Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 1) <?xml version="1.0" encoding="UTF-8"?>
projects/en/torbrowser/design/index.html.en 2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 3) <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 19 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id3042393">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3042393"></a>1. Introduction</h2></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 4)
projects/en/torbrowser/design/index.html.en 5) This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>,
projects/en/torbrowser/design/index.html.en 6) <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>,
projects/en/torbrowser/design/index.html.en 7) <a class="link" href="#Implementation" title="3. Implementation">implementation</a>, <a class="link" href="#Packaging" title="4. Packaging">packaging</a> and <a class="link" href="#Testing" title="5. Testing">testing
projects/en/torbrowser/design/index.html.en 8) procedures</a> of the Tor Browser. It is
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 9) current as of Tor Browser 2.2.33-3.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 10)
projects/en/torbrowser/design/index.html.en 11) </p><p>
projects/en/torbrowser/design/index.html.en 12)
projects/en/torbrowser/design/index.html.en 13) This document is also meant to serve as a set of design requirements and to
projects/en/torbrowser/design/index.html.en 14) describe a reference implementation of a Private Browsing Mode that defends
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 15) against active network adversaries, in addition to the passive forensic local
projects/torbrowser/design/index.html.en 16) adversary currently addressed by the major browsers.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 17)
projects/en/torbrowser/design/index.html.en 18) </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 19)
projects/en/torbrowser/design/index.html.en 20) A Tor web browser adversary has a number of goals, capabilities, and attack
projects/en/torbrowser/design/index.html.en 21) types that can be used to guide us towards a set of requirements for the
projects/en/torbrowser/design/index.html.en 22) Tor Browser. Let's start with the goals.
projects/en/torbrowser/design/index.html.en 23)
projects/en/torbrowser/design/index.html.en 24) </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
projects/en/torbrowser/design/index.html.en 25) Tor, causing the user to directly connect to an IP of the adversary's
projects/en/torbrowser/design/index.html.en 26) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
projects/en/torbrowser/design/index.html.en 27) happily settle for the ability to correlate something a user did via Tor with
projects/en/torbrowser/design/index.html.en 28) their non-Tor activity. This can be done with cookies, cache identifiers,
projects/en/torbrowser/design/index.html.en 29) javascript events, and even CSS. Sometimes the fact that a user uses Tor may
projects/en/torbrowser/design/index.html.en 30) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
projects/en/torbrowser/design/index.html.en 31) The adversary may also be interested in history disclosure: the ability to
projects/en/torbrowser/design/index.html.en 32) query a user's history to see if they have issued certain censored search
projects/en/torbrowser/design/index.html.en 33) queries, or visited censored sites.
projects/en/torbrowser/design/index.html.en 34) </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>
projects/en/torbrowser/design/index.html.en 35)
projects/en/torbrowser/design/index.html.en 36) Location information such as timezone and locality can be useful for the
projects/en/torbrowser/design/index.html.en 37) adversary to determine if a user is in fact originating from one of the
projects/en/torbrowser/design/index.html.en 38) regions they are attempting to control, or to zero-in on the geographical
projects/en/torbrowser/design/index.html.en 39) location of a particular dissident or whistleblower.
projects/en/torbrowser/design/index.html.en 40)
projects/en/torbrowser/design/index.html.en 41) </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p>
projects/en/torbrowser/design/index.html.en 42)
projects/en/torbrowser/design/index.html.en 43) Anonymity set reduction is also useful in attempting to zero in on a
projects/en/torbrowser/design/index.html.en 44) particular individual. If the dissident or whistleblower is using a rare build
projects/en/torbrowser/design/index.html.en 45) of Firefox for an obscure operating system, this can be very useful
projects/en/torbrowser/design/index.html.en 46) information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>.
projects/en/torbrowser/design/index.html.en 47)
projects/en/torbrowser/design/index.html.en 48) </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
projects/en/torbrowser/design/index.html.en 49) information</strong></span><p>
projects/en/torbrowser/design/index.html.en 50) In some cases, the adversary may opt for a heavy-handed approach, such as
projects/en/torbrowser/design/index.html.en 51) seizing the computers of all Tor users in an area (especially after narrowing
projects/en/torbrowser/design/index.html.en 52) the field by the above two pieces of information). History records and cache
projects/en/torbrowser/design/index.html.en 53) data are the primary goals here.
projects/en/torbrowser/design/index.html.en 54) </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p>
projects/en/torbrowser/design/index.html.en 55) The adversary can position themselves at a number of different locations in
projects/en/torbrowser/design/index.html.en 56) order to execute their attacks.
projects/en/torbrowser/design/index.html.en 57) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
projects/en/torbrowser/design/index.html.en 58) The adversary can run exit nodes, or alternatively, they may control routers
projects/en/torbrowser/design/index.html.en 59) upstream of exit nodes. Both of these scenarios have been observed in the
projects/en/torbrowser/design/index.html.en 60) wild.
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 61) </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 62) The adversary can also run websites, or more likely, they can contract out
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 63) ad space from a number of different ad servers and inject content that way. For
projects/torbrowser/design/index.html.en 64) some users, the adversary may be the ad servers themselves. It is not
projects/torbrowser/design/index.html.en 65) inconceivable that ad servers may try to subvert or reduce a user's anonymity
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 66) through Tor for marketing purposes.
projects/en/torbrowser/design/index.html.en 67) </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
projects/en/torbrowser/design/index.html.en 68) The adversary can also inject malicious content at the user's upstream router
projects/en/torbrowser/design/index.html.en 69) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
projects/en/torbrowser/design/index.html.en 70) activity.
projects/en/torbrowser/design/index.html.en 71) </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
projects/en/torbrowser/design/index.html.en 72) Some users face adversaries with intermittent or constant physical access.
projects/en/torbrowser/design/index.html.en 73) Users in Internet cafes, for example, face such a threat. In addition, in
projects/en/torbrowser/design/index.html.en 74) countries where simply using tools like Tor is illegal, users may face
projects/en/torbrowser/design/index.html.en 75) confiscation of their computer equipment for excessive Tor usage or just
projects/en/torbrowser/design/index.html.en 76) general suspicion.
projects/en/torbrowser/design/index.html.en 77) </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p>
projects/en/torbrowser/design/index.html.en 78)
projects/en/torbrowser/design/index.html.en 79) The adversary can perform the following attacks from a number of different
projects/en/torbrowser/design/index.html.en 80) positions to accomplish various aspects of their goals. It should be noted
projects/en/torbrowser/design/index.html.en 81) that many of these attacks (especially those involving IP address leakage) are
projects/en/torbrowser/design/index.html.en 82) often performed by accident by websites that simply have Javascript, dynamic
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 83) CSS elements, and plugins. Others are performed by ad servers seeking to
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 84) correlate users' activity across different IP addresses, and still others are
projects/en/torbrowser/design/index.html.en 85) performed by malicious agents on the Tor network and at national firewalls.
projects/en/torbrowser/design/index.html.en 86)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 87) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 88)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 89) The browser contains multiple facilities for storing identifiers that the
projects/torbrowser/design/index.html.en 90) adversary creates for the purposes of tracking users. These identifiers are
projects/torbrowser/design/index.html.en 91) most obviously cookies, but also include HTTP auth, DOM storage, cached
projects/torbrowser/design/index.html.en 92) scripts and other elements with embedded identifiers, client certificates, and
projects/torbrowser/design/index.html.en 93) even TLS Session IDs.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 94)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 95) </p><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 96)
projects/en/torbrowser/design/index.html.en 97) An adversary in a position to perform MITM content alteration can inject
projects/en/torbrowser/design/index.html.en 98) document content elements to both read and inject cookies for arbitrary
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 99) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 100) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
projects/en/torbrowser/design/index.html.en 101) sidejacking</a>. In addition, the ad networks of course perform tracking
projects/en/torbrowser/design/index.html.en 102) with cookies as well.
projects/en/torbrowser/design/index.html.en 103)
projects/en/torbrowser/design/index.html.en 104) </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
projects/en/torbrowser/design/index.html.en 105) attributes</strong></span><p>
projects/en/torbrowser/design/index.html.en 106)
projects/en/torbrowser/design/index.html.en 107) There is an absurd amount of information available to websites via attributes
projects/en/torbrowser/design/index.html.en 108) of the browser. This information can be used to reduce anonymity set, or even
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 109) uniquely fingerprint individual users. Fingerprinting is an intimidating
projects/torbrowser/design/index.html.en 110) problem to attempt to tackle, especially without a metric to determine or at
projects/torbrowser/design/index.html.en 111) least intuitively understand and estimate which features will most contribute
projects/torbrowser/design/index.html.en 112) to linkability between visits.
projects/torbrowser/design/index.html.en 113)
projects/torbrowser/design/index.html.en 114) </p><p>
projects/torbrowser/design/index.html.en 115)
projects/torbrowser/design/index.html.en 116) The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study
projects/torbrowser/design/index.html.en 117) done</a> by the EFF uses the actual entropy - the number of identifying
projects/torbrowser/design/index.html.en 118) bits of information encoded in browser properties - as this metric. Their
projects/torbrowser/design/index.html.en 119) <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a>
projects/torbrowser/design/index.html.en 120) is definitely useful, and the metric is probably the appropriate one for
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 121) determining how identifying a particular browser property is. However, some
projects/en/torbrowser/design/index.html.en 122) quirks of their study means that they do not extract as much information as
|
Minor cleanup to TBB design...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 123) they could from display information: they only use desktop resolution and do
projects/torbrowser/design/index.html.en 124) not attempt to infer the size of toolbars. In the other direction, they may be
projects/torbrowser/design/index.html.en 125) over-counting in some areas, as they did not compute joint entropy over
projects/torbrowser/design/index.html.en 126) multiple attributes that may exhibit a high degree of correlation. Also, new
projects/torbrowser/design/index.html.en 127) browser features are added regularly, so the data should not be taken as
projects/torbrowser/design/index.html.en 128) final.
