowser/design/index.html.en 1343) modeling it, or averaging it out).
projects/torbrowser/design/index.html.en 1344)
projects/torbrowser/design/index.html.en 1345) </p></li><li class="listitem"><span class="command"><strong>Randomization is not a shortcut</strong></span><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1346)
projects/torbrowser/design/index.html.en 1347) While many end-user configuration details that the browser currently exposes
projects/torbrowser/design/index.html.en 1348) may be safely replaced by false information, randomization of these details
projects/torbrowser/design/index.html.en 1349) must be just as exhaustive as an approach that seeks to make these behaviors
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1350) uniform. When confronting either strategy, the adversary can still make use of
projects/torbrowser/design/index.html.en 1351) any details which have not been altered to be either sufficiently uniform or
projects/torbrowser/design/index.html.en 1352) sufficiently random.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1353)
projects/torbrowser/design/index.html.en 1354) </p><p>
projects/torbrowser/design/index.html.en 1355)
projects/torbrowser/design/index.html.en 1356) Furthermore, the randomization approach seems to break down when it is applied
projects/torbrowser/design/index.html.en 1357) to deeper issues where underlying system functionality is directly exposed. In
projects/torbrowser/design/index.html.en 1358) particular, it is not clear how to randomize the capabilities of hardware
projects/torbrowser/design/index.html.en 1359) attached to a computer in such a way that it either convincingly behaves like
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1360) other hardware, or such that the exact properties of the hardware that vary
projects/torbrowser/design/index.html.en 1361) from user to user are sufficiently randomized. Similarly, truly concealing
projects/torbrowser/design/index.html.en 1362) operating system version differences through randomization may require
projects/torbrowser/design/index.html.en 1363) multiple reimplementations of the underlying operating system functionality to
projects/torbrowser/design/index.html.en 1364) ensure that every operating system version is covered by the range of possible
projects/torbrowser/design/index.html.en 1365) behaviors.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1366)
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1367) </p></li><li class="listitem"><span class="command"><strong>Usability issues</strong></span><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1368)
projects/torbrowser/design/index.html.en 1369) When randomization is introduced to features that affect site behavior, it can
projects/torbrowser/design/index.html.en 1370) be very distracting for this behavior to change between visits of a given
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1371) site. For the simplest cases, this will lead to minor visual nuisances.
projects/torbrowser/design/index.html.en 1372) However, when this information affects reported functionality or hardware
projects/torbrowser/design/index.html.en 1373) characteristics, sometimes a site will function one way on one visit, and
projects/torbrowser/design/index.html.en 1374) another way on a subsequent visit.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1375)
projects/torbrowser/design/index.html.en 1376) </p></li><li class="listitem"><span class="command"><strong>Performance costs</strong></span><p>
projects/torbrowser/design/index.html.en 1377)
projects/torbrowser/design/index.html.en 1378) Randomizing involves performance costs. This is especially true if the
projects/torbrowser/design/index.html.en 1379) fingerprinting surface is large (like in a modern browser) and one needs more
projects/torbrowser/design/index.html.en 1380) elaborate randomizing strategies (including randomized virtualization) to
projects/torbrowser/design/index.html.en 1381) ensure that the randomization fully conceals the true behavior. Many calls to
projects/torbrowser/design/index.html.en 1382) a cryptographically secure random number generator during the course of a page
projects/torbrowser/design/index.html.en 1383) load will both serve to exhaust available entropy pools, as well as lead to
projects/torbrowser/design/index.html.en 1384) increased computation while loading a page.
projects/torbrowser/design/index.html.en 1385)
projects/torbrowser/design/index.html.en 1386) </p></li><li class="listitem"><span class="command"><strong>Increased vulnerability surface</strong></span><p>
projects/torbrowser/design/index.html.en 1387)
projects/torbrowser/design/index.html.en 1388) Improper randomization might introduce a new fingerprinting vector, as the
projects/torbrowser/design/index.html.en 1389) process of generating the values for the fingerprintable attributes could be
projects/torbrowser/design/index.html.en 1390) itself susceptible to side-channel attacks, analysis, or exploitation.
projects/torbrowser/design/index.html.en 1391)
projects/torbrowser/design/index.html.en 1392) </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Specific Fingerprinting Defenses in the Tor Browser</h4></div></div></div><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1393)
projects/torbrowser/design/index.html.en 1394) The following defenses are listed roughly in order of most severe
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1395) fingerprinting threat first. This ordering is based on the above intuition
projects/torbrowser/design/index.html.en 1396) that user configurable aspects of the computer are the most severe source of
projects/torbrowser/design/index.html.en 1397) fingerprintability, followed by device characteristics and hardware, and then
projects/torbrowser/design/index.html.en 1398) finally operating system vendor and version information.
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1399)
projects/torbrowser/design/index.html.en 1400) </p><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1401)
projects/torbrowser/design/index.html.en 1402) Where our actual implementation differs from an ideal solution, we separately
projects/torbrowser/design/index.html.en 1403) describe our <span class="command"><strong>Design Goal</strong></span> and our <span class="command"><strong>Implementation
projects/torbrowser/design/index.html.en 1404) Status</strong></span>.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1405)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1406) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Plugins</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1407)
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1408) Plugins add to fingerprinting risk via two main vectors: their mere presence
projects/torbrowser/design/index.html.en 1409) in window.navigator.plugins (because they are optional, end-user installed
projects/torbrowser/design/index.html.en 1410) third party software), as well as their internal functionality.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1411)
projects/en/torbrowser/design/index.html.en 1412) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1413)
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1414) All plugins that have not been specifically audited or sandboxed MUST be
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1415) disabled. To reduce linkability potential, even sandboxed plugins SHOULD NOT
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1416) be allowed to load objects until the user has clicked through a click-to-play
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1417) barrier. Additionally, version information SHOULD be reduced or obfuscated
projects/torbrowser/design/index.html.en 1418) until the plugin object is loaded. For Flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">provide a
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1419) settings.sol file</a> to disable Flash cookies, and to restrict P2P
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1420) features that are likely to bypass proxy settings. We'd also like to restrict
projects/torbrowser/design/index.html.en 1421) access to fonts and other system information (such as IP address and MAC
projects/torbrowser/design/index.html.en 1422) address) in such a sandbox.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1423)
projects/en/torbrowser/design/index.html.en 1424) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1425)
projects/en/torbrowser/design/index.html.en 1426) Currently, we entirely disable all plugins in Tor Browser. However, as a
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1427) compromise due to the popularity of Flash, we allow users to re-enable Flash,
projects/torbrowser/design/index.html.en 1428) and flash objects are blocked behind a click-to-play barrier that is available
projects/torbrowser/design/index.html.en 1429) only after the user has specifically enabled plugins. Flash is the only plugin
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1430) available, the rest are entirely
projects/torbrowser/design/index.html.en 1431) blocked from loading by the Firefox patches mentioned in the <a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience">Proxy Obedience
projects/torbrowser/design/index.html.en 1432) section</a>. We also set the Firefox
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1433) preference <span class="command"><strong>plugin.expose_full_path</strong></span> to false, to avoid
projects/torbrowser/design/index.html.en 1434) leaking plugin installation information.
projects/torbrowser/design/index.html.en 1435)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1436) </p></li><li class="listitem"><span class="command"><strong>HTML5 Canvas Image Extraction</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1437)
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1438) After plugins and plugin-provided information, we believe that the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5
projects/torbrowser/design/index.html.en 1439) Canvas</a> is the single largest fingerprinting threat browsers face
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1440) today. <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/canvas.pdf" target="_top">
projects/torbrowser/design/index.html.en 1441) Studies</a> <a class="ulink" href="https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf" target="_top">show</a> that the Canvas can provide an easy-access fingerprinting
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1442) target: The adversary simply renders WebGL, font, and named color data to a
projects/torbrowser/design/index.html.en 1443) Canvas element, extracts the image buffer, and computes a hash of that image
projects/torbrowser/design/index.html.en 1444) data. Subtle differences in the video card, font packs, and even font and
projects/torbrowser/design/index.html.en 1445) graphics library versions allow the adversary to produce a stable, simple,
projects/torbrowser/design/index.html.en 1446) high-entropy fingerprint of a computer. In fact, the hash of the rendered
projects/torbrowser/design/index.html.en 1447) image can be used almost identically to a tracking cookie by the web server.
projects/torbrowser/design/index.html.en 1448)
projects/torbrowser/design/index.html.en 1449) </p><p>
projects/torbrowser/design/index.html.en 1450)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1451) In some sense, the canvas can be seen as the union of many other
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1452) fingerprinting vectors. If WebGL is normalized through software rendering,
projects/torbrowser/design/index.html.en 1453) system colors were standardized, and the browser shipped a fixed collection of
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1454) fonts (see later points in this list), it might not be necessary to create a
projects/torbrowser/design/index.html.en 1455) canvas permission. However, until then, to reduce the threat from this vector,
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1456) we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=526e6d0bc5c68d8c409cbaefc231c71973d949cc" target="_top">prompt before returning valid image data</a> to the Canvas APIs,
projects/torbrowser/design/index.html.en 1457) and for access to isPointInPath and related functions. Moreover, we put media
projects/torbrowser/design/index.html.en 1458) streams on a canvas behind the site permission in that patch as well.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1459) If the user hasn't previously allowed the site in the URL bar to access Canvas
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1460) image data, pure white image data is returned to the JavaScript APIs.
projects/torbrowser/design/index.html.en 1461) Extracting canvas image data by third parties is not allowed, though.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1462)
projects/torbrowser/design/index.html.en 1463) </p><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1464) </p></li><li class="listitem"><span class="command"><strong>Open TCP Port and Local Network Fingerprinting</strong></span><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1465)
projects/torbrowser/design/index.html.en 1466) In Firefox, by using either WebSockets or XHR, it is possible for remote
projects/torbrowser/design/index.html.en 1467) content to <a class="ulink" href="http://www.andlabs.org/tools/jsrecon.html" target="_top">enumerate
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1468) the list of TCP ports open on 127.0.0.1</a>, as well as on any other
projects/torbrowser/design/index.html.en 1469) machines on the local network. In other browsers, this can be accomplished by
projects/torbrowser/design/index.html.en 1470) DOM events on image or script tags. This open vs filtered vs closed port list
projects/torbrowser/design/index.html.en 1471) can provide a very unique fingerprint of a machine, because it essentially
projects/torbrowser/design/index.html.en 1472) enables the detection of many different popular third party applications and
projects/torbrowser/design/index.html.en 1473) optional system services (Skype, Bitcoin, Bittorrent and other P2P software,
projects/torbrowser/design/index.html.en 1474) SSH ports, SMB and related LAN services, CUPS and printer daemon config ports,
projects/torbrowser/design/index.html.en 1475) mail servers, and so on). It is also possible to determine when ports are
projects/torbrowser/design/index.html.en 1476) closed versus filtered/blocked (and thus probe custom firewall configuration).
