446803ab4bfc19b8e0e736631447b4ded1059699
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    1) <?xml version="1.0" encoding="UTF-8"?>
projects/en/torbrowser/design/index.html.en    2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en       3) <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Oct 19 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id3042393">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3042393"></a>1. Introduction</h2></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    4) 
projects/en/torbrowser/design/index.html.en    5) This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>,
projects/en/torbrowser/design/index.html.en    6) <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>,
projects/en/torbrowser/design/index.html.en    7) <a class="link" href="#Implementation" title="3. Implementation">implementation</a>, <a class="link" href="#Packaging" title="4. Packaging">packaging</a> and <a class="link" href="#Testing" title="5. Testing">testing
projects/en/torbrowser/design/index.html.en    8) procedures</a> of the Tor Browser. It is
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en       9) current as of Tor Browser 2.2.33-3.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   10) 
projects/en/torbrowser/design/index.html.en   11)   </p><p>
projects/en/torbrowser/design/index.html.en   12) 
projects/en/torbrowser/design/index.html.en   13) This document is also meant to serve as a set of design requirements and to
projects/en/torbrowser/design/index.html.en   14) describe a reference implementation of a Private Browsing Mode that defends
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      15) against active network adversaries, in addition to the passive forensic local
projects/torbrowser/design/index.html.en      16) adversary currently addressed by the major browsers.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   17) 
projects/en/torbrowser/design/index.html.en   18)   </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en   19) 
projects/en/torbrowser/design/index.html.en   20) A Tor web browser adversary has a number of goals, capabilities, and attack
projects/en/torbrowser/design/index.html.en   21) types that can be used to guide us towards a set of requirements for the
projects/en/torbrowser/design/index.html.en   22) Tor Browser. Let's start with the goals.
projects/en/torbrowser/design/index.html.en   23) 
projects/en/torbrowser/design/index.html.en   24)    </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of 
projects/en/torbrowser/design/index.html.en   25) Tor, causing the user to directly connect to an IP of the adversary's
projects/en/torbrowser/design/index.html.en   26) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
projects/en/torbrowser/design/index.html.en   27) happily settle for the ability to correlate something a user did via Tor with
projects/en/torbrowser/design/index.html.en   28) their non-Tor activity. This can be done with cookies, cache identifiers,
projects/en/torbrowser/design/index.html.en   29) javascript events, and even CSS. Sometimes the fact that a user uses Tor may
projects/en/torbrowser/design/index.html.en   30) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
projects/en/torbrowser/design/index.html.en   31) The adversary may also be interested in history disclosure: the ability to
projects/en/torbrowser/design/index.html.en   32) query a user's history to see if they have issued certain censored search
projects/en/torbrowser/design/index.html.en   33) queries, or visited censored sites.
projects/en/torbrowser/design/index.html.en   34)      </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>
projects/en/torbrowser/design/index.html.en   35) 
projects/en/torbrowser/design/index.html.en   36) Location information such as timezone and locality can be useful for the
projects/en/torbrowser/design/index.html.en   37) adversary to determine if a user is in fact originating from one of the
projects/en/torbrowser/design/index.html.en   38) regions they are attempting to control, or to zero-in on the geographical
projects/en/torbrowser/design/index.html.en   39) location of a particular dissident or whistleblower.
projects/en/torbrowser/design/index.html.en   40) 
projects/en/torbrowser/design/index.html.en   41)      </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p>
projects/en/torbrowser/design/index.html.en   42) 
projects/en/torbrowser/design/index.html.en   43) Anonymity set reduction is also useful in attempting to zero in on a
projects/en/torbrowser/design/index.html.en   44) particular individual. If the dissident or whistleblower is using a rare build
projects/en/torbrowser/design/index.html.en   45) of Firefox for an obscure operating system, this can be very useful
projects/en/torbrowser/design/index.html.en   46) information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>.
projects/en/torbrowser/design/index.html.en   47) 
projects/en/torbrowser/design/index.html.en   48)      </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
projects/en/torbrowser/design/index.html.en   49) information</strong></span><p>
projects/en/torbrowser/design/index.html.en   50) In some cases, the adversary may opt for a heavy-handed approach, such as
projects/en/torbrowser/design/index.html.en   51) seizing the computers of all Tor users in an area (especially after narrowing
projects/en/torbrowser/design/index.html.en   52) the field by the above two pieces of information). History records and cache
projects/en/torbrowser/design/index.html.en   53) data are the primary goals here.
projects/en/torbrowser/design/index.html.en   54)      </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p>
projects/en/torbrowser/design/index.html.en   55) The adversary can position themselves at a number of different locations in
projects/en/torbrowser/design/index.html.en   56) order to execute their attacks.
projects/en/torbrowser/design/index.html.en   57)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
projects/en/torbrowser/design/index.html.en   58) The adversary can run exit nodes, or alternatively, they may control routers
projects/en/torbrowser/design/index.html.en   59) upstream of exit nodes. Both of these scenarios have been observed in the
projects/en/torbrowser/design/index.html.en   60) wild.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      61)      </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   62) The adversary can also run websites, or more likely, they can contract out
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      63) ad space from a number of different ad servers and inject content that way. For
projects/torbrowser/design/index.html.en      64) some users, the adversary may be the ad servers themselves. It is not
projects/torbrowser/design/index.html.en      65) inconceivable that ad servers may try to subvert or reduce a user's anonymity 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   66) through Tor for marketing purposes.
projects/en/torbrowser/design/index.html.en   67)      </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
projects/en/torbrowser/design/index.html.en   68) The adversary can also inject malicious content at the user's upstream router
projects/en/torbrowser/design/index.html.en   69) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
projects/en/torbrowser/design/index.html.en   70) activity.
projects/en/torbrowser/design/index.html.en   71)      </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
projects/en/torbrowser/design/index.html.en   72) Some users face adversaries with intermittent or constant physical access.
projects/en/torbrowser/design/index.html.en   73) Users in Internet cafes, for example, face such a threat. In addition, in
projects/en/torbrowser/design/index.html.en   74) countries where simply using tools like Tor is illegal, users may face
projects/en/torbrowser/design/index.html.en   75) confiscation of their computer equipment for excessive Tor usage or just
projects/en/torbrowser/design/index.html.en   76) general suspicion.
projects/en/torbrowser/design/index.html.en   77)      </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p>
projects/en/torbrowser/design/index.html.en   78) 
projects/en/torbrowser/design/index.html.en   79) The adversary can perform the following attacks from a number of different 
projects/en/torbrowser/design/index.html.en   80) positions to accomplish various aspects of their goals. It should be noted
projects/en/torbrowser/design/index.html.en   81) that many of these attacks (especially those involving IP address leakage) are
projects/en/torbrowser/design/index.html.en   82) often performed by accident by websites that simply have Javascript, dynamic 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      83) CSS elements, and plugins. Others are performed by ad servers seeking to
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   84) correlate users' activity across different IP addresses, and still others are
projects/en/torbrowser/design/index.html.en   85) performed by malicious agents on the Tor network and at national firewalls.
projects/en/torbrowser/design/index.html.en   86) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      87)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   88) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      89) The browser contains multiple facilities for storing identifiers that the
projects/torbrowser/design/index.html.en      90) adversary creates for the purposes of tracking users. These identifiers are
projects/torbrowser/design/index.html.en      91) most obviously cookies, but also include HTTP auth, DOM storage, cached
projects/torbrowser/design/index.html.en      92) scripts and other elements with embedded identifiers, client certificates, and
projects/torbrowser/design/index.html.en      93) even TLS Session IDs.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   94) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      95)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   96) 
projects/en/torbrowser/design/index.html.en   97) An adversary in a position to perform MITM content alteration can inject
projects/en/torbrowser/design/index.html.en   98) document content elements to both read and inject cookies for arbitrary
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      99) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  100) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
projects/en/torbrowser/design/index.html.en  101) sidejacking</a>. In addition, the ad networks of course perform tracking
projects/en/torbrowser/design/index.html.en  102) with cookies as well.
projects/en/torbrowser/design/index.html.en  103) 
projects/en/torbrowser/design/index.html.en  104)      </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
projects/en/torbrowser/design/index.html.en  105) attributes</strong></span><p>
projects/en/torbrowser/design/index.html.en  106) 
projects/en/torbrowser/design/index.html.en  107) There is an absurd amount of information available to websites via attributes
projects/en/torbrowser/design/index.html.en  108) of the browser. This information can be used to reduce anonymity set, or even
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     109) uniquely fingerprint individual users. Fingerprinting is an intimidating
projects/torbrowser/design/index.html.en     110) problem to attempt to tackle, especially without a metric to determine or at
projects/torbrowser/design/index.html.en     111) least intuitively understand and estimate which features will most contribute
projects/torbrowser/design/index.html.en     112) to linkability between visits.
projects/torbrowser/design/index.html.en     113) 
projects/torbrowser/design/index.html.en     114) </p><p>
projects/torbrowser/design/index.html.en     115) 
projects/torbrowser/design/index.html.en     116) The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study
projects/torbrowser/design/index.html.en     117) done</a> by the EFF uses the actual entropy - the number of identifying
projects/torbrowser/design/index.html.en     118) bits of information encoded in browser properties - as this metric. Their
projects/torbrowser/design/index.html.en     119) <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a>
projects/torbrowser/design/index.html.en     120) is definitely useful, and the metric is probably the appropriate one for
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  121) determining how identifying a particular browser property is. However, some
projects/en/torbrowser/design/index.html.en  122) quirks of their study means that they do not extract as much information as
Mike Perry Minor cleanup to TBB design...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     123) they could from display information: they only use desktop resolution and do
projects/torbrowser/design/index.html.en     124) not attempt to infer the size of toolbars. In the other direction, they may be
projects/torbrowser/design/index.html.en     125) over-counting in some areas, as they did not compute joint entropy over
projects/torbrowser/design/index.html.en     126) multiple attributes that may exhibit a high degree of correlation. Also, new
projects/torbrowser/design/index.html.en     127) browser features are added regularly, so the data should not be taken as
projects/torbrowser/design/index.html.en     128) final.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     129) 
projects/torbrowser/design/index.html.en     130)       </p><p>
projects/torbrowser/design/index.html.en     131) 
projects/torbrowser/design/index.html.en     132) Despite the uncertainty, all fingerprinting attacks leverage the following
projects/torbrowser/design/index.html.en     133) attack vectors:
projects/torbrowser/design/index.html.en     134) 
projects/torbrowser/design/index.html.en     135)      </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
projects/torbrowser/design/index.html.en     136) 
projects/torbrowser/design/index.html.en     137) Properties of the user's request behavior comprise the bulk of low-hanging
projects/torbrowser/design/index.html.en     138) fingerprinting targets. These include: User agent, Accept-* headers, pipeline
projects/torbrowser/design/index.html.en     139) usage, and request ordering. Additionally, the use of custom filters such as
projects/torbrowser/design/index.html.en     140) AdBlock and other privacy filters can be used to fingerprint request patterns
projects/torbrowser/design/index.html.en     141) (as an extreme example).
