projects/torbrowser/design/index.html.en (446803ab4) - tor-webwml.git

446803ab4bfc19b8e0e736631447b4ded1059699

Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1) <?xml version="1.0" encoding="UTF-8"?> projects/en/torbrowser/design/index.html.en 2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 3) <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 19 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id3042393">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3042393"></a>1. Introduction</h2></div></div></div><p>
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 4) projects/en/torbrowser/design/index.html.en 5) This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>, projects/en/torbrowser/design/index.html.en 6) <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, projects/en/torbrowser/design/index.html.en 7) <a class="link" href="#Implementation" title="3. Implementation">implementation</a>, <a class="link" href="#Packaging" title="4. Packaging">packaging</a> and <a class="link" href="#Testing" title="5. Testing">testing projects/en/torbrowser/design/index.html.en 8) procedures</a> of the Tor Browser. It is
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 9) current as of Tor Browser 2.2.33-3.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 10) projects/en/torbrowser/design/index.html.en 11) </p><p> projects/en/torbrowser/design/index.html.en 12) projects/en/torbrowser/design/index.html.en 13) This document is also meant to serve as a set of design requirements and to projects/en/torbrowser/design/index.html.en 14) describe a reference implementation of a Private Browsing Mode that defends`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 15) against active network adversaries, in addition to the passive forensic local projects/torbrowser/design/index.html.en 16) adversary currently addressed by the major browsers.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 17) projects/en/torbrowser/design/index.html.en 18) </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 19) projects/en/torbrowser/design/index.html.en 20) A Tor web browser adversary has a number of goals, capabilities, and attack projects/en/torbrowser/design/index.html.en 21) types that can be used to guide us towards a set of requirements for the projects/en/torbrowser/design/index.html.en 22) Tor Browser. Let's start with the goals. projects/en/torbrowser/design/index.html.en 23) projects/en/torbrowser/design/index.html.en 24) </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of projects/en/torbrowser/design/index.html.en 25) Tor, causing the user to directly connect to an IP of the adversary's projects/en/torbrowser/design/index.html.en 26) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely projects/en/torbrowser/design/index.html.en 27) happily settle for the ability to correlate something a user did via Tor with projects/en/torbrowser/design/index.html.en 28) their non-Tor activity. This can be done with cookies, cache identifiers, projects/en/torbrowser/design/index.html.en 29) javascript events, and even CSS. Sometimes the fact that a user uses Tor may projects/en/torbrowser/design/index.html.en 30) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p> projects/en/torbrowser/design/index.html.en 31) The adversary may also be interested in history disclosure: the ability to projects/en/torbrowser/design/index.html.en 32) query a user's history to see if they have issued certain censored search projects/en/torbrowser/design/index.html.en 33) queries, or visited censored sites. projects/en/torbrowser/design/index.html.en 34) </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p> projects/en/torbrowser/design/index.html.en 35) projects/en/torbrowser/design/index.html.en 36) Location information such as timezone and locality can be useful for the projects/en/torbrowser/design/index.html.en 37) adversary to determine if a user is in fact originating from one of the projects/en/torbrowser/design/index.html.en 38) regions they are attempting to control, or to zero-in on the geographical projects/en/torbrowser/design/index.html.en 39) location of a particular dissident or whistleblower. projects/en/torbrowser/design/index.html.en 40) projects/en/torbrowser/design/index.html.en 41) </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p> projects/en/torbrowser/design/index.html.en 42) projects/en/torbrowser/design/index.html.en 43) Anonymity set reduction is also useful in attempting to zero in on a projects/en/torbrowser/design/index.html.en 44) particular individual. If the dissident or whistleblower is using a rare build projects/en/torbrowser/design/index.html.en 45) of Firefox for an obscure operating system, this can be very useful projects/en/torbrowser/design/index.html.en 46) information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>. projects/en/torbrowser/design/index.html.en 47) projects/en/torbrowser/design/index.html.en 48) </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk projects/en/torbrowser/design/index.html.en 49) information</strong></span><p> projects/en/torbrowser/design/index.html.en 50) In some cases, the adversary may opt for a heavy-handed approach, such as projects/en/torbrowser/design/index.html.en 51) seizing the computers of all Tor users in an area (especially after narrowing projects/en/torbrowser/design/index.html.en 52) the field by the above two pieces of information). History records and cache projects/en/torbrowser/design/index.html.en 53) data are the primary goals here. projects/en/torbrowser/design/index.html.en 54) </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p> projects/en/torbrowser/design/index.html.en 55) The adversary can position themselves at a number of different locations in projects/en/torbrowser/design/index.html.en 56) order to execute their attacks. projects/en/torbrowser/design/index.html.en 57) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p> projects/en/torbrowser/design/index.html.en 58) The adversary can run exit nodes, or alternatively, they may control routers projects/en/torbrowser/design/index.html.en 59) upstream of exit nodes. Both of these scenarios have been observed in the projects/en/torbrowser/design/index.html.en 60) wild.
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 61) </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 62) The adversary can also run websites, or more likely, they can contract out`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 63) ad space from a number of different ad servers and inject content that way. For projects/torbrowser/design/index.html.en 64) some users, the adversary may be the ad servers themselves. It is not projects/torbrowser/design/index.html.en 65) inconceivable that ad servers may try to subvert or reduce a user's anonymity`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 66) through Tor for marketing purposes. projects/en/torbrowser/design/index.html.en 67) </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p> projects/en/torbrowser/design/index.html.en 68) The adversary can also inject malicious content at the user's upstream router projects/en/torbrowser/design/index.html.en 69) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor projects/en/torbrowser/design/index.html.en 70) activity. projects/en/torbrowser/design/index.html.en 71) </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p> projects/en/torbrowser/design/index.html.en 72) Some users face adversaries with intermittent or constant physical access. projects/en/torbrowser/design/index.html.en 73) Users in Internet cafes, for example, face such a threat. In addition, in projects/en/torbrowser/design/index.html.en 74) countries where simply using tools like Tor is illegal, users may face projects/en/torbrowser/design/index.html.en 75) confiscation of their computer equipment for excessive Tor usage or just projects/en/torbrowser/design/index.html.en 76) general suspicion. projects/en/torbrowser/design/index.html.en 77) </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p> projects/en/torbrowser/design/index.html.en 78) projects/en/torbrowser/design/index.html.en 79) The adversary can perform the following attacks from a number of different projects/en/torbrowser/design/index.html.en 80) positions to accomplish various aspects of their goals. It should be noted projects/en/torbrowser/design/index.html.en 81) that many of these attacks (especially those involving IP address leakage) are projects/en/torbrowser/design/index.html.en 82) often performed by accident by websites that simply have Javascript, dynamic
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 83) CSS elements, and plugins. Others are performed by ad servers seeking to`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 84) correlate users' activity across different IP addresses, and still others are projects/en/torbrowser/design/index.html.en 85) performed by malicious agents on the Tor network and at national firewalls. projects/en/torbrowser/design/index.html.en 86)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 87) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 88)`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 89) The browser contains multiple facilities for storing identifiers that the projects/torbrowser/design/index.html.en 90) adversary creates for the purposes of tracking users. These identifiers are projects/torbrowser/design/index.html.en 91) most obviously cookies, but also include HTTP auth, DOM storage, cached projects/torbrowser/design/index.html.en 92) scripts and other elements with embedded identifiers, client certificates, and projects/torbrowser/design/index.html.en 93) even TLS Session IDs.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 94)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 95) </p><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 96) projects/en/torbrowser/design/index.html.en 97) An adversary in a position to perform MITM content alteration can inject projects/en/torbrowser/design/index.html.en 98) document content elements to both read and inject cookies for arbitrary`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 99) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 100) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active projects/en/torbrowser/design/index.html.en 101) sidejacking</a>. In addition, the ad networks of course perform tracking projects/en/torbrowser/design/index.html.en 102) with cookies as well. projects/en/torbrowser/design/index.html.en 103) projects/en/torbrowser/design/index.html.en 104) </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser projects/en/torbrowser/design/index.html.en 105) attributes</strong></span><p> projects/en/torbrowser/design/index.html.en 106) projects/en/torbrowser/design/index.html.en 107) There is an absurd amount of information available to websites via attributes projects/en/torbrowser/design/index.html.en 108) of the browser. This information can be used to reduce anonymity set, or even
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 109) uniquely fingerprint individual users. Fingerprinting is an intimidating projects/torbrowser/design/index.html.en 110) problem to attempt to tackle, especially without a metric to determine or at projects/torbrowser/design/index.html.en 111) least intuitively understand and estimate which features will most contribute projects/torbrowser/design/index.html.en 112) to linkability between visits. projects/torbrowser/design/index.html.en 113) projects/torbrowser/design/index.html.en 114) </p><p> projects/torbrowser/design/index.html.en 115) projects/torbrowser/design/index.html.en 116) The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study projects/torbrowser/design/index.html.en 117) done</a> by the EFF uses the actual entropy - the number of identifying projects/torbrowser/design/index.html.en 118) bits of information encoded in browser properties - as this metric. Their projects/torbrowser/design/index.html.en 119) <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> projects/torbrowser/design/index.html.en 120) is definitely useful, and the metric is probably the appropriate one for
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 121) determining how identifying a particular browser property is. However, some projects/en/torbrowser/design/index.html.en 122) quirks of their study means that they do not extract as much information as`
Minor cleanup to TBB design... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 123) they could from display information: they only use desktop resolution and do projects/torbrowser/design/index.html.en 124) not attempt to infer the size of toolbars. In the other direction, they may be projects/torbrowser/design/index.html.en 125) over-counting in some areas, as they did not compute joint entropy over projects/torbrowser/design/index.html.en 126) multiple attributes that may exhibit a high degree of correlation. Also, new projects/torbrowser/design/index.html.en 127) browser features are added regularly, so the data should not be taken as projects/torbrowser/design/index.html.en 128) final.