projects/torbrowser/design/index.html.en 1477)
projects/torbrowser/design/index.html.en 1478) </p><p>
projects/torbrowser/design/index.html.en 1479)
projects/torbrowser/design/index.html.en 1480) In Tor Browser, we prevent access to 127.0.0.1/localhost by ensuring that even
projects/torbrowser/design/index.html.en 1481) these requests are still sent by Firefox to our SOCKS proxy (ie we set
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1482) <span class="command"><strong>network.proxy.no_proxies_on</strong></span> to the empty string). The local
projects/torbrowser/design/index.html.en 1483) Tor client then rejects them, since it is configured to proxy for internal IP
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1484) addresses by default. Access to the local network is forbidden via the same
|
One more TBB design doc upd...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1485) mechanism. We also disable the WebRTC API as mentioned previously, since even
projects/torbrowser/design/index.html.en 1486) if it were usable over Tor, it still currently provides the local IP address
projects/torbrowser/design/index.html.en 1487) and associated network information to websites.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1488)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1489) </p></li><li class="listitem"><span class="command"><strong>Invasive Authentication Mechanisms (NTLM and SPNEGO)</strong></span><p>
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1490)
projects/torbrowser/design/index.html.en 1491) Both NTLM and SPNEGO authentication mechanisms can leak the hostname, and in
projects/torbrowser/design/index.html.en 1492) some cases the current username. The only reason why these aren't a more
projects/torbrowser/design/index.html.en 1493) serious problem is that they typically involve user interaction, and likely
projects/torbrowser/design/index.html.en 1494) aren't an attractive vector for this reason. However, because it is not clear
projects/torbrowser/design/index.html.en 1495) if certain carefully-crafted error conditions in these protocols could cause
projects/torbrowser/design/index.html.en 1496) them to reveal machine information and still fail silently prior to the
projects/torbrowser/design/index.html.en 1497) password prompt, these authentication mechanisms should either be disabled, or
projects/torbrowser/design/index.html.en 1498) placed behind a site permission before their use. We simply disable them.
projects/torbrowser/design/index.html.en 1499)
|
One more TBB design doc upd...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1500) </p></li><li class="listitem"><span class="command"><strong>USB Device ID Enumeration via the GamePad API</strong></span><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1501)
projects/torbrowser/design/index.html.en 1502) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/API/Gamepad" target="_top">GamePad
projects/torbrowser/design/index.html.en 1503) API</a> provides web pages with the <a class="ulink" href="https://dvcs.w3.org/hg/gamepad/raw-file/default/gamepad.html#widl-Gamepad-id" target="_top">USB
projects/torbrowser/design/index.html.en 1504) device id, product id, and driver name</a> of all connected game
|
One more TBB design doc upd...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1505) controllers, as well as detailed information about their capabilities.
projects/torbrowser/design/index.html.en 1506) </p><p>
projects/torbrowser/design/index.html.en 1507)
projects/torbrowser/design/index.html.en 1508) It's our opinion that this API needs to be completely redesigned to provide an
projects/torbrowser/design/index.html.en 1509) abstract notion of a game controller rather than offloading all of the
projects/torbrowser/design/index.html.en 1510) complexity associated with handling specific game controller models to web
projects/torbrowser/design/index.html.en 1511) content authors. For systems without a game controller, a standard controller
projects/torbrowser/design/index.html.en 1512) can be virtualized through the keyboard, which will serve to both improve
projects/torbrowser/design/index.html.en 1513) usability by normalizing user interaction with different games, as well as
projects/torbrowser/design/index.html.en 1514) eliminate fingerprinting vectors. Barring that, this API should be behind a
projects/torbrowser/design/index.html.en 1515) site permission in Private Browsing Modes. For now though, we simply disable
projects/torbrowser/design/index.html.en 1516) it via the pref <span class="command"><strong>dom.gamepad.enabled</strong></span>.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1517)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1518) </p></li><li class="listitem"><span class="command"><strong>Fonts</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1519)
projects/en/torbrowser/design/index.html.en 1520) According to the Panopticlick study, fonts provide the most linkability when
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1521) they are provided as an enumerable list in file system order, via either the
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1522) Flash or Java plugins. However, it is still possible to use CSS and/or
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1523) JavaScript to query for the existence of specific fonts. With a large enough
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1524) pre-built list to query, a large amount of fingerprintable information may
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1525) still be available, especially given that additional fonts often end up
projects/torbrowser/design/index.html.en 1526) installed by third party software and for multilingual support.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1527)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1528) </p><p><span class="command"><strong>Design Goal:</strong></span>Font-based fingerprinting MUST be rendered ineffective</p><p><span class="command"><strong>Implementation Status:</strong></span>
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1529)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1530) We <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/13313" target="_top">investigated
projects/torbrowser/design/index.html.en 1531) </a>shipping a predefined set of fonts to all of our users allowing only
projects/torbrowser/design/index.html.en 1532) those fonts to be used by websites at the exclusion of system fonts. We are
projects/torbrowser/design/index.html.en 1533) currently following this approach, which has been <a class="ulink" href="https://www.bamsoftware.com/papers/fontfp.pdf" target="_top">
projects/torbrowser/design/index.html.en 1534) suggested</a> <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/canvas.pdf" target="_top">by
projects/torbrowser/design/index.html.en 1535) researchers</a> previously. This defense is available for all three
projects/torbrowser/design/index.html.en 1536) supported platforms: Windows, macOS, and Linux, although the implementations
projects/torbrowser/design/index.html.en 1537) vary in detail.
projects/torbrowser/design/index.html.en 1538)
projects/torbrowser/design/index.html.en 1539) </p><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1540)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1541) For Windows and macOS we use a preference, <span class="command"><strong>font.system.whitelist</strong></span>,
projects/torbrowser/design/index.html.en 1542) to restrict fonts being used to those in the whitelist. This functionality is
projects/torbrowser/design/index.html.en 1543) provided <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=80d233db514a556d7255034ae057b138527cb2ea" target="_top">by a Firefox patch</a>.
projects/torbrowser/design/index.html.en 1544) The whitelist for Windows and macOS contains both a set of
projects/torbrowser/design/index.html.en 1545) <a class="ulink" href="https://www.google.com/get/noto" target="_top">Noto fonts</a> which we bundle
projects/torbrowser/design/index.html.en 1546) and fonts provided by the operating system. For Linux systems we only bundle
projects/torbrowser/design/index.html.en 1547) fonts and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?id=b88443f6d8af62f763b069eb15e008a46d9b468a" target="_top">
projects/torbrowser/design/index.html.en 1548) deploy </a> a <span class="command"><strong>fonts.conf</strong></span> file to restrict the browser to
projects/torbrowser/design/index.html.en 1549) use those fonts exclusively. In addition to that we set the <span class="command"><strong>font.name*
projects/torbrowser/design/index.html.en 1550) </strong></span> preferences for macOS and Linux to make sure that a given code point
projects/torbrowser/design/index.html.en 1551) is always displayed with the same font. This is not guaranteed even if we bundle
projects/torbrowser/design/index.html.en 1552) all the fonts Tor Browser uses as it can happen that fonts are loaded in a
projects/torbrowser/design/index.html.en 1553) different order on different systems. Setting the above mentioned preferences
projects/torbrowser/design/index.html.en 1554) works around this issue by specifying the font to use explicitely.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1555)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1556) </p><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1557)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1558) Allowing fonts provided by the operating system for Windows and macOS users is
projects/torbrowser/design/index.html.en 1559) currently a compromise between fingerprintability resistance and usability
projects/torbrowser/design/index.html.en 1560) concerns. We are still investigating the right balance between them and have
projects/torbrowser/design/index.html.en 1561) created a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18097" target="_top">
projects/torbrowser/design/index.html.en 1562) ticket in our bug tracker</a> to summarize the current state of our defense
projects/torbrowser/design/index.html.en 1563) and future work that remains to be done.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1564)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1565) </p></li><li class="listitem"><span class="command"><strong>Monitor, Widget, and OS Desktop Resolution</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1566)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1567) Both CSS and JavaScript have access to a lot of information about the screen
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1568) resolution, usable desktop size, OS widget size, toolbar size, title bar size,
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1569) and OS desktop widget sizing information that are not at all relevant to
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1570) rendering and serve only to provide information for fingerprinting. Since many
projects/torbrowser/design/index.html.en 1571) aspects of desktop widget positioning and size are user configurable, these
projects/torbrowser/design/index.html.en 1572) properties yield customized information about the computer, even beyond the
projects/torbrowser/design/index.html.en 1573) monitor size.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1574)
projects/en/torbrowser/design/index.html.en 1575) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1576)
projects/en/torbrowser/design/index.html.en 1577) Our design goal here is to reduce the resolution information down to the bare
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1578) minimum required for properly rendering inside a content window. We intend to
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1579) report all rendering information correctly with respect to the size and
projects/en/torbrowser/design/index.html.en 1580) properties of the content window, but report an effective size of 0 for all
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1581) border material, and also report that the desktop is only as big as the inner
projects/torbrowser/design/index.html.en 1582) content window. Additionally, new browser windows are sized such that their
projects/torbrowser/design/index.html.en 1583) content windows are one of a few fixed sizes based on the user's desktop
projects/torbrowser/design/index.html.en 1584) resolution. In addition, to further reduce resolution-based fingerprinting, we
projects/torbrowser/design/index.html.en 1585) are <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7256" target="_top">investigating
projects/torbrowser/design/index.html.en 1586) zoom/viewport-based mechanisms</a> that might allow us to always report the
projects/torbrowser/design/index.html.en 1587) same desktop resolution regardless of the actual size of the content window,
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1588) and simply scale to make up the difference. As an alternative to zoom-based
projects/torbrowser/design/index.html.en 1589) solutions we are testing a
projects/torbrowser/design/index.html.en 1590) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/14429" target="_top">different
projects/torbrowser/design/index.html.en 1591) approach</a> in our alpha series that tries to round the browser window at
projects/torbrowser/design/index.html.en 1592) all times to a multiple 200x100 pixels. Regardless which solution we finally
projects/torbrowser/design/index.html.en 1593) pick, until it will be available the user should also be informed that
projects/torbrowser/design/index.html.en 1594) maximizing their windows can lead to fingerprintability under the current scheme.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1595)
projects/en/torbrowser/design/index.html.en 1596) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1597)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1598) We automatically resize new browser windows to a 200x100 pixel multiple <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7b3e68bd7172d4f3feac11e74c65b06729a502b2" target="_top">based
projects/torbrowser/design/index.html.en 1599) on desktop resolution</a> which is provided by a Firefox patch. To minimize
projects/torbrowser/design/index.html.en 1600) the effect of the long tail of large monitor sizes, we also cap the window size
projects/torbrowser/design/index.html.en 1601) at 1000 pixels in each direction. In addition to that we set
projects/torbrowser/design/index.html.en 1602) <span class="command"><strong>privacy.resistFingerprinting</strong></span>
projects/torbrowser/design/index.html.en 1603) to <span class="command"><strong>true</strong></span> to use the client content window size for
projects/torbrowser/design/index.html.en 1604) window.screen, and to report a window.devicePixelRatio of 1.0. Similarly,
projects/torbrowser/design/index.html.en 1605) we use that preference to return content window relative points for DOM events.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1606)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1607) We also force popups to open in new tabs (via
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1608) <span class="command"><strong>browser.link.open_newwindow.restriction</strong></span>), to avoid
projects/torbrowser/design/index.html.en 1609) full-screen popups inferring information about the browser resolution. In
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1610) addition, we prevent auto-maximizing on browser start, and inform users that
projects/torbrowser/design/index.html.en 1611) maximized windows are detrimental to privacy in this mode.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1612)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1613) </p></li><li class="listitem"><span class="command"><strong>Display Media information</strong></span><p>
|
Update design doc to descri...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1614)
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1615) Beyond simple resolution information, a large amount of so-called "Media"
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1616) information is also exported to content. Even without JavaScript, CSS has
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1617) access to a lot of information about the device orientation, system theme
|
More fingerprinting clarifi...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1618) colors, and other desktop and display features that are not at all relevant to
projects/torbrowser/design/index.html.en 1619) rendering and also user configurable. Most of this
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1620) information comes from <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries" target="_top">CSS
projects/torbrowser/design/index.html.en 1621) Media Queries</a>, but Mozilla has exposed <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors" target="_top">several
projects/torbrowser/design/index.html.en 1622) user and OS theme defined color values</a> to CSS as well.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1623)
projects/torbrowser/design/index.html.en 1624) </p><p><span class="command"><strong>Design Goal:</strong></span>
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1625)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1626) A website MUST NOT be able infer anything that the user has configured about
projects/torbrowser/design/index.html.en 1627) their computer. Additionally, it SHOULD NOT be able to infer machine-specific
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1628) details such as screen orientation or type.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1629)
projects/torbrowser/design/index.html.en 1630) </p><p><span class="command"><strong>Implementation Status:</strong></span>
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1631)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1632) We set <span class="command"><strong>ui.use_standins_for_native_colors</strong></span> to <span class="command"><strong>true
projects/torbrowser/design/index.html.en 1633) </strong></span> and provide a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=c6be9ba561a69250c7d5926d90e0112091453643" target="_top">Firefox patch</a>
projects/torbrowser/design/index.html.en 1634) to report a fixed set of system colors to content window CSS, and prevent
projects/torbrowser/design/index.html.en 1635) detection of font smoothing on macOS with the help of
projects/torbrowser/design/index.html.en 1636) <span class="command"><strong>privacy.resistFingerprinting</strong></span>. We also always
projects/torbrowser/design/index.html.en 1637) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=5a159c6bfa310b4339555de389ac16cf8e13b3f5" target="_top">
projects/torbrowser/design/index.html.en 1638) report landscape-primary</a> for the <a class="ulink" href="https://w3c.github.io/screen-orientation/" target="_top">screen orientation</a>.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1639)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1640) </p></li><li class="listitem"><span class="command"><strong>WebGL</strong></span><p>
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1641)
projects/torbrowser/design/index.html.en 1642) WebGL is fingerprintable both through information that is exposed about the
projects/torbrowser/design/index.html.en 1643) underlying driver and optimizations, as well as through performance
projects/torbrowser/design/index.html.en 1644) fingerprinting.
