projects/torbrowser/design/index.html.en (371a8cfad) - tor-webwml.git

371a8cfadd290f2d66d164b074688b23b5af0998

Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1) <?xml version="1.0" encoding="UTF-8"?>`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Georg</span> <span class="surname">Koppen</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:gk#torproject org">gk#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">March 10th, 2017</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idm29">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idm1010">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idm1042">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idm1049">5.3. Anonymous Verification</a></span></dt><dt><span class="sect2"><a href="#update-safety">5.4. Update Safety</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idm1090">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm29"></a>1. Introduction</h2></div></div></div><p>
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 3)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 4) This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 5) <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the Tor Browser. It is current as of Tor Browser`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 6) 6.5.1.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 7) projects/en/torbrowser/design/index.html.en 8) </p><p> projects/en/torbrowser/design/index.html.en 9) projects/en/torbrowser/design/index.html.en 10) This document is also meant to serve as a set of design requirements and to projects/en/torbrowser/design/index.html.en 11) describe a reference implementation of a Private Browsing Mode that defends`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 12) against active network adversaries, in addition to the passive forensic local projects/torbrowser/design/index.html.en 13) adversary currently addressed by the major browsers.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 14)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 15) </p><p> projects/torbrowser/design/index.html.en 16) projects/torbrowser/design/index.html.en 17) For more practical information regarding Tor Browser development, please projects/torbrowser/design/index.html.en 18) consult the <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking" target="_top">Tor projects/torbrowser/design/index.html.en 19) Browser Hacking Guide</a>. projects/torbrowser/design/index.html.en 20)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 21) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="components"></a>1.1. Browser Component Overview</h3></div></div></div><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 22)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 23) The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/" target="_top">Mozilla's Extended`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 24) Support Release (ESR) Firefox branch</a>. We have a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git" target="_top">series of patches</a> projects/torbrowser/design/index.html.en 25) against this browser to enhance privacy and security. Browser behavior is`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 26) additionally augmented through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/" target="_top">Torbutton`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 27) extension</a>, though we are in the process of moving this functionality`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 28) into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-45.8.0esr-6.5-2" target="_top">change`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 29) a number of Firefox preferences</a> from their defaults.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 30)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 31) </p><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 32) Tor process management and configuration is accomplished through the <a class="ulink" href="https://gitweb.torproject.org/tor-launcher.git" target="_top">Tor Launcher</a> projects/torbrowser/design/index.html.en 33) addon, which provides the initial Tor configuration splash screen and projects/torbrowser/design/index.html.en 34) bootstrap progress bar. Tor Launcher is also compatible with Thunderbird,`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 35) Instantbird, and XULRunner.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 36) projects/torbrowser/design/index.html.en 37) </p><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 38)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 39) To help protect against potential Tor Exit Node eavesdroppers, we include`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 40) <a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a>. To`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 41) provide users with optional defense-in-depth against JavaScript and other projects/torbrowser/design/index.html.en 42) potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/" target="_top">NoScript</a>. We also modify <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js" target="_top">several`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 43) extension preferences</a> from their defaults.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 44)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 45) </p><p> projects/torbrowser/design/index.html.en 46) projects/torbrowser/design/index.html.en 47) To provide censorship circumvention in areas where the public Tor network is projects/torbrowser/design/index.html.en 48) blocked either by IP, or by protocol fingerprint, we include several <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports" target="_top">Pluggable`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 49) Transports</a> in the distribution. As of this writing, we include <a class="ulink" href="https://gitweb.torproject.org/pluggable-transports/obfs4.git" target="_top">Obfs3proxy, projects/torbrowser/design/index.html.en 50) Obfs4proxy, Scramblesuit</a>,`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 51) <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/meek" target="_top">meek</a>,`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 52) and <a class="ulink" href="https://fteproxy.org/" target="_top">FTE</a>.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 53) projects/torbrowser/design/index.html.en 54) </p></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 55) projects/en/torbrowser/design/index.html.en 56) The Tor Browser Design Requirements are meant to describe the properties of a`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 57) Private Browsing Mode that defends against both network and local forensic`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 58) adversaries.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 59) projects/en/torbrowser/design/index.html.en 60) </p><p> projects/en/torbrowser/design/index.html.en 61) projects/en/torbrowser/design/index.html.en 62) There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 63) minimum properties in order for a browser to be able to support Tor and projects/torbrowser/design/index.html.en 64) similar privacy proxies safely. Privacy requirements are the set of properties`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 65) that cause us to prefer one browser over another.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 66) projects/en/torbrowser/design/index.html.en 67) </p><p> projects/en/torbrowser/design/index.html.en 68)`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 69) While we will endorse the use of browsers that meet the security requirements, projects/torbrowser/design/index.html.en 70) it is primarily the privacy requirements that cause us to maintain our own projects/torbrowser/design/index.html.en 71) browser distribution. projects/torbrowser/design/index.html.en 72) projects/torbrowser/design/index.html.en 73) </p><p> projects/torbrowser/design/index.html.en 74) projects/torbrowser/design/index.html.en 75) The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL projects/torbrowser/design/index.html.en 76) NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and projects/torbrowser/design/index.html.en 77) "OPTIONAL" in this document are to be interpreted as described in
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 78) <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 79)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 80) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 81) projects/en/torbrowser/design/index.html.en 82) The security requirements are primarily concerned with ensuring the safe use projects/en/torbrowser/design/index.html.en 83) of Tor. Violations in these properties typically result in serious risk for`
Add a couple extra sentence... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 84) the user in terms of immediate deanonymization and/or observability. With`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 85) respect to browser support, security requirements are the minimum properties projects/torbrowser/design/index.html.en 86) in order for Tor to support the use of a particular browser.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 87)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 88) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 89) Obedience</strong></span></a><p>The browser`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 90) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="4.2. State Separation"><span class="command"><strong>State`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 91) Separation</strong></span></a><p> projects/torbrowser/design/index.html.en 92) projects/torbrowser/design/index.html.en 93) The browser MUST NOT provide the content window with any state from any other projects/torbrowser/design/index.html.en 94) browsers or any non-Tor browsing modes. This includes shared state from`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 95) independent plugins, and shared state from operating system implementations of`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 96) TLS and other support libraries. projects/torbrowser/design/index.html.en 97)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 98) </p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance"><span class="command"><strong>Disk`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 99) Avoidance</strong></span></a><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 100) projects/torbrowser/design/index.html.en 101) The browser MUST NOT write any information that is derived from or that projects/torbrowser/design/index.html.en 102) reveals browsing activity to the disk, or store it in memory beyond the projects/torbrowser/design/index.html.en 103) duration of one browsing session, unless the user has explicitly opted to projects/torbrowser/design/index.html.en 104) store their browsing history information to disk. projects/torbrowser/design/index.html.en 105)
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 106) </p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="4.4. Application Data Isolation"><span class="command"><strong>Application Data`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 107) Isolation</strong></span></a><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 108)`
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 109) The components involved in providing private browsing MUST be self-contained,`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 110) or MUST provide a mechanism for rapid, complete removal of all evidence of the projects/torbrowser/design/index.html.en 111) use of the mode. In other words, the browser MUST NOT write or cause the projects/torbrowser/design/index.html.en 112) operating system to write <span class="emphasis"><em>any information</em></span> about the use projects/torbrowser/design/index.html.en 113) of private browsing to disk outside of the application's control. The user
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 114) must be able to ensure that secure deletion of the software is sufficient to`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 115) remove evidence of the use of the software. All exceptions and shortcomings`
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 116) due to operating system behavior MUST be wiped by an uninstaller. However, due`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 117) to permissions issues with access to swap, implementations MAY choose to leave`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 118) it out of scope, and/or leave it to the operating system/platform to implement`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 119) ephemeral-keyed encrypted swap.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 120)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 121) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 122) projects/en/torbrowser/design/index.html.en 123) The privacy requirements are primarily concerned with reducing linkability:`
Add a couple extra sentence... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 124) the ability for a user's activity on one site to be linked with their activity projects/torbrowser/design/index.html.en 125) on another site without their knowledge or explicit consent. With respect to`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 126) browser support, privacy requirements are the set of properties that cause us`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 127) to prefer one browser over another.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 128)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 129) </p><p> projects/torbrowser/design/index.html.en 130) projects/torbrowser/design/index.html.en 131) For the purposes of the unlinkability requirements of this section as well as`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 132) the descriptions in the <a class="link" href="#Implementation" title="4. Implementation">implementation`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 133) section</a>, a <span class="command"><strong>URL bar origin</strong></span> means at least the`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 134) second-level DNS name. For example, for mail.google.com, the origin would be`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 135) google.com. Implementations MAY, at their option, restrict the URL bar origin`
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 136) to be the entire fully qualified domain name.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 137)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 138) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 139) Identifier Unlinkability</strong></span></a><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 140)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 141) User activity on one URL bar origin MUST NOT be linkable to their activity in projects/torbrowser/design/index.html.en 142) any other URL bar origin by any third party automatically or without user`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 143) interaction or approval. This requirement specifically applies to linkability projects/torbrowser/design/index.html.en 144) from stored browser identifiers, authentication tokens, and shared state. The projects/torbrowser/design/index.html.en 145) requirement does not apply to linkable information the user manually submits`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 146) to sites, or due to information submitted during manual link traversal. This`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 147) functionality SHOULD NOT interfere with interactive, click-driven federated projects/torbrowser/design/index.html.en 148) login in a substantial way.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 149)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 150) </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 151) Fingerprinting Unlinkability</strong></span></a><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 152)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 153) User activity on one URL bar origin MUST NOT be linkable to their activity in projects/torbrowser/design/index.html.en 154) any other URL bar origin by any third party. This property specifically applies to`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 155) linkability from fingerprinting browser behavior. projects/en/torbrowser/design/index.html.en 156)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 157) </p></li><li class="listitem"><a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button"><span class="command"><strong>Long-Term`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 158) Unlinkability</strong></span></a><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 159)`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 160) The browser MUST provide an obvious, easy way for the user to remove all of projects/torbrowser/design/index.html.en 161) its authentication tokens and browser state and obtain a fresh identity.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 162) Additionally, the browser SHOULD clear linkable state by default automatically projects/torbrowser/design/index.html.en 163) upon browser restart, except at user option.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 164)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 165) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 166) projects/en/torbrowser/design/index.html.en 167) In addition to the above design requirements, the technology decisions about projects/en/torbrowser/design/index.html.en 168) Tor Browser are also guided by some philosophical positions about technology. projects/en/torbrowser/design/index.html.en 169)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 170) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 171) projects/en/torbrowser/design/index.html.en 172) The existing way that the user expects to use a browser must be preserved. If projects/en/torbrowser/design/index.html.en 173) the user has to maintain a different mental model of how the sites they are projects/en/torbrowser/design/index.html.en 174) using behave depending on tab, browser state, or anything else that would not projects/en/torbrowser/design/index.html.en 175) normally be what they experience in their default browser, the user will projects/en/torbrowser/design/index.html.en 176) inevitably be confused. They will make mistakes and reduce their privacy as a projects/en/torbrowser/design/index.html.en 177) result. Worse, they may just stop using the browser, assuming it is broken. projects/en/torbrowser/design/index.html.en 178) projects/en/torbrowser/design/index.html.en 179) </p><p> projects/en/torbrowser/design/index.html.en 180)
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 181) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 182) of Torbutton</a>: Even if users managed to install everything properly, projects/en/torbrowser/design/index.html.en 183) the toggle model was too hard for the average user to understand, especially projects/en/torbrowser/design/index.html.en 184) in the face of accumulating tabs from multiple states crossed with the current`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 185) Tor-state of the browser.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 186) projects/en/torbrowser/design/index.html.en 187) </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to projects/en/torbrowser/design/index.html.en 188) break sites</strong></span><p> projects/en/torbrowser/design/index.html.en 189) projects/en/torbrowser/design/index.html.en 190) In general, we try to find solutions to privacy issues that will not induce projects/en/torbrowser/design/index.html.en 191) site breakage, though this is not always possible. projects/en/torbrowser/design/index.html.en 192) projects/en/torbrowser/design/index.html.en 193) </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p> projects/en/torbrowser/design/index.html.en 194) projects/en/torbrowser/design/index.html.en 195) Even if plugins always properly used the browser proxy settings (which none of projects/en/torbrowser/design/index.html.en 196) them do) and could not be induced to bypass them (which all of them can), the projects/en/torbrowser/design/index.html.en 197) activities of closed-source plugins are very difficult to audit and control. projects/en/torbrowser/design/index.html.en 198) They can obtain and transmit all manner of system information to websites, projects/en/torbrowser/design/index.html.en 199) often have their own identifier storage for tracking users, and also projects/en/torbrowser/design/index.html.en 200) contribute to fingerprinting. projects/en/torbrowser/design/index.html.en 201) projects/en/torbrowser/design/index.html.en 202) </p><p> projects/en/torbrowser/design/index.html.en 203) projects/en/torbrowser/design/index.html.en 204) Therefore, if plugins are to be enabled in private browsing modes, they must projects/en/torbrowser/design/index.html.en 205) be restricted from running automatically on every page (via click-to-play projects/en/torbrowser/design/index.html.en 206) placeholders), and/or be sandboxed to restrict the types of system calls they
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 207) can execute. If the user agent allows the user to craft an exemption to allow`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 208) a plugin to be used automatically, it must only apply to the top level URL bar`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 209) domain, and not to all sites, to reduce cross-origin fingerprinting projects/torbrowser/design/index.html.en 210) linkability.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 211) projects/en/torbrowser/design/index.html.en 212) </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p> projects/en/torbrowser/design/index.html.en 213)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 214) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 215) failure of Torbutton</a> was the options panel. Each option`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 216) that detectably alters browser behavior can be used as a fingerprinting tool.`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 217) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">should be projects/torbrowser/design/index.html.en 218) disabled in the mode</a> except as an opt-in basis. We should not load`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 219) system-wide and/or operating system provided addons or plugins.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 220) projects/en/torbrowser/design/index.html.en 221) </p><p>`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 222) Instead of global browser privacy options, privacy decisions should be made`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 223) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 224) URL bar origin</a> to eliminate the possibility of linkability`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 225) between domains. For example, when a plugin object (or a JavaScript access of`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 226) window.plugins) is present in a page, the user should be given the choice of`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 227) allowing that plugin object for that URL bar origin only. The same`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 228) goes for exemptions to third party cookie policy, geolocation, and any other`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 229) privacy permissions. projects/en/torbrowser/design/index.html.en 230) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 231) If the user has indicated they wish to record local history storage, these`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 232) permissions can be written to disk. Otherwise, they should remain memory-only.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 233) </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p> projects/en/torbrowser/design/index.html.en 234)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 235) Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock projects/torbrowser/design/index.html.en 236) Plus</a>, <a class="ulink" href="http://requestpolicy.com/" target="_top">Request Policy</a>, projects/torbrowser/design/index.html.en 237) <a class="ulink" href="http://www.ghostery.com/about" target="_top">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 238) avoided. We believe that these addons do not add any real privacy to a proper`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 239) <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, and that development efforts projects/torbrowser/design/index.html.en 240) should be focused on general solutions that prevent tracking by all projects/torbrowser/design/index.html.en 241) third parties, rather than a list of specific URLs or hosts. projects/torbrowser/design/index.html.en 242) </p><p>
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 243) Implementing filter-based blocking directly into the browser, such as done with projects/torbrowser/design/index.html.en 244) <a class="ulink" href="http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf" target="_top"> projects/torbrowser/design/index.html.en 245) Firefox' Tracking Protection</a>, does not alleviate the concerns mentioned projects/torbrowser/design/index.html.en 246) in the previous paragraph. There is still just a list concerned with specific projects/torbrowser/design/index.html.en 247) URLs and hosts which, in this case, are projects/torbrowser/design/index.html.en 248) <a class="ulink" href="https://services.disconnect.me/disconnect-plaintext.json" target="_top"> projects/torbrowser/design/index.html.en 249) assembled</a> by <a class="ulink" href="https://disconnect.me/trackerprotection" target="_top"> projects/torbrowser/design/index.html.en 250) Disconnect</a> and <a class="ulink" href="https://github.com/mozilla-services/shavar-list-exceptions" target="_top">adapted</a> by Mozilla. projects/torbrowser/design/index.html.en 251) </p><p> projects/torbrowser/design/index.html.en 252) Trying to resort to <a class="ulink" href="https://jonathanmayer.org/papers_data/bau13.pdf" target="_top">filter methods based on projects/torbrowser/design/index.html.en 253) machine learning</a> does not solve the problem either: they don't provide projects/torbrowser/design/index.html.en 254) a general solution to the tracking problem as they are working probabilistically. projects/torbrowser/design/index.html.en 255) Even with a precision rate at 99% and a false positive rate at 0.1% trackers projects/torbrowser/design/index.html.en 256) would be missed and sites would be wrongly blocked. projects/torbrowser/design/index.html.en 257) </p><p> projects/torbrowser/design/index.html.en 258) Filter-based solutions in general can also introduce strange breakage and cause projects/torbrowser/design/index.html.en 259) usability nightmares. Coping with those easily leads to just <a class="ulink" href="https://github.com/mozilla-services/shavar-list-exceptions" target="_top">whitelisting projects/torbrowser/design/index.html.en 260) </a> projects/torbrowser/design/index.html.en 261) the affected domains defeating the purpose of the filter in the first place. projects/torbrowser/design/index.html.en 262) Filters will also fail to do their job if an adversary simply projects/torbrowser/design/index.html.en 263) registers a new domain or <a class="ulink" href="http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_24.pdf" target="_top"> projects/torbrowser/design/index.html.en 264) creates a new URL path</a>. Worse still, the unique filter sets that each projects/torbrowser/design/index.html.en 265) user creates or installs will provide a wealth of fingerprinting targets.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 266) </p><p> projects/en/torbrowser/design/index.html.en 267) projects/en/torbrowser/design/index.html.en 268) As a general matter, we are also generally opposed to shipping an always-on Ad projects/en/torbrowser/design/index.html.en 269) blocker with Tor Browser. We feel that this would damage our credibility in projects/en/torbrowser/design/index.html.en 270) terms of demonstrating that we are providing privacy through a sound design`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 271) alone, as well as damage the acceptance of Tor users by sites that support`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 272) themselves through advertising revenue. projects/en/torbrowser/design/index.html.en 273) projects/en/torbrowser/design/index.html.en 274) </p><p> projects/en/torbrowser/design/index.html.en 275) Users are free to install these addons if they wish, but doing projects/en/torbrowser/design/index.html.en 276) so is not recommended, as it will alter the browser request fingerprint. projects/en/torbrowser/design/index.html.en 277) </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p> projects/en/torbrowser/design/index.html.en 278) We believe that if we do not stay current with the support of new web projects/en/torbrowser/design/index.html.en 279) technologies, we cannot hope to substantially influence or be involved in projects/en/torbrowser/design/index.html.en 280) their proper deployment or privacy realization. However, we will likely disable
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 281) high-risk features pending analysis, audit, and mitigation.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 282) </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="adversary"></a>3. Adversary Model</h2></div></div></div><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 283) projects/torbrowser/design/index.html.en 284) A Tor web browser adversary has a number of goals, capabilities, and attack projects/torbrowser/design/index.html.en 285) types that can be used to illustrate the design requirements for the projects/torbrowser/design/index.html.en 286) Tor Browser. Let's start with the goals. projects/torbrowser/design/index.html.en 287)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 288) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-goals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 289) Tor, causing the user to directly connect to an IP of the adversary's projects/torbrowser/design/index.html.en 290) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely projects/torbrowser/design/index.html.en 291) happily settle for the ability to correlate something a user did via Tor with projects/torbrowser/design/index.html.en 292) their non-Tor activity. This can be done with cookies, cache identifiers,
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 293) JavaScript events, and even CSS. Sometimes the fact that a user uses Tor may`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 294) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p> projects/torbrowser/design/index.html.en 295) The adversary may also be interested in history disclosure: the ability to projects/torbrowser/design/index.html.en 296) query a user's history to see if they have issued certain censored search projects/torbrowser/design/index.html.en 297) queries, or visited censored sites. projects/torbrowser/design/index.html.en 298) </p></li><li class="listitem"><span class="command"><strong>Correlate activity across multiple sites</strong></span><p> projects/torbrowser/design/index.html.en 299) projects/torbrowser/design/index.html.en 300) The primary goal of the advertising networks is to know that the user who projects/torbrowser/design/index.html.en 301) visited siteX.com is the same user that visited siteY.com to serve them projects/torbrowser/design/index.html.en 302) targeted ads. The advertising networks become our adversary insofar as they projects/torbrowser/design/index.html.en 303) attempt to perform this correlation without the user's explicit consent. projects/torbrowser/design/index.html.en 304) projects/torbrowser/design/index.html.en 305) </p></li><li class="listitem"><span class="command"><strong>Fingerprinting/anonymity set reduction</strong></span><p> projects/torbrowser/design/index.html.en 306) projects/torbrowser/design/index.html.en 307) Fingerprinting (more generally: "anonymity set reduction") is used to attempt
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 308) to gather identifying information on a particular individual without the use`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 309) of tracking identifiers. If the dissident's or whistleblower's timezone is`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 310) available, and they are using a rare build of Firefox for an obscure operating projects/torbrowser/design/index.html.en 311) system, and they have a specific display resolution only used on one type of projects/torbrowser/design/index.html.en 312) laptop, this can be very useful information for tracking them down, or at projects/torbrowser/design/index.html.en 313) least <a class="link" href="#fingerprinting">tracking their activities</a>.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 314) projects/torbrowser/design/index.html.en 315) </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk projects/torbrowser/design/index.html.en 316) information</strong></span><p>`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 317)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 318) In some cases, the adversary may opt for a heavy-handed approach, such as projects/torbrowser/design/index.html.en 319) seizing the computers of all Tor users in an area (especially after narrowing projects/torbrowser/design/index.html.en 320) the field by the above two pieces of information). History records and cache`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 321) data are the primary goals here. Secondary goals may include confirming`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 322) on-disk identifiers (such as hostname and disk-logged spoofed MAC address`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 323) history) obtained by other means. projects/torbrowser/design/index.html.en 324)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 325) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-positioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 326) The adversary can position themselves at a number of different locations in projects/torbrowser/design/index.html.en 327) order to execute their attacks.`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 328) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 329) The adversary can run exit nodes, or alternatively, they may control routers projects/torbrowser/design/index.html.en 330) upstream of exit nodes. Both of these scenarios have been observed in the projects/torbrowser/design/index.html.en 331) wild. projects/torbrowser/design/index.html.en 332) </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p> projects/torbrowser/design/index.html.en 333) The adversary can also run websites, or more likely, they can contract out projects/torbrowser/design/index.html.en 334) ad space from a number of different ad servers and inject content that way. For projects/torbrowser/design/index.html.en 335) some users, the adversary may be the ad servers themselves. It is not
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 336) inconceivable that ad servers may try to subvert or reduce a user's anonymity`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 337) through Tor for marketing purposes. projects/torbrowser/design/index.html.en 338) </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p> projects/torbrowser/design/index.html.en 339) The adversary can also inject malicious content at the user's upstream router projects/torbrowser/design/index.html.en 340) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor projects/torbrowser/design/index.html.en 341) activity.
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 342) </p><p> projects/torbrowser/design/index.html.en 343) projects/torbrowser/design/index.html.en 344) Additionally, at this position the adversary can block Tor, or attempt to projects/torbrowser/design/index.html.en 345) recognize the traffic patterns of specific web pages at the entrance to the Tor`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 346) network.`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 347)`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 348) </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p> projects/torbrowser/design/index.html.en 349) Some users face adversaries with intermittent or constant physical access. projects/torbrowser/design/index.html.en 350) Users in Internet cafes, for example, face such a threat. In addition, in projects/torbrowser/design/index.html.en 351) countries where simply using tools like Tor is illegal, users may face projects/torbrowser/design/index.html.en 352) confiscation of their computer equipment for excessive Tor usage or just projects/torbrowser/design/index.html.en 353) general suspicion.