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 129)
projects/torbrowser/design/index.html.en 130) </p><p>
projects/torbrowser/design/index.html.en 131)
projects/torbrowser/design/index.html.en 132) Despite the uncertainty, all fingerprinting attacks leverage the following
projects/torbrowser/design/index.html.en 133) attack vectors:
projects/torbrowser/design/index.html.en 134)
projects/torbrowser/design/index.html.en 135) </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
projects/torbrowser/design/index.html.en 136)
projects/torbrowser/design/index.html.en 137) Properties of the user's request behavior comprise the bulk of low-hanging
projects/torbrowser/design/index.html.en 138) fingerprinting targets. These include: User agent, Accept-* headers, pipeline
projects/torbrowser/design/index.html.en 139) usage, and request ordering. Additionally, the use of custom filters such as
projects/torbrowser/design/index.html.en 140) AdBlock and other privacy filters can be used to fingerprint request patterns
projects/torbrowser/design/index.html.en 141) (as an extreme example).
projects/torbrowser/design/index.html.en 142)
projects/torbrowser/design/index.html.en 143) </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 144)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 145) Javascript can reveal a lot of fingerprinting information. It provides DOM
|
Minor cleanup to TBB design...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 146) objects such as window.screen and window.navigator to extract information
projects/torbrowser/design/index.html.en 147) about the useragent.
projects/torbrowser/design/index.html.en 148)
projects/torbrowser/design/index.html.en 149) Also, Javascript can be used to query the user's timezone via the
projects/torbrowser/design/index.html.en 150) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
projects/torbrowser/design/index.html.en 151) reveal information about the video cart in use, and high precision timing
projects/torbrowser/design/index.html.en 152) information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and
projects/torbrowser/design/index.html.en 153) interpreter speed</a>. In the future, new JavaScript features such as
projects/torbrowser/design/index.html.en 154) <a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/" target="_top">Resource
projects/torbrowser/design/index.html.en 155) Timing</a> may leak an unknown amount of network timing related
projects/torbrowser/design/index.html.en 156) information.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 157)
projects/en/torbrowser/design/index.html.en 158)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 159)
projects/torbrowser/design/index.html.en 160) </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
projects/torbrowser/design/index.html.en 161)
projects/torbrowser/design/index.html.en 162) The Panopticlick project found that the mere list of installed plugins (in
projects/torbrowser/design/index.html.en 163) navigator.plugins) was sufficient to provide a large degree of
projects/torbrowser/design/index.html.en 164) fingerprintability. Additionally, plugins are capable of extracting font lists,
projects/torbrowser/design/index.html.en 165) interface addresses, and other machine information that is beyond what the
projects/torbrowser/design/index.html.en 166) browser would normally provide to content. In addition, plugins can be used to
projects/torbrowser/design/index.html.en 167) store unique identifiers that are more difficult to clear than standard
projects/torbrowser/design/index.html.en 168) cookies. <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
projects/torbrowser/design/index.html.en 169) cookies</a> fall into this category, but there are likely numerous other
projects/torbrowser/design/index.html.en 170) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
projects/torbrowser/design/index.html.en 171) settings of the browser.
projects/torbrowser/design/index.html.en 172)
projects/torbrowser/design/index.html.en 173)
projects/torbrowser/design/index.html.en 174) </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
projects/torbrowser/design/index.html.en 175)
projects/torbrowser/design/index.html.en 176) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
projects/torbrowser/design/index.html.en 177) queries</a> can be inserted to gather information about the desktop size,
projects/torbrowser/design/index.html.en 178) widget size, display type, DPI, user agent type, and other information that
projects/torbrowser/design/index.html.en 179) was formerly available only to Javascript.
projects/torbrowser/design/index.html.en 180)
projects/torbrowser/design/index.html.en 181) </p></li></ol></div></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 182) OS</strong></span><p>
projects/en/torbrowser/design/index.html.en 183)
projects/en/torbrowser/design/index.html.en 184) Last, but definitely not least, the adversary can exploit either general
projects/en/torbrowser/design/index.html.en 185) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
projects/en/torbrowser/design/index.html.en 186) install malware and surveillance software. An adversary with physical access
projects/en/torbrowser/design/index.html.en 187) can perform similar actions. Regrettably, this last attack capability is
projects/en/torbrowser/design/index.html.en 188) outside of our ability to defend against, but it is worth mentioning for
projects/en/torbrowser/design/index.html.en 189) completeness. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails
projects/en/torbrowser/design/index.html.en 190) system</a> however can provide some limited defenses against this
projects/en/torbrowser/design/index.html.en 191) adversary.
projects/en/torbrowser/design/index.html.en 192)
projects/en/torbrowser/design/index.html.en 193) </p></li></ol></div></div></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>
projects/en/torbrowser/design/index.html.en 194)
projects/en/torbrowser/design/index.html.en 195) The Tor Browser Design Requirements are meant to describe the properties of a
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 196) Private Browsing Mode that defends against both network and local forensic
projects/torbrowser/design/index.html.en 197) adversaries.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 198)
projects/en/torbrowser/design/index.html.en 199) </p><p>
projects/en/torbrowser/design/index.html.en 200)
projects/en/torbrowser/design/index.html.en 201) There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 202) minimum properties in order for a browser to be able to support Tor and
projects/torbrowser/design/index.html.en 203) similar privacy proxies safely. Privacy requirements are the set of properties
projects/torbrowser/design/index.html.en 204) that cause us to prefer one browser platform over another.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 205)
projects/en/torbrowser/design/index.html.en 206) </p><p>
projects/en/torbrowser/design/index.html.en 207)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 208) While we will endorse the use of browsers that meet the security requirements,
projects/torbrowser/design/index.html.en 209) it is primarily the privacy requirements that cause us to maintain our own
projects/torbrowser/design/index.html.en 210) browser distribution.
projects/torbrowser/design/index.html.en 211)
projects/torbrowser/design/index.html.en 212) </p><p>
projects/torbrowser/design/index.html.en 213)
projects/torbrowser/design/index.html.en 214) The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
projects/torbrowser/design/index.html.en 215) NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
projects/torbrowser/design/index.html.en 216) "OPTIONAL" in this document are to be interpreted as described in
projects/torbrowser/design/index.html.en 217) <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 218)
projects/en/torbrowser/design/index.html.en 219) </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 220)
projects/en/torbrowser/design/index.html.en 221) The security requirements are primarily concerned with ensuring the safe use
projects/en/torbrowser/design/index.html.en 222) of Tor. Violations in these properties typically result in serious risk for
|
Add a couple extra sentence...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 223) the user in terms of immediate deanonymization and/or observability. With
projects/torbrowser/design/index.html.en 224) respect to platform support, security requirements are the minimum properties
projects/torbrowser/design/index.html.en 225) in order for Tor to support the use of a web client platform.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 226)
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 227) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="3.1. Proxy Obedience"><span class="command"><strong>Proxy
projects/torbrowser/design/index.html.en 228) Obedience</strong></span></a><p>The browser
projects/torbrowser/design/index.html.en 229) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="3.2. State Separation"><span class="command"><strong>State
projects/torbrowser/design/index.html.en 230) Separation</strong></span></a><p>The browser MUST NOT provide any stored state to the content window
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 231) from other browsers or other browsing modes, including shared state from
projects/en/torbrowser/design/index.html.en 232) plugins, machine identifiers, and TLS session state.
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 233) </p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance"><span class="command"><strong>Disk
projects/torbrowser/design/index.html.en 234) Avoidance</strong></span></a><p>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 235)
projects/torbrowser/design/index.html.en 236) The browser MUST NOT write any information that is derived from or that
projects/torbrowser/design/index.html.en 237) reveals browsing activity to the disk, or store it in memory beyond the
projects/torbrowser/design/index.html.en 238) duration of one browsing session, unless the user has explicitly opted to
projects/torbrowser/design/index.html.en 239) store their browsing history information to disk.
projects/torbrowser/design/index.html.en 240)
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 241) </p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="3.4. Application Data Isolation"><span class="command"><strong>Application Data
projects/torbrowser/design/index.html.en 242) Isolation</strong></span></a><p>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 243)
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 244) The components involved in providing private browsing MUST be self-contained,
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 245) or MUST provide a mechanism for rapid, complete removal of all evidence of the
projects/torbrowser/design/index.html.en 246) use of the mode. In other words, the browser MUST NOT write or cause the
projects/torbrowser/design/index.html.en 247) operating system to write <span class="emphasis"><em>any information</em></span> about the use
projects/torbrowser/design/index.html.en 248) of private browsing to disk outside of the application's control. The user
projects/torbrowser/design/index.html.en 249) must be able to ensure that secure removal of the software is sufficient to
projects/torbrowser/design/index.html.en 250) remove evidence of the use of the software. All exceptions and shortcomings
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 251) due to operating system behavior MUST be wiped by an uninstaller. However, due
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 252) to permissions issues with access to swap, implementations MAY choose to leave
projects/torbrowser/design/index.html.en 253) it out of scope, and/or leave it to the user to implement encrypted swap.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 254)
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 255) </p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 256)
projects/en/torbrowser/design/index.html.en 257) The privacy requirements are primarily concerned with reducing linkability:
|
Add a couple extra sentence...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 258) the ability for a user's activity on one site to be linked with their activity
projects/torbrowser/design/index.html.en 259) on another site without their knowledge or explicit consent. With respect to
projects/torbrowser/design/index.html.en 260) platform support, privacy requirements are the set of properties that cause us
projects/torbrowser/design/index.html.en 261) to prefer one platform over another.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 262)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 263) </p><p>
projects/torbrowser/design/index.html.en 264)
projects/torbrowser/design/index.html.en 265) For the purposes of the unlinkability requirements of this section as well as
projects/torbrowser/design/index.html.en 266) the descriptions in the <a class="link" href="#Implementation" title="3. Implementation">implementation
projects/torbrowser/design/index.html.en 267) section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the
projects/torbrowser/design/index.html.en 268) second-level DNS name. For example, for mail.google.com, the origin would be
projects/torbrowser/design/index.html.en 269) google.com. Implementations MAY, at their option, restrict the url bar origin
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 270) to be the entire fully qualified domain name.