projects/torbrowser/design/index.html.en 1645)
projects/torbrowser/design/index.html.en 1646) </p><p>
projects/torbrowser/design/index.html.en 1647)
projects/torbrowser/design/index.html.en 1648) Because of the large amount of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/" target="_top">previously unexposed
projects/torbrowser/design/index.html.en 1649) vulnerability surface</a>, we deploy a similar strategy against WebGL as
projects/torbrowser/design/index.html.en 1650) for plugins. First, WebGL Canvases have click-to-play placeholders (provided
projects/torbrowser/design/index.html.en 1651) by NoScript), and do not run until authorized by the user. Second, we
projects/torbrowser/design/index.html.en 1652) obfuscate driver information by setting the Firefox preferences
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1653) <span class="command"><strong>webgl.disable-extensions</strong></span>,
projects/torbrowser/design/index.html.en 1654) <span class="command"><strong>webgl.min_capability_mode</strong></span>, and
projects/torbrowser/design/index.html.en 1655) <span class="command"><strong>webgl.disable-fail-if-major-performance-caveat</strong></span> which reduce
projects/torbrowser/design/index.html.en 1656) the information provided by the following WebGL API calls:
projects/torbrowser/design/index.html.en 1657) <span class="command"><strong>getParameter()</strong></span>, <span class="command"><strong>getSupportedExtensions()</strong></span>,
projects/torbrowser/design/index.html.en 1658) and <span class="command"><strong>getExtension()</strong></span>. To make the minimal WebGL mode usable we
projects/torbrowser/design/index.html.en 1659) additionally <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7b0caa1224c3417754d688344eacc97fbbabf7d5" target="_top">
projects/torbrowser/design/index.html.en 1660) normalize its properties with a Firefox patch</a>.
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1661)
projects/torbrowser/design/index.html.en 1662) </p><p>
projects/torbrowser/design/index.html.en 1663)
projects/torbrowser/design/index.html.en 1664) Another option for WebGL might be to use software-only rendering, using a
projects/torbrowser/design/index.html.en 1665) library such as <a class="ulink" href="http://www.mesa3d.org/" target="_top">Mesa</a>. The use of
projects/torbrowser/design/index.html.en 1666) such a library would avoid hardware-specific rendering differences.
projects/torbrowser/design/index.html.en 1667)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1668) </p></li><li class="listitem"><span class="command"><strong>MediaDevices API</strong></span><p>
projects/torbrowser/design/index.html.en 1669) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices" target="_top">
projects/torbrowser/design/index.html.en 1670) MediaDevices API</a> provides access to connected media input devices like
projects/torbrowser/design/index.html.en 1671) cameras and microphones, as well as screen sharing. In particular, it allows web
projects/torbrowser/design/index.html.en 1672) content to easily enumerate those devices with <span class="command"><strong>
projects/torbrowser/design/index.html.en 1673) MediaDevices.enumerateDevices()</strong></span>. This relies on WebRTC being compiled
projects/torbrowser/design/index.html.en 1674) in which we currently don't do. Nevertheless, we disable this feature for now as
projects/torbrowser/design/index.html.en 1675) a defense-in-depth by setting <span class="command"><strong>media.peerconnection.enabled</strong></span> and
projects/torbrowser/design/index.html.en 1676) <span class="command"><strong>media.navigator.enabled</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en 1677) </p></li><li class="listitem"><span class="command"><strong>MIME Types</strong></span><p>
projects/torbrowser/design/index.html.en 1678)
projects/torbrowser/design/index.html.en 1679) Which MIME Types are registered with an operating system depends to a great deal
projects/torbrowser/design/index.html.en 1680) on the application software and/or drivers a user chose to install. Web pages
projects/torbrowser/design/index.html.en 1681) can not only estimate the amount of MIME types registered by checking
projects/torbrowser/design/index.html.en 1682) <span class="command"><strong>navigator.mimetypes.length</strong></span>. Rather, they are even able to
projects/torbrowser/design/index.html.en 1683) test whether particular MIME types are available which can have a non-negligible
projects/torbrowser/design/index.html.en 1684) impact on a user's fingerprint. We prevent both of these information leaks with
projects/torbrowser/design/index.html.en 1685) a direct <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=38999857761196b0b7f59f49ee93ae13f73c6149" target="_top">Firefox patch</a>.
projects/torbrowser/design/index.html.en 1686)
projects/torbrowser/design/index.html.en 1687) </p></li><li class="listitem"><span class="command"><strong>System Uptime</strong></span><p>
projects/torbrowser/design/index.html.en 1688)
projects/torbrowser/design/index.html.en 1689) It is possible to get the system uptime of a Tor Browser user by querying the
projects/torbrowser/design/index.html.en 1690) <span class="command"><strong>Event.timestamp</strong></span> property. We avoid this by setting <span class="command"><strong>
projects/torbrowser/design/index.html.en 1691) dom.event.highrestimestamp.enabled</strong></span> to <span class="command"><strong>true</strong></span>.
projects/torbrowser/design/index.html.en 1692)
projects/torbrowser/design/index.html.en 1693) </p></li><li class="listitem"><span class="command"><strong>Keyboard Layout Fingerprinting</strong></span><p>
projects/torbrowser/design/index.html.en 1694)
projects/torbrowser/design/index.html.en 1695) <span class="command"><strong>KeyboardEvent</strong></span>s provide a way for a website to find out
projects/torbrowser/design/index.html.en 1696) information about the keyboard layout of its visitors. In fact there are <a class="ulink" href="https://developers.google.com/web/updates/2016/04/keyboardevent-keys-codes" target="_top">
projects/torbrowser/design/index.html.en 1697) several dimensions</a> to this fingerprinting vector. The <span class="command"><strong>
projects/torbrowser/design/index.html.en 1698) KeyboardEvent.code</strong></span> property represents a physical key that can't be
projects/torbrowser/design/index.html.en 1699) changed by the keyboard layout nor by the modifier state. On the other hand the
projects/torbrowser/design/index.html.en 1700) <span class="command"><strong>KeyboardEvent.key</strong></span> property contains the character that is
projects/torbrowser/design/index.html.en 1701) generated by that key. This is dependent on things like keyboard layout, locale
projects/torbrowser/design/index.html.en 1702) and modifier keys.
projects/torbrowser/design/index.html.en 1703)
projects/torbrowser/design/index.html.en 1704) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 1705)
projects/torbrowser/design/index.html.en 1706) Websites MUST NOT be able to infer any information about the keyboard of a Tor
projects/torbrowser/design/index.html.en 1707) Browser user.
projects/torbrowser/design/index.html.en 1708)
projects/torbrowser/design/index.html.en 1709) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 1710)
projects/torbrowser/design/index.html.en 1711) We provide <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a65b5269ff04e4fbbb3689e2adf853543804ffbf" target="_top">two</a>
projects/torbrowser/design/index.html.en 1712) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=383b8e7e073ea79e70f19858efe1c5fde64b99cf" target="_top">Firefox patches</a> that
projects/torbrowser/design/index.html.en 1713) take care of spoofing <span class="command"><strong>KeyboardEvent.code</strong></span> and <span class="command"><strong>
projects/torbrowser/design/index.html.en 1714) KeyboardEvent.keyCode</strong></span> by providing consensus (US-English-style) fake
projects/torbrowser/design/index.html.en 1715) properties. This is achieved by hiding the user's use of the numpad, and any
projects/torbrowser/design/index.html.en 1716) non-QWERTY US English keyboard. Characters from non-en-US languages
projects/torbrowser/design/index.html.en 1717) are currently returning an empty <span class="command"><strong>KeyboardEvent.code</strong></span> and a
projects/torbrowser/design/index.html.en 1718) <span class="command"><strong>KeyboardEvent.keyCode</strong></span> of <span class="command"><strong>0</strong></span>. Moreover,
projects/torbrowser/design/index.html.en 1719) neither <span class="command"><strong>Alt</strong></span> or <span class="command"><strong>Shift</strong></span>, or
projects/torbrowser/design/index.html.en 1720) <span class="command"><strong>AltGr</strong></span> keyboard events are reported to content.
projects/torbrowser/design/index.html.en 1721) </p></li><li class="listitem"><span class="command"><strong>User Agent and HTTP Headers</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
|
Update design doc to descri...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1722)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1723) All Tor Browser users MUST provide websites with an identical user agent and
projects/torbrowser/design/index.html.en 1724) HTTP header set for a given request type. We omit the Firefox minor revision,
projects/torbrowser/design/index.html.en 1725) and report a popular Windows platform. If the software is kept up to date,
projects/torbrowser/design/index.html.en 1726) these headers should remain identical across the population even when updated.
projects/torbrowser/design/index.html.en 1727)
projects/torbrowser/design/index.html.en 1728) </p><p><span class="command"><strong>Implementation Status:</strong></span>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1729)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1730) Firefox provides several options for controlling the browser user agent string
projects/torbrowser/design/index.html.en 1731) which we leverage. We also set similar prefs for controlling the
projects/torbrowser/design/index.html.en 1732) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1733) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=848da9cdb2b7c09dc8ec335d687f535fc5c87a67" target="_top">remove
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1734) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1735) used</a> to fingerprint OS, platform, and Firefox minor version. </p></li><li class="listitem"><span class="command"><strong>Timing-based Side Channels</strong></span><p>
projects/torbrowser/design/index.html.en 1736) Attacks based on timing side channels are nothing new in the browser context.
projects/torbrowser/design/index.html.en 1737) <a class="ulink" href="http://sip.cs.princeton.edu/pub/webtiming.pdf" target="_top">Cache-based</a>,
projects/torbrowser/design/index.html.en 1738) <a class="ulink" href="https://www.abortz.net/papers/timingweb.pdf" target="_top">cross-site timing</a>,
projects/torbrowser/design/index.html.en 1739) and <a class="ulink" href="https://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf" target="_top">
projects/torbrowser/design/index.html.en 1740) pixel stealing</a>, to name just a few, got investigated in the past.
projects/torbrowser/design/index.html.en 1741) While their fingerprinting potential varies all timing-based attacks have in
projects/torbrowser/design/index.html.en 1742) common that they need sufficiently fine-grained clocks.
projects/torbrowser/design/index.html.en 1743) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 1744)
projects/torbrowser/design/index.html.en 1745) Websites MUST NOT be able to fingerprint a Tor Browser user by exploiting
projects/torbrowser/design/index.html.en 1746) timing-based side channels.