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 129) projects/torbrowser/design/index.html.en 130) </p><p> projects/torbrowser/design/index.html.en 131) projects/torbrowser/design/index.html.en 132) Despite the uncertainty, all fingerprinting attacks leverage the following projects/torbrowser/design/index.html.en 133) attack vectors: projects/torbrowser/design/index.html.en 134) projects/torbrowser/design/index.html.en 135) </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p> projects/torbrowser/design/index.html.en 136) projects/torbrowser/design/index.html.en 137) Properties of the user's request behavior comprise the bulk of low-hanging projects/torbrowser/design/index.html.en 138) fingerprinting targets. These include: User agent, Accept-* headers, pipeline projects/torbrowser/design/index.html.en 139) usage, and request ordering. Additionally, the use of custom filters such as projects/torbrowser/design/index.html.en 140) AdBlock and other privacy filters can be used to fingerprint request patterns projects/torbrowser/design/index.html.en 141) (as an extreme example). projects/torbrowser/design/index.html.en 142) projects/torbrowser/design/index.html.en 143) </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 144)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 145) Javascript can reveal a lot of fingerprinting information. It provides DOM`
Minor cleanup to TBB design... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 146) objects such as window.screen and window.navigator to extract information projects/torbrowser/design/index.html.en 147) about the useragent. projects/torbrowser/design/index.html.en 148) projects/torbrowser/design/index.html.en 149) Also, Javascript can be used to query the user's timezone via the projects/torbrowser/design/index.html.en 150) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can projects/torbrowser/design/index.html.en 151) reveal information about the video cart in use, and high precision timing projects/torbrowser/design/index.html.en 152) information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and projects/torbrowser/design/index.html.en 153) interpreter speed</a>. In the future, new JavaScript features such as projects/torbrowser/design/index.html.en 154) <a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/" target="_top">Resource projects/torbrowser/design/index.html.en 155) Timing</a> may leak an unknown amount of network timing related projects/torbrowser/design/index.html.en 156) information.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 157) projects/en/torbrowser/design/index.html.en 158)`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 159) projects/torbrowser/design/index.html.en 160) </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p> projects/torbrowser/design/index.html.en 161) projects/torbrowser/design/index.html.en 162) The Panopticlick project found that the mere list of installed plugins (in projects/torbrowser/design/index.html.en 163) navigator.plugins) was sufficient to provide a large degree of projects/torbrowser/design/index.html.en 164) fingerprintability. Additionally, plugins are capable of extracting font lists, projects/torbrowser/design/index.html.en 165) interface addresses, and other machine information that is beyond what the projects/torbrowser/design/index.html.en 166) browser would normally provide to content. In addition, plugins can be used to projects/torbrowser/design/index.html.en 167) store unique identifiers that are more difficult to clear than standard projects/torbrowser/design/index.html.en 168) cookies. <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based projects/torbrowser/design/index.html.en 169) cookies</a> fall into this category, but there are likely numerous other projects/torbrowser/design/index.html.en 170) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy projects/torbrowser/design/index.html.en 171) settings of the browser. projects/torbrowser/design/index.html.en 172) projects/torbrowser/design/index.html.en 173) projects/torbrowser/design/index.html.en 174) </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p> projects/torbrowser/design/index.html.en 175) projects/torbrowser/design/index.html.en 176) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media projects/torbrowser/design/index.html.en 177) queries</a> can be inserted to gather information about the desktop size, projects/torbrowser/design/index.html.en 178) widget size, display type, DPI, user agent type, and other information that projects/torbrowser/design/index.html.en 179) was formerly available only to Javascript. projects/torbrowser/design/index.html.en 180) projects/torbrowser/design/index.html.en 181) </p></li></ol></div></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 182) OS</strong></span><p> projects/en/torbrowser/design/index.html.en 183) projects/en/torbrowser/design/index.html.en 184) Last, but definitely not least, the adversary can exploit either general projects/en/torbrowser/design/index.html.en 185) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to projects/en/torbrowser/design/index.html.en 186) install malware and surveillance software. An adversary with physical access projects/en/torbrowser/design/index.html.en 187) can perform similar actions. Regrettably, this last attack capability is projects/en/torbrowser/design/index.html.en 188) outside of our ability to defend against, but it is worth mentioning for projects/en/torbrowser/design/index.html.en 189) completeness. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails projects/en/torbrowser/design/index.html.en 190) system</a> however can provide some limited defenses against this projects/en/torbrowser/design/index.html.en 191) adversary. projects/en/torbrowser/design/index.html.en 192) projects/en/torbrowser/design/index.html.en 193) </p></li></ol></div></div></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p> projects/en/torbrowser/design/index.html.en 194) projects/en/torbrowser/design/index.html.en 195) The Tor Browser Design Requirements are meant to describe the properties of a
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 196) Private Browsing Mode that defends against both network and local forensic projects/torbrowser/design/index.html.en 197) adversaries.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 198) projects/en/torbrowser/design/index.html.en 199) </p><p> projects/en/torbrowser/design/index.html.en 200) projects/en/torbrowser/design/index.html.en 201) There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 202) minimum properties in order for a browser to be able to support Tor and projects/torbrowser/design/index.html.en 203) similar privacy proxies safely. Privacy requirements are the set of properties projects/torbrowser/design/index.html.en 204) that cause us to prefer one browser platform over another.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 205) projects/en/torbrowser/design/index.html.en 206) </p><p> projects/en/torbrowser/design/index.html.en 207)`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 208) While we will endorse the use of browsers that meet the security requirements, projects/torbrowser/design/index.html.en 209) it is primarily the privacy requirements that cause us to maintain our own projects/torbrowser/design/index.html.en 210) browser distribution. projects/torbrowser/design/index.html.en 211) projects/torbrowser/design/index.html.en 212) </p><p> projects/torbrowser/design/index.html.en 213) projects/torbrowser/design/index.html.en 214) The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL projects/torbrowser/design/index.html.en 215) NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and projects/torbrowser/design/index.html.en 216) "OPTIONAL" in this document are to be interpreted as described in projects/torbrowser/design/index.html.en 217) <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 218) projects/en/torbrowser/design/index.html.en 219) </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 220) projects/en/torbrowser/design/index.html.en 221) The security requirements are primarily concerned with ensuring the safe use projects/en/torbrowser/design/index.html.en 222) of Tor. Violations in these properties typically result in serious risk for
Add a couple extra sentence... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 223) the user in terms of immediate deanonymization and/or observability. With projects/torbrowser/design/index.html.en 224) respect to platform support, security requirements are the minimum properties projects/torbrowser/design/index.html.en 225) in order for Tor to support the use of a web client platform.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 226)`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 227) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="3.1. Proxy Obedience"><span class="command"><strong>Proxy projects/torbrowser/design/index.html.en 228) Obedience</strong></span></a><p>The browser projects/torbrowser/design/index.html.en 229) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="3.2. State Separation"><span class="command"><strong>State projects/torbrowser/design/index.html.en 230) Separation</strong></span></a><p>The browser MUST NOT provide any stored state to the content window
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 231) from other browsers or other browsing modes, including shared state from projects/en/torbrowser/design/index.html.en 232) plugins, machine identifiers, and TLS session state.`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 233) </p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance"><span class="command"><strong>Disk projects/torbrowser/design/index.html.en 234) Avoidance</strong></span></a><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 235) projects/torbrowser/design/index.html.en 236) The browser MUST NOT write any information that is derived from or that projects/torbrowser/design/index.html.en 237) reveals browsing activity to the disk, or store it in memory beyond the projects/torbrowser/design/index.html.en 238) duration of one browsing session, unless the user has explicitly opted to projects/torbrowser/design/index.html.en 239) store their browsing history information to disk. projects/torbrowser/design/index.html.en 240)
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 241) </p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="3.4. Application Data Isolation"><span class="command"><strong>Application Data projects/torbrowser/design/index.html.en 242) Isolation</strong></span></a><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 243)`
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 244) The components involved in providing private browsing MUST be self-contained,`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 245) or MUST provide a mechanism for rapid, complete removal of all evidence of the projects/torbrowser/design/index.html.en 246) use of the mode. In other words, the browser MUST NOT write or cause the projects/torbrowser/design/index.html.en 247) operating system to write <span class="emphasis"><em>any information</em></span> about the use projects/torbrowser/design/index.html.en 248) of private browsing to disk outside of the application's control. The user projects/torbrowser/design/index.html.en 249) must be able to ensure that secure removal of the software is sufficient to projects/torbrowser/design/index.html.en 250) remove evidence of the use of the software. All exceptions and shortcomings
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 251) due to operating system behavior MUST be wiped by an uninstaller. However, due`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 252) to permissions issues with access to swap, implementations MAY choose to leave projects/torbrowser/design/index.html.en 253) it out of scope, and/or leave it to the user to implement encrypted swap.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 254)`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 255) </p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 256) projects/en/torbrowser/design/index.html.en 257) The privacy requirements are primarily concerned with reducing linkability:`
Add a couple extra sentence... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 258) the ability for a user's activity on one site to be linked with their activity projects/torbrowser/design/index.html.en 259) on another site without their knowledge or explicit consent. With respect to projects/torbrowser/design/index.html.en 260) platform support, privacy requirements are the set of properties that cause us projects/torbrowser/design/index.html.en 261) to prefer one platform over another.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 262)`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 263) </p><p> projects/torbrowser/design/index.html.en 264) projects/torbrowser/design/index.html.en 265) For the purposes of the unlinkability requirements of this section as well as projects/torbrowser/design/index.html.en 266) the descriptions in the <a class="link" href="#Implementation" title="3. Implementation">implementation projects/torbrowser/design/index.html.en 267) section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the projects/torbrowser/design/index.html.en 268) second-level DNS name. For example, for mail.google.com, the origin would be projects/torbrowser/design/index.html.en 269) google.com. Implementations MAY, at their option, restrict the url bar origin
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 270) to be the entire fully qualified domain name.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 271)`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 272) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="3.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin projects/torbrowser/design/index.html.en 273) Identifier Unlinkability</strong></span></a><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 274)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 275) User activity on one url bar origin MUST NOT be linkable to their activity in`