projects/torbrowser/design/index.html.en     142) 
projects/torbrowser/design/index.html.en     143)      </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  144) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     145) Javascript can reveal a lot of fingerprinting information. It provides DOM
Mike Perry Minor cleanup to TBB design...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     146) objects such as window.screen and window.navigator to extract information
projects/torbrowser/design/index.html.en     147) about the useragent. 
projects/torbrowser/design/index.html.en     148) 
projects/torbrowser/design/index.html.en     149) Also, Javascript can be used to query the user's timezone via the
projects/torbrowser/design/index.html.en     150) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
projects/torbrowser/design/index.html.en     151) reveal information about the video cart in use, and high precision timing
projects/torbrowser/design/index.html.en     152) information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and
projects/torbrowser/design/index.html.en     153) interpreter speed</a>. In the future, new JavaScript features such as
projects/torbrowser/design/index.html.en     154) <a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/" target="_top">Resource
projects/torbrowser/design/index.html.en     155) Timing</a> may leak an unknown amount of network timing related
projects/torbrowser/design/index.html.en     156) information.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  157) 
projects/en/torbrowser/design/index.html.en  158) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     159) 
projects/torbrowser/design/index.html.en     160)      </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
projects/torbrowser/design/index.html.en     161) 
projects/torbrowser/design/index.html.en     162) The Panopticlick project found that the mere list of installed plugins (in
projects/torbrowser/design/index.html.en     163) navigator.plugins) was sufficient to provide a large degree of
projects/torbrowser/design/index.html.en     164) fingerprintability. Additionally, plugins are capable of extracting font lists,
projects/torbrowser/design/index.html.en     165) interface addresses, and other machine information that is beyond what the
projects/torbrowser/design/index.html.en     166) browser would normally provide to content. In addition, plugins can be used to
projects/torbrowser/design/index.html.en     167) store unique identifiers that are more difficult to clear than standard
projects/torbrowser/design/index.html.en     168) cookies.  <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
projects/torbrowser/design/index.html.en     169) cookies</a> fall into this category, but there are likely numerous other
projects/torbrowser/design/index.html.en     170) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
projects/torbrowser/design/index.html.en     171) settings of the browser. 
projects/torbrowser/design/index.html.en     172) 
projects/torbrowser/design/index.html.en     173) 
projects/torbrowser/design/index.html.en     174)      </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
projects/torbrowser/design/index.html.en     175) 
projects/torbrowser/design/index.html.en     176) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
projects/torbrowser/design/index.html.en     177) queries</a> can be inserted to gather information about the desktop size,
projects/torbrowser/design/index.html.en     178) widget size, display type, DPI, user agent type, and other information that
projects/torbrowser/design/index.html.en     179) was formerly available only to Javascript.
projects/torbrowser/design/index.html.en     180) 
projects/torbrowser/design/index.html.en     181)      </p></li></ol></div></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  182) OS</strong></span><p>
projects/en/torbrowser/design/index.html.en  183) 
projects/en/torbrowser/design/index.html.en  184) Last, but definitely not least, the adversary can exploit either general
projects/en/torbrowser/design/index.html.en  185) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
projects/en/torbrowser/design/index.html.en  186) install malware and surveillance software. An adversary with physical access
projects/en/torbrowser/design/index.html.en  187) can perform similar actions. Regrettably, this last attack capability is
projects/en/torbrowser/design/index.html.en  188) outside of our ability to defend against, but it is worth mentioning for
projects/en/torbrowser/design/index.html.en  189) completeness. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails
projects/en/torbrowser/design/index.html.en  190) system</a> however can provide some limited defenses against this
projects/en/torbrowser/design/index.html.en  191) adversary.
projects/en/torbrowser/design/index.html.en  192) 
projects/en/torbrowser/design/index.html.en  193)      </p></li></ol></div></div></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>
projects/en/torbrowser/design/index.html.en  194) 
projects/en/torbrowser/design/index.html.en  195) The Tor Browser Design Requirements are meant to describe the properties of a
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     196) Private Browsing Mode that defends against both network and local forensic
projects/torbrowser/design/index.html.en     197) adversaries. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  198) 
projects/en/torbrowser/design/index.html.en  199)   </p><p>
projects/en/torbrowser/design/index.html.en  200) 
projects/en/torbrowser/design/index.html.en  201) There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     202) minimum properties in order for a browser to be able to support Tor and
projects/torbrowser/design/index.html.en     203) similar privacy proxies safely. Privacy requirements are the set of properties
projects/torbrowser/design/index.html.en     204) that cause us to prefer one browser platform over another. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  205) 
projects/en/torbrowser/design/index.html.en  206)   </p><p>
projects/en/torbrowser/design/index.html.en  207) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     208) While we will endorse the use of browsers that meet the security requirements,
projects/torbrowser/design/index.html.en     209) it is primarily the privacy requirements that cause us to maintain our own
projects/torbrowser/design/index.html.en     210) browser distribution.
projects/torbrowser/design/index.html.en     211) 
projects/torbrowser/design/index.html.en     212)   </p><p>
projects/torbrowser/design/index.html.en     213) 
projects/torbrowser/design/index.html.en     214)       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
projects/torbrowser/design/index.html.en     215)       NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
projects/torbrowser/design/index.html.en     216)       "OPTIONAL" in this document are to be interpreted as described in
projects/torbrowser/design/index.html.en     217)       <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  218) 
projects/en/torbrowser/design/index.html.en  219)   </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  220) 
projects/en/torbrowser/design/index.html.en  221) The security requirements are primarily concerned with ensuring the safe use
projects/en/torbrowser/design/index.html.en  222) of Tor. Violations in these properties typically result in serious risk for
Mike Perry Add a couple extra sentence...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     223) the user in terms of immediate deanonymization and/or observability. With
projects/torbrowser/design/index.html.en     224) respect to platform support, security requirements are the minimum properties
projects/torbrowser/design/index.html.en     225) in order for Tor to support the use of a web client platform.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  226) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     227)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="3.1. Proxy Obedience"><span class="command"><strong>Proxy
projects/torbrowser/design/index.html.en     228) Obedience</strong></span></a><p>The browser
projects/torbrowser/design/index.html.en     229) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="3.2. State Separation"><span class="command"><strong>State
projects/torbrowser/design/index.html.en     230) Separation</strong></span></a><p>The browser MUST NOT provide any stored state to the content window
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  231) from other browsers or other browsing modes, including shared state from
projects/en/torbrowser/design/index.html.en  232) plugins, machine identifiers, and TLS session state.
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     233) </p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance"><span class="command"><strong>Disk
projects/torbrowser/design/index.html.en     234) Avoidance</strong></span></a><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     235) 
projects/torbrowser/design/index.html.en     236) The browser MUST NOT write any information that is derived from or that
projects/torbrowser/design/index.html.en     237) reveals browsing activity to the disk, or store it in memory beyond the
projects/torbrowser/design/index.html.en     238) duration of one browsing session, unless the user has explicitly opted to
projects/torbrowser/design/index.html.en     239) store their browsing history information to disk.
projects/torbrowser/design/index.html.en     240) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     241) </p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="3.4. Application Data Isolation"><span class="command"><strong>Application Data
projects/torbrowser/design/index.html.en     242) Isolation</strong></span></a><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     243) 
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     244) The components involved in providing private browsing MUST be self-contained,
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     245) or MUST provide a mechanism for rapid, complete removal of all evidence of the
projects/torbrowser/design/index.html.en     246) use of the mode. In other words, the browser MUST NOT write or cause the
projects/torbrowser/design/index.html.en     247) operating system to write <span class="emphasis"><em>any information</em></span> about the use
projects/torbrowser/design/index.html.en     248) of private browsing to disk outside of the application's control. The user
projects/torbrowser/design/index.html.en     249) must be able to ensure that secure removal of the software is sufficient to
projects/torbrowser/design/index.html.en     250) remove evidence of the use of the software. All exceptions and shortcomings
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     251) due to operating system behavior MUST be wiped by an uninstaller. However, due
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     252) to permissions issues with access to swap, implementations MAY choose to leave
projects/torbrowser/design/index.html.en     253) it out of scope, and/or leave it to the user to implement encrypted swap.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  254) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     255) </p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  256) 
projects/en/torbrowser/design/index.html.en  257) The privacy requirements are primarily concerned with reducing linkability:
Mike Perry Add a couple extra sentence...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     258) the ability for a user's activity on one site to be linked with their activity
projects/torbrowser/design/index.html.en     259) on another site without their knowledge or explicit consent. With respect to
projects/torbrowser/design/index.html.en     260) platform support, privacy requirements are the set of properties that cause us
projects/torbrowser/design/index.html.en     261) to prefer one platform over another. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  262) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     263)    </p><p>
projects/torbrowser/design/index.html.en     264) 
projects/torbrowser/design/index.html.en     265) For the purposes of the unlinkability requirements of this section as well as
projects/torbrowser/design/index.html.en     266) the descriptions in the <a class="link" href="#Implementation" title="3. Implementation">implementation
projects/torbrowser/design/index.html.en     267) section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the
projects/torbrowser/design/index.html.en     268) second-level DNS name.  For example, for mail.google.com, the origin would be
projects/torbrowser/design/index.html.en     269) google.com. Implementations MAY, at their option, restrict the url bar origin
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     270) to be the entire fully qualified domain name.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     271) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     272)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="3.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
projects/torbrowser/design/index.html.en     273) Identifier Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  274) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     275) User activity on one url bar origin MUST NOT be linkable to their activity in
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     276) any other url bar origin by any third party automatically or without user
projects/torbrowser/design/index.html.en     277) interaction or approval. This requirement specifically applies to linkability
projects/torbrowser/design/index.html.en     278) from stored browser identifiers, authentication tokens, and shared state. The
projects/torbrowser/design/index.html.en     279) requirement does not apply to linkable information the user manually submits
projects/torbrowser/design/index.html.en     280) to sites, or due information submitted during manual link traversal. This
projects/torbrowser/design/index.html.en     281) functionality SHOULD NOT interfere with federated login in a substantial way.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  282) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     283)   </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="3.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
projects/torbrowser/design/index.html.en     284) Fingerprinting Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  285) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     286) User activity on one url bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en     287) any other url bar origin by any third party. This property specifically applies to
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  288) linkability from fingerprinting browser behavior.
projects/en/torbrowser/design/index.html.en  289) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     290)   </p></li><li class="listitem"><a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><span class="command"><strong>Long-Term
projects/torbrowser/design/index.html.en     291) Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  292) 
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     293) The browser SHOULD provide an obvious, easy way to remove all of its
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     294) authentication tokens and browser state and obtain a fresh identity.