projects/torbrowser/design/index.html.en 1747)
projects/torbrowser/design/index.html.en 1748) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 1749)
projects/torbrowser/design/index.html.en 1750) The cleanest solution to timing-based side channels would be to get rid of them.
projects/torbrowser/design/index.html.en 1751) However, this does not seem to be trivial even considering just a
projects/torbrowser/design/index.html.en 1752) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=711043" target="_top">single</a>
projects/torbrowser/design/index.html.en 1753) <a class="ulink" href="https://cseweb.ucsd.edu/~dkohlbre/papers/subnormal.pdf" target="_top">side channel</a>.
projects/torbrowser/design/index.html.en 1754) Thus, we rely on disabling all possible timing sources or making them
projects/torbrowser/design/index.html.en 1755) coarse-grained enough in order to render timing side channels unsuitable as a
projects/torbrowser/design/index.html.en 1756) means for fingerprinting browser users.
projects/torbrowser/design/index.html.en 1757)
projects/torbrowser/design/index.html.en 1758) </p><p>
projects/torbrowser/design/index.html.en 1759)
projects/torbrowser/design/index.html.en 1760) We set <span class="command"><strong>dom.enable_user_timing</strong></span> and
projects/torbrowser/design/index.html.en 1761) <span class="command"><strong>dom.enable_resource_timing</strong></span> to <span class="command"><strong>false</strong></span> to
projects/torbrowser/design/index.html.en 1762) disable these explicit timing sources. Furthermore, we clamp the resolution of
projects/torbrowser/design/index.html.en 1763) explicit clocks to 100ms <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=1febc98f7ae5dbec845567415bd5b703ee45d774" target="_top">with a Firefox patch</a>.
projects/torbrowser/design/index.html.en 1764)
projects/torbrowser/design/index.html.en 1765) This includes <span class="command"><strong>performance.now()</strong></span>, <span class="command"><strong>new Date().getTime()
projects/torbrowser/design/index.html.en 1766) </strong></span>, <span class="command"><strong>audioContext.currentTime</strong></span>, <span class="command"><strong>
projects/torbrowser/design/index.html.en 1767) canvasStream.currentTime</strong></span>, <span class="command"><strong>video.currentTime</strong></span>,
projects/torbrowser/design/index.html.en 1768) <span class="command"><strong>audio.currentTime</strong></span>, <span class="command"><strong>new File([], "").lastModified
projects/torbrowser/design/index.html.en 1769) </strong></span>, and <span class="command"><strong>new File([], "").lastModifiedDate.getTime()</strong></span>.
projects/torbrowser/design/index.html.en 1770)
projects/torbrowser/design/index.html.en 1771) </p><p>
projects/torbrowser/design/index.html.en 1772)
projects/torbrowser/design/index.html.en 1773) While clamping the clock resolution to 100ms is a step towards neutering the
projects/torbrowser/design/index.html.en 1774) timing-based side channel fingerprinting, it is by no means sufficient. It turns
projects/torbrowser/design/index.html.en 1775) out that it is possible to subvert our clamping of explicit clocks by using
projects/torbrowser/design/index.html.en 1776) <a class="ulink" href="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kohlbrenner.pdf" target="_top">
projects/torbrowser/design/index.html.en 1777) implicit ones</a>, e.g. extrapolating the true time by running a busy loop
projects/torbrowser/design/index.html.en 1778) with a predictable operation in it. We are tracking
projects/torbrowser/design/index.html.en 1779) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/16110" target="_top">this problem
projects/torbrowser/design/index.html.en 1780) </a> in our bug tracker and are working with the research community and
projects/torbrowser/design/index.html.en 1781) Mozilla to develop and test a proper solution to this part of our defense
projects/torbrowser/design/index.html.en 1782) against timing-based side channel fingerprinting risks.
projects/torbrowser/design/index.html.en 1783)
projects/torbrowser/design/index.html.en 1784) </p></li><li class="listitem"><span class="command"><strong>resource:// and chrome:// URIs Leaks</strong></span><p>
projects/torbrowser/design/index.html.en 1785) Due to <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=863246" target="_top">bugs
projects/torbrowser/design/index.html.en 1786) </a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1120398" target="_top">
projects/torbrowser/design/index.html.en 1787) in Firefox</a> it is possible to detect the locale and the platform of a
projects/torbrowser/design/index.html.en 1788) Tor Browser user. Moreover, it is possible to find out the extensions a user has
projects/torbrowser/design/index.html.en 1789) installed. This is done by including resource:// and/or chrome:// URIs into
projects/torbrowser/design/index.html.en 1790) web content which point to resources included in Tor Browser itself or in
projects/torbrowser/design/index.html.en 1791) installed extensions.
projects/torbrowser/design/index.html.en 1792) </p><p>
projects/torbrowser/design/index.html.en 1793)
projects/torbrowser/design/index.html.en 1794) We believe that it should be impossible for web content to extract information
projects/torbrowser/design/index.html.en 1795) out of a Tor Browser user by deploying resource:// and/or chrome:// URIs. Until
projects/torbrowser/design/index.html.en 1796) this is fixed in Firefox <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/content-policy.js" target="_top">
projects/torbrowser/design/index.html.en 1797) we filter</a> resource:// and chrome:// requests done
projects/torbrowser/design/index.html.en 1798) by web content denying them by default. We need a whitelist of resource:// and
projects/torbrowser/design/index.html.en 1799) chrome:// URIs, though, to avoid breaking parts of Firefox. Those nearly a
projects/torbrowser/design/index.html.en 1800) dozen Firefox resources do not aid in fingerprinting Tor Browser users as they
projects/torbrowser/design/index.html.en 1801) are not different on the platforms and in the locales we support.
projects/torbrowser/design/index.html.en 1802)
projects/torbrowser/design/index.html.en 1803) </p></li><li class="listitem"><span class="command"><strong>Locale Fingerprinting</strong></span><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1804)
projects/torbrowser/design/index.html.en 1805) In Tor Browser, we provide non-English users the option of concealing their OS
projects/torbrowser/design/index.html.en 1806) and browser locale from websites. It is debatable if this should be as high of
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1807) a priority as information specific to the user's computer, but for completeness,
projects/torbrowser/design/index.html.en 1808) we attempt to maintain this property.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1809)
projects/torbrowser/design/index.html.en 1810) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 1811)
projects/torbrowser/design/index.html.en 1812) We set the fallback character set to set to windows-1252 for all locales, via
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1813) <span class="command"><strong>intl.charset.default</strong></span>. We also set
projects/torbrowser/design/index.html.en 1814) <span class="command"><strong>javascript.use_us_english_locale</strong></span> to <span class="command"><strong>true</strong></span>
projects/torbrowser/design/index.html.en 1815) to instruct the JS engine to use en-US as its internal C locale for all Date,
projects/torbrowser/design/index.html.en 1816) Math, and exception handling. Additionally, we provide a patch to use an
projects/torbrowser/design/index.html.en 1817) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=0080b2d6bafcbfb8a57f54a26e53d7f74d239389" target="_top">
projects/torbrowser/design/index.html.en 1818) en-US label for the <span class="command"><strong>isindex</strong></span> HTML element</a> instead of
projects/torbrowser/design/index.html.en 1819) letting the label leak the browser's UI locale.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1820) </p></li><li class="listitem"><span class="command"><strong>Timezone and Clock Offset</strong></span><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1821)
projects/torbrowser/design/index.html.en 1822) While the latency in Tor connections varies anywhere from milliseconds to
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1823) a few seconds, it is still possible for the remote site to detect large
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1824) differences between the user's clock and an official reference time source.
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1825)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1826) </p><p><span class="command"><strong>Design Goal:</strong></span>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1827)
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1828) All Tor Browser users MUST report the same timezone to websites. Currently, we
projects/torbrowser/design/index.html.en 1829) choose UTC for this purpose, although an equally valid argument could be made
projects/torbrowser/design/index.html.en 1830) for EDT/EST due to the large English-speaking population density (coupled with
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1831) the fact that we spoof a US English user agent). Additionally, the Tor
|
Update TBB design doc with...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 1832) software should detect if the users clock is significantly divergent from the
projects/torbrowser/design/index.html.en 1833) clocks of the relays that it connects to, and use this to reset the clock
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1834) values used in Tor Browser to something reasonably accurate. Alternatively,
projects/torbrowser/design/index.html.en 1835) the browser can obtain this clock skew via a mechanism similar to that used in
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1836) <a class="ulink" href="https://github.com/ioerror/tlsdate" target="_top">tlsdate</a>.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1837)
projects/en/torbrowser/design/index.html.en 1838) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1839)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1840) We <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=0ee3aa4cbeb1be3301d8960d0cf3a64831ea6d1b" target="_top">
projects/torbrowser/design/index.html.en 1841) set the timezone to UTC</a> with a Firefox patch using the TZ environment
projects/torbrowser/design/index.html.en 1842) variable, which is supported on all platforms. Moreover, with an additional
projects/torbrowser/design/index.html.en 1843) patch just needed for the Windows platform, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=bdd0303a78347d17250950a4cf858de556afb1c7" target="_top">
projects/torbrowser/design/index.html.en 1844) we make sure</a> the TZ environment variable is respected by the
projects/torbrowser/design/index.html.en 1845) <a class="ulink" href="http://site.icu-project.org/" target="_top">ICU library</a> as well.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1846)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1847) </p></li><li class="listitem"><span class="command"><strong>JavaScript Performance Fingerprinting</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1848)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1849) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">JavaScript performance
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1850) fingerprinting</a> is the act of profiling the performance
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1851) of various JavaScript functions for the purpose of fingerprinting the
projects/torbrowser/design/index.html.en 1852) JavaScript engine and the CPU.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1853)
projects/en/torbrowser/design/index.html.en 1854) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1855)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1856) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1857) mitigation approaches</a> to reduce the accuracy of performance
projects/en/torbrowser/design/index.html.en 1858) fingerprinting without risking too much damage to functionality. Our current
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1859) favorite is to reduce the resolution of the Event.timeStamp and the JavaScript
projects/torbrowser/design/index.html.en 1860) Date() object, while also introducing jitter. We believe that JavaScript time
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1861) resolution may be reduced all the way up to the second before it seriously
projects/torbrowser/design/index.html.en 1862) impacts site operation. Our goal with this quantization is to increase the
projects/torbrowser/design/index.html.en 1863) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found
projects/torbrowser/design/index.html.en 1864) that even with the default precision in most browsers, they required up to 120
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1865) seconds of amortization and repeated trials to get stable results from their
projects/en/torbrowser/design/index.html.en 1866) feature set. We intend to work with the research community to establish the
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1867) optimum trade-off between quantization+jitter and amortization time, as well
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1868) as identify highly variable JavaScript operations. As long as these attacks
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1869) take several seconds or more to execute, they are unlikely to be appealing to
projects/torbrowser/design/index.html.en 1870) advertisers, and are also very likely to be noticed if deployed against a
projects/torbrowser/design/index.html.en 1871) large number of people.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1872)
projects/en/torbrowser/design/index.html.en 1873) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1874)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1875) Currently, our mitigation against performance fingerprinting is to
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1876) disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/" target="_top">Navigation
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1877) Timing</a> through the Firefox preference
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1878) <span class="command"><strong>dom.enable_performance</strong></span>, and to disable the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties" target="_top">Mozilla
projects/torbrowser/design/index.html.en 1879) Video Statistics</a> API extensions via the preference
projects/torbrowser/design/index.html.en 1880) <span class="command"><strong>media.video_stats.enabled</strong></span>.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1881)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1882) </p></li><li class="listitem"><span class="command"><strong>Keystroke Fingerprinting</strong></span><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1883)
projects/en/torbrowser/design/index.html.en 1884) Keystroke fingerprinting is the act of measuring key strike time and key
projects/en/torbrowser/design/index.html.en 1885) flight time. It is seeing increasing use as a biometric.