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 271)
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 272) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="3.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
projects/torbrowser/design/index.html.en 273) Identifier Unlinkability</strong></span></a><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 274)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 275) User activity on one url bar origin MUST NOT be linkable to their activity in
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 276) any other url bar origin by any third party automatically or without user
projects/torbrowser/design/index.html.en 277) interaction or approval. This requirement specifically applies to linkability
projects/torbrowser/design/index.html.en 278) from stored browser identifiers, authentication tokens, and shared state. The
projects/torbrowser/design/index.html.en 279) requirement does not apply to linkable information the user manually submits
projects/torbrowser/design/index.html.en 280) to sites, or due information submitted during manual link traversal. This
projects/torbrowser/design/index.html.en 281) functionality SHOULD NOT interfere with federated login in a substantial way.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 282)
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 283) </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="3.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
projects/torbrowser/design/index.html.en 284) Fingerprinting Unlinkability</strong></span></a><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 285)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 286) User activity on one url bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en 287) any other url bar origin by any third party. This property specifically applies to
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 288) linkability from fingerprinting browser behavior.
projects/en/torbrowser/design/index.html.en 289)
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 290) </p></li><li class="listitem"><a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button"><span class="command"><strong>Long-Term
projects/torbrowser/design/index.html.en 291) Unlinkability</strong></span></a><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 292)
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 293) The browser SHOULD provide an obvious, easy way to remove all of its
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 294) authentication tokens and browser state and obtain a fresh identity.
projects/torbrowser/design/index.html.en 295) Additionally, the browser SHOULD clear linkable state by default automatically
projects/torbrowser/design/index.html.en 296) upon browser restart, except at user option.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 297)
projects/en/torbrowser/design/index.html.en 298) </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 299)
projects/en/torbrowser/design/index.html.en 300) In addition to the above design requirements, the technology decisions about
projects/en/torbrowser/design/index.html.en 301) Tor Browser are also guided by some philosophical positions about technology.
projects/en/torbrowser/design/index.html.en 302)
projects/en/torbrowser/design/index.html.en 303) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>
projects/en/torbrowser/design/index.html.en 304)
projects/en/torbrowser/design/index.html.en 305) The existing way that the user expects to use a browser must be preserved. If
projects/en/torbrowser/design/index.html.en 306) the user has to maintain a different mental model of how the sites they are
projects/en/torbrowser/design/index.html.en 307) using behave depending on tab, browser state, or anything else that would not
projects/en/torbrowser/design/index.html.en 308) normally be what they experience in their default browser, the user will
projects/en/torbrowser/design/index.html.en 309) inevitably be confused. They will make mistakes and reduce their privacy as a
projects/en/torbrowser/design/index.html.en 310) result. Worse, they may just stop using the browser, assuming it is broken.
projects/en/torbrowser/design/index.html.en 311)
projects/en/torbrowser/design/index.html.en 312) </p><p>
projects/en/torbrowser/design/index.html.en 313)
projects/en/torbrowser/design/index.html.en 314) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
projects/en/torbrowser/design/index.html.en 315) of Torbutton</a>: Even if users managed to install everything properly,
projects/en/torbrowser/design/index.html.en 316) the toggle model was too hard for the average user to understand, especially
projects/en/torbrowser/design/index.html.en 317) in the face of accumulating tabs from multiple states crossed with the current
projects/en/torbrowser/design/index.html.en 318) tor-state of the browser.
projects/en/torbrowser/design/index.html.en 319)
projects/en/torbrowser/design/index.html.en 320) </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
projects/en/torbrowser/design/index.html.en 321) break sites</strong></span><p>
projects/en/torbrowser/design/index.html.en 322)
projects/en/torbrowser/design/index.html.en 323) In general, we try to find solutions to privacy issues that will not induce
projects/en/torbrowser/design/index.html.en 324) site breakage, though this is not always possible.
projects/en/torbrowser/design/index.html.en 325)
projects/en/torbrowser/design/index.html.en 326) </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>
projects/en/torbrowser/design/index.html.en 327)
projects/en/torbrowser/design/index.html.en 328) Even if plugins always properly used the browser proxy settings (which none of
projects/en/torbrowser/design/index.html.en 329) them do) and could not be induced to bypass them (which all of them can), the
projects/en/torbrowser/design/index.html.en 330) activities of closed-source plugins are very difficult to audit and control.
projects/en/torbrowser/design/index.html.en 331) They can obtain and transmit all manner of system information to websites,
projects/en/torbrowser/design/index.html.en 332) often have their own identifier storage for tracking users, and also
projects/en/torbrowser/design/index.html.en 333) contribute to fingerprinting.
projects/en/torbrowser/design/index.html.en 334)
projects/en/torbrowser/design/index.html.en 335) </p><p>
projects/en/torbrowser/design/index.html.en 336)
projects/en/torbrowser/design/index.html.en 337) Therefore, if plugins are to be enabled in private browsing modes, they must
projects/en/torbrowser/design/index.html.en 338) be restricted from running automatically on every page (via click-to-play
projects/en/torbrowser/design/index.html.en 339) placeholders), and/or be sandboxed to restrict the types of system calls they
projects/en/torbrowser/design/index.html.en 340) can execute. If the user decides to craft an exemption to allow a plugin to be
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 341) used, it MUST only apply to the top level url bar domain, and not to all sites,
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 342) to reduce linkability.
projects/en/torbrowser/design/index.html.en 343)
projects/en/torbrowser/design/index.html.en 344) </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
projects/en/torbrowser/design/index.html.en 345)
projects/en/torbrowser/design/index.html.en 346) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
projects/en/torbrowser/design/index.html.en 347) failure of Torbutton</a> was (and still is) the options panel. Each option
projects/en/torbrowser/design/index.html.en 348) that detectably alters browser behavior can be used as a fingerprinting tool.
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 349) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">SHOULD be
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 350) disabled in the mode</a> except as an opt-in basis. We should not load
projects/en/torbrowser/design/index.html.en 351) system-wide addons or plugins.
projects/en/torbrowser/design/index.html.en 352)
projects/en/torbrowser/design/index.html.en 353) </p><p>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 354) Instead of global browser privacy options, privacy decisions SHOULD be made
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 355) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 356) url bar origin</a> to eliminate the possibility of linkability
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 357) between domains. For example, when a plugin object (or a Javascript access of
projects/en/torbrowser/design/index.html.en 358) window.plugins) is present in a page, the user should be given the choice of
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 359) allowing that plugin object for that url bar origin only. The same
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 360) goes for exemptions to third party cookie policy, geo-location, and any other
projects/en/torbrowser/design/index.html.en 361) privacy permissions.
projects/en/torbrowser/design/index.html.en 362) </p><p>
projects/en/torbrowser/design/index.html.en 363) If the user has indicated they do not care about local history storage, these
projects/en/torbrowser/design/index.html.en 364) permissions can be written to disk. Otherwise, they should remain memory-only.
projects/en/torbrowser/design/index.html.en 365) </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>
projects/en/torbrowser/design/index.html.en 366)
projects/en/torbrowser/design/index.html.en 367) Filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
projects/en/torbrowser/design/index.html.en 368) Plus</a>, <a class="ulink" href="" target="_top">Request Policy</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
projects/en/torbrowser/design/index.html.en 369) avoided. We believe that these addons do not add any real privacy to a proper
projects/en/torbrowser/design/index.html.en 370) <a class="link" href="#Implementation" title="3. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, as all third parties are
projects/en/torbrowser/design/index.html.en 371) prevented from tracking users between sites by the implementation.
projects/en/torbrowser/design/index.html.en 372) Filter-based addons can also introduce strange breakage and cause usability
projects/en/torbrowser/design/index.html.en 373) nightmares, and will also fail to do their job if an adversary simply
projects/en/torbrowser/design/index.html.en 374) registers a new domain or creates a new url path. Worse still, the unique
|
Fix a typo and some links i...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 375) filter sets that each user creates or installs will provide a wealth
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 376) of fingerprinting targets.
projects/en/torbrowser/design/index.html.en 377)
projects/en/torbrowser/design/index.html.en 378) </p><p>
projects/en/torbrowser/design/index.html.en 379)
projects/en/torbrowser/design/index.html.en 380) As a general matter, we are also generally opposed to shipping an always-on Ad
projects/en/torbrowser/design/index.html.en 381) blocker with Tor Browser. We feel that this would damage our credibility in
projects/en/torbrowser/design/index.html.en 382) terms of demonstrating that we are providing privacy through a sound design
projects/en/torbrowser/design/index.html.en 383) alone, as well as damage the acceptance of Tor users by sites who support
projects/en/torbrowser/design/index.html.en 384) themselves through advertising revenue.
projects/en/torbrowser/design/index.html.en 385)
projects/en/torbrowser/design/index.html.en 386) </p><p>
projects/en/torbrowser/design/index.html.en 387) Users are free to install these addons if they wish, but doing
projects/en/torbrowser/design/index.html.en 388) so is not recommended, as it will alter the browser request fingerprint.
projects/en/torbrowser/design/index.html.en 389) </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
projects/en/torbrowser/design/index.html.en 390) We believe that if we do not stay current with the support of new web
projects/en/torbrowser/design/index.html.en 391) technologies, we cannot hope to substantially influence or be involved in
projects/en/torbrowser/design/index.html.en 392) their proper deployment or privacy realization. However, we will likely disable
projects/en/torbrowser/design/index.html.en 393) certain new features (where possible) pending analysis and audit.
projects/en/torbrowser/design/index.html.en 394) </p></li></ol></div></div></div><div class="sect1" title="3. Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>3. Implementation</h2></div></div></div><p>
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 395)
projects/torbrowser/design/index.html.en 396) The Implementation section is divided into subsections, each of which
projects/torbrowser/design/index.html.en 397) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
projects/torbrowser/design/index.html.en 398) Each subsection is divided into specific web technologies or properties. The
projects/torbrowser/design/index.html.en 399) implementation is then described for that property.
projects/torbrowser/design/index.html.en 400)
projects/torbrowser/design/index.html.en 401) </p><p>
projects/torbrowser/design/index.html.en 402)
projects/torbrowser/design/index.html.en 403) In some cases, the implementation meets the design requirements in a non-ideal
projects/torbrowser/design/index.html.en 404) way (for example, by disabling features). In rare cases, there may be no
projects/torbrowser/design/index.html.en 405) implementation at all. Both of these cases are denoted by differentiating
projects/torbrowser/design/index.html.en 406) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
projects/torbrowser/design/index.html.en 407) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
projects/torbrowser/design/index.html.en 408) are typically linked for these cases.
projects/torbrowser/design/index.html.en 409)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 410) </p><div class="sect2" title="3.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>3.1. Proxy Obedience</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 411)
projects/en/torbrowser/design/index.html.en 412) Proxy obedience is assured through the following:
projects/en/torbrowser/design/index.html.en 413) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox Proxy settings
projects/en/torbrowser/design/index.html.en 414) <p>
projects/en/torbrowser/design/index.html.en 415) The Torbutton xpi sets the Firefox proxy settings to use Tor directly as a
projects/en/torbrowser/design/index.html.en 416) SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
projects/en/torbrowser/design/index.html.en 417) <span class="command"><strong>network.proxy.socks_version</strong></span>, and
projects/en/torbrowser/design/index.html.en 418) <span class="command"><strong>network.proxy.socks_port</strong></span>.
|
Comments from Georg + proxy...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 419) </p><p>
projects/torbrowser/design/index.html.en 420)
projects/torbrowser/design/index.html.en 421) We have verified that these settings properly proxy HTTPS, OCSP, HTTP, FTP,
projects/torbrowser/design/index.html.en 422) gopher (now defunct), DNS, SafeBrowsing Queries, all javascript activity,
projects/torbrowser/design/index.html.en 423) including HTML5 audio and video objects, addon updates, wifi geolocation
projects/torbrowser/design/index.html.en 424) queries, searchbox queries, XPCOM addon HTTPS/HTTP activity, and live bookmark
projects/torbrowser/design/index.html.en 425) updates. We have also verified that IPv6 connections are not attempted,
projects/torbrowser/design/index.html.en 426) through the proxy or otherwise (Tor does not yet support IPv6). We have also
projects/torbrowser/design/index.html.en 427) verified that external protocol helpers, such as smb urls and other custom
projects/torbrowser/design/index.html.en 428) protocol handers are all blocked.