Update TBB design doc based... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 276) any other url bar origin by any third party automatically or without user projects/torbrowser/design/index.html.en 277) interaction or approval. This requirement specifically applies to linkability projects/torbrowser/design/index.html.en 278) from stored browser identifiers, authentication tokens, and shared state. The projects/torbrowser/design/index.html.en 279) requirement does not apply to linkable information the user manually submits projects/torbrowser/design/index.html.en 280) to sites, or due information submitted during manual link traversal. This projects/torbrowser/design/index.html.en 281) functionality SHOULD NOT interfere with federated login in a substantial way.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 282)`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 283) </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="3.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin projects/torbrowser/design/index.html.en 284) Fingerprinting Unlinkability</strong></span></a><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 285)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 286) User activity on one url bar origin MUST NOT be linkable to their activity in projects/torbrowser/design/index.html.en 287) any other url bar origin by any third party. This property specifically applies to`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 288) linkability from fingerprinting browser behavior. projects/en/torbrowser/design/index.html.en 289)`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 290) </p></li><li class="listitem"><a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button"><span class="command"><strong>Long-Term projects/torbrowser/design/index.html.en 291) Unlinkability</strong></span></a><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 292)`
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 293) The browser SHOULD provide an obvious, easy way to remove all of its`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 294) authentication tokens and browser state and obtain a fresh identity. projects/torbrowser/design/index.html.en 295) Additionally, the browser SHOULD clear linkable state by default automatically projects/torbrowser/design/index.html.en 296) upon browser restart, except at user option.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 297) projects/en/torbrowser/design/index.html.en 298) </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 299) projects/en/torbrowser/design/index.html.en 300) In addition to the above design requirements, the technology decisions about projects/en/torbrowser/design/index.html.en 301) Tor Browser are also guided by some philosophical positions about technology. projects/en/torbrowser/design/index.html.en 302) projects/en/torbrowser/design/index.html.en 303) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p> projects/en/torbrowser/design/index.html.en 304) projects/en/torbrowser/design/index.html.en 305) The existing way that the user expects to use a browser must be preserved. If projects/en/torbrowser/design/index.html.en 306) the user has to maintain a different mental model of how the sites they are projects/en/torbrowser/design/index.html.en 307) using behave depending on tab, browser state, or anything else that would not projects/en/torbrowser/design/index.html.en 308) normally be what they experience in their default browser, the user will projects/en/torbrowser/design/index.html.en 309) inevitably be confused. They will make mistakes and reduce their privacy as a projects/en/torbrowser/design/index.html.en 310) result. Worse, they may just stop using the browser, assuming it is broken. projects/en/torbrowser/design/index.html.en 311) projects/en/torbrowser/design/index.html.en 312) </p><p> projects/en/torbrowser/design/index.html.en 313) projects/en/torbrowser/design/index.html.en 314) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures projects/en/torbrowser/design/index.html.en 315) of Torbutton</a>: Even if users managed to install everything properly, projects/en/torbrowser/design/index.html.en 316) the toggle model was too hard for the average user to understand, especially projects/en/torbrowser/design/index.html.en 317) in the face of accumulating tabs from multiple states crossed with the current projects/en/torbrowser/design/index.html.en 318) tor-state of the browser. projects/en/torbrowser/design/index.html.en 319) projects/en/torbrowser/design/index.html.en 320) </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to projects/en/torbrowser/design/index.html.en 321) break sites</strong></span><p> projects/en/torbrowser/design/index.html.en 322) projects/en/torbrowser/design/index.html.en 323) In general, we try to find solutions to privacy issues that will not induce projects/en/torbrowser/design/index.html.en 324) site breakage, though this is not always possible. projects/en/torbrowser/design/index.html.en 325) projects/en/torbrowser/design/index.html.en 326) </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p> projects/en/torbrowser/design/index.html.en 327) projects/en/torbrowser/design/index.html.en 328) Even if plugins always properly used the browser proxy settings (which none of projects/en/torbrowser/design/index.html.en 329) them do) and could not be induced to bypass them (which all of them can), the projects/en/torbrowser/design/index.html.en 330) activities of closed-source plugins are very difficult to audit and control. projects/en/torbrowser/design/index.html.en 331) They can obtain and transmit all manner of system information to websites, projects/en/torbrowser/design/index.html.en 332) often have their own identifier storage for tracking users, and also projects/en/torbrowser/design/index.html.en 333) contribute to fingerprinting. projects/en/torbrowser/design/index.html.en 334) projects/en/torbrowser/design/index.html.en 335) </p><p> projects/en/torbrowser/design/index.html.en 336) projects/en/torbrowser/design/index.html.en 337) Therefore, if plugins are to be enabled in private browsing modes, they must projects/en/torbrowser/design/index.html.en 338) be restricted from running automatically on every page (via click-to-play projects/en/torbrowser/design/index.html.en 339) placeholders), and/or be sandboxed to restrict the types of system calls they projects/en/torbrowser/design/index.html.en 340) can execute. If the user decides to craft an exemption to allow a plugin to be
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 341) used, it MUST only apply to the top level url bar domain, and not to all sites,`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 342) to reduce linkability. projects/en/torbrowser/design/index.html.en 343) projects/en/torbrowser/design/index.html.en 344) </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p> projects/en/torbrowser/design/index.html.en 345) projects/en/torbrowser/design/index.html.en 346) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another projects/en/torbrowser/design/index.html.en 347) failure of Torbutton</a> was (and still is) the options panel. Each option projects/en/torbrowser/design/index.html.en 348) that detectably alters browser behavior can be used as a fingerprinting tool.
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 349) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">SHOULD be`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 350) disabled in the mode</a> except as an opt-in basis. We should not load projects/en/torbrowser/design/index.html.en 351) system-wide addons or plugins. projects/en/torbrowser/design/index.html.en 352) projects/en/torbrowser/design/index.html.en 353) </p><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 354) Instead of global browser privacy options, privacy decisions SHOULD be made`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 355) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 356) url bar origin</a> to eliminate the possibility of linkability`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 357) between domains. For example, when a plugin object (or a Javascript access of projects/en/torbrowser/design/index.html.en 358) window.plugins) is present in a page, the user should be given the choice of`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 359) allowing that plugin object for that url bar origin only. The same`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 360) goes for exemptions to third party cookie policy, geo-location, and any other projects/en/torbrowser/design/index.html.en 361) privacy permissions. projects/en/torbrowser/design/index.html.en 362) </p><p> projects/en/torbrowser/design/index.html.en 363) If the user has indicated they do not care about local history storage, these projects/en/torbrowser/design/index.html.en 364) permissions can be written to disk. Otherwise, they should remain memory-only. projects/en/torbrowser/design/index.html.en 365) </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p> projects/en/torbrowser/design/index.html.en 366) projects/en/torbrowser/design/index.html.en 367) Filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock projects/en/torbrowser/design/index.html.en 368) Plus</a>, <a class="ulink" href="" target="_top">Request Policy</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be projects/en/torbrowser/design/index.html.en 369) avoided. We believe that these addons do not add any real privacy to a proper projects/en/torbrowser/design/index.html.en 370) <a class="link" href="#Implementation" title="3. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, as all third parties are projects/en/torbrowser/design/index.html.en 371) prevented from tracking users between sites by the implementation. projects/en/torbrowser/design/index.html.en 372) Filter-based addons can also introduce strange breakage and cause usability projects/en/torbrowser/design/index.html.en 373) nightmares, and will also fail to do their job if an adversary simply projects/en/torbrowser/design/index.html.en 374) registers a new domain or creates a new url path. Worse still, the unique
Fix a typo and some links i... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 375) filter sets that each user creates or installs will provide a wealth`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 376) of fingerprinting targets. projects/en/torbrowser/design/index.html.en 377) projects/en/torbrowser/design/index.html.en 378) </p><p> projects/en/torbrowser/design/index.html.en 379) projects/en/torbrowser/design/index.html.en 380) As a general matter, we are also generally opposed to shipping an always-on Ad projects/en/torbrowser/design/index.html.en 381) blocker with Tor Browser. We feel that this would damage our credibility in projects/en/torbrowser/design/index.html.en 382) terms of demonstrating that we are providing privacy through a sound design projects/en/torbrowser/design/index.html.en 383) alone, as well as damage the acceptance of Tor users by sites who support projects/en/torbrowser/design/index.html.en 384) themselves through advertising revenue. projects/en/torbrowser/design/index.html.en 385) projects/en/torbrowser/design/index.html.en 386) </p><p> projects/en/torbrowser/design/index.html.en 387) Users are free to install these addons if they wish, but doing projects/en/torbrowser/design/index.html.en 388) so is not recommended, as it will alter the browser request fingerprint. projects/en/torbrowser/design/index.html.en 389) </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p> projects/en/torbrowser/design/index.html.en 390) We believe that if we do not stay current with the support of new web projects/en/torbrowser/design/index.html.en 391) technologies, we cannot hope to substantially influence or be involved in projects/en/torbrowser/design/index.html.en 392) their proper deployment or privacy realization. However, we will likely disable projects/en/torbrowser/design/index.html.en 393) certain new features (where possible) pending analysis and audit. projects/en/torbrowser/design/index.html.en 394) </p></li></ol></div></div></div><div class="sect1" title="3. Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>3. Implementation</h2></div></div></div><p>
Update TBB design doc w/ an... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 395) projects/torbrowser/design/index.html.en 396) The Implementation section is divided into subsections, each of which projects/torbrowser/design/index.html.en 397) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>. projects/torbrowser/design/index.html.en 398) Each subsection is divided into specific web technologies or properties. The projects/torbrowser/design/index.html.en 399) implementation is then described for that property. projects/torbrowser/design/index.html.en 400) projects/torbrowser/design/index.html.en 401) </p><p> projects/torbrowser/design/index.html.en 402) projects/torbrowser/design/index.html.en 403) In some cases, the implementation meets the design requirements in a non-ideal projects/torbrowser/design/index.html.en 404) way (for example, by disabling features). In rare cases, there may be no projects/torbrowser/design/index.html.en 405) implementation at all. Both of these cases are denoted by differentiating projects/torbrowser/design/index.html.en 406) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation projects/torbrowser/design/index.html.en 407) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a> projects/torbrowser/design/index.html.en 408) are typically linked for these cases. projects/torbrowser/design/index.html.en 409)
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 410) </p><div class="sect2" title="3.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>3.1. Proxy Obedience</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 411) projects/en/torbrowser/design/index.html.en 412) Proxy obedience is assured through the following: projects/en/torbrowser/design/index.html.en 413) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox Proxy settings projects/en/torbrowser/design/index.html.en 414) <p> projects/en/torbrowser/design/index.html.en 415) The Torbutton xpi sets the Firefox proxy settings to use Tor directly as a projects/en/torbrowser/design/index.html.en 416) SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>, projects/en/torbrowser/design/index.html.en 417) <span class="command"><strong>network.proxy.socks_version</strong></span>, and projects/en/torbrowser/design/index.html.en 418) <span class="command"><strong>network.proxy.socks_port</strong></span>.