projects/en/torbrowser/design/index.html.en 1886)
projects/en/torbrowser/design/index.html.en 1887) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1888)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1889) We intend to rely on the same mechanisms for defeating JavaScript performance
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1890) fingerprinting: timestamp quantization and jitter.
projects/en/torbrowser/design/index.html.en 1891)
projects/en/torbrowser/design/index.html.en 1892) </p><p><span class="command"><strong>Implementation Status:</strong></span>
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1893)
projects/torbrowser/design/index.html.en 1894) We clamp keyboard event resolution to 100ms with a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=1febc98f7ae5dbec845567415bd5b703ee45d774" target="_top">Firefox patch</a>.
projects/torbrowser/design/index.html.en 1895)
projects/torbrowser/design/index.html.en 1896) </p></li><li class="listitem"><span class="command"><strong>Connection State</strong></span><p>
projects/torbrowser/design/index.html.en 1897)
projects/torbrowser/design/index.html.en 1898) It is possible to monitor the connection state of a browser over time with
projects/torbrowser/design/index.html.en 1899) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine" target="_top">
projects/torbrowser/design/index.html.en 1900) navigator.onLine</a>. We prevent this by setting <span class="command"><strong>
projects/torbrowser/design/index.html.en 1901) network.manage-offline-status</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en 1902)
projects/torbrowser/design/index.html.en 1903) </p></li><li class="listitem"><span class="command"><strong>Reader View</strong></span><p>
projects/torbrowser/design/index.html.en 1904)
projects/torbrowser/design/index.html.en 1905) <a class="ulink" href="https://support.mozilla.org/t5/Basic-Browsing/Firefox-Reader-View-for-clutter-free-web-pages/ta-p/38466" target="_top">Reader View</a>
projects/torbrowser/design/index.html.en 1906) is a Firefox feature to view web pages clutter-free and easily adjusted to
projects/torbrowser/design/index.html.en 1907) own needs and preferences. To avoid fingerprintability risks we make Tor Browser
projects/torbrowser/design/index.html.en 1908) users uniform by setting <span class="command"><strong>reader.parse-on-load.enabled</strong></span> to
projects/torbrowser/design/index.html.en 1909) <span class="command"><strong>false</strong></span> and <span class="command"><strong>browser.reader.detectedFirstArticle</strong></span>
projects/torbrowser/design/index.html.en 1910) to <span class="command"><strong>true</strong></span>.
projects/torbrowser/design/index.html.en 1911)
projects/torbrowser/design/index.html.en 1912) </p></li><li class="listitem"><span class="command"><strong>Contacting Mozilla Services</strong></span><p>
projects/torbrowser/design/index.html.en 1913)
projects/torbrowser/design/index.html.en 1914) Tor Browser is based on Firefox which is a Mozilla product. Quite naturally,
projects/torbrowser/design/index.html.en 1915) Mozilla is interested in making users aware of new features and in gathering
projects/torbrowser/design/index.html.en 1916) information to learn about the most pressing needs Firefox users are facing.
projects/torbrowser/design/index.html.en 1917) This is often implemented by contacting Mozilla services, be it for displaying
projects/torbrowser/design/index.html.en 1918) further information about a new feature or by
projects/torbrowser/design/index.html.en 1919) <a class="ulink" href="https://wiki.mozilla.org/Telemetry" target="_top">sending (aggregated) data back
projects/torbrowser/design/index.html.en 1920) for analysis</a>. While some of those mechanisms are disabled by default on
projects/torbrowser/design/index.html.en 1921) release channels (gathering telemetry data comes to mind) others are not. We
projects/torbrowser/design/index.html.en 1922) make sure that non of those Mozilla services is contacted to avoid possible
projects/torbrowser/design/index.html.en 1923) fingerprinting risks.
projects/torbrowser/design/index.html.en 1924)
projects/torbrowser/design/index.html.en 1925) </p><p>
projects/torbrowser/design/index.html.en 1926)
projects/torbrowser/design/index.html.en 1927) In particular, we disable GeoIP-based search results by setting <span class="command"><strong>
projects/torbrowser/design/index.html.en 1928) browser.search.countryCode</strong></span> and <span class="command"><strong>browser.search.region
projects/torbrowser/design/index.html.en 1929) </strong></span> to <span class="command"><strong>US</strong></span> and <span class="command"><strong>browser.search.geoip.url
projects/torbrowser/design/index.html.en 1930) </strong></span> to the empty string. Furthermore, we disable Selfsupport and Unified
projects/torbrowser/design/index.html.en 1931) Telemetry by setting <span class="command"><strong>browser.selfsupport.enabled</strong></span> and <span class="command"><strong>
projects/torbrowser/design/index.html.en 1932) toolkit.telemetry.unified</strong></span> to <span class="command"><strong>false</strong></span> and we make
projects/torbrowser/design/index.html.en 1933) sure no related ping is reaching Mozilla by setting <span class="command"><strong>
projects/torbrowser/design/index.html.en 1934) datareporting.healthreport.about.reportUrlUnified</strong></span> to <span class="command"><strong>
projects/torbrowser/design/index.html.en 1935) data:text/plain,</strong></span>. The same is done with <span class="command"><strong>
projects/torbrowser/design/index.html.en 1936) datareporting.healthreport.about.reportUrl</strong></span> and the new tiles feature
projects/torbrowser/design/index.html.en 1937) related <span class="command"><strong>browser.newtabpage.directory.ping</strong></span> and <span class="command"><strong>
projects/torbrowser/design/index.html.en 1938) browser.newtabpage.directory.source</strong></span> preferences. Additionally, we
projects/torbrowser/design/index.html.en 1939) disable the UITour backend by setting <span class="command"><strong>browser.uitour.enabled</strong></span>
projects/torbrowser/design/index.html.en 1940) to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en 1941) </p></li><li class="listitem"><span class="command"><strong>Operating System Type Fingerprinting</strong></span><p>
|
Describe OS type fingerprin...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1942)
projects/torbrowser/design/index.html.en 1943) As we mentioned in the introduction of this section, OS type fingerprinting is
projects/torbrowser/design/index.html.en 1944) currently considered a lower priority, due simply to the numerous ways that
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1945) characteristics of the operating system type may leak into content, and the
|
Describe OS type fingerprin...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1946) comparatively low contribution of OS to overall entropy. In particular, there
projects/torbrowser/design/index.html.en 1947) are likely to be many ways to measure the differences in widget size,
projects/torbrowser/design/index.html.en 1948) scrollbar size, and other rendered details on a page. Also, directly exported
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1949) OS routines (such as those from the standard C math library) expose
projects/torbrowser/design/index.html.en 1950) differences in their implementations through their return values.
|
Describe OS type fingerprin...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1951)
projects/torbrowser/design/index.html.en 1952) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 1953)
projects/torbrowser/design/index.html.en 1954) We intend to reduce or eliminate OS type fingerprinting to the best extent
projects/torbrowser/design/index.html.en 1955) possible, but recognize that the effort for reward on this item is not as high
projects/torbrowser/design/index.html.en 1956) as other areas. The entropy on the current OS distribution is somewhere around
projects/torbrowser/design/index.html.en 1957) 2 bits, which is much lower than other vectors which can also be used to
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1958) fingerprint configuration and user-specific information. You can see the
projects/torbrowser/design/index.html.en 1959) major areas of OS fingerprinting we're aware of using the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-os" target="_top">tbb-fingerprinting-os
projects/torbrowser/design/index.html.en 1960) tag on our bug tracker</a>.
|
Describe OS type fingerprin...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1961)
projects/torbrowser/design/index.html.en 1962) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 1963)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1964) At least three HTML5 features have different implementation status across the
projects/torbrowser/design/index.html.en 1965) major OS vendors and/or the underlying hardware: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery
projects/torbrowser/design/index.html.en 1966) API</a>, the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
projects/torbrowser/design/index.html.en 1967) Connection API</a>, and the <a class="ulink" href="https://wiki.mozilla.org/Sensor_API" target="_top">Sensor API</a>. We disable these APIs through the Firefox preferences
projects/torbrowser/design/index.html.en 1968) <span class="command"><strong>dom.battery.enabled</strong></span>,
projects/torbrowser/design/index.html.en 1969) <span class="command"><strong>dom.network.enabled</strong></span>, and
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1970) <span class="command"><strong>device.sensors.enabled</strong></span>.
|
Describe OS type fingerprin...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1971)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1972) </p></li></ol></div><p>
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1973) For more details on fingerprinting bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=!closed" target="_top">tbb-fingerprinting tag in our bug tracker</a>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1974) </p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1975)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1976) In order to avoid long-term linkability, we provide a "New Identity" context
projects/torbrowser/design/index.html.en 1977) menu option in Torbutton. This context menu option is active if Torbutton can
projects/torbrowser/design/index.html.en 1978) read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1979)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1980) </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm914"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1981)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1982) All linkable identifiers and browser state MUST be cleared by this feature.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1983)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1984) </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm917"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1985)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1986) First, Torbutton disables JavaScript in all open tabs and windows by using
projects/torbrowser/design/index.html.en 1987) both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavaScript</a>
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1988) attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29" target="_top">nsIDOMWindowUtil.suppressEventHandling()</a>.
projects/torbrowser/design/index.html.en 1989) We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29" target="_top">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1990) We then clear the site-specific Zoom by temporarily disabling the preference
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1991) <span class="command"><strong>browser.zoom.siteSpecific</strong></span>, and clear the GeoIP wifi token URL
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1992) <span class="command"><strong>geo.wifi.access_token</strong></span> and the last opened URL preference (if
projects/torbrowser/design/index.html.en 1993) it exists). Each tab is then closed.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1994)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1995) </p><p>
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 1996)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 1997) After closing all tabs, we then clear the searchbox and findbox text and emit
projects/torbrowser/design/index.html.en 1998) "<a class="ulink" href="https://developer.mozilla.org/en-US/docs/Supporting_private_browsing_mode#Private_browsing_notifications" target="_top">browser:purge-session-history</a>"
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 1999) (which instructs addons and various Firefox components to clear their session
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2000) state). Then we manually clear the following state: HTTP auth, SSL state,
projects/torbrowser/design/index.html.en 2001) crypto tokens, OCSP state, site-specific content preferences (including HSTS
projects/torbrowser/design/index.html.en 2002) state), the undo tab history, content and image cache, offline and memory cache,
projects/torbrowser/design/index.html.en 2003) offline storage, cookies, DOM storage, the safe browsing key, the
projects/torbrowser/design/index.html.en 2004) Google wifi geolocation token (if it exists), and the domain isolator state. We
projects/torbrowser/design/index.html.en 2005) also clear NoScript's site and temporary permissions, and all other browser site
projects/torbrowser/design/index.html.en 2006) permissions.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 2007)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2008) </p><p>
|
Update TBB design doc based...