projects/torbrowser/design/index.html.en 429)
projects/torbrowser/design/index.html.en 430) </p><p>
projects/torbrowser/design/index.html.en 431)
projects/torbrowser/design/index.html.en 432) Numerous other third parties have also reviewed and <a class="link" href="#SingleStateTesting" title="5.1. Single state testing">tested</a> the proxy settings
projects/torbrowser/design/index.html.en 433) and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/" target="_top">decloak.net</a>.
projects/torbrowser/design/index.html.en 434)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 435) </p></li><li class="listitem">Disabling plugins
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 436)
projects/torbrowser/design/index.html.en 437) <p>Plugins have the ability to make arbitrary OS system calls and <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 438) the ability to make UDP sockets and send arbitrary data independent of the
projects/en/torbrowser/design/index.html.en 439) browser proxy settings.
projects/en/torbrowser/design/index.html.en 440) </p><p>
projects/en/torbrowser/design/index.html.en 441) Torbutton disables plugins by using the
projects/en/torbrowser/design/index.html.en 442) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
projects/en/torbrowser/design/index.html.en 443) as disabled. Additionally, we set
projects/en/torbrowser/design/index.html.en 444) <span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to the list of
projects/en/torbrowser/design/index.html.en 445) supported mime types for all currently installed plugins.
projects/en/torbrowser/design/index.html.en 446) </p><p>
projects/en/torbrowser/design/index.html.en 447) In addition, to prevent any unproxied activity by plugins at load time, we
|
Fix a typo and some links i...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 448) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0007-Block-all-plugins-except-flash.patch" target="_top">prevent the load of any plugins except
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 449) for Flash and Gnash</a>.
projects/en/torbrowser/design/index.html.en 450)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 451) </p><p>
projects/torbrowser/design/index.html.en 452)
projects/torbrowser/design/index.html.en 453) Finally, even if the user alters their browser settings to re-enable the Flash
projects/torbrowser/design/index.html.en 454) plugin, we have configured NoScript to provide click-to-play placeholders, so
projects/torbrowser/design/index.html.en 455) that only desired objects will be loaded, and only after user confirmation.
projects/torbrowser/design/index.html.en 456)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 457) </p></li><li class="listitem">External App Blocking
projects/en/torbrowser/design/index.html.en 458) <p>
projects/en/torbrowser/design/index.html.en 459) External apps, if launched automatically, can be induced to load files that
projects/en/torbrowser/design/index.html.en 460) perform network activity. In order to prevent this, Torbutton installs a
projects/en/torbrowser/design/index.html.en 461) component to
|
Fix a typo and some links i...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 462) <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 463) provide the user with a popup</a> whenever the browser attempts to
projects/en/torbrowser/design/index.html.en 464) launch a helper app.
projects/en/torbrowser/design/index.html.en 465) </p></li></ol></div></div><div class="sect2" title="3.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>3.2. State Separation</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 466) Tor Browser State is separated from existing browser state through use of a
projects/en/torbrowser/design/index.html.en 467) custom Firefox profile. Furthermore, plugins are disabled, which prevents
projects/en/torbrowser/design/index.html.en 468) Flash cookies from leaking from a pre-existing Flash directory.
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 469) </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id3048300"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 470) Tor Browser MUST (at user option) prevent all disk records of browser activity.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 471) The user should be able to optionally enable URL history and other history
projects/en/torbrowser/design/index.html.en 472) features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the
projects/en/torbrowser/design/index.html.en 473) preferences interface</a>, we will likely just enable Private Browsing
projects/en/torbrowser/design/index.html.en 474) mode by default to handle this goal.
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 475) </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3052558"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 476) For now, Tor Browser blocks write access to the disk through Torbutton
projects/en/torbrowser/design/index.html.en 477) using several Firefox preferences.
projects/en/torbrowser/design/index.html.en 478)
projects/en/torbrowser/design/index.html.en 479)
projects/en/torbrowser/design/index.html.en 480)
projects/en/torbrowser/design/index.html.en 481) The set of prefs is:
projects/en/torbrowser/design/index.html.en 482) <span class="command"><strong>dom.storage.enabled</strong></span>,
projects/en/torbrowser/design/index.html.en 483) <span class="command"><strong>browser.cache.memory.enable</strong></span>,
projects/en/torbrowser/design/index.html.en 484) <span class="command"><strong>network.http.use-cache</strong></span>,
projects/en/torbrowser/design/index.html.en 485) <span class="command"><strong>browser.cache.disk.enable</strong></span>,
projects/en/torbrowser/design/index.html.en 486) <span class="command"><strong>browser.cache.offline.enable</strong></span>,
projects/en/torbrowser/design/index.html.en 487) <span class="command"><strong>general.open_location.last_url</strong></span>,
projects/en/torbrowser/design/index.html.en 488) <span class="command"><strong>places.history.enabled</strong></span>,
projects/en/torbrowser/design/index.html.en 489) <span class="command"><strong>browser.formfill.enable</strong></span>,
projects/en/torbrowser/design/index.html.en 490) <span class="command"><strong>signon.rememberSignons</strong></span>,
projects/en/torbrowser/design/index.html.en 491) <span class="command"><strong>browser.download.manager.retention</strong></span>,
projects/en/torbrowser/design/index.html.en 492) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>.
projects/en/torbrowser/design/index.html.en 493) </blockquote></div></div><p>
projects/en/torbrowser/design/index.html.en 494) In addition, three Firefox patches are needed to prevent disk writes, even if
projects/en/torbrowser/design/index.html.en 495) Private Browsing Mode is enabled. We need to
projects/en/torbrowser/design/index.html.en 496)
projects/en/torbrowser/design/index.html.en 497) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0002-Make-Permissions-Manager-memory-only.patch" target="_top">prevent
projects/en/torbrowser/design/index.html.en 498) the permissions manager from recording HTTPS STS state</a>,
projects/en/torbrowser/design/index.html.en 499) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">prevent
projects/en/torbrowser/design/index.html.en 500) intermediate SSL certificates from being recorded</a>, and
projects/en/torbrowser/design/index.html.en 501) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0008-Make-content-pref-service-memory-only-clearable.patch" target="_top">prevent
projects/en/torbrowser/design/index.html.en 502) the content preferences service from recording site zoom</a>.
projects/en/torbrowser/design/index.html.en 503)
projects/en/torbrowser/design/index.html.en 504) For more details on these patches, <a class="link" href="#firefox-patches" title="3.9. Description of Firefox Patches">see the
projects/en/torbrowser/design/index.html.en 505) Firefox Patches section</a>.
projects/en/torbrowser/design/index.html.en 506)
projects/en/torbrowser/design/index.html.en 507) </p></div><div class="sect2" title="3.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>3.4. Application Data Isolation</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 508)
projects/en/torbrowser/design/index.html.en 509) Tor Browser Bundle MUST NOT cause any information to be written outside of the
projects/en/torbrowser/design/index.html.en 510) bundle directory. This is to ensure that the user is able to completely and
projects/en/torbrowser/design/index.html.en 511) safely remove the bundle without leaving other traces of Tor usage on their
projects/en/torbrowser/design/index.html.en 512) computer.
projects/en/torbrowser/design/index.html.en 513)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 514) </p><p>FIXME: sjmurdoch, Erinn: explain what magic we do to satisfy this,
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 515) and/or what additional work or auditing needs to be done.
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 516) </p></div><div class="sect2" title="3.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>3.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 517)
projects/en/torbrowser/design/index.html.en 518) The Tor Browser MUST prevent a user's activity on one site from being linked
projects/en/torbrowser/design/index.html.en 519) to their activity on another site. When this goal cannot yet be met with an
projects/en/torbrowser/design/index.html.en 520) existing web technology, that technology or functionality is disabled. Our
projects/en/torbrowser/design/index.html.en 521) <a class="link" href="#privacy" title="2.2. Privacy Requirements">design goal</a> is to ultimately eliminate the need to disable arbitrary
projects/en/torbrowser/design/index.html.en 522) technologies, and instead simply alter them in ways that allows them to
projects/en/torbrowser/design/index.html.en 523) function in a backwards-compatible way while avoiding linkability. Users
projects/en/torbrowser/design/index.html.en 524) should be able to use federated login of various kinds to explicitly inform
projects/en/torbrowser/design/index.html.en 525) sites who they are, but that information should not transparently allow a
projects/en/torbrowser/design/index.html.en 526) third party to record their activity from site to site without their prior
projects/en/torbrowser/design/index.html.en 527) consent.
projects/en/torbrowser/design/index.html.en 528)
projects/en/torbrowser/design/index.html.en 529) </p><p>
projects/en/torbrowser/design/index.html.en 530)
projects/en/torbrowser/design/index.html.en 531) The benefit of this approach comes not only in the form of reduced
projects/en/torbrowser/design/index.html.en 532) linkability, but also in terms of simplified privacy UI. If all stored browser
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 533) state and permissions become associated with the url bar origin, the six or
projects/torbrowser/design/index.html.en 534) seven different pieces of privacy UI governing these identifiers and
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 535) permissions can become just one piece of UI. For instance, a window that lists
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 536) the url bar origin for which browser state exists, possibly with a
projects/torbrowser/design/index.html.en 537) context-menu option to drill down into specific types of state or permissions.
projects/torbrowser/design/index.html.en 538) An example of this simplification can be seen in Figure 1.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 539)
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 540) </p><div class="figure"><a id="id3051496"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 541)
projects/en/torbrowser/design/index.html.en 542) On the left is the standard Firefox cookie manager. On the right is a mock-up
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 543) of how isolating identifiers to the URL bar origin might simplify the privacy
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 544) UI for all data - not just cookies. Both windows represent the set of
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 545) Cookies accumulated after visiting just five sites, but the window on the
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 546) right has the option of also representing history, DOM Storage, HTTP Auth,
projects/en/torbrowser/design/index.html.en 547) search form history, login values, and so on within a context menu for each
projects/en/torbrowser/design/index.html.en 548) site.
projects/en/torbrowser/design/index.html.en 549)
projects/en/torbrowser/design/index.html.en 550) </div></div></div><br class="figure-break" /><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Cookies
projects/en/torbrowser/design/index.html.en 551) <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 552)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 553) All cookies MUST be double-keyed to the url bar origin and third-party
projects/torbrowser/design/index.html.en 554) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>
projects/torbrowser/design/index.html.en 555) that contains a prototype patch, but it lacks UI, and does not apply to modern
projects/torbrowser/design/index.html.en 556) Firefoxes.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 557)
projects/en/torbrowser/design/index.html.en 558) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 559)
projects/en/torbrowser/design/index.html.en 560) As a stopgap to satisfy our design requirement of unlinkability, we currently
projects/en/torbrowser/design/index.html.en 561) entirely disable 3rd party cookies by setting
projects/en/torbrowser/design/index.html.en 562) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
|
Comments from Georg + proxy...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 563) third party content continue to function, but we believe the requirement for
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 564) unlinkability trumps that desire.