Comments from Georg + proxy... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 419) </p><p> projects/torbrowser/design/index.html.en 420) projects/torbrowser/design/index.html.en 421) We have verified that these settings properly proxy HTTPS, OCSP, HTTP, FTP, projects/torbrowser/design/index.html.en 422) gopher (now defunct), DNS, SafeBrowsing Queries, all javascript activity, projects/torbrowser/design/index.html.en 423) including HTML5 audio and video objects, addon updates, wifi geolocation projects/torbrowser/design/index.html.en 424) queries, searchbox queries, XPCOM addon HTTPS/HTTP activity, and live bookmark projects/torbrowser/design/index.html.en 425) updates. We have also verified that IPv6 connections are not attempted, projects/torbrowser/design/index.html.en 426) through the proxy or otherwise (Tor does not yet support IPv6). We have also projects/torbrowser/design/index.html.en 427) verified that external protocol helpers, such as smb urls and other custom projects/torbrowser/design/index.html.en 428) protocol handers are all blocked. projects/torbrowser/design/index.html.en 429) projects/torbrowser/design/index.html.en 430) </p><p> projects/torbrowser/design/index.html.en 431) projects/torbrowser/design/index.html.en 432) Numerous other third parties have also reviewed and <a class="link" href="#SingleStateTesting" title="5.1. Single state testing">tested</a> the proxy settings projects/torbrowser/design/index.html.en 433) and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/" target="_top">decloak.net</a>. projects/torbrowser/design/index.html.en 434)
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 435) </p></li><li class="listitem">Disabling plugins`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 436) projects/torbrowser/design/index.html.en 437) <p>Plugins have the ability to make arbitrary OS system calls and <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 438) the ability to make UDP sockets and send arbitrary data independent of the projects/en/torbrowser/design/index.html.en 439) browser proxy settings. projects/en/torbrowser/design/index.html.en 440) </p><p> projects/en/torbrowser/design/index.html.en 441) Torbutton disables plugins by using the projects/en/torbrowser/design/index.html.en 442) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags projects/en/torbrowser/design/index.html.en 443) as disabled. Additionally, we set projects/en/torbrowser/design/index.html.en 444) <span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to the list of projects/en/torbrowser/design/index.html.en 445) supported mime types for all currently installed plugins. projects/en/torbrowser/design/index.html.en 446) </p><p> projects/en/torbrowser/design/index.html.en 447) In addition, to prevent any unproxied activity by plugins at load time, we
Fix a typo and some links i... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 448) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0007-Block-all-plugins-except-flash.patch" target="_top">prevent the load of any plugins except`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 449) for Flash and Gnash</a>. projects/en/torbrowser/design/index.html.en 450)`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 451) </p><p> projects/torbrowser/design/index.html.en 452) projects/torbrowser/design/index.html.en 453) Finally, even if the user alters their browser settings to re-enable the Flash projects/torbrowser/design/index.html.en 454) plugin, we have configured NoScript to provide click-to-play placeholders, so projects/torbrowser/design/index.html.en 455) that only desired objects will be loaded, and only after user confirmation. projects/torbrowser/design/index.html.en 456)
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 457) </p></li><li class="listitem">External App Blocking projects/en/torbrowser/design/index.html.en 458) <p> projects/en/torbrowser/design/index.html.en 459) External apps, if launched automatically, can be induced to load files that projects/en/torbrowser/design/index.html.en 460) perform network activity. In order to prevent this, Torbutton installs a projects/en/torbrowser/design/index.html.en 461) component to`
Fix a typo and some links i... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 462) <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 463) provide the user with a popup</a> whenever the browser attempts to projects/en/torbrowser/design/index.html.en 464) launch a helper app. projects/en/torbrowser/design/index.html.en 465) </p></li></ol></div></div><div class="sect2" title="3.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>3.2. State Separation</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 466) Tor Browser State is separated from existing browser state through use of a projects/en/torbrowser/design/index.html.en 467) custom Firefox profile. Furthermore, plugins are disabled, which prevents projects/en/torbrowser/design/index.html.en 468) Flash cookies from leaking from a pre-existing Flash directory.
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 469) </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id3048300"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 470) Tor Browser MUST (at user option) prevent all disk records of browser activity.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 471) The user should be able to optionally enable URL history and other history projects/en/torbrowser/design/index.html.en 472) features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the projects/en/torbrowser/design/index.html.en 473) preferences interface</a>, we will likely just enable Private Browsing projects/en/torbrowser/design/index.html.en 474) mode by default to handle this goal.
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 475) </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3052558"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 476) For now, Tor Browser blocks write access to the disk through Torbutton projects/en/torbrowser/design/index.html.en 477) using several Firefox preferences. projects/en/torbrowser/design/index.html.en 478) projects/en/torbrowser/design/index.html.en 479) projects/en/torbrowser/design/index.html.en 480) projects/en/torbrowser/design/index.html.en 481) The set of prefs is: projects/en/torbrowser/design/index.html.en 482) <span class="command"><strong>dom.storage.enabled</strong></span>, projects/en/torbrowser/design/index.html.en 483) <span class="command"><strong>browser.cache.memory.enable</strong></span>, projects/en/torbrowser/design/index.html.en 484) <span class="command"><strong>network.http.use-cache</strong></span>, projects/en/torbrowser/design/index.html.en 485) <span class="command"><strong>browser.cache.disk.enable</strong></span>, projects/en/torbrowser/design/index.html.en 486) <span class="command"><strong>browser.cache.offline.enable</strong></span>, projects/en/torbrowser/design/index.html.en 487) <span class="command"><strong>general.open_location.last_url</strong></span>, projects/en/torbrowser/design/index.html.en 488) <span class="command"><strong>places.history.enabled</strong></span>, projects/en/torbrowser/design/index.html.en 489) <span class="command"><strong>browser.formfill.enable</strong></span>, projects/en/torbrowser/design/index.html.en 490) <span class="command"><strong>signon.rememberSignons</strong></span>, projects/en/torbrowser/design/index.html.en 491) <span class="command"><strong>browser.download.manager.retention</strong></span>, projects/en/torbrowser/design/index.html.en 492) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>. projects/en/torbrowser/design/index.html.en 493) </blockquote></div></div><p> projects/en/torbrowser/design/index.html.en 494) In addition, three Firefox patches are needed to prevent disk writes, even if projects/en/torbrowser/design/index.html.en 495) Private Browsing Mode is enabled. We need to projects/en/torbrowser/design/index.html.en 496) projects/en/torbrowser/design/index.html.en 497) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0002-Make-Permissions-Manager-memory-only.patch" target="_top">prevent projects/en/torbrowser/design/index.html.en 498) the permissions manager from recording HTTPS STS state</a>, projects/en/torbrowser/design/index.html.en 499) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">prevent projects/en/torbrowser/design/index.html.en 500) intermediate SSL certificates from being recorded</a>, and projects/en/torbrowser/design/index.html.en 501) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0008-Make-content-pref-service-memory-only-clearable.patch" target="_top">prevent projects/en/torbrowser/design/index.html.en 502) the content preferences service from recording site zoom</a>. projects/en/torbrowser/design/index.html.en 503) projects/en/torbrowser/design/index.html.en 504) For more details on these patches, <a class="link" href="#firefox-patches" title="3.9. Description of Firefox Patches">see the projects/en/torbrowser/design/index.html.en 505) Firefox Patches section</a>. projects/en/torbrowser/design/index.html.en 506) projects/en/torbrowser/design/index.html.en 507) </p></div><div class="sect2" title="3.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>3.4. Application Data Isolation</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 508) projects/en/torbrowser/design/index.html.en 509) Tor Browser Bundle MUST NOT cause any information to be written outside of the projects/en/torbrowser/design/index.html.en 510) bundle directory. This is to ensure that the user is able to completely and projects/en/torbrowser/design/index.html.en 511) safely remove the bundle without leaving other traces of Tor usage on their projects/en/torbrowser/design/index.html.en 512) computer. projects/en/torbrowser/design/index.html.en 513)
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 514) </p><p>FIXME: sjmurdoch, Erinn: explain what magic we do to satisfy this,`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 515) and/or what additional work or auditing needs to be done.`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 516) </p></div><div class="sect2" title="3.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>3.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 517) projects/en/torbrowser/design/index.html.en 518) The Tor Browser MUST prevent a user's activity on one site from being linked projects/en/torbrowser/design/index.html.en 519) to their activity on another site. When this goal cannot yet be met with an projects/en/torbrowser/design/index.html.en 520) existing web technology, that technology or functionality is disabled. Our projects/en/torbrowser/design/index.html.en 521) <a class="link" href="#privacy" title="2.2. Privacy Requirements">design goal</a> is to ultimately eliminate the need to disable arbitrary projects/en/torbrowser/design/index.html.en 522) technologies, and instead simply alter them in ways that allows them to projects/en/torbrowser/design/index.html.en 523) function in a backwards-compatible way while avoiding linkability. Users projects/en/torbrowser/design/index.html.en 524) should be able to use federated login of various kinds to explicitly inform projects/en/torbrowser/design/index.html.en 525) sites who they are, but that information should not transparently allow a projects/en/torbrowser/design/index.html.en 526) third party to record their activity from site to site without their prior projects/en/torbrowser/design/index.html.en 527) consent. projects/en/torbrowser/design/index.html.en 528) projects/en/torbrowser/design/index.html.en 529) </p><p> projects/en/torbrowser/design/index.html.en 530) projects/en/torbrowser/design/index.html.en 531) The benefit of this approach comes not only in the form of reduced projects/en/torbrowser/design/index.html.en 532) linkability, but also in terms of simplified privacy UI. If all stored browser
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 533) state and permissions become associated with the url bar origin, the six or projects/torbrowser/design/index.html.en 534) seven different pieces of privacy UI governing these identifiers and`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 535) permissions can become just one piece of UI. For instance, a window that lists`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 536) the url bar origin for which browser state exists, possibly with a projects/torbrowser/design/index.html.en 537) context-menu option to drill down into specific types of state or permissions. projects/torbrowser/design/index.html.en 538) An example of this simplification can be seen in Figure 1.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 539)`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 540) </p><div class="figure"><a id="id3051496"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 541) projects/en/torbrowser/design/index.html.en 542) On the left is the standard Firefox cookie manager. On the right is a mock-up`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 543) of how isolating identifiers to the URL bar origin might simplify the privacy`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 544) UI for all data - not just cookies. Both windows represent the set of`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 545) Cookies accumulated after visiting just five sites, but the window on the`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 546) right has the option of also representing history, DOM Storage, HTTP Auth, projects/en/torbrowser/design/index.html.en 547) search form history, login values, and so on within a context menu for each projects/en/torbrowser/design/index.html.en 548) site. projects/en/torbrowser/design/index.html.en 549) projects/en/torbrowser/design/index.html.en 550) </div></div></div><br class="figure-break" /><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Cookies projects/en/torbrowser/design/index.html.en 551) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 552)
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 553) All cookies MUST be double-keyed to the url bar origin and third-party projects/torbrowser/design/index.html.en 554) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a> projects/torbrowser/design/index.html.en 555) that contains a prototype patch, but it lacks UI, and does not apply to modern projects/torbrowser/design/index.html.en 556) Firefoxes.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 557) projects/en/torbrowser/design/index.html.en 558) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 559) projects/en/torbrowser/design/index.html.en 560) As a stopgap to satisfy our design requirement of unlinkability, we currently projects/en/torbrowser/design/index.html.en 561) entirely disable 3rd party cookies by setting projects/en/torbrowser/design/index.html.en 562) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
Comments from Georg + proxy... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 563) third party content continue to function, but we believe the requirement for`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 564) unlinkability trumps that desire. projects/en/torbrowser/design/index.html.en 565) projects/en/torbrowser/design/index.html.en 566) </p></li><li class="listitem">Cache projects/en/torbrowser/design/index.html.en 567) <p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 568) projects/torbrowser/design/index.html.en 569) Cache is isolated to the url bar origin by using a technique pioneered by projects/torbrowser/design/index.html.en 570) Colin Jackson et al, via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 571) <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 572) attribute that Firefox uses internally to prevent improper caching and reuse projects/torbrowser/design/index.html.en 573) of HTTP POST data. projects/torbrowser/design/index.html.en 574)`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 575) </p><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 576)`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 577) However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 578) security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve conflicts projects/torbrowser/design/index.html.en 579) with OCSP relying the cacheKey property for reuse of POST requests</a>, we projects/torbrowser/design/index.html.en 580) had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch projects/torbrowser/design/index.html.en 581) Firefox to provide a cacheDomain cache attribute</a>. We use the fully projects/torbrowser/design/index.html.en 582) qualified url bar domain as input to this field. projects/torbrowser/design/index.html.en 583)
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 584) </p><p> projects/en/torbrowser/design/index.html.en 585)`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 586) Furthermore, we chose a different projects/torbrowser/design/index.html.en 587) isolation scheme than the Stanford implementation. First, we decoupled the projects/torbrowser/design/index.html.en 588) cache isolation from the third party cookie attribute. Second, we use several projects/torbrowser/design/index.html.en 589) mechanisms to attempt to determine the actual location attribute of the projects/torbrowser/design/index.html.en 590) top-level window (to obtain the url bar FQDN) used to load the page, as projects/torbrowser/design/index.html.en 591) opposed to relying solely on the referer property.
