4a9383538bde6935c90fb4d36d98147f84650d04
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Torbutton Design Documentation</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="Torbutton Design Documentation"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>Torbutton Design Documentation</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry.fscked/org">mikeperry.fscked/org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Apr 10 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2666923">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt><dt><span class="sect2"><a href="#requirements">1.2. Torbutton Requirements</a></span></dt><dt><span class="sect2"><a href="#layout">1.3. Extension Layout</a></span></dt></dl></dd><dt><span class="sect1"><a href="#components">2. Components</a></span></dt><dd><dl><dt><span class="sect2"><a href="#hookedxpcom">2.1. Hooked Components</a></span></dt><dt><span class="sect2"><a href="#id2690319">2.2. New Components</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2681735">3. Chrome</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2702019">3.1. XUL Windows and Overlays</a></span></dt><dt><span class="sect2"><a href="#id2694797">3.2. Major Chrome Observers</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2696524">4. Toggle Code Path</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2699452">4.1. Button Click</a></span></dt><dt><span class="sect2"><a href="#id2697978">4.2. 
Proxy Update</a></span></dt><dt><span class="sect2"><a href="#id2697015">4.3. Settings Update</a></span></dt><dt><span class="sect2"><a href="#preferences">4.4. Firefox preferences touched during Toggle</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2702702">5. Description of Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2704948">5.1. Proxy Settings</a></span></dt><dt><span class="sect2"><a href="#id2686645">5.2. Dynamic Content Settings</a></span></dt><dt><span class="sect2"><a href="#id2705261">5.3. History and Forms Settings</a></span></dt><dt><span class="sect2"><a href="#id2705577">5.4. Cache Settings</a></span></dt><dt><span class="sect2"><a href="#id2705686">5.5. Cookie and Auth Settings</a></span></dt><dt><span class="sect2"><a href="#id2705999">5.6. Startup Settings</a></span></dt><dt><span class="sect2"><a href="#id2706113">5.7. Shutdown Settings</a></span></dt><dt><span class="sect2"><a href="#id2706173">5.8. Header Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="#FirefoxBugs">6. Relevant Firefox Bugs</a></span></dt><dd><dl><dt><span class="sect2"><a href="#TorBrowserBugs">6.1. Tor Browser Bugs</a></span></dt><dt><span class="sect2"><a href="#ToggleModelBugs">6.2. Toggle Model Bugs</a></span></dt></dl></dd><dt><span class="sect1"><a href="#TestPlan">7. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">7.1. Single state testing</a></span></dt><dt><span class="sect2"><a href="#id2707624">7.2. Multi-state testing</a></span></dt><dt><span class="sect2"><a href="#HackTorbutton">7.3. Active testing (aka How to Hack Torbutton)</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2666923"></a>1. Introduction</h2></div></div></div><p>

This document describes the goals, operation, and testing procedures of the
Torbutton Firefox extension. It is current as of Torbutton 1.3.2.

  </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p>

A Tor web browser adversary has a number of goals, capabilities, and attack
types that can be used to guide us towards a set of requirements for the
Torbutton extension. Let's start with the goals.

   </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
Tor, causing the user to directly connect to an IP of the adversary's
choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
happily settle for the ability to correlate something a user did via Tor with
their non-Tor activity. This can be done with cookies, cache identifiers,
Javascript events, and even CSS. Sometimes the fact that a user uses Tor may
be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
The adversary may also be interested in history disclosure: the ability to
query a user's history to see if they have issued certain censored search
queries, or visited censored sites.
     </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>

Location information such as timezone and locality can be useful for the
adversary to determine if a user is in fact originating from one of the
regions they are attempting to control, or to zero-in on the geographical
location of a particular dissident or whistleblower.

     </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p>

Anonymity set reduction is also useful in attempting to zero in on a
particular individual. If the dissident or whistleblower is using a rare build
of Firefox for an obscure operating system, this can be very useful
information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>.

     </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
information</strong></span><p>
In some cases, the adversary may opt for a heavy-handed approach, such as
seizing the computers of all Tor users in an area (especially after narrowing
the field by the above two pieces of information). History records and cache
data are the primary goals here.
     </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p>
The adversary can position themselves at a number of different locations in
order to execute their attacks.
    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
The adversary can run exit nodes, or alternatively, they may control routers
upstream of exit nodes. Both of these scenarios have been observed in the
wild.
     </p></li><li class="listitem"><span class="command"><strong>Adservers and/or Malicious Websites</strong></span><p>
The adversary can also run websites, or more likely, they can contract out
ad space from a number of different adservers and inject content that way. For
some users, the adversary may be the adservers themselves. It is not
inconceivable that adservers may try to subvert or reduce a user's anonymity
through Tor for marketing purposes.
     </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
The adversary can also inject malicious content at the user's upstream router
when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
activity.
     </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
Some users face adversaries with intermittent or constant physical access.
Users in Internet cafes, for example, face such a threat. In addition, in
countries where simply using tools like Tor is illegal, users may face
confiscation of their computer equipment for excessive Tor usage or just
general suspicion.
     </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p>

The adversary can perform the following attacks from a number of different
positions to accomplish various aspects of their goals. It should be noted
that many of these attacks (especially those involving IP address leakage) are
often performed by accident by websites that simply have Javascript, dynamic
CSS elements, and plugins. Others are performed by adservers seeking to
correlate users' activity across different IP addresses, and still others are
performed by malicious agents on the Tor network and at national firewalls.

    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
If not properly disabled, Javascript event handlers and timers
can cause the browser to perform network activity after Tor has been disabled,
thus allowing the adversary to correlate Tor and Non-Tor activity and reveal
a user's non-Tor IP address. Javascript
also allows the adversary to execute <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure attacks</a>:
to query the history via the different attributes of 'visited' links to search
for particular Google queries, sites, or even to <a class="ulink" href="http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/" target="_top">profile
users based on gender and other classifications</a>. Finally,
Javascript can be used to query the user's timezone via the
<code class="function">Date()</code> object, and to reduce the anonymity set by querying
the <code class="function">navigator</code> object for operating system, CPU, locale,
and user agent information.
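As an added illustration (example code written for this page, not code from the Torbutton design document or from Torbutton itself), the following is the page-side history probe described above: it styles visited links with a distinctive colour and reads each candidate link's computed colour back, which in Firefox releases before the Firefox 4 :visited fix revealed whether the URL was in history. It also gathers the Date() timezone offset and the navigator fields listed above. The document, window and navigator objects are passed in as parameters, and the history, candidate URLs and navigator values at the bottom are constructed stand-ins so the code runs in Node without a browser.

```javascript
// Added example, not code from the Torbutton design doc or from Torbutton.
// A page-side history probe of the kind described in the text: it reads the
// computed colour of candidate links (which reflected :visited in Firefox
// releases before the Firefox 4 fix) and collects the Date()/navigator
// fields. The DOM and navigator are injected so the probe runs in Node
// against a constructed stand-in as well as in a browser.

const VISITED_COLOR = 'rgb(255, 0, 0)';    // colour our stylesheet gives a:visited
const UNVISITED_COLOR = 'rgb(0, 0, 238)';  // Firefox's default link colour

// In a browser: inject the stylesheet and return link/colour helpers bound
// to the real document and window.
function browserHelpers(document, window) {
  const style = document.createElement('style');
  style.textContent = `a:visited { color: ${VISITED_COLOR} } a:link { color: ${UNVISITED_COLOR} }`;
  document.head.appendChild(style);
  return {
    makeLink(url) {
      const a = document.createElement('a');
      a.href = url;
      a.textContent = url;
      document.body.appendChild(a);
      return a;
    },
    colorOf(a) { return window.getComputedStyle(a, null).getPropertyValue('color'); },
  };
}

// The probe itself: every candidate whose link renders in the visited colour
// was in the browser history. Candidate lists were typically search-engine
// URLs for sensitive queries, plus sites of interest.
function probeHistory(candidates, helpers) {
  return candidates.filter((url) => helpers.colorOf(helpers.makeLink(url)) === VISITED_COLOR);
}

// Coarse location and platform data from Date() and navigator.
function locationAndPlatform(nav, now) {
  return {
    tzOffsetMinutes: now.getTimezoneOffset(),   // e.g. -60 for CET in winter
    platform: nav.platform,
    oscpu: nav.oscpu,                            // Firefox-only; undefined elsewhere
    language: nav.language,
    userAgent: nav.userAgent,
  };
}

// ---- constructed stand-in (not a real browser) ----
// Pretend the user's history holds these two URLs.
const FAKE_HISTORY = new Set([
  'http://www.google.com/search?q=tor+bridges',
  'https://www.torproject.org/',
]);
const stubHelpers = {
  makeLink: (url) => ({ href: url }),
  colorOf: (a) => (FAKE_HISTORY.has(a.href) ? VISITED_COLOR : UNVISITED_COLOR),
};
const CANDIDATES = [
  'http://www.google.com/search?q=tor+bridges',
  'http://www.google.com/search?q=weather',
  'https://www.torproject.org/',
  'https://example.org/',
];
const FAKE_NAVIGATOR = {
  platform: 'Linux x86_64', oscpu: 'Linux x86_64', language: 'en-US',
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0',
};

// Run the probe against the stand-in; returns the leaked history hits and
// the platform record.
function demo() {
  return {
    hits: probeHistory(CANDIDATES, stubHelpers),
    platform: locationAndPlatform(FAKE_NAVIGATOR, new Date()),
  };
}
```

In a real page the call is probeHistory(CANDIDATES, browserHelpers(document, window)); with the stand-in, demo().hits returns the two URLs in FAKE_HISTORY. Against a browser with the Firefox 4 :visited fix, getComputedStyle reports the unvisited colour for every link and the probe returns nothing, which is the property Torbutton's history settings are meant to guarantee for older builds.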
     </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>

Plugins are abysmal at obeying the proxy settings of the browser. Every plugin
capable of performing network activity that the author has
investigated is also capable of performing network activity independent of
browser proxy settings - and often independent of its own proxy settings.
Sites that have plugin content don't even have to be malicious to obtain a
user's
Non-Tor IP (it usually leaks by itself), though plenty of active
exploits are possible as well. In addition, plugins can be used to store unique identifiers that are more
difficult to clear than standard cookies.
<a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
cookies</a> fall into this category, but there are likely numerous other
examples.

     </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>

CSS can also be used to correlate Tor and Non-Tor activity and reveal a user's
Non-Tor IP address, via the usage of
<a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">CSS
popups</a> - essentially CSS-based event handlers that fetch content (a
background image, for instance) when the <code class="code">:hover</code> pseudo-class
fires, CSS's equivalent of onmouseover. If these popups are allowed to perform network
activity in a different Tor state than they were loaded in, they can easily
correlate Tor and Non-Tor activity and reveal a user's IP address. In
addition, CSS can also be used without Javascript to perform <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only history disclosure
attacks</a>, since a <code class="code">:visited</code> rule can likewise fetch a URL only for links the user has followed.
     </p></li><li class="listitem"><span class="command"><strong>Read and insert cookies</strong></span><p>

An adversary in a position to perform MITM content alteration can inject
document content elements to both read and inject cookies for
arbitrary domains. In fact, many "SSL secured" websites are vulnerable to this
sort of <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
sidejacking</a>.

     </p></li><li class="listitem"><span class="command"><strong>Create arbitrary cached content</strong></span><p>

Likewise, the browser cache can also be used to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
identifiers</a>. Since by default the cache has no same-origin policy,
these identifiers can be read by any domain, making them an ideal target for
adserver-class adversaries.

     </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
attributes</strong></span><p>

There is an absurd amount of information available to websites via attributes
of the browser. This information can be used to reduce the anonymity set, or even
<a class="ulink" href="http://mandark.fr/0x000000/articles/Total_Recall_On_Firefox..html" target="_top">uniquely
fingerprint individual users</a>. </p><p>
For illustration, let's perform a
back-of-the-envelope calculation on the number of anonymity sets for just the
resolution information available in the <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window" target="_top">window</a> and
<a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.screen" target="_top">window.screen</a>
objects.

Browser window resolution information provides something like
(1280-640)*(1024-480)=348160 different anonymity sets. Desktop resolution
information contributes about another factor of 5 (for about 5 resolutions in
typical use). In addition, the dimensions and position of the desktop taskbar
are available, which can reveal hints on OS information. This boosts the count
by a factor of 5 (for each of the major desktop taskbars - Windows, Mac
OS X, KDE and Gnome, and None). Subtracting the browser content window
size from the browser outer window size provides yet more information.
Firefox toolbar presence gives about a factor of 8 (3 toolbars on/off give
2<sup>3</sup>=8). Interface effects such as title bar font size
and window manager settings give a factor of about 9 (say 3 common font sizes
for the title bar and 3 common sizes for browser GUI element fonts).
Multiply this all out, and you have (1280-640)*(1024-480)*5*5*8*9 ~=
2<sup>29</sup>, or a 29 bit identifier based on resolution
information alone. </p><p>

Of course, this space is non-uniform in user density and prone to incremental
changes. The <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">Panopticlick study
done</a> by the EFF attempts to measure the actual entropy - the number of
identifying bits of information encoded in browser properties. Their result
data is definitely useful, and the metric is probably the appropriate one for
determining how identifying a particular browser property is. However, some
quirks of their study mean that they do not extract as much information as
they could from display information: they only use desktop resolution (which
Torbutton reports as the window resolution) and do not attempt to infer the
size of toolbars.
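As an added illustration (example code written for this page, not code from the Torbutton design document or from Torbutton itself), the following reads the resolution-derived attributes discussed above from the window and window.screen objects, derives the taskbar and browser-chrome dimensions the text reasons about, and carries the entropy arithmetic through with the text's own domain sizes. The window object is passed in as a parameter; the one at the bottom is a constructed stand-in for a maximised Firefox on a 1280x1024 desktop, and spoofLikeTorbutton models only the single change the text attributes to Torbutton (desktop resolution reported as the window resolution), not Torbutton's actual implementation.

```javascript
// Added example, not code from the Torbutton design doc or from Torbutton.
// The resolution-based fingerprint the text estimates, read from window and
// window.screen, plus the entropy arithmetic carried through with the text's
// own numbers. `win` is injected: pass the real window in a browser, or the
// constructed object at the bottom elsewhere.

function resolutionFingerprint(win) {
  const s = win.screen;
  return {
    inner: [win.innerWidth, win.innerHeight],   // content viewport
    outer: [win.outerWidth, win.outerHeight],   // whole browser window
    desktop: [s.width, s.height],
    // screen minus avail* is the taskbar/panel; which edge it occupies hints
    // at the desktop (Windows bottom bar, OS X top menu bar, KDE/Gnome
    // panels, or none at all).
    taskbar: {
      width: s.width - s.availWidth,
      height: s.height - s.availHeight,
      atTop: (s.availTop || 0) > 0,
      atLeft: (s.availLeft || 0) > 0,
    },
    // outer minus inner is browser chrome: title bar plus each visible
    // toolbar, scaled by the GUI font size, the factors the text multiplies.
    chrome: [win.outerWidth - win.innerWidth, win.outerHeight - win.innerHeight],
  };
}

// Canonical string form, so two visits with identical layout collide and
// any layout change produces a new identifier.
function fingerprintKey(fp) {
  return JSON.stringify(fp);
}

// Entropy of the estimate: log2 of the product of the attribute domains,
// i.e. the sum of per-attribute bits, keyed so each contribution is visible.
function estimateBits(domains) {
  return Object.values(domains).reduce((bits, n) => bits + Math.log2(n), 0);
}

// The design doc's own domain sizes.
const DESIGN_DOC_DOMAINS = {
  windowWidth: 1280 - 640,   // plausible window width range
  windowHeight: 1024 - 480,  // plausible window height range
  desktopResolution: 5,
  taskbarStyle: 5,           // Windows, OS X, KDE, Gnome, none
  toolbars: 2 ** 3,          // three toolbars, each on or off
  fontSizes: 3 * 3,          // title-bar sizes times GUI font sizes
};

// Model of the one change the text attributes to Torbutton: report the
// desktop as the window size, which also erases the taskbar difference.
// Outer size and chrome are left alone, so that information still leaks.
function spoofLikeTorbutton(fp) {
  return {
    ...fp,
    desktop: [...fp.inner],
    taskbar: { width: 0, height: 0, atTop: false, atLeft: false },
  };
}

// Constructed window: maximised Firefox on a 1280x1024 desktop with a 28px
// bottom panel and 110px of browser chrome. Not a real browser object.
const FAKE_WINDOW = {
  innerWidth: 1280, innerHeight: 886, outerWidth: 1280, outerHeight: 996,
  screen: { width: 1280, height: 1024, availWidth: 1280, availHeight: 996, availLeft: 0, availTop: 0 },
};
```

estimateBits(DESIGN_DOC_DOMAINS) comes out at about 29.2, matching the 2<sup>29</sup> in the text, and resolutionFingerprint(FAKE_WINDOW) recovers the 28px panel and 110px of chrome from nothing but the four window sizes and the screen object. Comparing fingerprintKey before and after spoofLikeTorbutton shows why the text calls Panopticlick's desktop-only measurement an under-estimate: the spoof changes the key, but the chrome component it leaves behind is still there to be inferred.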

</p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
OS</strong></span><p>
Last, but definitely not least, the adversary can exploit either general
browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
install malware and surveillance software. An adversary with physical access
can perform similar actions. Regrettably, this last attack capability is
outside of Torbutton's ability to defend against, but it is worth mentioning
for completeness.
     </p></li></ol></div></div></div><div class="sect2" title="1.2. Torbutton Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="requirements"></a>1.2. Torbutton Requirements</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>

Since many settings satisfy multiple requirements, this design document is
organized primarily by Torbutton components and settings. However, if you are
the type that would rather read the document from the requirements
perspective, it is in fact possible to search for each of the following
requirement phrases in the text to find the relevant features that help meet
that requirement.

</div><p>

From the above Adversary Model, a number of requirements become clear.

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="proxy"></a><span class="command"><strong>Proxy Obedience</strong></span><p>The browser
MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a id="state"></a><span class="command"><strong>State Separation</strong></span><p>Browser state (cookies, cache, history, 'DOM storage'), accumulated in
 one Tor state MUST NOT be accessible via the network in
 another Tor state.</p></li><li class="listitem"><a id="isolation"></a><span class="command"><strong>Network Isolation</strong></span><p>Pages MUST NOT perform any network activity in a Tor state different
 from the state they were originally loaded in.</p><p>Note that this requirement is
being de-emphasized due to the coming shift to supporting only the Tor Browser
Bundles, which do not support a Toggle operation.</p></li><li class="listitem"><a id="undiscoverability"></a><span class="command"><strong>Tor Undiscoverability</strong></span><p>With
the advent of bridge support in Tor 0.2.0.x, there is now a class of Tor
users whose network fingerprint does not obviously betray the fact that they
are using Tor. This should extend to the browser as well - Torbutton MUST NOT
reveal its presence while Tor is disabled.
</p><p>Note that this requirement is
being de-emphasized due to the coming shift to supporting only the Tor Browser
Bundles, which do not support a Toggle operation.</p></li><li class="listitem"><a id="disk"></a><span class="command"><strong>Disk Avoidance</strong></span><p>The browser SHOULD NOT write any Tor-related state to disk, or store it
 in memory beyond the duration of one Tor toggle.</p></li><li class="listitem"><a id="location"></a><span class="command"><strong>Location Neutrality</strong></span><p>The browser SHOULD NOT leak location-specific information, such as
 timezone or locale, via Tor.</p></li><li class="listitem"><a id="setpreservation"></a><span class="command"><strong>Anonymity Set
Preservation</strong></span><p>The browser SHOULD NOT leak any other anonymity
set reducing or fingerprinting information
 (such as user agent, extension presence, and resolution information)
automatically via Tor. The assessment of the attacks above should make it clear
that anonymity set reduction is a very powerful method of tracking and
eventually identifying anonymous users.
</p></li><li class="listitem"><a id="updates"></a><span class="command"><strong>Update Safety</strong></span><p>The browser
SHOULD NOT perform unauthenticated updates or upgrades via Tor.</p></li><li class="listitem"><a id="interoperate"></a><span class="command"><strong>Interoperability</strong></span><p>Torbutton SHOULD interoperate with third-party proxy switchers that
 enable the user to switch between a number of different proxies. It MUST
 provide full Tor protection in the event a third-party proxy switcher has
 enabled the Tor proxy settings.</p></li></ol></div></div><div class="sect2" title="1.3. Extension Layout"><div class="titlepage"><div><div><h3 class="title"><a id="layout"></a>1.3. Extension Layout</h3></div></div></div><p>Firefox extensions consist of two main categories of code: 'Components' and
'Chrome'. Components are a fancy name for classes that implement a given
interface or interfaces. In Firefox, components <a class="ulink" href="https://developer.mozilla.org/en/XPCOM" target="_top">can be
written</a> in C++,
Javascript, or a mixture of both. Components have two identifiers: their
'<a class="ulink" href="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005005" target="_top">Contract
ID</a>' (a human readable path-like string), and their '<a class="ulink" href="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005329" target="_top">Class
ID</a>' (a GUID hex-string). In addition, the interfaces they implement each have a hex
'Interface ID'. It is possible to 'hook' system components - to reimplement
their interface members with your own wrappers - but only if the rest of the
browser refers to the component by its Contract ID. If the browser refers to
the component by Class ID, it bypasses your hooks in that use case.
Technically, it may be possible to hook Class IDs by unregistering the
torbutton/en/design/index.html.en       233) original component, and then re-registering your own, but this relies on
torbutton/en/design/index.html.en       234) obsolete and deprecated interfaces and has proved to be less than
torbutton/en/design/index.html.en       235) stable.</p><p>'Chrome' is a combination of XML and Javascript used to describe a window.
torbutton/en/design/index.html.en       236) Extensions are allowed to create 'overlays' that are 'bound' to existing XML
torbutton/en/design/index.html.en       237) window definitions, or they can create their own windows. The DTD for this XML
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       238) is called <a class="ulink" href="http://developer.mozilla.org/en/docs/XUL_Reference" target="_top">XUL</a>.</p></div></div><div class="sect1" title="2. Components"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="components"></a>2. Components</h2></div></div></div><p>
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       239) 
torbutton/en/design/index.html.en       240) Torbutton installs components for two purposes: hooking existing components to
torbutton/en/design/index.html.en       241) reimplement their interfaces; and creating new components that provide
torbutton/en/design/index.html.en       242) services to other pieces of the extension.
torbutton/en/design/index.html.en       243) 
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       244)   </p><div class="sect2" title="2.1. Hooked Components"><div class="titlepage"><div><div><h3 class="title"><a id="hookedxpcom"></a>2.1. Hooked Components</h3></div></div></div><p>Torbutton makes extensive use of Contract ID hooking, and implements some
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       245) of its own standalone components as well.  Let's discuss the hooked components
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       246) first.</p><div class="sect3" title="@mozilla.org/uriloader/external-protocol-service;1 , @mozilla.org/uriloader/external-helper-app-service;1, and @mozilla.org/mime;1 - components/external-app-blocker.js"><div class="titlepage"><div><div><h4 class="title"><a id="appblocker"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-protocol-service%3B1" target="_top">@mozilla.org/uriloader/external-protocol-service;1
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       247) </a>, <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-helper-app-service%3B1" target="_top">@mozilla.org/uriloader/external-helper-app-service;1</a>,
torbutton/en/design/index.html.en       248) and <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/mime%3B1" target="_top">@mozilla.org/mime;1</a>
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       249) - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">components/external-app-blocker.js</a></h4></div></div></div><p>
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       250) Due to <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">440892</a> allowing Firefox 3.x to automatically launch some
torbutton/en/design/index.html.en       251) applications without user intervention, Torbutton had to wrap the three
torbutton/en/design/index.html.en       252) components involved in launching external applications to provide user
torbutton/en/design/index.html.en       253) confirmation before doing so while Tor is enabled. Since external applications
torbutton/en/design/index.html.en       254) do not obey proxy settings, they can be manipulated to automatically connect
torbutton/en/design/index.html.en       255) back to arbitrary servers outside of Tor with no user intervention. Fixing
torbutton/en/design/index.html.en       256) this issue helps to satisfy Torbutton's <a class="link" href="#proxy">Proxy
torbutton/en/design/index.html.en       257) Obedience</a> Requirement.
Mike Perry Update design doc to reflec...

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       258)  </p></div><div class="sect3" title="@mozilla.org/browser/global-history;2 - components/ignore-history.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2696239"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2" target="_top">@mozilla.org/browser/global-history;2</a>
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       259) - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/ignore-history.js" target="_top">components/ignore-history.js</a></h4></div></div></div><p>This component was contributed by <a class="ulink" href="http://www.collinjackson.com/" target="_top">Collin Jackson</a> as a method for defeating
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       260) CSS and Javascript-based methods of history disclosure. The global-history
torbutton/en/design/index.html.en       261) component is what is used by Firefox to determine if a link was visited or not
torbutton/en/design/index.html.en       262) (to apply the appropriate style to the link). By hooking the <a class="ulink" href="https://developer.mozilla.org/en/nsIGlobalHistory2#isVisited.28.29" target="_top">isVisited</a>
torbutton/en/design/index.html.en       263) and <a class="ulink" href="https://developer.mozilla.org/en/nsIGlobalHistory2#addURI.28.29" target="_top">addURI</a>
torbutton/en/design/index.html.en       264) methods, Torbutton is able to selectively prevent history items from being
torbutton/en/design/index.html.en       265) added or being displayed as visited, depending on the Tor state and the user's
torbutton/en/design/index.html.en       266) preferences.
torbutton/en/design/index.html.en       267) </p><p>
torbutton/en/design/index.html.en       268) This component helps satisfy the <a class="link" href="#state">State Separation</a>
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       269) and <a class="link" href="#disk">Disk Avoidance</a> requirements of Torbutton. It
torbutton/en/design/index.html.en       270) is only needed for Firefox 3.x. On Firefox 4, we omit this component in favor
torbutton/en/design/index.html.en       271) of the <a class="ulink" href="https://developer.mozilla.org/en/CSS/Privacy_and_the_%3avisited_selector" target="_top">built-in
torbutton/en/design/index.html.en       272) history protections</a>.
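The Contract ID hooking described in section 1.3, applied to the isVisited and addURI hooks of this component, as an added example in plain JavaScript. This is not Torbutton's own code: the registry Map stands in for the component manager's Contract ID table, the state object stands in for the Torbutton preferences, and the "original" reference that is kept alongside it models what a Class ID lookup would still return, bypassing the hook. XPCOM registration itself is not modelled.

```javascript
// Added example (not Torbutton's own code): a plain-JavaScript model of
// Contract-ID hooking, applied to the isVisited/addURI hooks that
// ignore-history.js places on @mozilla.org/browser/global-history;2.
// "registry" stands in for the component manager's Contract ID -> component table.

const CONTRACT_ID = "@mozilla.org/browser/global-history;2";

// Stand-in for the original global-history component.
function makeGlobalHistory() {
  const visited = new Set();
  return {
    addURI(uri) { visited.add(uri); },
    isVisited(uri) { return visited.has(uri); },
    // Members we do not hook must keep working through the wrapper.
    count() { return visited.size; },
  };
}

// Hypothetical stand-in for the Tor state and the user's history preferences.
const state = { torEnabled: false, blockHistoryWrites: true, blockHistoryReads: true };

// Generic hook: replace the component registered under a Contract ID with a
// wrapper that overrides only the named members and delegates all others.
function hookContractId(registry, contractId, overrides) {
  const original = registry.get(contractId);
  if (!original) throw new Error("unknown contract id: " + contractId);
  const wrapper = Object.create(null);
  for (const name of Object.keys(original)) {
    wrapper[name] = (...args) => original[name](...args);   // plain delegation
  }
  for (const [name, fn] of Object.entries(overrides)) {
    wrapper[name] = (...args) => fn(original, ...args);     // hooked member
  }
  registry.set(contractId, wrapper);
  return wrapper;
}

// The ignore-history behaviour: in Tor mode, drop writes and report nothing
// as visited, so CSS/JS history sniffing learns nothing about Tor browsing.
const ignoreHistoryHooks = {
  addURI(original, uri) {
    if (state.torEnabled && state.blockHistoryWrites) return;
    original.addURI(uri);
  },
  isVisited(original, uri) {
    if (state.torEnabled && state.blockHistoryReads) return false;
    return original.isVisited(uri);
  },
};

function buildRegistry() {
  const registry = new Map();
  const original = makeGlobalHistory();
  registry.set(CONTRACT_ID, original);
  hookContractId(registry, CONTRACT_ID, ignoreHistoryHooks);
  // "original" is what a caller going by Class ID would still obtain.
  return { registry, original };
}

function demo() {
  const { registry, original } = buildRegistry();
  const history = registry.get(CONTRACT_ID);   // the Contract ID path: hooked
  const clearnet = "http://example.com/clearnet", tor = "http://example.com/tor";
  state.torEnabled = false;
  history.addURI(clearnet);
  state.torEnabled = true;
  history.addURI(tor);                          // dropped by the hook
  const result = {
    torSeesClearnet: history.isVisited(clearnet),    // false: reads blocked in Tor mode
    stored: history.count(),                         // 1: the Tor-mode write never happened
    classIdBypass: original.isVisited(clearnet),     // true: unhooked path leaks the answer
  };
  state.torEnabled = false;
  result.nonTorSeesClearnet = history.isVisited(clearnet);   // true
  result.nonTorSeesTor = history.isVisited(tor);             // false
  return result;
}
```

The classIdBypass field is the point of the paragraph on Contract versus Class IDs: a wrapper only protects callers that resolve the component through the hooked name.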
</p></div><div class="sect3" title="@mozilla.org/browser/livemark-service;2 - components/block-livemarks.js"><div class="titlepage"><div><div><h4 class="title"><a id="livemarks"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2" target="_top">@mozilla.org/browser/livemark-service;2</a>
- <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/block-livemarks.js" target="_top">components/block-livemarks.js</a></h4></div></div></div><p>

The <a class="ulink" href="http://www.mozilla.com/en-US/firefox/livebookmarks.html" target="_top">livemark</a> service
is started by a timer that runs 5 seconds after Firefox
startup. As a result, we cannot simply call the stopUpdateLivemarks() method to
disable it. We must wrap the component to prevent this start() call from
firing in the event the browser starts in Tor mode.

</p><p>
This component helps satisfy the <a class="link" href="#isolation">Network
Isolation</a> and <a class="link" href="#setpreservation">Anonymity Set
Preservation</a> requirements.
</p></div></div><div class="sect2" title="2.2. New Components"><div class="titlepage"><div><div><h3 class="title"><a id="id2690319"></a>2.2. New Components</h3></div></div></div><p>Torbutton creates four new components that are used throughout the
extension. These components do not hook any interfaces, nor are they used
anywhere besides Torbutton itself.</p><div class="sect3" title="@torproject.org/cookie-jar-selector;2 - components/cookie-jar-selector.js"><div class="titlepage"><div><div><h4 class="title"><a id="cookiejar"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2
- components/cookie-jar-selector.js</a></h4></div></div></div><p>The cookie jar selector (also based on code from <a class="ulink" href="http://www.collinjackson.com/" target="_top">Collin
Jackson</a>) is used by the Torbutton chrome to switch between
Tor and Non-Tor cookies. It stores an XML representation of the current
cookie state in memory and/or on disk. When Tor is toggled, it syncs the
current cookies to this XML store, and then loads the cookies for the other
state from the XML store.
</p><p>
This component helps to address the <a class="link" href="#state">State
Isolation</a> requirement of Torbutton.
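The toggle path of the cookie jar selector, as an added example that is not Torbutton's own code. The CookieManager class is a stand-in for the browser's live cookie store, and the per-state jars are JSON snapshots rather than the XML store the real component keeps; the state names "tor" and "nontor" and the cookie values are constructed for the demo.

```javascript
// Added example (not Torbutton's own code): a model of the cookie jar
// selector's toggle path. Cookies are plain objects and each per-state jar is
// a serialized snapshot, standing in for the real component's XML store.

// Stand-in for the browser's live cookie store.
class CookieManager {
  constructor() { this.cookies = []; }
  add(host, name, value) { this.cookies.push({ host, name, value }); }
  removeAll() { this.cookies = []; }
  enumerate() { return this.cookies.slice(); }
}

class CookieJarSelector {
  constructor(cookieManager) {
    this.cm = cookieManager;
    // One serialized jar per Tor state. The Tor jar starts empty so that no
    // clearnet cookie is ever presented to a site over Tor.
    this.jars = { tor: "[]", nontor: "[]" };
  }
  // Serialize the live cookies into the jar for `state`.
  saveCookies(state) {
    this.jars[state] = JSON.stringify(this.cm.enumerate());
  }
  // Replace the live cookies with the contents of the jar for `state`.
  loadCookies(state) {
    this.cm.removeAll();
    for (const c of JSON.parse(this.jars[state])) this.cm.add(c.host, c.name, c.value);
  }
  // The toggle: sync the current state's cookies out, then load the other state's.
  toggle(fromState, toState) {
    this.saveCookies(fromState);
    this.loadCookies(toState);
  }
  // For the Disk Avoidance requirement: forget Tor cookies instead of keeping them.
  clearTorJar() { this.jars.tor = "[]"; }
}

function demo() {
  const cm = new CookieManager();
  const selector = new CookieJarSelector(cm);
  cm.add("bank.example", "session", "clearnet-login");       // set while Tor is off
  selector.toggle("nontor", "tor");                           // Tor on: live store is empty
  const torVisible = cm.enumerate().map(c => c.name);
  cm.add("forum.example", "prefs", "tor-session");            // set while Tor is on
  selector.toggle("tor", "nontor");                           // Tor off: clearnet cookie is back
  const nonTorVisible = cm.enumerate().map(c => c.name);
  selector.toggle("nontor", "tor");                           // Tor on again: Tor cookie is back
  const torVisibleAgain = cm.enumerate().map(c => c.name);
  return { torVisible, nonTorVisible, torVisibleAgain };
}
```

Each jar only ever receives the cookies that were live while its own state was active, which is the state separation property the component exists to provide.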
</p></div><div class="sect3" title="@torproject.org/torbutton-logger;1 - components/torbutton-logger.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2683534"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/torbutton-logger.js" target="_top">@torproject.org/torbutton-logger;1
- components/torbutton-logger.js</a></h4></div></div></div><p>The torbutton logger component allows on-the-fly redirection of torbutton
logging messages to either Firefox stderr
(<span class="command"><strong>extensions.torbutton.logmethod=0</strong></span>), the Javascript error console
(<span class="command"><strong>extensions.torbutton.logmethod=1</strong></span>), or the DebugLogger extension (if
available - <span class="command"><strong>extensions.torbutton.logmethod=2</strong></span>). It also allows you to
change the loglevel on the fly by changing
<span class="command"><strong>extensions.torbutton.loglevel</strong></span> (1-5, 1 is most verbose).
</p></div><div class="sect3" title="@torproject.org/content-window-mapper;1 - components/window-mapper.js"><div class="titlepage"><div><div><h4 class="title"><a id="windowmapper"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/window-mapper.js" target="_top">@torproject.org/content-window-mapper;1
- components/window-mapper.js</a></h4></div></div></div><p>Torbutton tags Firefox <a class="ulink" href="https://developer.mozilla.org/en/XUL_Tutorial/Tabboxes" target="_top">tabs</a> with a special variable that indicates the Tor
state the tab was most recently used under to fetch a page. The problem is
that for many Firefox events, it is not possible to determine the tab that is
actually receiving the event. The Torbutton window mapper allows the Torbutton
chrome and other components to look up a <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser" target="_top">browser
tab</a> for a given <a class="ulink" href="https://developer.mozilla.org/en/nsIDOMWindow" target="_top">HTML content
window</a>. It does this by traversing all windows and all browsers, until it
finds the browser with the requested <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser#p-contentWindow" target="_top">contentWindow</a> element. Since the content policy
and page loading in general can generate hundreds of these lookups, this
result is cached inside the component.
</p></div><div class="sect3" title="@torproject.org/crash-observer;1"><div class="titlepage"><div><div><h4 class="title"><a id="crashobserver"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/crash-observer.js" target="_top">@torproject.org/crash-observer;1</a></h4></div></div></div><p>

This component detects when Firefox crashes by altering Firefox prefs during
runtime and checking for the same values at startup. It <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIPrefService#savePrefFile()" target="_top">synchronizes
the preference service</a> to ensure the altered prefs are written to disk
immediately.
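The crash-detection pattern above, as an added example that is not Torbutton's own code. PrefService is an in-memory stand-in for nsIPrefService with a separate "disk" copy that only savePrefFile() updates, the pref name extensions.torbutton.crashed is a hypothetical placeholder, and the simulate() helper runs two browser lifetimes against the same "disk" to show why the synchronous flush matters.

```javascript
// Added example (not Torbutton's own code): a model of the crash-observer
// pattern. PrefService stands in for nsIPrefService: `mem` is the live pref
// branch, `disk` stands in for prefs.js and only changes on savePrefFile().

class PrefService {
  constructor(disk) {
    this.disk = disk;                      // shared object standing in for prefs.js
    this.mem = Object.assign({}, disk);    // startup reads whatever reached disk
  }
  setBoolPref(name, value) { this.mem[name] = value; }
  getBoolPref(name, fallback) { return name in this.mem ? this.mem[name] : fallback; }
  savePrefFile() { Object.assign(this.disk, this.mem); }   // synchronous flush
}

const CRASH_PREF = "extensions.torbutton.crashed";   // hypothetical pref name

// Startup: a marker that survived from the previous run means that run never
// reached clean shutdown, i.e. the browser crashed. Then arm the marker for
// this run. `flush` controls whether the armed marker is pushed to disk now.
function checkForCrashAndArm(prefs, { flush }) {
  const crashed = prefs.getBoolPref(CRASH_PREF, false);
  prefs.setBoolPref(CRASH_PREF, true);
  if (flush) prefs.savePrefFile();
  return crashed;
}

// Clean shutdown clears the marker; a crash never gets here.
function cleanShutdown(prefs) {
  prefs.setBoolPref(CRASH_PREF, false);
  prefs.savePrefFile();
}

// Run one browser lifetime against a fresh "disk", optionally crashing it,
// and report what the next startup concludes.
function simulate({ flush, crash }) {
  const disk = {};
  const first = new PrefService(disk);
  checkForCrashAndArm(first, { flush });
  if (!crash) cleanShutdown(first);
  // `first` is simply abandoned on a crash: nothing in its memory survives.
  const second = new PrefService(disk);
  return checkForCrashAndArm(second, { flush });
}
```

With flush disabled, a crash goes undetected because the armed marker never left memory; that is exactly the case the component's explicit synchronization of the preference service guards against.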

  </p></div><div class="sect3" title="@torproject.org/torbutton-ss-blocker;1"><div class="titlepage"><div><div><h4 class="title"><a id="tbsessionstore"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/tbSessionStore.js" target="_top">@torproject.org/torbutton-ss-blocker;1</a></h4></div></div></div><p>

This component subscribes to the Firefox <a class="ulink" href="https://developer.mozilla.org/en/Observer_Notifications#Session_Store" target="_top">sessionstore-state-write</a>
observer event to filter out URLs from tabs loaded during Tor, to prevent them
from being written to disk. To do this, it checks the
<span class="command"><strong>__tb_tor_fetched</strong></span> tag of tab objects before writing them out. If
the tag is from a blocked Tor state, the tab is not written to disk.  This is
a rather expensive operation that involves potentially very large JSON
evaluations and object tree traversals, but it is preferable to replacing the
Firefox session store with our own implementation, which is what was done in
years past.
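The session-store filtering described above, as an added example that is not Torbutton's own code. The state shape (windows containing tabs containing entries) follows the session store's JSON layout, the per-tab __tb_tor_fetched tag is the marker named in the text, and the Tor state values, the blocked-state set and the sample session are constructed for the example.

```javascript
// Added example (not Torbutton's own code): dropping Tor-loaded tabs from the
// session state before sessionstore-state-write persists it. The state shape
// follows the session store's JSON; TOR_ON/TOR_OFF and the sample are constructed.

const TOR_ON = 1, TOR_OFF = 0;   // hypothetical Tor state values

// A tab may be written unless its __tb_tor_fetched tag names a blocked state.
// Untagged tabs were never loaded through Torbutton and are always written.
function tabIsWritable(tab, blockedStates) {
  const tag = tab.__tb_tor_fetched;
  if (tag === undefined) return true;
  return !blockedStates.has(tag);
}

// Return a new state with blocked tabs removed. Windows left with no tabs are
// dropped, and the selected-tab index is clamped to the remaining tabs.
function filterSessionState(state, blockedStates) {
  const windows = [];
  for (const win of state.windows) {
    const tabs = win.tabs.filter(t => tabIsWritable(t, blockedStates));
    if (tabs.length === 0) continue;
    const selected = Math.min(win.selected || 1, tabs.length);
    windows.push({ ...win, tabs, selected });
  }
  return { ...state, windows };
}

// Observer entry point: the notification carries the serialized state; we
// parse, filter and re-serialize it, which is the "expensive JSON evaluation
// and tree traversal" the text mentions.
function onSessionStateWrite(serializedState, blockedStates) {
  const state = JSON.parse(serializedState);
  return JSON.stringify(filterSessionState(state, blockedStates));
}

// Constructed sample: one window with a clearnet tab, a Tor tab and an untagged
// tab, plus a second window holding only a Tor tab.
const SAMPLE_STATE = JSON.stringify({
  windows: [
    {
      selected: 2,
      tabs: [
        { entries: [{ url: "http://news.example/" }], __tb_tor_fetched: TOR_OFF },
        { entries: [{ url: "http://hidden.example/" }], __tb_tor_fetched: TOR_ON },
        { entries: [{ url: "about:blank" }] },
      ],
    },
    { selected: 1, tabs: [{ entries: [{ url: "http://secret.example/" }], __tb_tor_fetched: TOR_ON }] },
  ],
});

// Returns the URLs that would actually reach disk, per surviving window.
function demo() {
  const out = JSON.parse(onSessionStateWrite(SAMPLE_STATE, new Set([TOR_ON])));
  return out.windows.map(w => w.tabs.map(t => t.entries[0].url));
}
```

Dropping the whole tab object rather than blanking its URL matters: session history entries, form data and referrer fields in the same object would otherwise still be written.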

  </p></div><div class="sect3" title="@torproject.org/torRefSpoofer;1"><div class="titlepage"><div><div><h4 class="title"><a id="refspoofer"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/torRefSpoofer.js" target="_top">@torproject.org/torRefSpoofer;1</a></h4></div></div></div><p>
This component handles optional referer spoofing for Torbutton. It implements a
form of "smart" referer spoofing using <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers" target="_top">http-on-modify-request</a>
to modify the Referer header. The code sends the default browser referer
header only if the destination domain is a suffix of the source, or if the
source is a suffix of the destination. Otherwise, it sends no referer. This
strange suffix logic is used as a heuristic: some rare sites on the web block
requests without proper referer headers, and this logic is an attempt to cater
to them. Unfortunately, it may not be enough. For example, google.fr will not
send a referer to google.com using this logic. Hence, it is off by default.
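The suffix heuristic described above, as an added example that is not Torbutton's own code. refererToSend implements the rule exactly as the text states it (plain string suffix in either direction); refererToSendLabelAligned is a stricter variant added here as a design choice, not the original's behaviour, that only accepts a suffix on a domain-label boundary. The function names, the header-rewriting helper and the URLs are constructed for the example.

```javascript
// Added example (not Torbutton's own code): the referer suffix heuristic.
// Function names and the test URLs are constructed for this example.

// Lower-cased hostname of a URL, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Torbutton's rule as described: keep the referer only if one host is a
// string suffix of the other; otherwise send none.
function refererToSend(sourceUrl, destUrl) {
  const src = hostOf(sourceUrl), dst = hostOf(destUrl);
  if (src === null || dst === null) return null;
  if (src.endsWith(dst) || dst.endsWith(src)) return sourceUrl;
  return null;
}

// Stricter variant (added design choice, not the original's behaviour): the
// suffix must sit on a label boundary, so "notexample.com" does not count as
// being under "example.com".
function refererToSendLabelAligned(sourceUrl, destUrl) {
  const src = hostOf(sourceUrl), dst = hostOf(destUrl);
  if (src === null || dst === null) return null;
  const underOrSame = (a, b) => a === b || a.endsWith("." + b);
  return underOrSame(src, dst) || underOrSame(dst, src) ? sourceUrl : null;
}

// http-on-modify-request style hook: rewrite the Referer header of an outgoing
// request according to a policy and return the resulting headers.
function applyRefererPolicy(headers, sourceUrl, destUrl, policy = refererToSend) {
  const out = { ...headers };
  const ref = policy(sourceUrl, destUrl);
  if (ref === null) delete out.Referer; else out.Referer = ref;
  return out;
}

// Constructed cases: same-site in both directions, the google.fr -> google.com
// case the text calls out, and a look-alike host that only the stricter rule rejects.
const CASES = [
  ["https://mail.google.com/inbox", "https://google.com/search"],
  ["https://google.com/search", "https://mail.google.com/inbox"],
  ["https://google.fr/", "https://google.com/"],
  ["https://notexample.com/", "https://example.com/"],
];

// For each case, whether a referer is sent under each rule.
function demo() {
  return CASES.map(([s, d]) => ({
    suffix: refererToSend(s, d) !== null,
    labelAligned: refererToSendLabelAligned(s, d) !== null,
  }));
}
```

The fourth case shows why the plain suffix rule is only a heuristic: a string suffix is not a domain relationship, which is one more reason the feature ships disabled.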
 </p></div><div class="sect3" title="@torproject.org/cssblocker;1 - components/cssblocker.js"><div class="titlepage"><div><div><h4 class="title"><a id="contentpolicy"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1
- components/cssblocker.js</a></h4></div></div></div><p>This is a key component to Torbutton's security measures. When Tor is
toggled, Javascript is disabled, and pages are instructed to stop loading.
However, CSS is still able to perform network operations by loading styles for
onmouseover events and other operations. In addition, favicons can still be
loaded by the browser. The cssblocker component prevents this by implementing
and registering an <a class="ulink" href="https://developer.mozilla.org/en/nsIContentPolicy" target="_top">nsIContentPolicy</a>.
When an nsIContentPolicy is registered, Firefox checks every attempted network
request against its <a class="ulink" href="https://developer.mozilla.org/en/nsIContentPolicy#shouldLoad()" target="_top">shouldLoad</a>
member function to determine if the load should proceed. In Torbutton's case,
the content policy looks up the appropriate browser tab using the <a class="link" href="#windowmapper" title="@torproject.org/content-window-mapper;1 - components/window-mapper.js">window mapper</a>,
and checks that tab's load tag against the current Tor state. If the tab was
loaded in a different state than the current state, the fetch is denied.
Otherwise, it is allowed.</p><p>This helps to achieve the <a class="link" href="#isolation">Network
Isolation</a> requirements of Torbutton.</p>

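The shouldLoad decision described above together with the cached window-mapper lookup it depends on (section 2.2), as an added example that is not Torbutton's own code. The nsIContentPolicy interface is modelled with plain values for ACCEPT and REJECT_REQUEST, the window and browser objects are constructed, and the Tor state values and the lookups counter are assumptions made for the demo.

```javascript
// Added example (not Torbutton's own code): a model of the cssblocker content
// policy plus the cached window-mapper lookup it relies on. nsIContentPolicy's
// shouldLoad/return values are modelled with plain JavaScript values.

const ACCEPT = 1, REJECT_REQUEST = -1;   // nsIContentPolicy-style results
const TOR_ON = 1, TOR_OFF = 0;           // hypothetical Tor state values

// A browser (tab) exposes its content window and carries the load tag that
// records the Tor state it last fetched a page under.
function makeBrowser(contentWindow, torFetched) {
  return { contentWindow, __tb_tor_fetched: torFetched };
}

// Window mapper: walk every window and every browser until the one owning the
// requested contentWindow is found; cache the answer because the content
// policy asks for it on every single load.
class WindowMapper {
  constructor(windows) { this.windows = windows; this.cache = new Map(); this.lookups = 0; }
  getBrowserForContentWindow(win) {
    if (this.cache.has(win)) return this.cache.get(win);
    this.lookups++;
    for (const w of this.windows) {
      for (const b of w.browsers) {
        if (b.contentWindow === win) { this.cache.set(win, b); return b; }
      }
    }
    return null;
  }
  // A closed tab must be evicted, or a stale browser could be returned later.
  forget(win) { this.cache.delete(win); }
}

// The content policy: deny any load whose originating tab was fetched under a
// different Tor state than the one currently active.
class TorContentPolicy {
  constructor(mapper, getTorState) { this.mapper = mapper; this.getTorState = getTorState; }
  shouldLoad(contentType, contentLocation, requestOrigin, context) {
    const browser = this.mapper.getBrowserForContentWindow(context);
    if (!browser) return ACCEPT;                               // not a tab we track
    if (browser.__tb_tor_fetched === undefined) return ACCEPT; // never tagged
    return browser.__tb_tor_fetched === this.getTorState() ? ACCEPT : REJECT_REQUEST;
  }
}

// One tab loaded under Tor and one loaded on the clearnet, checked before and
// after a toggle. Returns the decisions and how many full walks were needed.
function demo() {
  const winA = { name: "tab-loaded-in-tor" }, winB = { name: "tab-loaded-clearnet" };
  const state = { tor: TOR_ON };
  const mapper = new WindowMapper([{ browsers: [makeBrowser(winA, TOR_ON), makeBrowser(winB, TOR_OFF)] }]);
  const policy = new TorContentPolicy(mapper, () => state.tor);
  const r = {};
  r.torTabWhileTor = policy.shouldLoad("TYPE_STYLESHEET", "http://a.example/s.css", null, winA);
  r.clearTabWhileTor = policy.shouldLoad("TYPE_IMAGE", "http://b.example/favicon.ico", null, winB);
  state.tor = TOR_OFF;   // toggle: the roles reverse
  r.torTabWhileClear = policy.shouldLoad("TYPE_STYLESHEET", "http://a.example/s.css", null, winA);
  r.clearTabWhileClear = policy.shouldLoad("TYPE_IMAGE", "http://b.example/favicon.ico", null, winB);
  r.lookups = mapper.lookups;   // 2: one walk per window, the rest served from cache
  return r;
}
```

The mismatch rule works in both directions: after toggling Tor off, a stylesheet fetch from a tab that was loaded over Tor is refused just as a clearnet tab's favicon was refused while Tor was on.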
torbutton/en/design/index.html.en       362) <p>In addition, the content policy also blocks website javascript from
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       363) <a class="ulink" href="http://webdevwonders.com/detecting-firefox-add-ons/" target="_top">querying for
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       364) versions and existence of extension chrome</a> while Tor is enabled, and
torbutton/en/design/index.html.en       365) also masks the presence of Torbutton to website javascript while Tor is
torbutton/en/design/index.html.en       366) disabled. </p><p>
torbutton/en/design/index.html.en       367) 
torbutton/en/design/index.html.en       368) Finally, some of the work that logically belongs to the content policy is
torbutton/en/design/index.html.en       369) instead handled by the <span class="command"><strong>torbutton_http_observer</strong></span> and
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       370) <span class="command"><strong>torbutton_weblistener</strong></span> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>. These two objects handle blocking of
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       371) Firefox 3 favicon loads, popups, and full page plugins, which for whatever
torbutton/en/design/index.html.en       372) reason are not passed to the Firefox content policy itself (see Firefox Bugs 
torbutton/en/design/index.html.en       373) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">437014</a> and 
torbutton/en/design/index.html.en       374) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">401296</a>).
torbutton/en/design/index.html.en       375) 
torbutton/en/design/index.html.en       376) </p><p>
torbutton/en/design/index.html.en       377) 
torbutton/en/design/index.html.en       378) This helps to fulfill both the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> and the <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirements of
Mike Perry Update design doc to reflec...

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       379) Torbutton.</p></div></div></div><div class="sect1" title="3. Chrome"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2681735"></a>3. Chrome</h2></div></div></div><p>The chrome is where all the torbutton graphical elements and windows are
torbutton/en/design/index.html.en       380) located. </p><div class="sect2" title="3.1. XUL Windows and Overlays"><div class="titlepage"><div><div><h3 class="title"><a id="id2702019"></a>3.1. XUL Windows and Overlays</h3></div></div></div><p>
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       381) Each window is described as an <a class="ulink" href="http://developer.mozilla.org/en/docs/XUL_Reference" target="_top">XML file</a>, with zero or more Javascript
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       382) files attached. The scope of these Javascript files is their containing
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       383) window. XUL files that add new elements and script to existing Firefox windows
torbutton/en/design/index.html.en       384) are called overlays.</p><div class="sect3" title="Browser Overlay - torbutton.xul"><div class="titlepage"><div><div><h4 class="title"><a id="browseroverlay"></a>Browser Overlay - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.xul" target="_top">torbutton.xul</a></h4></div></div></div><p>The browser overlay, torbutton.xul, defines the toolbar button, the status
torbutton/en/design/index.html.en       385) bar, and events for toggling the button. The overlay code is in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">chrome/content/torbutton.js</a>.
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       386) It contains event handlers for preference update, shutdown, upgrade, and
Mike Perry Update design doc to reflec...

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       387) location change events.</p></div><div class="sect3" title="Preferences Window - preferences.xul"><div class="titlepage"><div><div><h4 class="title"><a id="id2704559"></a>Preferences Window - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.xul" target="_top">preferences.xul</a></h4></div></div></div><p>The preferences window of course lays out the Torbutton preferences, with
torbutton/en/design/index.html.en       388) handlers located in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.js" target="_top">chrome/content/preferences.js</a>.</p></div><div class="sect3" title="Other Windows"><div class="titlepage"><div><div><h4 class="title"><a id="id2669673"></a>Other Windows</h4></div></div></div><p>There are additional windows that describe popups for right clicking on
torbutton/en/design/index.html.en       389) the status bar, the toolbutton, and the about page.</p></div></div><div class="sect2" title="3.2. Major Chrome Observers"><div class="titlepage"><div><div><h3 class="title"><a id="id2694797"></a>3.2. Major Chrome Observers</h3></div></div></div><p>
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

In addition to the <a class="link" href="#components" title="2. Components">components described
above</a>, Torbutton also instantiates several observers in the browser
overlay window. These mostly grew due to scoping convenience, and many should
probably be relocated into their own components.
 </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>torbutton_window_pref_observer</strong></span><p>
This is an observer that listens for Torbutton state changes, for the purposes
of updating the Torbutton button graphic as the Tor state changes.
    </p></li><li class="listitem"><span class="command"><strong>torbutton_unique_pref_observer</strong></span><p>

This is an observer that only runs in one window, called the main window. It
listens for changes to all of the Torbutton preferences, as well as Torbutton
controlled Firefox preferences. It is what carries out the toggle path when
the proxy settings change. When the main window is closed, the
torbutton_close_window event handler runs to dub a new window the "main
window".

    </p></li><li class="listitem"><span class="command"><strong>tbHistoryListener</strong></span><p>
The tbHistoryListener exists to prevent client window Javascript from
interacting with window.history to forcibly navigate a user to a tab session
history entry from a different Tor state. It also expunges the window.history
entries during toggle. This listener helps Torbutton
satisfy the <a class="link" href="#isolation">Network Isolation</a> requirement as
well as the <a class="link" href="#state">State Separation</a> requirement.

    </p></li><li class="listitem"><span class="command"><strong>torbutton_http_observer</strong></span><p>

The torbutton_http_observer performs some of the work that logically belongs
to the content policy. This handles blocking of
Firefox 3 favicon loads, which for whatever
reason are not passed to the Firefox content policy itself (see Firefox Bugs
<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">437014</a> and
<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">401296</a>).

    </p><p>
The observer is also responsible for redirecting users to alternate
search engines when Google presents them with a Captcha, as well as copying
Google Captcha-related cookies between international Google domains.
    </p></li><li class="listitem"><span class="command"><strong>torbutton_proxyservice</strong></span><p>
The Torbutton proxy service handles redirecting Torbutton-related update
checks on addons.mozilla.org through Tor. This is done to help satisfy the
<a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
    </p></li><li class="listitem"><span class="command"><strong>torbutton_weblistener</strong></span><p>The <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener#onLocationChange" target="_top">location
change</a> <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgress" target="_top">webprogress
listener</a>, <span class="command"><strong>torbutton_weblistener</strong></span> is one of the most
important parts of the chrome from a security standpoint. It is a <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener" target="_top">webprogress
listener</a> that handles receiving an event every time a page load or
iframe load occurs. This class eventually calls down to
<code class="function">torbutton_update_tags()</code> and
<code class="function">torbutton_hookdoc()</code>, which apply the browser Tor load
state tags, plugin permissions, and install the Javascript hooks to hook the
<a class="ulink" href="https://developer.mozilla.org/en/DOM/window.screen" target="_top">window.screen</a>
object to obfuscate browser and desktop resolution information.

</p></li></ol></div></div></div><div class="sect1" title="4. Toggle Code Path"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2696524"></a>4. Toggle Code Path</h2></div></div></div><p>

The act of toggling is connected to <code class="function">torbutton_toggle()</code>
via the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.xul" target="_top">torbutton.xul</a>
and <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/popup.xul" target="_top">popup.xul</a>
overlay files. Most of the work in the toggling process is present in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>.

</p><p>

Toggling is a 3 stage process: Button Click, Proxy Update, and
Settings Update. These stages are reflected in the prefs
<span class="command"><strong>extensions.torbutton.tor_enabled</strong></span>,
<span class="command"><strong>extensions.torbutton.proxies_applied</strong></span>, and
<span class="command"><strong>extensions.torbutton.settings_applied</strong></span>. The reason for the
three stage preference update is to ensure immediate enforcement of <a class="link" href="#isolation">Network Isolation</a> via the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>. Since the content window
javascript runs on a different thread than the chrome javascript, it is
important to properly convey the stages to the content policy to avoid race
conditions and leakage, especially with <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug 
409737</a> unfixed. The content policy does not allow any network activity
whatsoever during this three stage transition.

 </p><div class="sect2" title="4.1. Button Click"><div class="titlepage"><div><div><h3 class="title"><a id="id2699452"></a>4.1. Button Click</h3></div></div></div><p>

This is the first step in the toggling process. When the user clicks the
toggle button or the toolbar, <code class="function">torbutton_toggle()</code> is
called. This function checks the current Tor status by comparing the current
proxy settings to the selected Tor settings, and then sets the proxy settings
to the opposite state, and sets the pref
<span class="command"><strong>extensions.torbutton.tor_enabled</strong></span> to reflect the new state.
It is this proxy pref update that gives notification via the <a class="ulink" href="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29" target="_top">pref
observer</a>
<span class="command"><strong>torbutton_unique_pref_observer</strong></span> to perform the rest of the
toggle.

  </p></div><div class="sect2" title="4.2. Proxy Update"><div class="titlepage"><div><div><h3 class="title"><a id="id2697978"></a>4.2. Proxy Update</h3></div></div></div><p>

When Torbutton receives any proxy change notifications via its
<span class="command"><strong>torbutton_unique_pref_observer</strong></span>, it calls
<code class="function">torbutton_set_status()</code> which checks against the Tor
settings to see if the Tor proxy settings match the current settings. If so,
it calls <code class="function">torbutton_update_status()</code>, which determines if
the Tor state has actually changed, and sets
<span class="command"><strong>extensions.torbutton.proxies_applied</strong></span> to the appropriate Tor
state value, and ensures that
<span class="command"><strong>extensions.torbutton.tor_enabled</strong></span> is also set to the correct
value. This is decoupled from the button click functionality via the pref
observer so that other addons (such as SwitchProxy) can switch the proxy
settings between multiple proxies.

  </p></div><div class="sect2" title="4.3. Settings Update"><div class="titlepage"><div><div><h3 class="title"><a id="id2697015"></a>4.3. Settings Update</h3></div></div></div><p>

The next stage is also handled by
<code class="function">torbutton_update_status()</code>. This function sets scores of
Firefox preferences, saving the original values to prefs under
<span class="command"><strong>extensions.torbutton.saved.*</strong></span>, and performs the <a class="link" href="#cookiejar" title="@torproject.org/cookie-jar-selector;2 - components/cookie-jar-selector.js">cookie jarring</a>, state clearing (such as window.name
and DOM storage), and <a class="link" href="#preferences" title="4.4. Firefox preferences touched during Toggle">preference
toggling</a>. At the
end of its work, it sets
<span class="command"><strong>extensions.torbutton.settings_applied</strong></span>, which signifies the
completion of the toggle operation to the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>.

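The three-stage toggle of sections 4.1 to 4.3 and the content policy's "no network activity while the stages disagree" rule, as an added example in plain JavaScript that is not Torbutton's own code: the three stage pref names are the ones from the text, while the proxy values, the handful of prefs saved under saved.*, the pref branch and the ACCEPT/REJECT_REQUEST codes are constructed stand-ins for their XPCOM counterparts.

```javascript
// Added example, not Torbutton's own code; see the lead-in for assumptions.
const PREF_TOR_ENABLED = "extensions.torbutton.tor_enabled";
const PREF_PROXIES_APPLIED = "extensions.torbutton.proxies_applied";
const PREF_SETTINGS_APPLIED = "extensions.torbutton.settings_applied";

// Constructed stand-ins for the Tor proxy configuration that Torbutton
// compares the live proxy settings against.
const TOR_PROXY = { socksHost: "127.0.0.1", socksPort: 9050 };
const NO_PROXY = { socksHost: "", socksPort: 0 };

// Stand-ins for nsIContentPolicy's ACCEPT / REJECT_REQUEST return codes.
const ACCEPT = "ACCEPT";
const REJECT_REQUEST = "REJECT_REQUEST";

// Constructed user values for a few of the prefs section 4.4 lists, and the
// values they take while Tor is enabled.
const USER_DEFAULTS = {
  "geo.enabled": true,
  "network.dns.disablePrefetch": false,
  "browser.cache.offline.enable": true,
};
const TOR_VALUES = {
  "geo.enabled": false,
  "network.dns.disablePrefetch": true,
  "browser.cache.offline.enable": false,
};
// Minimal pref branch with change observers (models nsIPrefBranch2.addObserver).
class PrefBranch {
  constructor() { this.values = {}; this.observers = []; }
  get(name) { return this.values[name]; }
  set(name, value) { this.values[name] = value; this.observers.forEach((o) => o(name, value)); }
  addObserver(fn) { this.observers.push(fn); }
}

// The content policy's verdict depends only on the three stage prefs: while
// they disagree a toggle is in flight and no request may go out.
function shouldLoad(prefs) {
  const enabled = prefs.get(PREF_TOR_ENABLED);
  const proxied = prefs.get(PREF_PROXIES_APPLIED);
  const applied = prefs.get(PREF_SETTINGS_APPLIED);
  return enabled === proxied && proxied === applied ? ACCEPT : REJECT_REQUEST;
}
function sameProxy(a, b) { return a.socksHost === b.socksHost && a.socksPort === b.socksPort; }

class ToggleModel {
  constructor() {
    this.prefs = new PrefBranch();
    this.proxy = { ...NO_PROXY };
    this.decisions = [];
    for (const [name, value] of Object.entries(USER_DEFAULTS)) this.prefs.set(name, value);
    this.prefs.set(PREF_TOR_ENABLED, false);
    this.prefs.set(PREF_PROXIES_APPLIED, false);
    this.prefs.set(PREF_SETTINGS_APPLIED, false);
    // Record what the content policy would answer after every pref write.
    this.prefs.addObserver(() => this.decisions.push(shouldLoad(this.prefs)));
    // torbutton_unique_pref_observer: a proxy pref change runs
    // torbutton_set_status(), which checks whether the live settings match Tor's.
    this.prefs.addObserver((name) => {
      if (name.startsWith("network.proxy.")) this.updateStatus(sameProxy(this.proxy, TOR_PROXY));
    });
  }

  // Stage 1, torbutton_toggle(): flip the proxy settings and record intent.
  // Returns the sequence of content-policy verdicts seen during the toggle.
  toggle() {
    this.decisions = [];
    const torNow = sameProxy(this.proxy, TOR_PROXY);
    this.proxy = torNow ? { ...NO_PROXY } : { ...TOR_PROXY };
    this.prefs.set(PREF_TOR_ENABLED, !torNow);
    // Writing the proxy prefs is what notifies the observer to finish the job.
    this.prefs.set("network.proxy.socks", this.proxy.socksHost);
    this.prefs.set("network.proxy.socks_port", this.proxy.socksPort);
    return this.decisions;
  }

  // Stages 2 and 3, torbutton_update_status(): act only on a real change.
  updateStatus(torState) {
    if (this.prefs.get(PREF_PROXIES_APPLIED) === torState) return;
    this.prefs.set(PREF_PROXIES_APPLIED, torState);   // stage 2
    this.prefs.set(PREF_TOR_ENABLED, torState);       // keep stage 1 consistent
    this.applySettings(torState);
    this.prefs.set(PREF_SETTINGS_APPLIED, torState);  // stage 3: toggle complete
  }

  // Settings update: save the user's values under saved.* on the way into Tor
  // mode and restore them on the way out.
  applySettings(torState) {
    for (const [name, torValue] of Object.entries(TOR_VALUES)) {
      const saved = "extensions.torbutton.saved." + name;
      if (torState) {
        this.prefs.set(saved, this.prefs.get(name));
        this.prefs.set(name, torValue);
      } else {
        this.prefs.set(name, this.prefs.get(saved));
      }
    }
  }
}
```

Every verdict recorded between the tor_enabled write and the settings_applied write is REJECT_REQUEST, which is the window in which a request must not be allowed to pick up the old proxy settings.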
  </p></div><div class="sect2" title="4.4. Firefox preferences touched during Toggle"><div class="titlepage"><div><div><h3 class="title"><a id="preferences"></a>4.4. Firefox preferences touched during Toggle</h3></div></div></div><p>
There are also a number of Firefox preferences set in
<code class="function">torbutton_update_status()</code> that aren't governed by any
Torbutton setting. These are:
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Network.security.ports.banned" target="_top">network.security.ports.banned</a><p>
Torbutton sets this setting to add ports 8123, 8118, 9050 and 9051 (which it
reads from <span class="command"><strong>extensions.torbutton.banned_ports</strong></span>) to the list
of ports Firefox is forbidden to access. These ports are Polipo, Privoxy, Tor,
and the Tor control port, respectively. This is set for both Tor and Non-Tor
usage, and prevents websites from attempting to do http fetches from these
ports to see if they are open, which addresses the <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
 </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.send_pings" target="_top">browser.send_pings</a><p>
This setting is currently always disabled. If anyone ever complains saying
that they *want* their browser to be able to send ping notifications to a
page or arbitrary link, I'll make this a pref or Tor-only. But I'm not holding
my breath. I haven't checked if the content policy is called for pings, but if
not, this setting helps with meeting the <a class="link" href="#isolation">Network
Isolation</a> requirement.
 </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.safebrowsing.remoteLookups" target="_top">browser.safebrowsing.remoteLookups</a><p>
Likewise for this setting. I find it hard to imagine anyone who wants to ask
Google in real time if each URL they visit is safe, especially when the list
of unsafe URLs is downloaded anyway. This helps fulfill the <a class="link" href="#disk">Disk Avoidance</a> requirement, by preventing your entire
browsing history from ending up on Google's disks.
 </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.safebrowsing.enabled" target="_top">browser.safebrowsing.enabled</a><p>
Safebrowsing does <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=360387" target="_top">unauthenticated
updates under Firefox 2</a>, so it is disabled during Tor usage.
This helps fulfill the <a class="link" href="#updates">Update
Safety</a> requirement. Firefox 3 has the fix for that bug, and so
safebrowsing updates are enabled during Tor usage.
 </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Network.protocol-handler.warn-external.%28protocol%29" target="_top">network.protocol-handler.warn-external.(protocol)</a><p>
If Tor is enabled, we need to prevent random external applications from
launching without at least warning the user. This group of settings only
partially accomplishes this, however. Applications can still be launched via
plugins. The mechanisms for handling this are described under the "Disable
Plugins During Tor Usage" preference. This helps fulfill the <a class="link" href="#proxy">Proxy Obedience</a> requirement, by preventing external
applications from accessing network resources at the command of Tor-fetched
pages. Unfortunately, due to <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a>
<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">440892</a>,
these prefs are no longer obeyed. They are still set anyway out of respect for
the dead.
 </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.sessionstore.max_tabs_undo" target="_top">browser.sessionstore.max_tabs_undo</a><p>

To help satisfy the Torbutton <a class="link" href="#state">State Separation</a>
and <a class="link" href="#isolation">Network Isolation</a> requirements,
Torbutton needs to purge the Undo Tab history on toggle to prevent repeat
"Undo Close" operations from accidentally restoring tabs from a different Tor
State. This purge is accomplished by setting this preference to 0 and then
restoring it to the previous user value upon toggle.

   </p></li><li class="listitem"><span class="command"><strong>security.enable_ssl2</strong></span> or <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/interfaces/nsIDOMCrypto" target="_top">nsIDOMCrypto::logout()</a><p>
TLS Session IDs can persist for an indefinite duration, providing an
identifier that is sent to TLS sites that can be used to link activity. This
is particularly troublesome now that we have certificate verification in place
in Firefox 3: The OCSP server can use this Session ID to build a history of
TLS sites someone visits, and also correlate their activity as users move from
network to network (such as home to work to coffee shop, etc), inside and
outside of Tor. To handle this and to help satisfy our <a class="link" href="#state">State Separation Requirement</a>, we call the logout()
function of nsIDOMCrypto. Since this may be absent, or may fail, we fall back
to toggling
<span class="command"><strong>security.enable_ssl2</strong></span>, which clears the SSL Session ID
cache via the pref observer at <a class="ulink" href="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp" target="_top">nsNSSComponent.cpp</a>.
   </p></li><li class="listitem"><span class="command"><strong>security.OCSP.enabled</strong></span><p>
Similarly, we toggle <span class="command"><strong>security.OCSP.enabled</strong></span>, which clears the OCSP certificate
validation cache via the pref observer at <a class="ulink" href="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp" target="_top">nsNSSComponent.cpp</a>.
In this way, exit nodes will not be able to fingerprint you
based on the fact that non-Tor OCSP lookups were obviously previously cached.
This also helps satisfy our <a class="link" href="#state">State Separation Requirement</a>.
   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Updating_extensions#Disabling_update_checks_for_individual_add-ons_-_Advanced_users" target="_top">extensions.e0204bd5-9d31-402b-a99d-a6aa8ffebdca.getAddons.cache.enabled</a></strong></span><p>
We permanently disable addon usage statistic reporting to the
addons.mozilla.org statistics engine. These statistics send version
information about Torbutton users via non-Tor, allowing their Tor use to be
uncovered. Disabling this reporting helps Torbutton to satisfy its <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.

  </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://www.mozilla.com/en-US/firefox/geolocation/" target="_top">geo.enabled</a></strong></span><p>

Torbutton disables Geolocation support in Firefox 3.5 and above whenever Tor
is enabled. This helps Torbutton maintain its
<a class="link" href="#location">Location Neutrality</a> requirement.
While Firefox does prompt before divulging geolocational information,
the assumption is that Tor users will never want to give their
location away during Tor usage, and even allowing websites to prompt
them to do so will only cause confusion and accidents to happen. Moreover,
just because users may approve a site to know their location in non-Tor mode
does not mean they want it divulged during Tor mode.

   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Browser.zoom.siteSpecific" target="_top">browser.zoom.siteSpecific</a></strong></span><p>

Firefox actually remembers your zoom settings for certain sites. CSS
and Javascript rules can use this to recognize previous visitors to a site.
This helps Torbutton fulfill its <a class="link" href="#state">State Separation</a>
requirement.

   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="https://developer.mozilla.org/en/controlling_dns_prefetching" target="_top">network.dns.disablePrefetch</a></strong></span><p>

Firefox 3.5 and above implement prefetching of DNS resolution for hostnames in
links on a page to decrease page load latency. While Firefox does typically
disable this behavior when proxies are enabled, we set this pref for added
safety during Tor usage. Additionally, to prevent Tor-loaded tabs from having
their links prefetched after a toggle to Non-Tor mode occurs,
we also set the docShell attribute
<a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell" target="_top">
allowDNSPrefetch</a> to false on Tor loaded tabs. This happens in the same
positions in the code as those for disabling plugins via the allowPlugins
docShell attribute. This helps Torbutton fulfill its <a class="link" href="#isolation">Network Isolation</a> requirement.

   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Browser.cache.offline.enable" target="_top">browser.cache.offline.enable</a></strong></span><p>

Firefox has the ability to store web applications in a special cache to allow
them to continue to operate while the user is offline. Since this subsystem
is actually different than the normal disk cache, it must be dealt with
separately. Thus, Torbutton sets this preference to false whenever Tor is
enabled. This helps Torbutton fulfill its <a class="link" href="#disk">Disk
Avoidance</a> and <a class="link" href="#state">State Separation</a>
requirements.

   </p></li></ol></div></div></div><div class="sect1" title="5. Description of Options"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2702702"></a>5. Description of Options</h2></div></div></div><p>This section provides a detailed description of Torbutton's options. Each
option is presented as the string from the preferences window, a summary, the
preferences it touches, and the effect this has on the components, chrome, and
browser properties.</p><div class="sect2" title="5.1. Proxy Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2704948"></a>5.1. Proxy Settings</h3></div></div></div><div class="sect3" title="Test Settings"><div class="titlepage"><div><div><h4 class="title"><a id="id2683681"></a>Test Settings</h4></div></div></div><p>
This button under the Proxy Settings tab provides a way to verify that the
proxy settings are correct, and actually do route through the Tor network. It
performs this check by issuing an <a class="ulink" href="http://developer.mozilla.org/en/docs/XMLHttpRequest" target="_top">XMLHTTPRequest</a>
for <a class="ulink" href="https://check.torproject.org/?TorButton=True" target="_top">https://check.torproject.org/?Torbutton=True</a>.
This is a special page that returns very simple, yet well-formed XHTML that
Torbutton can easily inspect for a hidden link with an id of
<span class="command"><strong>TorCheckResult</strong></span> and a target of <span class="command"><strong>success</strong></span>
or <span class="command"><strong>failure</strong></span> to indicate whether the
user hit the page from a Tor IP or a non-Tor IP. This check is handled in
<code class="function">torbutton_test_settings()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>.
Presenting the results to the user is handled by the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.xul" target="_top">preferences
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       634) window</a>
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       635) callback <code class="function">torbutton_prefs_test_settings()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.js" target="_top">preferences.js</a>.  
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en       636) 
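The inspection step described above, as an added example that is not Torbutton's own code: it takes the body returned by the check page, looks for the link whose id is TorCheckResult, and reads its target. The sample responses are constructed to match the description in this section (the headline text in them is made up); a body without the marker link, or with an unexpected target, is reported as "unknown" and treated as a failed test rather than a pass.

```javascript
// Added example (not Torbutton's own code): parse the check.torproject.org
// response the way the design doc describes. Look for a link with
// id="TorCheckResult" and read its target attribute. Anything other than an
// explicit "success" is treated as a failed check (fail closed).

// Constructed sample responses, modelled on the doc's description of the page.
const SAMPLE_TOR_RESPONSE = `<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<h1>Congratulations. Your browser is configured to use Tor.</h1>
<a id="TorCheckResult" target="success" href="/"></a>
</body></html>`;

const SAMPLE_NONTOR_RESPONSE = `<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<h1>Sorry. You are not using Tor.</h1>
<a id="TorCheckResult" target="failure" href="/"></a>
</body></html>`;

// A captive portal or a tampering exit could hand back arbitrary HTML
// without the marker link at all (constructed).
const SAMPLE_UNEXPECTED_RESPONSE = `<html><body><h1>Login required</h1></body></html>`;

// Pull a single attribute value (double- or single-quoted) out of an
// attribute string such as ` id="TorCheckResult" target="success"`.
function readAttr(attrs, name) {
  const re = new RegExp("(?:^|\\s)" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)')", "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Return "success", "failure" or "unknown". Only the first <a> element whose
// id attribute is exactly TorCheckResult counts, and its target attribute
// must be exactly "success" or "failure".
function parseTorCheckResult(body) {
  if (typeof body !== "string") return "unknown";
  // Match any <a ...> start tag, then inspect its attributes separately so
  // that attribute order does not matter.
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(body)) !== null) {
    const attrs = m[1];
    if (readAttr(attrs, "id") !== "TorCheckResult") continue;
    const target = readAttr(attrs, "target");
    if (target === "success" || target === "failure") return target;
    return "unknown";
  }
  return "unknown";
}

// Decide what the preferences window should tell the user; the only state in
// which the proxy settings are confirmed is an explicit "success".
function torCheckVerdict(body) {
  const result = parseTorCheckResult(body);
  let message;
  if (result === "success") {
    message = "Proxy settings are correct and route through Tor.";
  } else if (result === "failure") {
    message = "The request did NOT go through Tor; check the proxy settings.";
  } else {
    message = "Unexpected response from the check page; treating as a failed test.";
  }
  return { result, routedThroughTor: result === "success", message };
}
```

The "unknown" branch is the one worth keeping: a blocked or intercepted request that returns some other page must not be read as confirmation that traffic is going through Tor.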
  </p></div></div><div class="sect2" title="5.2. Dynamic Content Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2686645"></a>5.2. Dynamic Content Settings</h3></div></div></div><div class="sect3" title="Disable plugins on Tor Usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="plugins"></a>Disable plugins on Tor Usage (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_tor_plugins</strong></span></p><p>Java and plugins <a class="ulink" href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/class-use/NetworkInterface.html" target="_top">can query</a> the <a class="ulink" href="http://www.rgagnon.com/javadetails/java-0095.html" target="_top">local IP
address</a> and report it back to the
remote site. They can also bypass proxy settings and directly connect to a
remote site without Tor. Every browser plugin we have tested with Firefox has
some form of network capability, and every one ignores proxy settings or, worse, only
partially obeys them. This includes but is not limited to:
QuickTime, Windows Media Player, RealPlayer, mplayerplug-in, AcroRead, and
Flash.

 </p><p>
Enabling this preference causes the above-mentioned Torbutton chrome web progress
 listener <span class="command"><strong>torbutton_weblistener</strong></span> to disable Java via <span class="command"><strong>security.enable_java</strong></span> and to disable
 plugins via the browser <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell" target="_top">docShell</a>
 attribute <span class="command"><strong>allowPlugins</strong></span>. These flags are set every time a new window is
 created (<code class="function">torbutton_tag_new_browser()</code>), every time a web load
 event occurs (<code class="function">torbutton_update_tags()</code>), and every time the Tor state is changed
 (<code class="function">torbutton_update_status()</code>). As a backup measure, plugins are also
 prevented from loading by the content policy in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1</a> if Tor is
 enabled and this option is set.
 </p><p>All of this turns out to be insufficient if the user directly clicks
on a plugin-handled mime-type. <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">In this case</a>,
the browser decides that maybe it should ignore all these other settings and
load the plugin anyway, because maybe the user really did want to load it
(never mind that this same style of load could happen automatically with meta-refresh
or any number of other ways). To handle these cases, Torbutton stores a list
of plugin-handled mime-types, and sets the pref
<span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to this list.
Additionally (since nothing can be assumed when relying on Firefox
preferences and internals), if it detects a load of one of them from the web
progress listener, it cancels the request, tells the associated DOMWindow to
stop loading, clears the document, AND throws an exception. Anything short of
all this and the plugin managed to find some way to load.
 </p><p>
 All this could be avoided, of course, if Firefox would either <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">obey
 allowPlugins</a> for directly visited URLs, or notify its content policy for such
 loads either <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=309524" target="_top">via</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380556" target="_top">shouldProcess</a> or shouldLoad. The fact that it does not is
 not very encouraging.
 </p><p>

Since most plugins completely ignore browser proxy settings, the actions
performed by this setting are crucial to satisfying the <a class="link" href="#proxy">Proxy Obedience</a> requirement.

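The two pieces of the mime-type defence above, as an added example (not Torbutton's own code): building the value for plugin.disable_full_page_plugin_for_types from the plugins the browser reports, and the check a web progress listener would make against a load's Content-Type. The plugin list is constructed stand-in data in the shape of navigator.plugins; lower-casing the types before comparison is an assumption made here so that header casing cannot slip past the list.

```javascript
// Added example (not Torbutton's own code): derive the
// plugin.disable_full_page_plugin_for_types list from the plugins the browser
// reports, and decide whether a top-level load must be cancelled because its
// Content-Type is plugin-handled while Tor is enabled.

// Constructed stand-in for navigator.plugins; real code would read the
// browser's own list.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", mimeTypes: ["application/x-shockwave-flash", "application/futuresplash"] },
  { name: "QuickTime Plug-in", mimeTypes: ["video/quicktime", "audio/x-aiff"] },
  { name: "Adobe Acrobat", mimeTypes: ["application/pdf"] },
];

// Produce the comma-separated, de-duplicated list the pref expects. Sorting
// and lower-casing are assumptions made here for stable, case-insensitive
// comparison; the pref itself is just a comma-separated list of MIME types.
function buildFullPagePluginBlockList(plugins) {
  const seen = new Set();
  for (const plugin of plugins) {
    for (const type of plugin.mimeTypes) {
      const t = type.trim().toLowerCase();
      if (t) seen.add(t);
    }
  }
  return Array.from(seen).sort().join(",");
}

// Reduce a Content-Type header to its media type, dropping parameters such
// as "; charset=...".
function mediaTypeOf(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// The decision the progress listener makes for a load: when Tor is enabled
// and no_tor_plugins is set, a plugin-handled type is cancelled (the doc
// then also stops the DOMWindow, clears the document and throws).
function shouldCancelPluginLoad({ torEnabled, noTorPlugins, contentType, blockList }) {
  if (!torEnabled || !noTorPlugins) return false;
  const blocked = new Set(blockList.split(",").filter(Boolean));
  return blocked.has(mediaTypeOf(contentType));
}
```

Note that the check keys on the response's media type, not on the URL: the doc's point is that a direct click on a plugin-handled resource bypasses allowPlugins, and the URL alone does not tell you what will be handed to a plugin.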
 </p></div><div class="sect3" title="Isolate Dynamic Content to Tor State (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2688604"></a>Isolate Dynamic Content to Tor State (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.isolate_content</strong></span></p><p>Enabling this preference is what enables the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1</a> content policy
mentioned above, and causes it to block content load attempts in pages loaded in the
opposite Tor state from the current state. Freshly loaded <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser" target="_top">browser
tabs</a> are tagged
with a <span class="command"><strong>__tb_load_state</strong></span> member in
<code class="function">torbutton_update_tags()</code> and this
value is compared against the current Tor state in the content policy.</p><p>It also kills all Javascript in each page loaded under that state by
toggling the <span class="command"><strong>allowJavascript</strong></span> <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell" target="_top">docShell</a> property, and issues a
<a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIWebNavigation#stop()" target="_top">webNavigation.stop(webNavigation.STOP_ALL)</a> to each browser tab (the
equivalent of hitting the STOP button).</p><p>

Unfortunately, <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox bug
409737</a> prevents <span class="command"><strong>docShell.allowJavascript</strong></span> from killing
all event handlers, and event handlers registered with <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:element.addEventListener" target="_top">addEventListener()</a>
are still able to execute. The <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">Torbutton Content
Policy</a> should prevent such code from performing network activity within
the current tab, but activity that happens via a popup window or via a
Javascript redirect can still slip by. For this reason, Torbutton blocks
popups by checking for a valid <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.opener" target="_top">window.opener</a>
attribute in <code class="function">torbutton_check_progress()</code>. If the window
has an opener from a different Tor state, its load is blocked. The content
policy also takes similar action to prevent Javascript redirects. This also
has the side effect (or feature) of preventing the user from following any links
from a page loaded in an opposite Tor state.

</p><p>
This setting is responsible for satisfying the <a class="link" href="#isolation">Network Isolation</a> requirement.
</p></div><div class="sect3" title="Hook Dangerous Javascript"><div class="titlepage"><div><div><h4 class="title"><a id="jshooks"></a>Hook Dangerous Javascript</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.kill_bad_js</strong></span></p><p>This setting enables injection of the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/jshooks.js" target="_top">Javascript
hooking code</a>. This is done in the chrome in
<code class="function">torbutton_hookdoc()</code>, which is called ultimately by both the
<a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener" target="_top">webprogress
listener</a> <span class="command"><strong>torbutton_weblistener</strong></span> and the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a> (the latter being a hack to handle
javascript: urls).

In the Firefox 2 days, this option did a lot more than
it does now. It used to be responsible for timezone and improved useragent
spoofing, and history object cloaking. However, now it only provides
obfuscation of the <a class="ulink" href="https://developer.mozilla.org/en/DOM/window.screen" target="_top">window.screen</a>
object to mask your browser and desktop resolution.
The resolution hooks
effectively make the Firefox browser window appear to websites as if the renderable area
takes up the entire desktop, has no toolbar or other GUI element space, and
the desktop itself has no toolbars.
These hooks drastically reduce the amount of information available to do <a class="link" href="#fingerprinting">anonymity set reduction attacks</a> and help to
meet the <a class="link" href="#setpreservation">Anonymity Set Preservation</a>
requirements. Unfortunately, Gregory Fleischer discovered it is still possible
to retrieve the original screen values by using <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-sandbox-xpcnativewrapper.html" target="_top">XPCNativeWrapper</a>
or <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-components-lookupmethod.html" target="_top">Components.lookupMethod</a>.
We are still looking for a workaround as of Torbutton 1.3.2.

</p></div><div class="sect3" title="Resize windows to multiples of 50px during Tor usage (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663307"></a>Resize windows to multiples of 50px during Tor usage (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.resize_windows</strong></span></p><p>

This option drastically cuts down on the number of distinct anonymity sets
that divide the Tor web userbase. Without this setting, the dimensions for a
typical browser window range from 600-1200 horizontal pixels and 400-1000
vertical pixels, or about 600x600 = 360000 different sets. Resizing the
browser window to multiples of 50 on each side reduces the number of sets by
50^2, bringing the total number of sets to 144. Of course, the distribution
among these sets is not uniform, but scaling by 50 will improve the situation
due to this non-uniformity for users in the less common resolutions.
Obviously the ideal situation would be to lie entirely about the browser
window size, but this will likely cause all sorts of rendering issues, and is
also not implementable in a foolproof way from extension land.

</p><p>

The implementation of this setting is spread across a couple of different
locations in the Torbutton javascript <a class="link" href="#browseroverlay" title="Browser Overlay - torbutton.xul">browser
overlay</a>. Since resizing minimized windows causes them to be restored,
and since maximized windows remember their previous size to the pixel, windows
must be resized before every document load (at the time of browser tagging)
via <code class="function">torbutton_check_round()</code>, called by
<code class="function">torbutton_update_tags()</code>. To prevent drift, the extension
tracks the original values of the windows and uses this to perform the
rounding on document load. In addition, to prevent the user from resizing a
window to a non-50px multiple, a resize listener
(<code class="function">torbutton_do_resize()</code>) is installed on every new browser
window to record the new size and round it to a 50px multiple while Tor is
enabled. In all cases, the browser's contentWindow.innerWidth and innerHeight
are set. This ensures that there is no discrepancy between the 50 pixel cutoff
and the actual renderable area of the browser (so that it is not possible to
infer toolbar size/presence by the distance to the nearest 50 pixel roundoff).

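The arithmetic and the two mechanisms described in this section and in the window.screen hooks above, as one added example (not Torbutton's own code): the anonymity-set count with and without rounding, rounding of the inner window size to 50px multiples driven from a recorded original size so that repeated rounding cannot drift, and the screen object a page should see once the renderable area is presented as the whole desktop. Rounding downward (so a window is never enlarged beyond the screen), the echo check in the resize listener, and the exact set of screen fields are assumptions of this example, not a description of what torbutton.js does.

```javascript
// Added example (not Torbutton's own code): window-size rounding, the
// anonymity-set arithmetic behind it, and the spoofed window.screen values.
// Rounding direction (down) and the screen fields covered are assumptions.

const STEP = 50;

// Number of distinct (width, height) pairs for the given ranges, before and
// after rounding each side to STEP. With the doc's ranges (600-1200 wide,
// 400-1000 high) this gives 360000 and 144.
function countAnonymitySets(widthRange, heightRange, step) {
  const w = widthRange[1] - widthRange[0];
  const h = heightRange[1] - heightRange[0];
  return {
    unrounded: w * h,
    rounded: Math.ceil(w / step) * Math.ceil(h / step),
  };
}

// Round a dimension down to a multiple of step, never below one step.
function roundDimension(px, step) {
  return Math.max(step, Math.floor(px / step) * step);
}

// The extension records each window's original size so that rounding on every
// document load is always computed from what the user chose, not from an
// already-rounded value. This class models that bookkeeping.
class WindowSizeTracker {
  constructor(step) {
    this.step = step;
    this.original = new Map(); // windowId -> { width, height }
  }

  // Resize-listener path. A resize event whose size equals the size we set
  // ourselves is the echo of our own rounding and must not replace the
  // recorded original (assumption: that is how drift is avoided here).
  recordResize(windowId, width, height) {
    const current = this.roundedSize(windowId);
    if (current && current.width === width && current.height === height) return;
    this.original.set(windowId, { width, height });
  }

  // Document-load path: the innerWidth/innerHeight to apply while Tor is on.
  roundedSize(windowId) {
    const o = this.original.get(windowId);
    if (!o) return null;
    return {
      width: roundDimension(o.width, this.step),
      height: roundDimension(o.height, this.step),
    };
  }
}

// What window.screen should report once the renderable area is presented as
// the whole desktop with no browser or desktop toolbars: every extent equals
// the (rounded) inner size and the available area starts at the origin.
function spoofedScreen(innerWidth, innerHeight) {
  return {
    width: innerWidth, height: innerHeight,
    availWidth: innerWidth, availHeight: innerHeight,
    availLeft: 0, availTop: 0,
  };
}
```

Feeding the rounded inner size into spoofedScreen is what closes the gap the section warns about: if the screen values were taken from the real desktop, the difference between them and the rounded window would leak the toolbar height the rounding was meant to hide.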
</p><p>
This setting helps to meet the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirements.
</p></div><div class="sect3" title="Disable Search Suggestions during Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663391"></a>Disable Search Suggestions during Tor (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_search</strong></span></p><p>
This setting causes Torbutton to disable <a class="ulink" href="http://kb.mozillazine.org/Browser.search.suggest.enabled" target="_top"><span class="command"><strong>browser.search.suggest.enabled</strong></span></a>
during Tor usage.
This governs whether you get Google search suggestions during Tor
usage. Your Google cookie is transmitted with Google search suggestions, hence
disabling this is recommended.

</p><p>
While this setting doesn't satisfy any Torbutton requirements, the fact that
cookies are transmitted for partially typed queries does not seem desirable
for Tor usage.
</p></div><div class="sect3" title="Disable Updates During Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2663430"></a>Disable Updates During Tor</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_updates</strong></span></p><p>This setting causes Torbutton to disable the four <a class="ulink" href="http://wiki.mozilla.org/Update:Users/Checking_For_Updates#Preference_Controls_and_State" target="_top">Firefox
update settings</a> during Tor
  usage: <span class="command"><strong>extensions.update.enabled</strong></span>,
<span class="command"><strong>app.update.enabled</strong></span>,
  <span class="command"><strong>app.update.auto</strong></span>, and
<span class="command"><strong>browser.search.update</strong></span>.  These prevent the
  browser from updating extensions, checking for Firefox upgrades, and
  checking for search plugin updates while Tor is enabled.
  </p><p>
This setting satisfies the <a class="link" href="#updates">Update Safety</a> requirement.
</p></div><div class="sect3" title="Redirect Torbutton Updates Via Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663492"></a>Redirect Torbutton Updates Via Tor (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.update_torbutton_via_tor</strong></span></p><p>This setting causes Torbutton to install an
<a class="ulink" href="https://developer.mozilla.org/en/nsIProtocolProxyFilter" target="_top">nsIProtocolProxyFilter</a>
in order to redirect all version update checks and Torbutton update downloads
via Tor, regardless of whether Tor is enabled or not. This was done both to address
concerns about data retention by <a class="ulink" href="https://www.addons.mozilla.org" target="_top">addons.mozilla.org</a>, as well as to
help censored users meet the <a class="link" href="#undiscoverability">Tor
Undiscoverability</a> requirement.

  </p></div><div class="sect3" title="Disable livemarks updates during Tor usage (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663536"></a>Disable livemarks updates during Tor usage (recommended)</h4></div></div></div><p>Option:
   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.disable_livemarks</strong></span></td></tr></table><p>
  </p><p>

This option causes Torbutton to prevent Firefox from loading <a class="ulink" href="http://www.mozilla.com/firefox/livebookmarks.html" target="_top">Livemarks</a> during
Tor usage, because people often have very personalized Livemarks (such as RSS
feeds of Wikipedia articles they maintain). This is accomplished both by
<a class="link" href="#livemarks" title="@mozilla.org/browser/livemark-service;2 - components/block-livemarks.js">wrapping the livemark-service component</a> and
by calling stopUpdateLivemarks() on the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2" target="_top">Livemark
service</a> when Tor is enabled.

</p><p>
This helps satisfy the <a class="link" href="#isolation">Network
Isolation</a> and <a class="link" href="#setpreservation">Anonymity Set
Preservation</a> requirements.
</p></div><div class="sect3" title="Block Tor/Non-Tor access to network from file:// urls (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663607"></a>Block Tor/Non-Tor access to network from file:// urls (recommended)</h4></div></div></div><p>Options:
   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_tor_file_net</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nontor_file_net</strong></span></td></tr></table><p>
  </p><p>

These settings prevent file urls from performing network operations during the
respective Tor states. Firefox 2's implementation of same origin policy allows
file urls to read and <a class="ulink" href="http://www.gnucitizen.org/blog/content-disposition-hacking/" target="_top">submit
arbitrary files from the local filesystem</a> to arbitrary websites. To
make matters worse, the 'Content-Disposition' header can be injected
arbitrarily by exit nodes to trick users into running arbitrary html files in
the local context. These preferences cause the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a> to block access to any network
resources from File urls during the appropriate Tor state.

</p><p>

This preference helps to ensure Tor's <a class="link" href="#isolation">Network
Isolation</a> requirement, by preventing file urls from executing network
operations in opposite Tor states. Also, allowing pages to submit arbitrary
files to arbitrary sites just generally seems like a bad idea.

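The content-policy decision that the isolate_content setting (see "Isolate Dynamic Content to Tor State" above) and the two file:// settings here both rely on, as one added example that is not the code of @torproject.org/cssblocker;1: a pure function over the current Tor state, the requesting tab's __tb_load_state tag, the opener's tag, and the document and request URLs. The nsIContentPolicy ACCEPT/REJECT_REQUEST results are represented by strings, the tab and opener are plain objects, and the set of schemes counted as "network" is an assumption of this example.

```javascript
// Added example (not Torbutton's own code): the load decision the design doc
// attributes to the content policy, reduced to a pure function that can be
// exercised with constructed inputs.

const ACCEPT = "ACCEPT";
const REJECT_REQUEST = "REJECT_REQUEST";

// Schemes treated as network access (assumption of this example).
const NETWORK_SCHEMES = new Set(["http", "https", "ftp"]);

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url || "");
  return m ? m[1].toLowerCase() : "";
}

// torEnabled:  current Tor state (true = Tor on)
// prefs:       { isolate_content, block_tor_file_net, block_nontor_file_net }
// tab:         { __tb_load_state } - the Tor state when the tab's document loaded
// opener:      the tab that opened this window, or null
// documentUrl: URL of the document issuing the request
// requestUrl:  URL being requested
function shouldLoad({ torEnabled, prefs, tab, opener, documentUrl, requestUrl }) {
  // 1. Isolation: a page loaded under the other Tor state may not fetch
  //    anything now, and neither may a popup or redirect it initiated.
  if (prefs.isolate_content) {
    if (tab && tab.__tb_load_state !== torEnabled) {
      return { decision: REJECT_REQUEST, reason: "tab loaded in opposite Tor state" };
    }
    if (opener && opener.__tb_load_state !== torEnabled) {
      return { decision: REJECT_REQUEST, reason: "opener from opposite Tor state" };
    }
  }

  // 2. file:// documents may not touch the network in the blocked state.
  if (schemeOf(documentUrl) === "file" && NETWORK_SCHEMES.has(schemeOf(requestUrl))) {
    if (torEnabled && prefs.block_tor_file_net) {
      return { decision: REJECT_REQUEST, reason: "file:// network access blocked during Tor" };
    }
    if (!torEnabled && prefs.block_nontor_file_net) {
      return { decision: REJECT_REQUEST, reason: "file:// network access blocked during non-Tor" };
    }
  }

  return { decision: ACCEPT, reason: "" };
}
```

The isolation check runs before the file:// check and does not depend on the request's scheme: once a tab is tagged with the other state, even a same-origin subresource is refused, which is the "cannot follow links from a page in the opposite state" side effect the isolation section describes.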
Mike Perry Update design doc to reflec...

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en       834) </p></div><div class="sect3" title="Close all Tor/Non-Tor tabs and windows on toggle (optional)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663679"></a>Close all Tor/Non-Tor tabs and windows on toggle (optional)</h4></div></div></div><p>Options:
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.close_nontor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.close_tor</strong></span></td></tr></table><p>
  </p><p>

These settings cause Torbutton to enumerate through all windows and close all
tabs in each window for the appropriate Tor state. This code can be found in
<code class="function">torbutton_update_status()</code>.  The main reason these settings
exist is as a backup mechanism in the event of any Javascript or content policy
leaks due to <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
409737</a>.  Torbutton currently tries to block all Javascript network
activity via the content policy, but until that bug is fixed, there is some
risk that there are alternate ways to bypass the policy. This option is
available as an extra assurance of <a class="link" href="#isolation">Network
Isolation</a> for those who would like to be sure that when Tor is toggled
all page activity has ceased. It also serves as a potential future workaround
in the event a content policy failure is discovered, and provides an additional
level of protection for the <a class="link" href="#disk">Disk Avoidance</a>
protection so that browser state is not sitting around waiting to be swapped
out longer than necessary.

</p><p>
While this setting doesn't satisfy any Torbutton requirements, the fact that
cookies are transmitted for partially typed queries does not seem desirable
for Tor usage.
</p></div></div><div class="sect2" title="5.3. History and Forms Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705261"></a>5.3. History and Forms Settings</h3></div></div></div><div class="sect3" title="Isolate Access to History navigation to Tor state (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705267"></a>Isolate Access to History navigation to Tor state (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.block_js_history</strong></span></p><p>
This setting determines if Torbutton installs an <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistoryListener" target="_top">nsISHistoryListener</a>
attached to the <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory" target="_top">sessionHistory</a>
of each browser's <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3awebNavigation" target="_top">webNavigation</a>.
The nsISHistoryListener is instantiated with a reference to the containing
browser window and blocks the back, forward, and reload buttons on the browser
navigation bar when Tor is in the opposite state from the one the current tab
was loaded in. In addition, Torbutton clears the session history during a new
document load if this setting is enabled. 

  </p><p>

This is marked as a crucial setting in part because Javascript access to the
history object is indistinguishable from user clicks, and because
<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
409737</a> allows Javascript to execute in opposite Tor states, so Javascript
can issue reloads after a Tor toggle to reveal your original IP. Even without
this bug, however, Javascript is still able to access previous pages in your
session history that may have been loaded under a different Tor state, to
attempt to correlate your activity.

   </p><p>

This setting helps to fulfill Torbutton's <a class="link" href="#state">State
Separation</a> and (until Bug 409737 is fixed) <a class="link" href="#isolation">Network Isolation</a>
requirements.

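The listener behaviour described above, as an added example that is not Torbutton's own code: a plain JavaScript model of the nsISHistoryListener, with the tabs, the session history and the global Tor state replaced by constructed objects so that it runs outside Firefox.

```javascript
// Added example, not Torbutton's own code: a plain-JS model of the
// nsISHistoryListener that extensions.torbutton.block_js_history installs.
// Torbutton attaches the real listener to each browser's
// webNavigation.sessionHistory; here the session history, the tabs and the
// global Tor state are constructed objects so the logic runs under Node.

// Global Tor state, as the toggle code path would maintain it (constructed).
const torState = { enabled: false };

// Minimal stand-in for nsISHistory: a list of entries and a cursor.
class SessionHistory {
  constructor() { this.entries = []; this.index = -1; }
  get count() { return this.entries.length; }
  addEntry(uri) { this.entries.push(uri); this.index = this.entries.length - 1; }
  purgeHistory() { this.entries = []; this.index = -1; }  // nsISHistory.PurgeHistory
}

// The listener. Method names follow nsISHistoryListener; each navigation
// callback returns true to allow the navigation and false to cancel it, which
// is how the back, forward and reload buttons get blocked.
class TorHistoryListener {
  constructor(tab) { this.tab = tab; }
  // The tab remembers the Tor state it was loaded under (an assumption of
  // this model; the real listener holds a reference to the browser window).
  stateMatches() { return this.tab.loadedUnderTor === torState.enabled; }
  OnHistoryGoBack(backURI) { return this.stateMatches(); }
  OnHistoryGoForward(forwardURI) { return this.stateMatches(); }
  OnHistoryReload(reloadURI, reloadFlags) { return this.stateMatches(); }
  OnHistoryGotoIndex(index, gotoURI) { return this.stateMatches(); }
  // The first document load after a toggle purges the session history, so
  // script in the new document cannot reach pages loaded under the other
  // state through window.history.
  OnHistoryNewEntry(newURI) {
    if (!this.stateMatches()) {
      this.tab.history.purgeHistory();
      this.tab.loadedUnderTor = torState.enabled;
    }
    return true;
  }
  OnHistoryPurge(numEntries) { return true; }
}

function openTab() {
  const tab = { history: new SessionHistory(), loadedUnderTor: torState.enabled };
  tab.listener = new TorHistoryListener(tab);
  return tab;
}

// A document load: notify the listener, then record the entry.
function loadDocument(tab, uri) {
  tab.listener.OnHistoryNewEntry(uri);
  tab.history.addEntry(uri);
}

function toggleTor() { torState.enabled = !torState.enabled; }

// Scenario: two Non-Tor loads, a toggle to Tor, a load under Tor, a toggle
// back. All URLs are constructed sample values.
function runScenario() {
  torState.enabled = false;
  const tab = openTab();
  loadDocument(tab, "http://example.com/a");
  loadDocument(tab, "http://example.com/b");
  const backAllowedBeforeToggle = tab.listener.OnHistoryGoBack("http://example.com/a");
  toggleTor();                                   // now Tor-enabled
  const reloadAllowedAfterToggle = tab.listener.OnHistoryReload("http://example.com/b", 0);
  const backAllowedAfterToggle = tab.listener.OnHistoryGoBack("http://example.com/a");
  loadDocument(tab, "http://example.com/c");     // first load in the new state
  const entriesAfterTorLoad = tab.history.count; // only /c survives the purge
  toggleTor();                                   // back to Non-Tor
  const reloadAllowedAfterSecondToggle = tab.listener.OnHistoryReload("http://example.com/c", 0);
  return { backAllowedBeforeToggle, reloadAllowedAfterToggle, backAllowedAfterToggle,
           entriesAfterTorLoad, reloadAllowedAfterSecondToggle };
}
```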
   </p></div><div class="sect3" title="History Access Settings"><div class="titlepage"><div><div><h4 class="title"><a id="id2705344"></a>History Access Settings</h4></div></div></div><p>Options:
  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_thread</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nthread</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_thwrite</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nthwrite</strong></span></td></tr></table><p>
  </p><p>On Firefox 3.x, these four settings govern the behavior of the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/ignore-history.js" target="_top">components/ignore-history.js</a>
history blocker component mentioned above. By hooking the browser's view of
the history itself via the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2" target="_top">@mozilla.org/browser/global-history;2</a>
and <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/nav-history-service;1" target="_top">@mozilla.org/browser/nav-history-service;1</a>
components, this mechanism defeats all document-based <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure
attacks</a>, including <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only attacks</a>.

The component also hooks functions involved in writing history to disk via
both the <a class="ulink" href="http://developer.mozilla.org/en/docs/Places_migration_guide#History" target="_top">Places
Database</a> and the older Firefox 2 mechanisms.

</p><p>
On Firefox 4, Mozilla finally <a class="ulink" href="https://developer.mozilla.org/en/CSS/Privacy_and_the_%3avisited_selector" target="_top">addressed
these issues</a>, so we can effectively ignore the "read" pair of the
above prefs. We then only need to link the write prefs to
<span class="command"><strong>places.history.enabled</strong></span>, which disables writing to the
history store while set.
</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
</p></div><div class="sect3" title="Clear History During Tor Toggle (optional)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705472"></a>Clear History During Tor Toggle (optional)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_history</strong></span></p><p>This setting governs whether Torbutton calls
<a class="ulink" href="https://developer.mozilla.org/en/nsIBrowserHistory#removeAllPages.28.29" target="_top">nsIBrowserHistory.removeAllPages</a>
and <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory" target="_top">nsISHistory.PurgeHistory</a>
for each tab on Tor toggle.</p><p>
This setting is an optional way to help satisfy the <a class="link" href="#state">State Separation</a> requirement.
</p></div><div class="sect3" title="Block Password+Form saving during Tor/Non-Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2705515"></a>Block Password+Form saving during Tor/Non-Tor</h4></div></div></div><p>Options:
  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_tforms</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_ntforms</strong></span></td></tr></table><p>
  </p><p>These settings govern whether Torbutton disables
<span class="command"><strong>browser.formfill.enable</strong></span>
and <span class="command"><strong>signon.rememberSignons</strong></span> during Tor and Non-Tor usage.
Since form fields can be read at any time by Javascript, this setting is a lot
more important than it seems.
</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
</p></div></div><div class="sect2" title="5.4. Cache Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705577"></a>5.4. Cache Settings</h3></div></div></div><div class="sect3" title="Block Tor disk cache and clear all cache on Tor Toggle"><div class="titlepage"><div><div><h4 class="title"><a id="id2705582"></a>Block Tor disk cache and clear all cache on Tor Toggle</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_cache</strong></span>
  </p><p>This option causes Torbutton to call <a class="ulink" href="https://developer.mozilla.org/en/nsICacheService#evictEntries.28.29" target="_top">nsICacheService.evictEntries(0)</a>
on Tor toggle to remove all entries from the cache. In addition, this setting
causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.disk.enable" target="_top">browser.cache.disk.enable</a> to false.
</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
</p></div><div class="sect3" title="Block disk and memory cache during Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2705632"></a>Block disk and memory cache during Tor</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.block_cache</strong></span></p><p>This setting
causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.memory.enable" target="_top">browser.cache.memory.enable</a>,
<a class="ulink" href="http://kb.mozillazine.org/Browser.cache.disk.enable" target="_top">browser.cache.disk.enable</a> and
<a class="ulink" href="http://kb.mozillazine.org/Network.http.use-cache" target="_top">network.http.use-cache</a> to false during Tor usage.
</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
</p></div></div><div class="sect2" title="5.5. Cookie and Auth Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705686"></a>5.5. Cookie and Auth Settings</h3></div></div></div><div class="sect3" title="Clear Cookies on Tor Toggle"><div class="titlepage"><div><div><h4 class="title"><a id="id2705691"></a>Clear Cookies on Tor Toggle</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_cookies</strong></span>
  </p><p>

This setting causes Torbutton to call <a class="ulink" href="https://developer.mozilla.org/en/nsICookieManager#removeAll.28.29" target="_top">nsICookieManager.removeAll()</a> on
every Tor toggle. In addition, this sets <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
to 2 for Tor usage, which demotes all cookies to session cookies so that they
are never written to disk. 

</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
</p></div><div class="sect3" title="Store Non-Tor cookies in a protected jar"><div class="titlepage"><div><div><h4 class="title"><a id="id2705742"></a>Store Non-Tor cookies in a protected jar</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.cookie_jars</strong></span>
  </p><p>

This setting causes Torbutton to use <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a> to store
Non-Tor cookies in a cookie jar during Tor usage, and to clear the Tor cookies
before restoring the jar.
</p><p>
This setting also sets <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
to 2 for Tor usage, which demotes all cookies to session cookies so that they
are never written to disk. 

</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
</p></div><div class="sect3" title="Store both Non-Tor and Tor cookies in a protected jar (dangerous)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705799"></a>Store both Non-Tor and Tor cookies in a protected jar (dangerous)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.dual_cookie_jars</strong></span>
  </p><p>

This setting causes Torbutton to use <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a> to store
both Tor and Non-Tor cookies into protected jars.
</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
</p></div><div class="sect3" title="Manage My Own Cookies (dangerous)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705841"></a>Manage My Own Cookies (dangerous)</h4></div></div></div><p>Options: None</p><p>This setting disables all Torbutton cookie handling by setting the above
cookie prefs all to false.</p></div><div class="sect3" title="Disable DOM Storage during Tor usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705856"></a>Disable DOM Storage during Tor usage (crucial)</h4></div></div></div><div class="sect3" title="Do not write Tor/Non-Tor cookies to disk"><div class="titlepage"><div><div><h4 class="title"><a id="id2705859"></a>Do not write Tor/Non-Tor cookies to disk</h4></div></div></div><p>Options:
  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.tor_memory_jar</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.nontor_memory_jar</strong></span></td></tr></table><p>
  </p><p>
These settings (contributed by arno) cause Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
to 2 during the appropriate Tor state, and to store cookies acquired in that
state into a Javascript
<a class="ulink" href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Processing_XML_with_E4X" target="_top">E4X</a>
object as opposed to writing them to disk.
</p><p>
This allows Torbutton to provide an option to preserve a user's 
cookies while still satisfying the <a class="link" href="#disk">Disk Avoidance</a>
requirement.
</p></div><p>Option: <span class="command"><strong>extensions.torbutton.disable_domstorage</strong></span>
  </p><p>

This setting causes Torbutton to toggle <span class="command"><strong>dom.storage.enabled</strong></span> during Tor
usage to prevent 
<a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:Storage" target="_top">DOM Storage</a> from
  being used to store persistent information across Tor states.</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
</p></div><div class="sect3" title="Clear HTTP Auth on Tor Toggle (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705960"></a>Clear HTTP Auth on Tor Toggle (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_http_auth</strong></span>
  </p><p>
This setting causes Torbutton to call <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsIHttpAuthManager" target="_top">nsIHttpAuthManager.clearAll()</a>
every time Tor is toggled.
</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
</p></div></div><div class="sect2" title="5.6. Startup Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705999"></a>5.6. Startup Settings</h3></div></div></div><div class="sect3" title="On Browser Startup, set Tor state to: Tor, Non-Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2706004"></a>On Browser Startup, set Tor state to: Tor, Non-Tor</h4></div></div></div><p>Options:
   <span class="command"><strong>extensions.torbutton.restore_tor</strong></span>
  </p><p>This option governs which Tor state the browser starts in.
<code class="function">torbutton_set_initial_state()</code> covers the case where the
browser did not crash, and <code class="function">torbutton_crash_recover()</code>
covers the case where the <a class="link" href="#crashobserver" title="@torproject.org/crash-observer;1">crash observer</a>
detected a crash.
</p><p>

Since the Tor state after a Firefox crash is unknown/indeterminate, this
setting helps to satisfy the <a class="link" href="#state">State Separation</a>
requirement in the event of Firefox crashes by ensuring all cookies,
settings and saved sessions are reloaded from a fixed Tor state.
 
</p></div><div class="sect3" title="Prevent session store from saving Non-Tor/Tor-loaded tabs"><div class="titlepage"><div><div><h4 class="title"><a id="id2706055"></a>Prevent session store from saving Non-Tor/Tor-loaded tabs</h4></div></div></div><p>Options: 
  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.nonontor_sessionstore</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.notor_sessionstore</strong></span></td></tr></table><p>
  </p><p>If these options are enabled, the <a class="link" href="#tbsessionstore" title="@torproject.org/torbutton-ss-blocker;1">tbSessionStore.js</a> component uses the session
store listeners to filter out the appropriate tabs before writing the session
store data to disk.
</p><p>
This setting helps to satisfy the <a class="link" href="#disk">Disk Avoidance</a>
requirement, and also helps to satisfy the <a class="link" href="#state">State Separation</a> requirement in the event of Firefox
crashes.

</p></div></div><div class="sect2" title="5.7. Shutdown Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2706113"></a>5.7. Shutdown Settings</h3></div></div></div><div class="sect3" title="Clear cookies on Tor/Non-Tor shutdown"><div class="titlepage"><div><div><h4 class="title"><a id="id2706119"></a>Clear cookies on Tor/Non-Tor shutdown</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.shutdown_method</strong></span>
  </p><p> This option variable can actually take 3 values: 0, 1, and 2. 0 means no
cookie clearing, 1 means clear only during Tor-enabled shutdown, and 2 means
clear for both Tor and Non-Tor shutdown. When set to 1 or 2, Torbutton listens
for the <a class="ulink" href="http://developer.mozilla.org/en/docs/Observer_Notifications#Application_shutdown" target="_top">quit-application-granted</a> event in
<a class="link" href="#crashobserver" title="@torproject.org/crash-observer;1">crash-observer.js</a> and uses <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a>
to clear out all cookies and all cookie jars upon shutdown.
</p><p>
This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
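The cookie-jar swap of the cookie_jars and dual_cookie_jars settings (section 5.5) and the shutdown_method handling of this section, as one added example that is not Torbutton's own code: a Node-runnable model of what @torproject.org/cookie-jar-selector;2 does on each toggle and at quit-application-granted, over a plain-object cookie store. Every cookie name and value is a constructed sample.

```javascript
// Added example, not Torbutton's own code: a Node-runnable model of the
// cookie separation that cookie_jars, dual_cookie_jars, clear_cookies, the
// memory-jar prefs and shutdown_method provide. The real
// @torproject.org/cookie-jar-selector;2 drives nsICookieManager; here the
// cookie store, the jars and the prefs are plain objects, and every cookie
// name and value is a constructed sample.

const TOR = "tor";
const NONTOR = "nontor";

class CookieJarSelector {
  constructor(prefs) {
    this.prefs = prefs;                  // extensions.torbutton.* subset
    this.store = new Map();              // live cookies: name -> value
    this.jars = { [TOR]: new Map(), [NONTOR]: new Map() };
    this.torEnabled = false;
    this.browserPrefs = { "network.cookie.lifetimePolicy": 0 };
  }
  state() { return this.torEnabled ? TOR : NONTOR; }
  other() { return this.torEnabled ? NONTOR : TOR; }

  removeAll() { this.store.clear(); }               // nsICookieManager.removeAll()
  saveCookies(jar) { this.jars[jar] = new Map(this.store); }
  loadCookies(jar) { for (const [k, v] of this.jars[jar]) this.store.set(k, v); }
  clearCookieJar(jar) { this.jars[jar].clear(); }

  // lifetimePolicy 2 demotes every cookie to a session cookie, so nothing in
  // that state reaches disk. Which states get it depends on the prefs.
  applyLifetimePolicy() {
    const p = this.prefs;
    const demote = this.torEnabled
      ? Boolean(p.clear_cookies || p.cookie_jars || p.tor_memory_jar)
      : Boolean(p.nontor_memory_jar);
    this.browserPrefs["network.cookie.lifetimePolicy"] = demote ? 2 : 0;
  }

  // The work done on each Tor toggle.
  toggle() {
    const p = this.prefs;
    const leaving = this.state();
    const entering = this.other();
    if (p.dual_cookie_jars) {
      // Both states keep their cookies: park the old ones, bring in the others.
      this.saveCookies(leaving);
      this.removeAll();
      this.loadCookies(entering);
    } else if (p.cookie_jars) {
      // Only Non-Tor cookies survive; Tor cookies are cleared before the
      // Non-Tor jar is restored.
      if (entering === TOR) {
        this.saveCookies(NONTOR);
        this.removeAll();
      } else {
        this.removeAll();
        this.loadCookies(NONTOR);
      }
    } else if (p.clear_cookies) {
      this.removeAll();
    }
    this.torEnabled = !this.torEnabled;
    this.applyLifetimePolicy();
  }

  // Handler for quit-application-granted, as crash-observer.js would invoke
  // it. shutdown_method: 0 never clear, 1 clear only when Tor is enabled at
  // shutdown, 2 clear on every shutdown. Returns whether clearing happened.
  onQuitApplicationGranted() {
    const m = this.prefs.shutdown_method;
    if (m === 2 || (m === 1 && this.torEnabled)) {
      this.removeAll();
      this.clearCookieJar(TOR);
      this.clearCookieJar(NONTOR);
      return true;
    }
    return false;
  }
}

// Non-Tor -> Tor -> Non-Tor -> Tor, then shutdown. Cookie values constructed.
function runScenario(prefs) {
  const s = new CookieJarSelector(prefs);
  s.store.set("bank_session", "nontor-1");     // set while Non-Tor
  s.toggle();                                   // -> Tor
  const nontorLeakedIntoTor = s.store.has("bank_session");
  const policyInTor = s.browserPrefs["network.cookie.lifetimePolicy"];
  s.store.set("onion_forum", "tor-1");          // set while Tor
  s.toggle();                                   // -> Non-Tor
  const torLeakedIntoNonTor = s.store.has("onion_forum");
  const nontorRestored = s.store.get("bank_session") === "nontor-1";
  s.toggle();                                   // -> Tor again
  const torPreserved = s.store.get("onion_forum") === "tor-1";
  const clearedAtShutdown = s.onQuitApplicationGranted();
  return { nontorLeakedIntoTor, policyInTor, torLeakedIntoNonTor,
           nontorRestored, torPreserved, clearedAtShutdown,
           cookiesLeft: s.store.size };
}
```

Running the scenario with `{ cookie_jars: true }`, `{ dual_cookie_jars: true }` and `{ clear_cookies: true }` shows the three trade-offs the page describes: only the dual-jar mode keeps Tor cookies across a round trip, which is why it is marked dangerous.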
</p></div></div><div class="sect2" title="5.8. Header Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2706173"></a>5.8. Header Settings</h3></div></div></div><div class="sect3" title="Set user agent during Tor usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2706179"></a>Set user agent during Tor usage (crucial)</h4></div></div></div><p>Options:
   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.set_uagent</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.platform_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.oscpu_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.buildID_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.productsub_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.appname_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.appversion_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_vendor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_vendorSub</strong></span></td></tr></table><p>
   </p><p>On its face, user agent switching appears to be straightforward in Firefox.
It provides several options for controlling the browser user agent string:
<span class="command"><strong>general.appname.override</strong></span>,
<span class="command"><strong>general.appversion.override</strong></span>,
<span class="command"><strong>general.platform.override</strong></span>,
<span class="command"><strong>general.oscpu.override</strong></span>,
<span class="command"><strong>general.productSub.override</strong></span>,
<span class="command"><strong>general.buildID.override</strong></span>,
<span class="command"><strong>general.useragent.override</strong></span>,
<span class="command"><strong>general.useragent.vendor</strong></span>, and
<span class="command"><strong>general.useragent.vendorSub</strong></span>. If
the Torbutton preference <span class="command"><strong>extensions.torbutton.set_uagent</strong></span> is
true, Torbutton copies the other Torbutton prefs listed above into their
corresponding browser preferences during Tor usage.</p><p>

It also turns out that it is possible to detect the original Firefox version
by <a class="ulink" href="http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/" target="_top">inspecting
certain resource:// files</a>. These cases are handled by Torbutton's
<a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>.

</p><p>
This setting helps to satisfy the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirement.
Mike Perry Update design doc to reflec...

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en      1047) </p></div><div class="sect3" title="Spoof US English Browser"><div class="titlepage"><div><div><h4 class="title"><a id="id2706353"></a>Spoof US English Browser</h4></div></div></div><p>Options:
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en      1048) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.spoof_english</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.spoof_charset</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.spoof_language</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en      1049) </p><p> This option causes Torbutton to set
torbutton/en/design/index.html.en      1050) <span class="command"><strong>general.useragent.locale</strong></span>
torbutton/en/design/index.html.en      1051) <span class="command"><strong>intl.accept_languages</strong></span> to the value specified in
torbutton/en/design/index.html.en      1052) <span class="command"><strong>extensions.torbutton.spoof_locale</strong></span>,
torbutton/en/design/index.html.en      1053) <span class="command"><strong>extensions.torbutton.spoof_charset</strong></span> and
torbutton/en/design/index.html.en      1054) <span class="command"><strong>extensions.torbutton.spoof_language</strong></span> during Tor usage, as
Mike Perry Update Torbutton design doc.

Mike Perry authored 13 years ago

torbutton/en/design/index.html.en      1055) well as hooking <span class="command"><strong>navigator.language</strong></span> via its <a class="link" href="#jshooks" title="Hook Dangerous Javascript">javascript hooks</a>.
Andrew Lewman add in the torbutton design...

Andrew Lewman authored 13 years ago

torbutton/en/design/index.html.en      1056)  </p><p>
torbutton/en/design/index.html.en      1057) This setting helps to satisfy the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> and <a class="link" href="#location">Location Neutrality</a> requirements.
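The two options above share one pattern: while Tor is on, a Torbutton pref is copied over a browser pref, and when Tor is off the browser pref has to go back to exactly what it was, including "never set". The following is an added example written for this document, not Torbutton's own code. The pref names are the ones listed in the two sections above; the in-memory PrefStore stands in for Firefox's nsIPrefBranch, and the pairing of spoof_locale and spoof_language with general.useragent.locale and intl.accept_languages is this example's assumption.

```javascript
// Added example, not Torbutton's own code: the "copy my override prefs into the
// browser prefs while Tor is on, restore the originals when Tor is off" pattern
// behind set_uagent and spoof_english.  PrefStore stands in for nsIPrefBranch.

// Torbutton pref -> browser pref it overrides while Tor is enabled.
const UA_OVERRIDE_MAP = {
  "extensions.torbutton.appname_override":    "general.appname.override",
  "extensions.torbutton.appversion_override": "general.appversion.override",
  "extensions.torbutton.platform_override":   "general.platform.override",
  "extensions.torbutton.oscpu_override":      "general.oscpu.override",
  "extensions.torbutton.productsub_override": "general.productSub.override",
  "extensions.torbutton.buildID_override":    "general.buildID.override",
  "extensions.torbutton.useragent_override":  "general.useragent.override",
  "extensions.torbutton.useragent_vendor":    "general.useragent.vendor",
  "extensions.torbutton.useragent_vendorSub": "general.useragent.vendorSub",
};

// Locale prefs copied when spoof_english is set (pairing assumed for this example).
const LOCALE_OVERRIDE_MAP = {
  "extensions.torbutton.spoof_locale":   "general.useragent.locale",
  "extensions.torbutton.spoof_language": "intl.accept_languages",
};

// Minimal stand-in for nsIPrefBranch: a pref is either user-set or absent.
class PrefStore {
  constructor(initial = {}) { this.prefs = new Map(Object.entries(initial)); }
  has(name) { return this.prefs.has(name); }
  get(name) { return this.prefs.get(name); }
  set(name, value) { this.prefs.set(name, value); }
  clear(name) { this.prefs.delete(name); }   // like clearUserPref(): back to the default
}

// Copy each Torbutton pref over its browser counterpart, remembering what the
// counterpart held before (including "not set") so it can be restored exactly.
function applyOverrides(prefs, map, enablePref) {
  if (!prefs.get(enablePref)) return null;
  const saved = {};
  for (const [src, dst] of Object.entries(map)) {
    if (!prefs.has(src)) continue;                 // nothing configured for this one
    saved[dst] = prefs.has(dst) ? { value: prefs.get(dst) } : { unset: true };
    prefs.set(dst, prefs.get(src));
  }
  return saved;
}

// Undo applyOverrides(): put the old value back, or clear the pref if it was
// never user-set, so the non-Tor state is not left carrying Tor-era values.
function restoreOverrides(prefs, saved) {
  if (!saved) return;
  for (const [dst, prev] of Object.entries(saved)) {
    if (prev.unset) prefs.clear(dst); else prefs.set(dst, prev.value);
  }
}

function enableTor(prefs) {
  return {
    ua:     applyOverrides(prefs, UA_OVERRIDE_MAP,     "extensions.torbutton.set_uagent"),
    locale: applyOverrides(prefs, LOCALE_OVERRIDE_MAP, "extensions.torbutton.spoof_english"),
  };
}

function disableTor(prefs, saved) {
  restoreOverrides(prefs, saved.locale);
  restoreOverrides(prefs, saved.ua);
}

// Constructed sample profile: a German-locale user with one UA override configured.
function samplePrefs() {
  return new PrefStore({
    "extensions.torbutton.set_uagent": true,
    "extensions.torbutton.useragent_override": "Mozilla/5.0 (constructed UA)",
    "extensions.torbutton.spoof_english": true,
    "extensions.torbutton.spoof_locale": "en-US",
    "extensions.torbutton.spoof_language": "en-us, en",
    "intl.accept_languages": "de-de, de",
  });
}

// Walk the toggle once and report what the browser prefs held at each stage.
function toggleRoundTrip() {
  const prefs = samplePrefs();
  const saved = enableTor(prefs);
  const during = {
    ua: prefs.get("general.useragent.override"),
    lang: prefs.get("intl.accept_languages"),
    locale: prefs.get("general.useragent.locale"),
  };
  disableTor(prefs, saved);
  const after = {
    uaSet: prefs.has("general.useragent.override"),
    lang: prefs.get("intl.accept_languages"),
    localeSet: prefs.has("general.useragent.locale"),
  };
  return { during, after };
}
```

The point of recording the "unset" case separately is the toggle model's state-separation concern: if the restore step simply wrote back an empty string, the non-Tor profile would end up with a user-set general.useragent.override where there was none before, which is itself a distinguishing mark.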
</p></div><div class="sect3" title="Referer Spoofing Options"><div class="titlepage"><div><div><h4 class="title"><a id="id2706446"></a>Referer Spoofing Options</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.refererspoof</strong></span>
</p><p>
This option variable has three values. If it is 0, "smart" referer spoofing is
enabled. If it is 1, the referer behaves as normal. If it is 2, no referer is
sent. The default value is 1. The smart referer spoofing is implemented by the
<a class="link" href="#refspoofer" title="@torproject.org/torRefSpoofer;1">torRefSpoofer</a> component.

</p><p>
This setting also does not directly satisfy any Torbutton requirement, but
some may desire to mask their referer for general privacy concerns.
</p></div><div class="sect3" title="Strip platform and language off of Google Search Box queries"><div class="titlepage"><div><div><h4 class="title"><a id="id2706480"></a>Strip platform and language off of Google Search Box queries</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.fix_google_srch</strong></span>
</p><p> 

This option causes Torbutton to use the <a class="ulink" href="https://wiki.mozilla.org/Search_Service:API" target="_top">@mozilla.org/browser/search-service;1</a>
component to wrap the Google search plugin. On many platforms, notably Debian
and Ubuntu, the Google search plugin is set to reveal a lot of language and
platform information. This setting strips off that info while Tor is enabled.

</p><p>
This setting helps Torbutton to fulfill its <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirement.
</p></div><div class="sect3" title="Automatically use an alternate search engine when presented with a Google Captcha"><div class="titlepage"><div><div><h4 class="title"><a id="id2706521"></a>Automatically use an alternate search engine when presented with a
Google Captcha</h4></div></div></div><p>Options:
</p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.asked_google_captcha</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.dodge_google_captcha</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.google_redir_url</strong></span></td></tr></table><p>
</p><p>

Google's search engine has rate limiting features that cause it to
<a class="ulink" href="http://googleonlinesecurity.blogspot.com/2007/07/reason-behind-were-sorry-message.html" target="_top">present
captchas</a> and sometimes even outright ban IPs that issue large numbers
of search queries, especially if a lot of these queries appear to be searching
for software vulnerabilities or unprotected comment areas.

</p><p>

Despite multiple discussions with Google, we were unable to come to a solution
or any form of compromise that would reduce the number of captchas and
outright bans seen by Tor users issuing regular queries.

</p><p>
As a result, we've implemented this option as an <a class="ulink" href="https://developer.mozilla.org/en/XUL_School/Intercepting_Page_Loads#HTTP_Observers" target="_top">'http-on-modify-request'</a>
http observer to optionally redirect banned or captcha-triggering Google
queries to search engines that do not rate limit Tor users. The current
options are duckduckgo.com, ixquick.com, bing.com, yahoo.com and scroogle.org. These are
encoded in the preferences
<span class="command"><strong>extensions.torbutton.redir_url.[1-5]</strong></span>.

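The decision an 'http-on-modify-request' observer has to make for this option is: is this request Google's captcha/ban interstitial, and if so, what is the original query and where should it go instead? The following is an added example written for this document, not Torbutton's own observer. It assumes (the design document does not say) that Google's interstitial is served under a /sorry/ path and carries the original search URL in a continue parameter, that extensions.torbutton.google_redir_url holds the index (1 to 5) of the engine to use, and that each redir_url.N pref is a URL template with "%s" where the query goes; the engine hostnames are the ones listed above, the paths are placeholders for this example.

```javascript
// Added example, not Torbutton's own code: the URL-rewriting decision of an
// 'http-on-modify-request' observer that sends a captcha'd or banned Google
// search to an alternate engine.  /sorry/, `continue`, the index semantics of
// google_redir_url and the "%s" templates are assumptions of this example.

const SAMPLE_PREFS = {
  "extensions.torbutton.dodge_google_captcha": true,
  "extensions.torbutton.google_redir_url": 1,     // assumed: index of the engine to use
  // Hostnames from the design document; paths are placeholders for this example.
  "extensions.torbutton.redir_url.1": "https://duckduckgo.com/?q=%s",
  "extensions.torbutton.redir_url.2": "https://ixquick.com/search?q=%s",
  "extensions.torbutton.redir_url.3": "https://www.bing.com/search?q=%s",
  "extensions.torbutton.redir_url.4": "https://search.yahoo.com/search?p=%s",
  "extensions.torbutton.redir_url.5": "https://www.scroogle.org/search?q=%s",
};

// Heuristic host match for google.<tld> / google.<cc>.<tld> with an optional
// single label in front (www., encrypted., ...).  Rejects google.<something>.example.
function isGoogleHost(hostname) {
  return /^([a-z0-9-]+\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$/.test(hostname);
}

// Pull the search terms out of a Google URL.  For the /sorry/ interstitial the
// original search URL is nested in `continue`, so recurse into it once.
function extractGoogleQuery(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return null; }
  if (!isGoogleHost(u.hostname)) return null;
  if (u.pathname.startsWith("/sorry")) {
    const next = u.searchParams.get("continue");
    return next ? extractGoogleQuery(next) : null;
  }
  if (u.pathname === "/search" || u.pathname === "/") {
    return u.searchParams.get("q");   // URLSearchParams turns '+' back into ' '
  }
  return null;
}

// Fill the selected redir_url.N template with the re-encoded query.
function buildRedirect(query, prefs) {
  const idx = prefs["extensions.torbutton.google_redir_url"];
  const template = prefs["extensions.torbutton.redir_url." + idx];
  if (!template || !template.includes("%s")) return null;
  return template.replace("%s", encodeURIComponent(query));
}

// What the observer decides for one outgoing request: the replacement URL, or
// null to let the request proceed untouched.  Only the captcha/ban interstitial
// is rewritten; searches that have not been rate limited pass through as-is.
function observeRequest(rawUrl, prefs) {
  if (!prefs["extensions.torbutton.dodge_google_captcha"]) return null;
  let u;
  try { u = new URL(rawUrl); } catch (e) { return null; }
  if (!isGoogleHost(u.hostname) || !u.pathname.startsWith("/sorry")) return null;
  const query = extractGoogleQuery(rawUrl);
  return query ? buildRedirect(query, prefs) : null;
}

// Constructed sample: the interstitial Google would show for a rate-limited query.
const SAMPLE_SORRY_URL = "https://www.google.com/sorry/?continue=" +
  encodeURIComponent("https://www.google.com/search?q=tor+browser+design");
```

Two details matter for the redirect to be safe: the query is decoded from the nested URL and re-encoded for the target template rather than spliced in raw, and the host check is a strict pattern rather than a substring test, so a page on some other host cannot trigger the rewrite by putting "google" or "/sorry" in its URL.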
</p></div><div class="sect3" title="Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2706601"></a>Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)</h4></div></div></div><p>Options:
</p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.jar_certs</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.jar_ca_certs</strong></span></td></tr></table><p>
</p><p>

These settings govern whether Torbutton attempts to isolate the user's SSL
certificates into separate jars for each Tor state. This isolation is
implemented in <code class="function">torbutton_jar_certs()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">chrome/content/torbutton.js</a>,
which calls <code class="function">torbutton_jar_cert_type()</code> and
<code class="function">torbutton_unjar_cert_type()</code> for each certificate type in
the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/nsscertcache;1" target="_top">@mozilla.org/security/nsscertcache;1</a>.
Certificates are deleted from and imported to the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/x509certdb;1" target="_top">@mozilla.org/security/x509certdb;1</a>.
</p><p>
The first time this pref is used, a backup of the user's certificates is
created in their profile directory under the name
<code class="filename">cert8.db.bak</code>. This file can be copied back to
<code class="filename">cert8.db</code> to fully restore the original state of the
user's certificates in the event of any error.
</p><p>
Since exit nodes and malicious sites can insert content elements sourced to
specific SSL sites to query whether a user has a certain certificate,
this setting helps to satisfy the <a class="link" href="#state">State
Separation</a> requirement of Torbutton. Unfortunately, <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435159" target="_top">Firefox Bug
435159</a> prevents it from functioning correctly in the event of a rapid Tor toggle, so it
is currently not exposed via the preferences UI.

</p></div></div></div><div class="sect1" title="6. Relevant Firefox Bugs"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="FirefoxBugs"></a>6. Relevant Firefox Bugs</h2></div></div></div><p>
Future releases of Torbutton are going to be designed around supporting only
<a class="ulink" href="https://www.torproject.org/projects/torbrowser.html.en" target="_top">Tor
Browser Bundle</a>, which greatly reduces the number and simplifies the nature of Firefox
bugs we must fix. This allows us to abandon the complexities of the <a class="link" href="#state">State
Separation</a> and <a class="link" href="#isolation">Network Isolation</a> requirements
associated with the Toggle Model.
  </p><div class="sect2" title="6.1. Tor Browser Bugs"><div class="titlepage"><div><div><h3 class="title"><a id="TorBrowserBugs"></a>6.1. Tor Browser Bugs</h3></div></div></div><p>
The list of Firefox patches we must create to improve privacy on the
Tor Browser Bundle is collected in the Tor Bug Tracker under <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2871" target="_top">ticket
#2871</a>. These bugs are also applicable to the Toggle Model, and
should be considered higher priority than all Toggle Model specific bugs
below.
   </p></div><div class="sect2" title="6.2. Toggle Model Bugs"><div class="titlepage"><div><div><h3 class="title"><a id="ToggleModelBugs"></a>6.2. Toggle Model Bugs</h3></div></div></div><p>
In addition to the Tor Browser bugs, the Torbutton Toggle Model suffers from
additional bugs specific to the need to isolate state across the toggle.
Toggle model bugs are considered a lower priority than the bugs against the
Tor Browser model.
   </p><div class="sect3" title="Bugs impacting security"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxSecurity"></a>Bugs impacting security</h4></div></div></div><p>

Torbutton has to work around a number of Firefox bugs that impact its
security. Most of these are mentioned elsewhere in this document, but they
have also been gathered here for reference. In order of decreasing severity,
they are:

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435159" target="_top">Bug 435159 -
nsNSSCertificateDB::DeleteCertificate has race conditions</a><p>

In Torbutton 1.2.0rc1, code was added to attempt to isolate SSL certificates
the user has installed. Unfortunately, the method call to delete a certificate
from the current certificate database acts lazily: it only sets a variable
that marks a cert for deletion later, and it is not cleared if that
certificate is re-added. This means that if the Tor state is toggled quickly,
that certificate could remain present until it is re-inserted (causing an
error dialog), and worse, it would still be deleted after that.  The lack of
this functionality is considered a Torbutton security bug because cert
isolation is considered a <a class="link" href="#state">State Separation</a>
feature.

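The failure described in this bug, and the jar/unjar sequence of the "Store SSL/CA Certs in separate jars" option it breaks, can be seen in a toy model. The following is an added example written for this document; it is not Firefox's nsNSSCertificateDB, not Torbutton's torbutton_jar_cert_type()/torbutton_unjar_cert_type(), and the "fixed" variant is a correction this example assumes (clearing the stale mark on re-import), not a description of how Mozilla resolved the bug. Certificate entries, nicknames and the toggle sequence are constructed here.

```javascript
// Added example, not Firefox or Torbutton code: a toy model of the lazy deletion
// behind Bug 435159, showing why jar-then-unjar on a rapid toggle both raises an
// error and still loses the certificate, beside a variant that un-marks on
// re-import.  Entries, nicknames and the toggle sequence are constructed.

// Cert DB whose deleteCertificate() only marks the entry; the real removal
// happens later, at flush(), and the mark survives a re-import.
class LazyCertDB {
  constructor() { this.certs = new Map(); }   // nickname -> { der, markedForDeletion }
  importCert(nick, der) {
    if (this.certs.has(nick)) throw new Error("cert " + nick + " already present");
    this.certs.set(nick, { der, markedForDeletion: false });
  }
  deleteCertificate(nick) {
    const c = this.certs.get(nick);
    if (c) c.markedForDeletion = true;        // lazy: nothing leaves the DB yet
  }
  flush() {                                    // deferred deletions take effect
    for (const [nick, c] of this.certs) if (c.markedForDeletion) this.certs.delete(nick);
  }
  has(nick) { return this.certs.has(nick); }
  // Copy of the current contents, playing the role of cert8.db.bak.
  snapshot() { return new Map([...this.certs].map(([n, c]) => [n, c.der])); }
}

// Assumed correction for this example: importing a cert that is merely marked
// for deletion un-marks it instead of failing, so delete/re-import is a no-op.
class FixedCertDB extends LazyCertDB {
  importCert(nick, der) {
    const c = this.certs.get(nick);
    if (c && c.markedForDeletion) { c.markedForDeletion = false; c.der = der; return; }
    super.importCert(nick, der);
  }
}

// Jar: move the named certs out of the live DB into a per-state jar.
function jarCerts(db, nicks) {
  const jar = new Map();
  for (const nick of nicks) {
    const entry = db.certs.get(nick);
    if (!entry) continue;
    jar.set(nick, entry.der);
    db.deleteCertificate(nick);
  }
  return jar;
}

// Unjar: import the jarred certs back.  Returns the nicknames whose import
// failed (the "error dialog" case from the bug report).
function unjarCerts(db, jar) {
  const failed = [];
  for (const [nick, der] of jar) {
    try { db.importCert(nick, der); } catch (e) { failed.push(nick); }
  }
  return failed;
}

// Tor on, then off again before the DB has flushed its pending deletions.
function rapidToggle(db) {
  db.importCert("user-cert", "<constructed DER bytes>");
  const backup = db.snapshot();              // taken before the first jarring
  const jar = jarCerts(db, ["user-cert"]);   // Tor enabled: non-Tor certs go away
  const failed = unjarCerts(db, jar);        // Tor disabled again, right away
  db.flush();                                // deferred deletion now runs
  return {
    errorDialog: failed.length > 0,
    certSurvives: db.has("user-cert"),
    backupHasCert: backup.has("user-cert"),
  };
}
```

With LazyCertDB the round trip reports an error and a missing certificate, which is exactly the sequence the bug report describes; with FixedCertDB it is clean. In both cases the snapshot taken before the first jarring still holds the certificate, which is why the option writes cert8.db.bak before it touches anything.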
      </p></li><li class="listitem">Give more visibility into and control over TLS
negotiation
     <p>

There are several <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2482" target="_top">TLS issues
impacting Torbutton security</a>. It is not clear if these should be one
Firefox bug or several, but in particular we need better control over various
aspects of TLS connections. Firefox currently provides no observer capable of
extracting TLS parameters or certificates early enough to cancel a TLS
request. We would like to be able to provide <a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a> users with
the ability to <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission" target="_top">have
their certificates audited</a> by a <a class="ulink" href="http://www.networknotary.org/" target="_top">Perspectives</a>-style set of
notaries. The problem with this is that the API observer points do not exist
for any Firefox addon to actually block authentication token submission over a
TLS channel, so every addon to date (including Perspectives) is actually
providing users with notification *after* their authentication tokens have
already been compromised. This obviously needs to be fixed.
     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=122752" target="_top">Bug 122752 - SOCKS
Username/Password Support</a><p>
We need <a class="ulink" href="https://developer.mozilla.org/en/nsIProxyInfo" target="_top">Firefox
APIs</a> or about:config settings to control the SOCKS Username and
Password fields. The reason why we need this support is to utilize an (as yet
unimplemented) scheme to separate Tor traffic based <a class="ulink" href="https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/171-separate-streams.txt" target="_top">on
SOCKS username/password</a>.
    </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Bug 409737 -
javascript.enabled and docShell.allowJavascript do not disable all event
handlers</a><p>

This bug allows pages to execute javascript via addEventListener and perhaps
other callbacks. In order to prevent this bug from enabling an attacker to
break the <a class="link" href="#isolation">Network Isolation</a> requirement,
Torbutton 1.1.13 began blocking popups and history manipulation from different
Tor states.  So long as there are no ways to open popups or redirect the user
to a new page, the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">Torbutton content
policy</a> should block Javascript network access. However, if there are
ways to open popups or perform redirects such that Torbutton cannot block
them, pages may still have free rein to break that requirement and reveal a
user's original IP address.

     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=448743" target="_top">Bug 448743 -
Decouple general.useragent.locale from spoofing of navigator.language</a><p>

Currently, Torbutton spoofs the <span class="command"><strong>navigator.language</strong></span>
attribute via <a class="link" href="#jshooks" title="Hook Dangerous Javascript">Javascript hooks</a>. Unfortunately,
these do not work on Firefox 3. It would be ideal to have
a pref to set this value (something like a
<span class="command"><strong>general.useragent.override.locale</strong></span>),
to avoid fragmenting the anonymity set of users of foreign locales. This issue
impedes Torbutton from fully meeting its <a class="link" href="#setpreservation">Anonymity Set Preservation</a>
requirement on Firefox 3.

     </p></li></ol></div></div><div class="sect3" title="Bugs blocking functionality"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxWishlist"></a>Bugs blocking functionality</h4></div></div></div><p>
The following bugs impact Torbutton and similar extensions' functionality.
   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=629820" target="_top">Bug 629820 - nsIContentPolicy::shouldLoad not
called for web request in Firefox Mobile</a><p>

The new <a class="ulink" href="https://wiki.mozilla.org/Mobile/Fennec/Extensions/Electrolysis" target="_top">Electrolysis</a>
multiprocess system appears to have some pretty rough edge cases with respect
to registering XPCOM category managers such as the nsIContentPolicy, which
make it difficult to do a straightforward port of Torbutton or
HTTPS-Everywhere to Firefox Mobile.  It probably also has similar issues with
wrapping existing <a class="link" href="#hookedxpcom" title="2.1. Hooked Components">Firefox XPCOM components</a>,
which will also cause more problems for porting Torbutton.

    </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=417869" target="_top">Bug 417869 -
Browser context is difficult to obtain from many XPCOM callbacks</a><p>

It is difficult to determine which tabbrowser many XPCOM callbacks originate
from, and in some cases absolutely no context information is provided at all.
While this doesn't have much of an effect on Torbutton, it does make writing
extensions that would like to do per-tab settings and content filters (such as
FoxyProxy) difficult to impossible to implement securely.

   </p></li></ol></div></div><div class="sect3" title="Low Priority Bugs"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxMiscBugs"></a>Low Priority Bugs</h4></div></div></div><p>
The following bugs have an effect upon Torbutton, but are superseded by more
practical and more easily fixable variant bugs above, or have stable, simple
workarounds.
  </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">Bug 440892 -
network.protocol-handler.warn-external are ignored</a><p>

Sometime in the Firefox 3 development cycle, the preferences that governed
warning a user when external apps were launched got disconnected from the code
that does the launching. Torbutton depended on these prefs to prevent websites
from launching specially crafted documents and application arguments that
caused Proxy Bypass. We currently work around this issue by <a class="link" href="#appblocker" title="@mozilla.org/uriloader/external-protocol-service;1 , @mozilla.org/uriloader/external-helper-app-service;1, and @mozilla.org/mime;1 - components/external-app-blocker.js">wrapping the app launching components</a> to present a
popup before launching external apps while Tor is enabled. While this works,
it would be nice if these prefs were either fixed or removed.

     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">Bug 437014 -
nsIContentPolicy::shouldLoad no longer called for favicons</a><p>

Firefox 3.0 stopped calling the shouldLoad call of content policy for favicon
loads. Torbutton had relied on this call to block favicon loads for opposite
Tor states. The workaround it employs for Firefox 3 is to cancel the request
when it arrives in the <span class="command"><strong>torbutton_http_observer</strong></span> used for
blocking full page plugin loads. This seems to work just fine, but is a bit
dirty.

    </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=309524" target="_top">Bug 309524</a>
and <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380556" target="_top">Bug
380556</a> - nsIContentPolicy::shouldProcess is not called.
     <p>

This is a call that would be useful to develop a better workaround for the
allowPlugins issue above. If the content policy were called before a URL was
handed over to a plugin or helper app, it would make the workaround for the
above allowPlugins bug a lot cleaner. This bug is obviously not as severe as
the others, but it would be nice to have this API as a backup.

     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">Bug 401296 - docShell.allowPlugins
not honored for direct links</a> (Perhaps subset of <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=282106" target="_top">Bug 282106</a>?)
     <p>

Similar to the javascript plugin disabling attribute, the plugin disabling
torbutton/en/design/index.html.en      1281) attribute is also not perfect — it is ignored for direct links to plugin
torbutton/en/design/index.html.en      1282) handled content, as well as meta-refreshes to plugin handled content.  This
torbutton/en/design/index.html.en      1283) requires Torbutton to listen to a number of different http events to intercept
torbutton/en/design/index.html.en      1284) plugin-related mime type URLs and cancel their requests. Again, since plugins
torbutton/en/design/index.html.en      1285) are quite horrible about obeying proxy settings, loading a plugin pretty much
torbutton/en/design/index.html.en      1286) ensures a way to break the <a class="link" href="#isolation">Network Isolation</a>
torbutton/en/design/index.html.en      1287) requirement and reveal a user's original IP address. Torbutton's code to
torbutton/en/design/index.html.en      1288) perform this workaround has been subverted at least once already by Kyle
torbutton/en/design/index.html.en      1289) Williams.
torbutton/en/design/index.html.en      1290) 
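The interception the last two items describe (cancelling favicon and plugin-handled responses from an http observer rather than from a content policy), as an added example that is not Torbutton's own code: the decision of which responses to cancel is kept in a plain function so it can be tested outside the browser, and the XPCOM wiring around it uses the Firefox 3 era observer service. The MIME-type list and the torEnabled() callback are assumptions of this example; Torbutton's real state source and type list are in its own components.

```javascript
// Added example (not from the Torbutton source): cancel responses carrying a
// plugin-handled MIME type while Tor is enabled, so that direct links and
// meta-refreshes to such content never reach a plugin that may ignore the
// browser's proxy settings.

// Assumed (constructed for this example) list of content types that Firefox
// hands to NPAPI plugins or helper apps rather than rendering itself.
const PLUGIN_MIME_TYPES = [
  "application/x-shockwave-flash",
  "application/x-java-applet",
  "application/x-java-vm",
  "application/pdf",
  "application/x-silverlight-2",
  "video/quicktime",
  "application/x-ms-wmp",
];

// Normalise a Content-Type header value: drop parameters, lowercase, trim.
function mimeTypeOf(contentTypeHeader) {
  if (!contentTypeHeader) return "";
  return contentTypeHeader.split(";")[0].trim().toLowerCase();
}

// Decision logic, free of XPCOM: should this response be cancelled before the
// content reaches a plugin?  Plugins stay allowed in the non-Tor state.
function shouldCancelResponse(contentTypeHeader, torEnabled) {
  if (!torEnabled) return false;
  return PLUGIN_MIME_TYPES.indexOf(mimeTypeOf(contentTypeHeader)) !== -1;
}

// Observer wiring for the Firefox 3 era chrome environment.  torEnabled is an
// assumed caller-supplied function returning the current Tor state.  When run
// outside the browser (no Components global) nothing is registered and null
// is returned, which keeps the logic above testable offline.
function registerPluginBlocker(torEnabled) {
  if (typeof Components === "undefined") return null;
  const Ci = Components.interfaces;
  const Cc = Components.classes;
  const Cr = Components.results;
  const observer = {
    observe(subject, topic, data) {
      if (topic !== "http-on-examine-response") return;
      const channel = subject.QueryInterface(Ci.nsIHttpChannel);
      let ctype = "";
      try {
        ctype = channel.getResponseHeader("Content-Type");
      } catch (e) {
        // No Content-Type header on this response; nothing to match.
      }
      if (shouldCancelResponse(ctype, torEnabled())) {
        // Abort before the body is handed to a plugin or helper app.
        channel.cancel(Cr.NS_BINDING_ABORTED);
      }
    },
  };
  Cc["@mozilla.org/observer-service;1"]
    .getService(Ci.nsIObserverService)
    .addObserver(observer, "http-on-examine-response", false);
  return observer;
}
```

The observer only sees responses, so a plugin-typed document is cancelled after the request has already left the browser; that is acceptable for the proxy-bypass concern here because the leak the text worries about comes from the plugin's own connections, not from the initial fetch, which still goes through the configured proxy.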
     </p></li></ol></div></div></div></div><div class="sect1" title="7. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="TestPlan"></a>7. Testing</h2></div></div></div><p>

The purpose of this section is to cover all the known ways that Tor browser
security can be subverted from a penetration testing perspective. The hope
is that it will be useful both for creating a "Tor Safety Check"
page, and for developing novel tests and actively attacking Torbutton with the
goal of finding vulnerabilities in either it or the Mozilla components,
interfaces and settings upon which it relies.

  </p><div class="sect2" title="7.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>7.1. Single state testing</h3></div></div></div><p>

Torbutton is a complicated piece of software. During development, changes to
one component can affect a whole slew of unrelated features. A number of
aggregated test suites exist that can be used to test for regressions in
Torbutton and to aid the development of Torbutton-like addons and
other privacy modifications of other browsers. Some of these test suites exist
as a single automated page, while others are a series of pages you must visit
individually. They are provided here for reference and future regression
testing, and also in the hope that some brave soul will one day decide to
combine them into a comprehensive automated test suite.

     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Decloak.net (defunct)<p>

Decloak.net is the canonical source of plugin and external-application based
proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to
use to test their anonymity systems.

       </p></li><li class="listitem"><a class="ulink" href="https://www.jondos.de/en/anontest" target="_top">JonDos
AnonTest</a><p>

The <a class="ulink" href="https://www.jondos.de" target="_top">JonDos people</a> also provide an
anonymity tester. It is more focused on HTTP headers than plugin bypass, and
points out a couple of headers Torbutton could do a better job of
obfuscating.

       </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p>

Browserspy.dk provides a tremendous collection of browser fingerprinting and
general privacy tests. Unfortunately they are only available one page at a
time, and there is no real feedback on good vs. bad behavior in
the test results.

       </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy
Analyzer</a><p>

The Privacy Analyzer provides a dump of all sorts of browser attributes and
settings that it detects, including some information on your origin IP
address. Its page layout and lack of good vs. bad test result feedback make it
less useful as a user-facing testing tool, but it does provide some
interesting checks in a single page.

       </p></li><li class="listitem"><a class="ulink" href="http://ha.ckers.org/mr-t/" target="_top">Mr. T</a><p>

Mr. T is a collection of browser fingerprinting and deanonymization exploits
discovered by the <a class="ulink" href="http://ha.ckers.org" target="_top">ha.ckers.org</a> crew
and others. It is also not as user friendly as some of the above tests, but it
is a useful collection.

       </p></li><li class="listitem">Gregory Fleischer's <a class="ulink" href="http://pseudo-flaw.net/content/tor/torbutton/" target="_top">Torbutton</a> and
<a class="ulink" href="http://pseudo-flaw.net/content/defcon/dc-17-demos/d.html" target="_top">Defcon
17</a> Test Cases
       <p>

Gregory Fleischer has been hacking and testing Firefox and Torbutton privacy
issues for the past 2 years. He has an excellent collection of all his test
cases that can be used for regression testing. In his Defcon work, he
demonstrates ways to infer the Firefox version based on arcane browser properties.
We are still trying to determine the best way to address some of those test
cases.

       </p></li><li class="listitem"><a class="ulink" href="https://torcheck.xenobite.eu/index.php" target="_top">Xenobite's
TorCheck Page</a><p>

This page checks to ensure you are using a valid Tor exit node and checks for
some basic browser properties related to privacy. It is not very fine-grained
or complete, but it is automated and could be turned into something useful
with a bit of work.

       </p></li></ol></div><p>
    </p></div><div class="sect2" title="7.2. Multi-state testing"><div class="titlepage"><div><div><h3 class="title"><a id="id2707624"></a>7.2. Multi-state testing</h3></div></div></div><p>

The tests in this section are geared towards a page that would instruct the
user to toggle their Tor state after the fetch and perform some operations:
mouseovers, stray clicks, and potentially reloads.

   </p><div class="sect3" title="Cookies and Cache Correlation"><div class="titlepage"><div><div><h4 class="title"><a id="id2707636"></a>Cookies and Cache Correlation</h4></div></div></div><p>
The most obvious test is to set a cookie, ask the user to toggle Tor, and then
have them reload the page. The cookie should no longer be set if they are
using the default Torbutton settings. In addition, it is possible to leverage
the cache to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
identifiers</a>. The default settings of Torbutton should also prevent
these from persisting across a Tor toggle.

    </p></div><div class="sect3" title="Javascript timers and event handlers"><div class="titlepage"><div><div><h4 class="title"><a id="id2707658"></a>Javascript timers and event handlers</h4></div></div></div><p>

Javascript can set timers and register event handlers in the hopes of fetching
URLs after the user has toggled Torbutton.
    </p></div><div class="sect3" title="CSS Popups and non-script Dynamic Content"><div class="titlepage"><div><div><h4 class="title"><a id="id2707671"></a>CSS Popups and non-script Dynamic Content</h4></div></div></div><p>

Even if Javascript is disabled, CSS is still able to
<a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">create popup-like
windows</a>
via the 'onmouseover' CSS attribute, which can cause arbitrary browser
activity as soon as the mouse enters the content window. It is also
possible for meta-refresh tags to set timers long enough to make it likely
that the user has toggled Tor before fetching content.

    </p></div></div><div class="sect2" title="7.3. Active testing (aka How to Hack Torbutton)"><div class="titlepage"><div><div><h3 class="title"><a id="HackTorbutton"></a>7.3. Active testing (aka How to Hack Torbutton)</h3></div></div></div><p>

The idea behind active testing is to discover vulnerabilities in Torbutton to
bypass proxy settings, run script in an opposite Tor state, store unique
identifiers, leak location information, or otherwise violate <a class="link" href="#requirements" title="1.2. Torbutton Requirements">its requirements</a>. Torbutton has ventured out
into a strange and new security landscape. It depends on Firefox mechanisms
that haven't necessarily been audited for security, certainly not for the
threat model that Torbutton seeks to address. As such, it and the interfaces
it depends upon still need a 'trial by fire' typical of new technologies. This
section of the document was written with the intention of making that period
as fast as possible. Please help us get through this period by considering
these attacks, playing with them, and reporting what you find (and potentially
submitting the test cases back to be run in the standard batch of Torbutton
tests).

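Both the Javascript timer and event handler case in the previous section and the CSS and meta-refresh case here come down to the same question for a multi-state check page: did a fetch the page planted before the toggle arrive after it? The following added example (not from the design doc) shows the correlation such a page would run over its own beacon log. Every planted trigger reports back to one endpoint with a session id and a trigger name; a session whose beacons arrive from both a Tor exit address and a non-Tor address has crossed the toggle, and the trigger names say which mechanism fired late. The log format, the exit-address set and the sample lines are constructed for this example; a real check would load the current exit list.

```javascript
// Added example (not from the design doc): correlate beacon-log lines from a
// multi-state check page to find fetches that fired in the opposite Tor state.

// Constructed exit addresses standing in for the real Tor exit list.
const TOR_EXIT_IPS = new Set(["203.0.113.10", "203.0.113.11"]);

// Constructed sample log: one beacon per planted trigger, in a key=value format
// chosen for this example.  Documentation addresses only.
const SAMPLE_LOG = [
  "ts=1000 ip=203.0.113.10 sid=s1 trigger=load",
  "ts=1030 ip=203.0.113.10 sid=s1 trigger=mouseover",
  "ts=1095 ip=198.51.100.7 sid=s1 trigger=timer",       // timer fired after Tor was toggled off
  "ts=1100 ip=198.51.100.7 sid=s1 trigger=metarefresh", // so did the meta-refresh
  "ts=2000 ip=203.0.113.11 sid=s2 trigger=load",
  "ts=2040 ip=203.0.113.11 sid=s2 trigger=timer",       // same state throughout: no leak
  "ts=3000 ip=198.51.100.9 sid=s3 trigger=load",
  "ts=3200 ip=203.0.113.10 sid=s3 trigger=hover",       // Tor toggled on before the CSS hover fetch
  "not a beacon line",                                  // malformed input is skipped
];

// Parse one key=value line into a beacon record, or null if it is malformed.
function parseLine(line) {
  const rec = {};
  for (const tok of line.trim().split(/\s+/)) {
    const i = tok.indexOf("=");
    if (i > 0) rec[tok.slice(0, i)] = tok.slice(i + 1);
  }
  if (!rec.ts || !rec.ip || !rec.sid || !rec.trigger) return null;
  const ts = Number(rec.ts);
  if (!Number.isFinite(ts)) return null;
  return { ts, ip: rec.ip, sid: rec.sid, trigger: rec.trigger };
}

// Classify a client address by whether it belongs to a Tor exit.
function stateOf(ip, exits = TOR_EXIT_IPS) {
  return exits.has(ip) ? "tor" : "non-tor";
}

// Order beacons by time, remember the state each session started in, and flag
// every later beacon that arrived from the opposite state.  Returns
// { sid: [ { trigger, ts, from, to }, ... ] } for leaking sessions only.
function findCrossStateLeaks(lines, exits = TOR_EXIT_IPS) {
  const beacons = lines
    .map(parseLine)
    .filter((b) => b !== null)
    .sort((a, b) => a.ts - b.ts);
  const sessions = new Map();
  for (const b of beacons) {
    const state = stateOf(b.ip, exits);
    if (!sessions.has(b.sid)) sessions.set(b.sid, { first: state, leaks: [] });
    const s = sessions.get(b.sid);
    if (state !== s.first) {
      s.leaks.push({ trigger: b.trigger, ts: b.ts, from: s.first, to: state });
    }
  }
  const result = {};
  for (const [sid, s] of sessions) {
    if (s.leaks.length > 0) result[sid] = s.leaks;
  }
  return result;
}

// Human-readable summary, one line per leaking trigger.
function summarize(leaks) {
  const lines = [];
  for (const sid of Object.keys(leaks).sort()) {
    for (const l of leaks[sid]) {
      lines.push(`${sid}: ${l.trigger} fired at ${l.ts} after toggle (${l.from} -> ${l.to})`);
    }
  }
  return lines;
}

console.log(summarize(findCrossStateLeaks(SAMPLE_LOG)).join("\n"));
```

The first beacon of a session fixes its starting state, so the check works in either direction (Tor toggled off or on) without the page knowing which way the user went; the "load" beacon the page sends immediately is what establishes that baseline.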
   </p><div class="sect3" title="Some suggested vectors to investigate"><div class="titlepage"><div><div><h4 class="title"><a id="id2707726"></a>Some suggested vectors to investigate</h4></div></div></div><p>