projects/en/torbrowser/design/index.html.en 565)
projects/en/torbrowser/design/index.html.en 566) </p></li><li class="listitem">Cache
projects/en/torbrowser/design/index.html.en 567) <p>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 568)
projects/torbrowser/design/index.html.en 569) Cache is isolated to the url bar origin by using a technique pioneered by
projects/torbrowser/design/index.html.en 570) Colin Jackson et al, via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 571) <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 572) attribute that Firefox uses internally to prevent improper caching and reuse
projects/torbrowser/design/index.html.en 573) of HTTP POST data.
projects/torbrowser/design/index.html.en 574)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 575) </p><p>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 576)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 577) However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 578) security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve conflicts
projects/torbrowser/design/index.html.en 579) with OCSP relying the cacheKey property for reuse of POST requests</a>, we
projects/torbrowser/design/index.html.en 580) had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
projects/torbrowser/design/index.html.en 581) Firefox to provide a cacheDomain cache attribute</a>. We use the fully
projects/torbrowser/design/index.html.en 582) qualified url bar domain as input to this field.
projects/torbrowser/design/index.html.en 583)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 584) </p><p>
projects/en/torbrowser/design/index.html.en 585)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 586) Furthermore, we chose a different
projects/torbrowser/design/index.html.en 587) isolation scheme than the Stanford implementation. First, we decoupled the
projects/torbrowser/design/index.html.en 588) cache isolation from the third party cookie attribute. Second, we use several
projects/torbrowser/design/index.html.en 589) mechanisms to attempt to determine the actual location attribute of the
projects/torbrowser/design/index.html.en 590) top-level window (to obtain the url bar FQDN) used to load the page, as
projects/torbrowser/design/index.html.en 591) opposed to relying solely on the referer property.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 592)
projects/en/torbrowser/design/index.html.en 593) </p><p>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 594)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 595) Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 596) Stanford test cases</a> are expected to fail. Functionality can still be
projects/torbrowser/design/index.html.en 597) verified by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and
projects/torbrowser/design/index.html.en 598) viewing the key used for each cache entry. Each third party element should
projects/torbrowser/design/index.html.en 599) have an additional "domain=string" property prepended, which will list the
projects/torbrowser/design/index.html.en 600) FQDN that was used to source the third party element.
projects/torbrowser/design/index.html.en 601)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 602) </p></li><li class="listitem">HTTP Auth
projects/en/torbrowser/design/index.html.en 603) <p>
projects/en/torbrowser/design/index.html.en 604)
projects/en/torbrowser/design/index.html.en 605) HTTP authentication tokens are removed for third party elements using the
projects/en/torbrowser/design/index.html.en 606) <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request
projects/en/torbrowser/design/index.html.en 607) observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
projects/en/torbrowser/design/index.html.en 608) linkability between domains</a>. We also needed to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch" target="_top">patch
projects/en/torbrowser/design/index.html.en 609) Firefox to cause the headers to get added early enough</a> to allow the
projects/en/torbrowser/design/index.html.en 610) observer to modify it.
projects/en/torbrowser/design/index.html.en 611)
projects/en/torbrowser/design/index.html.en 612) </p></li><li class="listitem">DOM Storage
projects/en/torbrowser/design/index.html.en 613) <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 614)
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 615) DOM storage for third party domains MUST be isolated to the url bar origin,
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 616) to prevent linkability between sites.
projects/en/torbrowser/design/index.html.en 617)
projects/en/torbrowser/design/index.html.en 618) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 619)
projects/en/torbrowser/design/index.html.en 620) Because it is isolated to third party domain as opposed to top level url bar
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 621) origin, we entirely disable DOM storage as a stopgap to ensure unlinkability.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 622)
|
Describe our efforts agains...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 623) </p></li><li class="listitem">Flash cookies
projects/torbrowser/design/index.html.en 624) <p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 625)
projects/torbrowser/design/index.html.en 626) Users should be able to click-to-play flash objects from trusted sites. To
projects/torbrowser/design/index.html.en 627) make this behavior unlinkable, we wish to include a settings file for all platforms that disables flash
projects/torbrowser/design/index.html.en 628) cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
projects/torbrowser/design/index.html.en 629) settings manager</a>.
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 630)
|
Describe our efforts agains...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 631) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 632)
projects/torbrowser/design/index.html.en 633) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
projects/torbrowser/design/index.html.en 634) difficulties</a> causing Flash player to use this settings
projects/torbrowser/design/index.html.en 635) file on Windows.
projects/torbrowser/design/index.html.en 636)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 637) </p></li><li class="listitem">TLS session resumption and HTTP Keep-Alive
projects/en/torbrowser/design/index.html.en 638) <p>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 639) TLS session resumption and HTTP Keep-Alive MUST NOT allow third party origins
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 640) to track users via either TLS session IDs, or the fact that different requests
projects/en/torbrowser/design/index.html.en 641) arrive on the same TCP connection.
projects/en/torbrowser/design/index.html.en 642) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 643)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 644) TLS session resumption IDs MUST be limited to the url bar origin.
projects/torbrowser/design/index.html.en 645) HTTP Keep-Alive connections from a third party in one url bar origin must
projects/torbrowser/design/index.html.en 646) not be reused for that same third party in another url bar origin.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 647)
projects/en/torbrowser/design/index.html.en 648) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 649)
|
Comments from Georg + proxy...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 650) We currently clear TLS Session IDs upon <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New
projects/torbrowser/design/index.html.en 651) Identity</a>, but we have no origin restriction implementation as of yet.
projects/torbrowser/design/index.html.en 652) We plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4099" target="_top">disable TLS session
projects/torbrowser/design/index.html.en 653) resumption</a>, and limit HTTP Keep-alive duration as stopgaps to limit
projects/torbrowser/design/index.html.en 654) linkability until we can implement <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4100" target="_top">true origin
projects/torbrowser/design/index.html.en 655) isolation</a> (the latter we feel will be fairly tricky).
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 656)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 657) </p></li><li class="listitem">User confirmation for cross-origin redirects
projects/torbrowser/design/index.html.en 658) <p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 659)
projects/torbrowser/design/index.html.en 660) To prevent attacks aimed at subverting the Cross-Origin Identifier
projects/torbrowser/design/index.html.en 661) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 662) MUST prompt the user before following redirects that would cause the user to
projects/torbrowser/design/index.html.en 663) automatically navigate between two different url bar origins. The prompt
projects/torbrowser/design/index.html.en 664) SHOULD inform the user about the ability to use <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New Identity</a> to clear the linked identifiers
projects/torbrowser/design/index.html.en 665) created by the redirect.
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 666)
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 667) </p><p>
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 668)
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 669) To reduce the occurrence of warning fatigue, these warning messages MAY be limited
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 670) to automated redirect cycles only. For example, the automated redirect
projects/torbrowser/design/index.html.en 671) sequence <span class="command"><strong>User Click -> t.co -> bit.ly -> cnn.com</strong></span> can be
projects/torbrowser/design/index.html.en 672) assumed to be benign, but the redirect sequence <span class="command"><strong>User Click -> t.co ->
projects/torbrowser/design/index.html.en 673) bit.ly -> cnn.com -> 2o7.net -> scorecardresearch.net -> cnn.com</strong></span> is
projects/torbrowser/design/index.html.en 674) clearly due to tracking. Non-automated redirect cycles that require
projects/torbrowser/design/index.html.en 675) user input at some step (such as federated login systems) need not be
projects/torbrowser/design/index.html.en 676) interrupted by the UI.
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 677)
projects/torbrowser/design/index.html.en 678) </p><p>
projects/torbrowser/design/index.html.en 679)
projects/torbrowser/design/index.html.en 680) We are not concerned with linkability due to explicit user action (either by
projects/torbrowser/design/index.html.en 681) accepting cross-origin redirects, or by clicking normal links) because it is
projects/torbrowser/design/index.html.en 682) assumed that private browsing sessions will be relatively short-lived,
projects/torbrowser/design/index.html.en 683) especially with frequent use of the <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New
projects/torbrowser/design/index.html.en 684) Identity</a> button.
projects/torbrowser/design/index.html.en 685)
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 686) </p><p><span class="command"><strong>Implementation status:</strong></span>
projects/torbrowser/design/index.html.en 687)
projects/torbrowser/design/index.html.en 688) There are numerous ways for the user to be redirected, and the Firefox API
projects/torbrowser/design/index.html.en 689) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
projects/torbrowser/design/index.html.en 690) open</a> to implement what we can.
projects/torbrowser/design/index.html.en 691)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 692) </p></li><li class="listitem">window.name
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 693) <p>
projects/en/torbrowser/design/index.html.en 694)
projects/en/torbrowser/design/index.html.en 695) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
projects/en/torbrowser/design/index.html.en 696) a magical DOM property that for some reason is allowed to retain a persistent value
projects/en/torbrowser/design/index.html.en 697) for the lifespan of a browser tab. It is possible to utilize this property for
projects/en/torbrowser/design/index.html.en 698) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
projects/en/torbrowser/design/index.html.en 699) storage</a>.
projects/en/torbrowser/design/index.html.en 700)
projects/en/torbrowser/design/index.html.en 701) </p><p>
projects/en/torbrowser/design/index.html.en 702)
projects/en/torbrowser/design/index.html.en 703) In order to eliminate linkability but still allow for sites that utilize this
projects/en/torbrowser/design/index.html.en 704) property to function, we reset the window.name property of tabs in Torbutton every
projects/en/torbrowser/design/index.html.en 705) time we encounter a blank referer. This behavior allows window.name to persist
projects/en/torbrowser/design/index.html.en 706) for the duration of a link-driven navigation session, but as soon as the user
projects/en/torbrowser/design/index.html.en 707) enters a new URL or navigates between https/http schemes, the property is cleared.
projects/en/torbrowser/design/index.html.en 708)
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 709) </p></li><li class="listitem">Auto form-fill
projects/torbrowser/design/index.html.en 710) <p>
projects/torbrowser/design/index.html.en 711)
projects/torbrowser/design/index.html.en 712) We disable the password saving functionality in the browser as part of our
projects/torbrowser/design/index.html.en 713) <a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
projects/torbrowser/design/index.html.en 714) since users may decide to re-enable disk history records and password saving,
projects/torbrowser/design/index.html.en 715) we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
projects/torbrowser/design/index.html.en 716) preference to false to prevent saved values from immediately populating
projects/torbrowser/design/index.html.en 717) fields upon page load. Since Javascript can read these values as soon as they
projects/torbrowser/design/index.html.en 718) appear, setting this preference prevents automatic linkability from stored passwords.
projects/torbrowser/design/index.html.en 719)
projects/torbrowser/design/index.html.en 720) </p></li><li class="listitem">HSTS supercookies
projects/torbrowser/design/index.html.en 721) <p>
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 722)
projects/torbrowser/design/index.html.en 723) An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS
projects/torbrowser/design/index.html.en 724) supercookies</a>. Since HSTS effectively stores one bit of information per domain
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 725) name, an adversary in possession of numerous domains can use them to construct
projects/torbrowser/design/index.html.en 726) cookies based on stored HSTS state.
projects/torbrowser/design/index.html.en 727)
projects/torbrowser/design/index.html.en 728) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 729)
projects/torbrowser/design/index.html.en 730) There appears to be three options for us: 1. Disable HSTS entirely, and rely
|
Additional comments from Ge...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 731) instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
projects/torbrowser/design/index.html.en 732) Restrict the number of HSTS-enabled third parties allowed per url bar origin.
projects/torbrowser/design/index.html.en 733) 3. Prevent third parties from storing HSTS rules. We have not yet decided upon
projects/torbrowser/design/index.html.en 734) the best approach.