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 592) projects/en/torbrowser/design/index.html.en 593) </p><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 594)`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 595) Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 596) Stanford test cases</a> are expected to fail. Functionality can still be projects/torbrowser/design/index.html.en 597) verified by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and projects/torbrowser/design/index.html.en 598) viewing the key used for each cache entry. Each third party element should projects/torbrowser/design/index.html.en 599) have an additional "domain=string" property prepended, which will list the projects/torbrowser/design/index.html.en 600) FQDN that was used to source the third party element. projects/torbrowser/design/index.html.en 601)
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 602) </p></li><li class="listitem">HTTP Auth projects/en/torbrowser/design/index.html.en 603) <p> projects/en/torbrowser/design/index.html.en 604) projects/en/torbrowser/design/index.html.en 605) HTTP authentication tokens are removed for third party elements using the projects/en/torbrowser/design/index.html.en 606) <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request projects/en/torbrowser/design/index.html.en 607) observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent projects/en/torbrowser/design/index.html.en 608) linkability between domains</a>. We also needed to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch" target="_top">patch projects/en/torbrowser/design/index.html.en 609) Firefox to cause the headers to get added early enough</a> to allow the projects/en/torbrowser/design/index.html.en 610) observer to modify it. projects/en/torbrowser/design/index.html.en 611) projects/en/torbrowser/design/index.html.en 612) </p></li><li class="listitem">DOM Storage projects/en/torbrowser/design/index.html.en 613) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 614)
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 615) DOM storage for third party domains MUST be isolated to the url bar origin,`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 616) to prevent linkability between sites. projects/en/torbrowser/design/index.html.en 617) projects/en/torbrowser/design/index.html.en 618) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 619) projects/en/torbrowser/design/index.html.en 620) Because it is isolated to third party domain as opposed to top level url bar`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 621) origin, we entirely disable DOM storage as a stopgap to ensure unlinkability.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 622)`
Describe our efforts agains... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 623) </p></li><li class="listitem">Flash cookies projects/torbrowser/design/index.html.en 624) <p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 625) projects/torbrowser/design/index.html.en 626) Users should be able to click-to-play flash objects from trusted sites. To projects/torbrowser/design/index.html.en 627) make this behavior unlinkable, we wish to include a settings file for all platforms that disables flash projects/torbrowser/design/index.html.en 628) cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash projects/torbrowser/design/index.html.en 629) settings manager</a>.
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 630)`
Describe our efforts agains... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 631) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 632) projects/torbrowser/design/index.html.en 633) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having projects/torbrowser/design/index.html.en 634) difficulties</a> causing Flash player to use this settings projects/torbrowser/design/index.html.en 635) file on Windows. projects/torbrowser/design/index.html.en 636)
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 637) </p></li><li class="listitem">TLS session resumption and HTTP Keep-Alive projects/en/torbrowser/design/index.html.en 638) <p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 639) TLS session resumption and HTTP Keep-Alive MUST NOT allow third party origins`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 640) to track users via either TLS session IDs, or the fact that different requests projects/en/torbrowser/design/index.html.en 641) arrive on the same TCP connection. projects/en/torbrowser/design/index.html.en 642) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 643)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 644) TLS session resumption IDs MUST be limited to the url bar origin. projects/torbrowser/design/index.html.en 645) HTTP Keep-Alive connections from a third party in one url bar origin must projects/torbrowser/design/index.html.en 646) not be reused for that same third party in another url bar origin.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 647) projects/en/torbrowser/design/index.html.en 648) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 649)`
Comments from Georg + proxy... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 650) We currently clear TLS Session IDs upon <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New projects/torbrowser/design/index.html.en 651) Identity</a>, but we have no origin restriction implementation as of yet. projects/torbrowser/design/index.html.en 652) We plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4099" target="_top">disable TLS session projects/torbrowser/design/index.html.en 653) resumption</a>, and limit HTTP Keep-alive duration as stopgaps to limit projects/torbrowser/design/index.html.en 654) linkability until we can implement <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4100" target="_top">true origin projects/torbrowser/design/index.html.en 655) isolation</a> (the latter we feel will be fairly tricky).
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 656)`
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 657) </p></li><li class="listitem">User confirmation for cross-origin redirects projects/torbrowser/design/index.html.en 658) <p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 659) projects/torbrowser/design/index.html.en 660) To prevent attacks aimed at subverting the Cross-Origin Identifier projects/torbrowser/design/index.html.en 661) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
Additional comments from Ge... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 662) MUST prompt the user before following redirects that would cause the user to projects/torbrowser/design/index.html.en 663) automatically navigate between two different url bar origins. The prompt projects/torbrowser/design/index.html.en 664) SHOULD inform the user about the ability to use <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New Identity</a> to clear the linked identifiers projects/torbrowser/design/index.html.en 665) created by the redirect.
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 666)`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 667) </p><p>`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 668)`
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 669) To reduce the occurrence of warning fatigue, these warning messages MAY be limited`
Update TBB design doc based... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 670) to automated redirect cycles only. For example, the automated redirect projects/torbrowser/design/index.html.en 671) sequence <span class="command"><strong>User Click -> t.co -> bit.ly -> cnn.com</strong></span> can be projects/torbrowser/design/index.html.en 672) assumed to be benign, but the redirect sequence <span class="command"><strong>User Click -> t.co -> projects/torbrowser/design/index.html.en 673) bit.ly -> cnn.com -> 2o7.net -> scorecardresearch.net -> cnn.com</strong></span> is projects/torbrowser/design/index.html.en 674) clearly due to tracking. Non-automated redirect cycles that require projects/torbrowser/design/index.html.en 675) user input at some step (such as federated login systems) need not be projects/torbrowser/design/index.html.en 676) interrupted by the UI.
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 677) projects/torbrowser/design/index.html.en 678) </p><p> projects/torbrowser/design/index.html.en 679) projects/torbrowser/design/index.html.en 680) We are not concerned with linkability due to explicit user action (either by projects/torbrowser/design/index.html.en 681) accepting cross-origin redirects, or by clicking normal links) because it is projects/torbrowser/design/index.html.en 682) assumed that private browsing sessions will be relatively short-lived, projects/torbrowser/design/index.html.en 683) especially with frequent use of the <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New projects/torbrowser/design/index.html.en 684) Identity</a> button. projects/torbrowser/design/index.html.en 685)
Update TBB design doc based... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 686) </p><p><span class="command"><strong>Implementation status:</strong></span> projects/torbrowser/design/index.html.en 687) projects/torbrowser/design/index.html.en 688) There are numerous ways for the user to be redirected, and the Firefox API projects/torbrowser/design/index.html.en 689) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug projects/torbrowser/design/index.html.en 690) open</a> to implement what we can. projects/torbrowser/design/index.html.en 691)
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 692) </p></li><li class="listitem">window.name`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 693) <p> projects/en/torbrowser/design/index.html.en 694) projects/en/torbrowser/design/index.html.en 695) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is projects/en/torbrowser/design/index.html.en 696) a magical DOM property that for some reason is allowed to retain a persistent value projects/en/torbrowser/design/index.html.en 697) for the lifespan of a browser tab. It is possible to utilize this property for projects/en/torbrowser/design/index.html.en 698) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier projects/en/torbrowser/design/index.html.en 699) storage</a>. projects/en/torbrowser/design/index.html.en 700) projects/en/torbrowser/design/index.html.en 701) </p><p> projects/en/torbrowser/design/index.html.en 702) projects/en/torbrowser/design/index.html.en 703) In order to eliminate linkability but still allow for sites that utilize this projects/en/torbrowser/design/index.html.en 704) property to function, we reset the window.name property of tabs in Torbutton every projects/en/torbrowser/design/index.html.en 705) time we encounter a blank referer. This behavior allows window.name to persist projects/en/torbrowser/design/index.html.en 706) for the duration of a link-driven navigation session, but as soon as the user projects/en/torbrowser/design/index.html.en 707) enters a new URL or navigates between https/http schemes, the property is cleared. projects/en/torbrowser/design/index.html.en 708)
Update TBB design doc based... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 709) </p></li><li class="listitem">Auto form-fill projects/torbrowser/design/index.html.en 710) <p> projects/torbrowser/design/index.html.en 711) projects/torbrowser/design/index.html.en 712) We disable the password saving functionality in the browser as part of our projects/torbrowser/design/index.html.en 713) <a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance">Disk Avoidance</a> requirement. However, projects/torbrowser/design/index.html.en 714) since users may decide to re-enable disk history records and password saving, projects/torbrowser/design/index.html.en 715) we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a> projects/torbrowser/design/index.html.en 716) preference to false to prevent saved values from immediately populating projects/torbrowser/design/index.html.en 717) fields upon page load. Since Javascript can read these values as soon as they projects/torbrowser/design/index.html.en 718) appear, setting this preference prevents automatic linkability from stored passwords. projects/torbrowser/design/index.html.en 719) projects/torbrowser/design/index.html.en 720) </p></li><li class="listitem">HSTS supercookies projects/torbrowser/design/index.html.en 721) <p>
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 722) projects/torbrowser/design/index.html.en 723) An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS projects/torbrowser/design/index.html.en 724) supercookies</a>. Since HSTS effectively stores one bit of information per domain`
Update TBB design doc based... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 725) name, an adversary in possession of numerous domains can use them to construct projects/torbrowser/design/index.html.en 726) cookies based on stored HSTS state. projects/torbrowser/design/index.html.en 727) projects/torbrowser/design/index.html.en 728) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 729) projects/torbrowser/design/index.html.en 730) There appears to be three options for us: 1. Disable HSTS entirely, and rely
Additional comments from Ge... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 731) instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2. projects/torbrowser/design/index.html.en 732) Restrict the number of HSTS-enabled third parties allowed per url bar origin. projects/torbrowser/design/index.html.en 733) 3. Prevent third parties from storing HSTS rules. We have not yet decided upon projects/torbrowser/design/index.html.en 734) the best approach.`
Update TBB design doc based... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 735) projects/torbrowser/design/index.html.en 736) </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is projects/torbrowser/design/index.html.en 737) cleared by <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New Identity</a>, but we don't projects/torbrowser/design/index.html.en 738) defend against the creation of these cookies between <span class="command"><strong>New projects/torbrowser/design/index.html.en 739) Identity</strong></span> invocations. projects/torbrowser/design/index.html.en 740) </p></li><li class="listitem">Exit node usage