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 354) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"></a>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 355)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 356) The adversary can perform the following attacks from a number of different`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 357) positions to accomplish various aspects of their goals. It should be noted projects/torbrowser/design/index.html.en 358) that many of these attacks (especially those involving IP address leakage) are`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 359) often performed by accident by websites that simply have JavaScript, dynamic`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 360) CSS elements, and plugins. Others are performed by ad servers seeking to projects/torbrowser/design/index.html.en 361) correlate users' activity across different IP addresses, and still others are projects/torbrowser/design/index.html.en 362) performed by malicious agents on the Tor network and at national firewalls. projects/torbrowser/design/index.html.en 363)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 364) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 365) projects/torbrowser/design/index.html.en 366) The browser contains multiple facilities for storing identifiers that the projects/torbrowser/design/index.html.en 367) adversary creates for the purposes of tracking users. These identifiers are projects/torbrowser/design/index.html.en 368) most obviously cookies, but also include HTTP auth, DOM storage, cached projects/torbrowser/design/index.html.en 369) scripts and other elements with embedded identifiers, client certificates, and projects/torbrowser/design/index.html.en 370) even TLS Session IDs. projects/torbrowser/design/index.html.en 371) projects/torbrowser/design/index.html.en 372) </p><p> projects/torbrowser/design/index.html.en 373) projects/torbrowser/design/index.html.en 374) An adversary in a position to perform MITM content alteration can inject projects/torbrowser/design/index.html.en 375) document content elements to both read and inject cookies for arbitrary projects/torbrowser/design/index.html.en 376) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 377) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 378) sidejacking</a>. In addition, the ad networks of course perform tracking projects/torbrowser/design/index.html.en 379) with cookies as well. projects/torbrowser/design/index.html.en 380) projects/torbrowser/design/index.html.en 381) </p><p> projects/torbrowser/design/index.html.en 382)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 383) These types of attacks are attempts at subverting our <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button">Long-Term Unlinkability</a> design requirements.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 384)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 385) </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 386) attributes</strong></span><p> projects/torbrowser/design/index.html.en 387) projects/torbrowser/design/index.html.en 388) There is an absurd amount of information available to websites via attributes`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 389) of the browser. This information can be used to reduce the anonymity set, or projects/torbrowser/design/index.html.en 390) even uniquely fingerprint individual users. Attacks of this nature are projects/torbrowser/design/index.html.en 391) typically aimed at tracking users across sites without their consent, in an projects/torbrowser/design/index.html.en 392) attempt to subvert our <a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability">Cross-Origin
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 393) Fingerprinting Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button">Long-Term Unlinkability</a> design requirements.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 394) projects/torbrowser/design/index.html.en 395) </p><p> projects/torbrowser/design/index.html.en 396)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 397) Fingerprinting is an intimidating problem to attempt to tackle, especially projects/torbrowser/design/index.html.en 398) without a metric to determine or at least intuitively understand and estimate projects/torbrowser/design/index.html.en 399) which features will most contribute to linkability between visits.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 400) projects/torbrowser/design/index.html.en 401) </p><p> projects/torbrowser/design/index.html.en 402)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 403) The <a class="ulink" href="https://panopticlick.eff.org/about" target="_top">Panopticlick study`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 404) done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29" target="_top">Shannon`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 405) entropy</a> - the number of identifying bits of information encoded in`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 406) browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> is`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 407) definitely useful, and the metric is probably the appropriate one for projects/torbrowser/design/index.html.en 408) determining how identifying a particular browser property is. However, some projects/torbrowser/design/index.html.en 409) quirks of their study means that they do not extract as much information as projects/torbrowser/design/index.html.en 410) they could from display information: they only use desktop resolution and do projects/torbrowser/design/index.html.en 411) not attempt to infer the size of toolbars. In the other direction, they may be projects/torbrowser/design/index.html.en 412) over-counting in some areas, as they did not compute joint entropy over projects/torbrowser/design/index.html.en 413) multiple attributes that may exhibit a high degree of correlation. Also, new projects/torbrowser/design/index.html.en 414) browser features are added regularly, so the data should not be taken as projects/torbrowser/design/index.html.en 415) final. projects/torbrowser/design/index.html.en 416) projects/torbrowser/design/index.html.en 417) </p><p> projects/torbrowser/design/index.html.en 418) projects/torbrowser/design/index.html.en 419) Despite the uncertainty, all fingerprinting attacks leverage the following projects/torbrowser/design/index.html.en 420) attack vectors: projects/torbrowser/design/index.html.en 421)
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 422) </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 423) projects/torbrowser/design/index.html.en 424) Properties of the user's request behavior comprise the bulk of low-hanging projects/torbrowser/design/index.html.en 425) fingerprinting targets. These include: User agent, Accept-* headers, pipeline projects/torbrowser/design/index.html.en 426) usage, and request ordering. Additionally, the use of custom filters such as projects/torbrowser/design/index.html.en 427) AdBlock and other privacy filters can be used to fingerprint request patterns projects/torbrowser/design/index.html.en 428) (as an extreme example). projects/torbrowser/design/index.html.en 429)
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 430) </p></li><li class="listitem"><span class="command"><strong>Inserting JavaScript</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 431)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 432) JavaScript can reveal a lot of fingerprinting information. It provides DOM`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 433) objects such as window.screen and window.navigator to extract information`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 434) about the user agent.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 435)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 436) Also, JavaScript can be used to query the user's timezone via the`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 437) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 438) reveal information about the video card in use, and high precision timing`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 439) information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 440) interpreter speed</a>. JavaScript features such as projects/torbrowser/design/index.html.en 441) <a class="ulink" href="https://www.w3.org/TR/resource-timing/" target="_top">Resource Timing</a> projects/torbrowser/design/index.html.en 442) may leak an unknown amount of network timing related information. And, moreover, projects/torbrowser/design/index.html.en 443) JavaScript is able to projects/torbrowser/design/index.html.en 444) <a class="ulink" href="https://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf" target="_top"> projects/torbrowser/design/index.html.en 445) extract</a> projects/torbrowser/design/index.html.en 446) <a class="ulink" href="https://www.cosic.esat.kuleuven.be/fpdetective/" target="_top">available</a> projects/torbrowser/design/index.html.en 447) <a class="ulink" href="https://hal.inria.fr/hal-01285470v2/document" target="_top">fonts</a> on a projects/torbrowser/design/index.html.en 448) device with high precision.
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 449) projects/torbrowser/design/index.html.en 450) </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p> projects/torbrowser/design/index.html.en 451) projects/torbrowser/design/index.html.en 452) The Panopticlick project found that the mere list of installed plugins (in projects/torbrowser/design/index.html.en 453) navigator.plugins) was sufficient to provide a large degree of projects/torbrowser/design/index.html.en 454) fingerprintability. Additionally, plugins are capable of extracting font lists, projects/torbrowser/design/index.html.en 455) interface addresses, and other machine information that is beyond what the projects/torbrowser/design/index.html.en 456) browser would normally provide to content. In addition, plugins can be used to projects/torbrowser/design/index.html.en 457) store unique identifiers that are more difficult to clear than standard
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 458) cookies. <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 459) cookies</a> fall into this category, but there are likely numerous other projects/torbrowser/design/index.html.en 460) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 461) settings of the browser.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 462) projects/torbrowser/design/index.html.en 463) projects/torbrowser/design/index.html.en 464) </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p> projects/torbrowser/design/index.html.en 465)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 466) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 467) queries</a> can be inserted to gather information about the desktop size, projects/torbrowser/design/index.html.en 468) widget size, display type, DPI, user agent type, and other information that`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 469) was formerly available only to JavaScript.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 470)`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 471) </p></li></ol></div></li><li class="listitem"><a id="website-traffic-fingerprinting"></a><span class="command"><strong>Website traffic fingerprinting</strong></span><p> projects/torbrowser/design/index.html.en 472) projects/torbrowser/design/index.html.en 473) Website traffic fingerprinting is an attempt by the adversary to recognize the`
TBB design doc: More review... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 474) encrypted traffic patterns of specific websites. In the case of Tor, this projects/torbrowser/design/index.html.en 475) attack would take place between the user and the Guard node, or at the Guard projects/torbrowser/design/index.html.en 476) node itself. projects/torbrowser/design/index.html.en 477) </p><p> The most comprehensive study of the statistical properties of this projects/torbrowser/design/index.html.en 478) attack against Tor was done by <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 479) et al</a>. Unfortunately, the publication bias in academia has encouraged`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 480) the production of projects/torbrowser/design/index.html.en 481) <a class="ulink" href="https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks" target="_top">a projects/torbrowser/design/index.html.en 482) number of follow-on attack papers claiming "improved" success rates</a>, in projects/torbrowser/design/index.html.en 483) some cases even claiming to completely invalidate any attempt at defense. These projects/torbrowser/design/index.html.en 484) "improvements" are actually enabled primarily by taking a number of shortcuts projects/torbrowser/design/index.html.en 485) (such as classifying only very small numbers of web pages, neglecting to publish projects/torbrowser/design/index.html.en 486) ROC curves or at least false positive rates, and/or omitting the effects of projects/torbrowser/design/index.html.en 487) dataset size on their results). Despite these subsequent "improvements", we are projects/torbrowser/design/index.html.en 488) skeptical of the efficacy of this attack in a real world scenario, projects/torbrowser/design/index.html.en 489) <span class="emphasis"><em>especially</em></span> in the face of any defenses.
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 490) projects/torbrowser/design/index.html.en 491) </p><p> projects/torbrowser/design/index.html.en 492)`
TBB design doc: Clarify web... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 493) In general, with machine learning, as you increase the <a class="ulink" href="https://en.wikipedia.org/wiki/VC_dimension" target="_top">number and/or complexity of projects/torbrowser/design/index.html.en 494) categories to classify</a> while maintaining a limit on reliable feature projects/torbrowser/design/index.html.en 495) information you can extract, you eventually run out of descriptive feature projects/torbrowser/design/index.html.en 496) information, and either true positive accuracy goes down or the false positive projects/torbrowser/design/index.html.en 497) rate goes up. This error is called the <a class="ulink" href="http://www.cs.washington.edu/education/courses/csep573/98sp/lectures/lecture8/sld050.htm" target="_top">bias projects/torbrowser/design/index.html.en 498) in your hypothesis space</a>. In fact, even for unbiased hypothesis projects/torbrowser/design/index.html.en 499) spaces, the number of training examples required to achieve a reasonable error projects/torbrowser/design/index.html.en 500) bound is <a class="ulink" href="https://en.wikipedia.org/wiki/Probably_approximately_correct_learning#Equivalence" target="_top">a
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 501) function of the complexity of the categories</a> you need to classify.`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 502) projects/torbrowser/design/index.html.en 503) </p><p> projects/torbrowser/design/index.html.en 504) projects/torbrowser/design/index.html.en 505) projects/torbrowser/design/index.html.en 506) In the case of this attack, the key factors that increase the classification`
TBB design doc: Clarify web... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 507) complexity (and thus hinder a real world adversary who attempts this attack)`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 508) are large numbers of dynamically generated pages, partially cached content,`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 509) and also the non-web activity of the entire Tor network. This yields an projects/torbrowser/design/index.html.en 510) effective number of "web pages" many orders of magnitude larger than even <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko's`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 511) "Open World" scenario</a>, which suffered continuous near-constant decline`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 512) in the true positive rate as the "Open World" size grew (see figure 4). This projects/torbrowser/design/index.html.en 513) large level of classification complexity is further confounded by a noisy and`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 514) low resolution featureset - one which is also relatively easy for the defender`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 515) to manipulate at low cost.`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 516) projects/torbrowser/design/index.html.en 517) </p><p> projects/torbrowser/design/index.html.en 518)`
TBB Design Doc: Mention use... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 519) To make matters worse for a real-world adversary, the ocean of Tor Internet projects/torbrowser/design/index.html.en 520) activity (at least, when compared to a lab setting) makes it a certainty that projects/torbrowser/design/index.html.en 521) an adversary attempting examine large amounts of Tor traffic will ultimately projects/torbrowser/design/index.html.en 522) be overwhelmed by false positives (even after making heavy tradeoffs on the projects/torbrowser/design/index.html.en 523) ROC curve to minimize false positives to below 0.01%). This problem is known projects/torbrowser/design/index.html.en 524) in the IDS literature as the <a class="ulink" href="http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf" target="_top">Base Rate
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 525) Fallacy</a>, and it is the primary reason that anomaly and activity projects/torbrowser/design/index.html.en 526) classification-based IDS and antivirus systems have failed to materialize in`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 527) the marketplace (despite early success in academic literature).`
Update TBB design doc based... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 528) projects/torbrowser/design/index.html.en 529) </p><p> projects/torbrowser/design/index.html.en 530) projects/torbrowser/design/index.html.en 531) Still, we do not believe that these issues are enough to dismiss the attack projects/torbrowser/design/index.html.en 532) outright. But we do believe these factors make it both worthwhile and projects/torbrowser/design/index.html.en 533) effective to <a class="link" href="#traffic-fingerprinting-defenses">deploy projects/torbrowser/design/index.html.en 534) light-weight defenses</a> that reduce the accuracy of this attack by projects/torbrowser/design/index.html.en 535) further contributing noise to hinder successful feature extraction. projects/torbrowser/design/index.html.en 536) projects/torbrowser/design/index.html.en 537) </p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 538) OS</strong></span><p> projects/torbrowser/design/index.html.en 539) projects/torbrowser/design/index.html.en 540) Last, but definitely not least, the adversary can exploit either general projects/torbrowser/design/index.html.en 541) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to projects/torbrowser/design/index.html.en 542) install malware and surveillance software. An adversary with physical access`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 543) can perform similar actions. projects/torbrowser/design/index.html.en 544) projects/torbrowser/design/index.html.en 545) </p><p> projects/torbrowser/design/index.html.en 546) projects/torbrowser/design/index.html.en 547) For the purposes of the browser itself, we limit the scope of this adversary projects/torbrowser/design/index.html.en 548) to one that has passive forensic access to the disk after browsing activity`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 549) has taken place. This adversary motivates our`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 550) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> defenses.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 551)`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 552) </p><p> projects/torbrowser/design/index.html.en 553) projects/torbrowser/design/index.html.en 554) An adversary with arbitrary code execution typically has more power, though. projects/torbrowser/design/index.html.en 555) It can be quite hard to really significantly limit the capabilities of such an`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 556) adversary. <a class="ulink" href="https://tails.boum.org/contribute/design/" target="_top">The Tails system</a> can`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 557) provide some defense against this adversary through the use of readonly media projects/torbrowser/design/index.html.en 558) and frequent reboots, but even this can be circumvented on machines without projects/torbrowser/design/index.html.en 559) Secure Boot through the use of BIOS rootkits. projects/torbrowser/design/index.html.en 560)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 561) </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>4. Implementation</h2></div></div></div><p>`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 562) projects/torbrowser/design/index.html.en 563) The Implementation section is divided into subsections, each of which projects/torbrowser/design/index.html.en 564) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>. projects/torbrowser/design/index.html.en 565) Each subsection is divided into specific web technologies or properties. The projects/torbrowser/design/index.html.en 566) implementation is then described for that property. projects/torbrowser/design/index.html.en 567) projects/torbrowser/design/index.html.en 568) </p><p> projects/torbrowser/design/index.html.en 569) projects/torbrowser/design/index.html.en 570) In some cases, the implementation meets the design requirements in a non-ideal projects/torbrowser/design/index.html.en 571) way (for example, by disabling features). In rare cases, there may be no projects/torbrowser/design/index.html.en 572) implementation at all. Both of these cases are denoted by differentiating projects/torbrowser/design/index.html.en 573) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 574) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 575) are typically linked for these cases. projects/torbrowser/design/index.html.en 576)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 577) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>4.1. Proxy Obedience</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 578) projects/en/torbrowser/design/index.html.en 579) Proxy obedience is assured through the following:`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 580) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Firefox proxy settings, patches, and build flags</strong></span><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 581)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 582) Our <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-45.8.0esr-6.5-2" target="_top">Firefox`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 583) preferences file</a> sets the Firefox proxy settings to use Tor directly projects/torbrowser/design/index.html.en 584) as a SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 585) <span class="command"><strong>network.proxy.socks_version</strong></span>, projects/torbrowser/design/index.html.en 586) <span class="command"><strong>network.proxy.socks_port</strong></span>, and projects/torbrowser/design/index.html.en 587) <span class="command"><strong>network.dns.disablePrefetch</strong></span>.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 588)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 589) </p><p> projects/torbrowser/design/index.html.en 590)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 591) To prevent proxy bypass by WebRTC calls, we disable WebRTC at compile time projects/torbrowser/design/index.html.en 592) with the <span class="command"><strong>--disable-webrtc</strong></span> configure switch, as well projects/torbrowser/design/index.html.en 593) as set the pref <span class="command"><strong>media.peerconnection.enabled</strong></span> to false.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 594) projects/torbrowser/design/index.html.en 595) </p><p> projects/torbrowser/design/index.html.en 596)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 597) We also patch Firefox in order to provide several defense-in-depth mechanisms`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 598) for proxy safety. Notably, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=177e78923b3252a7442160486ec48252a6adb77a" target="_top">patch`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 599) the DNS service</a> to prevent any browser or addon DNS resolution, and we`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 600) also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=6e17cef8f3cf61fdabf99e40d5e09a730142d6cd" target="_top"> projects/torbrowser/design/index.html.en 601) remove the DNS lookup for the profile lock signature</a>. Furhermore, we projects/torbrowser/design/index.html.en 602) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=8197f6ffe58ba167e3bca4230c5721ebcfae55de" target="_top">patch
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 603) OCSP and PKIX code</a> to prevent any use of the non-proxied command-line projects/torbrowser/design/index.html.en 604) tool utility functions from being functional while linked in to the browser. projects/torbrowser/design/index.html.en 605) In both cases, we could find no direct paths to these routines in the browser, projects/torbrowser/design/index.html.en 606) but it seemed better safe than sorry.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 607)`
Comments from Georg + proxy... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 608) </p><p> projects/torbrowser/design/index.html.en 609)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 610) For further defense-in-depth we disabled WebIDE because it can bypass proxy projects/torbrowser/design/index.html.en 611) settings for remote debugging, and also because it downloads extensions we projects/torbrowser/design/index.html.en 612) have not reviewed. We projects/torbrowser/design/index.html.en 613) are doing this by setting projects/torbrowser/design/index.html.en 614) <span class="command"><strong>devtools.webide.autoinstallADBHelper</strong></span>, projects/torbrowser/design/index.html.en 615) <span class="command"><strong>devtools.webide.autoinstallFxdtAdapters</strong></span>, projects/torbrowser/design/index.html.en 616) <span class="command"><strong>devtools.webide.enabled</strong></span>, and projects/torbrowser/design/index.html.en 617) <span class="command"><strong>devtools.appmanager.enabled</strong></span> to <span class="command"><strong>false</strong></span>. projects/torbrowser/design/index.html.en 618) Moreover, we removed the Roku Screen Sharing and screencaster code with a projects/torbrowser/design/index.html.en 619) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id= ad4abdb2e724fec060063f460604b829c66ea08a" target="_top"> projects/torbrowser/design/index.html.en 620) Firefox patch</a> as these features can bypass proxy settings as well. projects/torbrowser/design/index.html.en 621) </p><p> projects/torbrowser/design/index.html.en 622) Shumway is removed, too, for possible proxy bypass risks. We did this by projects/torbrowser/design/index.html.en 623) backporting a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=d020a4992d8d25baf7dfb5c8b308d80b47a8d312" target="_top"> projects/torbrowser/design/index.html.en 624) number</a> <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=98bf6c81b22cb5e4651a5fc060182f27b26c8ee5" target="_top"> projects/torbrowser/design/index.html.en 625) of</a> <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=14b723f28a6b1dd78093691013d1bf7d49dc4413" target="_top">Mozilla patches</a>. projects/torbrowser/design/index.html.en 626) Further down on our road to proxy safety we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a9e1d8eac28abb364bbfd3adabeae287751a6a8e" target="_top"> projects/torbrowser/design/index.html.en 627) disabled the network tickler</a> as it has the capability to send UDP projects/torbrowser/design/index.html.en 628) traffic. projects/torbrowser/design/index.html.en 629) </p><p> projects/torbrowser/design/index.html.en 630) projects/torbrowser/design/index.html.en 631) Finally, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=8e52265653ab223dc5af679f9f0c073b44371fa4" target="_top"> projects/torbrowser/design/index.html.en 632) disabled mDNS support</a>, since mDNS uses UDP packets. We also disable projects/torbrowser/design/index.html.en 633) Mozilla's TCPSocket by setting projects/torbrowser/design/index.html.en 634) <span class="command"><strong>dom.mozTCPSocket.enabled</strong></span> to <span class="command"><strong>false</strong></span>. We projects/torbrowser/design/index.html.en 635) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18866" target="_top">intend to projects/torbrowser/design/index.html.en 636) rip out</a> the TCPSocket code in the future to have an even more solid projects/torbrowser/design/index.html.en 637) guarantee that it won't be used by accident. projects/torbrowser/design/index.html.en 638) projects/torbrowser/design/index.html.en 639) </p><p>
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 640) During every Extended Support Release transition, we perform <a class="ulink" href="https://gitweb.torproject.org/tor-browser-spec.git/tree/audits" target="_top">in-depth`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 641) code audits</a> to verify that there were no system calls or XPCOM projects/torbrowser/design/index.html.en 642) activity in the source tree that did not use the browser proxy settings. projects/torbrowser/design/index.html.en 643) </p><p> projects/torbrowser/design/index.html.en 644)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 645) We have verified that these settings and patches properly proxy HTTPS, OCSP,`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 646) HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing Queries, all JavaScript`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 647) activity, including HTML5 audio and video objects, addon updates, WiFi`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 648) geolocation queries, searchbox queries, XPCOM addon HTTPS/HTTP activity,`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 649) WebSockets, and live bookmark updates. We have also verified that external projects/torbrowser/design/index.html.en 650) protocol helpers, such as SMB URLs and other custom protocol handlers are all projects/torbrowser/design/index.html.en 651) blocked. projects/torbrowser/design/index.html.en 652) </p></li><li class="listitem"><span class="command"><strong>Disabling plugins</strong></span><p> projects/torbrowser/design/index.html.en 653) Plugins, like Flash, have the ability to make arbitrary OS system calls and projects/torbrowser/design/index.html.en 654) <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 655) the ability to make UDP sockets and send arbitrary data independent of the projects/en/torbrowser/design/index.html.en 656) browser proxy settings. projects/en/torbrowser/design/index.html.en 657) </p><p> projects/en/torbrowser/design/index.html.en 658) Torbutton disables plugins by using the projects/en/torbrowser/design/index.html.en 659) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 660) as disabled. This block can be undone through both the Torbutton Security UI, projects/torbrowser/design/index.html.en 661) and the Firefox Plugin Preferences.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 662) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 663) If the user does enable plugins in this way, plugin-handled objects are still projects/torbrowser/design/index.html.en 664) restricted from automatic load through Firefox's click-to-play preference projects/torbrowser/design/index.html.en 665) <span class="command"><strong>plugins.click_to_play</strong></span>.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 666) </p><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 667)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 668) In addition, to reduce any unproxied activity by arbitrary plugins at load projects/torbrowser/design/index.html.en 669) time, and to reduce the fingerprintability of the installed plugin list, we`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 670) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=09883246904ce4dede9f3c4d4bb8d644aefe9d1d" target="_top">`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 671) prevent the load of any plugins except for Flash and Gnash</a>. Even for`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 672) Flash and Gnash, we also patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9a0d506e3655f2fdec97ee4217f354941e39b5b3" target="_top"> projects/torbrowser/design/index.html.en 673) prevent loading them into the address space</a> until they are explicitly projects/torbrowser/design/index.html.en 674) enabled. projects/torbrowser/design/index.html.en 675) </p><p> projects/torbrowser/design/index.html.en 676) With <a class="ulink" href="https://wiki.mozilla.org/GeckoMediaPlugins" target="_top">Gecko Media projects/torbrowser/design/index.html.en 677) Plugins</a> (GMPs) a second type of plugins is available. They are mainly projects/torbrowser/design/index.html.en 678) third party codecs and <a class="ulink" href="https://www.w3.org/TR/encrypted-media/" target="_top">EME</a> projects/torbrowser/design/index.html.en 679) content decryption modules. We currently disable these plugins as they either projects/torbrowser/design/index.html.en 680) can't be built reproducibly or are binary blobs which we are not allowed to projects/torbrowser/design/index.html.en 681) audit (or both). For the EME case we use the <span class="command"><strong>--disable-eme</strong></span> projects/torbrowser/design/index.html.en 682) configure switch and set projects/torbrowser/design/index.html.en 683) <span class="command"><strong>browser.eme.ui.enabled</strong></span>, projects/torbrowser/design/index.html.en 684) <span class="command"><strong>media.gmp-eme-adobe.enabled</strong></span>, projects/torbrowser/design/index.html.en 685) <span class="command"><strong>media.eme.enabled</strong></span>, and projects/torbrowser/design/index.html.en 686) <span class="command"><strong>media.eme.apiVisible</strong></span> to <span class="command"><strong>false</strong></span> to indicate projects/torbrowser/design/index.html.en 687) to the user that this feature is disabled. For GMPs in general we make sure that projects/torbrowser/design/index.html.en 688) the external server is not even pinged for updates/downloads in the first place projects/torbrowser/design/index.html.en 689) by setting <span class="command"><strong>media.gmp-manager.url.override</strong></span> to projects/torbrowser/design/index.html.en 690) <span class="command"><strong>data:text/plain,</strong></span> and avoid any UI with <span class="command"><strong> projects/torbrowser/design/index.html.en 691) media.gmp-provider.enabled</strong></span> set to <span class="command"><strong>false</strong></span>.