projects/torbrowser/design/index.html.en     295) Additionally, the browser SHOULD clear linkable state by default automatically
projects/torbrowser/design/index.html.en     296) upon browser restart, except at user option.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  297) 
projects/en/torbrowser/design/index.html.en  298)   </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  299) 
projects/en/torbrowser/design/index.html.en  300) In addition to the above design requirements, the technology decisions about
projects/en/torbrowser/design/index.html.en  301) Tor Browser are also guided by some philosophical positions about technology.
projects/en/torbrowser/design/index.html.en  302) 
projects/en/torbrowser/design/index.html.en  303)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>
projects/en/torbrowser/design/index.html.en  304) 
projects/en/torbrowser/design/index.html.en  305) The existing way that the user expects to use a browser must be preserved. If
projects/en/torbrowser/design/index.html.en  306) the user has to maintain a different mental model of how the sites they are
projects/en/torbrowser/design/index.html.en  307) using behave depending on tab, browser state, or anything else that would not
projects/en/torbrowser/design/index.html.en  308) normally be what they experience in their default browser, the user will
projects/en/torbrowser/design/index.html.en  309) inevitably be confused. They will make mistakes and reduce their privacy as a
projects/en/torbrowser/design/index.html.en  310) result. Worse, they may just stop using the browser, assuming it is broken.
projects/en/torbrowser/design/index.html.en  311) 
projects/en/torbrowser/design/index.html.en  312)       </p><p>
projects/en/torbrowser/design/index.html.en  313) 
projects/en/torbrowser/design/index.html.en  314) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
projects/en/torbrowser/design/index.html.en  315) of Torbutton</a>: Even if users managed to install everything properly,
projects/en/torbrowser/design/index.html.en  316) the toggle model was too hard for the average user to understand, especially
projects/en/torbrowser/design/index.html.en  317) in the face of accumulating tabs from multiple states crossed with the current
projects/en/torbrowser/design/index.html.en  318) tor-state of the browser. 
projects/en/torbrowser/design/index.html.en  319) 
projects/en/torbrowser/design/index.html.en  320)       </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
projects/en/torbrowser/design/index.html.en  321) break sites</strong></span><p>
projects/en/torbrowser/design/index.html.en  322) 
projects/en/torbrowser/design/index.html.en  323) In general, we try to find solutions to privacy issues that will not induce
projects/en/torbrowser/design/index.html.en  324) site breakage, though this is not always possible.
projects/en/torbrowser/design/index.html.en  325) 
projects/en/torbrowser/design/index.html.en  326)       </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>
projects/en/torbrowser/design/index.html.en  327) 
projects/en/torbrowser/design/index.html.en  328) Even if plugins always properly used the browser proxy settings (which none of
projects/en/torbrowser/design/index.html.en  329) them do) and could not be induced to bypass them (which all of them can), the
projects/en/torbrowser/design/index.html.en  330) activities of closed-source plugins are very difficult to audit and control.
projects/en/torbrowser/design/index.html.en  331) They can obtain and transmit all manner of system information to websites,
projects/en/torbrowser/design/index.html.en  332) often have their own identifier storage for tracking users, and also
projects/en/torbrowser/design/index.html.en  333) contribute to fingerprinting.
projects/en/torbrowser/design/index.html.en  334) 
projects/en/torbrowser/design/index.html.en  335)       </p><p>
projects/en/torbrowser/design/index.html.en  336) 
projects/en/torbrowser/design/index.html.en  337) Therefore, if plugins are to be enabled in private browsing modes, they must
projects/en/torbrowser/design/index.html.en  338) be restricted from running automatically on every page (via click-to-play
projects/en/torbrowser/design/index.html.en  339) placeholders), and/or be sandboxed to restrict the types of system calls they
projects/en/torbrowser/design/index.html.en  340) can execute. If the user decides to craft an exemption to allow a plugin to be
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     341) used, it MUST only apply to the top level url bar domain, and not to all sites,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  342) to reduce linkability.
projects/en/torbrowser/design/index.html.en  343) 
projects/en/torbrowser/design/index.html.en  344)        </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
projects/en/torbrowser/design/index.html.en  345) 
projects/en/torbrowser/design/index.html.en  346) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
projects/en/torbrowser/design/index.html.en  347) failure of Torbutton</a> was (and still is) the options panel. Each option
projects/en/torbrowser/design/index.html.en  348) that detectably alters browser behavior can be used as a fingerprinting tool.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     349) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">SHOULD be
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  350) disabled in the mode</a> except as an opt-in basis. We should not load
projects/en/torbrowser/design/index.html.en  351) system-wide addons or plugins.
projects/en/torbrowser/design/index.html.en  352) 
projects/en/torbrowser/design/index.html.en  353)      </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     354) Instead of global browser privacy options, privacy decisions SHOULD be made
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  355) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     356) url bar origin</a> to eliminate the possibility of linkability
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  357) between domains. For example, when a plugin object (or a Javascript access of
projects/en/torbrowser/design/index.html.en  358) window.plugins) is present in a page, the user should be given the choice of
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     359) allowing that plugin object for that url bar origin only. The same
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  360) goes for exemptions to third party cookie policy, geo-location, and any other
projects/en/torbrowser/design/index.html.en  361) privacy permissions.
projects/en/torbrowser/design/index.html.en  362)      </p><p>
projects/en/torbrowser/design/index.html.en  363) If the user has indicated they do not care about local history storage, these
projects/en/torbrowser/design/index.html.en  364) permissions can be written to disk. Otherwise, they should remain memory-only. 
projects/en/torbrowser/design/index.html.en  365)      </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>
projects/en/torbrowser/design/index.html.en  366) 
projects/en/torbrowser/design/index.html.en  367) Filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
projects/en/torbrowser/design/index.html.en  368) Plus</a>, <a class="ulink" href="" target="_top">Request Policy</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
projects/en/torbrowser/design/index.html.en  369) avoided. We believe that these addons do not add any real privacy to a proper
projects/en/torbrowser/design/index.html.en  370) <a class="link" href="#Implementation" title="3. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, as all third parties are
projects/en/torbrowser/design/index.html.en  371) prevented from tracking users between sites by the implementation.
projects/en/torbrowser/design/index.html.en  372) Filter-based addons can also introduce strange breakage and cause usability
projects/en/torbrowser/design/index.html.en  373) nightmares, and will also fail to do their job if an adversary simply
projects/en/torbrowser/design/index.html.en  374) registers a new domain or creates a new url path. Worse still, the unique
Mike Perry Fix a typo and some links i...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     375) filter sets that each user creates or installs will provide a wealth
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  376) of fingerprinting targets.
projects/en/torbrowser/design/index.html.en  377) 
projects/en/torbrowser/design/index.html.en  378)       </p><p>
projects/en/torbrowser/design/index.html.en  379) 
projects/en/torbrowser/design/index.html.en  380) As a general matter, we are also generally opposed to shipping an always-on Ad
projects/en/torbrowser/design/index.html.en  381) blocker with Tor Browser. We feel that this would damage our credibility in
projects/en/torbrowser/design/index.html.en  382) terms of demonstrating that we are providing privacy through a sound design
projects/en/torbrowser/design/index.html.en  383) alone, as well as damage the acceptance of Tor users by sites who support
projects/en/torbrowser/design/index.html.en  384) themselves through advertising revenue.
projects/en/torbrowser/design/index.html.en  385) 
projects/en/torbrowser/design/index.html.en  386)       </p><p>
projects/en/torbrowser/design/index.html.en  387) Users are free to install these addons if they wish, but doing
projects/en/torbrowser/design/index.html.en  388) so is not recommended, as it will alter the browser request fingerprint.
projects/en/torbrowser/design/index.html.en  389)       </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
projects/en/torbrowser/design/index.html.en  390) We believe that if we do not stay current with the support of new web
projects/en/torbrowser/design/index.html.en  391) technologies, we cannot hope to substantially influence or be involved in
projects/en/torbrowser/design/index.html.en  392) their proper deployment or privacy realization. However, we will likely disable
projects/en/torbrowser/design/index.html.en  393) certain new features (where possible) pending analysis and audit.
projects/en/torbrowser/design/index.html.en  394)       </p></li></ol></div></div></div><div class="sect1" title="3. Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>3. Implementation</h2></div></div></div><p>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     395) 
projects/torbrowser/design/index.html.en     396) The Implementation section is divided into subsections, each of which
projects/torbrowser/design/index.html.en     397) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
projects/torbrowser/design/index.html.en     398) Each subsection is divided into specific web technologies or properties. The
projects/torbrowser/design/index.html.en     399) implementation is then described for that property.
projects/torbrowser/design/index.html.en     400) 
projects/torbrowser/design/index.html.en     401)   </p><p>
projects/torbrowser/design/index.html.en     402) 
projects/torbrowser/design/index.html.en     403) In some cases, the implementation meets the design requirements in a non-ideal
projects/torbrowser/design/index.html.en     404) way (for example, by disabling features). In rare cases, there may be no
projects/torbrowser/design/index.html.en     405) implementation at all. Both of these cases are denoted by differentiating
projects/torbrowser/design/index.html.en     406) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
projects/torbrowser/design/index.html.en     407) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
projects/torbrowser/design/index.html.en     408) are typically linked for these cases.
projects/torbrowser/design/index.html.en     409) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  410)   </p><div class="sect2" title="3.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>3.1. Proxy Obedience</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  411) 
projects/en/torbrowser/design/index.html.en  412) Proxy obedience is assured through the following:
projects/en/torbrowser/design/index.html.en  413)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox Proxy settings
projects/en/torbrowser/design/index.html.en  414)  <p>
projects/en/torbrowser/design/index.html.en  415)   The Torbutton xpi sets the Firefox proxy settings to use Tor directly as a
projects/en/torbrowser/design/index.html.en  416) SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
projects/en/torbrowser/design/index.html.en  417) <span class="command"><strong>network.proxy.socks_version</strong></span>, and
projects/en/torbrowser/design/index.html.en  418) <span class="command"><strong>network.proxy.socks_port</strong></span>.