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 735)
projects/torbrowser/design/index.html.en 736) </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
projects/torbrowser/design/index.html.en 737) cleared by <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New Identity</a>, but we don't
projects/torbrowser/design/index.html.en 738) defend against the creation of these cookies between <span class="command"><strong>New
projects/torbrowser/design/index.html.en 739) Identity</strong></span> invocations.
projects/torbrowser/design/index.html.en 740) </p></li><li class="listitem">Exit node usage
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 741) <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 742)
projects/en/torbrowser/design/index.html.en 743) Every distinct navigation session (as defined by a non-blank referer header)
projects/en/torbrowser/design/index.html.en 744) MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node
projects/en/torbrowser/design/index.html.en 745) observers from linking concurrent browsing activity.
projects/en/torbrowser/design/index.html.en 746)
projects/en/torbrowser/design/index.html.en 747) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 748)
projects/en/torbrowser/design/index.html.en 749) The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
projects/en/torbrowser/design/index.html.en 750) series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455" target="_top">Ticket
projects/en/torbrowser/design/index.html.en 751) #3455</a> is the Torbutton ticket to make use of the new Tor
projects/en/torbrowser/design/index.html.en 752) functionality.
projects/en/torbrowser/design/index.html.en 753)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 754) </p></li></ol></div></div><div class="sect2" title="3.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>3.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 755)
projects/en/torbrowser/design/index.html.en 756) In order to properly address the fingerprinting adversary on a technical
projects/en/torbrowser/design/index.html.en 757) level, we need a metric to measure linkability of the various browser
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 758) properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 759) by the EFF provides us with exactly this metric. The researchers conducted a
projects/en/torbrowser/design/index.html.en 760) survey of volunteers who were asked to visit an experiment page that harvested
projects/en/torbrowser/design/index.html.en 761) many of the above components. They then computed the Shannon Entropy of the
projects/en/torbrowser/design/index.html.en 762) resulting distribution of each of several key attributes to determine how many
projects/en/torbrowser/design/index.html.en 763) bits of identifying information each attribute provided.
projects/en/torbrowser/design/index.html.en 764)
projects/en/torbrowser/design/index.html.en 765) </p><p>
projects/en/torbrowser/design/index.html.en 766)
projects/en/torbrowser/design/index.html.en 767) The study is not exhaustive, though. In particular, the test does not take in
projects/en/torbrowser/design/index.html.en 768) all aspects of resolution information. It did not calculate the size of
projects/en/torbrowser/design/index.html.en 769) widgets, window decoration, or toolbar size, which we believe may add high
projects/en/torbrowser/design/index.html.en 770) amounts of entropy. It also did not measure clock offset and other time-based
projects/en/torbrowser/design/index.html.en 771) fingerprints. Furthermore, as new browser features are added, this experiment
projects/en/torbrowser/design/index.html.en 772) should be repeated to include them.
projects/en/torbrowser/design/index.html.en 773)
projects/en/torbrowser/design/index.html.en 774) </p><p>
projects/en/torbrowser/design/index.html.en 775)
projects/en/torbrowser/design/index.html.en 776) On the other hand, to avoid an infinite sinkhole, we reduce the efforts for
projects/en/torbrowser/design/index.html.en 777) fingerprinting resistance by only concerning ourselves with reducing the
projects/en/torbrowser/design/index.html.en 778) fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. We
projects/en/torbrowser/design/index.html.en 779) do not believe it is productive to concern ourselves with cross-browser
projects/en/torbrowser/design/index.html.en 780) fingerprinting issues, at least not at this stage.
projects/en/torbrowser/design/index.html.en 781)
projects/en/torbrowser/design/index.html.en 782) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins
projects/en/torbrowser/design/index.html.en 783) <p>
projects/en/torbrowser/design/index.html.en 784)
projects/en/torbrowser/design/index.html.en 785) Plugins add to fingerprinting risk via two main vectors: their mere presence in
projects/en/torbrowser/design/index.html.en 786) window.navigator.plugins, as well as their internal functionality.
projects/en/torbrowser/design/index.html.en 787)
projects/en/torbrowser/design/index.html.en 788) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 789)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 790) All plugins that have not been specifically audited or sandboxed MUST be
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 791) disabled. To reduce linkability potential, even sandboxed plugins should not
projects/en/torbrowser/design/index.html.en 792) be allowed to load objects until the user has clicked through a click-to-play
projects/en/torbrowser/design/index.html.en 793) barrier. Additionally, version information should be reduced or obfuscated
projects/en/torbrowser/design/index.html.en 794) until the plugin object is loaded.
projects/en/torbrowser/design/index.html.en 795)
projects/en/torbrowser/design/index.html.en 796) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 797)
projects/en/torbrowser/design/index.html.en 798) Currently, we entirely disable all plugins in Tor Browser. However, as a
projects/en/torbrowser/design/index.html.en 799) compromise due to the popularity of Flash, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">work
projects/en/torbrowser/design/index.html.en 800) towards</a> a
projects/en/torbrowser/design/index.html.en 801) click-to-play barrier using NoScript that is available only after the user has
projects/en/torbrowser/design/index.html.en 802) specifically enabled plugins. Flash will be the only plugin available, and we
projects/en/torbrowser/design/index.html.en 803) will ship a settings.sol file to disable Flash cookies, and to restrict P2P
projects/en/torbrowser/design/index.html.en 804) features that likely bypass proxy settings.
projects/en/torbrowser/design/index.html.en 805)
projects/en/torbrowser/design/index.html.en 806) </p></li><li class="listitem">Fonts
projects/en/torbrowser/design/index.html.en 807) <p>
projects/en/torbrowser/design/index.html.en 808)
projects/en/torbrowser/design/index.html.en 809) According to the Panopticlick study, fonts provide the most linkability when
projects/en/torbrowser/design/index.html.en 810) they are provided as an enumerable list in filesystem order, via either the
projects/en/torbrowser/design/index.html.en 811) Flash or Java plugins. However, it is still possible to use CSS and/or
projects/en/torbrowser/design/index.html.en 812) Javascript to query for the existence of specific fonts. With a large enough
projects/en/torbrowser/design/index.html.en 813) pre-built list to query, a large amount of fingerprintable information may
projects/en/torbrowser/design/index.html.en 814) still be available.
projects/en/torbrowser/design/index.html.en 815)
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 816) </p><p>
projects/torbrowser/design/index.html.en 817)
projects/torbrowser/design/index.html.en 818) The sure-fire way to address font linkability is to ship the browser with a
projects/torbrowser/design/index.html.en 819) font for every language, typeface, and style in use in the world, and to only
projects/torbrowser/design/index.html.en 820) use those fonts at the exclusion of system fonts. However, this set may be
projects/torbrowser/design/index.html.en 821) impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts" target="_top">common
projects/torbrowser/design/index.html.en 822) subset</a> may be found that provides total coverage. However, we believe
projects/torbrowser/design/index.html.en 823) that with strong url bar origin identifier isolation, a simpler approach can reduce the
projects/torbrowser/design/index.html.en 824) number of bits available to the adversary while avoiding the rendering and
projects/torbrowser/design/index.html.en 825) language issues of supporting a global font set.
projects/torbrowser/design/index.html.en 826)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 827) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 828)
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 829) We intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of
projects/torbrowser/design/index.html.en 830) fonts</a> a url bar origin can load, gracefully degrading to built-in
projects/torbrowser/design/index.html.en 831) and/or remote fonts once the limit is reached.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 832)
projects/en/torbrowser/design/index.html.en 833) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 834)
projects/en/torbrowser/design/index.html.en 835) Aside from disabling plugins to prevent enumeration, we have not yet
projects/en/torbrowser/design/index.html.en 836) implemented any defense against CSS or Javascript fonts.
projects/en/torbrowser/design/index.html.en 837)
projects/en/torbrowser/design/index.html.en 838) </p></li><li class="listitem">User Agent and HTTP Headers
projects/en/torbrowser/design/index.html.en 839) <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 840)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 841) All Tor Browser users MUST provide websites with an identical user agent and
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 842) HTTP header set for a given request type. We omit the Firefox minor revision,
projects/en/torbrowser/design/index.html.en 843) and report a popular Windows platform. If the software is kept up to date,
projects/en/torbrowser/design/index.html.en 844) these headers should remain identical across the population even when updated.
projects/en/torbrowser/design/index.html.en 845)
projects/en/torbrowser/design/index.html.en 846) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 847)
projects/en/torbrowser/design/index.html.en 848) Firefox provides several options for controlling the browser user agent string
projects/en/torbrowser/design/index.html.en 849) which we leverage. We also set similar prefs for controlling the
projects/en/torbrowser/design/index.html.en 850) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
projects/en/torbrowser/design/index.html.en 851) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0001-Block-Components.interfaces-lookupMethod-from-conten.patch" target="_top">remove
projects/en/torbrowser/design/index.html.en 852) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
projects/en/torbrowser/design/index.html.en 853) used</a> to fingerprint OS, platform, and Firefox minor version. </p></li><li class="listitem">Desktop resolution and CSS Media Queries
projects/en/torbrowser/design/index.html.en 854) <p>
projects/en/torbrowser/design/index.html.en 855)
projects/en/torbrowser/design/index.html.en 856) Both CSS and Javascript have a lot of irrelevant information about the screen
projects/en/torbrowser/design/index.html.en 857) resolution, usable desktop size, OS widget size, toolbar size, title bar size, and
projects/en/torbrowser/design/index.html.en 858) other desktop features that are not at all relevant to rendering and serve
projects/en/torbrowser/design/index.html.en 859) only to provide information for fingerprinting.