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 692)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 693) </p></li><li class="listitem"><span class="command"><strong>External App Blocking and Drag Event Filtering</strong></span><p>`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 694) projects/torbrowser/design/index.html.en 695) External apps can be induced to load files that perform network activity. projects/torbrowser/design/index.html.en 696) Unfortunately, there are cases where such apps can be launched automatically projects/torbrowser/design/index.html.en 697) with little to no user input. In order to prevent this, Torbutton installs a`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 698) component to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">`
Update TBB design doc based... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 699) provide the user with a popup</a> whenever the browser attempts to launch projects/torbrowser/design/index.html.en 700) a helper app. projects/torbrowser/design/index.html.en 701) projects/torbrowser/design/index.html.en 702) </p><p> projects/torbrowser/design/index.html.en 703) projects/torbrowser/design/index.html.en 704) Additionally, modern desktops now pre-emptively fetch any URLs in Drag and projects/torbrowser/design/index.html.en 705) Drop events as soon as the drag is initiated. This download happens projects/torbrowser/design/index.html.en 706) independent of the browser's Tor settings, and can be triggered by something projects/torbrowser/design/index.html.en 707) as simple as holding the mouse button down for slightly too long while
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 708) clicking on an image link. We filter drag and drop events events <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">from`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 709) Torbutton</a> before the OS downloads the URLs the events contained.`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 710)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 711) </p></li><li class="listitem"><span class="command"><strong>Disabling system extensions and clearing the addon whitelist</strong></span><p>`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 712) projects/torbrowser/design/index.html.en 713) Firefox addons can perform arbitrary activity on your computer, including projects/torbrowser/design/index.html.en 714) bypassing Tor. It is for this reason we disable the addon whitelist projects/torbrowser/design/index.html.en 715) (<span class="command"><strong>xpinstall.whitelist.add</strong></span>), so that users are prompted projects/torbrowser/design/index.html.en 716) before installing addons regardless of the source. We also exclude projects/torbrowser/design/index.html.en 717) system-level addons from the browser through the use of projects/torbrowser/design/index.html.en 718) <span class="command"><strong>extensions.enabledScopes</strong></span> and
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 719) <span class="command"><strong>extensions.autoDisableScopes</strong></span>. Furthermore, we set projects/torbrowser/design/index.html.en 720) <span class="command"><strong>extensions.systemAddon.update.url</strong></span> and <span class="command"><strong> projects/torbrowser/design/index.html.en 721) extensions.hotfix.id</strong></span> to an empty string in order projects/torbrowser/design/index.html.en 722) to avoid the risk of getting extensions installed by Mozilla into Tor Browser.
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 723)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 724) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>4.2. State Separation</h3></div></div></div><p>`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 725)`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 726) Tor Browser State is separated from existing browser state through use of a`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 727) custom Firefox profile, and by setting the $HOME environment variable to the`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 728) root of the bundle's directory. The browser also does not load any`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 729) system-wide extensions (through the use of projects/torbrowser/design/index.html.en 730) <span class="command"><strong>extensions.enabledScopes</strong></span> and`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 731) <span class="command"><strong>extensions.autoDisableScopes</strong></span>). Furthermore, plugins are`
TBB design doc: Fix typos,... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 732) disabled, which prevents Flash cookies from leaking from a pre-existing Flash projects/torbrowser/design/index.html.en 733) directory. projects/torbrowser/design/index.html.en 734)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 735) </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm357"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 736) projects/torbrowser/design/index.html.en 737) The User Agent MUST (at user option) prevent all disk records of browser activity.`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 738) The user SHOULD be able to optionally enable URL history and other history projects/torbrowser/design/index.html.en 739) features if they so desire. projects/torbrowser/design/index.html.en 740) projects/torbrowser/design/index.html.en 741) </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm360"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> projects/torbrowser/design/index.html.en 742) projects/torbrowser/design/index.html.en 743) We are working towards this goal through several mechanisms. First, we set projects/torbrowser/design/index.html.en 744) the Firefox Private Browsing preference projects/torbrowser/design/index.html.en 745) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>. projects/torbrowser/design/index.html.en 746) We also had to disable the media cache with the pref <span class="command"><strong>media.cache_size</strong></span>, to prevent HTML5 videos from being written to the OS temporary directory, which happened regardless of the private browsing mode setting. projects/torbrowser/design/index.html.en 747) Finally, we needed to disable asm.js as it turns out that projects/torbrowser/design/index.html.en 748) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1047105" target="_top">asm.js projects/torbrowser/design/index.html.en 749) cache entries get written to disk</a> in private browsing mode. This projects/torbrowser/design/index.html.en 750) is done by setting <span class="command"><strong>javascript.options.asmjs</strong></span> to projects/torbrowser/design/index.html.en 751) <span class="command"><strong>false</strong></span> (for linkability concerns with asm.js see below).
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 752) </blockquote></div><div class="blockquote"><blockquote class="blockquote"> projects/torbrowser/design/index.html.en 753) projects/torbrowser/design/index.html.en 754) As an additional defense-in-depth measure, we set the following preferences:`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 755) <span class="command"><strong></strong></span>,`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 756) <span class="command"><strong>browser.cache.disk.enable</strong></span>, projects/en/torbrowser/design/index.html.en 757) <span class="command"><strong>browser.cache.offline.enable</strong></span>,`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 758) <span class="command"><strong>dom.indexedDB.enabled</strong></span>, projects/torbrowser/design/index.html.en 759) <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>,`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 760) <span class="command"><strong>signon.rememberSignons</strong></span>,`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 761) <span class="command"><strong>browser.formfill.enable</strong></span>,`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 762) <span class="command"><strong>browser.download.manager.retention</strong></span>,`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 763) <span class="command"><strong>browser.sessionstore.privacy_level</strong></span>, projects/torbrowser/design/index.html.en 764) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>. Many of these projects/torbrowser/design/index.html.en 765) preferences are likely redundant with projects/torbrowser/design/index.html.en 766) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>, but we have not done the projects/torbrowser/design/index.html.en 767) auditing work to ensure that yet.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 768)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 769) </blockquote></div><div class="blockquote"><blockquote class="blockquote">`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 770)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 771) For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&status=!closed" target="_top">tbb-disk-leak tag in our bugtracker</a></blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>4.4. Application Data Isolation</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 772)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 773) Tor Browser MUST NOT cause any information to be written outside of the bundle projects/torbrowser/design/index.html.en 774) directory. This is to ensure that the user is able to completely and projects/torbrowser/design/index.html.en 775) safely remove it without leaving other traces of Tor usage on their computer.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 776)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 777) </p><p> projects/torbrowser/design/index.html.en 778)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 779) To ensure Tor Browser directory isolation, we set`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 780) <span class="command"><strong>browser.download.useDownloadDir</strong></span>, projects/torbrowser/design/index.html.en 781) <span class="command"><strong>browser.shell.checkDefaultBrowser</strong></span>, and projects/torbrowser/design/index.html.en 782) <span class="command"><strong>browser.download.manager.addToRecentDocs</strong></span>. We also set the`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 783) $HOME environment variable to be the Tor Browser extraction directory.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 784) </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 785)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 786) The Cross-Origin Identifier Unlinkability design requirement is satisfied projects/torbrowser/design/index.html.en 787) through first party isolation of all browser identifier sources. First party projects/torbrowser/design/index.html.en 788) isolation means that all identifier sources and browser state are scoped projects/torbrowser/design/index.html.en 789) (isolated) using the URL bar domain. This scoping is performed in projects/torbrowser/design/index.html.en 790) combination with any additional third party scope. When first party isolation projects/torbrowser/design/index.html.en 791) is used with explicit identifier storage that already has a constrained third
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 792) party scope (such as cookies and DOM storage), this approach is`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 793) referred to as "double-keying".`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 794) projects/en/torbrowser/design/index.html.en 795) </p><p> projects/en/torbrowser/design/index.html.en 796) projects/en/torbrowser/design/index.html.en 797) The benefit of this approach comes not only in the form of reduced projects/en/torbrowser/design/index.html.en 798) linkability, but also in terms of simplified privacy UI. If all stored browser`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 799) state and permissions become associated with the URL bar origin, the six or`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 800) seven different pieces of privacy UI governing these identifiers and`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 801) permissions can become just one piece of UI. For instance, a window that lists`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 802) the URL bar origin for which browser state exists, possibly with a`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 803) context-menu option to drill down into specific types of state or permissions. projects/torbrowser/design/index.html.en 804) An example of this simplification can be seen in Figure 1.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 805)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 806) </p><div class="figure"><a id="idm393"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 807)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 808) This example UI is a mock-up of how isolating identifiers to the URL bar`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 809) domain can simplify the privacy UI for all data - not just cookies. Once`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 810) browser identifiers and site permissions operate on a URL bar basis, the same`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 811) privacy window can represent browsing history, DOM Storage, HTTP Auth, search projects/torbrowser/design/index.html.en 812) form history, login values, and so on within a context menu for each site.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 813)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 814) </div></div></div><br class="figure-break" /><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm400"></a>Identifier Unlinkability Defenses in the Tor Browser</h4></div></div></div><p>`
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 815) projects/torbrowser/design/index.html.en 816) Unfortunately, many aspects of browser state can serve as identifier storage, projects/torbrowser/design/index.html.en 817) and no other browser vendor or standards body has invested the effort to projects/torbrowser/design/index.html.en 818) enumerate or otherwise deal with these vectors for third party tracking. As projects/torbrowser/design/index.html.en 819) such, we have had to enumerate and isolate these identifier sources on a projects/torbrowser/design/index.html.en 820) piecemeal basis. Here is the list that we have discovered and dealt with to projects/torbrowser/design/index.html.en 821) date:
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 822)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 823) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 824) projects/torbrowser/design/index.html.en 825) All cookies MUST be double-keyed to the URL bar origin and third-party`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 826) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 827) that contains a prototype patch, but it lacks UI, and does not apply to modern`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 828) Firefox versions.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 829) projects/en/torbrowser/design/index.html.en 830) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 831) projects/en/torbrowser/design/index.html.en 832) As a stopgap to satisfy our design requirement of unlinkability, we currently projects/en/torbrowser/design/index.html.en 833) entirely disable 3rd party cookies by setting`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 834) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to <span class="command"><strong>1</strong></span>. We projects/torbrowser/design/index.html.en 835) would prefer that third party content continue to function, but we believe the projects/torbrowser/design/index.html.en 836) requirement for unlinkability trumps that desire.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 837)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 838) </p></li><li class="listitem"><span class="command"><strong>Cache</strong></span><p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 839) All cache entries MUST be isolated to the URL bar domain. projects/torbrowser/design/index.html.en 840) </p><p><span class="command"><strong>Implementation Status:</strong></span>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 841)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 842) In Firefox, there are actually several distinct caching mechanisms: One is for projects/torbrowser/design/index.html.en 843) general content (HTML, JavaScript, CSS). That content cache is isolated to the projects/torbrowser/design/index.html.en 844) URL bar domain by <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9e88ab764b1c9c5d26a398ec6381eef88689929c" target="_top">altering`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 845) each cache key</a> to include an additional ID that includes the URL bar projects/torbrowser/design/index.html.en 846) domain. This functionality can be observed by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and viewing the key used for each cache`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 847) entry. Each third party element should have an additional "string@:" projects/torbrowser/design/index.html.en 848) property prepended, which will list the base domain that was used to source it.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 849)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 850) </p><p> projects/torbrowser/design/index.html.en 851)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 852) Additionally, there is the image cache. Because it is a separate entity from projects/torbrowser/design/index.html.en 853) the content cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=05749216781d470ab95c2d101dd28ad000d9161f" target="_top">isolate`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 854) this cache per URL bar domain</a>.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 855)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 856) </p><p> projects/torbrowser/design/index.html.en 857) Furthermore there is the Cache API (CacheStorage). That one is currently not projects/torbrowser/design/index.html.en 858) available in Tor Browser as we do not allow third party cookies and are in projects/torbrowser/design/index.html.en 859) Private Browsing Mode by default. projects/torbrowser/design/index.html.en 860) </p><p> projects/torbrowser/design/index.html.en 861) Finally, we have the asm.js cache. The cache entry of the sript is (among projects/torbrowser/design/index.html.en 862) others things, like type of CPU, build ID, source characters of the asm.js projects/torbrowser/design/index.html.en 863) module etc.) keyed <a class="ulink" href="https://blog.mozilla.org/luke/2014/01/14/asm-js-aot-compilation-and-startup-performance/" target="_top">to the origin of the script</a>. projects/torbrowser/design/index.html.en 864) Lacking a good solution for binding it to the URL bar domain instead (and given projects/torbrowser/design/index.html.en 865) the storage of asm.js modules in Private Browsing Mode) we decided to disable projects/torbrowser/design/index.html.en 866) asm.js for the time being by setting <span class="command"><strong>javascript.options.asmjs</strong></span> to projects/torbrowser/design/index.html.en 867) <span class="command"><strong>false</strong></span>. It remains to be seen whether keying the cache entry projects/torbrowser/design/index.html.en 868) to the source characters of the asm.js module helps to avoid using it for projects/torbrowser/design/index.html.en 869) cross-origin tracking of users. We did not investigate that yet.
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 870) </p></li><li class="listitem"><span class="command"><strong>HTTP Authentication</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 871)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 872) HTTP Authorization headers can be used to encode <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 873) third party tracking identifiers</a>. To prevent this, we remove HTTP`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 874) authentication tokens for third party elements through a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=5e686c690cbc33cf3fdf984e6f3d3fe7b4d83701" target="_top">patch`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 875) to nsHTTPChannel</a>.`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 876)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 877) </p></li><li class="listitem"><span class="command"><strong>DOM Storage</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 878)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 879) DOM storage for third party domains MUST be isolated to the URL bar domain,`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 880) to prevent linkability between sites. This functionality is provided through a`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 881) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=20fee895321a7a18e79547e74f6739786558c0e8" target="_top">patch`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 882) to Firefox</a>.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 883)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 884) </p></li><li class="listitem"><span class="command"><strong>Flash cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>`
Describe our efforts agains... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 885) projects/torbrowser/design/index.html.en 886) Users should be able to click-to-play flash objects from trusted sites. To`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 887) make this behavior unlinkable, we wish to include a settings file for all projects/torbrowser/design/index.html.en 888) platforms that disables flash cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash`
Describe our efforts agains... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 889) settings manager</a>.`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 890)`
Describe our efforts agains... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 891) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 892)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 893) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having`
Describe our efforts agains... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 894) difficulties</a> causing Flash player to use this settings`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 895) file on Windows, so Flash remains difficult to enable.`
Describe our efforts agains... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 896)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 897) </p></li><li class="listitem"><span class="command"><strong>SSL+TLS session resumption</strong></span><p><span class="command"><strong>Design Goal:</strong></span>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 898)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 899) TLS session resumption tickets and SSL Session IDs MUST be limited to the URL`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 900) bar domain.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 901) projects/en/torbrowser/design/index.html.en 902) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 903)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 904) We disable TLS Session Tickets and SSL Session IDs by projects/torbrowser/design/index.html.en 905) setting <span class="command"><strong>security.ssl.disable_session_identifiers</strong></span> to projects/torbrowser/design/index.html.en 906) <span class="command"><strong>true</strong></span>. projects/torbrowser/design/index.html.en 907) To compensate for the increased round trip latency from disabling`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 908) these performance optimizations, we also enable`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 909) <a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 910) False Start</a> via the Firefox Pref`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 911) <span class="command"><strong>security.ssl.enable_false_start</strong></span>.`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 912)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 913) </p></li><li class="listitem"><span class="command"><strong>Tor circuit and HTTP connection linkability</strong></span><p> projects/torbrowser/design/index.html.en 914) projects/torbrowser/design/index.html.en 915) Tor circuits and HTTP connections from a third party in one URL bar origin projects/torbrowser/design/index.html.en 916) MUST NOT be reused for that same third party in another URL bar origin.`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 917) projects/torbrowser/design/index.html.en 918) </p><p> projects/torbrowser/design/index.html.en 919)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 920) This isolation functionality is provided by a Torbutton`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 921) component that <a class="ulink" href="" target="_top">sets projects/torbrowser/design/index.html.en 922) the SOCKS username and password for each request</a>. The Tor client has projects/torbrowser/design/index.html.en 923) logic to prevent connections with different SOCKS usernames and passwords from`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 924) using the same Tor circuit. Firefox has existing logic to ensure that projects/torbrowser/design/index.html.en 925) connections with SOCKS proxies do not re-use existing HTTP Keep-Alive projects/torbrowser/design/index.html.en 926) connections unless the proxy settings match. projects/torbrowser/design/index.html.en 927) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1200802" target="_top">We extended projects/torbrowser/design/index.html.en 928) this logic</a> to cover SOCKS username and password authentication, projects/torbrowser/design/index.html.en 929) providing us with HTTP Keep-Alive unlinkability.
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 930)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 931) </p></li><li class="listitem"><span class="command"><strong>SharedWorkers</strong></span><p>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 932) projects/torbrowser/design/index.html.en 933) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker" target="_top">SharedWorkers</a>`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 934) are a special form of JavaScript Worker threads that have a shared scope between projects/torbrowser/design/index.html.en 935) all threads from the same Javascript origin.`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 936)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 937) </p><p>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 938)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 939) The SharedWorker scope MUST be isolated to the URL bar domain. I.e. a projects/torbrowser/design/index.html.en 940) SharedWorker launched from a third party from one URL bar domain MUST NOT have projects/torbrowser/design/index.html.en 941) access to the objects created by that same third party loaded under another URL projects/torbrowser/design/index.html.en 942) bar domain. This functionality is provided by a projects/torbrowser/design/index.html.en 943) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=d17c11445645908086c8d0af84e970e880f586eb" target="_top"> projects/torbrowser/design/index.html.en 944) Firefox patch</a>.
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 945)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 946) </p></li><li class="listitem"><span class="command"><strong>blob: URIs (URL.createObjectURL)</strong></span><p>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 947) projects/torbrowser/design/index.html.en 948) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a> projects/torbrowser/design/index.html.en 949) API allows a site to load arbitrary content into a random UUID that is stored projects/torbrowser/design/index.html.en 950) in the user's browser, and this content can be accessed via a URL of the form projects/torbrowser/design/index.html.en 951) <span class="command"><strong>blob:UUID</strong></span> from any other content element anywhere on the projects/torbrowser/design/index.html.en 952) web. While this UUID value is neither under control of the site nor projects/torbrowser/design/index.html.en 953) predictable, it can still be used to tag a set of users that are of high projects/torbrowser/design/index.html.en 954) interest to an adversary.
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 955)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 956) </p><p><span class="command"><strong>Design Goal:</strong></span>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 957) projects/torbrowser/design/index.html.en 958) URIs created with URL.createObjectURL MUST be limited in scope to the first`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 959) party URL bar domain that created them. projects/torbrowser/design/index.html.en 960) projects/torbrowser/design/index.html.en 961) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 962) projects/torbrowser/design/index.html.en 963) We provide the isolation in Tor Browser via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb0b7b7a9c7257140ae5683718e82f3f0884f4f" target="_top">direct projects/torbrowser/design/index.html.en 964) patch to Firefox</a>. However, downloads of PDF files via the download button in the PDF viewer <a class="ulink" href="https://bugs.torproject.org/17933" target="_top">are not isolated yet</a>.
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 965)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 966) </p></li><li class="listitem"><span class="command"><strong>SPDY and HTTP/2</strong></span><p><span class="command"><strong>Design Goal:</strong></span>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 967)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 968) SPDY and HTTP/2 connections MUST be isolated to the URL bar domain. Furthermore, projects/torbrowser/design/index.html.en 969) all associated means that could be used for cross-domain user tracking (alt-svc projects/torbrowser/design/index.html.en 970) headers come to mind) MUST adhere to this design principle as well. projects/torbrowser/design/index.html.en 971) projects/torbrowser/design/index.html.en 972) </p><p><span class="command"><strong>Implementation status:</strong></span> projects/torbrowser/design/index.html.en 973) projects/torbrowser/design/index.html.en 974) SPDY and HTTP/2 are currently disabled by setting the projects/torbrowser/design/index.html.en 975) Firefox preferences <span class="command"><strong>network.http.spdy.enabled</strong></span>, projects/torbrowser/design/index.html.en 976) <span class="command"><strong>network.http.spdy.enabled.v2</strong></span>, projects/torbrowser/design/index.html.en 977) <span class="command"><strong>network.http.spdy.enabled.v3</strong></span>, projects/torbrowser/design/index.html.en 978) <span class="command"><strong>network.http.spdy.enabled.v3-1</strong></span>, projects/torbrowser/design/index.html.en 979) <span class="command"><strong>network.http.spdy.enabled.http2</strong></span>, projects/torbrowser/design/index.html.en 980) <span class="command"><strong>network.http.spdy.enabled.http2draft</strong></span>, projects/torbrowser/design/index.html.en 981) <span class="command"><strong>network.http.altsvc.enabled</strong></span>, and projects/torbrowser/design/index.html.en 982) <span class="command"><strong>network.http.altsvc.oe</strong></span> to <span class="command"><strong>false</strong></span>.