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 741) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 742) projects/en/torbrowser/design/index.html.en 743) Every distinct navigation session (as defined by a non-blank referer header) projects/en/torbrowser/design/index.html.en 744) MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node projects/en/torbrowser/design/index.html.en 745) observers from linking concurrent browsing activity. projects/en/torbrowser/design/index.html.en 746) projects/en/torbrowser/design/index.html.en 747) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 748) projects/en/torbrowser/design/index.html.en 749) The Tor feature that supports this ability only exists in the 0.2.3.x-alpha projects/en/torbrowser/design/index.html.en 750) series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455" target="_top">Ticket projects/en/torbrowser/design/index.html.en 751) #3455</a> is the Torbutton ticket to make use of the new Tor projects/en/torbrowser/design/index.html.en 752) functionality. projects/en/torbrowser/design/index.html.en 753)
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 754) </p></li></ol></div></div><div class="sect2" title="3.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>3.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 755) projects/en/torbrowser/design/index.html.en 756) In order to properly address the fingerprinting adversary on a technical projects/en/torbrowser/design/index.html.en 757) level, we need a metric to measure linkability of the various browser`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 758) properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 759) by the EFF provides us with exactly this metric. The researchers conducted a projects/en/torbrowser/design/index.html.en 760) survey of volunteers who were asked to visit an experiment page that harvested projects/en/torbrowser/design/index.html.en 761) many of the above components. They then computed the Shannon Entropy of the projects/en/torbrowser/design/index.html.en 762) resulting distribution of each of several key attributes to determine how many projects/en/torbrowser/design/index.html.en 763) bits of identifying information each attribute provided. projects/en/torbrowser/design/index.html.en 764) projects/en/torbrowser/design/index.html.en 765) </p><p> projects/en/torbrowser/design/index.html.en 766) projects/en/torbrowser/design/index.html.en 767) The study is not exhaustive, though. In particular, the test does not take in projects/en/torbrowser/design/index.html.en 768) all aspects of resolution information. It did not calculate the size of projects/en/torbrowser/design/index.html.en 769) widgets, window decoration, or toolbar size, which we believe may add high projects/en/torbrowser/design/index.html.en 770) amounts of entropy. It also did not measure clock offset and other time-based projects/en/torbrowser/design/index.html.en 771) fingerprints. Furthermore, as new browser features are added, this experiment projects/en/torbrowser/design/index.html.en 772) should be repeated to include them. projects/en/torbrowser/design/index.html.en 773) projects/en/torbrowser/design/index.html.en 774) </p><p> projects/en/torbrowser/design/index.html.en 775) projects/en/torbrowser/design/index.html.en 776) On the other hand, to avoid an infinite sinkhole, we reduce the efforts for projects/en/torbrowser/design/index.html.en 777) fingerprinting resistance by only concerning ourselves with reducing the projects/en/torbrowser/design/index.html.en 778) fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. We projects/en/torbrowser/design/index.html.en 779) do not believe it is productive to concern ourselves with cross-browser projects/en/torbrowser/design/index.html.en 780) fingerprinting issues, at least not at this stage. projects/en/torbrowser/design/index.html.en 781) projects/en/torbrowser/design/index.html.en 782) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins projects/en/torbrowser/design/index.html.en 783) <p> projects/en/torbrowser/design/index.html.en 784) projects/en/torbrowser/design/index.html.en 785) Plugins add to fingerprinting risk via two main vectors: their mere presence in projects/en/torbrowser/design/index.html.en 786) window.navigator.plugins, as well as their internal functionality. projects/en/torbrowser/design/index.html.en 787) projects/en/torbrowser/design/index.html.en 788) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 789)
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 790) All plugins that have not been specifically audited or sandboxed MUST be`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 791) disabled. To reduce linkability potential, even sandboxed plugins should not projects/en/torbrowser/design/index.html.en 792) be allowed to load objects until the user has clicked through a click-to-play projects/en/torbrowser/design/index.html.en 793) barrier. Additionally, version information should be reduced or obfuscated projects/en/torbrowser/design/index.html.en 794) until the plugin object is loaded. projects/en/torbrowser/design/index.html.en 795) projects/en/torbrowser/design/index.html.en 796) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 797) projects/en/torbrowser/design/index.html.en 798) Currently, we entirely disable all plugins in Tor Browser. However, as a projects/en/torbrowser/design/index.html.en 799) compromise due to the popularity of Flash, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">work projects/en/torbrowser/design/index.html.en 800) towards</a> a projects/en/torbrowser/design/index.html.en 801) click-to-play barrier using NoScript that is available only after the user has projects/en/torbrowser/design/index.html.en 802) specifically enabled plugins. Flash will be the only plugin available, and we projects/en/torbrowser/design/index.html.en 803) will ship a settings.sol file to disable Flash cookies, and to restrict P2P projects/en/torbrowser/design/index.html.en 804) features that likely bypass proxy settings. projects/en/torbrowser/design/index.html.en 805) projects/en/torbrowser/design/index.html.en 806) </p></li><li class="listitem">Fonts projects/en/torbrowser/design/index.html.en 807) <p> projects/en/torbrowser/design/index.html.en 808) projects/en/torbrowser/design/index.html.en 809) According to the Panopticlick study, fonts provide the most linkability when projects/en/torbrowser/design/index.html.en 810) they are provided as an enumerable list in filesystem order, via either the projects/en/torbrowser/design/index.html.en 811) Flash or Java plugins. However, it is still possible to use CSS and/or projects/en/torbrowser/design/index.html.en 812) Javascript to query for the existence of specific fonts. With a large enough projects/en/torbrowser/design/index.html.en 813) pre-built list to query, a large amount of fingerprintable information may projects/en/torbrowser/design/index.html.en 814) still be available. projects/en/torbrowser/design/index.html.en 815)
Update TBB design doc based... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 816) </p><p> projects/torbrowser/design/index.html.en 817) projects/torbrowser/design/index.html.en 818) The sure-fire way to address font linkability is to ship the browser with a projects/torbrowser/design/index.html.en 819) font for every language, typeface, and style in use in the world, and to only projects/torbrowser/design/index.html.en 820) use those fonts at the exclusion of system fonts. However, this set may be projects/torbrowser/design/index.html.en 821) impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts" target="_top">common projects/torbrowser/design/index.html.en 822) subset</a> may be found that provides total coverage. However, we believe projects/torbrowser/design/index.html.en 823) that with strong url bar origin identifier isolation, a simpler approach can reduce the projects/torbrowser/design/index.html.en 824) number of bits available to the adversary while avoiding the rendering and projects/torbrowser/design/index.html.en 825) language issues of supporting a global font set. projects/torbrowser/design/index.html.en 826)
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 827) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 828)`
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 829) We intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of projects/torbrowser/design/index.html.en 830) fonts</a> a url bar origin can load, gracefully degrading to built-in projects/torbrowser/design/index.html.en 831) and/or remote fonts once the limit is reached.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 832) projects/en/torbrowser/design/index.html.en 833) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 834) projects/en/torbrowser/design/index.html.en 835) Aside from disabling plugins to prevent enumeration, we have not yet projects/en/torbrowser/design/index.html.en 836) implemented any defense against CSS or Javascript fonts. projects/en/torbrowser/design/index.html.en 837) projects/en/torbrowser/design/index.html.en 838) </p></li><li class="listitem">User Agent and HTTP Headers projects/en/torbrowser/design/index.html.en 839) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 840)
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 841) All Tor Browser users MUST provide websites with an identical user agent and`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 842) HTTP header set for a given request type. We omit the Firefox minor revision, projects/en/torbrowser/design/index.html.en 843) and report a popular Windows platform. If the software is kept up to date, projects/en/torbrowser/design/index.html.en 844) these headers should remain identical across the population even when updated. projects/en/torbrowser/design/index.html.en 845) projects/en/torbrowser/design/index.html.en 846) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 847) projects/en/torbrowser/design/index.html.en 848) Firefox provides several options for controlling the browser user agent string projects/en/torbrowser/design/index.html.en 849) which we leverage. We also set similar prefs for controlling the projects/en/torbrowser/design/index.html.en 850) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we projects/en/torbrowser/design/index.html.en 851) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0001-Block-Components.interfaces-lookupMethod-from-conten.patch" target="_top">remove projects/en/torbrowser/design/index.html.en 852) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be projects/en/torbrowser/design/index.html.en 853) used</a> to fingerprint OS, platform, and Firefox minor version. </p></li><li class="listitem">Desktop resolution and CSS Media Queries projects/en/torbrowser/design/index.html.en 854) <p> projects/en/torbrowser/design/index.html.en 855) projects/en/torbrowser/design/index.html.en 856) Both CSS and Javascript have a lot of irrelevant information about the screen projects/en/torbrowser/design/index.html.en 857) resolution, usable desktop size, OS widget size, toolbar size, title bar size, and projects/en/torbrowser/design/index.html.en 858) other desktop features that are not at all relevant to rendering and serve projects/en/torbrowser/design/index.html.en 859) only to provide information for fingerprinting. projects/en/torbrowser/design/index.html.en 860) projects/en/torbrowser/design/index.html.en 861) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 862) projects/en/torbrowser/design/index.html.en 863) Our design goal here is to reduce the resolution information down to the bare projects/en/torbrowser/design/index.html.en 864) minimum required for properly rendering inside a content window. We intend to projects/en/torbrowser/design/index.html.en 865) report all rendering information correctly with respect to the size and projects/en/torbrowser/design/index.html.en 866) properties of the content window, but report an effective size of 0 for all projects/en/torbrowser/design/index.html.en 867) border material, and also report that the desktop is only as big as the projects/en/torbrowser/design/index.html.en 868) inner content window. Additionally, new browser windows are sized such that projects/en/torbrowser/design/index.html.en 869) their content windows are one of ~5 fixed sizes based on the user's projects/en/torbrowser/design/index.html.en 870) desktop resolution. projects/en/torbrowser/design/index.html.en 871) projects/en/torbrowser/design/index.html.en 872) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 873) projects/en/torbrowser/design/index.html.en 874) We have implemented the above strategy for Javascript using Torbutton's <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">JavaScript projects/en/torbrowser/design/index.html.en 875) hooks</a> as well as a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l4002" target="_top">resize projects/en/torbrowser/design/index.html.en 876) new windows based on desktop resolution</a>. However, CSS Media Queries projects/en/torbrowser/design/index.html.en 877) still <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2875" target="_top">need projects/en/torbrowser/design/index.html.en 878) to be dealt with</a>. projects/en/torbrowser/design/index.html.en 879) projects/en/torbrowser/design/index.html.en 880) </p></li><li class="listitem">Timezone and clock offset projects/en/torbrowser/design/index.html.en 881) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 882)
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 883) All Tor Browser users MUST report the same timezone to websites. Currently, we projects/torbrowser/design/index.html.en 884) choose UTC for this purpose, although an equally valid argument could be made projects/torbrowser/design/index.html.en 885) for EDT/EST due to the large English-speaking population density (coupled with projects/torbrowser/design/index.html.en 886) the fact that we spoof a US English user agent). Additionally, the Tor projects/torbrowser/design/index.html.en 887) software should detect if the users clock is significantly divergent from the projects/torbrowser/design/index.html.en 888) clocks of the relays that it connects to, and use this to reset the clock projects/torbrowser/design/index.html.en 889) values used in Tor Browser to something reasonably accurate.