projects/en/torbrowser/design/index.html.en 860)
projects/en/torbrowser/design/index.html.en 861) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 862)
projects/en/torbrowser/design/index.html.en 863) Our design goal here is to reduce the resolution information down to the bare
projects/en/torbrowser/design/index.html.en 864) minimum required for properly rendering inside a content window. We intend to
projects/en/torbrowser/design/index.html.en 865) report all rendering information correctly with respect to the size and
projects/en/torbrowser/design/index.html.en 866) properties of the content window, but report an effective size of 0 for all
projects/en/torbrowser/design/index.html.en 867) border material, and also report that the desktop is only as big as the
projects/en/torbrowser/design/index.html.en 868) inner content window. Additionally, new browser windows are sized such that
projects/en/torbrowser/design/index.html.en 869) their content windows are one of ~5 fixed sizes based on the user's
projects/en/torbrowser/design/index.html.en 870) desktop resolution.
projects/en/torbrowser/design/index.html.en 871)
projects/en/torbrowser/design/index.html.en 872) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 873)
projects/en/torbrowser/design/index.html.en 874) We have implemented the above strategy for Javascript using Torbutton's <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">JavaScript
projects/en/torbrowser/design/index.html.en 875) hooks</a> as well as a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l4002" target="_top">resize
projects/en/torbrowser/design/index.html.en 876) new windows based on desktop resolution</a>. However, CSS Media Queries
projects/en/torbrowser/design/index.html.en 877) still <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2875" target="_top">need
projects/en/torbrowser/design/index.html.en 878) to be dealt with</a>.
projects/en/torbrowser/design/index.html.en 879)
projects/en/torbrowser/design/index.html.en 880) </p></li><li class="listitem">Timezone and clock offset
projects/en/torbrowser/design/index.html.en 881) <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 882)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 883) All Tor Browser users MUST report the same timezone to websites. Currently, we
projects/torbrowser/design/index.html.en 884) choose UTC for this purpose, although an equally valid argument could be made
projects/torbrowser/design/index.html.en 885) for EDT/EST due to the large English-speaking population density (coupled with
projects/torbrowser/design/index.html.en 886) the fact that we spoof a US English user agent). Additionally, the Tor
projects/torbrowser/design/index.html.en 887) software should detect if the users clock is significantly divergent from the
projects/torbrowser/design/index.html.en 888) clocks of the relays that it connects to, and use this to reset the clock
projects/torbrowser/design/index.html.en 889) values used in Tor Browser to something reasonably accurate.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 890)
projects/en/torbrowser/design/index.html.en 891) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 892)
projects/en/torbrowser/design/index.html.en 893) We set the timezone using the TZ environment variable, which is supported on
projects/en/torbrowser/design/index.html.en 894) all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652" target="_top">obtain a clock
projects/en/torbrowser/design/index.html.en 895) offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in
projects/en/torbrowser/design/index.html.en 896) use.
projects/en/torbrowser/design/index.html.en 897)
projects/en/torbrowser/design/index.html.en 898) </p></li><li class="listitem">Javascript performance fingerprinting
projects/en/torbrowser/design/index.html.en 899) <p>
projects/en/torbrowser/design/index.html.en 900)
projects/en/torbrowser/design/index.html.en 901) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance
projects/en/torbrowser/design/index.html.en 902) fingerprinting</a> is the act of profiling the performance
projects/en/torbrowser/design/index.html.en 903) of various Javascript functions for the purpose of fingerprinting the
projects/en/torbrowser/design/index.html.en 904) Javascript engine and the CPU.
projects/en/torbrowser/design/index.html.en 905)
projects/en/torbrowser/design/index.html.en 906) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 907)
projects/en/torbrowser/design/index.html.en 908) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
projects/en/torbrowser/design/index.html.en 909) mitigation approaches</a> to reduce the accuracy of performance
projects/en/torbrowser/design/index.html.en 910) fingerprinting without risking too much damage to functionality. Our current
projects/en/torbrowser/design/index.html.en 911) favorite is to reduce the resolution of the Event.timeStamp and the Javascript
projects/en/torbrowser/design/index.html.en 912) Date() object, while also introducing jitter. Our goal is to increase the
projects/en/torbrowser/design/index.html.en 913) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found that
projects/en/torbrowser/design/index.html.en 914) even with the default precision in most browsers, they required up to 120
projects/en/torbrowser/design/index.html.en 915) seconds of amortization and repeated trials to get stable results from their
projects/en/torbrowser/design/index.html.en 916) feature set. We intend to work with the research community to establish the
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 917) optimum trade-off between quantization+jitter and amortization time.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 918)
projects/en/torbrowser/design/index.html.en 919)
projects/en/torbrowser/design/index.html.en 920) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 921)
projects/en/torbrowser/design/index.html.en 922) We have no implementation as of yet.
projects/en/torbrowser/design/index.html.en 923)
projects/en/torbrowser/design/index.html.en 924) </p></li><li class="listitem">Keystroke fingerprinting
projects/en/torbrowser/design/index.html.en 925) <p>
projects/en/torbrowser/design/index.html.en 926)
projects/en/torbrowser/design/index.html.en 927) Keystroke fingerprinting is the act of measuring key strike time and key
projects/en/torbrowser/design/index.html.en 928) flight time. It is seeing increasing use as a biometric.
projects/en/torbrowser/design/index.html.en 929)
projects/en/torbrowser/design/index.html.en 930) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 931)
projects/en/torbrowser/design/index.html.en 932) We intend to rely on the same mechanisms for defeating Javascript performance
projects/en/torbrowser/design/index.html.en 933) fingerprinting: timestamp quantization and jitter.
projects/en/torbrowser/design/index.html.en 934)
projects/en/torbrowser/design/index.html.en 935) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 936) We have no implementation as of yet.
projects/en/torbrowser/design/index.html.en 937) </p></li><li class="listitem">WebGL
projects/en/torbrowser/design/index.html.en 938) <p>
projects/en/torbrowser/design/index.html.en 939)
projects/en/torbrowser/design/index.html.en 940) WebGL is fingerprintable both through information that is exposed about the
projects/en/torbrowser/design/index.html.en 941) underlying driver and optimizations, as well as through performance
projects/en/torbrowser/design/index.html.en 942) fingerprinting.
projects/en/torbrowser/design/index.html.en 943)
projects/en/torbrowser/design/index.html.en 944) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 945)
projects/en/torbrowser/design/index.html.en 946) Because of the large amount of potential fingerprinting vectors, we intend to
projects/en/torbrowser/design/index.html.en 947) deploy a similar strategy against WebGL as for plugins. First, WebGL canvases
projects/en/torbrowser/design/index.html.en 948) will have click-to-play placeholders, and will not run until authorized by the
projects/en/torbrowser/design/index.html.en 949) user. Second, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3323" target="_top">obfuscate driver
projects/en/torbrowser/design/index.html.en 950) information</a> by hooking
projects/en/torbrowser/design/index.html.en 951) <span class="command"><strong>getParameter()</strong></span>,
projects/en/torbrowser/design/index.html.en 952) <span class="command"><strong>getSupportedExtensions()</strong></span>,
projects/en/torbrowser/design/index.html.en 953) <span class="command"><strong>getExtension()</strong></span>, and
projects/en/torbrowser/design/index.html.en 954) <span class="command"><strong>getContextAttributes()</strong></span> to provide standard minimal,
projects/en/torbrowser/design/index.html.en 955) driver-neutral information.
projects/en/torbrowser/design/index.html.en 956)
projects/en/torbrowser/design/index.html.en 957) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 958)
projects/en/torbrowser/design/index.html.en 959) Currently we simply disable WebGL.
projects/en/torbrowser/design/index.html.en 960)
projects/en/torbrowser/design/index.html.en 961) </p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via "New Identity" button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 962) In order to avoid long-term linkability, we provide a "New Identity" context
projects/en/torbrowser/design/index.html.en 963) menu option in Torbutton.
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 964) </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id3068567"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 965)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 966) All linkable identifiers and browser state MUST be cleared by this feature.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 967)
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 968) </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3057460"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 969)
projects/torbrowser/design/index.html.en 970) First, Torbutton disables all open tabs and windows via nsIContentPolicy
projects/torbrowser/design/index.html.en 971) blocking, and then closes each tab and window. The extra step for blocking
projects/torbrowser/design/index.html.en 972) tabs is done as a precaution to ensure that any asynchronous Javascript is in
projects/torbrowser/design/index.html.en 973) fact properly disabled. After closing all of the windows, we then clear the
projects/torbrowser/design/index.html.en 974) following state: OCSP (by toggling security.OCSP.enabled), cache,
projects/torbrowser/design/index.html.en 975) site-specific zoom and content preferences, Cookies, DOM storage, safe
projects/torbrowser/design/index.html.en 976) browsing key, the Google wifi geolocation token (if exists), HTTP auth, SSL
projects/torbrowser/design/index.html.en 977) Session IDs, HSTS state, and the last opened URL field (via the pref
projects/torbrowser/design/index.html.en 978) general.open_location.last_url). After clearing the browser state, we then
projects/torbrowser/design/index.html.en 979) send the NEWNYM signal to the Tor control port to cause a new circuit to be
projects/torbrowser/design/index.html.en 980) created.
projects/torbrowser/design/index.html.en 981)
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 982) </blockquote></div></div></div><div class="sect2" title="3.8. Click-to-play for plugins and invasive content"><div class="titlepage"><div><div><h3 class="title"><a id="click-to-play"></a>3.8. Click-to-play for plugins and invasive content</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 983) Some content types are too invasive and/or too opaque for us to properly
projects/en/torbrowser/design/index.html.en 984) eliminate their linkability properties. For these content types, we use
projects/en/torbrowser/design/index.html.en 985) NoScript to provide click-to-play placeholders that do not activate the
projects/en/torbrowser/design/index.html.en 986) content until the user clicks on it. This will eliminate the ability for an
projects/en/torbrowser/design/index.html.en 987) adversary to use such content types to link users in a dragnet fashion across
projects/en/torbrowser/design/index.html.en 988) arbitrary sites.
projects/en/torbrowser/design/index.html.en 989) </p><p>
projects/en/torbrowser/design/index.html.en 990) Currently, the content types isolated in this way include Flash, WebGL, and
projects/en/torbrowser/design/index.html.en 991) audio and video objects.
projects/en/torbrowser/design/index.html.en 992) </p></div><div class="sect2" title="3.9. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"></a>3.9. Description of Firefox Patches</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 993) The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/refs/heads/maint-2.2:/src/current-patches" target="_top">current-patches
projects/en/torbrowser/design/index.html.en 994) directory of the torbrowser git repository</a>. They are:
projects/en/torbrowser/design/index.html.en 995) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Block Components.interfaces and Components.lookupMethod
projects/en/torbrowser/design/index.html.en 996) <p>
projects/en/torbrowser/design/index.html.en 997)
projects/en/torbrowser/design/index.html.en 998) In order to reduce fingerprinting, we block access to these two interfaces
projects/en/torbrowser/design/index.html.en 999) from content script. Components.lookupMethod can undo our <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">Javascript
projects/en/torbrowser/design/index.html.en 1000) hooks</a>,
projects/en/torbrowser/design/index.html.en 1001) and Components.interfaces can be used for fingerprinting the platform, OS, and
projects/en/torbrowser/design/index.html.en 1002) Firebox version, but not much else.