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 983)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 984) </p></li><li class="listitem"><span class="command"><strong>Automated cross-origin redirects</strong></span><p><span class="command"><strong>Design Goal:</strong></span>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 985) projects/torbrowser/design/index.html.en 986) To prevent attacks aimed at subverting the Cross-Origin Identifier projects/torbrowser/design/index.html.en 987) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 988) MUST NOT store any identifiers (cookies, cache, DOM storage, HTTP auth, etc) projects/torbrowser/design/index.html.en 989) for cross-origin redirect intermediaries that do not prompt for user input.`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 990) For example, if a user clicks on a bit.ly URL that redirects to a projects/torbrowser/design/index.html.en 991) doubleclick.net URL that finally redirects to a cnn.com URL, only cookies from`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 992) cnn.com should be retained after the redirect chain completes.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 993) projects/torbrowser/design/index.html.en 994) </p><p> projects/torbrowser/design/index.html.en 995)`
Update design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 996) Non-automated redirect chains that require user input at some step (such as projects/torbrowser/design/index.html.en 997) federated login systems) SHOULD still allow identifiers to persist.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 998)`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 999) </p><p><span class="command"><strong>Implementation status:</strong></span> projects/torbrowser/design/index.html.en 1000) projects/torbrowser/design/index.html.en 1001) There are numerous ways for the user to be redirected, and the Firefox API`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1002) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1003) open</a> to implement what we can. projects/torbrowser/design/index.html.en 1004)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1005) </p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1006)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1007) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1008) a magical DOM property that for some reason is allowed to retain a persistent value projects/en/torbrowser/design/index.html.en 1009) for the lifespan of a browser tab. It is possible to utilize this property for`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1010) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1011) storage</a>. projects/en/torbrowser/design/index.html.en 1012) projects/en/torbrowser/design/index.html.en 1013) </p><p> projects/en/torbrowser/design/index.html.en 1014)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1015) In order to eliminate non-consensual linkability but still allow for sites projects/torbrowser/design/index.html.en 1016) that utilize this property to function, we reset the window.name property of`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1017) tabs in Torbutton every time we encounter a blank Referer. This behavior`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1018) allows window.name to persist for the duration of a click-driven navigation projects/torbrowser/design/index.html.en 1019) session, but as soon as the user enters a new URL or navigates between`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1020) HTTPS/HTTP schemes, the property is cleared.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1021)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1022) </p></li><li class="listitem"><span class="command"><strong>Auto form-fill</strong></span><p>`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1023) projects/torbrowser/design/index.html.en 1024) We disable the password saving functionality in the browser as part of our`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1025) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> requirement. However,`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1026) since users may decide to re-enable disk history records and password saving,`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1027) we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1028) preference to false to prevent saved values from immediately populating`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1029) fields upon page load. Since JavaScript can read these values as soon as they`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1030) appear, setting this preference prevents automatic linkability from stored passwords. projects/torbrowser/design/index.html.en 1031)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1032) </p></li><li class="listitem"><span class="command"><strong>HSTS and HPKP supercookies</strong></span><p>`
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1033)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1034) An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS</a> projects/torbrowser/design/index.html.en 1035) <a class="ulink" href="http://www.radicalresearch.co.uk/lab/hstssupercookies/" target="_top">`
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1036) supercookies</a>. Since HSTS effectively stores one bit of information per domain`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1037) name, an adversary in possession of numerous domains can use them to construct projects/torbrowser/design/index.html.en 1038) cookies based on stored HSTS state. projects/torbrowser/design/index.html.en 1039)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1040) </p><p> projects/torbrowser/design/index.html.en 1041) projects/torbrowser/design/index.html.en 1042) HPKP provides <a class="ulink" href="https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf" target="_top"> projects/torbrowser/design/index.html.en 1043) a mechanism for user tracking</a> across domains as well. It allows abusing the projects/torbrowser/design/index.html.en 1044) requirement to provide a backup pin and the option to report a pin validation projects/torbrowser/design/index.html.en 1045) failure. In a tracking scenario every user gets a unique SHA-256 value serving projects/torbrowser/design/index.html.en 1046) as backup pin. This value is sent back after (deliberate) pin validation failures projects/torbrowser/design/index.html.en 1047) working in fact as a cookie. projects/torbrowser/design/index.html.en 1048)
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1049) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 1050)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1051) HSTS and HPKP MUST be isolated to the URL bar domain. projects/torbrowser/design/index.html.en 1052) projects/torbrowser/design/index.html.en 1053) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 1054) projects/torbrowser/design/index.html.en 1055) Currently, HSTS and HPKP state is both cleared by <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button">New Identity</a>, projects/torbrowser/design/index.html.en 1056) but we don't defend against the creation and usage of any of these supercookies projects/torbrowser/design/index.html.en 1057) between <span class="command"><strong>New Identity</strong></span> invocations. projects/torbrowser/design/index.html.en 1058) projects/torbrowser/design/index.html.en 1059) </p></li><li class="listitem"><span class="command"><strong>Broadcast Channels</strong></span><p> projects/torbrowser/design/index.html.en 1060) projects/torbrowser/design/index.html.en 1061) The BroadcastChannel API allows cross-site communication within the same projects/torbrowser/design/index.html.en 1062) origin. However, to avoid cross-origin linkability broadcast channels MUST projects/torbrowser/design/index.html.en 1063) instead be isolated to the URL bar domain. projects/torbrowser/design/index.html.en 1064) projects/torbrowser/design/index.html.en 1065) </p><p> projects/torbrowser/design/index.html.en 1066) projects/torbrowser/design/index.html.en 1067) We provide the isolation in Tor Browser via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=3460a38721810b5b7e785e18f202dde20b3434e8" target="_top">direct projects/torbrowser/design/index.html.en 1068) patch to Firefox</a>. If we lack a window for determining the URL bar projects/torbrowser/design/index.html.en 1069) domain (e.g. in some worker contexts) the use of broadcast channels is disabled. projects/torbrowser/design/index.html.en 1070) projects/torbrowser/design/index.html.en 1071) </p></li><li class="listitem"><span class="command"><strong>OCSP</strong></span><p> projects/torbrowser/design/index.html.en 1072) projects/torbrowser/design/index.html.en 1073) OCSP requests go to Certfication Authorities (CAs) to check for revoked projects/torbrowser/design/index.html.en 1074) certificates. They are sent once the browser is visiting a website via HTTPS and projects/torbrowser/design/index.html.en 1075) no cached results are available. Thus, to avoid information leaks, e.g. to exit projects/torbrowser/design/index.html.en 1076) relays, OCSP requests MUST go over the same circuit as the HTTPS request causing projects/torbrowser/design/index.html.en 1077) them and MUST therefore be isolated to the URL bar domain. The resulting cache projects/torbrowser/design/index.html.en 1078) entries MUST be bound to the URL bar domain as well. This functionality is projects/torbrowser/design/index.html.en 1079) provided by a projects/torbrowser/design/index.html.en 1080) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb1568275acd4fdf61359c9b1e97c2753e7b2be" target="_top">Firefox patch</a>. projects/torbrowser/design/index.html.en 1081) projects/torbrowser/design/index.html.en 1082) </p></li><li class="listitem"><span class="command"><strong>Favicons</strong></span><p> projects/torbrowser/design/index.html.en 1083) projects/torbrowser/design/index.html.en 1084) When visiting a website its favicon is fetched via a request originating from projects/torbrowser/design/index.html.en 1085) the browser itself (similar to the OCSP mechanism mentioned in the previous projects/torbrowser/design/index.html.en 1086) section). Those requests MUST be isolated to the URL bar domain. This projects/torbrowser/design/index.html.en 1087) functionality is provided by a projects/torbrowser/design/index.html.en 1088) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=f29f3ff28bbc471ea209d2181770677223c394d1" target="_top">Firefox patch</a>. projects/torbrowser/design/index.html.en 1089) projects/torbrowser/design/index.html.en 1090) </p></li><li class="listitem"><span class="command"><strong>mediasource: URIs and MediaStreams</strong></span><p> projects/torbrowser/design/index.html.en 1091) projects/torbrowser/design/index.html.en 1092) Much like blob URLs, mediasource: URIs and MediaStreams can be used to tag projects/torbrowser/design/index.html.en 1093) users. Therefore, mediasource: URIs and MediaStreams MUST be isolated to the URL bar domain. projects/torbrowser/design/index.html.en 1094) This functionality is part of a projects/torbrowser/design/index.html.en 1095) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb0b7b7a9c7257140ae5683718e82f3f0884f4f" target="_top">Firefox patch</a> projects/torbrowser/design/index.html.en 1096) projects/torbrowser/design/index.html.en 1097) </p></li><li class="listitem"><span class="command"><strong>Speculative and prefetched connections</strong></span><p> projects/torbrowser/design/index.html.en 1098) projects/torbrowser/design/index.html.en 1099) Firefox provides the feature to <a class="ulink" href="https://www.igvita.com/2015/08/17/eliminating-roundtrips-with-preconnect/" target="_top">connect speculatively</a> to projects/torbrowser/design/index.html.en 1100) remote hosts if that is either indicated in the HTML file (e.g. by projects/torbrowser/design/index.html.en 1101) <a class="ulink" href="https://w3c.github.io/resource-hints/" target="_top">link projects/torbrowser/design/index.html.en 1102) rel="preconnect" and rel="prefetch"</a>) or otherwise deemed beneficial. projects/torbrowser/design/index.html.en 1103) projects/torbrowser/design/index.html.en 1104) </p><p> projects/torbrowser/design/index.html.en 1105) projects/torbrowser/design/index.html.en 1106) Firefox does not support rel="prerender", and Mozilla has disabled speculative projects/torbrowser/design/index.html.en 1107) connections and rel="preconnect" usage where a proxy is used (see <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18762#comment:3" target="_top"> comment projects/torbrowser/design/index.html.en 1108) 3 in bug 18762</a> for further details). Explicit prefetching via the projects/torbrowser/design/index.html.en 1109) rel="prefetch" attribute is still performed, however. projects/torbrowser/design/index.html.en 1110) projects/torbrowser/design/index.html.en 1111) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 1112) projects/torbrowser/design/index.html.en 1113) All pre-loaded links and speculative connections MUST be isolated to the URL projects/torbrowser/design/index.html.en 1114) bar domain, if enabled. This includes isolating both Tor circuit use, as well projects/torbrowser/design/index.html.en 1115) as the caching and associate browser state for the prefetched resource. projects/torbrowser/design/index.html.en 1116) projects/torbrowser/design/index.html.en 1117) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 1118) projects/torbrowser/design/index.html.en 1119) For automatic speculative connects and rel="preconnect", we leave them projects/torbrowser/design/index.html.en 1120) disabled as per the Mozilla default for proxy settings. However, if enabled, projects/torbrowser/design/index.html.en 1121) speculative connects will be isolated to the proper first party Tor circuit by projects/torbrowser/design/index.html.en 1122) the same mechanism as is used for HTTP Keep-alive. This is true for rel="prefetch" projects/torbrowser/design/index.html.en 1123) requests as well. For rel="preconnect", we isolate them <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9126303651785d02f2df0554f391fffba0b0a00e" target="_top">via projects/torbrowser/design/index.html.en 1124) this patch</a>. This isolation makes both preconnecting and cache warming projects/torbrowser/design/index.html.en 1125) via rel=prefetch ineffective for links to domains other than the current URL projects/torbrowser/design/index.html.en 1126) bar domain. For links to the same domain as the URL bar domain, the full cache projects/torbrowser/design/index.html.en 1127) warming benefit is obtained. As an optimization, any preconnecting to domains projects/torbrowser/design/index.html.en 1128) other than the current URL bar domain can thus be disabled (perhaps with the projects/torbrowser/design/index.html.en 1129) exception of frames), but we do not do this. We allow these requests to projects/torbrowser/design/index.html.en 1130) proceed, but we isolate them.
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1131)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1132) </p></li></ol></div><p>`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1133) For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&status=!closed" target="_top">tbb-linkability tag in our bugtracker</a>`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1134) </p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1135) Browser fingerprinting is the act of inspecting browser behaviors and features in`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1136) an attempt to differentiate and track individual users. projects/torbrowser/design/index.html.en 1137) </p><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1138)`
More Tor Browser design doc... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1139) Fingerprinting attacks are typically broken up into passive and active projects/torbrowser/design/index.html.en 1140) vectors. Passive fingerprinting makes use of any information the browser projects/torbrowser/design/index.html.en 1141) provides automatically to a website without any specific action on the part of projects/torbrowser/design/index.html.en 1142) the website. Active fingerprinting makes use of any information that can be projects/torbrowser/design/index.html.en 1143) extracted from the browser by some specific website action, usually involving
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1144) JavaScript. Some definitions of browser fingerprinting also include`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1145) supercookies and cookie-like identifier storage, but we deal with those issues projects/torbrowser/design/index.html.en 1146) separately in the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">preceding section on projects/torbrowser/design/index.html.en 1147) identifier linkability</a>.`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1148)`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1149) </p><p>`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1150)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1151) For the most part, however, we do not differentiate between passive or active projects/torbrowser/design/index.html.en 1152) fingerprinting sources, since many active fingerprinting mechanisms are very projects/torbrowser/design/index.html.en 1153) rapid, and can be obfuscated or disguised as legitimate functionality.`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1154) projects/torbrowser/design/index.html.en 1155) </p><p> projects/torbrowser/design/index.html.en 1156)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1157) Instead, we believe fingerprinting can only be rationally addressed if we projects/torbrowser/design/index.html.en 1158) understand where the problem comes from, what sources of issues are the most`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1159) severe, what types of defenses are suitable for which sources, and have a projects/torbrowser/design/index.html.en 1160) consistent strategy for designing defenses that maximizes our ability to study projects/torbrowser/design/index.html.en 1161) defense efficacy. The following subsections address these issues from a high projects/torbrowser/design/index.html.en 1162) level, and we then conclude with a list of our current specific defenses.`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1163) projects/torbrowser/design/index.html.en 1164) </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-scope"></a>Sources of Fingerprinting Issues</h4></div></div></div><p> projects/torbrowser/design/index.html.en 1165)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1166) All browser fingerprinting issues arise from one of four primary sources: projects/torbrowser/design/index.html.en 1167) end-user configuration details, device and hardware characteristics, operating projects/torbrowser/design/index.html.en 1168) system vendor and version differences, and browser vendor and version projects/torbrowser/design/index.html.en 1169) differences. Additionally, user behavior itself provides one more source of projects/torbrowser/design/index.html.en 1170) potential fingerprinting. projects/torbrowser/design/index.html.en 1171) projects/torbrowser/design/index.html.en 1172) </p><p> projects/torbrowser/design/index.html.en 1173) projects/torbrowser/design/index.html.en 1174) In order to help prioritize and inform defenses, we now list these sources in projects/torbrowser/design/index.html.en 1175) order from most severe to least severe in terms of the amount of information projects/torbrowser/design/index.html.en 1176) they reveal, and describe them in more detail.
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1177) projects/torbrowser/design/index.html.en 1178) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>End-user Configuration Details</strong></span><p> projects/torbrowser/design/index.html.en 1179) projects/torbrowser/design/index.html.en 1180) End-user configuration details are by far the most severe threat to projects/torbrowser/design/index.html.en 1181) fingerprinting, as they will quickly provide enough information to uniquely projects/torbrowser/design/index.html.en 1182) identify a user. We believe it is essential to avoid exposing platform projects/torbrowser/design/index.html.en 1183) configuration details to website content at all costs. We also discourage projects/torbrowser/design/index.html.en 1184) excessive fine-grained customization of Tor Browser by minimizing and projects/torbrowser/design/index.html.en 1185) aggregating user-facing privacy and security options, as well as by
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1186) discouraging the use of additional plugins and addons. When it is necessary to projects/torbrowser/design/index.html.en 1187) expose configuration details in the course of providing functionality, we projects/torbrowser/design/index.html.en 1188) strive to do so only on a per-site basis via site permissions, to avoid projects/torbrowser/design/index.html.en 1189) linkability.`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1190) projects/torbrowser/design/index.html.en 1191) </p></li><li class="listitem"><span class="command"><strong>Device and Hardware Characteristics</strong></span><p> projects/torbrowser/design/index.html.en 1192)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1193) Device and hardware characteristics can be determined in three ways: they can projects/torbrowser/design/index.html.en 1194) be reported explicitly by the browser, they can be inferred through browser projects/torbrowser/design/index.html.en 1195) functionality, or they can be extracted through statistical measurements of projects/torbrowser/design/index.html.en 1196) system performance. We are most concerned with the cases where this projects/torbrowser/design/index.html.en 1197) information is either directly reported or can be determined via a single use
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1198) of an API or feature, and prefer to either alter functionality to prevent projects/torbrowser/design/index.html.en 1199) exposing the most variable aspects of these characteristics, place such projects/torbrowser/design/index.html.en 1200) features behind site permissions, or disable them entirely.`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1201)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1202) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1203)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1204) On the other hand, because statistical inference of system performance projects/torbrowser/design/index.html.en 1205) requires many iterations to achieve accuracy in the face of noise and projects/torbrowser/design/index.html.en 1206) concurrent activity, we are less concerned with this mechanism of extracting`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1207) this information. We also expect that reducing the resolution of JavaScript's`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1208) time sources will significantly increase the duration of execution required to projects/torbrowser/design/index.html.en 1209) extract accurate results, and thus make statistical approaches both projects/torbrowser/design/index.html.en 1210) unattractive and highly noticeable due to excessive resource consumption. projects/torbrowser/design/index.html.en 1211) projects/torbrowser/design/index.html.en 1212) </p></li><li class="listitem"><span class="command"><strong>Operating System Vendor and Version Differences</strong></span><p> projects/torbrowser/design/index.html.en 1213) projects/torbrowser/design/index.html.en 1214) Operating system vendor and version differences permeate many different projects/torbrowser/design/index.html.en 1215) aspects of the browser. While it is possible to address these issues with some projects/torbrowser/design/index.html.en 1216) effort, the relative lack of diversity in operating systems causes us to projects/torbrowser/design/index.html.en 1217) primarily focus our efforts on passive operating system fingerprinting projects/torbrowser/design/index.html.en 1218) mechanisms at this point in time. For the purposes of protecting user projects/torbrowser/design/index.html.en 1219) anonymity, it is not strictly essential that the operating system be projects/torbrowser/design/index.html.en 1220) completely concealed, though we recognize that it is useful to reduce this projects/torbrowser/design/index.html.en 1221) differentiation ability where possible, especially for cases where the projects/torbrowser/design/index.html.en 1222) specific version of a system can be inferred. projects/torbrowser/design/index.html.en 1223)
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1224) </p></li><li class="listitem"><span class="command"><strong>User Behavior</strong></span><p> projects/torbrowser/design/index.html.en 1225) projects/torbrowser/design/index.html.en 1226) While somewhat outside the scope of browser fingerprinting, for completeness projects/torbrowser/design/index.html.en 1227) it is important to mention that users themselves theoretically might be projects/torbrowser/design/index.html.en 1228) fingerprinted through their behavior while interacting with a website. This projects/torbrowser/design/index.html.en 1229) behavior includes e.g. keystrokes, mouse movements, click speed, and writing projects/torbrowser/design/index.html.en 1230) style. Basic vectors such as keystroke and mouse usage fingerprinting can be
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1231) mitigated by altering JavaScript's notion of time. More advanced issues like`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1232) writing style fingerprinting are the domain of <a class="ulink" href="https://github.com/psal/anonymouth/blob/master/README.md" target="_top">other tools</a>.`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1233)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1234) </p></li><li class="listitem"><span class="command"><strong>Browser Vendor and Version Differences</strong></span><p> projects/torbrowser/design/index.html.en 1235) projects/torbrowser/design/index.html.en 1236) Due to vast differences in feature set and implementation behavior even`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1237) between different (<a class="ulink" href="https://tsyrklevich.net/2014/10/28/abusing-strict-transport-security/" target="_top">minor</a>) projects/torbrowser/design/index.html.en 1238) versions of the same browser, browser vendor and version differences are simply projects/torbrowser/design/index.html.en 1239) not possible to conceal in any realistic way. It is only possible to minimize projects/torbrowser/design/index.html.en 1240) the differences among different installations of the same browser vendor and projects/torbrowser/design/index.html.en 1241) version. We make no effort to mimic any other major browser vendor, and in fact projects/torbrowser/design/index.html.en 1242) most of our fingerprinting defenses serve to differentiate Tor Browser users projects/torbrowser/design/index.html.en 1243) from normal Firefox users. Because of this, any study that lumps browser vendor projects/torbrowser/design/index.html.en 1244) and version differences into its analysis of the fingerprintability of a projects/torbrowser/design/index.html.en 1245) population is largely useless for evaluating either attacks or defenses. projects/torbrowser/design/index.html.en 1246) Unfortunately, this includes popular large-scale studies such as <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> and <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a>.
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1247)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1248) </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses-general"></a>General Fingerprinting Defenses</h4></div></div></div><p> projects/torbrowser/design/index.html.en 1249) projects/torbrowser/design/index.html.en 1250) To date, the Tor Browser team has concerned itself only with developing`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1251) defenses for APIs that have already been standardized and deployed. Once an`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1252) API or feature has been standardized and widely deployed, defenses to the projects/torbrowser/design/index.html.en 1253) associated fingerprinting issues tend to have only a few options available to`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1254) compensate for the lack of up-front privacy design. In our experience, so far`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1255) these options have been limited to value spoofing, subsystem modification or projects/torbrowser/design/index.html.en 1256) reimplementation, virtualization, site permissions, and feature removal. We projects/torbrowser/design/index.html.en 1257) will now describe these options and the fingerprinting sources they tend to projects/torbrowser/design/index.html.en 1258) work best with.`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1259) projects/torbrowser/design/index.html.en 1260) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Value Spoofing</strong></span><p> projects/torbrowser/design/index.html.en 1261)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1262) Value spoofing can be used for simple cases where the browser provides some projects/torbrowser/design/index.html.en 1263) aspect of the user's configuration details, devices, hardware, or operating projects/torbrowser/design/index.html.en 1264) system directly to a website. It becomes less useful when the fingerprinting projects/torbrowser/design/index.html.en 1265) method relies on behavior to infer aspects of the hardware or operating system, projects/torbrowser/design/index.html.en 1266) rather than obtain them directly.