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 890) projects/en/torbrowser/design/index.html.en 891) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 892) projects/en/torbrowser/design/index.html.en 893) We set the timezone using the TZ environment variable, which is supported on projects/en/torbrowser/design/index.html.en 894) all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652" target="_top">obtain a clock projects/en/torbrowser/design/index.html.en 895) offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in projects/en/torbrowser/design/index.html.en 896) use. projects/en/torbrowser/design/index.html.en 897) projects/en/torbrowser/design/index.html.en 898) </p></li><li class="listitem">Javascript performance fingerprinting projects/en/torbrowser/design/index.html.en 899) <p> projects/en/torbrowser/design/index.html.en 900) projects/en/torbrowser/design/index.html.en 901) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance projects/en/torbrowser/design/index.html.en 902) fingerprinting</a> is the act of profiling the performance projects/en/torbrowser/design/index.html.en 903) of various Javascript functions for the purpose of fingerprinting the projects/en/torbrowser/design/index.html.en 904) Javascript engine and the CPU. projects/en/torbrowser/design/index.html.en 905) projects/en/torbrowser/design/index.html.en 906) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 907) projects/en/torbrowser/design/index.html.en 908) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential projects/en/torbrowser/design/index.html.en 909) mitigation approaches</a> to reduce the accuracy of performance projects/en/torbrowser/design/index.html.en 910) fingerprinting without risking too much damage to functionality. Our current projects/en/torbrowser/design/index.html.en 911) favorite is to reduce the resolution of the Event.timeStamp and the Javascript projects/en/torbrowser/design/index.html.en 912) Date() object, while also introducing jitter. Our goal is to increase the projects/en/torbrowser/design/index.html.en 913) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found that projects/en/torbrowser/design/index.html.en 914) even with the default precision in most browsers, they required up to 120 projects/en/torbrowser/design/index.html.en 915) seconds of amortization and repeated trials to get stable results from their projects/en/torbrowser/design/index.html.en 916) feature set. We intend to work with the research community to establish the
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 917) optimum trade-off between quantization+jitter and amortization time.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 918) projects/en/torbrowser/design/index.html.en 919) projects/en/torbrowser/design/index.html.en 920) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 921) projects/en/torbrowser/design/index.html.en 922) We have no implementation as of yet. projects/en/torbrowser/design/index.html.en 923) projects/en/torbrowser/design/index.html.en 924) </p></li><li class="listitem">Keystroke fingerprinting projects/en/torbrowser/design/index.html.en 925) <p> projects/en/torbrowser/design/index.html.en 926) projects/en/torbrowser/design/index.html.en 927) Keystroke fingerprinting is the act of measuring key strike time and key projects/en/torbrowser/design/index.html.en 928) flight time. It is seeing increasing use as a biometric. projects/en/torbrowser/design/index.html.en 929) projects/en/torbrowser/design/index.html.en 930) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 931) projects/en/torbrowser/design/index.html.en 932) We intend to rely on the same mechanisms for defeating Javascript performance projects/en/torbrowser/design/index.html.en 933) fingerprinting: timestamp quantization and jitter. projects/en/torbrowser/design/index.html.en 934) projects/en/torbrowser/design/index.html.en 935) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 936) We have no implementation as of yet. projects/en/torbrowser/design/index.html.en 937) </p></li><li class="listitem">WebGL projects/en/torbrowser/design/index.html.en 938) <p> projects/en/torbrowser/design/index.html.en 939) projects/en/torbrowser/design/index.html.en 940) WebGL is fingerprintable both through information that is exposed about the projects/en/torbrowser/design/index.html.en 941) underlying driver and optimizations, as well as through performance projects/en/torbrowser/design/index.html.en 942) fingerprinting. projects/en/torbrowser/design/index.html.en 943) projects/en/torbrowser/design/index.html.en 944) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 945) projects/en/torbrowser/design/index.html.en 946) Because of the large amount of potential fingerprinting vectors, we intend to projects/en/torbrowser/design/index.html.en 947) deploy a similar strategy against WebGL as for plugins. First, WebGL canvases projects/en/torbrowser/design/index.html.en 948) will have click-to-play placeholders, and will not run until authorized by the projects/en/torbrowser/design/index.html.en 949) user. Second, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3323" target="_top">obfuscate driver projects/en/torbrowser/design/index.html.en 950) information</a> by hooking projects/en/torbrowser/design/index.html.en 951) <span class="command"><strong>getParameter()</strong></span>, projects/en/torbrowser/design/index.html.en 952) <span class="command"><strong>getSupportedExtensions()</strong></span>, projects/en/torbrowser/design/index.html.en 953) <span class="command"><strong>getExtension()</strong></span>, and projects/en/torbrowser/design/index.html.en 954) <span class="command"><strong>getContextAttributes()</strong></span> to provide standard minimal, projects/en/torbrowser/design/index.html.en 955) driver-neutral information. projects/en/torbrowser/design/index.html.en 956) projects/en/torbrowser/design/index.html.en 957) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 958) projects/en/torbrowser/design/index.html.en 959) Currently we simply disable WebGL. projects/en/torbrowser/design/index.html.en 960) projects/en/torbrowser/design/index.html.en 961) </p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via "New Identity" button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 962) In order to avoid long-term linkability, we provide a "New Identity" context projects/en/torbrowser/design/index.html.en 963) menu option in Torbutton.
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 964) </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id3068567"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 965)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 966) All linkable identifiers and browser state MUST be cleared by this feature.`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 967)`
Update TBB design doc w/ an... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 968) </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3057460"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Update TBB design doc based... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 969) projects/torbrowser/design/index.html.en 970) First, Torbutton disables all open tabs and windows via nsIContentPolicy projects/torbrowser/design/index.html.en 971) blocking, and then closes each tab and window. The extra step for blocking projects/torbrowser/design/index.html.en 972) tabs is done as a precaution to ensure that any asynchronous Javascript is in projects/torbrowser/design/index.html.en 973) fact properly disabled. After closing all of the windows, we then clear the projects/torbrowser/design/index.html.en 974) following state: OCSP (by toggling security.OCSP.enabled), cache, projects/torbrowser/design/index.html.en 975) site-specific zoom and content preferences, Cookies, DOM storage, safe projects/torbrowser/design/index.html.en 976) browsing key, the Google wifi geolocation token (if exists), HTTP auth, SSL projects/torbrowser/design/index.html.en 977) Session IDs, HSTS state, and the last opened URL field (via the pref projects/torbrowser/design/index.html.en 978) general.open_location.last_url). After clearing the browser state, we then projects/torbrowser/design/index.html.en 979) send the NEWNYM signal to the Tor control port to cause a new circuit to be projects/torbrowser/design/index.html.en 980) created. projects/torbrowser/design/index.html.en 981)
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 982) </blockquote></div></div></div><div class="sect2" title="3.8. Click-to-play for plugins and invasive content"><div class="titlepage"><div><div><h3 class="title"><a id="click-to-play"></a>3.8. Click-to-play for plugins and invasive content</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 983) Some content types are too invasive and/or too opaque for us to properly projects/en/torbrowser/design/index.html.en 984) eliminate their linkability properties. For these content types, we use projects/en/torbrowser/design/index.html.en 985) NoScript to provide click-to-play placeholders that do not activate the projects/en/torbrowser/design/index.html.en 986) content until the user clicks on it. This will eliminate the ability for an projects/en/torbrowser/design/index.html.en 987) adversary to use such content types to link users in a dragnet fashion across projects/en/torbrowser/design/index.html.en 988) arbitrary sites. projects/en/torbrowser/design/index.html.en 989) </p><p> projects/en/torbrowser/design/index.html.en 990) Currently, the content types isolated in this way include Flash, WebGL, and projects/en/torbrowser/design/index.html.en 991) audio and video objects. projects/en/torbrowser/design/index.html.en 992) </p></div><div class="sect2" title="3.9. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"></a>3.9. Description of Firefox Patches</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 993) The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/refs/heads/maint-2.2:/src/current-patches" target="_top">current-patches projects/en/torbrowser/design/index.html.en 994) directory of the torbrowser git repository</a>. They are: projects/en/torbrowser/design/index.html.en 995) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Block Components.interfaces and Components.lookupMethod projects/en/torbrowser/design/index.html.en 996) <p> projects/en/torbrowser/design/index.html.en 997) projects/en/torbrowser/design/index.html.en 998) In order to reduce fingerprinting, we block access to these two interfaces projects/en/torbrowser/design/index.html.en 999) from content script. Components.lookupMethod can undo our <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">Javascript projects/en/torbrowser/design/index.html.en 1000) hooks</a>, projects/en/torbrowser/design/index.html.en 1001) and Components.interfaces can be used for fingerprinting the platform, OS, and projects/en/torbrowser/design/index.html.en 1002) Firebox version, but not much else. projects/en/torbrowser/design/index.html.en 1003) projects/en/torbrowser/design/index.html.en 1004) </p></li><li class="listitem">Make Permissions Manager memory only projects/en/torbrowser/design/index.html.en 1005) <p> projects/en/torbrowser/design/index.html.en 1006) projects/en/torbrowser/design/index.html.en 1007) This patch exposes a pref 'permissions.memory_only' that properly isolates the projects/en/torbrowser/design/index.html.en 1008) permissions manager to memory, which is responsible for all user specified
Update TBB design doc based... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1009) site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a> projects/torbrowser/design/index.html.en 1010) policy from visited sites.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 1011) projects/en/torbrowser/design/index.html.en 1012) The pref does successfully clear the permissions manager memory if toggled. It projects/en/torbrowser/design/index.html.en 1013) does not need to be set in prefs.js, and can be handled by Torbutton. projects/en/torbrowser/design/index.html.en 1014) projects/en/torbrowser/design/index.html.en 1015) </p></li><li class="listitem">Make Intermediate Cert Store memory-only projects/en/torbrowser/design/index.html.en 1016) <p> projects/en/torbrowser/design/index.html.en 1017)
Update TBB design doc with... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 1018) The intermediate certificate store records the intermediate SSL certificates projects/torbrowser/design/index.html.en 1019) the browser has seen to date. Because these intermediate certificates are used projects/torbrowser/design/index.html.en 1020) by a limited number of domains (and in some cases, only a single domain), projects/torbrowser/design/index.html.en 1021) the intermediate certificate store can serve as a low-resolution record of projects/torbrowser/design/index.html.en 1022) browsing history.