projects/en/torbrowser/design/index.html.en 1003)
projects/en/torbrowser/design/index.html.en 1004) </p></li><li class="listitem">Make Permissions Manager memory only
projects/en/torbrowser/design/index.html.en 1005) <p>
projects/en/torbrowser/design/index.html.en 1006)
projects/en/torbrowser/design/index.html.en 1007) This patch exposes a pref 'permissions.memory_only' that properly isolates the
projects/en/torbrowser/design/index.html.en 1008) permissions manager to memory, which is responsible for all user specified
|
Update TBB design doc based...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 1009) site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a>
projects/torbrowser/design/index.html.en 1010) policy from visited sites.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 1011)
projects/en/torbrowser/design/index.html.en 1012) The pref does successfully clear the permissions manager memory if toggled. It
projects/en/torbrowser/design/index.html.en 1013) does not need to be set in prefs.js, and can be handled by Torbutton.
projects/en/torbrowser/design/index.html.en 1014)
projects/en/torbrowser/design/index.html.en 1015) </p></li><li class="listitem">Make Intermediate Cert Store memory-only
projects/en/torbrowser/design/index.html.en 1016) <p>
projects/en/torbrowser/design/index.html.en 1017)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 1018) The intermediate certificate store records the intermediate SSL certificates
projects/torbrowser/design/index.html.en 1019) the browser has seen to date. Because these intermediate certificates are used
projects/torbrowser/design/index.html.en 1020) by a limited number of domains (and in some cases, only a single domain),
projects/torbrowser/design/index.html.en 1021) the intermediate certificate store can serve as a low-resolution record of
projects/torbrowser/design/index.html.en 1022) browsing history.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 1023)
projects/en/torbrowser/design/index.html.en 1024) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1025)
projects/en/torbrowser/design/index.html.en 1026) As an additional design goal, we would like to later alter this patch to allow this
projects/en/torbrowser/design/index.html.en 1027) information to be cleared from memory. The implementation does not currently
projects/en/torbrowser/design/index.html.en 1028) allow this.
projects/en/torbrowser/design/index.html.en 1029)
projects/en/torbrowser/design/index.html.en 1030) </p></li><li class="listitem">Add HTTP auth headers before on-modify-request fires
projects/en/torbrowser/design/index.html.en 1031) <p>
projects/en/torbrowser/design/index.html.en 1032)
projects/en/torbrowser/design/index.html.en 1033) This patch provides a trivial modification to allow us to properly remove HTTP
projects/en/torbrowser/design/index.html.en 1034) auth for third parties. This patch allows us to defend against an adversary
projects/en/torbrowser/design/index.html.en 1035) attempting to use <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">HTTP
projects/en/torbrowser/design/index.html.en 1036) auth to silently track users between domains</a>.
projects/en/torbrowser/design/index.html.en 1037)
projects/en/torbrowser/design/index.html.en 1038) </p></li><li class="listitem">Add a string-based cacheKey property for domain isolation
projects/en/torbrowser/design/index.html.en 1039) <p>
projects/en/torbrowser/design/index.html.en 1040)
projects/en/torbrowser/design/index.html.en 1041) To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
projects/en/torbrowser/design/index.html.en 1042) security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and
projects/en/torbrowser/design/index.html.en 1043) unknown conflicts with OCSP</a>, we had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 1044) Firefox to provide a cacheDomain cache attribute</a>. We use the url bar
projects/torbrowser/design/index.html.en 1045) FQDN as input to this field.
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 1046)
projects/en/torbrowser/design/index.html.en 1047) </p></li><li class="listitem">Randomize HTTP pipeline order and depth
projects/en/torbrowser/design/index.html.en 1048) <p>
projects/en/torbrowser/design/index.html.en 1049) As an
projects/en/torbrowser/design/index.html.en 1050) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
projects/en/torbrowser/design/index.html.en 1051) defense against Website Traffic Fingerprinting</a>, we patch the standard
projects/en/torbrowser/design/index.html.en 1052) HTTP pipelining code to randomize the number of requests in a
projects/en/torbrowser/design/index.html.en 1053) pipeline, as well as their order.
projects/en/torbrowser/design/index.html.en 1054) </p></li><li class="listitem">Block all plugins except flash
projects/en/torbrowser/design/index.html.en 1055) <p>
projects/en/torbrowser/design/index.html.en 1056) We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1" target="_top">
projects/en/torbrowser/design/index.html.en 1057) @mozilla.org/extensions/blocklist;1</a> service, because we
projects/en/torbrowser/design/index.html.en 1058) actually want to stop plugins from ever entering the browser's process space
projects/en/torbrowser/design/index.html.en 1059) and/or executing code (for example, AV plugins that collect statistics/analyze
projects/en/torbrowser/design/index.html.en 1060) URLs, magical toolbars that phone home or "help" the user, skype buttons that
projects/en/torbrowser/design/index.html.en 1061) ruin our day, and censorship filters). Hence we rolled our own.
projects/en/torbrowser/design/index.html.en 1062) </p></li><li class="listitem">Make content-prefs service memory only
projects/en/torbrowser/design/index.html.en 1063) <p>
projects/en/torbrowser/design/index.html.en 1064) This patch prevents random URLs from being inserted into content-prefs.sqllite in
projects/en/torbrowser/design/index.html.en 1065) the profile directory as content prefs change (includes site-zoom and perhaps
projects/en/torbrowser/design/index.html.en 1066) other site prefs?).
|
Update TBB design doc w/ an...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 1067) </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033960"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033967"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3033984"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 1068)
projects/en/torbrowser/design/index.html.en 1069) The purpose of this section is to cover all the known ways that Tor browser
projects/en/torbrowser/design/index.html.en 1070) security can be subverted from a penetration testing perspective. The hope
projects/en/torbrowser/design/index.html.en 1071) is that it will be useful both for creating a "Tor Safety Check"
projects/en/torbrowser/design/index.html.en 1072) page, and for developing novel tests and actively attacking Torbutton with the
projects/en/torbrowser/design/index.html.en 1073) goal of finding vulnerabilities in either it or the Mozilla components,
projects/en/torbrowser/design/index.html.en 1074) interfaces and settings upon which it relies.
projects/en/torbrowser/design/index.html.en 1075)
projects/en/torbrowser/design/index.html.en 1076) </p><div class="sect2" title="5.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>5.1. Single state testing</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 1077)
projects/en/torbrowser/design/index.html.en 1078) Torbutton is a complicated piece of software. During development, changes to
projects/en/torbrowser/design/index.html.en 1079) one component can affect a whole slough of unrelated features. A number of
projects/en/torbrowser/design/index.html.en 1080) aggregated test suites exist that can be used to test for regressions in
projects/en/torbrowser/design/index.html.en 1081) Torbutton and to help aid in the development of Torbutton-like addons and
projects/en/torbrowser/design/index.html.en 1082) other privacy modifications of other browsers. Some of these test suites exist
projects/en/torbrowser/design/index.html.en 1083) as a single automated page, while others are a series of pages you must visit
projects/en/torbrowser/design/index.html.en 1084) individually. They are provided here for reference and future regression
projects/en/torbrowser/design/index.html.en 1085) testing, and also in the hope that some brave soul will one day decide to
projects/en/torbrowser/design/index.html.en 1086) combine them into a comprehensive automated test suite.
projects/en/torbrowser/design/index.html.en 1087)
projects/en/torbrowser/design/index.html.en 1088) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://decloak.net/" target="_top">Decloak.net</a><p>
projects/en/torbrowser/design/index.html.en 1089)
projects/en/torbrowser/design/index.html.en 1090) Decloak.net is the canonical source of plugin and external-application based
projects/en/torbrowser/design/index.html.en 1091) proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to
projects/en/torbrowser/design/index.html.en 1092) use to test their anonymity systems.
projects/en/torbrowser/design/index.html.en 1093)
projects/en/torbrowser/design/index.html.en 1094) </p></li><li class="listitem"><a class="ulink" href="http://deanonymizer.com/" target="_top">Deanonymizer.com</a><p>
projects/en/torbrowser/design/index.html.en 1095)
projects/en/torbrowser/design/index.html.en 1096) Deanonymizer.com is another automated test suite that tests for proxy bypass
projects/en/torbrowser/design/index.html.en 1097) and other information disclosure vulnerabilities. It is maintained by Kyle
projects/en/torbrowser/design/index.html.en 1098) Williams, the author of <a class="ulink" href="http://www.janusvm.com/" target="_top">JanusVM</a>
projects/en/torbrowser/design/index.html.en 1099) and <a class="ulink" href="http://www.januspa.com/" target="_top">JanusPA</a>.
projects/en/torbrowser/design/index.html.en 1100)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 1101) </p></li><li class="listitem"><a class="ulink" href="https://ip-check.info" target="_top">JonDos
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 1102) AnonTest</a><p>
projects/en/torbrowser/design/index.html.en 1103)
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 1104) The <a class="ulink" href="https://anonymous-proxy-servers.net/" target="_top">JonDos people</a> also provide an
projects/torbrowser/design/index.html.en 1105) anonymity tester. It is more focused on HTTP headers and behaviors than plugin bypass, and
|
Add design doc draft.
Mike Perry authored 13 years ago
|
projects/en/torbrowser/design/index.html.en 1106) points out a couple of headers Torbutton could do a better job with
projects/en/torbrowser/design/index.html.en 1107) obfuscating.
projects/en/torbrowser/design/index.html.en 1108)
projects/en/torbrowser/design/index.html.en 1109) </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p>
projects/en/torbrowser/design/index.html.en 1110)
projects/en/torbrowser/design/index.html.en 1111) Browserspy.dk provides a tremendous collection of browser fingerprinting and
projects/en/torbrowser/design/index.html.en 1112) general privacy tests. Unfortunately they are only available one page at a
projects/en/torbrowser/design/index.html.en 1113) time, and there is not really solid feedback on good vs bad behavior in
projects/en/torbrowser/design/index.html.en 1114) the test results.
projects/en/torbrowser/design/index.html.en 1115)
projects/en/torbrowser/design/index.html.en 1116) </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy
projects/en/torbrowser/design/index.html.en 1117) Analyzer</a><p>
projects/en/torbrowser/design/index.html.en 1118)
projects/en/torbrowser/design/index.html.en 1119) The Privacy Analyzer provides a dump of all sorts of browser attributes and
|
Update TBB design doc with...
Mike Perry authored 13 years ago
|
projects/torbrowser/design/index.html.en 1120) settings that it detects, including some information on your original IP
|