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 2009)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2010) After the state is cleared, we then close all remaining HTTP keep-alive
projects/torbrowser/design/index.html.en 2011) connections and then send the NEWNYM signal to the Tor control port to cause a
projects/torbrowser/design/index.html.en 2012) new circuit to be created.
projects/torbrowser/design/index.html.en 2013) </p><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2014)
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2015) Finally, a fresh browser window is opened, and the current browser window is
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2016) closed (this does not spawn a new Firefox process, only a new window). Upon
projects/torbrowser/design/index.html.en 2017) the close of the final window, an unload handler is fired to invoke the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDOMWindowUtils#garbageCollect%28%29" target="_top">garbage
projects/torbrowser/design/index.html.en 2018) collector</a>, which has the effect of immediately purging any blob:UUID
projects/torbrowser/design/index.html.en 2019) URLs that were created by website content via <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>.
projects/torbrowser/design/index.html.en 2020)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2021) </p></blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="other-security"></a>4.8. Other Security Measures</h3></div></div></div><p>
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2022)
projects/torbrowser/design/index.html.en 2023) In addition to the above mechanisms that are devoted to preserving privacy
projects/torbrowser/design/index.html.en 2024) while browsing, we also have a number of technical mechanisms to address other
projects/torbrowser/design/index.html.en 2025) privacy and security issues.
projects/torbrowser/design/index.html.en 2026)
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2027) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="security-slider"></a><span class="command"><strong>Security Slider</strong></span><p>
projects/torbrowser/design/index.html.en 2028) In order to provide vulnerability surface reduction for users that need high
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2029) security, we have implemented a "Security Slider" to allow users to make a
projects/torbrowser/design/index.html.en 2030) tradeoff between usability and security while minimizing the total number of
projects/torbrowser/design/index.html.en 2031) choices (to reduce fingerprinting). Using metrics collected from
projects/torbrowser/design/index.html.en 2032) Mozilla's bug tracker, we analyzed the vulnerability counts of core
projects/torbrowser/design/index.html.en 2033) components, and used <a class="ulink" href="https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle" target="_top">information
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2034) gathered from a study performed by iSec Partners</a> to inform which
projects/torbrowser/design/index.html.en 2035) features should be disabled at which security levels.
projects/torbrowser/design/index.html.en 2036)
projects/torbrowser/design/index.html.en 2037) </p><p>
projects/torbrowser/design/index.html.en 2038)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2039) The Security Slider consists of three positions:
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2040)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2041) </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><span class="command"><strong>Low (default)</strong></span><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2042)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2043) At this security level, the preferences are the Tor Browser defaults. This
projects/torbrowser/design/index.html.en 2044) includes three features that were formerly governed by the slider at
projects/torbrowser/design/index.html.en 2045) higher security levels: <span class="command"><strong>gfx.font_rendering.graphite.enabled</strong></span>
projects/torbrowser/design/index.html.en 2046) is set to <span class="command"><strong>false</strong></span> now after Mozilla got convinced that
projects/torbrowser/design/index.html.en 2047) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1255731" target="_top">leaving
projects/torbrowser/design/index.html.en 2048) it enabled is too risky</a>. <span class="command"><strong>network.jar.block-remote-files</strong></span>
projects/torbrowser/design/index.html.en 2049) is set to <span class="command"><strong>true</strong></span>. Mozilla tried to block remote JAR files in
projects/torbrowser/design/index.html.en 2050) Firefox 45 but needed to revert that decision due to breaking IBM's iNotes.
projects/torbrowser/design/index.html.en 2051) While Mozilla <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1329336" target="_top">
projects/torbrowser/design/index.html.en 2052) is working on getting this disabled again</a> we take the protective stance
projects/torbrowser/design/index.html.en 2053) already now and block remote JAR files even on the low security level. Finally,
projects/torbrowser/design/index.html.en 2054) we exempt asm.js from the security slider and block it on all levels. See the
projects/torbrowser/design/index.html.en 2055) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> and the cache linkability
projects/torbrowser/design/index.html.en 2056) concerns in the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier
projects/torbrowser/design/index.html.en 2057) Unlinkability</a> sections for further details.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2058)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2059) </p></li><li class="listitem"><span class="command"><strong>Medium</strong></span><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2060)
projects/torbrowser/design/index.html.en 2061) At this security level, we disable the ION JIT
projects/torbrowser/design/index.html.en 2062) (<span class="command"><strong>javascript.options.ion.content</strong></span>), TypeInference JIT
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2063) (<span class="command"><strong>javascript.options.typeinference</strong></span>), Baseline JIT
projects/torbrowser/design/index.html.en 2064) (<span class="command"><strong>javascript.options.baselinejit.content</strong></span>), WebAudio
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2065) (<span class="command"><strong>media.webaudio.enabled</strong></span>), MathML
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2066) (<span class="command"><strong>mathml.disabled</strong></span>), SVG Opentype font rendering
projects/torbrowser/design/index.html.en 2067) (<span class="command"><strong>gfx.font_rendering.opentype_svg.enabled</strong></span>), and make HTML5 audio
projects/torbrowser/design/index.html.en 2068) and video click-to-play via NoScript (<span class="command"><strong>noscript.forbidMedia</strong></span>).
projects/torbrowser/design/index.html.en 2069) Furthermore, we only allow JavaScript to run if it is loaded over HTTPS and the
projects/torbrowser/design/index.html.en 2070) URL bar is HTTPS (by setting <span class="command"><strong>noscript.global</strong></span> to false and
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2071) <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span> to true).
projects/torbrowser/design/index.html.en 2072)
projects/torbrowser/design/index.html.en 2073) </p></li><li class="listitem"><span class="command"><strong>High</strong></span><p>
projects/torbrowser/design/index.html.en 2074)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2075) This security level inherits the preferences from the Medium level, and
projects/torbrowser/design/index.html.en 2076) additionally disables remote fonts (<span class="command"><strong>noscript.forbidFonts</strong></span>),
projects/torbrowser/design/index.html.en 2077) completely disables JavaScript (by
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2078) unsetting <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span>), and disables SVG
projects/torbrowser/design/index.html.en 2079) images (<span class="command"><strong>svg.in-content.enabled</strong></span>).
projects/torbrowser/design/index.html.en 2080)
projects/torbrowser/design/index.html.en 2081) </p></li></ul></div></li><li class="listitem"><a id="traffic-fingerprinting-defenses"></a><span class="command"><strong>Website Traffic Fingerprinting Defenses</strong></span><p>
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2082)
projects/torbrowser/design/index.html.en 2083) <a class="link" href="#website-traffic-fingerprinting">Website Traffic
projects/torbrowser/design/index.html.en 2084) Fingerprinting</a> is a statistical attack to attempt to recognize specific
projects/torbrowser/design/index.html.en 2085) encrypted website activity.
projects/torbrowser/design/index.html.en 2086)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2087) </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm975"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2088)
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2089) We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2090) for classification. This mechanism would either impact the true and false
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2091) positive accuracy rates, <span class="emphasis"><em>or</em></span> reduce the number of web pages
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2092) that could be classified at a given accuracy rate.
projects/torbrowser/design/index.html.en 2093)
projects/torbrowser/design/index.html.en 2094) </p><p>
projects/torbrowser/design/index.html.en 2095)
projects/torbrowser/design/index.html.en 2096) Ideally, this mechanism would be as light-weight as possible, and would be
projects/torbrowser/design/index.html.en 2097) tunable in terms of overhead. We suspect that it may even be possible to
projects/torbrowser/design/index.html.en 2098) deploy a mechanism that reduces feature extraction resolution without any
projects/torbrowser/design/index.html.en 2099) network overhead. In the no-overhead category, we have <a class="ulink" href="http://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf" target="_top">HTTPOS</a> and
projects/torbrowser/design/index.html.en 2100) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">better
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2101) use of HTTP pipelining and/or SPDY</a>.
|
TBB Design Doc: Mention use...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2102) In the tunable/low-overhead
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2103) category, we have <a class="ulink" href="https://arxiv.org/abs/1512.00524" target="_top">Adaptive
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2104) Padding</a> and <a class="ulink" href="http://www.cs.sunysb.edu/~xcai/fp.pdf" target="_top">
projects/torbrowser/design/index.html.en 2105) Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7028" target="_top">tune such
projects/torbrowser/design/index.html.en 2106) defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2107) network, making them also effectively no-overhead.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2108)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2109) </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm987"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
projects/torbrowser/design/index.html.en 2110) Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=60f9e7f73f3dba5542f7fbe882f7c804cb8ecc18" target="_top">randomize
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2111) pipeline order and depth</a>. Unfortunately, pipelining is very fragile.
projects/torbrowser/design/index.html.en 2112) Many sites do not support it, and even sites that advertise support for
projects/torbrowser/design/index.html.en 2113) pipelining may simply return error codes for successive requests, effectively
projects/torbrowser/design/index.html.en 2114) forcing the browser into non-pipelined behavior. Firefox also has code to back
projects/torbrowser/design/index.html.en 2115) off and reduce or eliminate the pipeline if this happens. These
projects/torbrowser/design/index.html.en 2116) shortcomings and fallback behaviors are the primary reason that Google
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2117) developed SPDY as opposed to simply extending HTTP to improve pipelining. It
|
TBB Design Doc: Mention use...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2118) turns out that we could actually deploy exit-side proxies that allow us to
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2119) <a class="ulink" href="https://gitweb.torproject.org/torspec.git/tree/proposals/ideas/xxx-using-spdy.txt" target="_top">use
|
TBB Design Doc: Mention use...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2120) SPDY from the client to the exit node</a>. This would make our defense not
projects/torbrowser/design/index.html.en 2121) only free, but one that actually <span class="emphasis"><em>improves</em></span> performance.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2122)
projects/torbrowser/design/index.html.en 2123) </p><p>
projects/torbrowser/design/index.html.en 2124)
|
TBB design doc: Clarify web...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2125) Knowing this, we created this defense as an <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2126) research prototype</a> to help evaluate what could be done in the best
|
TBB design doc: Clarify web...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2127) case with full server support. Unfortunately, the bias in favor of compelling
projects/torbrowser/design/index.html.en 2128) attack papers has caused academia to ignore this request thus far, instead
projects/torbrowser/design/index.html.en 2129) publishing only cursory (yet "devastating") evaluations that fail to provide
projects/torbrowser/design/index.html.en 2130) even simple statistics such as the rates of actual pipeline utilization during
projects/torbrowser/design/index.html.en 2131) their evaluations, in addition to the other shortcomings and shortcuts <a class="link" href="#website-traffic-fingerprinting">mentioned earlier</a>. We can
projects/torbrowser/design/index.html.en 2132) accept that our defense might fail to work as well as others (in fact we
projects/torbrowser/design/index.html.en 2133) expect it), but unfortunately the very same shortcuts that provide excellent
projects/torbrowser/design/index.html.en 2134) attack results also allow the conclusion that all defenses are broken forever.
projects/torbrowser/design/index.html.en 2135) So sadly, we are still left in the dark on this point.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2136)
projects/torbrowser/design/index.html.en 2137) </p></blockquote></div></div></li><li class="listitem"><span class="command"><strong>Privacy-preserving update notification</strong></span><p>
projects/torbrowser/design/index.html.en 2138)
projects/torbrowser/design/index.html.en 2139) In order to inform the user when their Tor Browser is out of date, we perform a
|
TBB design doc: Clarify web...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2140) privacy-preserving update check asynchronously in the background. The
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2141) check uses Tor to download the file <a class="ulink" href="https://check.torproject.org/RecommendedTBBVersions" target="_top">https://check.torproject.org/RecommendedTBBVersions</a>
projects/torbrowser/design/index.html.en 2142) and searches that version list for the current value for the local preference
projects/torbrowser/design/index.html.en 2143) <span class="command"><strong>torbrowser.version</strong></span>. If the value from our preference is
projects/torbrowser/design/index.html.en 2144) present in the recommended version list, the check is considered to have
projects/torbrowser/design/index.html.en 2145) succeeded and the user is up to date. If not, it is considered to have failed
projects/torbrowser/design/index.html.en 2146) and an update is needed. The check is triggered upon browser launch, new
projects/torbrowser/design/index.html.en 2147) window, and new tab, but is rate limited so as to happen no more frequently
projects/torbrowser/design/index.html.en 2148) than once every 1.5 hours.
projects/torbrowser/design/index.html.en 2149)
projects/torbrowser/design/index.html.en 2150) </p><p>
projects/torbrowser/design/index.html.en 2151)
projects/torbrowser/design/index.html.en 2152) If the check fails, we cache this fact, and update the Torbutton graphic to
projects/torbrowser/design/index.html.en 2153) display a flashing warning icon and insert a menu option that provides a link
projects/torbrowser/design/index.html.en 2154) to our download page. Additionally, we reset the value for the browser
projects/torbrowser/design/index.html.en 2155) homepage to point to a <a class="ulink" href="https://check.torproject.org/?lang=en-US&small=1&uptodate=0" target="_top">page that
projects/torbrowser/design/index.html.en 2156) informs the user</a> that their browser is out of
projects/torbrowser/design/index.html.en 2157) date.