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     419)  </p><p>
projects/torbrowser/design/index.html.en     420) 
projects/torbrowser/design/index.html.en     421) We have verified that these settings properly proxy HTTPS, OCSP, HTTP, FTP,
projects/torbrowser/design/index.html.en     422) gopher (now defunct), DNS, SafeBrowsing Queries, all javascript activity,
projects/torbrowser/design/index.html.en     423) including HTML5 audio and video objects, addon updates, wifi geolocation
projects/torbrowser/design/index.html.en     424) queries, searchbox queries, XPCOM addon HTTPS/HTTP activity, and live bookmark
projects/torbrowser/design/index.html.en     425) updates. We have also verified that IPv6 connections are not attempted,
projects/torbrowser/design/index.html.en     426) through the proxy or otherwise (Tor does not yet support IPv6). We have also
projects/torbrowser/design/index.html.en     427) verified that external protocol helpers, such as smb urls and other custom
projects/torbrowser/design/index.html.en     428) protocol handers are all blocked.
projects/torbrowser/design/index.html.en     429) 
projects/torbrowser/design/index.html.en     430)  </p><p>
projects/torbrowser/design/index.html.en     431) 
projects/torbrowser/design/index.html.en     432) Numerous other third parties have also reviewed and <a class="link" href="#SingleStateTesting" title="5.1. Single state testing">tested</a> the proxy settings
projects/torbrowser/design/index.html.en     433) and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/" target="_top">decloak.net</a>. 
projects/torbrowser/design/index.html.en     434) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  435)  </p></li><li class="listitem">Disabling plugins
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     436) 
projects/torbrowser/design/index.html.en     437)  <p>Plugins have the ability to make arbitrary OS system calls and  <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  438) the ability to make UDP sockets and send arbitrary data independent of the
projects/en/torbrowser/design/index.html.en  439) browser proxy settings.
projects/en/torbrowser/design/index.html.en  440)  </p><p>
projects/en/torbrowser/design/index.html.en  441) Torbutton disables plugins by using the
projects/en/torbrowser/design/index.html.en  442) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
projects/en/torbrowser/design/index.html.en  443) as disabled. Additionally, we set
projects/en/torbrowser/design/index.html.en  444) <span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to the list of
projects/en/torbrowser/design/index.html.en  445) supported mime types for all currently installed plugins.
projects/en/torbrowser/design/index.html.en  446)  </p><p>
projects/en/torbrowser/design/index.html.en  447) In addition, to prevent any unproxied activity by plugins at load time, we
Mike Perry Fix a typo and some links i...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     448) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0007-Block-all-plugins-except-flash.patch" target="_top">prevent the load of any plugins except
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  449) for Flash and Gnash</a>.
projects/en/torbrowser/design/index.html.en  450) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     451)  </p><p>
projects/torbrowser/design/index.html.en     452) 
projects/torbrowser/design/index.html.en     453) Finally, even if the user alters their browser settings to re-enable the Flash
projects/torbrowser/design/index.html.en     454) plugin, we have configured NoScript to provide click-to-play placeholders, so
projects/torbrowser/design/index.html.en     455) that only desired objects will be loaded, and only after user confirmation.
projects/torbrowser/design/index.html.en     456) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  457)  </p></li><li class="listitem">External App Blocking
projects/en/torbrowser/design/index.html.en  458)   <p>
projects/en/torbrowser/design/index.html.en  459) External apps, if launched automatically, can be induced to load files that
projects/en/torbrowser/design/index.html.en  460) perform network activity. In order to prevent this, Torbutton installs a
projects/en/torbrowser/design/index.html.en  461) component to 
Mike Perry Fix a typo and some links i...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     462) <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  463) provide the user with a popup</a> whenever the browser attempts to
projects/en/torbrowser/design/index.html.en  464) launch a helper app. 
projects/en/torbrowser/design/index.html.en  465)   </p></li></ol></div></div><div class="sect2" title="3.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>3.2. State Separation</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  466) Tor Browser State is separated from existing browser state through use of a
projects/en/torbrowser/design/index.html.en  467) custom Firefox profile. Furthermore, plugins are disabled, which prevents
projects/en/torbrowser/design/index.html.en  468) Flash cookies from leaking from a pre-existing Flash directory.
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     469)    </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id3048300"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     470) Tor Browser MUST (at user option) prevent all disk records of browser activity.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  471) The user should be able to optionally enable URL history and other history
projects/en/torbrowser/design/index.html.en  472) features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the
projects/en/torbrowser/design/index.html.en  473) preferences interface</a>, we will likely just enable Private Browsing
projects/en/torbrowser/design/index.html.en  474) mode by default to handle this goal.
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     475)     </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3052558"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  476) For now, Tor Browser blocks write access to the disk through Torbutton
projects/en/torbrowser/design/index.html.en  477) using several Firefox preferences. 
projects/en/torbrowser/design/index.html.en  478) 
projects/en/torbrowser/design/index.html.en  479) 
projects/en/torbrowser/design/index.html.en  480) 
projects/en/torbrowser/design/index.html.en  481) The set of prefs is:
projects/en/torbrowser/design/index.html.en  482) <span class="command"><strong>dom.storage.enabled</strong></span>,
projects/en/torbrowser/design/index.html.en  483) <span class="command"><strong>browser.cache.memory.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  484) <span class="command"><strong>network.http.use-cache</strong></span>,
projects/en/torbrowser/design/index.html.en  485) <span class="command"><strong>browser.cache.disk.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  486) <span class="command"><strong>browser.cache.offline.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  487) <span class="command"><strong>general.open_location.last_url</strong></span>,
projects/en/torbrowser/design/index.html.en  488) <span class="command"><strong>places.history.enabled</strong></span>,
projects/en/torbrowser/design/index.html.en  489) <span class="command"><strong>browser.formfill.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  490) <span class="command"><strong>signon.rememberSignons</strong></span>,
projects/en/torbrowser/design/index.html.en  491) <span class="command"><strong>browser.download.manager.retention</strong></span>,
projects/en/torbrowser/design/index.html.en  492) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>.
projects/en/torbrowser/design/index.html.en  493)     </blockquote></div></div><p>
projects/en/torbrowser/design/index.html.en  494) In addition, three Firefox patches are needed to prevent disk writes, even if
projects/en/torbrowser/design/index.html.en  495) Private Browsing Mode is enabled. We need to
projects/en/torbrowser/design/index.html.en  496) 
projects/en/torbrowser/design/index.html.en  497) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0002-Make-Permissions-Manager-memory-only.patch" target="_top">prevent
projects/en/torbrowser/design/index.html.en  498) the permissions manager from recording HTTPS STS state</a>,
projects/en/torbrowser/design/index.html.en  499) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">prevent
projects/en/torbrowser/design/index.html.en  500) intermediate SSL certificates from being recorded</a>, and
projects/en/torbrowser/design/index.html.en  501) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0008-Make-content-pref-service-memory-only-clearable.patch" target="_top">prevent
projects/en/torbrowser/design/index.html.en  502) the content preferences service from recording site zoom</a>.
projects/en/torbrowser/design/index.html.en  503) 
projects/en/torbrowser/design/index.html.en  504) For more details on these patches, <a class="link" href="#firefox-patches" title="3.9. Description of Firefox Patches">see the
projects/en/torbrowser/design/index.html.en  505) Firefox Patches section</a>.
projects/en/torbrowser/design/index.html.en  506) 
projects/en/torbrowser/design/index.html.en  507)    </p></div><div class="sect2" title="3.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>3.4. Application Data Isolation</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  508) 
projects/en/torbrowser/design/index.html.en  509) Tor Browser Bundle MUST NOT cause any information to be written outside of the
projects/en/torbrowser/design/index.html.en  510) bundle directory. This is to ensure that the user is able to completely and
projects/en/torbrowser/design/index.html.en  511) safely remove the bundle without leaving other traces of Tor usage on their
projects/en/torbrowser/design/index.html.en  512) computer.
projects/en/torbrowser/design/index.html.en  513) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     514)    </p><p>FIXME: sjmurdoch, Erinn: explain what magic we do to satisfy this,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  515) and/or what additional work or auditing needs to be done.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     516)    </p></div><div class="sect2" title="3.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>3.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  517) 
projects/en/torbrowser/design/index.html.en  518) The Tor Browser MUST prevent a user's activity on one site from being linked
projects/en/torbrowser/design/index.html.en  519) to their activity on another site. When this goal cannot yet be met with an
projects/en/torbrowser/design/index.html.en  520) existing web technology, that technology or functionality is disabled. Our
projects/en/torbrowser/design/index.html.en  521) <a class="link" href="#privacy" title="2.2. Privacy Requirements">design goal</a> is to ultimately eliminate the need to disable arbitrary
projects/en/torbrowser/design/index.html.en  522) technologies, and instead simply alter them in ways that allows them to
projects/en/torbrowser/design/index.html.en  523) function in a backwards-compatible way while avoiding linkability. Users
projects/en/torbrowser/design/index.html.en  524) should be able to use federated login of various kinds to explicitly inform
projects/en/torbrowser/design/index.html.en  525) sites who they are, but that information should not transparently allow a
projects/en/torbrowser/design/index.html.en  526) third party to record their activity from site to site without their prior
projects/en/torbrowser/design/index.html.en  527) consent.
projects/en/torbrowser/design/index.html.en  528) 
projects/en/torbrowser/design/index.html.en  529)    </p><p>
projects/en/torbrowser/design/index.html.en  530) 
projects/en/torbrowser/design/index.html.en  531) The benefit of this approach comes not only in the form of reduced
projects/en/torbrowser/design/index.html.en  532) linkability, but also in terms of simplified privacy UI. If all stored browser
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     533) state and permissions become associated with the url bar origin, the six or
projects/torbrowser/design/index.html.en     534) seven different pieces of privacy UI governing these identifiers and
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  535) permissions can become just one piece of UI. For instance, a window that lists
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     536) the url bar origin for which browser state exists, possibly with a
projects/torbrowser/design/index.html.en     537) context-menu option to drill down into specific types of state or permissions.
projects/torbrowser/design/index.html.en     538) An example of this simplification can be seen in Figure 1.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  539) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     540)    </p><div class="figure"><a id="id3051496"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  541) 
projects/en/torbrowser/design/index.html.en  542) On the left is the standard Firefox cookie manager. On the right is a mock-up
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     543) of how isolating identifiers to the URL bar origin might simplify the privacy
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  544) UI for all data - not just cookies. Both windows represent the set of
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     545) Cookies accumulated after visiting just five sites, but the window on the
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  546) right has the option of also representing history, DOM Storage, HTTP Auth,
projects/en/torbrowser/design/index.html.en  547) search form history, login values, and so on within a context menu for each
projects/en/torbrowser/design/index.html.en  548) site.
projects/en/torbrowser/design/index.html.en  549) 
projects/en/torbrowser/design/index.html.en  550) </div></div></div><br class="figure-break" /><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Cookies
projects/en/torbrowser/design/index.html.en  551)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  552) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     553) All cookies MUST be double-keyed to the url bar origin and third-party
projects/torbrowser/design/index.html.en     554) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>
projects/torbrowser/design/index.html.en     555) that contains a prototype patch, but it lacks UI, and does not apply to modern
projects/torbrowser/design/index.html.en     556) Firefoxes.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  557) 
projects/en/torbrowser/design/index.html.en  558)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  559) 
projects/en/torbrowser/design/index.html.en  560) As a stopgap to satisfy our design requirement of unlinkability, we currently
projects/en/torbrowser/design/index.html.en  561) entirely disable 3rd party cookies by setting
projects/en/torbrowser/design/index.html.en  562) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     563) third party content continue to function, but we believe the requirement for 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  564) unlinkability trumps that desire.