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 1023) projects/en/torbrowser/design/index.html.en 1024) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 1025) projects/en/torbrowser/design/index.html.en 1026) As an additional design goal, we would like to later alter this patch to allow this projects/en/torbrowser/design/index.html.en 1027) information to be cleared from memory. The implementation does not currently projects/en/torbrowser/design/index.html.en 1028) allow this. projects/en/torbrowser/design/index.html.en 1029) projects/en/torbrowser/design/index.html.en 1030) </p></li><li class="listitem">Add HTTP auth headers before on-modify-request fires projects/en/torbrowser/design/index.html.en 1031) <p> projects/en/torbrowser/design/index.html.en 1032) projects/en/torbrowser/design/index.html.en 1033) This patch provides a trivial modification to allow us to properly remove HTTP projects/en/torbrowser/design/index.html.en 1034) auth for third parties. This patch allows us to defend against an adversary projects/en/torbrowser/design/index.html.en 1035) attempting to use <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">HTTP projects/en/torbrowser/design/index.html.en 1036) auth to silently track users between domains</a>. projects/en/torbrowser/design/index.html.en 1037) projects/en/torbrowser/design/index.html.en 1038) </p></li><li class="listitem">Add a string-based cacheKey property for domain isolation projects/en/torbrowser/design/index.html.en 1039) <p> projects/en/torbrowser/design/index.html.en 1040) projects/en/torbrowser/design/index.html.en 1041) To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the projects/en/torbrowser/design/index.html.en 1042) security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and projects/en/torbrowser/design/index.html.en 1043) unknown conflicts with OCSP</a>, we had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1044) Firefox to provide a cacheDomain cache attribute</a>. We use the url bar projects/torbrowser/design/index.html.en 1045) FQDN as input to this field.`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 1046) projects/en/torbrowser/design/index.html.en 1047) </p></li><li class="listitem">Randomize HTTP pipeline order and depth projects/en/torbrowser/design/index.html.en 1048) <p> projects/en/torbrowser/design/index.html.en 1049) As an projects/en/torbrowser/design/index.html.en 1050) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental projects/en/torbrowser/design/index.html.en 1051) defense against Website Traffic Fingerprinting</a>, we patch the standard projects/en/torbrowser/design/index.html.en 1052) HTTP pipelining code to randomize the number of requests in a projects/en/torbrowser/design/index.html.en 1053) pipeline, as well as their order. projects/en/torbrowser/design/index.html.en 1054) </p></li><li class="listitem">Block all plugins except flash projects/en/torbrowser/design/index.html.en 1055) <p> projects/en/torbrowser/design/index.html.en 1056) We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1" target="_top"> projects/en/torbrowser/design/index.html.en 1057) @mozilla.org/extensions/blocklist;1</a> service, because we projects/en/torbrowser/design/index.html.en 1058) actually want to stop plugins from ever entering the browser's process space projects/en/torbrowser/design/index.html.en 1059) and/or executing code (for example, AV plugins that collect statistics/analyze projects/en/torbrowser/design/index.html.en 1060) URLs, magical toolbars that phone home or "help" the user, skype buttons that projects/en/torbrowser/design/index.html.en 1061) ruin our day, and censorship filters). Hence we rolled our own. projects/en/torbrowser/design/index.html.en 1062) </p></li><li class="listitem">Make content-prefs service memory only projects/en/torbrowser/design/index.html.en 1063) <p> projects/en/torbrowser/design/index.html.en 1064) This patch prevents random URLs from being inserted into content-prefs.sqllite in projects/en/torbrowser/design/index.html.en 1065) the profile directory as content prefs change (includes site-zoom and perhaps projects/en/torbrowser/design/index.html.en 1066) other site prefs?).
Update TBB design doc w/ an... Mike Perry authored 12 years ago	projects/torbrowser/design/index.html.en 1067) </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033960"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033967"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033984"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 1068) projects/en/torbrowser/design/index.html.en 1069) The purpose of this section is to cover all the known ways that Tor browser projects/en/torbrowser/design/index.html.en 1070) security can be subverted from a penetration testing perspective. The hope projects/en/torbrowser/design/index.html.en 1071) is that it will be useful both for creating a "Tor Safety Check" projects/en/torbrowser/design/index.html.en 1072) page, and for developing novel tests and actively attacking Torbutton with the projects/en/torbrowser/design/index.html.en 1073) goal of finding vulnerabilities in either it or the Mozilla components, projects/en/torbrowser/design/index.html.en 1074) interfaces and settings upon which it relies. projects/en/torbrowser/design/index.html.en 1075) projects/en/torbrowser/design/index.html.en 1076) </p><div class="sect2" title="5.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>5.1. Single state testing</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 1077) projects/en/torbrowser/design/index.html.en 1078) Torbutton is a complicated piece of software. During development, changes to projects/en/torbrowser/design/index.html.en 1079) one component can affect a whole slough of unrelated features. A number of projects/en/torbrowser/design/index.html.en 1080) aggregated test suites exist that can be used to test for regressions in projects/en/torbrowser/design/index.html.en 1081) Torbutton and to help aid in the development of Torbutton-like addons and projects/en/torbrowser/design/index.html.en 1082) other privacy modifications of other browsers. Some of these test suites exist projects/en/torbrowser/design/index.html.en 1083) as a single automated page, while others are a series of pages you must visit projects/en/torbrowser/design/index.html.en 1084) individually. They are provided here for reference and future regression projects/en/torbrowser/design/index.html.en 1085) testing, and also in the hope that some brave soul will one day decide to projects/en/torbrowser/design/index.html.en 1086) combine them into a comprehensive automated test suite. projects/en/torbrowser/design/index.html.en 1087) projects/en/torbrowser/design/index.html.en 1088) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://decloak.net/" target="_top">Decloak.net</a><p> projects/en/torbrowser/design/index.html.en 1089) projects/en/torbrowser/design/index.html.en 1090) Decloak.net is the canonical source of plugin and external-application based projects/en/torbrowser/design/index.html.en 1091) proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to projects/en/torbrowser/design/index.html.en 1092) use to test their anonymity systems. projects/en/torbrowser/design/index.html.en 1093) projects/en/torbrowser/design/index.html.en 1094) </p></li><li class="listitem"><a class="ulink" href="http://deanonymizer.com/" target="_top">Deanonymizer.com</a><p> projects/en/torbrowser/design/index.html.en 1095) projects/en/torbrowser/design/index.html.en 1096) Deanonymizer.com is another automated test suite that tests for proxy bypass projects/en/torbrowser/design/index.html.en 1097) and other information disclosure vulnerabilities. It is maintained by Kyle projects/en/torbrowser/design/index.html.en 1098) Williams, the author of <a class="ulink" href="http://www.janusvm.com/" target="_top">JanusVM</a> projects/en/torbrowser/design/index.html.en 1099) and <a class="ulink" href="http://www.januspa.com/" target="_top">JanusPA</a>. projects/en/torbrowser/design/index.html.en 1100)
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1101) </p></li><li class="listitem"><a class="ulink" href="https://ip-check.info" target="_top">JonDos`
Add design doc draft. Mike Perry authored 12 years ago	`projects/en/torbrowser/design/index.html.en 1102) AnonTest</a><p> projects/en/torbrowser/design/index.html.en 1103)`
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1104) The <a class="ulink" href="https://anonymous-proxy-servers.net/" target="_top">JonDos people</a> also provide an projects/torbrowser/design/index.html.en 1105) anonymity tester. It is more focused on HTTP headers and behaviors than plugin bypass, and`
Add design doc draft. Mike Perry authored 12 years ago	projects/en/torbrowser/design/index.html.en 1106) points out a couple of headers Torbutton could do a better job with projects/en/torbrowser/design/index.html.en 1107) obfuscating. projects/en/torbrowser/design/index.html.en 1108) projects/en/torbrowser/design/index.html.en 1109) </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p> projects/en/torbrowser/design/index.html.en 1110) projects/en/torbrowser/design/index.html.en 1111) Browserspy.dk provides a tremendous collection of browser fingerprinting and projects/en/torbrowser/design/index.html.en 1112) general privacy tests. Unfortunately they are only available one page at a projects/en/torbrowser/design/index.html.en 1113) time, and there is not really solid feedback on good vs bad behavior in projects/en/torbrowser/design/index.html.en 1114) the test results. projects/en/torbrowser/design/index.html.en 1115) projects/en/torbrowser/design/index.html.en 1116) </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy projects/en/torbrowser/design/index.html.en 1117) Analyzer</a><p> projects/en/torbrowser/design/index.html.en 1118) projects/en/torbrowser/design/index.html.en 1119) The Privacy Analyzer provides a dump of all sorts of browser attributes and
Update TBB design doc with... Mike Perry authored 12 years ago	`projects/torbrowser/design/index.html.en 1120) settings that it detects, including some information on your original IP`