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1267)`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1268) </p></li><li class="listitem"><span class="command"><strong>Subsystem Modification or Reimplementation</strong></span><p>`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1269) projects/torbrowser/design/index.html.en 1270) In cases where simple spoofing is not enough to properly conceal underlying`
More Tor Browser design doc... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1271) device characteristics or operating system details, the underlying subsystem projects/torbrowser/design/index.html.en 1272) that provides the functionality for a feature or API may need to be modified projects/torbrowser/design/index.html.en 1273) or completely reimplemented. This is most common in cases where customizable projects/torbrowser/design/index.html.en 1274) or version-specific aspects of the user's operating system are visible through projects/torbrowser/design/index.html.en 1275) the browser's featureset or APIs, usually because the browser directly exposes projects/torbrowser/design/index.html.en 1276) OS-provided implementations of underlying features. In these cases, such projects/torbrowser/design/index.html.en 1277) OS-provided implementations must be replaced by a generic implementation, or projects/torbrowser/design/index.html.en 1278) at least modified by an implementation wrapper layer that makes effort to
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1279) conceal any user-customized aspects of the system. projects/torbrowser/design/index.html.en 1280) projects/torbrowser/design/index.html.en 1281) </p></li><li class="listitem"><span class="command"><strong>Virtualization</strong></span><p> projects/torbrowser/design/index.html.en 1282) projects/torbrowser/design/index.html.en 1283) Virtualization is needed when simply reimplementing a feature in a different projects/torbrowser/design/index.html.en 1284) way is insufficient to fully conceal the underlying behavior. This is most projects/torbrowser/design/index.html.en 1285) common in instances of device and hardware fingerprinting, but since the projects/torbrowser/design/index.html.en 1286) notion of time can also be virtualized, virtualization also can apply to any projects/torbrowser/design/index.html.en 1287) instance where an accurate measurement of wall clock time is required for a projects/torbrowser/design/index.html.en 1288) fingerprinting vector to attain high accuracy. projects/torbrowser/design/index.html.en 1289) projects/torbrowser/design/index.html.en 1290) </p></li><li class="listitem"><span class="command"><strong>Site Permissions</strong></span><p> projects/torbrowser/design/index.html.en 1291) projects/torbrowser/design/index.html.en 1292) In the event that reimplementation or virtualization is too expensive in terms projects/torbrowser/design/index.html.en 1293) of performance or engineering effort, and the relative expected usage of a projects/torbrowser/design/index.html.en 1294) feature is rare, site permissions can be used to prevent the usage of a
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1295) feature for cross-site tracking. Unfortunately, site permissions become less projects/torbrowser/design/index.html.en 1296) effective once a feature is already widely overused and abused by many projects/torbrowser/design/index.html.en 1297) websites, since warning fatigue typically sets in for most users after just a projects/torbrowser/design/index.html.en 1298) few permission requests.`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1299)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1300) </p></li><li class="listitem"><span class="command"><strong>Feature or Functionality Removal</strong></span><p>`
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1301) projects/torbrowser/design/index.html.en 1302) Due to the current bias in favor of invasive APIs that expose the maximum projects/torbrowser/design/index.html.en 1303) amount of platform information, some features and APIs are simply not projects/torbrowser/design/index.html.en 1304) salvageable in their current form. When such invasive features serve only a projects/torbrowser/design/index.html.en 1305) narrow domain or use case, or when there are alternate ways of accomplishing projects/torbrowser/design/index.html.en 1306) the same task, these features and/or certain aspects of their functionality projects/torbrowser/design/index.html.en 1307) may be simply removed. projects/torbrowser/design/index.html.en 1308)
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1309) </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm608"></a>Strategies for Defense: Randomization versus Uniformity</h4></div></div></div><p>`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1310)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1311) When applying a form of defense to a specific fingerprinting vector or source,`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1312) there are two general strategies available: either the implementation for all`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1313) users of a single browser version can be made to behave as uniformly as`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1314) possible, or the user agent can attempt to randomize its behavior so that`
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1315) each interaction between a user and a site provides a different fingerprint. projects/torbrowser/design/index.html.en 1316) projects/torbrowser/design/index.html.en 1317) </p><p> projects/torbrowser/design/index.html.en 1318) projects/torbrowser/design/index.html.en 1319) Although <a class="ulink" href="http://research.microsoft.com/pubs/209989/tr1.pdf" target="_top">some projects/torbrowser/design/index.html.en 1320) research suggests</a> that randomization can be effective, so far striving projects/torbrowser/design/index.html.en 1321) for uniformity has generally proved to be a better strategy for Tor Browser projects/torbrowser/design/index.html.en 1322) for the following reasons: projects/torbrowser/design/index.html.en 1323)
More Tor Browser design doc... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1324) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Evaluation and measurement difficulties</strong></span><p> projects/torbrowser/design/index.html.en 1325) projects/torbrowser/design/index.html.en 1326) The fact that randomization causes behaviors to differ slightly with every projects/torbrowser/design/index.html.en 1327) site visit makes it appealing at first glance, but this same property makes it projects/torbrowser/design/index.html.en 1328) very difficult to objectively measure its effectiveness. By contrast, an projects/torbrowser/design/index.html.en 1329) implementation that strives for uniformity is very simple to evaluate. Despite projects/torbrowser/design/index.html.en 1330) their current flaws, a properly designed version of <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> or <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a> could report the entropy and projects/torbrowser/design/index.html.en 1331) uniqueness rates for all users of a single user agent version, without the projects/torbrowser/design/index.html.en 1332) need for complicated statistics about the variance of the measured behaviors. projects/torbrowser/design/index.html.en 1333) projects/torbrowser/design/index.html.en 1334) </p><p> projects/torbrowser/design/index.html.en 1335) projects/torbrowser/design/index.html.en 1336) Randomization (especially incomplete randomization) may also provide a false projects/torbrowser/design/index.html.en 1337) sense of security. When a fingerprinting attempt makes naive use of randomized projects/torbrowser/design/index.html.en 1338) information, a fingerprint will appear unstable, but may not actually be
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1339) sufficiently randomized to impede a dedicated adversary. Sophisticated`
More Tor Browser design doc... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1340) fingerprinting mechanisms may either ignore randomized information, or projects/torbrowser/design/index.html.en 1341) incorporate knowledge of the distribution and range of randomized values into projects/torbrowser/design/index.html.en 1342) the creation of a more stable fingerprint (by either removing the randomness, projects/torbrowser/design/index.html.en 1343) modeling it, or averaging it out). projects/torbrowser/design/index.html.en 1344) projects/torbrowser/design/index.html.en 1345) </p></li><li class="listitem"><span class="command"><strong>Randomization is not a shortcut</strong></span><p>
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1346) projects/torbrowser/design/index.html.en 1347) While many end-user configuration details that the browser currently exposes projects/torbrowser/design/index.html.en 1348) may be safely replaced by false information, randomization of these details projects/torbrowser/design/index.html.en 1349) must be just as exhaustive as an approach that seeks to make these behaviors`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1350) uniform. When confronting either strategy, the adversary can still make use of projects/torbrowser/design/index.html.en 1351) any details which have not been altered to be either sufficiently uniform or projects/torbrowser/design/index.html.en 1352) sufficiently random.`
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1353) projects/torbrowser/design/index.html.en 1354) </p><p> projects/torbrowser/design/index.html.en 1355) projects/torbrowser/design/index.html.en 1356) Furthermore, the randomization approach seems to break down when it is applied projects/torbrowser/design/index.html.en 1357) to deeper issues where underlying system functionality is directly exposed. In projects/torbrowser/design/index.html.en 1358) particular, it is not clear how to randomize the capabilities of hardware projects/torbrowser/design/index.html.en 1359) attached to a computer in such a way that it either convincingly behaves like
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1360) other hardware, or such that the exact properties of the hardware that vary projects/torbrowser/design/index.html.en 1361) from user to user are sufficiently randomized. Similarly, truly concealing projects/torbrowser/design/index.html.en 1362) operating system version differences through randomization may require projects/torbrowser/design/index.html.en 1363) multiple reimplementations of the underlying operating system functionality to projects/torbrowser/design/index.html.en 1364) ensure that every operating system version is covered by the range of possible projects/torbrowser/design/index.html.en 1365) behaviors.
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1366)`
More Tor Browser design doc... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1367) </p></li><li class="listitem"><span class="command"><strong>Usability issues</strong></span><p>`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1368) projects/torbrowser/design/index.html.en 1369) When randomization is introduced to features that affect site behavior, it can projects/torbrowser/design/index.html.en 1370) be very distracting for this behavior to change between visits of a given`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1371) site. For the simplest cases, this will lead to minor visual nuisances. projects/torbrowser/design/index.html.en 1372) However, when this information affects reported functionality or hardware projects/torbrowser/design/index.html.en 1373) characteristics, sometimes a site will function one way on one visit, and projects/torbrowser/design/index.html.en 1374) another way on a subsequent visit.`
Update Tor Browser design doc. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1375) projects/torbrowser/design/index.html.en 1376) </p></li><li class="listitem"><span class="command"><strong>Performance costs</strong></span><p> projects/torbrowser/design/index.html.en 1377) projects/torbrowser/design/index.html.en 1378) Randomizing involves performance costs. This is especially true if the projects/torbrowser/design/index.html.en 1379) fingerprinting surface is large (like in a modern browser) and one needs more projects/torbrowser/design/index.html.en 1380) elaborate randomizing strategies (including randomized virtualization) to projects/torbrowser/design/index.html.en 1381) ensure that the randomization fully conceals the true behavior. Many calls to projects/torbrowser/design/index.html.en 1382) a cryptographically secure random number generator during the course of a page projects/torbrowser/design/index.html.en 1383) load will both serve to exhaust available entropy pools, as well as lead to projects/torbrowser/design/index.html.en 1384) increased computation while loading a page. projects/torbrowser/design/index.html.en 1385) projects/torbrowser/design/index.html.en 1386) </p></li><li class="listitem"><span class="command"><strong>Increased vulnerability surface</strong></span><p> projects/torbrowser/design/index.html.en 1387) projects/torbrowser/design/index.html.en 1388) Improper randomization might introduce a new fingerprinting vector, as the projects/torbrowser/design/index.html.en 1389) process of generating the values for the fingerprintable attributes could be projects/torbrowser/design/index.html.en 1390) itself susceptible to side-channel attacks, analysis, or exploitation. projects/torbrowser/design/index.html.en 1391) projects/torbrowser/design/index.html.en 1392) </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Specific Fingerprinting Defenses in the Tor Browser</h4></div></div></div><p>
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1393) projects/torbrowser/design/index.html.en 1394) The following defenses are listed roughly in order of most severe`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1395) fingerprinting threat first. This ordering is based on the above intuition projects/torbrowser/design/index.html.en 1396) that user configurable aspects of the computer are the most severe source of projects/torbrowser/design/index.html.en 1397) fingerprintability, followed by device characteristics and hardware, and then projects/torbrowser/design/index.html.en 1398) finally operating system vendor and version information.`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1399) projects/torbrowser/design/index.html.en 1400) </p><p>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1401) projects/torbrowser/design/index.html.en 1402) Where our actual implementation differs from an ideal solution, we separately projects/torbrowser/design/index.html.en 1403) describe our <span class="command"><strong>Design Goal</strong></span> and our <span class="command"><strong>Implementation projects/torbrowser/design/index.html.en 1404) Status</strong></span>.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1405)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1406) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Plugins</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1407)`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1408) Plugins add to fingerprinting risk via two main vectors: their mere presence projects/torbrowser/design/index.html.en 1409) in window.navigator.plugins (because they are optional, end-user installed projects/torbrowser/design/index.html.en 1410) third party software), as well as their internal functionality.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1411) projects/en/torbrowser/design/index.html.en 1412) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 1413)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1414) All plugins that have not been specifically audited or sandboxed MUST be`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1415) disabled. To reduce linkability potential, even sandboxed plugins SHOULD NOT`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1416) be allowed to load objects until the user has clicked through a click-to-play`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1417) barrier. Additionally, version information SHOULD be reduced or obfuscated projects/torbrowser/design/index.html.en 1418) until the plugin object is loaded. For Flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">provide a`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1419) settings.sol file</a> to disable Flash cookies, and to restrict P2P`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1420) features that are likely to bypass proxy settings. We'd also like to restrict projects/torbrowser/design/index.html.en 1421) access to fonts and other system information (such as IP address and MAC projects/torbrowser/design/index.html.en 1422) address) in such a sandbox.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1423) projects/en/torbrowser/design/index.html.en 1424) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 1425) projects/en/torbrowser/design/index.html.en 1426) Currently, we entirely disable all plugins in Tor Browser. However, as a`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1427) compromise due to the popularity of Flash, we allow users to re-enable Flash, projects/torbrowser/design/index.html.en 1428) and flash objects are blocked behind a click-to-play barrier that is available projects/torbrowser/design/index.html.en 1429) only after the user has specifically enabled plugins. Flash is the only plugin`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1430) available, the rest are entirely projects/torbrowser/design/index.html.en 1431) blocked from loading by the Firefox patches mentioned in the <a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience">Proxy Obedience projects/torbrowser/design/index.html.en 1432) section</a>. We also set the Firefox`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1433) preference <span class="command"><strong>plugin.expose_full_path</strong></span> to false, to avoid projects/torbrowser/design/index.html.en 1434) leaking plugin installation information. projects/torbrowser/design/index.html.en 1435)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1436) </p></li><li class="listitem"><span class="command"><strong>HTML5 Canvas Image Extraction</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1437)`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1438) After plugins and plugin-provided information, we believe that the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5 projects/torbrowser/design/index.html.en 1439) Canvas</a> is the single largest fingerprinting threat browsers face`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1440) today. <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/canvas.pdf" target="_top"> projects/torbrowser/design/index.html.en 1441) Studies</a> <a class="ulink" href="https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf" target="_top">show</a> that the Canvas can provide an easy-access fingerprinting`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 1442) target: The adversary simply renders WebGL, font, and named color data to a projects/torbrowser/design/index.html.en 1443) Canvas element, extracts the image buffer, and computes a hash of that image projects/torbrowser/design/index.html.en 1444) data. Subtle differences in the video card, font packs, and even font and projects/torbrowser/design/index.html.en 1445) graphics library versions allow the adversary to produce a stable, simple, projects/torbrowser/design/index.html.en 1446) high-entropy fingerprint of a computer. In fact, the hash of the rendered projects/torbrowser/design/index.html.en 1447) image can be used almost identically to a tracking cookie by the web server. projects/torbrowser/design/index.html.en 1448) projects/torbrowser/design/index.html.en 1449) </p><p> projects/torbrowser/design/index.html.en 1450)
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1451) In some sense, the canvas can be seen as the union of many other`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1452) fingerprinting vectors. If WebGL is normalized through software rendering, projects/torbrowser/design/index.html.en 1453) system colors were standardized, and the browser shipped a fixed collection of`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1454) fonts (see later points in this list), it might not be necessary to create a projects/torbrowser/design/index.html.en 1455) canvas permission. However, until then, to reduce the threat from this vector,`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1456) we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=526e6d0bc5c68d8c409cbaefc231c71973d949cc" target="_top">prompt before returning valid image data</a> to the Canvas APIs, projects/torbrowser/design/index.html.en 1457) and for access to isPointInPath and related functions. Moreover, we put media projects/torbrowser/design/index.html.en 1458) streams on a canvas behind the site permission in that patch as well.
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1459) If the user hasn't previously allowed the site in the URL bar to access Canvas`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1460) image data, pure white image data is returned to the JavaScript APIs. projects/torbrowser/design/index.html.en 1461) Extracting canvas image data by third parties is not allowed, though.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1462) projects/torbrowser/design/index.html.en 1463) </p><p>`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1464) </p></li><li class="listitem"><span class="command"><strong>Open TCP Port and Local Network Fingerprinting</strong></span><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1465) projects/torbrowser/design/index.html.en 1466) In Firefox, by using either WebSockets or XHR, it is possible for remote projects/torbrowser/design/index.html.en 1467) content to <a class="ulink" href="http://www.andlabs.org/tools/jsrecon.html" target="_top">enumerate`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1468) the list of TCP ports open on 127.0.0.1</a>, as well as on any other projects/torbrowser/design/index.html.en 1469) machines on the local network. In other browsers, this can be accomplished by projects/torbrowser/design/index.html.en 1470) DOM events on image or script tags. This open vs filtered vs closed port list projects/torbrowser/design/index.html.en 1471) can provide a very unique fingerprint of a machine, because it essentially projects/torbrowser/design/index.html.en 1472) enables the detection of many different popular third party applications and projects/torbrowser/design/index.html.en 1473) optional system services (Skype, Bitcoin, Bittorrent and other P2P software, projects/torbrowser/design/index.html.en 1474) SSH ports, SMB and related LAN services, CUPS and printer daemon config ports, projects/torbrowser/design/index.html.en 1475) mail servers, and so on). It is also possible to determine when ports are projects/torbrowser/design/index.html.en 1476) closed versus filtered/blocked (and thus probe custom firewall configuration). projects/torbrowser/design/index.html.en 1477) projects/torbrowser/design/index.html.en 1478) </p><p> projects/torbrowser/design/index.html.en 1479) projects/torbrowser/design/index.html.en 1480) In Tor Browser, we prevent access to 127.0.0.1/localhost by ensuring that even projects/torbrowser/design/index.html.en 1481) these requests are still sent by Firefox to our SOCKS proxy (ie we set
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1482) <span class="command"><strong>network.proxy.no_proxies_on</strong></span> to the empty string). The local projects/torbrowser/design/index.html.en 1483) Tor client then rejects them, since it is configured to proxy for internal IP`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1484) addresses by default. Access to the local network is forbidden via the same`
One more TBB design doc upd... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1485) mechanism. We also disable the WebRTC API as mentioned previously, since even projects/torbrowser/design/index.html.en 1486) if it were usable over Tor, it still currently provides the local IP address projects/torbrowser/design/index.html.en 1487) and associated network information to websites.`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1488)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1489) </p></li><li class="listitem"><span class="command"><strong>Invasive Authentication Mechanisms (NTLM and SPNEGO)</strong></span><p>`
Updates to fingerprinting s... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1490) projects/torbrowser/design/index.html.en 1491) Both NTLM and SPNEGO authentication mechanisms can leak the hostname, and in projects/torbrowser/design/index.html.en 1492) some cases the current username. The only reason why these aren't a more projects/torbrowser/design/index.html.en 1493) serious problem is that they typically involve user interaction, and likely projects/torbrowser/design/index.html.en 1494) aren't an attractive vector for this reason. However, because it is not clear projects/torbrowser/design/index.html.en 1495) if certain carefully-crafted error conditions in these protocols could cause projects/torbrowser/design/index.html.en 1496) them to reveal machine information and still fail silently prior to the projects/torbrowser/design/index.html.en 1497) password prompt, these authentication mechanisms should either be disabled, or projects/torbrowser/design/index.html.en 1498) placed behind a site permission before their use. We simply disable them. projects/torbrowser/design/index.html.en 1499)
One more TBB design doc upd... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1500) </p></li><li class="listitem"><span class="command"><strong>USB Device ID Enumeration via the GamePad API</strong></span><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1501) projects/torbrowser/design/index.html.en 1502) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/API/Gamepad" target="_top">GamePad projects/torbrowser/design/index.html.en 1503) API</a> provides web pages with the <a class="ulink" href="https://dvcs.w3.org/hg/gamepad/raw-file/default/gamepad.html#widl-Gamepad-id" target="_top">USB projects/torbrowser/design/index.html.en 1504) device id, product id, and driver name</a> of all connected game
One more TBB design doc upd... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1505) controllers, as well as detailed information about their capabilities. projects/torbrowser/design/index.html.en 1506) </p><p> projects/torbrowser/design/index.html.en 1507) projects/torbrowser/design/index.html.en 1508) It's our opinion that this API needs to be completely redesigned to provide an projects/torbrowser/design/index.html.en 1509) abstract notion of a game controller rather than offloading all of the projects/torbrowser/design/index.html.en 1510) complexity associated with handling specific game controller models to web projects/torbrowser/design/index.html.en 1511) content authors. For systems without a game controller, a standard controller projects/torbrowser/design/index.html.en 1512) can be virtualized through the keyboard, which will serve to both improve projects/torbrowser/design/index.html.en 1513) usability by normalizing user interaction with different games, as well as projects/torbrowser/design/index.html.en 1514) eliminate fingerprinting vectors. Barring that, this API should be behind a projects/torbrowser/design/index.html.en 1515) site permission in Private Browsing Modes. For now though, we simply disable projects/torbrowser/design/index.html.en 1516) it via the pref <span class="command"><strong>dom.gamepad.enabled</strong></span>.
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1517)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1518) </p></li><li class="listitem"><span class="command"><strong>Fonts</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1519) projects/en/torbrowser/design/index.html.en 1520) According to the Panopticlick study, fonts provide the most linkability when`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1521) they are provided as an enumerable list in file system order, via either the`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1522) Flash or Java plugins. However, it is still possible to use CSS and/or`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1523) JavaScript to query for the existence of specific fonts. With a large enough`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1524) pre-built list to query, a large amount of fingerprintable information may`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1525) still be available, especially given that additional fonts often end up projects/torbrowser/design/index.html.en 1526) installed by third party software and for multilingual support.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1527)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1528) </p><p><span class="command"><strong>Design Goal:</strong></span>Font-based fingerprinting MUST be rendered ineffective</p><p><span class="command"><strong>Implementation Status:</strong></span>`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1529)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1530) We <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/13313" target="_top">investigated projects/torbrowser/design/index.html.en 1531) </a>shipping a predefined set of fonts to all of our users allowing only projects/torbrowser/design/index.html.en 1532) those fonts to be used by websites at the exclusion of system fonts. We are projects/torbrowser/design/index.html.en 1533) currently following this approach, which has been <a class="ulink" href="https://www.bamsoftware.com/papers/fontfp.pdf" target="_top"> projects/torbrowser/design/index.html.en 1534) suggested</a> <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/canvas.pdf" target="_top">by projects/torbrowser/design/index.html.en 1535) researchers</a> previously. This defense is available for all three projects/torbrowser/design/index.html.en 1536) supported platforms: Windows, macOS, and Linux, although the implementations projects/torbrowser/design/index.html.en 1537) vary in detail. projects/torbrowser/design/index.html.en 1538) projects/torbrowser/design/index.html.en 1539) </p><p>
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1540)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1541) For Windows and macOS we use a preference, <span class="command"><strong>font.system.whitelist</strong></span>, projects/torbrowser/design/index.html.en 1542) to restrict fonts being used to those in the whitelist. This functionality is projects/torbrowser/design/index.html.en 1543) provided <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=80d233db514a556d7255034ae057b138527cb2ea" target="_top">by a Firefox patch</a>. projects/torbrowser/design/index.html.en 1544) The whitelist for Windows and macOS contains both a set of projects/torbrowser/design/index.html.en 1545) <a class="ulink" href="https://www.google.com/get/noto" target="_top">Noto fonts</a> which we bundle projects/torbrowser/design/index.html.en 1546) and fonts provided by the operating system. For Linux systems we only bundle projects/torbrowser/design/index.html.en 1547) fonts and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?id=b88443f6d8af62f763b069eb15e008a46d9b468a" target="_top"> projects/torbrowser/design/index.html.en 1548) deploy </a> a <span class="command"><strong>fonts.conf</strong></span> file to restrict the browser to projects/torbrowser/design/index.html.en 1549) use those fonts exclusively. In addition to that we set the <span class="command"><strong>font.name* projects/torbrowser/design/index.html.en 1550) </strong></span> preferences for macOS and Linux to make sure that a given code point projects/torbrowser/design/index.html.en 1551) is always displayed with the same font. This is not guaranteed even if we bundle projects/torbrowser/design/index.html.en 1552) all the fonts Tor Browser uses as it can happen that fonts are loaded in a projects/torbrowser/design/index.html.en 1553) different order on different systems. Setting the above mentioned preferences projects/torbrowser/design/index.html.en 1554) works around this issue by specifying the font to use explicitely.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1555)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1556) </p><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1557)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1558) Allowing fonts provided by the operating system for Windows and macOS users is projects/torbrowser/design/index.html.en 1559) currently a compromise between fingerprintability resistance and usability projects/torbrowser/design/index.html.en 1560) concerns. We are still investigating the right balance between them and have projects/torbrowser/design/index.html.en 1561) created a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18097" target="_top"> projects/torbrowser/design/index.html.en 1562) ticket in our bug tracker</a> to summarize the current state of our defense projects/torbrowser/design/index.html.en 1563) and future work that remains to be done.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1564)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1565) </p></li><li class="listitem"><span class="command"><strong>Monitor, Widget, and OS Desktop Resolution</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1566)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1567) Both CSS and JavaScript have access to a lot of information about the screen`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1568) resolution, usable desktop size, OS widget size, toolbar size, title bar size,`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1569) and OS desktop widget sizing information that are not at all relevant to`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1570) rendering and serve only to provide information for fingerprinting. Since many projects/torbrowser/design/index.html.en 1571) aspects of desktop widget positioning and size are user configurable, these projects/torbrowser/design/index.html.en 1572) properties yield customized information about the computer, even beyond the projects/torbrowser/design/index.html.en 1573) monitor size.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1574) projects/en/torbrowser/design/index.html.en 1575) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 1576) projects/en/torbrowser/design/index.html.en 1577) Our design goal here is to reduce the resolution information down to the bare`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1578) minimum required for properly rendering inside a content window. We intend to`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1579) report all rendering information correctly with respect to the size and projects/en/torbrowser/design/index.html.en 1580) properties of the content window, but report an effective size of 0 for all`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1581) border material, and also report that the desktop is only as big as the inner projects/torbrowser/design/index.html.en 1582) content window. Additionally, new browser windows are sized such that their projects/torbrowser/design/index.html.en 1583) content windows are one of a few fixed sizes based on the user's desktop projects/torbrowser/design/index.html.en 1584) resolution. In addition, to further reduce resolution-based fingerprinting, we projects/torbrowser/design/index.html.en 1585) are <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7256" target="_top">investigating projects/torbrowser/design/index.html.en 1586) zoom/viewport-based mechanisms</a> that might allow us to always report the projects/torbrowser/design/index.html.en 1587) same desktop resolution regardless of the actual size of the content window,
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1588) and simply scale to make up the difference. As an alternative to zoom-based projects/torbrowser/design/index.html.en 1589) solutions we are testing a projects/torbrowser/design/index.html.en 1590) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/14429" target="_top">different projects/torbrowser/design/index.html.en 1591) approach</a> in our alpha series that tries to round the browser window at projects/torbrowser/design/index.html.en 1592) all times to a multiple 200x100 pixels. Regardless which solution we finally projects/torbrowser/design/index.html.en 1593) pick, until it will be available the user should also be informed that projects/torbrowser/design/index.html.en 1594) maximizing their windows can lead to fingerprintability under the current scheme.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1595) projects/en/torbrowser/design/index.html.en 1596) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 1597)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1598) We automatically resize new browser windows to a 200x100 pixel multiple <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7b3e68bd7172d4f3feac11e74c65b06729a502b2" target="_top">based projects/torbrowser/design/index.html.en 1599) on desktop resolution</a> which is provided by a Firefox patch. To minimize projects/torbrowser/design/index.html.en 1600) the effect of the long tail of large monitor sizes, we also cap the window size projects/torbrowser/design/index.html.en 1601) at 1000 pixels in each direction. In addition to that we set projects/torbrowser/design/index.html.en 1602) <span class="command"><strong>privacy.resistFingerprinting</strong></span> projects/torbrowser/design/index.html.en 1603) to <span class="command"><strong>true</strong></span> to use the client content window size for projects/torbrowser/design/index.html.en 1604) window.screen, and to report a window.devicePixelRatio of 1.0. Similarly, projects/torbrowser/design/index.html.en 1605) we use that preference to return content window relative points for DOM events.