projects/en/torbrowser/design/index.html.en  565) 
projects/en/torbrowser/design/index.html.en  566)      </p></li><li class="listitem">Cache
projects/en/torbrowser/design/index.html.en  567)      <p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     568) 
projects/torbrowser/design/index.html.en     569) Cache is isolated to the url bar origin by using a technique pioneered by
projects/torbrowser/design/index.html.en     570) Colin Jackson et al, via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  571) <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     572) attribute that Firefox uses internally to prevent improper caching and reuse
projects/torbrowser/design/index.html.en     573) of HTTP POST data.  
projects/torbrowser/design/index.html.en     574) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  575)      </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     576) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  577) However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     578) security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve conflicts
projects/torbrowser/design/index.html.en     579) with OCSP relying the cacheKey property for reuse of POST requests</a>, we
projects/torbrowser/design/index.html.en     580) had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
projects/torbrowser/design/index.html.en     581) Firefox to provide a cacheDomain cache attribute</a>. We use the fully
projects/torbrowser/design/index.html.en     582) qualified url bar domain as input to this field.
projects/torbrowser/design/index.html.en     583) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  584)      </p><p>
projects/en/torbrowser/design/index.html.en  585) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     586)  Furthermore, we chose a different
projects/torbrowser/design/index.html.en     587) isolation scheme than the Stanford implementation. First, we decoupled the
projects/torbrowser/design/index.html.en     588) cache isolation from the third party cookie attribute. Second, we use several
projects/torbrowser/design/index.html.en     589) mechanisms to attempt to determine the actual location attribute of the
projects/torbrowser/design/index.html.en     590) top-level window (to obtain the url bar FQDN) used to load the page, as
projects/torbrowser/design/index.html.en     591) opposed to relying solely on the referer property.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  592) 
projects/en/torbrowser/design/index.html.en  593)      </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     594) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  595) Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     596) Stanford test cases</a> are expected to fail. Functionality can still be
projects/torbrowser/design/index.html.en     597) verified by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and
projects/torbrowser/design/index.html.en     598) viewing the key used for each cache entry. Each third party element should
projects/torbrowser/design/index.html.en     599) have an additional "domain=string" property prepended, which will list the
projects/torbrowser/design/index.html.en     600) FQDN that was used to source the third party element.
projects/torbrowser/design/index.html.en     601) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  602)      </p></li><li class="listitem">HTTP Auth
projects/en/torbrowser/design/index.html.en  603)      <p>
projects/en/torbrowser/design/index.html.en  604) 
projects/en/torbrowser/design/index.html.en  605) HTTP authentication tokens are removed for third party elements using the
projects/en/torbrowser/design/index.html.en  606) <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request
projects/en/torbrowser/design/index.html.en  607) observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
projects/en/torbrowser/design/index.html.en  608) linkability between domains</a>.  We also needed to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch" target="_top">patch
projects/en/torbrowser/design/index.html.en  609) Firefox to cause the headers to get added early enough</a> to allow the
projects/en/torbrowser/design/index.html.en  610) observer to modify it.
projects/en/torbrowser/design/index.html.en  611) 
projects/en/torbrowser/design/index.html.en  612)      </p></li><li class="listitem">DOM Storage
projects/en/torbrowser/design/index.html.en  613)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  614) 
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     615) DOM storage for third party domains MUST be isolated to the url bar origin,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  616) to prevent linkability between sites.
projects/en/torbrowser/design/index.html.en  617) 
projects/en/torbrowser/design/index.html.en  618)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  619) 
projects/en/torbrowser/design/index.html.en  620) Because it is isolated to third party domain as opposed to top level url bar
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     621) origin, we entirely disable DOM storage as a stopgap to ensure unlinkability.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  622) 
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     623)      </p></li><li class="listitem">Flash cookies
projects/torbrowser/design/index.html.en     624)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     625) 
projects/torbrowser/design/index.html.en     626) Users should be able to click-to-play flash objects from trusted sites. To
projects/torbrowser/design/index.html.en     627) make this behavior unlinkable, we wish to include a settings file for all platforms that disables flash
projects/torbrowser/design/index.html.en     628) cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
projects/torbrowser/design/index.html.en     629) settings manager</a>.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     630) 
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     631)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en     632) 
projects/torbrowser/design/index.html.en     633) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
projects/torbrowser/design/index.html.en     634) difficulties</a> causing Flash player to use this settings
projects/torbrowser/design/index.html.en     635) file on Windows.
projects/torbrowser/design/index.html.en     636) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  637)      </p></li><li class="listitem">TLS session resumption and HTTP Keep-Alive
projects/en/torbrowser/design/index.html.en  638)      <p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     639) TLS session resumption and HTTP Keep-Alive MUST NOT allow third party origins
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  640) to track users via either TLS session IDs, or the fact that different requests
projects/en/torbrowser/design/index.html.en  641) arrive on the same TCP connection.
projects/en/torbrowser/design/index.html.en  642)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  643) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     644) TLS session resumption IDs MUST be limited to the url bar origin.
projects/torbrowser/design/index.html.en     645) HTTP Keep-Alive connections from a third party in one url bar origin must
projects/torbrowser/design/index.html.en     646) not be reused for that same third party in another url bar origin.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  647) 
projects/en/torbrowser/design/index.html.en  648)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  649) 
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     650) We currently clear TLS Session IDs upon <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
projects/torbrowser/design/index.html.en     651) Identity</a>, but we have no origin restriction implementation as of yet.
projects/torbrowser/design/index.html.en     652) We plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4099" target="_top">disable TLS session
projects/torbrowser/design/index.html.en     653) resumption</a>, and limit HTTP Keep-alive duration as stopgaps to limit
projects/torbrowser/design/index.html.en     654) linkability until we can implement <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4100" target="_top">true origin
projects/torbrowser/design/index.html.en     655) isolation</a> (the latter we feel will be fairly tricky).
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  656) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     657)      </p></li><li class="listitem">User confirmation for cross-origin redirects
projects/torbrowser/design/index.html.en     658)     <p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     659) 
projects/torbrowser/design/index.html.en     660) To prevent attacks aimed at subverting the Cross-Origin Identifier
projects/torbrowser/design/index.html.en     661) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     662) MUST prompt the user before following redirects that would cause the user to
projects/torbrowser/design/index.html.en     663) automatically navigate between two different url bar origins. The prompt
projects/torbrowser/design/index.html.en     664) SHOULD inform the user about the ability to use <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a> to clear the linked identifiers
projects/torbrowser/design/index.html.en     665) created by the redirect.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     666) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     667) </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     668) 
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     669) To reduce the occurrence of warning fatigue, these warning messages MAY be limited
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     670) to automated redirect cycles only. For example, the automated redirect
projects/torbrowser/design/index.html.en     671) sequence <span class="command"><strong>User Click -&gt; t.co -&gt; bit.ly -&gt; cnn.com</strong></span> can be
projects/torbrowser/design/index.html.en     672) assumed to be benign, but the redirect sequence <span class="command"><strong>User Click -&gt; t.co -&gt;
projects/torbrowser/design/index.html.en     673) bit.ly -&gt; cnn.com -&gt; 2o7.net -&gt; scorecardresearch.net -&gt; cnn.com</strong></span> is
projects/torbrowser/design/index.html.en     674) clearly due to tracking. Non-automated redirect cycles that require
projects/torbrowser/design/index.html.en     675) user input at some step (such as federated login systems) need not be
projects/torbrowser/design/index.html.en     676) interrupted by the UI.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     677) 
projects/torbrowser/design/index.html.en     678)     </p><p>
projects/torbrowser/design/index.html.en     679) 
projects/torbrowser/design/index.html.en     680) We are not concerned with linkability due to explicit user action (either by
projects/torbrowser/design/index.html.en     681) accepting cross-origin redirects, or by clicking normal links) because it is
projects/torbrowser/design/index.html.en     682) assumed that private browsing sessions will be relatively short-lived,
projects/torbrowser/design/index.html.en     683) especially with frequent use of the <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
projects/torbrowser/design/index.html.en     684) Identity</a> button.
projects/torbrowser/design/index.html.en     685) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     686)     </p><p><span class="command"><strong>Implementation status:</strong></span>
projects/torbrowser/design/index.html.en     687) 
projects/torbrowser/design/index.html.en     688) There are numerous ways for the user to be redirected, and the Firefox API
projects/torbrowser/design/index.html.en     689) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
projects/torbrowser/design/index.html.en     690) open</a> to implement what we can.
projects/torbrowser/design/index.html.en     691) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     692)     </p></li><li class="listitem">window.name
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  693)      <p>
projects/en/torbrowser/design/index.html.en  694) 
projects/en/torbrowser/design/index.html.en  695) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
projects/en/torbrowser/design/index.html.en  696) a magical DOM property that for some reason is allowed to retain a persistent value
projects/en/torbrowser/design/index.html.en  697) for the lifespan of a browser tab. It is possible to utilize this property for
projects/en/torbrowser/design/index.html.en  698) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
projects/en/torbrowser/design/index.html.en  699) storage</a>.
projects/en/torbrowser/design/index.html.en  700) 
projects/en/torbrowser/design/index.html.en  701)      </p><p>
projects/en/torbrowser/design/index.html.en  702) 
projects/en/torbrowser/design/index.html.en  703) In order to eliminate linkability but still allow for sites that utilize this
projects/en/torbrowser/design/index.html.en  704) property to function, we reset the window.name property of tabs in Torbutton every
projects/en/torbrowser/design/index.html.en  705) time we encounter a blank referer. This behavior allows window.name to persist
projects/en/torbrowser/design/index.html.en  706) for the duration of a link-driven navigation session, but as soon as the user
projects/en/torbrowser/design/index.html.en  707) enters a new URL or navigates between https/http schemes, the property is cleared.
projects/en/torbrowser/design/index.html.en  708) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     709)      </p></li><li class="listitem">Auto form-fill
projects/torbrowser/design/index.html.en     710)      <p>
projects/torbrowser/design/index.html.en     711) 
projects/torbrowser/design/index.html.en     712) We disable the password saving functionality in the browser as part of our
projects/torbrowser/design/index.html.en     713) <a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
projects/torbrowser/design/index.html.en     714) since users may decide to re-enable disk history records and password saving,
projects/torbrowser/design/index.html.en     715) we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
projects/torbrowser/design/index.html.en     716) preference to false to prevent saved values from immediately populating
projects/torbrowser/design/index.html.en     717) fields upon page load. Since Javascript can read these values as soon as they
projects/torbrowser/design/index.html.en     718) appear, setting this preference prevents automatic linkability from stored passwords.