projects/torbrowser/design/index.html.en 2158)
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2159) </p><p>
projects/torbrowser/design/index.html.en 2160)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2161) We also make use of the in-browser Mozilla updater, and have <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a5a23f5d316a850f11063ead15353d677c9153fd" target="_top">patched
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2162) the updater</a> to avoid sending OS and Kernel version information as part
projects/torbrowser/design/index.html.en 2163) of its update pings.
projects/torbrowser/design/index.html.en 2164)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2165) </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="BuildSecurity"></a>5. Build Security and Package Integrity</h2></div></div></div><p>
|
Update TBB design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 2166)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2167) In the age of state-sponsored malware, <a class="ulink" href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise" target="_top">we
projects/torbrowser/design/index.html.en 2168) believe</a> it is impossible to expect to keep a single build machine or
projects/torbrowser/design/index.html.en 2169) software signing key secure, given the class of adversaries that Tor has to
projects/torbrowser/design/index.html.en 2170) contend with. For this reason, we have deployed a build system
projects/torbrowser/design/index.html.en 2171) that allows anyone to use our source code to reproduce byte-for-byte identical
projects/torbrowser/design/index.html.en 2172) binary packages to the ones that we distribute.
|
Update TBB design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 2173)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2174) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1010"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
|
Update TBB design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 2175)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2176) The GNU toolchain has been working on providing reproducible builds for some
projects/torbrowser/design/index.html.en 2177) time, however a large software project such as Firefox typically ends up
projects/torbrowser/design/index.html.en 2178) embedding a large number of details about the machine it was built on, both
projects/torbrowser/design/index.html.en 2179) intentionally and inadvertently. Additionally, manual changes to the build
projects/torbrowser/design/index.html.en 2180) machine configuration can accumulate over time and are difficult for others to
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2181) replicate externally, which leads to difficulties with binary reproducibility.
|
Update TBB design doc.
Mike Perry authored 12 years ago
|
projects/torbrowser/design/index.html.en 2182)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2183) </p><p>
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2184) For this reason, we decided to leverage the work done by the <a class="ulink" href="https://gitian.org/" target="_top">Gitian Project</a> from the Bitcoin community.
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2185) Gitian is a wrapper around Ubuntu's virtualization tools that allows you to
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2186) specify an Ubuntu or Debian version, architecture, a set of additional packages,
projects/torbrowser/design/index.html.en 2187) a set of input files, and a bash build scriptlet in an YAML document called a
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2188) "Gitian Descriptor". This document is used to install a qemu-kvm image, and
projects/torbrowser/design/index.html.en 2189) execute your build scriptlet inside it.
projects/torbrowser/design/index.html.en 2190) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2191)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2192) We have created a <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/refs/heads/master" target="_top">set
projects/torbrowser/design/index.html.en 2193) of wrapper scripts</a> around Gitian to automate dependency download and
projects/torbrowser/design/index.html.en 2194) authentication, as well as transfer intermediate build outputs between the
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2195) stages of the build process. Because Gitian creates a Linux build environment,
projects/torbrowser/design/index.html.en 2196) we must use cross-compilation to create packages for Windows and macOS. For
projects/torbrowser/design/index.html.en 2197) Windows, we use mingw-w64 as our cross compiler. For macOS, we use cctools and
projects/torbrowser/design/index.html.en 2198) clang and a binary redistribution of the Mac OS 10.7 SDK.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2199)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2200) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2201)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2202) The use of the Gitian system eliminates build non-determinism by normalizing
projects/torbrowser/design/index.html.en 2203) the build environment's hostname, username, build path, uname output,
projects/torbrowser/design/index.html.en 2204) toolchain versions, and time. On top of what Gitian provides, we also had to
projects/torbrowser/design/index.html.en 2205) address the following additional sources of non-determinism:
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2206)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2207) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Filesystem and archive reordering</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2208)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2209) The most prevalent source of non-determinism in the components of Tor Browser
projects/torbrowser/design/index.html.en 2210) by far was various ways that archives (such as zip, tar, jar/ja, DMG, and
projects/torbrowser/design/index.html.en 2211) Firefox manifest lists) could be reordered. Many file archivers walk the
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2212) file system in inode structure order by default, which will result in ordering
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2213) differences between two different archive invocations, especially on machines
projects/torbrowser/design/index.html.en 2214) of different disk and hardware configurations.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2215)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2216) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2217)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2218) The fix for this is to perform an additional sorting step on the input list
projects/torbrowser/design/index.html.en 2219) for archives, but care must be taken to instruct libc and other sorting routines
projects/torbrowser/design/index.html.en 2220) to use a fixed locale to determine lexicographic ordering, or machines with
projects/torbrowser/design/index.html.en 2221) different locale settings will produce different sort results. We chose the
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2222) 'C' locale for this purpose. We created wrapper scripts for <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dtar.sh" target="_top">tar</a>,
projects/torbrowser/design/index.html.en 2223) <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dzip.sh" target="_top">zip</a>,
projects/torbrowser/design/index.html.en 2224) and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/ddmg.sh" target="_top">DMG</a>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2225) to aid in reproducible archive creation.
projects/torbrowser/design/index.html.en 2226)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2227) </p></li><li class="listitem"><span class="command"><strong>Uninitialized memory in toolchain/archivers</strong></span><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2228)
projects/torbrowser/design/index.html.en 2229) We ran into difficulties with both binutils and the DMG archive script using
projects/torbrowser/design/index.html.en 2230) uninitialized memory in certain data structures that ended up written to disk.
projects/torbrowser/design/index.html.en 2231) Our binutils fixes were merged upstream, but the DMG archive fix remains an
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2232) <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/patches/libdmg.patch" target="_top">independent
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2233) patch</a>.
projects/torbrowser/design/index.html.en 2234)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2235) </p></li><li class="listitem"><span class="command"><strong>Fine-grained timestamps and timezone leaks</strong></span><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2236)
projects/torbrowser/design/index.html.en 2237) The standard way of controlling timestamps in Gitian is to use libfaketime,
projects/torbrowser/design/index.html.en 2238) which hooks time-related library calls to provide a fixed timestamp. However,
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2239) due to our use of wine to run py2exe for python-based pluggable transports,
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2240) pyc timestamps had to be addressed with an additional <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/pyc-timestamp.sh" target="_top">helper
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2241) script</a>. The timezone leaks were addressed by setting the
projects/torbrowser/design/index.html.en 2242) <span class="command"><strong>TZ</strong></span> environment variable to UTC in our descriptors.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2243)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2244) </p></li><li class="listitem"><span class="command"><strong>Deliberately generated entropy</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2245)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2246) In two circumstances, deliberately generated entropy was introduced in various
projects/torbrowser/design/index.html.en 2247) components of the build process. First, the BuildID Debuginfo identifier
projects/torbrowser/design/index.html.en 2248) (which associates detached debug files with their corresponding stripped
projects/torbrowser/design/index.html.en 2249) executables) was introducing entropy from some unknown source. We removed this
projects/torbrowser/design/index.html.en 2250) header using objcopy invocations in our build scriptlets, and opted to use GNU
projects/torbrowser/design/index.html.en 2251) DebugLink instead of BuildID for this association.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2252)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2253) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2254)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2255) Second, on Linux, Firefox builds detached signatures of its cryptographic
projects/torbrowser/design/index.html.en 2256) libraries using a temporary key for FIPS-140 certification. A rather insane
projects/torbrowser/design/index.html.en 2257) subsection of the FIPS-140 certification standard requires that you distribute
projects/torbrowser/design/index.html.en 2258) signatures for all of your cryptographic libraries. The Firefox build process
projects/torbrowser/design/index.html.en 2259) meets this requirement by generating a temporary key, using it to sign the
projects/torbrowser/design/index.html.en 2260) libraries, and discarding the private portion of that key. Because there are
projects/torbrowser/design/index.html.en 2261) many other ways to intercept the crypto outside of modifying the actual DLL
projects/torbrowser/design/index.html.en 2262) images, we opted to simply remove these signature files from distribution.
projects/torbrowser/design/index.html.en 2263) There simply is no way to verify code integrity on a running system without
projects/torbrowser/design/index.html.en 2264) both OS and co-processor assistance. Download package signatures make sense of
projects/torbrowser/design/index.html.en 2265) course, but we handle those another way (as mentioned above).
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2266)
projects/torbrowser/design/index.html.en 2267)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2268) </p></li><li class="listitem"><span class="command"><strong>LXC-specific leaks</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2269)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2270) Gitian provides an option to use LXC containers instead of full qemu-kvm
projects/torbrowser/design/index.html.en 2271) virtualization. Unfortunately, these containers can allow additional details
projects/torbrowser/design/index.html.en 2272) about the host OS to leak. In particular, umask settings as well as the
projects/torbrowser/design/index.html.en 2273) hostname and Linux kernel version can leak from the host OS into the LXC
projects/torbrowser/design/index.html.en 2274) container. We addressed umask by setting it explicitly in our Gitian
projects/torbrowser/design/index.html.en 2275) descriptor scriptlet, and addressed the hostname and kernel version leaks by
projects/torbrowser/design/index.html.en 2276) directly patching the aspects of the Firefox build process that included this
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2277) information into the build. It also turns out that some libraries (in
projects/torbrowser/design/index.html.en 2278) particular: libgmp) attempt to detect the current CPU to determine which
projects/torbrowser/design/index.html.en 2279) optimizations to compile in. This CPU type is uniform on our KVM instances,
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2280) but differs under LXC.
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2281)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2282) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1042"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2283)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2284) The build process generates a single sha256sums-unsigned-build.txt file that
projects/torbrowser/design/index.html.en 2285) contains a sorted list of the SHA-256 hashes of every package produced for that
projects/torbrowser/design/index.html.en 2286) build version. Each official builder uploads this file and a GPG signature of it
projects/torbrowser/design/index.html.en 2287) to a directory on a Tor Project's web server. The build scripts have an optional
projects/torbrowser/design/index.html.en 2288) matching step that downloads these signatures, verifies them, and ensures that
projects/torbrowser/design/index.html.en 2289) the local builds match this file.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2290)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2291) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2292)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2293) When builds are published officially, the single sha256sums-unsigned-build.txt
projects/torbrowser/design/index.html.en 2294) file is accompanied by a detached GPG signature from each official builder that
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2295) produced a matching build. The packages are additionally signed with detached
projects/torbrowser/design/index.html.en 2296) GPG signatures from an official signing key.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2297)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2298) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2299)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2300) The fact that the entire set of packages for a given version can be
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2301) authenticated by a single hash of the sha256sums-unsigned-build.txt file will
projects/torbrowser/design/index.html.en 2302) also allow us to create a number of auxiliary authentication mechanisms for our
projects/torbrowser/design/index.html.en 2303) packages, beyond just trusting a single offline build machine and a single
projects/torbrowser/design/index.html.en 2304) cryptographic key's integrity. Interesting examples include providing multiple
projects/torbrowser/design/index.html.en 2305) independent cryptographic signatures for packages, listing the package hashes in
projects/torbrowser/design/index.html.en 2306) the Tor consensus, and encoding the package hashes in the Bitcoin blockchain.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2307)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2308) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2309)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2310) The Windows releases are also signed by a hardware token provided by Digicert.