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1606)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1607) We also force popups to open in new tabs (via`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1608) <span class="command"><strong>browser.link.open_newwindow.restriction</strong></span>), to avoid projects/torbrowser/design/index.html.en 1609) full-screen popups inferring information about the browser resolution. In`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1610) addition, we prevent auto-maximizing on browser start, and inform users that projects/torbrowser/design/index.html.en 1611) maximized windows are detrimental to privacy in this mode.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1612)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1613) </p></li><li class="listitem"><span class="command"><strong>Display Media information</strong></span><p>`
Update design doc to descri... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1614)`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1615) Beyond simple resolution information, a large amount of so-called "Media"`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1616) information is also exported to content. Even without JavaScript, CSS has`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1617) access to a lot of information about the device orientation, system theme`
More fingerprinting clarifi... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1618) colors, and other desktop and display features that are not at all relevant to projects/torbrowser/design/index.html.en 1619) rendering and also user configurable. Most of this`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1620) information comes from <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries" target="_top">CSS projects/torbrowser/design/index.html.en 1621) Media Queries</a>, but Mozilla has exposed <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors" target="_top">several projects/torbrowser/design/index.html.en 1622) user and OS theme defined color values</a> to CSS as well.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1623) projects/torbrowser/design/index.html.en 1624) </p><p><span class="command"><strong>Design Goal:</strong></span>`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1625)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1626) A website MUST NOT be able infer anything that the user has configured about projects/torbrowser/design/index.html.en 1627) their computer. Additionally, it SHOULD NOT be able to infer machine-specific`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1628) details such as screen orientation or type.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1629) projects/torbrowser/design/index.html.en 1630) </p><p><span class="command"><strong>Implementation Status:</strong></span>`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1631)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1632) We set <span class="command"><strong>ui.use_standins_for_native_colors</strong></span> to <span class="command"><strong>true projects/torbrowser/design/index.html.en 1633) </strong></span> and provide a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=c6be9ba561a69250c7d5926d90e0112091453643" target="_top">Firefox patch</a> projects/torbrowser/design/index.html.en 1634) to report a fixed set of system colors to content window CSS, and prevent projects/torbrowser/design/index.html.en 1635) detection of font smoothing on macOS with the help of projects/torbrowser/design/index.html.en 1636) <span class="command"><strong>privacy.resistFingerprinting</strong></span>. We also always projects/torbrowser/design/index.html.en 1637) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=5a159c6bfa310b4339555de389ac16cf8e13b3f5" target="_top"> projects/torbrowser/design/index.html.en 1638) report landscape-primary</a> for the <a class="ulink" href="https://w3c.github.io/screen-orientation/" target="_top">screen orientation</a>.
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1639)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1640) </p></li><li class="listitem"><span class="command"><strong>WebGL</strong></span><p>`
Updates to fingerprinting s... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1641) projects/torbrowser/design/index.html.en 1642) WebGL is fingerprintable both through information that is exposed about the projects/torbrowser/design/index.html.en 1643) underlying driver and optimizations, as well as through performance projects/torbrowser/design/index.html.en 1644) fingerprinting. projects/torbrowser/design/index.html.en 1645) projects/torbrowser/design/index.html.en 1646) </p><p> projects/torbrowser/design/index.html.en 1647) projects/torbrowser/design/index.html.en 1648) Because of the large amount of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/" target="_top">previously unexposed projects/torbrowser/design/index.html.en 1649) vulnerability surface</a>, we deploy a similar strategy against WebGL as projects/torbrowser/design/index.html.en 1650) for plugins. First, WebGL Canvases have click-to-play placeholders (provided projects/torbrowser/design/index.html.en 1651) by NoScript), and do not run until authorized by the user. Second, we projects/torbrowser/design/index.html.en 1652) obfuscate driver information by setting the Firefox preferences
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1653) <span class="command"><strong>webgl.disable-extensions</strong></span>, projects/torbrowser/design/index.html.en 1654) <span class="command"><strong>webgl.min_capability_mode</strong></span>, and projects/torbrowser/design/index.html.en 1655) <span class="command"><strong>webgl.disable-fail-if-major-performance-caveat</strong></span> which reduce projects/torbrowser/design/index.html.en 1656) the information provided by the following WebGL API calls: projects/torbrowser/design/index.html.en 1657) <span class="command"><strong>getParameter()</strong></span>, <span class="command"><strong>getSupportedExtensions()</strong></span>, projects/torbrowser/design/index.html.en 1658) and <span class="command"><strong>getExtension()</strong></span>. To make the minimal WebGL mode usable we projects/torbrowser/design/index.html.en 1659) additionally <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7b0caa1224c3417754d688344eacc97fbbabf7d5" target="_top"> projects/torbrowser/design/index.html.en 1660) normalize its properties with a Firefox patch</a>.
Updates to fingerprinting s... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1661) projects/torbrowser/design/index.html.en 1662) </p><p> projects/torbrowser/design/index.html.en 1663) projects/torbrowser/design/index.html.en 1664) Another option for WebGL might be to use software-only rendering, using a projects/torbrowser/design/index.html.en 1665) library such as <a class="ulink" href="http://www.mesa3d.org/" target="_top">Mesa</a>. The use of projects/torbrowser/design/index.html.en 1666) such a library would avoid hardware-specific rendering differences. projects/torbrowser/design/index.html.en 1667)
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1668) </p></li><li class="listitem"><span class="command"><strong>MediaDevices API</strong></span><p> projects/torbrowser/design/index.html.en 1669) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices" target="_top"> projects/torbrowser/design/index.html.en 1670) MediaDevices API</a> provides access to connected media input devices like projects/torbrowser/design/index.html.en 1671) cameras and microphones, as well as screen sharing. In particular, it allows web projects/torbrowser/design/index.html.en 1672) content to easily enumerate those devices with <span class="command"><strong> projects/torbrowser/design/index.html.en 1673) MediaDevices.enumerateDevices()</strong></span>. This relies on WebRTC being compiled projects/torbrowser/design/index.html.en 1674) in which we currently don't do. Nevertheless, we disable this feature for now as projects/torbrowser/design/index.html.en 1675) a defense-in-depth by setting <span class="command"><strong>media.peerconnection.enabled</strong></span> and projects/torbrowser/design/index.html.en 1676) <span class="command"><strong>media.navigator.enabled</strong></span> to <span class="command"><strong>false</strong></span>. projects/torbrowser/design/index.html.en 1677) </p></li><li class="listitem"><span class="command"><strong>MIME Types</strong></span><p> projects/torbrowser/design/index.html.en 1678) projects/torbrowser/design/index.html.en 1679) Which MIME Types are registered with an operating system depends to a great deal projects/torbrowser/design/index.html.en 1680) on the application software and/or drivers a user chose to install. Web pages projects/torbrowser/design/index.html.en 1681) can not only estimate the amount of MIME types registered by checking projects/torbrowser/design/index.html.en 1682) <span class="command"><strong>navigator.mimetypes.length</strong></span>. Rather, they are even able to projects/torbrowser/design/index.html.en 1683) test whether particular MIME types are available which can have a non-negligible projects/torbrowser/design/index.html.en 1684) impact on a user's fingerprint. We prevent both of these information leaks with projects/torbrowser/design/index.html.en 1685) a direct <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=38999857761196b0b7f59f49ee93ae13f73c6149" target="_top">Firefox patch</a>. projects/torbrowser/design/index.html.en 1686) projects/torbrowser/design/index.html.en 1687) </p></li><li class="listitem"><span class="command"><strong>System Uptime</strong></span><p> projects/torbrowser/design/index.html.en 1688) projects/torbrowser/design/index.html.en 1689) It is possible to get the system uptime of a Tor Browser user by querying the projects/torbrowser/design/index.html.en 1690) <span class="command"><strong>Event.timestamp</strong></span> property. We avoid this by setting <span class="command"><strong> projects/torbrowser/design/index.html.en 1691) dom.event.highrestimestamp.enabled</strong></span> to <span class="command"><strong>true</strong></span>. projects/torbrowser/design/index.html.en 1692) projects/torbrowser/design/index.html.en 1693) </p></li><li class="listitem"><span class="command"><strong>Keyboard Layout Fingerprinting</strong></span><p> projects/torbrowser/design/index.html.en 1694) projects/torbrowser/design/index.html.en 1695) <span class="command"><strong>KeyboardEvent</strong></span>s provide a way for a website to find out projects/torbrowser/design/index.html.en 1696) information about the keyboard layout of its visitors. In fact there are <a class="ulink" href="https://developers.google.com/web/updates/2016/04/keyboardevent-keys-codes" target="_top"> projects/torbrowser/design/index.html.en 1697) several dimensions</a> to this fingerprinting vector. The <span class="command"><strong> projects/torbrowser/design/index.html.en 1698) KeyboardEvent.code</strong></span> property represents a physical key that can't be projects/torbrowser/design/index.html.en 1699) changed by the keyboard layout nor by the modifier state. On the other hand the projects/torbrowser/design/index.html.en 1700) <span class="command"><strong>KeyboardEvent.key</strong></span> property contains the character that is projects/torbrowser/design/index.html.en 1701) generated by that key. This is dependent on things like keyboard layout, locale projects/torbrowser/design/index.html.en 1702) and modifier keys. projects/torbrowser/design/index.html.en 1703) projects/torbrowser/design/index.html.en 1704) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 1705) projects/torbrowser/design/index.html.en 1706) Websites MUST NOT be able to infer any information about the keyboard of a Tor projects/torbrowser/design/index.html.en 1707) Browser user. projects/torbrowser/design/index.html.en 1708) projects/torbrowser/design/index.html.en 1709) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 1710) projects/torbrowser/design/index.html.en 1711) We provide <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a65b5269ff04e4fbbb3689e2adf853543804ffbf" target="_top">two</a> projects/torbrowser/design/index.html.en 1712) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=383b8e7e073ea79e70f19858efe1c5fde64b99cf" target="_top">Firefox patches</a> that projects/torbrowser/design/index.html.en 1713) take care of spoofing <span class="command"><strong>KeyboardEvent.code</strong></span> and <span class="command"><strong> projects/torbrowser/design/index.html.en 1714) KeyboardEvent.keyCode</strong></span> by providing consensus (US-English-style) fake projects/torbrowser/design/index.html.en 1715) properties. This is achieved by hiding the user's use of the numpad, and any projects/torbrowser/design/index.html.en 1716) non-QWERTY US English keyboard. Characters from non-en-US languages projects/torbrowser/design/index.html.en 1717) are currently returning an empty <span class="command"><strong>KeyboardEvent.code</strong></span> and a projects/torbrowser/design/index.html.en 1718) <span class="command"><strong>KeyboardEvent.keyCode</strong></span> of <span class="command"><strong>0</strong></span>. Moreover, projects/torbrowser/design/index.html.en 1719) neither <span class="command"><strong>Alt</strong></span> or <span class="command"><strong>Shift</strong></span>, or projects/torbrowser/design/index.html.en 1720) <span class="command"><strong>AltGr</strong></span> keyboard events are reported to content. projects/torbrowser/design/index.html.en 1721) </p></li><li class="listitem"><span class="command"><strong>User Agent and HTTP Headers</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Update design doc to descri... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1722)`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 1723) All Tor Browser users MUST provide websites with an identical user agent and projects/torbrowser/design/index.html.en 1724) HTTP header set for a given request type. We omit the Firefox minor revision, projects/torbrowser/design/index.html.en 1725) and report a popular Windows platform. If the software is kept up to date, projects/torbrowser/design/index.html.en 1726) these headers should remain identical across the population even when updated. projects/torbrowser/design/index.html.en 1727) projects/torbrowser/design/index.html.en 1728) </p><p><span class="command"><strong>Implementation Status:</strong></span>
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1729)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1730) Firefox provides several options for controlling the browser user agent string projects/torbrowser/design/index.html.en 1731) which we leverage. We also set similar prefs for controlling the projects/torbrowser/design/index.html.en 1732) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1733) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=848da9cdb2b7c09dc8ec335d687f535fc5c87a67" target="_top">remove`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1734) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1735) used</a> to fingerprint OS, platform, and Firefox minor version. </p></li><li class="listitem"><span class="command"><strong>Timing-based Side Channels</strong></span><p> projects/torbrowser/design/index.html.en 1736) Attacks based on timing side channels are nothing new in the browser context. projects/torbrowser/design/index.html.en 1737) <a class="ulink" href="http://sip.cs.princeton.edu/pub/webtiming.pdf" target="_top">Cache-based</a>, projects/torbrowser/design/index.html.en 1738) <a class="ulink" href="https://www.abortz.net/papers/timingweb.pdf" target="_top">cross-site timing</a>, projects/torbrowser/design/index.html.en 1739) and <a class="ulink" href="https://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf" target="_top"> projects/torbrowser/design/index.html.en 1740) pixel stealing</a>, to name just a few, got investigated in the past. projects/torbrowser/design/index.html.en 1741) While their fingerprinting potential varies all timing-based attacks have in projects/torbrowser/design/index.html.en 1742) common that they need sufficiently fine-grained clocks. projects/torbrowser/design/index.html.en 1743) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 1744) projects/torbrowser/design/index.html.en 1745) Websites MUST NOT be able to fingerprint a Tor Browser user by exploiting projects/torbrowser/design/index.html.en 1746) timing-based side channels. projects/torbrowser/design/index.html.en 1747) projects/torbrowser/design/index.html.en 1748) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 1749) projects/torbrowser/design/index.html.en 1750) The cleanest solution to timing-based side channels would be to get rid of them. projects/torbrowser/design/index.html.en 1751) However, this does not seem to be trivial even considering just a projects/torbrowser/design/index.html.en 1752) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=711043" target="_top">single</a> projects/torbrowser/design/index.html.en 1753) <a class="ulink" href="https://cseweb.ucsd.edu/~dkohlbre/papers/subnormal.pdf" target="_top">side channel</a>. projects/torbrowser/design/index.html.en 1754) Thus, we rely on disabling all possible timing sources or making them projects/torbrowser/design/index.html.en 1755) coarse-grained enough in order to render timing side channels unsuitable as a projects/torbrowser/design/index.html.en 1756) means for fingerprinting browser users. projects/torbrowser/design/index.html.en 1757) projects/torbrowser/design/index.html.en 1758) </p><p> projects/torbrowser/design/index.html.en 1759) projects/torbrowser/design/index.html.en 1760) We set <span class="command"><strong>dom.enable_user_timing</strong></span> and projects/torbrowser/design/index.html.en 1761) <span class="command"><strong>dom.enable_resource_timing</strong></span> to <span class="command"><strong>false</strong></span> to projects/torbrowser/design/index.html.en 1762) disable these explicit timing sources. Furthermore, we clamp the resolution of projects/torbrowser/design/index.html.en 1763) explicit clocks to 100ms <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=1febc98f7ae5dbec845567415bd5b703ee45d774" target="_top">with a Firefox patch</a>. projects/torbrowser/design/index.html.en 1764) projects/torbrowser/design/index.html.en 1765) This includes <span class="command"><strong>performance.now()</strong></span>, <span class="command"><strong>new Date().getTime() projects/torbrowser/design/index.html.en 1766) </strong></span>, <span class="command"><strong>audioContext.currentTime</strong></span>, <span class="command"><strong> projects/torbrowser/design/index.html.en 1767) canvasStream.currentTime</strong></span>, <span class="command"><strong>video.currentTime</strong></span>, projects/torbrowser/design/index.html.en 1768) <span class="command"><strong>audio.currentTime</strong></span>, <span class="command"><strong>new File([], "").lastModified projects/torbrowser/design/index.html.en 1769) </strong></span>, and <span class="command"><strong>new File([], "").lastModifiedDate.getTime()</strong></span>. projects/torbrowser/design/index.html.en 1770) projects/torbrowser/design/index.html.en 1771) </p><p> projects/torbrowser/design/index.html.en 1772) projects/torbrowser/design/index.html.en 1773) While clamping the clock resolution to 100ms is a step towards neutering the projects/torbrowser/design/index.html.en 1774) timing-based side channel fingerprinting, it is by no means sufficient. It turns projects/torbrowser/design/index.html.en 1775) out that it is possible to subvert our clamping of explicit clocks by using projects/torbrowser/design/index.html.en 1776) <a class="ulink" href="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kohlbrenner.pdf" target="_top"> projects/torbrowser/design/index.html.en 1777) implicit ones</a>, e.g. extrapolating the true time by running a busy loop projects/torbrowser/design/index.html.en 1778) with a predictable operation in it. We are tracking projects/torbrowser/design/index.html.en 1779) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/16110" target="_top">this problem projects/torbrowser/design/index.html.en 1780) </a> in our bug tracker and are working with the research community and projects/torbrowser/design/index.html.en 1781) Mozilla to develop and test a proper solution to this part of our defense projects/torbrowser/design/index.html.en 1782) against timing-based side channel fingerprinting risks. projects/torbrowser/design/index.html.en 1783) projects/torbrowser/design/index.html.en 1784) </p></li><li class="listitem"><span class="command"><strong>resource:// and chrome:// URIs Leaks</strong></span><p> projects/torbrowser/design/index.html.en 1785) Due to <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=863246" target="_top">bugs projects/torbrowser/design/index.html.en 1786) </a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1120398" target="_top"> projects/torbrowser/design/index.html.en 1787) in Firefox</a> it is possible to detect the locale and the platform of a projects/torbrowser/design/index.html.en 1788) Tor Browser user. Moreover, it is possible to find out the extensions a user has projects/torbrowser/design/index.html.en 1789) installed. This is done by including resource:// and/or chrome:// URIs into projects/torbrowser/design/index.html.en 1790) web content which point to resources included in Tor Browser itself or in projects/torbrowser/design/index.html.en 1791) installed extensions. projects/torbrowser/design/index.html.en 1792) </p><p> projects/torbrowser/design/index.html.en 1793) projects/torbrowser/design/index.html.en 1794) We believe that it should be impossible for web content to extract information projects/torbrowser/design/index.html.en 1795) out of a Tor Browser user by deploying resource:// and/or chrome:// URIs. Until projects/torbrowser/design/index.html.en 1796) this is fixed in Firefox <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/content-policy.js" target="_top"> projects/torbrowser/design/index.html.en 1797) we filter</a> resource:// and chrome:// requests done projects/torbrowser/design/index.html.en 1798) by web content denying them by default. We need a whitelist of resource:// and projects/torbrowser/design/index.html.en 1799) chrome:// URIs, though, to avoid breaking parts of Firefox. Those nearly a projects/torbrowser/design/index.html.en 1800) dozen Firefox resources do not aid in fingerprinting Tor Browser users as they projects/torbrowser/design/index.html.en 1801) are not different on the platforms and in the locales we support. projects/torbrowser/design/index.html.en 1802) projects/torbrowser/design/index.html.en 1803) </p></li><li class="listitem"><span class="command"><strong>Locale Fingerprinting</strong></span><p>
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1804) projects/torbrowser/design/index.html.en 1805) In Tor Browser, we provide non-English users the option of concealing their OS projects/torbrowser/design/index.html.en 1806) and browser locale from websites. It is debatable if this should be as high of`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1807) a priority as information specific to the user's computer, but for completeness, projects/torbrowser/design/index.html.en 1808) we attempt to maintain this property.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1809) projects/torbrowser/design/index.html.en 1810) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 1811) projects/torbrowser/design/index.html.en 1812) We set the fallback character set to set to windows-1252 for all locales, via`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1813) <span class="command"><strong>intl.charset.default</strong></span>. We also set projects/torbrowser/design/index.html.en 1814) <span class="command"><strong>javascript.use_us_english_locale</strong></span> to <span class="command"><strong>true</strong></span> projects/torbrowser/design/index.html.en 1815) to instruct the JS engine to use en-US as its internal C locale for all Date, projects/torbrowser/design/index.html.en 1816) Math, and exception handling. Additionally, we provide a patch to use an projects/torbrowser/design/index.html.en 1817) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=0080b2d6bafcbfb8a57f54a26e53d7f74d239389" target="_top"> projects/torbrowser/design/index.html.en 1818) en-US label for the <span class="command"><strong>isindex</strong></span> HTML element</a> instead of projects/torbrowser/design/index.html.en 1819) letting the label leak the browser's UI locale.