projects/torbrowser/design/index.html.en     719) 
projects/torbrowser/design/index.html.en     720)      </p></li><li class="listitem">HSTS supercookies
projects/torbrowser/design/index.html.en     721)       <p>
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     722) 
projects/torbrowser/design/index.html.en     723) An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS
projects/torbrowser/design/index.html.en     724) supercookies</a>. Since HSTS effectively stores one bit of information per domain
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     725) name, an adversary in possession of numerous domains can use them to construct
projects/torbrowser/design/index.html.en     726) cookies based on stored HSTS state.
projects/torbrowser/design/index.html.en     727) 
projects/torbrowser/design/index.html.en     728)       </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     729) 
projects/torbrowser/design/index.html.en     730) There appears to be three options for us: 1. Disable HSTS entirely, and rely
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     731) instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
projects/torbrowser/design/index.html.en     732) Restrict the number of HSTS-enabled third parties allowed per url bar origin.
projects/torbrowser/design/index.html.en     733) 3. Prevent third parties from storing HSTS rules. We have not yet decided upon
projects/torbrowser/design/index.html.en     734) the best approach.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     735) 
projects/torbrowser/design/index.html.en     736)       </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
projects/torbrowser/design/index.html.en     737) cleared by <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>, but we don't
projects/torbrowser/design/index.html.en     738) defend against the creation of these cookies between <span class="command"><strong>New
projects/torbrowser/design/index.html.en     739) Identity</strong></span> invocations.
projects/torbrowser/design/index.html.en     740)       </p></li><li class="listitem">Exit node usage
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  741)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  742) 
projects/en/torbrowser/design/index.html.en  743) Every distinct navigation session (as defined by a non-blank referer header)
projects/en/torbrowser/design/index.html.en  744) MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node
projects/en/torbrowser/design/index.html.en  745) observers from linking concurrent browsing activity.
projects/en/torbrowser/design/index.html.en  746) 
projects/en/torbrowser/design/index.html.en  747)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  748) 
projects/en/torbrowser/design/index.html.en  749) The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
projects/en/torbrowser/design/index.html.en  750) series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455" target="_top">Ticket
projects/en/torbrowser/design/index.html.en  751) #3455</a> is the Torbutton ticket to make use of the new Tor
projects/en/torbrowser/design/index.html.en  752) functionality.
projects/en/torbrowser/design/index.html.en  753) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     754)      </p></li></ol></div></div><div class="sect2" title="3.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>3.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  755) 
projects/en/torbrowser/design/index.html.en  756) In order to properly address the fingerprinting adversary on a technical
projects/en/torbrowser/design/index.html.en  757) level, we need a metric to measure linkability of the various browser
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     758) properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  759) by the EFF provides us with exactly this metric. The researchers conducted a
projects/en/torbrowser/design/index.html.en  760) survey of volunteers who were asked to visit an experiment page that harvested
projects/en/torbrowser/design/index.html.en  761) many of the above components. They then computed the Shannon Entropy of the
projects/en/torbrowser/design/index.html.en  762) resulting distribution of each of several key attributes to determine how many
projects/en/torbrowser/design/index.html.en  763) bits of identifying information each attribute provided.
projects/en/torbrowser/design/index.html.en  764) 
projects/en/torbrowser/design/index.html.en  765)    </p><p>
projects/en/torbrowser/design/index.html.en  766) 
projects/en/torbrowser/design/index.html.en  767) The study is not exhaustive, though. In particular, the test does not take in
projects/en/torbrowser/design/index.html.en  768) all aspects of resolution information. It did not calculate the size of
projects/en/torbrowser/design/index.html.en  769) widgets, window decoration, or toolbar size, which we believe may add high
projects/en/torbrowser/design/index.html.en  770) amounts of entropy. It also did not measure clock offset and other time-based
projects/en/torbrowser/design/index.html.en  771) fingerprints. Furthermore, as new browser features are added, this experiment
projects/en/torbrowser/design/index.html.en  772) should be repeated to include them.
projects/en/torbrowser/design/index.html.en  773) 
projects/en/torbrowser/design/index.html.en  774)    </p><p>
projects/en/torbrowser/design/index.html.en  775) 
projects/en/torbrowser/design/index.html.en  776) On the other hand, to avoid an infinite sinkhole, we reduce the efforts for
projects/en/torbrowser/design/index.html.en  777) fingerprinting resistance by only concerning ourselves with reducing the
projects/en/torbrowser/design/index.html.en  778) fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. We
projects/en/torbrowser/design/index.html.en  779) do not believe it is productive to concern ourselves with cross-browser
projects/en/torbrowser/design/index.html.en  780) fingerprinting issues, at least not at this stage.
projects/en/torbrowser/design/index.html.en  781) 
projects/en/torbrowser/design/index.html.en  782)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins
projects/en/torbrowser/design/index.html.en  783)      <p>
projects/en/torbrowser/design/index.html.en  784) 
projects/en/torbrowser/design/index.html.en  785) Plugins add to fingerprinting risk via two main vectors: their mere presence in
projects/en/torbrowser/design/index.html.en  786) window.navigator.plugins, as well as their internal functionality.
projects/en/torbrowser/design/index.html.en  787) 
projects/en/torbrowser/design/index.html.en  788)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  789) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     790) All plugins that have not been specifically audited or sandboxed MUST be
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  791) disabled. To reduce linkability potential, even sandboxed plugins should not
projects/en/torbrowser/design/index.html.en  792) be allowed to load objects until the user has clicked through a click-to-play
projects/en/torbrowser/design/index.html.en  793) barrier.  Additionally, version information should be reduced or obfuscated
projects/en/torbrowser/design/index.html.en  794) until the plugin object is loaded.
projects/en/torbrowser/design/index.html.en  795) 
projects/en/torbrowser/design/index.html.en  796)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  797) 
projects/en/torbrowser/design/index.html.en  798) Currently, we entirely disable all plugins in Tor Browser. However, as a
projects/en/torbrowser/design/index.html.en  799) compromise due to the popularity of Flash, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">work
projects/en/torbrowser/design/index.html.en  800) towards</a> a
projects/en/torbrowser/design/index.html.en  801) click-to-play barrier using NoScript that is available only after the user has
projects/en/torbrowser/design/index.html.en  802) specifically enabled plugins. Flash will be the only plugin available, and we
projects/en/torbrowser/design/index.html.en  803) will ship a settings.sol file to disable Flash cookies, and to restrict P2P
projects/en/torbrowser/design/index.html.en  804) features that likely bypass proxy settings.
projects/en/torbrowser/design/index.html.en  805) 
projects/en/torbrowser/design/index.html.en  806)      </p></li><li class="listitem">Fonts
projects/en/torbrowser/design/index.html.en  807)      <p>
projects/en/torbrowser/design/index.html.en  808) 
projects/en/torbrowser/design/index.html.en  809) According to the Panopticlick study, fonts provide the most linkability when
projects/en/torbrowser/design/index.html.en  810) they are provided as an enumerable list in filesystem order, via either the
projects/en/torbrowser/design/index.html.en  811) Flash or Java plugins. However, it is still possible to use CSS and/or
projects/en/torbrowser/design/index.html.en  812) Javascript to query for the existence of specific fonts. With a large enough
projects/en/torbrowser/design/index.html.en  813) pre-built list to query, a large amount of fingerprintable information may
projects/en/torbrowser/design/index.html.en  814) still be available.
projects/en/torbrowser/design/index.html.en  815) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     816)      </p><p>
projects/torbrowser/design/index.html.en     817) 
projects/torbrowser/design/index.html.en     818) The sure-fire way to address font linkability is to ship the browser with a
projects/torbrowser/design/index.html.en     819) font for every language, typeface, and style in use in the world, and to only
projects/torbrowser/design/index.html.en     820) use those fonts at the exclusion of system fonts.  However, this set may be
projects/torbrowser/design/index.html.en     821) impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts" target="_top">common
projects/torbrowser/design/index.html.en     822) subset</a> may be found that provides total coverage. However, we believe
projects/torbrowser/design/index.html.en     823) that with strong url bar origin identifier isolation, a simpler approach can reduce the
projects/torbrowser/design/index.html.en     824) number of bits available to the adversary while avoiding the rendering and
projects/torbrowser/design/index.html.en     825) language issues of supporting a global font set.
projects/torbrowser/design/index.html.en     826) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  827)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  828) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     829) We intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of
projects/torbrowser/design/index.html.en     830) fonts</a> a url bar origin can load, gracefully degrading to built-in
projects/torbrowser/design/index.html.en     831) and/or remote fonts once the limit is reached.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  832) 
projects/en/torbrowser/design/index.html.en  833)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  834) 
projects/en/torbrowser/design/index.html.en  835) Aside from disabling plugins to prevent enumeration, we have not yet
projects/en/torbrowser/design/index.html.en  836) implemented any defense against CSS or Javascript fonts.
projects/en/torbrowser/design/index.html.en  837) 
projects/en/torbrowser/design/index.html.en  838)      </p></li><li class="listitem">User Agent and HTTP Headers
projects/en/torbrowser/design/index.html.en  839)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  840) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     841) All Tor Browser users MUST provide websites with an identical user agent and
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  842) HTTP header set for a given request type. We omit the Firefox minor revision,
projects/en/torbrowser/design/index.html.en  843) and report a popular Windows platform. If the software is kept up to date,
projects/en/torbrowser/design/index.html.en  844) these headers should remain identical across the population even when updated.
projects/en/torbrowser/design/index.html.en  845) 
projects/en/torbrowser/design/index.html.en  846)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  847) 
projects/en/torbrowser/design/index.html.en  848) Firefox provides several options for controlling the browser user agent string
projects/en/torbrowser/design/index.html.en  849) which we leverage. We also set similar prefs for controlling the
projects/en/torbrowser/design/index.html.en  850) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
projects/en/torbrowser/design/index.html.en  851) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0001-Block-Components.interfaces-lookupMethod-from-conten.patch" target="_top">remove
projects/en/torbrowser/design/index.html.en  852) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
projects/en/torbrowser/design/index.html.en  853) used</a> to fingerprint OS, platform, and Firefox minor version.  </p></li><li class="listitem">Desktop resolution and CSS Media Queries
projects/en/torbrowser/design/index.html.en  854)      <p>
projects/en/torbrowser/design/index.html.en  855) 
projects/en/torbrowser/design/index.html.en  856) Both CSS and Javascript have a lot of irrelevant information about the screen
projects/en/torbrowser/design/index.html.en  857) resolution, usable desktop size, OS widget size, toolbar size, title bar size, and
projects/en/torbrowser/design/index.html.en  858) other desktop features that are not at all relevant to rendering and serve
projects/en/torbrowser/design/index.html.en  859) only to provide information for fingerprinting.