projects/torbrowser/design/index.html.en 2311) In order to verify package integrity, the signature must be stripped off using
projects/torbrowser/design/index.html.en 2312) the osslsigncode tool, as described on the <a class="ulink" href="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification" target="_top">Signature
projects/torbrowser/design/index.html.en 2313) Verification</a> page.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2314)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2315) </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1049"></a>5.3. Anonymous Verification</h3></div></div></div><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2316)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2317) Due to the fact that bit-identical packages can be produced by anyone, the
projects/torbrowser/design/index.html.en 2318) security of this build system extends beyond the security of the official
projects/torbrowser/design/index.html.en 2319) build machines. In fact, it is still possible for build integrity to be
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2320) achieved even if all official build machines are compromised.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2321)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2322) </p><p>
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2323)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2324) By default, all tor-specific dependencies and inputs to the build process are
projects/torbrowser/design/index.html.en 2325) downloaded over Tor, which allows build verifiers to remain anonymous and
projects/torbrowser/design/index.html.en 2326) hidden. Because of this, any individual can use our anonymity network to
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2327) privately download our source code, verify it against public, signed, audited,
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2328) and mirrored git repositories, and reproduce our builds exactly, without being
projects/torbrowser/design/index.html.en 2329) subject to targeted attacks. If they notice any differences, they can alert
projects/torbrowser/design/index.html.en 2330) the public builders/signers, hopefully using a pseudonym or our anonymous
|
Updates to fingerprinting s...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2331) bug tracker account, to avoid revealing the fact that they are a build
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2332) verifier.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2333)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2334) </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="update-safety"></a>5.4. Update Safety</h3></div></div></div><p>
projects/torbrowser/design/index.html.en 2335)
projects/torbrowser/design/index.html.en 2336) We make use of the Firefox updater in order to provide automatic updates to
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2337) users. We make use of certificate pinning to ensure that update checks cannot
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2338) be tampered with by setting <span class="command"><strong>security.cert_pinning.enforcement_level
projects/torbrowser/design/index.html.en 2339) </strong></span> to <span class="command"><strong>2</strong></span>, and we sign the individual MAR update files
projects/torbrowser/design/index.html.en 2340) with keys that get rotated every year.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2341)
projects/torbrowser/design/index.html.en 2342) </p><p>
projects/torbrowser/design/index.html.en 2343)
projects/torbrowser/design/index.html.en 2344) The Firefox updater also has code to ensure that it can reliably access the
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2345) update server to prevent availability attacks, and complains to the user after 48
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2346) hours go by without a successful response from the server. Additionally, we
projects/torbrowser/design/index.html.en 2347) use Tor's SOCKS username and password isolation to ensure that every new
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2348) request to the updater (provided the former got issued more than 10 minutes ago)
projects/torbrowser/design/index.html.en 2349) traverses a separate circuit, to avoid holdback attacks by exit nodes.
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2350)
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2351) </p></div></div><div class="appendix"><h2 class="title" style="clear: both"><a id="Transparency"></a>A. Towards Transparency in Navigation Tracking</h2><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2352)
projects/torbrowser/design/index.html.en 2353) The <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy properties</a> of Tor Browser are based
projects/torbrowser/design/index.html.en 2354) upon the assumption that link-click navigation indicates user consent to
projects/torbrowser/design/index.html.en 2355) tracking between the linking site and the destination site. While this
projects/torbrowser/design/index.html.en 2356) definition is sufficient to allow us to eliminate cross-site third party
projects/torbrowser/design/index.html.en 2357) tracking with only minimal site breakage, it is our long-term goal to further
projects/torbrowser/design/index.html.en 2358) reduce cross-origin click navigation tracking to mechanisms that are
projects/torbrowser/design/index.html.en 2359) detectable by attentive users, so they can alert the general public if
projects/torbrowser/design/index.html.en 2360) cross-origin click navigation tracking is happening where it should not be.
projects/torbrowser/design/index.html.en 2361)
projects/torbrowser/design/index.html.en 2362) </p><p>
projects/torbrowser/design/index.html.en 2363)
projects/torbrowser/design/index.html.en 2364) In an ideal world, the mechanisms of tracking that can be employed during a
projects/torbrowser/design/index.html.en 2365) link click would be limited to the contents of URL parameters and other
projects/torbrowser/design/index.html.en 2366) properties that are fully visible to the user before they click. However, the
projects/torbrowser/design/index.html.en 2367) entrenched nature of certain archaic web features make it impossible for us to
projects/torbrowser/design/index.html.en 2368) achieve this transparency goal by ourselves without substantial site breakage.
projects/torbrowser/design/index.html.en 2369) So, instead we maintain a <a class="link" href="#deprecate" title="A.1. Deprecation Wishlist">Deprecation
projects/torbrowser/design/index.html.en 2370) Wishlist</a> of archaic web technologies that are currently being (ab)used
projects/torbrowser/design/index.html.en 2371) to facilitate federated login and other legitimate click-driven cross-domain
projects/torbrowser/design/index.html.en 2372) activity but that can one day be replaced with more privacy friendly,
projects/torbrowser/design/index.html.en 2373) auditable alternatives.
projects/torbrowser/design/index.html.en 2374)
projects/torbrowser/design/index.html.en 2375) </p><p>
projects/torbrowser/design/index.html.en 2376)
projects/torbrowser/design/index.html.en 2377) Because the total elimination of side channels during cross-origin navigation
projects/torbrowser/design/index.html.en 2378) will undoubtedly break federated login as well as destroy ad revenue, we
projects/torbrowser/design/index.html.en 2379) also describe auditable alternatives and promising web draft standards that would
projects/torbrowser/design/index.html.en 2380) preserve this functionality while still providing transparency when tracking is
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2381) occurring.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2382)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2383) </p><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="deprecate"></a>A.1. Deprecation Wishlist</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>The Referer Header</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2384)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2385) When leaving a .onion domain we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=09188cb14dfaa8ac22f687c978166c7bd171b576" target="_top">
projects/torbrowser/design/index.html.en 2386) set the Referer header to the destination</a> to avoid leaking information
projects/torbrowser/design/index.html.en 2387) which might be especially problematic in the case of transitioning from a .onion
projects/torbrowser/design/index.html.en 2388) domain to one reached over clearnet. Apart from that we haven't disabled or
projects/torbrowser/design/index.html.en 2389) restricted the Referer ourselves because of the non-trivial number of sites
projects/torbrowser/design/index.html.en 2390) that rely on the Referer header to "authenticate" image requests and deep-link
projects/torbrowser/design/index.html.en 2391) navigation on their sites. Furthermore, there seems to be no real privacy
projects/torbrowser/design/index.html.en 2392) benefit to taking this action by itself in a vacuum, because many sites have
projects/torbrowser/design/index.html.en 2393) begun encoding Referer URL information into GET parameters when they need it to
projects/torbrowser/design/index.html.en 2394) cross HTTP to HTTPS scheme transitions. Google's +1 buttons are the best
projects/torbrowser/design/index.html.en 2395) example of this activity.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2396)
projects/torbrowser/design/index.html.en 2397) </p><p>
projects/torbrowser/design/index.html.en 2398)
projects/torbrowser/design/index.html.en 2399) Because of the availability of these other explicit vectors, we believe the
|
TBB design doc: More review...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2400) main risk of the Referer header is through inadvertent and/or covert data
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2401) leakage. In fact, <a class="ulink" href="http://www2.research.att.com/~bala/papers/wosn09.pdf" target="_top">a great deal of
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2402) personal data</a> is inadvertently leaked to third parties through the
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2403) source URL parameters.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2404)
projects/torbrowser/design/index.html.en 2405) </p><p>
projects/torbrowser/design/index.html.en 2406)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2407) We believe the Referer header should be made explicit, and believe that Referrer
projects/torbrowser/design/index.html.en 2408) Policy provides a <a class="ulink" href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header" target="_top">
projects/torbrowser/design/index.html.en 2409) decent step in this direction</a>. If a site wishes to transmit its URL to
projects/torbrowser/design/index.html.en 2410) third party content elements during load or during link-click, it should have
projects/torbrowser/design/index.html.en 2411) to specify this as a property of the associated <a class="ulink" href="https://blog.mozilla.org/security/2015/01/21/meta-referrer/" target="_top">
projects/torbrowser/design/index.html.en 2412) HTML tag</a> or in an HTTP response header. With an explicit property or
projects/torbrowser/design/index.html.en 2413) response header, it would then be possible for the user agent to inform the user
projects/torbrowser/design/index.html.en 2414) if they are about to click on a link that will transmit Referer information
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2415) (perhaps through something as subtle as a different color in the lower toolbar
projects/torbrowser/design/index.html.en 2416) for the destination URL). This same UI notification can also be used for links
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2417) with the <a class="ulink" href="https://developers.whatwg.org/links.html#ping" target="_top">"ping"</a>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2418) attribute.
projects/torbrowser/design/index.html.en 2419)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 2420) </p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2421) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2422) a DOM property that for some reason is allowed to retain a persistent value
projects/torbrowser/design/index.html.en 2423) for the lifespan of a browser tab. It is possible to utilize this property for
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2424) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2425) storage</a> during click navigation. This is sometimes used for additional
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2426) CSRF protection and federated login.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2427) </p><p>
projects/torbrowser/design/index.html.en 2428)
projects/torbrowser/design/index.html.en 2429) It's our opinion that the contents of window.name should not be preserved for
projects/torbrowser/design/index.html.en 2430) cross-origin navigation, but doing so may break federated login for some sites.
projects/torbrowser/design/index.html.en 2431)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2432) </p></li><li class="listitem"><span class="command"><strong>JavaScript link rewriting</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2433)
projects/torbrowser/design/index.html.en 2434) In general, it should not be possible for onclick handlers to alter the
projects/torbrowser/design/index.html.en 2435) navigation destination of 'a' tags, silently transform them into POST
projects/torbrowser/design/index.html.en 2436) requests, or otherwise create situations where a user believes they are
projects/torbrowser/design/index.html.en 2437) clicking on a link leading to one URL that ends up on another. This
projects/torbrowser/design/index.html.en 2438) functionality is deceptive and is frequently a vector for malware and phishing
projects/torbrowser/design/index.html.en 2439) attacks. Unfortunately, many legitimate sites also employ such transparent
projects/torbrowser/design/index.html.en 2440) link rewriting, and blanket disabling this functionality ourselves will simply
projects/torbrowser/design/index.html.en 2441) cause Tor Browser to fail to navigate properly on these sites.
projects/torbrowser/design/index.html.en 2442)
projects/torbrowser/design/index.html.en 2443) </p><p>
projects/torbrowser/design/index.html.en 2444)
projects/torbrowser/design/index.html.en 2445) Automated cross-origin redirects are one form of this behavior that is
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2446) possible for us to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">address
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2447) ourselves</a>, as they are comparatively rare and can be handled with site
projects/torbrowser/design/index.html.en 2448) permissions.
projects/torbrowser/design/index.html.en 2449)
|
Updating the Tor Browser de...
Georg Koppen authored 7 years ago
|
projects/torbrowser/design/index.html.en 2450) </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm1090"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2451)
projects/torbrowser/design/index.html.en 2452) Web-Send is a browser-based link sharing and federated login widget that is
projects/torbrowser/design/index.html.en 2453) designed to operate without relying on third-party tracking or abusing other
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2454) cross-origin link-click side channels. It has a compelling list of <a class="ulink" href="http://web-send.org/features.html" target="_top">privacy and security features</a>,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2455) especially if used as a "Like button" replacement.
projects/torbrowser/design/index.html.en 2456)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2457) </p></li><li class="listitem"><a class="ulink" href="https://developer.mozilla.org/en-US/docs/Persona" target="_top">Mozilla Persona</a><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2458)
projects/torbrowser/design/index.html.en 2459) Mozilla's Persona is designed to provide decentralized, cryptographically
projects/torbrowser/design/index.html.en 2460) authenticated federated login in a way that does not expose the user to third
projects/torbrowser/design/index.html.en 2461) party tracking or require browser redirects or side channels. While it does
projects/torbrowser/design/index.html.en 2462) not directly provide the link sharing capabilities that Web-Send does, it is a
projects/torbrowser/design/index.html.en 2463) better solution to the privacy issues associated with federated login than
projects/torbrowser/design/index.html.en 2464) Web-Send is.
projects/torbrowser/design/index.html.en 2465)
|