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1820) </p></li><li class="listitem"><span class="command"><strong>Timezone and Clock Offset</strong></span><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1821) projects/torbrowser/design/index.html.en 1822) While the latency in Tor connections varies anywhere from milliseconds to`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1823) a few seconds, it is still possible for the remote site to detect large`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1824) differences between the user's clock and an official reference time source.`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1825)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1826) </p><p><span class="command"><strong>Design Goal:</strong></span>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1827)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1828) All Tor Browser users MUST report the same timezone to websites. Currently, we projects/torbrowser/design/index.html.en 1829) choose UTC for this purpose, although an equally valid argument could be made projects/torbrowser/design/index.html.en 1830) for EDT/EST due to the large English-speaking population density (coupled with`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1831) the fact that we spoof a US English user agent). Additionally, the Tor`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1832) software should detect if the users clock is significantly divergent from the projects/torbrowser/design/index.html.en 1833) clocks of the relays that it connects to, and use this to reset the clock`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1834) values used in Tor Browser to something reasonably accurate. Alternatively, projects/torbrowser/design/index.html.en 1835) the browser can obtain this clock skew via a mechanism similar to that used in`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1836) <a class="ulink" href="https://github.com/ioerror/tlsdate" target="_top">tlsdate</a>.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1837) projects/en/torbrowser/design/index.html.en 1838) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 1839)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1840) We <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=0ee3aa4cbeb1be3301d8960d0cf3a64831ea6d1b" target="_top"> projects/torbrowser/design/index.html.en 1841) set the timezone to UTC</a> with a Firefox patch using the TZ environment projects/torbrowser/design/index.html.en 1842) variable, which is supported on all platforms. Moreover, with an additional projects/torbrowser/design/index.html.en 1843) patch just needed for the Windows platform, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=bdd0303a78347d17250950a4cf858de556afb1c7" target="_top"> projects/torbrowser/design/index.html.en 1844) we make sure</a> the TZ environment variable is respected by the projects/torbrowser/design/index.html.en 1845) <a class="ulink" href="http://site.icu-project.org/" target="_top">ICU library</a> as well.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1846)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1847) </p></li><li class="listitem"><span class="command"><strong>JavaScript Performance Fingerprinting</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1848)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1849) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">JavaScript performance`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1850) fingerprinting</a> is the act of profiling the performance`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1851) of various JavaScript functions for the purpose of fingerprinting the projects/torbrowser/design/index.html.en 1852) JavaScript engine and the CPU.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1853) projects/en/torbrowser/design/index.html.en 1854) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 1855)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1856) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1857) mitigation approaches</a> to reduce the accuracy of performance projects/en/torbrowser/design/index.html.en 1858) fingerprinting without risking too much damage to functionality. Our current`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1859) favorite is to reduce the resolution of the Event.timeStamp and the JavaScript projects/torbrowser/design/index.html.en 1860) Date() object, while also introducing jitter. We believe that JavaScript time`
Updates to fingerprinting s... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1861) resolution may be reduced all the way up to the second before it seriously projects/torbrowser/design/index.html.en 1862) impacts site operation. Our goal with this quantization is to increase the projects/torbrowser/design/index.html.en 1863) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found projects/torbrowser/design/index.html.en 1864) that even with the default precision in most browsers, they required up to 120
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1865) seconds of amortization and repeated trials to get stable results from their projects/en/torbrowser/design/index.html.en 1866) feature set. We intend to work with the research community to establish the`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1867) optimum trade-off between quantization+jitter and amortization time, as well`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1868) as identify highly variable JavaScript operations. As long as these attacks`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1869) take several seconds or more to execute, they are unlikely to be appealing to projects/torbrowser/design/index.html.en 1870) advertisers, and are also very likely to be noticed if deployed against a projects/torbrowser/design/index.html.en 1871) large number of people.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1872) projects/en/torbrowser/design/index.html.en 1873) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 1874)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1875) Currently, our mitigation against performance fingerprinting is to`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1876) disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/" target="_top">Navigation`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1877) Timing</a> through the Firefox preference`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1878) <span class="command"><strong>dom.enable_performance</strong></span>, and to disable the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties" target="_top">Mozilla projects/torbrowser/design/index.html.en 1879) Video Statistics</a> API extensions via the preference projects/torbrowser/design/index.html.en 1880) <span class="command"><strong>media.video_stats.enabled</strong></span>.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1881)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1882) </p></li><li class="listitem"><span class="command"><strong>Keystroke Fingerprinting</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1883) projects/en/torbrowser/design/index.html.en 1884) Keystroke fingerprinting is the act of measuring key strike time and key projects/en/torbrowser/design/index.html.en 1885) flight time. It is seeing increasing use as a biometric. projects/en/torbrowser/design/index.html.en 1886) projects/en/torbrowser/design/index.html.en 1887) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 1888)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1889) We intend to rely on the same mechanisms for defeating JavaScript performance`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1890) fingerprinting: timestamp quantization and jitter. projects/en/torbrowser/design/index.html.en 1891) projects/en/torbrowser/design/index.html.en 1892) </p><p><span class="command"><strong>Implementation Status:</strong></span>`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 1893) projects/torbrowser/design/index.html.en 1894) We clamp keyboard event resolution to 100ms with a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=1febc98f7ae5dbec845567415bd5b703ee45d774" target="_top">Firefox patch</a>. projects/torbrowser/design/index.html.en 1895) projects/torbrowser/design/index.html.en 1896) </p></li><li class="listitem"><span class="command"><strong>Connection State</strong></span><p> projects/torbrowser/design/index.html.en 1897) projects/torbrowser/design/index.html.en 1898) It is possible to monitor the connection state of a browser over time with projects/torbrowser/design/index.html.en 1899) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine" target="_top"> projects/torbrowser/design/index.html.en 1900) navigator.onLine</a>. We prevent this by setting <span class="command"><strong> projects/torbrowser/design/index.html.en 1901) network.manage-offline-status</strong></span> to <span class="command"><strong>false</strong></span>. projects/torbrowser/design/index.html.en 1902) projects/torbrowser/design/index.html.en 1903) </p></li><li class="listitem"><span class="command"><strong>Reader View</strong></span><p> projects/torbrowser/design/index.html.en 1904) projects/torbrowser/design/index.html.en 1905) <a class="ulink" href="https://support.mozilla.org/t5/Basic-Browsing/Firefox-Reader-View-for-clutter-free-web-pages/ta-p/38466" target="_top">Reader View</a> projects/torbrowser/design/index.html.en 1906) is a Firefox feature to view web pages clutter-free and easily adjusted to projects/torbrowser/design/index.html.en 1907) own needs and preferences. To avoid fingerprintability risks we make Tor Browser projects/torbrowser/design/index.html.en 1908) users uniform by setting <span class="command"><strong>reader.parse-on-load.enabled</strong></span> to projects/torbrowser/design/index.html.en 1909) <span class="command"><strong>false</strong></span> and <span class="command"><strong>browser.reader.detectedFirstArticle</strong></span> projects/torbrowser/design/index.html.en 1910) to <span class="command"><strong>true</strong></span>. projects/torbrowser/design/index.html.en 1911) projects/torbrowser/design/index.html.en 1912) </p></li><li class="listitem"><span class="command"><strong>Contacting Mozilla Services</strong></span><p> projects/torbrowser/design/index.html.en 1913) projects/torbrowser/design/index.html.en 1914) Tor Browser is based on Firefox which is a Mozilla product. Quite naturally, projects/torbrowser/design/index.html.en 1915) Mozilla is interested in making users aware of new features and in gathering projects/torbrowser/design/index.html.en 1916) information to learn about the most pressing needs Firefox users are facing. projects/torbrowser/design/index.html.en 1917) This is often implemented by contacting Mozilla services, be it for displaying projects/torbrowser/design/index.html.en 1918) further information about a new feature or by projects/torbrowser/design/index.html.en 1919) <a class="ulink" href="https://wiki.mozilla.org/Telemetry" target="_top">sending (aggregated) data back projects/torbrowser/design/index.html.en 1920) for analysis</a>. While some of those mechanisms are disabled by default on projects/torbrowser/design/index.html.en 1921) release channels (gathering telemetry data comes to mind) others are not. We projects/torbrowser/design/index.html.en 1922) make sure that non of those Mozilla services is contacted to avoid possible projects/torbrowser/design/index.html.en 1923) fingerprinting risks. projects/torbrowser/design/index.html.en 1924) projects/torbrowser/design/index.html.en 1925) </p><p> projects/torbrowser/design/index.html.en 1926) projects/torbrowser/design/index.html.en 1927) In particular, we disable GeoIP-based search results by setting <span class="command"><strong> projects/torbrowser/design/index.html.en 1928) browser.search.countryCode</strong></span> and <span class="command"><strong>browser.search.region projects/torbrowser/design/index.html.en 1929) </strong></span> to <span class="command"><strong>US</strong></span> and <span class="command"><strong>browser.search.geoip.url projects/torbrowser/design/index.html.en 1930) </strong></span> to the empty string. Furthermore, we disable Selfsupport and Unified projects/torbrowser/design/index.html.en 1931) Telemetry by setting <span class="command"><strong>browser.selfsupport.enabled</strong></span> and <span class="command"><strong> projects/torbrowser/design/index.html.en 1932) toolkit.telemetry.unified</strong></span> to <span class="command"><strong>false</strong></span> and we make projects/torbrowser/design/index.html.en 1933) sure no related ping is reaching Mozilla by setting <span class="command"><strong> projects/torbrowser/design/index.html.en 1934) datareporting.healthreport.about.reportUrlUnified</strong></span> to <span class="command"><strong> projects/torbrowser/design/index.html.en 1935) data:text/plain,</strong></span>. The same is done with <span class="command"><strong> projects/torbrowser/design/index.html.en 1936) datareporting.healthreport.about.reportUrl</strong></span> and the new tiles feature projects/torbrowser/design/index.html.en 1937) related <span class="command"><strong>browser.newtabpage.directory.ping</strong></span> and <span class="command"><strong> projects/torbrowser/design/index.html.en 1938) browser.newtabpage.directory.source</strong></span> preferences. Additionally, we projects/torbrowser/design/index.html.en 1939) disable the UITour backend by setting <span class="command"><strong>browser.uitour.enabled</strong></span> projects/torbrowser/design/index.html.en 1940) to <span class="command"><strong>false</strong></span>. projects/torbrowser/design/index.html.en 1941) </p></li><li class="listitem"><span class="command"><strong>Operating System Type Fingerprinting</strong></span><p>
Describe OS type fingerprin... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1942) projects/torbrowser/design/index.html.en 1943) As we mentioned in the introduction of this section, OS type fingerprinting is projects/torbrowser/design/index.html.en 1944) currently considered a lower priority, due simply to the numerous ways that`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1945) characteristics of the operating system type may leak into content, and the`
Describe OS type fingerprin... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1946) comparatively low contribution of OS to overall entropy. In particular, there projects/torbrowser/design/index.html.en 1947) are likely to be many ways to measure the differences in widget size, projects/torbrowser/design/index.html.en 1948) scrollbar size, and other rendered details on a page. Also, directly exported`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1949) OS routines (such as those from the standard C math library) expose projects/torbrowser/design/index.html.en 1950) differences in their implementations through their return values.`
Describe OS type fingerprin... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1951) projects/torbrowser/design/index.html.en 1952) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 1953) projects/torbrowser/design/index.html.en 1954) We intend to reduce or eliminate OS type fingerprinting to the best extent projects/torbrowser/design/index.html.en 1955) possible, but recognize that the effort for reward on this item is not as high projects/torbrowser/design/index.html.en 1956) as other areas. The entropy on the current OS distribution is somewhere around projects/torbrowser/design/index.html.en 1957) 2 bits, which is much lower than other vectors which can also be used to
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1958) fingerprint configuration and user-specific information. You can see the projects/torbrowser/design/index.html.en 1959) major areas of OS fingerprinting we're aware of using the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-os" target="_top">tbb-fingerprinting-os projects/torbrowser/design/index.html.en 1960) tag on our bug tracker</a>.`
Describe OS type fingerprin... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1961) projects/torbrowser/design/index.html.en 1962) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 1963)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 1964) At least three HTML5 features have different implementation status across the projects/torbrowser/design/index.html.en 1965) major OS vendors and/or the underlying hardware: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery projects/torbrowser/design/index.html.en 1966) API</a>, the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network projects/torbrowser/design/index.html.en 1967) Connection API</a>, and the <a class="ulink" href="https://wiki.mozilla.org/Sensor_API" target="_top">Sensor API</a>. We disable these APIs through the Firefox preferences projects/torbrowser/design/index.html.en 1968) <span class="command"><strong>dom.battery.enabled</strong></span>, projects/torbrowser/design/index.html.en 1969) <span class="command"><strong>dom.network.enabled</strong></span>, and
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1970) <span class="command"><strong>device.sensors.enabled</strong></span>.`
Describe OS type fingerprin... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1971)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1972) </p></li></ol></div><p>`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1973) For more details on fingerprinting bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=!closed" target="_top">tbb-fingerprinting tag in our bug tracker</a>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 1974) </p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1975)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1976) In order to avoid long-term linkability, we provide a "New Identity" context projects/torbrowser/design/index.html.en 1977) menu option in Torbutton. This context menu option is active if Torbutton can projects/torbrowser/design/index.html.en 1978) read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1979)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1980) </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm914"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1981)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1982) All linkable identifiers and browser state MUST be cleared by this feature.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1983)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1984) </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm917"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1985)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1986) First, Torbutton disables JavaScript in all open tabs and windows by using projects/torbrowser/design/index.html.en 1987) both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavaScript</a>`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 1988) attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29" target="_top">nsIDOMWindowUtil.suppressEventHandling()</a>. projects/torbrowser/design/index.html.en 1989) We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29" target="_top">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1990) We then clear the site-specific Zoom by temporarily disabling the preference`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1991) <span class="command"><strong>browser.zoom.siteSpecific</strong></span>, and clear the GeoIP wifi token URL`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1992) <span class="command"><strong>geo.wifi.access_token</strong></span> and the last opened URL preference (if projects/torbrowser/design/index.html.en 1993) it exists). Each tab is then closed.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1994)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1995) </p><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1996)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 1997) After closing all tabs, we then clear the searchbox and findbox text and emit projects/torbrowser/design/index.html.en 1998) "<a class="ulink" href="https://developer.mozilla.org/en-US/docs/Supporting_private_browsing_mode#Private_browsing_notifications" target="_top">browser:purge-session-history</a>"`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 1999) (which instructs addons and various Firefox components to clear their session`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2000) state). Then we manually clear the following state: HTTP auth, SSL state, projects/torbrowser/design/index.html.en 2001) crypto tokens, OCSP state, site-specific content preferences (including HSTS projects/torbrowser/design/index.html.en 2002) state), the undo tab history, content and image cache, offline and memory cache, projects/torbrowser/design/index.html.en 2003) offline storage, cookies, DOM storage, the safe browsing key, the projects/torbrowser/design/index.html.en 2004) Google wifi geolocation token (if it exists), and the domain isolator state. We projects/torbrowser/design/index.html.en 2005) also clear NoScript's site and temporary permissions, and all other browser site projects/torbrowser/design/index.html.en 2006) permissions.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 2007)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2008) </p><p>`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 2009)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2010) After the state is cleared, we then close all remaining HTTP keep-alive projects/torbrowser/design/index.html.en 2011) connections and then send the NEWNYM signal to the Tor control port to cause a projects/torbrowser/design/index.html.en 2012) new circuit to be created. projects/torbrowser/design/index.html.en 2013) </p><p>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2014)`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2015) Finally, a fresh browser window is opened, and the current browser window is`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2016) closed (this does not spawn a new Firefox process, only a new window). Upon projects/torbrowser/design/index.html.en 2017) the close of the final window, an unload handler is fired to invoke the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDOMWindowUtils#garbageCollect%28%29" target="_top">garbage projects/torbrowser/design/index.html.en 2018) collector</a>, which has the effect of immediately purging any blob:UUID projects/torbrowser/design/index.html.en 2019) URLs that were created by website content via <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>. projects/torbrowser/design/index.html.en 2020)
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2021) </p></blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="other-security"></a>4.8. Other Security Measures</h3></div></div></div><p>`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2022) projects/torbrowser/design/index.html.en 2023) In addition to the above mechanisms that are devoted to preserving privacy projects/torbrowser/design/index.html.en 2024) while browsing, we also have a number of technical mechanisms to address other projects/torbrowser/design/index.html.en 2025) privacy and security issues. projects/torbrowser/design/index.html.en 2026)`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2027) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="security-slider"></a><span class="command"><strong>Security Slider</strong></span><p> projects/torbrowser/design/index.html.en 2028) In order to provide vulnerability surface reduction for users that need high`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2029) security, we have implemented a "Security Slider" to allow users to make a projects/torbrowser/design/index.html.en 2030) tradeoff between usability and security while minimizing the total number of projects/torbrowser/design/index.html.en 2031) choices (to reduce fingerprinting). Using metrics collected from projects/torbrowser/design/index.html.en 2032) Mozilla's bug tracker, we analyzed the vulnerability counts of core projects/torbrowser/design/index.html.en 2033) components, and used <a class="ulink" href="https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle" target="_top">information
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2034) gathered from a study performed by iSec Partners</a> to inform which projects/torbrowser/design/index.html.en 2035) features should be disabled at which security levels. projects/torbrowser/design/index.html.en 2036) projects/torbrowser/design/index.html.en 2037) </p><p> projects/torbrowser/design/index.html.en 2038)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2039) The Security Slider consists of three positions:`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2040)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2041) </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><span class="command"><strong>Low (default)</strong></span><p>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2042)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2043) At this security level, the preferences are the Tor Browser defaults. This projects/torbrowser/design/index.html.en 2044) includes three features that were formerly governed by the slider at projects/torbrowser/design/index.html.en 2045) higher security levels: <span class="command"><strong>gfx.font_rendering.graphite.enabled</strong></span> projects/torbrowser/design/index.html.en 2046) is set to <span class="command"><strong>false</strong></span> now after Mozilla got convinced that projects/torbrowser/design/index.html.en 2047) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1255731" target="_top">leaving projects/torbrowser/design/index.html.en 2048) it enabled is too risky</a>. <span class="command"><strong>network.jar.block-remote-files</strong></span> projects/torbrowser/design/index.html.en 2049) is set to <span class="command"><strong>true</strong></span>. Mozilla tried to block remote JAR files in projects/torbrowser/design/index.html.en 2050) Firefox 45 but needed to revert that decision due to breaking IBM's iNotes. projects/torbrowser/design/index.html.en 2051) While Mozilla <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1329336" target="_top"> projects/torbrowser/design/index.html.en 2052) is working on getting this disabled again</a> we take the protective stance projects/torbrowser/design/index.html.en 2053) already now and block remote JAR files even on the low security level. Finally, projects/torbrowser/design/index.html.en 2054) we exempt asm.js from the security slider and block it on all levels. See the projects/torbrowser/design/index.html.en 2055) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> and the cache linkability projects/torbrowser/design/index.html.en 2056) concerns in the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier projects/torbrowser/design/index.html.en 2057) Unlinkability</a> sections for further details.
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2058)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2059) </p></li><li class="listitem"><span class="command"><strong>Medium</strong></span><p>`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2060) projects/torbrowser/design/index.html.en 2061) At this security level, we disable the ION JIT projects/torbrowser/design/index.html.en 2062) (<span class="command"><strong>javascript.options.ion.content</strong></span>), TypeInference JIT`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2063) (<span class="command"><strong>javascript.options.typeinference</strong></span>), Baseline JIT projects/torbrowser/design/index.html.en 2064) (<span class="command"><strong>javascript.options.baselinejit.content</strong></span>), WebAudio`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2065) (<span class="command"><strong>media.webaudio.enabled</strong></span>), MathML`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2066) (<span class="command"><strong>mathml.disabled</strong></span>), SVG Opentype font rendering projects/torbrowser/design/index.html.en 2067) (<span class="command"><strong>gfx.font_rendering.opentype_svg.enabled</strong></span>), and make HTML5 audio projects/torbrowser/design/index.html.en 2068) and video click-to-play via NoScript (<span class="command"><strong>noscript.forbidMedia</strong></span>). projects/torbrowser/design/index.html.en 2069) Furthermore, we only allow JavaScript to run if it is loaded over HTTPS and the projects/torbrowser/design/index.html.en 2070) URL bar is HTTPS (by setting <span class="command"><strong>noscript.global</strong></span> to false and
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2071) <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span> to true). projects/torbrowser/design/index.html.en 2072) projects/torbrowser/design/index.html.en 2073) </p></li><li class="listitem"><span class="command"><strong>High</strong></span><p> projects/torbrowser/design/index.html.en 2074)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2075) This security level inherits the preferences from the Medium level, and projects/torbrowser/design/index.html.en 2076) additionally disables remote fonts (<span class="command"><strong>noscript.forbidFonts</strong></span>), projects/torbrowser/design/index.html.en 2077) completely disables JavaScript (by`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2078) unsetting <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span>), and disables SVG projects/torbrowser/design/index.html.en 2079) images (<span class="command"><strong>svg.in-content.enabled</strong></span>). projects/torbrowser/design/index.html.en 2080) projects/torbrowser/design/index.html.en 2081) </p></li></ul></div></li><li class="listitem"><a id="traffic-fingerprinting-defenses"></a><span class="command"><strong>Website Traffic Fingerprinting Defenses</strong></span><p>
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2082) projects/torbrowser/design/index.html.en 2083) <a class="link" href="#website-traffic-fingerprinting">Website Traffic projects/torbrowser/design/index.html.en 2084) Fingerprinting</a> is a statistical attack to attempt to recognize specific projects/torbrowser/design/index.html.en 2085) encrypted website activity. projects/torbrowser/design/index.html.en 2086)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2087) </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm975"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2088)`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2089) We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2090) for classification. This mechanism would either impact the true and false`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2091) positive accuracy rates, <span class="emphasis"><em>or</em></span> reduce the number of web pages`
Update TBB design doc based... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 2092) that could be classified at a given accuracy rate. projects/torbrowser/design/index.html.en 2093) projects/torbrowser/design/index.html.en 2094) </p><p> projects/torbrowser/design/index.html.en 2095) projects/torbrowser/design/index.html.en 2096) Ideally, this mechanism would be as light-weight as possible, and would be projects/torbrowser/design/index.html.en 2097) tunable in terms of overhead. We suspect that it may even be possible to projects/torbrowser/design/index.html.en 2098) deploy a mechanism that reduces feature extraction resolution without any projects/torbrowser/design/index.html.en 2099) network overhead. In the no-overhead category, we have <a class="ulink" href="http://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf" target="_top">HTTPOS</a> and projects/torbrowser/design/index.html.en 2100) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">better
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2101) use of HTTP pipelining and/or SPDY</a>.`
TBB Design Doc: Mention use... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2102) In the tunable/low-overhead`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2103) category, we have <a class="ulink" href="https://arxiv.org/abs/1512.00524" target="_top">Adaptive`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2104) Padding</a> and <a class="ulink" href="http://www.cs.sunysb.edu/~xcai/fp.pdf" target="_top"> projects/torbrowser/design/index.html.en 2105) Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7028" target="_top">tune such projects/torbrowser/design/index.html.en 2106) defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2107) network, making them also effectively no-overhead.`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2108)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2109) </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm987"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> projects/torbrowser/design/index.html.en 2110) Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=60f9e7f73f3dba5542f7fbe882f7c804cb8ecc18" target="_top">randomize
Update TBB design doc based... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 2111) pipeline order and depth</a>. Unfortunately, pipelining is very fragile. projects/torbrowser/design/index.html.en 2112) Many sites do not support it, and even sites that advertise support for projects/torbrowser/design/index.html.en 2113) pipelining may simply return error codes for successive requests, effectively projects/torbrowser/design/index.html.en 2114) forcing the browser into non-pipelined behavior. Firefox also has code to back projects/torbrowser/design/index.html.en 2115) off and reduce or eliminate the pipeline if this happens. These projects/torbrowser/design/index.html.en 2116) shortcomings and fallback behaviors are the primary reason that Google
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2117) developed SPDY as opposed to simply extending HTTP to improve pipelining. It`
TBB Design Doc: Mention use... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2118) turns out that we could actually deploy exit-side proxies that allow us to`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2119) <a class="ulink" href="https://gitweb.torproject.org/torspec.git/tree/proposals/ideas/xxx-using-spdy.txt" target="_top">use`
TBB Design Doc: Mention use... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2120) SPDY from the client to the exit node</a>. This would make our defense not projects/torbrowser/design/index.html.en 2121) only free, but one that actually <span class="emphasis"><em>improves</em></span> performance.`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2122) projects/torbrowser/design/index.html.en 2123) </p><p> projects/torbrowser/design/index.html.en 2124)`
TBB design doc: Clarify web... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2125) Knowing this, we created this defense as an <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2126) research prototype</a> to help evaluate what could be done in the best`
TBB design doc: Clarify web... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 2127) case with full server support. Unfortunately, the bias in favor of compelling projects/torbrowser/design/index.html.en 2128) attack papers has caused academia to ignore this request thus far, instead projects/torbrowser/design/index.html.en 2129) publishing only cursory (yet "devastating") evaluations that fail to provide projects/torbrowser/design/index.html.en 2130) even simple statistics such as the rates of actual pipeline utilization during projects/torbrowser/design/index.html.en 2131) their evaluations, in addition to the other shortcomings and shortcuts <a class="link" href="#website-traffic-fingerprinting">mentioned earlier</a>. We can projects/torbrowser/design/index.html.en 2132) accept that our defense might fail to work as well as others (in fact we projects/torbrowser/design/index.html.en 2133) expect it), but unfortunately the very same shortcuts that provide excellent projects/torbrowser/design/index.html.en 2134) attack results also allow the conclusion that all defenses are broken forever. projects/torbrowser/design/index.html.en 2135) So sadly, we are still left in the dark on this point.