projects/en/torbrowser/design/index.html.en  860) 
projects/en/torbrowser/design/index.html.en  861)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  862) 
projects/en/torbrowser/design/index.html.en  863) Our design goal here is to reduce the resolution information down to the bare
projects/en/torbrowser/design/index.html.en  864) minimum required for properly rendering inside a content window. We intend to 
projects/en/torbrowser/design/index.html.en  865) report all rendering information correctly with respect to the size and
projects/en/torbrowser/design/index.html.en  866) properties of the content window, but report an effective size of 0 for all
projects/en/torbrowser/design/index.html.en  867) border material, and also report that the desktop is only as big as the
projects/en/torbrowser/design/index.html.en  868) inner content window. Additionally, new browser windows are sized such that 
projects/en/torbrowser/design/index.html.en  869) their content windows are one of ~5 fixed sizes based on the user's
projects/en/torbrowser/design/index.html.en  870) desktop resolution.
projects/en/torbrowser/design/index.html.en  871) 
projects/en/torbrowser/design/index.html.en  872)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  873) 
projects/en/torbrowser/design/index.html.en  874) We have implemented the above strategy for Javascript using Torbutton's <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">JavaScript
projects/en/torbrowser/design/index.html.en  875) hooks</a> as well as a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l4002" target="_top">resize
projects/en/torbrowser/design/index.html.en  876) new windows based on desktop resolution</a>. However, CSS Media Queries
projects/en/torbrowser/design/index.html.en  877) still <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2875" target="_top">need
projects/en/torbrowser/design/index.html.en  878) to be dealt with</a>.
projects/en/torbrowser/design/index.html.en  879) 
projects/en/torbrowser/design/index.html.en  880)      </p></li><li class="listitem">Timezone and clock offset
projects/en/torbrowser/design/index.html.en  881)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  882) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     883) All Tor Browser users MUST report the same timezone to websites. Currently, we
projects/torbrowser/design/index.html.en     884) choose UTC for this purpose, although an equally valid argument could be made
projects/torbrowser/design/index.html.en     885) for EDT/EST due to the large English-speaking population density (coupled with
projects/torbrowser/design/index.html.en     886) the fact that we spoof a US English user agent).  Additionally, the Tor
projects/torbrowser/design/index.html.en     887) software should detect if the users clock is significantly divergent from the
projects/torbrowser/design/index.html.en     888) clocks of the relays that it connects to, and use this to reset the clock
projects/torbrowser/design/index.html.en     889) values used in Tor Browser to something reasonably accurate.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  890) 
projects/en/torbrowser/design/index.html.en  891)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  892) 
projects/en/torbrowser/design/index.html.en  893) We set the timezone using the TZ environment variable, which is supported on
projects/en/torbrowser/design/index.html.en  894) all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652" target="_top">obtain a clock
projects/en/torbrowser/design/index.html.en  895) offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in
projects/en/torbrowser/design/index.html.en  896) use.
projects/en/torbrowser/design/index.html.en  897) 
projects/en/torbrowser/design/index.html.en  898)      </p></li><li class="listitem">Javascript performance fingerprinting
projects/en/torbrowser/design/index.html.en  899)      <p>
projects/en/torbrowser/design/index.html.en  900) 
projects/en/torbrowser/design/index.html.en  901) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance
projects/en/torbrowser/design/index.html.en  902) fingerprinting</a> is the act of profiling the performance
projects/en/torbrowser/design/index.html.en  903) of various Javascript functions for the purpose of fingerprinting the
projects/en/torbrowser/design/index.html.en  904) Javascript engine and the CPU.
projects/en/torbrowser/design/index.html.en  905) 
projects/en/torbrowser/design/index.html.en  906)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  907) 
projects/en/torbrowser/design/index.html.en  908) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
projects/en/torbrowser/design/index.html.en  909) mitigation approaches</a> to reduce the accuracy of performance
projects/en/torbrowser/design/index.html.en  910) fingerprinting without risking too much damage to functionality. Our current
projects/en/torbrowser/design/index.html.en  911) favorite is to reduce the resolution of the Event.timeStamp and the Javascript
projects/en/torbrowser/design/index.html.en  912) Date() object, while also introducing jitter. Our goal is to increase the
projects/en/torbrowser/design/index.html.en  913) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found that
projects/en/torbrowser/design/index.html.en  914) even with the default precision in most browsers, they required up to 120
projects/en/torbrowser/design/index.html.en  915) seconds of amortization and repeated trials to get stable results from their
projects/en/torbrowser/design/index.html.en  916) feature set. We intend to work with the research community to establish the
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     917) optimum trade-off between quantization+jitter and amortization time.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  918) 
projects/en/torbrowser/design/index.html.en  919) 
projects/en/torbrowser/design/index.html.en  920)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  921) 
projects/en/torbrowser/design/index.html.en  922) We have no implementation as of yet.
projects/en/torbrowser/design/index.html.en  923) 
projects/en/torbrowser/design/index.html.en  924)      </p></li><li class="listitem">Keystroke fingerprinting
projects/en/torbrowser/design/index.html.en  925)      <p>
projects/en/torbrowser/design/index.html.en  926) 
projects/en/torbrowser/design/index.html.en  927) Keystroke fingerprinting is the act of measuring key strike time and key
projects/en/torbrowser/design/index.html.en  928) flight time. It is seeing increasing use as a biometric.
projects/en/torbrowser/design/index.html.en  929) 
projects/en/torbrowser/design/index.html.en  930)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  931) 
projects/en/torbrowser/design/index.html.en  932) We intend to rely on the same mechanisms for defeating Javascript performance
projects/en/torbrowser/design/index.html.en  933) fingerprinting: timestamp quantization and jitter.
projects/en/torbrowser/design/index.html.en  934) 
projects/en/torbrowser/design/index.html.en  935)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  936) We have no implementation as of yet.
projects/en/torbrowser/design/index.html.en  937)      </p></li><li class="listitem">WebGL
projects/en/torbrowser/design/index.html.en  938)      <p>
projects/en/torbrowser/design/index.html.en  939) 
projects/en/torbrowser/design/index.html.en  940) WebGL is fingerprintable both through information that is exposed about the
projects/en/torbrowser/design/index.html.en  941) underlying driver and optimizations, as well as through performance
projects/en/torbrowser/design/index.html.en  942) fingerprinting.
projects/en/torbrowser/design/index.html.en  943) 
projects/en/torbrowser/design/index.html.en  944)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  945) 
projects/en/torbrowser/design/index.html.en  946) Because of the large amount of potential fingerprinting vectors, we intend to
projects/en/torbrowser/design/index.html.en  947) deploy a similar strategy against WebGL as for plugins. First, WebGL canvases
projects/en/torbrowser/design/index.html.en  948) will have click-to-play placeholders, and will not run until authorized by the
projects/en/torbrowser/design/index.html.en  949) user. Second, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3323" target="_top">obfuscate driver
projects/en/torbrowser/design/index.html.en  950) information</a> by hooking
projects/en/torbrowser/design/index.html.en  951) <span class="command"><strong>getParameter()</strong></span>,
projects/en/torbrowser/design/index.html.en  952) <span class="command"><strong>getSupportedExtensions()</strong></span>,
projects/en/torbrowser/design/index.html.en  953) <span class="command"><strong>getExtension()</strong></span>, and
projects/en/torbrowser/design/index.html.en  954) <span class="command"><strong>getContextAttributes()</strong></span> to provide standard minimal,
projects/en/torbrowser/design/index.html.en  955) driver-neutral information.
projects/en/torbrowser/design/index.html.en  956) 
projects/en/torbrowser/design/index.html.en  957)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  958) 
projects/en/torbrowser/design/index.html.en  959) Currently we simply disable WebGL. 
projects/en/torbrowser/design/index.html.en  960) 
projects/en/torbrowser/design/index.html.en  961)      </p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  962) In order to avoid long-term linkability, we provide a "New Identity" context
projects/en/torbrowser/design/index.html.en  963) menu option in Torbutton.
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     964)    </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id3068567"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  965) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     966) All linkable identifiers and browser state MUST be cleared by this feature.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  967) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     968)     </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3057460"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     969) 
projects/torbrowser/design/index.html.en     970)    First, Torbutton disables all open tabs and windows via nsIContentPolicy
projects/torbrowser/design/index.html.en     971) blocking, and then closes each tab and window. The extra step for blocking
projects/torbrowser/design/index.html.en     972) tabs is done as a precaution to ensure that any asynchronous Javascript is in
projects/torbrowser/design/index.html.en     973) fact properly disabled. After closing all of the windows, we then clear the
projects/torbrowser/design/index.html.en     974) following state: OCSP (by toggling security.OCSP.enabled), cache,
projects/torbrowser/design/index.html.en     975) site-specific zoom and content preferences, Cookies, DOM storage, safe
projects/torbrowser/design/index.html.en     976) browsing key, the Google wifi geolocation token (if exists), HTTP auth, SSL
projects/torbrowser/design/index.html.en     977) Session IDs, HSTS state, and the last opened URL field (via the pref
projects/torbrowser/design/index.html.en     978) general.open_location.last_url). After clearing the browser state, we then
projects/torbrowser/design/index.html.en     979) send the NEWNYM signal to the Tor control port to cause a new circuit to be
projects/torbrowser/design/index.html.en     980) created.
projects/torbrowser/design/index.html.en     981) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  982)     </blockquote></div></div></div><div class="sect2" title="3.8. Click-to-play for plugins and invasive content"><div class="titlepage"><div><div><h3 class="title"><a id="click-to-play"></a>3.8. Click-to-play for plugins and invasive content</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  983) Some content types are too invasive and/or too opaque for us to properly
projects/en/torbrowser/design/index.html.en  984) eliminate their linkability properties. For these content types, we use
projects/en/torbrowser/design/index.html.en  985) NoScript to provide click-to-play placeholders that do not activate the
projects/en/torbrowser/design/index.html.en  986) content until the user clicks on it. This will eliminate the ability for an
projects/en/torbrowser/design/index.html.en  987) adversary to use such content types to link users in a dragnet fashion across
projects/en/torbrowser/design/index.html.en  988) arbitrary sites.
projects/en/torbrowser/design/index.html.en  989)    </p><p>
projects/en/torbrowser/design/index.html.en  990) Currently, the content types isolated in this way include Flash, WebGL, and
projects/en/torbrowser/design/index.html.en  991) audio and video objects.
projects/en/torbrowser/design/index.html.en  992)    </p></div><div class="sect2" title="3.9. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"></a>3.9. Description of Firefox Patches</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  993) The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/refs/heads/maint-2.2:/src/current-patches" target="_top">current-patches
projects/en/torbrowser/design/index.html.en  994) directory of the torbrowser git repository</a>. They are:
projects/en/torbrowser/design/index.html.en  995)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Block Components.interfaces and Components.lookupMethod
projects/en/torbrowser/design/index.html.en  996)      <p>
projects/en/torbrowser/design/index.html.en  997) 
projects/en/torbrowser/design/index.html.en  998) In order to reduce fingerprinting, we block access to these two interfaces
projects/en/torbrowser/design/index.html.en  999) from content script. Components.lookupMethod can undo our <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">Javascript
projects/en/torbrowser/design/index.html.en 1000) hooks</a>,
projects/en/torbrowser/design/index.html.en 1001) and Components.interfaces can be used for fingerprinting the platform, OS, and
projects/en/torbrowser/design/index.html.en 1002) Firebox version, but not much else.
projects/en/torbrowser/design/index.html.en 1003) 
projects/en/torbrowser/design/index.html.en 1004)      </p></li><li class="listitem">Make Permissions Manager memory only
projects/en/torbrowser/design/index.html.en 1005)      <p>
projects/en/torbrowser/design/index.html.en 1006) 
projects/en/torbrowser/design/index.html.en 1007) This patch exposes a pref 'permissions.memory_only' that properly isolates the
projects/en/torbrowser/design/index.html.en 1008) permissions manager to memory, which is responsible for all user specified
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1009) site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a>
projects/torbrowser/design/index.html.en    1010) policy from visited sites.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1011) 
projects/en/torbrowser/design/index.html.en 1012) The pref does successfully clear the permissions manager memory if toggled. It
projects/en/torbrowser/design/index.html.en 1013) does not need to be set in prefs.js, and can be handled by Torbutton.
projects/en/torbrowser/design/index.html.en 1014) 
projects/en/torbrowser/design/index.html.en 1015)      </p></li><li class="listitem">Make Intermediate Cert Store memory-only
projects/en/torbrowser/design/index.html.en 1016)      <p>
projects/en/torbrowser/design/index.html.en 1017) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1018) The intermediate certificate store records the intermediate SSL certificates
projects/torbrowser/design/index.html.en    1019) the browser has seen to date. Because these intermediate certificates are used 
projects/torbrowser/design/index.html.en    1020) by a limited number of domains (and in some cases, only a single domain),
projects/torbrowser/design/index.html.en    1021) the intermediate certificate store can serve as a low-resolution record of
projects/torbrowser/design/index.html.en    1022) browsing history.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1023) 
projects/en/torbrowser/design/index.html.en 1024)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1025) 
projects/en/torbrowser/design/index.html.en 1026) As an additional design goal, we would like to later alter this patch to allow this
projects/en/torbrowser/design/index.html.en 1027) information to be cleared from memory. The implementation does not currently
projects/en/torbrowser/design/index.html.en 1028) allow this.
projects/en/torbrowser/design/index.html.en 1029) 
projects/en/torbrowser/design/index.html.en 1030)      </p></li><li class="listitem">Add HTTP auth headers before on-modify-request fires
projects/en/torbrowser/design/index.html.en 1031)      <p>
projects/en/torbrowser/design/index.html.en 1032) 
projects/en/torbrowser/design/index.html.en 1033) This patch provides a trivial modification to allow us to properly remove HTTP
projects/en/torbrowser/design/index.html.en 1034) auth for third parties. This patch allows us to defend against an adversary
projects/en/torbrowser/design/index.html.en 1035) attempting to use <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">HTTP
projects/en/torbrowser/design/index.html.en 1036) auth to silently track users between domains</a>.
projects/en/torbrowser/design/index.html.en 1037) 
projects/en/torbrowser/design/index.html.en 1038)      </p></li><li class="listitem">Add a string-based cacheKey property for domain isolation
projects/en/torbrowser/design/index.html.en 1039)      <p>
projects/en/torbrowser/design/index.html.en 1040) 
projects/en/torbrowser/design/index.html.en 1041) To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
projects/en/torbrowser/design/index.html.en 1042) security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and
projects/en/torbrowser/design/index.html.en 1043) unknown conflicts with OCSP</a>, we had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1044) Firefox to provide a cacheDomain cache attribute</a>. We use the url bar
projects/torbrowser/design/index.html.en    1045) FQDN as input to this field.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1046) 
projects/en/torbrowser/design/index.html.en 1047)      </p></li><li class="listitem">Randomize HTTP pipeline order and depth
projects/en/torbrowser/design/index.html.en 1048)      <p>
projects/en/torbrowser/design/index.html.en 1049) As an 
projects/en/torbrowser/design/index.html.en 1050) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
projects/en/torbrowser/design/index.html.en 1051) defense against Website Traffic Fingerprinting</a>, we patch the standard
projects/en/torbrowser/design/index.html.en 1052) HTTP pipelining code to randomize the number of requests in a
projects/en/torbrowser/design/index.html.en 1053) pipeline, as well as their order.
projects/en/torbrowser/design/index.html.en 1054)      </p></li><li class="listitem">Block all plugins except flash
projects/en/torbrowser/design/index.html.en 1055)      <p>
projects/en/torbrowser/design/index.html.en 1056) We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1" target="_top">
projects/en/torbrowser/design/index.html.en 1057) @mozilla.org/extensions/blocklist;1</a> service, because we
projects/en/torbrowser/design/index.html.en 1058) actually want to stop plugins from ever entering the browser's process space
projects/en/torbrowser/design/index.html.en 1059) and/or executing code (for example, AV plugins that collect statistics/analyze
projects/en/torbrowser/design/index.html.en 1060) URLs, magical toolbars that phone home or "help" the user, skype buttons that
projects/en/torbrowser/design/index.html.en 1061) ruin our day, and censorship filters). Hence we rolled our own.
projects/en/torbrowser/design/index.html.en 1062)      </p></li><li class="listitem">Make content-prefs service memory only
projects/en/torbrowser/design/index.html.en 1063)      <p>
projects/en/torbrowser/design/index.html.en 1064) This patch prevents random URLs from being inserted into content-prefs.sqllite in
projects/en/torbrowser/design/index.html.en 1065) the profile directory as content prefs change (includes site-zoom and perhaps
projects/en/torbrowser/design/index.html.en 1066) other site prefs?).
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1067)      </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033960"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033967"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033984"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1068) 
projects/en/torbrowser/design/index.html.en 1069) The purpose of this section is to cover all the known ways that Tor browser
projects/en/torbrowser/design/index.html.en 1070) security can be subverted from a penetration testing perspective. The hope
projects/en/torbrowser/design/index.html.en 1071) is that it will be useful both for creating a "Tor Safety Check"
projects/en/torbrowser/design/index.html.en 1072) page, and for developing novel tests and actively attacking Torbutton with the
projects/en/torbrowser/design/index.html.en 1073) goal of finding vulnerabilities in either it or the Mozilla components,
projects/en/torbrowser/design/index.html.en 1074) interfaces and settings upon which it relies.
projects/en/torbrowser/design/index.html.en 1075) 
projects/en/torbrowser/design/index.html.en 1076)   </p><div class="sect2" title="5.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>5.1. Single state testing</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 1077) 
projects/en/torbrowser/design/index.html.en 1078) Torbutton is a complicated piece of software. During development, changes to
projects/en/torbrowser/design/index.html.en 1079) one component can affect a whole slough of unrelated features.  A number of
projects/en/torbrowser/design/index.html.en 1080) aggregated test suites exist that can be used to test for regressions in
projects/en/torbrowser/design/index.html.en 1081) Torbutton and to help aid in the development of Torbutton-like addons and
projects/en/torbrowser/design/index.html.en 1082) other privacy modifications of other browsers. Some of these test suites exist
projects/en/torbrowser/design/index.html.en 1083) as a single automated page, while others are a series of pages you must visit
projects/en/torbrowser/design/index.html.en 1084) individually. They are provided here for reference and future regression
projects/en/torbrowser/design/index.html.en 1085) testing, and also in the hope that some brave soul will one day decide to
projects/en/torbrowser/design/index.html.en 1086) combine them into a comprehensive automated test suite.
projects/en/torbrowser/design/index.html.en 1087) 
projects/en/torbrowser/design/index.html.en 1088)      </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://decloak.net/" target="_top">Decloak.net</a><p>
projects/en/torbrowser/design/index.html.en 1089) 
projects/en/torbrowser/design/index.html.en 1090) Decloak.net is the canonical source of plugin and external-application based
projects/en/torbrowser/design/index.html.en 1091) proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to
projects/en/torbrowser/design/index.html.en 1092) use to test their anonymity systems.
projects/en/torbrowser/design/index.html.en 1093) 
projects/en/torbrowser/design/index.html.en 1094)        </p></li><li class="listitem"><a class="ulink" href="http://deanonymizer.com/" target="_top">Deanonymizer.com</a><p>
projects/en/torbrowser/design/index.html.en 1095) 
projects/en/torbrowser/design/index.html.en 1096) Deanonymizer.com is another automated test suite that tests for proxy bypass
projects/en/torbrowser/design/index.html.en 1097) and other information disclosure vulnerabilities. It is maintained by Kyle
projects/en/torbrowser/design/index.html.en 1098) Williams, the author of <a class="ulink" href="http://www.janusvm.com/" target="_top">JanusVM</a>
projects/en/torbrowser/design/index.html.en 1099) and <a class="ulink" href="http://www.januspa.com/" target="_top">JanusPA</a>.
projects/en/torbrowser/design/index.html.en 1100) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1101)        </p></li><li class="listitem"><a class="ulink" href="https://ip-check.info" target="_top">JonDos
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1102) AnonTest</a><p>
projects/en/torbrowser/design/index.html.en 1103) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1104) The <a class="ulink" href="https://anonymous-proxy-servers.net/" target="_top">JonDos people</a> also provide an
projects/torbrowser/design/index.html.en    1105) anonymity tester. It is more focused on HTTP headers and behaviors than plugin bypass, and
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1106) points out a couple of headers Torbutton could do a better job with
projects/en/torbrowser/design/index.html.en 1107) obfuscating.
projects/en/torbrowser/design/index.html.en 1108) 
projects/en/torbrowser/design/index.html.en 1109)        </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p>
projects/en/torbrowser/design/index.html.en 1110) 
projects/en/torbrowser/design/index.html.en 1111) Browserspy.dk provides a tremendous collection of browser fingerprinting and
projects/en/torbrowser/design/index.html.en 1112) general privacy tests. Unfortunately they are only available one page at a
projects/en/torbrowser/design/index.html.en 1113) time, and there is not really solid feedback on good vs bad behavior in
projects/en/torbrowser/design/index.html.en 1114) the test results.
projects/en/torbrowser/design/index.html.en 1115) 
projects/en/torbrowser/design/index.html.en 1116)        </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy
projects/en/torbrowser/design/index.html.en 1117) Analyzer</a><p>
projects/en/torbrowser/design/index.html.en 1118) 
projects/en/torbrowser/design/index.html.en 1119) The Privacy Analyzer provides a dump of all sorts of browser attributes and
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1120) settings that it detects, including some information on your original IP