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2136) projects/torbrowser/design/index.html.en 2137) </p></blockquote></div></div></li><li class="listitem"><span class="command"><strong>Privacy-preserving update notification</strong></span><p> projects/torbrowser/design/index.html.en 2138) projects/torbrowser/design/index.html.en 2139) In order to inform the user when their Tor Browser is out of date, we perform a`
TBB design doc: Clarify web... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2140) privacy-preserving update check asynchronously in the background. The`
Update TBB design doc based... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 2141) check uses Tor to download the file <a class="ulink" href="https://check.torproject.org/RecommendedTBBVersions" target="_top">https://check.torproject.org/RecommendedTBBVersions</a> projects/torbrowser/design/index.html.en 2142) and searches that version list for the current value for the local preference projects/torbrowser/design/index.html.en 2143) <span class="command"><strong>torbrowser.version</strong></span>. If the value from our preference is projects/torbrowser/design/index.html.en 2144) present in the recommended version list, the check is considered to have projects/torbrowser/design/index.html.en 2145) succeeded and the user is up to date. If not, it is considered to have failed projects/torbrowser/design/index.html.en 2146) and an update is needed. The check is triggered upon browser launch, new projects/torbrowser/design/index.html.en 2147) window, and new tab, but is rate limited so as to happen no more frequently projects/torbrowser/design/index.html.en 2148) than once every 1.5 hours. projects/torbrowser/design/index.html.en 2149) projects/torbrowser/design/index.html.en 2150) </p><p> projects/torbrowser/design/index.html.en 2151) projects/torbrowser/design/index.html.en 2152) If the check fails, we cache this fact, and update the Torbutton graphic to projects/torbrowser/design/index.html.en 2153) display a flashing warning icon and insert a menu option that provides a link projects/torbrowser/design/index.html.en 2154) to our download page. Additionally, we reset the value for the browser projects/torbrowser/design/index.html.en 2155) homepage to point to a <a class="ulink" href="https://check.torproject.org/?lang=en-US&small=1&uptodate=0" target="_top">page that projects/torbrowser/design/index.html.en 2156) informs the user</a> that their browser is out of projects/torbrowser/design/index.html.en 2157) date. projects/torbrowser/design/index.html.en 2158)
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2159) </p><p> projects/torbrowser/design/index.html.en 2160)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2161) We also make use of the in-browser Mozilla updater, and have <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a5a23f5d316a850f11063ead15353d677c9153fd" target="_top">patched`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2162) the updater</a> to avoid sending OS and Kernel version information as part projects/torbrowser/design/index.html.en 2163) of its update pings. projects/torbrowser/design/index.html.en 2164)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2165) </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="BuildSecurity"></a>5. Build Security and Package Integrity</h2></div></div></div><p>`
Update TBB design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 2166)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2167) In the age of state-sponsored malware, <a class="ulink" href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise" target="_top">we projects/torbrowser/design/index.html.en 2168) believe</a> it is impossible to expect to keep a single build machine or projects/torbrowser/design/index.html.en 2169) software signing key secure, given the class of adversaries that Tor has to projects/torbrowser/design/index.html.en 2170) contend with. For this reason, we have deployed a build system projects/torbrowser/design/index.html.en 2171) that allows anyone to use our source code to reproduce byte-for-byte identical projects/torbrowser/design/index.html.en 2172) binary packages to the ones that we distribute.
Update TBB design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 2173)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2174) </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1010"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>`
Update TBB design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 2175)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2176) The GNU toolchain has been working on providing reproducible builds for some projects/torbrowser/design/index.html.en 2177) time, however a large software project such as Firefox typically ends up projects/torbrowser/design/index.html.en 2178) embedding a large number of details about the machine it was built on, both projects/torbrowser/design/index.html.en 2179) intentionally and inadvertently. Additionally, manual changes to the build projects/torbrowser/design/index.html.en 2180) machine configuration can accumulate over time and are difficult for others to
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2181) replicate externally, which leads to difficulties with binary reproducibility.`
Update TBB design doc. Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 2182)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2183) </p><p>`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2184) For this reason, we decided to leverage the work done by the <a class="ulink" href="https://gitian.org/" target="_top">Gitian Project</a> from the Bitcoin community.`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2185) Gitian is a wrapper around Ubuntu's virtualization tools that allows you to`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2186) specify an Ubuntu or Debian version, architecture, a set of additional packages, projects/torbrowser/design/index.html.en 2187) a set of input files, and a bash build scriptlet in an YAML document called a`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2188) "Gitian Descriptor". This document is used to install a qemu-kvm image, and projects/torbrowser/design/index.html.en 2189) execute your build scriptlet inside it. projects/torbrowser/design/index.html.en 2190) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2191)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2192) We have created a <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/refs/heads/master" target="_top">set projects/torbrowser/design/index.html.en 2193) of wrapper scripts</a> around Gitian to automate dependency download and projects/torbrowser/design/index.html.en 2194) authentication, as well as transfer intermediate build outputs between the`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2195) stages of the build process. Because Gitian creates a Linux build environment, projects/torbrowser/design/index.html.en 2196) we must use cross-compilation to create packages for Windows and macOS. For projects/torbrowser/design/index.html.en 2197) Windows, we use mingw-w64 as our cross compiler. For macOS, we use cctools and projects/torbrowser/design/index.html.en 2198) clang and a binary redistribution of the Mac OS 10.7 SDK.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2199)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2200) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2201)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2202) The use of the Gitian system eliminates build non-determinism by normalizing projects/torbrowser/design/index.html.en 2203) the build environment's hostname, username, build path, uname output, projects/torbrowser/design/index.html.en 2204) toolchain versions, and time. On top of what Gitian provides, we also had to projects/torbrowser/design/index.html.en 2205) address the following additional sources of non-determinism:`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2206)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2207) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Filesystem and archive reordering</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2208)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2209) The most prevalent source of non-determinism in the components of Tor Browser projects/torbrowser/design/index.html.en 2210) by far was various ways that archives (such as zip, tar, jar/ja, DMG, and projects/torbrowser/design/index.html.en 2211) Firefox manifest lists) could be reordered. Many file archivers walk the`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2212) file system in inode structure order by default, which will result in ordering`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2213) differences between two different archive invocations, especially on machines projects/torbrowser/design/index.html.en 2214) of different disk and hardware configurations.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2215)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2216) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2217)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2218) The fix for this is to perform an additional sorting step on the input list projects/torbrowser/design/index.html.en 2219) for archives, but care must be taken to instruct libc and other sorting routines projects/torbrowser/design/index.html.en 2220) to use a fixed locale to determine lexicographic ordering, or machines with projects/torbrowser/design/index.html.en 2221) different locale settings will produce different sort results. We chose the`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2222) 'C' locale for this purpose. We created wrapper scripts for <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dtar.sh" target="_top">tar</a>, projects/torbrowser/design/index.html.en 2223) <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dzip.sh" target="_top">zip</a>, projects/torbrowser/design/index.html.en 2224) and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/ddmg.sh" target="_top">DMG</a>
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2225) to aid in reproducible archive creation. projects/torbrowser/design/index.html.en 2226)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2227) </p></li><li class="listitem"><span class="command"><strong>Uninitialized memory in toolchain/archivers</strong></span><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2228) projects/torbrowser/design/index.html.en 2229) We ran into difficulties with both binutils and the DMG archive script using projects/torbrowser/design/index.html.en 2230) uninitialized memory in certain data structures that ended up written to disk. projects/torbrowser/design/index.html.en 2231) Our binutils fixes were merged upstream, but the DMG archive fix remains an`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2232) <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/patches/libdmg.patch" target="_top">independent`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2233) patch</a>. projects/torbrowser/design/index.html.en 2234)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2235) </p></li><li class="listitem"><span class="command"><strong>Fine-grained timestamps and timezone leaks</strong></span><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2236) projects/torbrowser/design/index.html.en 2237) The standard way of controlling timestamps in Gitian is to use libfaketime, projects/torbrowser/design/index.html.en 2238) which hooks time-related library calls to provide a fixed timestamp. However,`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2239) due to our use of wine to run py2exe for python-based pluggable transports,`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2240) pyc timestamps had to be addressed with an additional <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/pyc-timestamp.sh" target="_top">helper`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2241) script</a>. The timezone leaks were addressed by setting the projects/torbrowser/design/index.html.en 2242) <span class="command"><strong>TZ</strong></span> environment variable to UTC in our descriptors.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2243)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2244) </p></li><li class="listitem"><span class="command"><strong>Deliberately generated entropy</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2245)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2246) In two circumstances, deliberately generated entropy was introduced in various projects/torbrowser/design/index.html.en 2247) components of the build process. First, the BuildID Debuginfo identifier projects/torbrowser/design/index.html.en 2248) (which associates detached debug files with their corresponding stripped projects/torbrowser/design/index.html.en 2249) executables) was introducing entropy from some unknown source. We removed this projects/torbrowser/design/index.html.en 2250) header using objcopy invocations in our build scriptlets, and opted to use GNU projects/torbrowser/design/index.html.en 2251) DebugLink instead of BuildID for this association.
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2252)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2253) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2254)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2255) Second, on Linux, Firefox builds detached signatures of its cryptographic projects/torbrowser/design/index.html.en 2256) libraries using a temporary key for FIPS-140 certification. A rather insane projects/torbrowser/design/index.html.en 2257) subsection of the FIPS-140 certification standard requires that you distribute projects/torbrowser/design/index.html.en 2258) signatures for all of your cryptographic libraries. The Firefox build process projects/torbrowser/design/index.html.en 2259) meets this requirement by generating a temporary key, using it to sign the projects/torbrowser/design/index.html.en 2260) libraries, and discarding the private portion of that key. Because there are projects/torbrowser/design/index.html.en 2261) many other ways to intercept the crypto outside of modifying the actual DLL projects/torbrowser/design/index.html.en 2262) images, we opted to simply remove these signature files from distribution. projects/torbrowser/design/index.html.en 2263) There simply is no way to verify code integrity on a running system without projects/torbrowser/design/index.html.en 2264) both OS and co-processor assistance. Download package signatures make sense of projects/torbrowser/design/index.html.en 2265) course, but we handle those another way (as mentioned above).
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2266) projects/torbrowser/design/index.html.en 2267)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2268) </p></li><li class="listitem"><span class="command"><strong>LXC-specific leaks</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2269)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2270) Gitian provides an option to use LXC containers instead of full qemu-kvm projects/torbrowser/design/index.html.en 2271) virtualization. Unfortunately, these containers can allow additional details projects/torbrowser/design/index.html.en 2272) about the host OS to leak. In particular, umask settings as well as the projects/torbrowser/design/index.html.en 2273) hostname and Linux kernel version can leak from the host OS into the LXC projects/torbrowser/design/index.html.en 2274) container. We addressed umask by setting it explicitly in our Gitian projects/torbrowser/design/index.html.en 2275) descriptor scriptlet, and addressed the hostname and kernel version leaks by projects/torbrowser/design/index.html.en 2276) directly patching the aspects of the Firefox build process that included this
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2277) information into the build. It also turns out that some libraries (in projects/torbrowser/design/index.html.en 2278) particular: libgmp) attempt to detect the current CPU to determine which projects/torbrowser/design/index.html.en 2279) optimizations to compile in. This CPU type is uniform on our KVM instances,`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2280) but differs under LXC.`
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2281)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2282) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1042"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2283)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2284) The build process generates a single sha256sums-unsigned-build.txt file that projects/torbrowser/design/index.html.en 2285) contains a sorted list of the SHA-256 hashes of every package produced for that projects/torbrowser/design/index.html.en 2286) build version. Each official builder uploads this file and a GPG signature of it projects/torbrowser/design/index.html.en 2287) to a directory on a Tor Project's web server. The build scripts have an optional projects/torbrowser/design/index.html.en 2288) matching step that downloads these signatures, verifies them, and ensures that projects/torbrowser/design/index.html.en 2289) the local builds match this file.
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2290)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2291) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2292)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2293) When builds are published officially, the single sha256sums-unsigned-build.txt projects/torbrowser/design/index.html.en 2294) file is accompanied by a detached GPG signature from each official builder that`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2295) produced a matching build. The packages are additionally signed with detached projects/torbrowser/design/index.html.en 2296) GPG signatures from an official signing key.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2297)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2298) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2299)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2300) The fact that the entire set of packages for a given version can be`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2301) authenticated by a single hash of the sha256sums-unsigned-build.txt file will projects/torbrowser/design/index.html.en 2302) also allow us to create a number of auxiliary authentication mechanisms for our projects/torbrowser/design/index.html.en 2303) packages, beyond just trusting a single offline build machine and a single projects/torbrowser/design/index.html.en 2304) cryptographic key's integrity. Interesting examples include providing multiple projects/torbrowser/design/index.html.en 2305) independent cryptographic signatures for packages, listing the package hashes in projects/torbrowser/design/index.html.en 2306) the Tor consensus, and encoding the package hashes in the Bitcoin blockchain.
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2307)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2308) </p><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2309)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	projects/torbrowser/design/index.html.en 2310) The Windows releases are also signed by a hardware token provided by Digicert. projects/torbrowser/design/index.html.en 2311) In order to verify package integrity, the signature must be stripped off using projects/torbrowser/design/index.html.en 2312) the osslsigncode tool, as described on the <a class="ulink" href="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification" target="_top">Signature projects/torbrowser/design/index.html.en 2313) Verification</a> page.
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2314)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2315) </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1049"></a>5.3. Anonymous Verification</h3></div></div></div><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2316)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2317) Due to the fact that bit-identical packages can be produced by anyone, the projects/torbrowser/design/index.html.en 2318) security of this build system extends beyond the security of the official projects/torbrowser/design/index.html.en 2319) build machines. In fact, it is still possible for build integrity to be`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2320) achieved even if all official build machines are compromised.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2321)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2322) </p><p>`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2323)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2324) By default, all tor-specific dependencies and inputs to the build process are projects/torbrowser/design/index.html.en 2325) downloaded over Tor, which allows build verifiers to remain anonymous and projects/torbrowser/design/index.html.en 2326) hidden. Because of this, any individual can use our anonymity network to`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2327) privately download our source code, verify it against public, signed, audited,`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2328) and mirrored git repositories, and reproduce our builds exactly, without being projects/torbrowser/design/index.html.en 2329) subject to targeted attacks. If they notice any differences, they can alert projects/torbrowser/design/index.html.en 2330) the public builders/signers, hopefully using a pseudonym or our anonymous`
Updates to fingerprinting s... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2331) bug tracker account, to avoid revealing the fact that they are a build`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2332) verifier.`
Update TBB design doc based... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2333)`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2334) </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="update-safety"></a>5.4. Update Safety</h3></div></div></div><p> projects/torbrowser/design/index.html.en 2335) projects/torbrowser/design/index.html.en 2336) We make use of the Firefox updater in order to provide automatic updates to`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2337) users. We make use of certificate pinning to ensure that update checks cannot`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2338) be tampered with by setting <span class="command"><strong>security.cert_pinning.enforcement_level projects/torbrowser/design/index.html.en 2339) </strong></span> to <span class="command"><strong>2</strong></span>, and we sign the individual MAR update files projects/torbrowser/design/index.html.en 2340) with keys that get rotated every year.`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2341) projects/torbrowser/design/index.html.en 2342) </p><p> projects/torbrowser/design/index.html.en 2343) projects/torbrowser/design/index.html.en 2344) The Firefox updater also has code to ensure that it can reliably access the`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2345) update server to prevent availability attacks, and complains to the user after 48`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2346) hours go by without a successful response from the server. Additionally, we projects/torbrowser/design/index.html.en 2347) use Tor's SOCKS username and password isolation to ensure that every new`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2348) request to the updater (provided the former got issued more than 10 minutes ago) projects/torbrowser/design/index.html.en 2349) traverses a separate circuit, to avoid holdback attacks by exit nodes.`
Update Tor Browser Design D... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2350)`
Update design doc for TBB 4.0. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2351) </p></div></div><div class="appendix"><h2 class="title" style="clear: both"><a id="Transparency"></a>A. Towards Transparency in Navigation Tracking</h2><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 2352) projects/torbrowser/design/index.html.en 2353) The <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy properties</a> of Tor Browser are based projects/torbrowser/design/index.html.en 2354) upon the assumption that link-click navigation indicates user consent to projects/torbrowser/design/index.html.en 2355) tracking between the linking site and the destination site. While this projects/torbrowser/design/index.html.en 2356) definition is sufficient to allow us to eliminate cross-site third party projects/torbrowser/design/index.html.en 2357) tracking with only minimal site breakage, it is our long-term goal to further projects/torbrowser/design/index.html.en 2358) reduce cross-origin click navigation tracking to mechanisms that are projects/torbrowser/design/index.html.en 2359) detectable by attentive users, so they can alert the general public if projects/torbrowser/design/index.html.en 2360) cross-origin click navigation tracking is happening where it should not be. projects/torbrowser/design/index.html.en 2361) projects/torbrowser/design/index.html.en 2362) </p><p> projects/torbrowser/design/index.html.en 2363) projects/torbrowser/design/index.html.en 2364) In an ideal world, the mechanisms of tracking that can be employed during a projects/torbrowser/design/index.html.en 2365) link click would be limited to the contents of URL parameters and other projects/torbrowser/design/index.html.en 2366) properties that are fully visible to the user before they click. However, the projects/torbrowser/design/index.html.en 2367) entrenched nature of certain archaic web features make it impossible for us to projects/torbrowser/design/index.html.en 2368) achieve this transparency goal by ourselves without substantial site breakage. projects/torbrowser/design/index.html.en 2369) So, instead we maintain a <a class="link" href="#deprecate" title="A.1. Deprecation Wishlist">Deprecation projects/torbrowser/design/index.html.en 2370) Wishlist</a> of archaic web technologies that are currently being (ab)used projects/torbrowser/design/index.html.en 2371) to facilitate federated login and other legitimate click-driven cross-domain projects/torbrowser/design/index.html.en 2372) activity but that can one day be replaced with more privacy friendly, projects/torbrowser/design/index.html.en 2373) auditable alternatives. projects/torbrowser/design/index.html.en 2374) projects/torbrowser/design/index.html.en 2375) </p><p> projects/torbrowser/design/index.html.en 2376) projects/torbrowser/design/index.html.en 2377) Because the total elimination of side channels during cross-origin navigation projects/torbrowser/design/index.html.en 2378) will undoubtedly break federated login as well as destroy ad revenue, we projects/torbrowser/design/index.html.en 2379) also describe auditable alternatives and promising web draft standards that would projects/torbrowser/design/index.html.en 2380) preserve this functionality while still providing transparency when tracking is
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2381) occurring.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2382)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2383) </p><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="deprecate"></a>A.1. Deprecation Wishlist</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>The Referer Header</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2384)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2385) When leaving a .onion domain we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=09188cb14dfaa8ac22f687c978166c7bd171b576" target="_top"> projects/torbrowser/design/index.html.en 2386) set the Referer header to the destination</a> to avoid leaking information projects/torbrowser/design/index.html.en 2387) which might be especially problematic in the case of transitioning from a .onion projects/torbrowser/design/index.html.en 2388) domain to one reached over clearnet. Apart from that we haven't disabled or projects/torbrowser/design/index.html.en 2389) restricted the Referer ourselves because of the non-trivial number of sites projects/torbrowser/design/index.html.en 2390) that rely on the Referer header to "authenticate" image requests and deep-link projects/torbrowser/design/index.html.en 2391) navigation on their sites. Furthermore, there seems to be no real privacy projects/torbrowser/design/index.html.en 2392) benefit to taking this action by itself in a vacuum, because many sites have projects/torbrowser/design/index.html.en 2393) begun encoding Referer URL information into GET parameters when they need it to projects/torbrowser/design/index.html.en 2394) cross HTTP to HTTPS scheme transitions. Google's +1 buttons are the best projects/torbrowser/design/index.html.en 2395) example of this activity.
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2396) projects/torbrowser/design/index.html.en 2397) </p><p> projects/torbrowser/design/index.html.en 2398) projects/torbrowser/design/index.html.en 2399) Because of the availability of these other explicit vectors, we believe the`
TBB design doc: More review... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2400) main risk of the Referer header is through inadvertent and/or covert data`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2401) leakage. In fact, <a class="ulink" href="http://www2.research.att.com/~bala/papers/wosn09.pdf" target="_top">a great deal of`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2402) personal data</a> is inadvertently leaked to third parties through the`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2403) source URL parameters.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2404) projects/torbrowser/design/index.html.en 2405) </p><p> projects/torbrowser/design/index.html.en 2406)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	projects/torbrowser/design/index.html.en 2407) We believe the Referer header should be made explicit, and believe that Referrer projects/torbrowser/design/index.html.en 2408) Policy provides a <a class="ulink" href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header" target="_top"> projects/torbrowser/design/index.html.en 2409) decent step in this direction</a>. If a site wishes to transmit its URL to projects/torbrowser/design/index.html.en 2410) third party content elements during load or during link-click, it should have projects/torbrowser/design/index.html.en 2411) to specify this as a property of the associated <a class="ulink" href="https://blog.mozilla.org/security/2015/01/21/meta-referrer/" target="_top"> projects/torbrowser/design/index.html.en 2412) HTML tag</a> or in an HTTP response header. With an explicit property or projects/torbrowser/design/index.html.en 2413) response header, it would then be possible for the user agent to inform the user projects/torbrowser/design/index.html.en 2414) if they are about to click on a link that will transmit Referer information
Update design document base... Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2415) (perhaps through something as subtle as a different color in the lower toolbar projects/torbrowser/design/index.html.en 2416) for the destination URL). This same UI notification can also be used for links`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2417) with the <a class="ulink" href="https://developers.whatwg.org/links.html#ping" target="_top">"ping"</a>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2418) attribute. projects/torbrowser/design/index.html.en 2419)`
Update Tor Browser design doc. Mike Perry authored 9 years ago	`projects/torbrowser/design/index.html.en 2420) </p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2421) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2422) a DOM property that for some reason is allowed to retain a persistent value projects/torbrowser/design/index.html.en 2423) for the lifespan of a browser tab. It is possible to utilize this property for`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2424) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2425) storage</a> during click navigation. This is sometimes used for additional`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2426) CSRF protection and federated login.`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2427) </p><p> projects/torbrowser/design/index.html.en 2428) projects/torbrowser/design/index.html.en 2429) It's our opinion that the contents of window.name should not be preserved for projects/torbrowser/design/index.html.en 2430) cross-origin navigation, but doing so may break federated login for some sites. projects/torbrowser/design/index.html.en 2431)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2432) </p></li><li class="listitem"><span class="command"><strong>JavaScript link rewriting</strong></span><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 2433) projects/torbrowser/design/index.html.en 2434) In general, it should not be possible for onclick handlers to alter the projects/torbrowser/design/index.html.en 2435) navigation destination of 'a' tags, silently transform them into POST projects/torbrowser/design/index.html.en 2436) requests, or otherwise create situations where a user believes they are projects/torbrowser/design/index.html.en 2437) clicking on a link leading to one URL that ends up on another. This projects/torbrowser/design/index.html.en 2438) functionality is deceptive and is frequently a vector for malware and phishing projects/torbrowser/design/index.html.en 2439) attacks. Unfortunately, many legitimate sites also employ such transparent projects/torbrowser/design/index.html.en 2440) link rewriting, and blanket disabling this functionality ourselves will simply projects/torbrowser/design/index.html.en 2441) cause Tor Browser to fail to navigate properly on these sites. projects/torbrowser/design/index.html.en 2442) projects/torbrowser/design/index.html.en 2443) </p><p> projects/torbrowser/design/index.html.en 2444) projects/torbrowser/design/index.html.en 2445) Automated cross-origin redirects are one form of this behavior that is
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2446) possible for us to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">address`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2447) ourselves</a>, as they are comparatively rare and can be handled with site projects/torbrowser/design/index.html.en 2448) permissions. projects/torbrowser/design/index.html.en 2449)`
Updating the Tor Browser de... Georg Koppen authored 7 years ago	`projects/torbrowser/design/index.html.en 2450) </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm1090"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2451) projects/torbrowser/design/index.html.en 2452) Web-Send is a browser-based link sharing and federated login widget that is projects/torbrowser/design/index.html.en 2453) designed to operate without relying on third-party tracking or abusing other`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2454) cross-origin link-click side channels. It has a compelling list of <a class="ulink" href="http://web-send.org/features.html" target="_top">privacy and security features</a>,`
Update design doc with FF17... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2455) especially if used as a "Like button" replacement. projects/torbrowser/design/index.html.en 2456)`
TBB design doc: Fix charset... Mike Perry authored 11 years ago	`projects/torbrowser/design/index.html.en 2457) </p></li><li class="listitem"><a class="ulink" href="https://developer.mozilla.org/en-US/docs/Persona" target="_top">Mozilla Persona</a><p>`
Update design doc with FF17... Mike Perry authored 11 years ago	projects/torbrowser/design/index.html.en 2458) projects/torbrowser/design/index.html.en 2459) Mozilla's Persona is designed to provide decentralized, cryptographically projects/torbrowser/design/index.html.en 2460) authenticated federated login in a way that does not expose the user to third projects/torbrowser/design/index.html.en 2461) party tracking or require browser redirects or side channels. While it does projects/torbrowser/design/index.html.en 2462) not directly provide the link sharing capabilities that Web-Send does, it is a projects/torbrowser/design/index.html.en 2463) better solution to the privacy issues associated with federated login than projects/torbrowser/design/index.html.en 2464) Web-Send is. projects/torbrowser/design/index.html.en 2465)