673e5f15867ac3582f4f23696e40ece2a3f3d332
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Dec 28 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2619754">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. 
Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. 
Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2619754"></a>1. Introduction</h2></div></div></div><p>

This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>,
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>,
<a class="link" href="#Implementation" title="3. Implementation">implementation</a>, <a class="link" href="#Packaging" title="4. Packaging">packaging</a> and <a class="link" href="#Testing" title="5. Testing">testing
procedures</a> of the Tor Browser. It is
current as of Tor Browser 2.2.35-1 and Torbutton 1.4.5.

  </p><p>

This document is also meant to serve as a set of design requirements and to
describe a reference implementation of a Private Browsing Mode that defends
against active network adversaries, in addition to the passive forensic local
adversary currently addressed by the major browsers.

  </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p>

A Tor web browser adversary has a number of goals, capabilities, and attack
types that can be used to guide us towards a set of requirements for the
Tor Browser. Let's start with the goals.

   </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
Tor, causing the user to directly connect to an IP of the adversary's
choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
happily settle for the ability to correlate something a user did via Tor with
their non-Tor activity. This can be done with cookies, cache identifiers,
Javascript events, and even CSS. Sometimes the fact that a user uses Tor may
be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
The adversary may also be interested in history disclosure: the ability to
query a user's history to see if they have issued certain censored search
queries, or visited censored sites.
     </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>

Location information such as timezone and locality can be useful for the
adversary to determine if a user is in fact originating from one of the
regions they are attempting to control, or to zero in on the geographical
location of a particular dissident or whistleblower.

     </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p>

Anonymity set reduction is also useful in attempting to zero in on a
particular individual. If the dissident or whistleblower is using a rare build
of Firefox for an obscure operating system, this can be very useful
information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>.

     </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
information</strong></span><p>
In some cases, the adversary may opt for a heavy-handed approach, such as
seizing the computers of all Tor users in an area (especially after narrowing
the field by the above two pieces of information). History records and cache
data are the primary goals here.
     </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p>
The adversary can position themselves at a number of different locations in
order to execute their attacks.
    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
The adversary can run exit nodes, or alternatively, they may control routers
upstream of exit nodes. Both of these scenarios have been observed in the
wild.
     </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
The adversary can also run websites, or more likely, they can contract out
ad space from a number of different ad servers and inject content that way. For
some users, the adversary may be the ad servers themselves. It is not
inconceivable that ad servers may try to subvert or reduce a user's anonymity
through Tor for marketing purposes.
     </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
The adversary can also inject malicious content at the user's upstream router
when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
activity.
     </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
Some users face adversaries with intermittent or constant physical access.
Users in Internet cafes, for example, face such a threat. In addition, in
countries where simply using tools like Tor is illegal, users may face
confiscation of their computer equipment for excessive Tor usage or just
general suspicion.
     </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p>

The adversary can perform the following attacks from a number of different
positions to accomplish various aspects of their goals. It should be noted
that many of these attacks (especially those involving IP address leakage) are
often performed by accident by websites that simply have Javascript, dynamic
CSS elements, and plugins. Others are performed by ad servers seeking to
correlate users' activity across different IP addresses, and still others are
performed by malicious agents on the Tor network and at national firewalls.

    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>

The browser contains multiple facilities for storing identifiers that the
adversary creates for the purposes of tracking users. These identifiers are
most obviously cookies, but also include HTTP auth, DOM storage, cached
scripts and other elements with embedded identifiers, client certificates, and
even TLS Session IDs.

     </p><p>

An adversary in a position to perform MITM content alteration can inject
document content elements to both read and inject cookies for arbitrary
domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
<a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
sidejacking</a>. In addition, the ad networks of course perform tracking
with cookies as well.

     </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
attributes</strong></span><p>

There is an absurd amount of information available to websites via attributes
of the browser. This information can be used to reduce anonymity set, or even
uniquely fingerprint individual users. Fingerprinting is an intimidating
problem to attempt to tackle, especially without a metric to determine or at
least intuitively understand and estimate which features will most contribute
to linkability between visits.

</p><p>

The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study
done</a> by the EFF uses the actual entropy - the number of identifying
bits of information encoded in browser properties - as this metric. Their
<a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a>
is definitely useful, and the metric is probably the appropriate one for
determining how identifying a particular browser property is. However, some
quirks of their study mean that they do not extract as much information as
they could from display information: they only use desktop resolution and do
not attempt to infer the size of toolbars. In the other direction, they may be
over-counting in some areas, as they did not compute joint entropy over
multiple attributes that may exhibit a high degree of correlation. Also, new
browser features are added regularly, so the data should not be taken as
final.
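As an added illustration of the over-counting point above (example code written for this edit, not taken from the Tor Browser design document or from the Panopticlick study), the following JavaScript compares the sum of per-attribute entropies with the joint entropy of the same attributes over a constructed sample of browser attribute records, and computes the per-browser "identifying bits" figure for a single fingerprint. The attribute names, the sample values and the function names are assumptions made for the example, not measured data.

```javascript
// Added example, not part of the Tor Browser design document: measures how
// much a per-attribute entropy sum over-counts compared with the joint
// entropy of the same attributes, and computes the identifying bits
// (surprisal) of an individual fingerprint.

// Shannon entropy, in bits, of the empirical distribution of `values`.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  const n = values.length;
  let h = 0;
  for (const c of counts.values()) {
    const p = c / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Serialises the chosen attributes of one record into a single fingerprint key.
function fingerprintKey(record, attrs) {
  return attrs.map((a) => String(record[a])).join('\u0000');
}

// Entropy of a single attribute across the sample.
function attributeEntropy(records, attr) {
  return entropyBits(records.map((r) => r[attr]));
}

// Sum of per-attribute entropies: the figure obtained when each attribute is
// scored on its own, which silently assumes the attributes are independent.
function summedEntropy(records, attrs) {
  return attrs.reduce((acc, a) => acc + attributeEntropy(records, a), 0);
}

// Joint entropy: entropy of the whole attribute tuple. It never exceeds the
// summed figure and equals it only when the attributes are independent.
function jointEntropy(records, attrs) {
  return entropyBits(records.map((r) => fingerprintKey(r, attrs)));
}

// Bits that the independence assumption over-counts for this sample.
function overcountBits(records, attrs) {
  return summedEntropy(records, attrs) - jointEntropy(records, attrs);
}

// Identifying bits of one fingerprint: -log2(fraction of the sample sharing it).
function identifyingBits(records, attrs, target) {
  const key = fingerprintKey(target, attrs);
  const matches = records.filter((r) => fingerprintKey(r, attrs) === key).length;
  return Math.log2(records.length / matches);
}

// Constructed sample (hypothetical values, not measured data): the user agent
// string is fully determined by the platform, so those two attributes are
// perfectly correlated; the timezone offset varies independently of them.
const SAMPLE_RECORDS = [
  { platform: 'Win32', userAgent: 'Firefox/Win', tzOffset: -300 },
  { platform: 'Win32', userAgent: 'Firefox/Win', tzOffset: 0 },
  { platform: 'Win32', userAgent: 'Firefox/Win', tzOffset: 60 },
  { platform: 'Win32', userAgent: 'Firefox/Win', tzOffset: 0 },
  { platform: 'Linux x86_64', userAgent: 'Firefox/Linux', tzOffset: 0 },
  { platform: 'Linux x86_64', userAgent: 'Firefox/Linux', tzOffset: 60 },
  { platform: 'MacIntel', userAgent: 'Firefox/Mac', tzOffset: -300 },
  { platform: 'MacIntel', userAgent: 'Firefox/Mac', tzOffset: 0 },
];
const ATTRS = ['platform', 'userAgent', 'tzOffset'];

// Stand-alone run: prints the per-attribute figures and the over-count.
if (typeof require !== 'undefined' && require.main === module) {
  for (const a of ATTRS) {
    console.log(`${a}: ${attributeEntropy(SAMPLE_RECORDS, a).toFixed(2)} bits`);
  }
  console.log(`summed: ${summedEntropy(SAMPLE_RECORDS, ATTRS).toFixed(2)} bits`);
  console.log(`joint:  ${jointEntropy(SAMPLE_RECORDS, ATTRS).toFixed(2)} bits`);
  console.log(`over-count: ${overcountBits(SAMPLE_RECORDS, ATTRS).toFixed(2)} bits`);
}
```

Run it with node: each of the three attributes carries 1.5 bits on its own, so the summed figure is 4.5 bits, but because the platform and user agent strings always move together the joint entropy of all three is only 2.75 bits; the 1.75-bit difference is exactly the double counting the text warns about. The `identifyingBits` function gives the per-browser figure (here 3 bits for a fingerprint unique in the sample, 2 bits for one shared by two records), which is the kind of number a fingerprint survey reports for a single visitor.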

      </p><p>

Despite the uncertainty, all fingerprinting attacks leverage the following
attack vectors:

     </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>

Properties of the user's request behavior comprise the bulk of low-hanging
fingerprinting targets. These include: User agent, Accept-* headers, pipeline
usage, and request ordering. Additionally, the use of custom filters such as
AdBlock and other privacy filters can be used to fingerprint request patterns
(as an extreme example).

     </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>

Javascript can reveal a lot of fingerprinting information. It provides DOM
objects such as window.screen and window.navigator to extract information
about the user agent.

Also, Javascript can be used to query the user's timezone via the
<code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
reveal information about the video card in use, and high precision timing
information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and
interpreter speed</a>. In the future, new JavaScript features such as
<a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/" target="_top">Resource
Timing</a> may leak an unknown amount of network timing related
information.


     </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>

The Panopticlick project found that the mere list of installed plugins (in
navigator.plugins) was sufficient to provide a large degree of
fingerprintability. Additionally, plugins are capable of extracting font lists,
interface addresses, and other machine information that is beyond what the
browser would normally provide to content. In addition, plugins can be used to
store unique identifiers that are more difficult to clear than standard
cookies.  <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
cookies</a> fall into this category, but there are likely numerous other
examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
settings of the browser.


     </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>

<a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
queries</a> can be inserted to gather information about the desktop size,
widget size, display type, DPI, user agent type, and other information that
was formerly available only to Javascript.

     </p></li></ol></div></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
OS</strong></span><p>

Last, but definitely not least, the adversary can exploit either general
browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
install malware and surveillance software. An adversary with physical access
can perform similar actions. Regrettably, this last attack capability is
outside of our ability to defend against, but it is worth mentioning for
completeness. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails
system</a> however can provide some limited defenses against this
adversary.

     </p></li></ol></div></div></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>

The Tor Browser Design Requirements are meant to describe the properties of a
Private Browsing Mode that defends against both network and local forensic
adversaries.

  </p><p>

There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
minimum properties in order for a browser to be able to support Tor and
similar privacy proxies safely. Privacy requirements are the set of properties
that cause us to prefer one browser over another.

  </p><p>

While we will endorse the use of browsers that meet the security requirements,
it is primarily the privacy requirements that cause us to maintain our own
browser distribution.

  </p><p>

      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
      "OPTIONAL" in this document are to be interpreted as described in
      <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.

  </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>

The security requirements are primarily concerned with ensuring the safe use
of Tor. Violations in these properties typically result in serious risk for
the user in terms of immediate deanonymization and/or observability. With
respect to browser support, security requirements are the minimum properties
in order for Tor to support the use of a particular browser.

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="3.1. Proxy Obedience"><span class="command"><strong>Proxy
Obedience</strong></span></a><p>The browser
MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="3.2. State Separation"><span class="command"><strong>State
Separation</strong></span></a><p>The browser MUST NOT provide any stored state to the content window
from other browsers or other browsing modes, including shared state from
plugins, machine identifiers, and TLS session state.
</p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance"><span class="command"><strong>Disk
Avoidance</strong></span></a><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     235) 
projects/torbrowser/design/index.html.en     236) The browser MUST NOT write any information that is derived from or that
projects/torbrowser/design/index.html.en     237) reveals browsing activity to the disk, or store it in memory beyond the
projects/torbrowser/design/index.html.en     238) duration of one browsing session, unless the user has explicitly opted to
projects/torbrowser/design/index.html.en     239) store their browsing history information to disk.
projects/torbrowser/design/index.html.en     240) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     241) </p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="3.4. Application Data Isolation"><span class="command"><strong>Application Data
projects/torbrowser/design/index.html.en     242) Isolation</strong></span></a><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     243) 
Mike Perry Additional comments from Ge...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     244) The components involved in providing private browsing MUST be self-contained,
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     245) or MUST provide a mechanism for rapid, complete removal of all evidence of the
projects/torbrowser/design/index.html.en     246) use of the mode. In other words, the browser MUST NOT write or cause the
projects/torbrowser/design/index.html.en     247) operating system to write <span class="emphasis"><em>any information</em></span> about the use
projects/torbrowser/design/index.html.en     248) of private browsing to disk outside of the application's control. The user
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     249) must be able to ensure that secure deletion of the software is sufficient to
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     250) remove evidence of the use of the software. All exceptions and shortcomings
Mike Perry Additional comments from Ge...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     251) due to operating system behavior MUST be wiped by an uninstaller. However, due
Mike Perry Update TBB design doc based...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     252) to permissions issues with access to swap, implementations MAY choose to leave
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     253) it out of scope, and/or leave it to the Operating System/platform to implement
projects/torbrowser/design/index.html.en     254) ephemeral-keyed encrypted swap.
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  255) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     256) </p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  257) 
projects/en/torbrowser/design/index.html.en  258) The privacy requirements are primarily concerned with reducing linkability:
Mike Perry Add a couple extra sentence...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     259) the ability for a user's activity on one site to be linked with their activity
projects/torbrowser/design/index.html.en     260) on another site without their knowledge or explicit consent. With respect to
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     261) browser support, privacy requirements are the set of properties that cause us
projects/torbrowser/design/index.html.en     262) to prefer one browser over another. 
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  263) 
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     264)    </p><p>
projects/torbrowser/design/index.html.en     265) 
projects/torbrowser/design/index.html.en     266) For the purposes of the unlinkability requirements of this section as well as
projects/torbrowser/design/index.html.en     267) the descriptions in the <a class="link" href="#Implementation" title="3. Implementation">implementation
projects/torbrowser/design/index.html.en     268) section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the
projects/torbrowser/design/index.html.en     269) second-level DNS name.  For example, for mail.google.com, the origin would be
projects/torbrowser/design/index.html.en     270) google.com. Implementations MAY, at their option, restrict the url bar origin
Mike Perry Additional comments from Ge...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     271) to be the entire fully qualified domain name.
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     272) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     273)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="3.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
projects/torbrowser/design/index.html.en     274) Identifier Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  275) 
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     276) User activity on one url bar origin MUST NOT be linkable to their activity in
Mike Perry Update TBB design doc based...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     277) any other url bar origin by any third party automatically or without user
projects/torbrowser/design/index.html.en     278) interaction or approval. This requirement specifically applies to linkability
projects/torbrowser/design/index.html.en     279) from stored browser identifiers, authentication tokens, and shared state. The
projects/torbrowser/design/index.html.en     280) requirement does not apply to linkable information the user manually submits
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     281) to sites, or due to information submitted during manual link traversal. This
Mike Perry Update TBB design doc based...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     282) functionality SHOULD NOT interfere with federated login in a substantial way.
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  283) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     284)   </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="3.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
projects/torbrowser/design/index.html.en     285) Fingerprinting Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  286) 
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     287) User activity on one url bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en     288) any other url bar origin by any third party. This property specifically applies to
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  289) linkability from fingerprinting browser behavior.
projects/en/torbrowser/design/index.html.en  290) 
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     291)   </p></li><li class="listitem"><a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><span class="command"><strong>Long-Term
projects/torbrowser/design/index.html.en     292) Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  293) 
Mike Perry Additional comments from Ge...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     294) The browser SHOULD provide an obvious, easy way to remove all of its
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     295) authentication tokens and browser state and obtain a fresh identity.
projects/torbrowser/design/index.html.en     296) Additionally, the browser SHOULD clear linkable state by default automatically
projects/torbrowser/design/index.html.en     297) upon browser restart, except at user option.
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  298) 
projects/en/torbrowser/design/index.html.en  299)   </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  300) 
projects/en/torbrowser/design/index.html.en  301) In addition to the above design requirements, the technology decisions about
projects/en/torbrowser/design/index.html.en  302) Tor Browser are also guided by some philosophical positions about technology.
projects/en/torbrowser/design/index.html.en  303) 
projects/en/torbrowser/design/index.html.en  304)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>
projects/en/torbrowser/design/index.html.en  305) 
projects/en/torbrowser/design/index.html.en  306) The existing way that the user expects to use a browser must be preserved. If
projects/en/torbrowser/design/index.html.en  307) the user has to maintain a different mental model of how the sites they are
projects/en/torbrowser/design/index.html.en  308) using behave depending on tab, browser state, or anything else that would not
projects/en/torbrowser/design/index.html.en  309) normally be what they experience in their default browser, the user will
projects/en/torbrowser/design/index.html.en  310) inevitably be confused. They will make mistakes and reduce their privacy as a
projects/en/torbrowser/design/index.html.en  311) result. Worse, they may just stop using the browser, assuming it is broken.
projects/en/torbrowser/design/index.html.en  312) 
projects/en/torbrowser/design/index.html.en  313)       </p><p>
projects/en/torbrowser/design/index.html.en  314) 
projects/en/torbrowser/design/index.html.en  315) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
projects/en/torbrowser/design/index.html.en  316) of Torbutton</a>: Even if users managed to install everything properly,
projects/en/torbrowser/design/index.html.en  317) the toggle model was too hard for the average user to understand, especially
projects/en/torbrowser/design/index.html.en  318) in the face of accumulating tabs from multiple states crossed with the current
projects/en/torbrowser/design/index.html.en  319) tor-state of the browser. 
projects/en/torbrowser/design/index.html.en  320) 
projects/en/torbrowser/design/index.html.en  321)       </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
projects/en/torbrowser/design/index.html.en  322) break sites</strong></span><p>
projects/en/torbrowser/design/index.html.en  323) 
projects/en/torbrowser/design/index.html.en  324) In general, we try to find solutions to privacy issues that will not induce
projects/en/torbrowser/design/index.html.en  325) site breakage, though this is not always possible.
projects/en/torbrowser/design/index.html.en  326) 
projects/en/torbrowser/design/index.html.en  327)       </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>
projects/en/torbrowser/design/index.html.en  328) 
projects/en/torbrowser/design/index.html.en  329) Even if plugins always properly used the browser proxy settings (which none of
projects/en/torbrowser/design/index.html.en  330) them do) and could not be induced to bypass them (which all of them can), the
projects/en/torbrowser/design/index.html.en  331) activities of closed-source plugins are very difficult to audit and control.
projects/en/torbrowser/design/index.html.en  332) They can obtain and transmit all manner of system information to websites,
projects/en/torbrowser/design/index.html.en  333) often have their own identifier storage for tracking users, and also
projects/en/torbrowser/design/index.html.en  334) contribute to fingerprinting.
projects/en/torbrowser/design/index.html.en  335) 
projects/en/torbrowser/design/index.html.en  336)       </p><p>
projects/en/torbrowser/design/index.html.en  337) 
projects/en/torbrowser/design/index.html.en  338) Therefore, if plugins are to be enabled in private browsing modes, they must
projects/en/torbrowser/design/index.html.en  339) be restricted from running automatically on every page (via click-to-play
projects/en/torbrowser/design/index.html.en  340) placeholders), and/or be sandboxed to restrict the types of system calls they
projects/en/torbrowser/design/index.html.en  341) can execute. If the user decides to craft an exemption to allow a plugin to be
Mike Perry Additional comments from Ge...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     342) used, it MUST only apply to the top level url bar domain, and not to all sites,
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  343) to reduce linkability.
projects/en/torbrowser/design/index.html.en  344) 
projects/en/torbrowser/design/index.html.en  345)        </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
projects/en/torbrowser/design/index.html.en  346) 
projects/en/torbrowser/design/index.html.en  347) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
projects/en/torbrowser/design/index.html.en  348) failure of Torbutton</a> was (and still is) the options panel. Each option
projects/en/torbrowser/design/index.html.en  349) that detectably alters browser behavior can be used as a fingerprinting tool.
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     350) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">SHOULD be
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     351) disabled in the mode</a> except as an opt-in basis. We SHOULD NOT load
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  352) system-wide addons or plugins.
projects/en/torbrowser/design/index.html.en  353) 
projects/en/torbrowser/design/index.html.en  354)      </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     355) Instead of global browser privacy options, privacy decisions SHOULD be made
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  356) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     357) url bar origin</a> to eliminate the possibility of linkability
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  358) between domains. For example, when a plugin object (or a Javascript access of
projects/en/torbrowser/design/index.html.en  359) window.plugins) is present in a page, the user should be given the choice of
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     360) allowing that plugin object for that url bar origin only. The same
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  361) goes for exemptions to third party cookie policy, geo-location, and any other
projects/en/torbrowser/design/index.html.en  362) privacy permissions.
projects/en/torbrowser/design/index.html.en  363)      </p><p>
projects/en/torbrowser/design/index.html.en  364) If the user has indicated they do not care about local history storage, these
projects/en/torbrowser/design/index.html.en  365) permissions can be written to disk. Otherwise, they should remain memory-only. 
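The url bar origin definition from section 2.2, the rule that a plugin exemption applies only to the top-level url bar domain, and the per-origin, memory-only permission model above, worked through as an added JavaScript example. This is not Torbutton or Tor Browser code; the urlBarOrigin helper, the PermissionStore class and the hostnames are my own constructions.

```javascript
// Added example (not Torbutton or Tor Browser code): permissions keyed by
// url bar origin, held in memory unless the user opted into disk storage.
// urlBarOrigin, PermissionStore and the hostnames used are my own constructions.

// Reduce a hostname to its url bar origin as the document defines it: the
// second-level DNS name (mail.google.com -> google.com), or the whole FQDN
// when the implementation takes the stricter option. IP literals pass through.
// Caveat: a bare second-level name is not a registrable domain under public
// suffixes such as co.uk; the document's definition is what is computed here.
function urlBarOrigin(hostname, { fullyQualified = false } = {}) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.includes(":")) return host; // IPv4/IPv6
  if (fullyQualified) return host;
  return host.split(".").slice(-2).join(".");
}

class PermissionStore {
  // persistToDisk: only true when the user does not care about local history
  // storage; diskWriter receives the serialized store on each change.
  constructor({ persistToDisk = false, fullyQualified = false, diskWriter = null } = {}) {
    this.persistToDisk = persistToDisk;
    this.fullyQualified = fullyQualified;
    this.diskWriter = diskWriter;
    this.grants = new Map(); // url bar origin -> Set of permission names
  }

  _origin(host) {
    return urlBarOrigin(host, { fullyQualified: this.fullyQualified });
  }

  // Record a user decision; it is scoped to the url bar origin of the page
  // the user was on, never to the plugin or the third-party site globally.
  grant(urlBarHost, permission) {
    const origin = this._origin(urlBarHost);
    if (!this.grants.has(origin)) this.grants.set(origin, new Set());
    this.grants.get(origin).add(permission);
    this._maybePersist();
  }

  // Lookup is keyed by the top-level page only, so an exemption granted on
  // one url bar origin cannot be used to link the user on another.
  isAllowed(urlBarHost, permission) {
    const set = this.grants.get(this._origin(urlBarHost));
    return set !== undefined && set.has(permission);
  }

  // "New Identity": drop all grants, and overwrite the on-disk copy if any.
  clearAll() {
    this.grants.clear();
    this._maybePersist();
  }

  _maybePersist() {
    if (!this.persistToDisk || !this.diskWriter) return;
    const obj = {};
    for (const [origin, set] of this.grants) obj[origin] = [...set].sort();
    this.diskWriter(JSON.stringify(obj));
  }
}

// Walk-through on constructed hostnames: a Flash exemption granted while on
// video.example.com applies to www.example.com (same url bar origin) but not
// to example.net, not to other permissions, and not across subdomains under
// the FQDN option; nothing reaches "disk" unless persistToDisk is set.
function demo() {
  const writes = [];
  const memOnly = new PermissionStore();
  memOnly.grant("video.example.com", "plugin:flash");

  const strict = new PermissionStore({ fullyQualified: true });
  strict.grant("video.example.com", "plugin:flash");

  const onDisk = new PermissionStore({ persistToDisk: true, diskWriter: (s) => writes.push(s) });
  onDisk.grant("video.example.com", "plugin:flash");
  onDisk.clearAll();

  return {
    sameOrigin: memOnly.isAllowed("www.example.com", "plugin:flash"),     // true
    otherOrigin: memOnly.isAllowed("example.net", "plugin:flash"),        // false
    otherPermission: memOnly.isAllowed("example.com", "geolocation"),     // false
    strictSubdomain: strict.isAllowed("www.example.com", "plugin:flash"), // false
    diskWrites: writes,                                                   // two writes, the last is "{}"
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```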
     </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>

Filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
Plus</a>, <a class="ulink" href="http://requestpolicy.com/" target="_top">Request Policy</a>,
<a class="ulink" href="http://www.ghostery.com/about" target="_top">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
avoided. We believe that these addons do not add any real privacy to a proper
<a class="link" href="#Implementation" title="3. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, as all third parties are
prevented from tracking users between sites by the implementation.
Filter-based addons can also introduce strange breakage and cause usability
nightmares, and will also fail to do their job if an adversary simply
registers a new domain or creates a new url path. Worse still, the unique
filter sets that each user creates or installs will provide a wealth of
fingerprinting targets.

      </p><p>

As a general matter, we are also opposed to shipping an always-on Ad
blocker with Tor Browser. We feel that this would damage our credibility in
terms of demonstrating that we are providing privacy through a sound design
alone, as well as damage the acceptance of Tor users by sites who support
themselves through advertising revenue.

      </p><p>
Users are free to install these addons if they wish, but doing
so is not recommended, as it will alter the browser request fingerprint.
      </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
We believe that if we do not stay current with the support of new web
technologies, we cannot hope to substantially influence or be involved in
their proper deployment or privacy realization. However, we will likely disable
high-risk features pending analysis, audit, and mitigation.
      </p></li></ol></div></div></div><div class="sect1" title="3. Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>3. Implementation</h2></div></div></div><p>

The Implementation section is divided into subsections, each of which
corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
Each subsection is divided into specific web technologies or properties. The
implementation is then described for that property.

  </p><p>

In some cases, the implementation meets the design requirements in a non-ideal
way (for example, by disabling features). In rare cases, there may be no
implementation at all. Both of these cases are denoted by differentiating
between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
are typically linked for these cases.

  </p><div class="sect2" title="3.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>3.1. Proxy Obedience</h3></div></div></div><p>

Proxy obedience is assured through the following:
   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox Proxy settings
 <p>
  The Torbutton xpi sets the Firefox proxy settings to use Tor directly as a
SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
<span class="command"><strong>network.proxy.socks_version</strong></span>, and
<span class="command"><strong>network.proxy.socks_port</strong></span>.
 </p><p>

We have verified that these settings properly proxy HTTPS, OCSP, HTTP, FTP,
gopher (now defunct), DNS, SafeBrowsing queries, all JavaScript activity,
including HTML5 audio and video objects, addon updates, wifi geolocation
queries, searchbox queries, XPCOM addon HTTPS/HTTP activity, and live bookmark
updates. We have also verified that IPv6 connections are not attempted,
through the proxy or otherwise (Tor does not yet support IPv6). We have also
verified that external protocol helpers, such as smb urls and other custom
protocol handlers, are all blocked.

 </p><p>

Numerous other third parties have also reviewed and <a class="link" href="#SingleStateTesting" title="5.1. Single state testing">tested</a> the proxy settings
and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/" target="_top">decloak.net</a>.

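An added example, not Torbutton's code, of auditing a Firefox prefs map for the proxy-obedience properties this subsection describes (proxy everything, resolve DNS remotely, attempt no IPv6, bypass nothing). The pref names are real Firefox prefs, including some the text does not list (network.proxy.type, network.proxy.socks, network.proxy.no_proxies_on, network.dns.disableIPv6); the expected host, port and SOCKS version values and both sample prefs sets are assumptions constructed for the illustration.

```javascript
// Added example, not Torbutton's code: audit a Firefox prefs map for the
// proxy-obedience properties described above. Pref names are real Firefox
// prefs; the expected host/port/version values and both sample prefs sets
// are assumptions constructed for this illustration.

// One rule per pref: the condition that holds in a proxy-obedient profile,
// and what goes wrong when it does not.
const PROXY_RULES = [
  { pref: "network.proxy.type", ok: (v) => v === 1,
    why: "must be 1 (manual); 0 is direct, and the PAC, WPAD and system modes hand the decision to something outside this profile" },
  { pref: "network.proxy.socks", ok: (v) => typeof v === "string" && v.length > 0,
    why: "SOCKS host must be set or there is no proxy at all" },
  { pref: "network.proxy.socks_port", ok: (v) => Number.isInteger(v) && v > 0 && v < 65536,
    why: "SOCKS port must be a valid TCP port" },
  { pref: "network.proxy.socks_version", ok: (v) => v === 5,
    why: "assumed value: SOCKS5, the version Tor Browser is tested with" },
  { pref: "network.proxy.socks_remote_dns", ok: (v) => v === true,
    why: "hostnames must be resolved by Tor; local resolution leaks every site visited" },
  { pref: "network.proxy.no_proxies_on", ok: (v) => v === undefined || v === "",
    why: "any bypass entry makes Firefox connect directly for those hosts" },
  { pref: "network.dns.disableIPv6", ok: (v) => v === true,
    why: "IPv6 lookups and connections must not be attempted outside Tor" },
];

// A protocol-specific proxy, if set, takes that protocol away from SOCKS.
const COMPETING_PROXIES = ["network.proxy.http", "network.proxy.ssl", "network.proxy.ftp"];

// Returns a list of findings; an empty list means the prefs pass the audit.
function checkProxyPrefs(prefs) {
  const findings = [];
  for (const rule of PROXY_RULES) {
    const value = prefs[rule.pref];
    if (!rule.ok(value)) findings.push({ pref: rule.pref, value, why: rule.why });
  }
  for (const pref of COMPETING_PROXIES) {
    if (typeof prefs[pref] === "string" && prefs[pref].length > 0) {
      findings.push({ pref, value: prefs[pref],
        why: "a protocol-specific proxy takes precedence over the SOCKS proxy for that protocol" });
    }
  }
  return findings;
}

// Constructed sample: a profile set up the way the text describes
// (127.0.0.1:9050 is Tor's conventional SOCKS listener, assumed here).
const TOR_PREFS = {
  "network.proxy.type": 1,
  "network.proxy.socks": "127.0.0.1",
  "network.proxy.socks_port": 9050,
  "network.proxy.socks_version": 5,
  "network.proxy.socks_remote_dns": true,
  "network.proxy.no_proxies_on": "",
  "network.dns.disableIPv6": true,
};

// Constructed sample: the same profile after three common mistakes, each of
// which sends some traffic around Tor.
const LEAKY_PREFS = {
  ...TOR_PREFS,
  "network.proxy.socks_remote_dns": false,               // DNS resolved locally
  "network.proxy.no_proxies_on": "localhost, 127.0.0.1", // bypass list populated
  "network.proxy.http": "proxy.example.net",             // HTTP diverted elsewhere
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of checkProxyPrefs(LEAKY_PREFS)) {
    console.log(`${f.pref} = ${JSON.stringify(f.value)}: ${f.why}`);
  }
}
```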
 </p></li><li class="listitem">Disabling plugins

 <p>Plugins have the ability to make arbitrary OS system calls and <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
the ability to make UDP sockets and send arbitrary data independent of the
browser proxy settings.
 </p><p>
Torbutton disables plugins by using the
<span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
as disabled. Additionally, we set
<span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to the list of
supported mime types for all currently installed plugins.
 </p><p>
In addition, to prevent any unproxied activity by plugins at load time, we
also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0007-Block-all-plugins-except-flash.patch" target="_top">prevent the load of any plugins except
for Flash and Gnash</a>.

 </p><p>

Finally, even if the user alters their browser settings to re-enable the Flash
plugin, we have configured NoScript to provide click-to-play placeholders, so
that only desired objects will be loaded, and only after user confirmation.

 </p></li><li class="listitem">External App Blocking
  <p>
External apps, if launched automatically, can be induced to load files that
perform network activity. In order to prevent this, Torbutton installs a
component to
<a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">
provide the user with a popup</a> whenever the browser attempts to
launch a helper app.

Additionally, due primarily to an issue with Ubuntu Unity, url-based drag and drop is
filtered by this component. Unity was pre-fetching URLs without using the
browser's proxy settings during a drag action, even if the drop was ultimately
canceled by the user.
  </p></li></ol></div></div><div class="sect2" title="3.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>3.2. State Separation</h3></div></div></div><p>
Tor Browser state is separated from existing browser state through use of a
custom Firefox profile. Furthermore, plugins are disabled, which prevents
Flash cookies from leaking from a pre-existing Flash directory.
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     476)    </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2652153"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     477) Tor Browser MUST (at user option) prevent all disk records of browser activity.
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  478) The user should be able to optionally enable URL history and other history
projects/en/torbrowser/design/index.html.en  479) features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the
projects/en/torbrowser/design/index.html.en  480) preferences interface</a>, we will likely just enable Private Browsing
projects/en/torbrowser/design/index.html.en  481) mode by default to handle this goal.
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     482)     </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2650204"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  483) For now, Tor Browser blocks write access to the disk through Torbutton
projects/en/torbrowser/design/index.html.en  484) using several Firefox preferences. 
projects/en/torbrowser/design/index.html.en  485) 
projects/en/torbrowser/design/index.html.en  486) 
projects/en/torbrowser/design/index.html.en  487) 
projects/en/torbrowser/design/index.html.en  488) The set of prefs is:
projects/en/torbrowser/design/index.html.en  489) <span class="command"><strong>dom.storage.enabled</strong></span>,
projects/en/torbrowser/design/index.html.en  490) <span class="command"><strong>browser.cache.memory.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  491) <span class="command"><strong>network.http.use-cache</strong></span>,
projects/en/torbrowser/design/index.html.en  492) <span class="command"><strong>browser.cache.disk.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  493) <span class="command"><strong>browser.cache.offline.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  494) <span class="command"><strong>general.open_location.last_url</strong></span>,
projects/en/torbrowser/design/index.html.en  495) <span class="command"><strong>places.history.enabled</strong></span>,
projects/en/torbrowser/design/index.html.en  496) <span class="command"><strong>browser.formfill.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  497) <span class="command"><strong>signon.rememberSignons</strong></span>,
projects/en/torbrowser/design/index.html.en  498) <span class="command"><strong>browser.download.manager.retention</strong></span>,
projects/en/torbrowser/design/index.html.en  499) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>.
projects/en/torbrowser/design/index.html.en  500)     </blockquote></div></div><p>
projects/en/torbrowser/design/index.html.en  501) In addition, three Firefox patches are needed to prevent disk writes, even if
projects/en/torbrowser/design/index.html.en  502) Private Browsing Mode is enabled. We need to
projects/en/torbrowser/design/index.html.en  503) 
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     504) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch" target="_top">prevent
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  505) the permissions manager from recording HTTPS STS state</a>,
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     506) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">prevent
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  507) intermediate SSL certificates from being recorded</a>, and
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     508) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0008-Make-content-pref-service-memory-only-clearable.patch" target="_top">prevent
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  509) the content preferences service from recording site zoom</a>.
projects/en/torbrowser/design/index.html.en  510) 
projects/en/torbrowser/design/index.html.en  511) For more details on these patches, <a class="link" href="#firefox-patches" title="3.9. Description of Firefox Patches">see the
projects/en/torbrowser/design/index.html.en  512) Firefox Patches section</a>.
projects/en/torbrowser/design/index.html.en  513) 
projects/en/torbrowser/design/index.html.en  514)    </p></div><div class="sect2" title="3.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>3.4. Application Data Isolation</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en  515) 
projects/en/torbrowser/design/index.html.en  516) Tor Browser Bundle MUST NOT cause any information to be written outside of the
projects/en/torbrowser/design/index.html.en  517) bundle directory. This is to ensure that the user is able to completely and
projects/en/torbrowser/design/index.html.en  518) safely remove the bundle without leaving other traces of Tor usage on their
projects/en/torbrowser/design/index.html.en  519) computer.
projects/en/torbrowser/design/index.html.en  520) 
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     521)    </p><p>FIXME: sjmurdoch, Erinn: explain what magic we do to satisfy this,
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  522) and/or what additional work or auditing needs to be done.
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     523)    </p></div><div class="sect2" title="3.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>3.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  524) 
projects/en/torbrowser/design/index.html.en  525) The Tor Browser MUST prevent a user's activity on one site from being linked
projects/en/torbrowser/design/index.html.en  526) to their activity on another site. When this goal cannot yet be met with an
projects/en/torbrowser/design/index.html.en  527) existing web technology, that technology or functionality is disabled. Our
projects/en/torbrowser/design/index.html.en  528) <a class="link" href="#privacy" title="2.2. Privacy Requirements">design goal</a> is to ultimately eliminate the need to disable arbitrary
projects/en/torbrowser/design/index.html.en  529) technologies, and instead simply alter them in ways that allows them to
projects/en/torbrowser/design/index.html.en  530) function in a backwards-compatible way while avoiding linkability. Users
projects/en/torbrowser/design/index.html.en  531) should be able to use federated login of various kinds to explicitly inform
projects/en/torbrowser/design/index.html.en  532) sites who they are, but that information should not transparently allow a
projects/en/torbrowser/design/index.html.en  533) third party to record their activity from site to site without their prior
projects/en/torbrowser/design/index.html.en  534) consent.
projects/en/torbrowser/design/index.html.en  535) 
projects/en/torbrowser/design/index.html.en  536)    </p><p>
projects/en/torbrowser/design/index.html.en  537) 
projects/en/torbrowser/design/index.html.en  538) The benefit of this approach comes not only in the form of reduced
projects/en/torbrowser/design/index.html.en  539) linkability, but also in terms of simplified privacy UI. If all stored browser
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     540) state and permissions become associated with the url bar origin, the six or
projects/torbrowser/design/index.html.en     541) seven different pieces of privacy UI governing these identifiers and
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  542) permissions can become just one piece of UI. For instance, a window that lists
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     543) the url bar origin for which browser state exists, possibly with a
projects/torbrowser/design/index.html.en     544) context-menu option to drill down into specific types of state or permissions.
projects/torbrowser/design/index.html.en     545) An example of this simplification can be seen in Figure 1.
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  546) 
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     547)    </p><div class="figure"><a id="id2634370"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  548) 
projects/en/torbrowser/design/index.html.en  549) On the left is the standard Firefox cookie manager. On the right is a mock-up
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     550) of how isolating identifiers to the URL bar origin might simplify the privacy
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  551) UI for all data - not just cookies. Both windows represent the set of
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     552) Cookies accumulated after visiting just five sites, but the window on the
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  553) right has the option of also representing history, DOM Storage, HTTP Auth,
projects/en/torbrowser/design/index.html.en  554) search form history, login values, and so on within a context menu for each
projects/en/torbrowser/design/index.html.en  555) site.
projects/en/torbrowser/design/index.html.en  556) 
projects/en/torbrowser/design/index.html.en  557) </div></div></div><br class="figure-break" /><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Cookies
projects/en/torbrowser/design/index.html.en  558)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  559) 
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     560) All cookies MUST be double-keyed to the url bar origin and third-party
projects/torbrowser/design/index.html.en     561) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>
projects/torbrowser/design/index.html.en     562) that contains a prototype patch, but it lacks UI, and does not apply to modern
projects/torbrowser/design/index.html.en     563) Firefoxes.
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  564) 
projects/en/torbrowser/design/index.html.en  565)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  566) 
projects/en/torbrowser/design/index.html.en  567) As a stopgap to satisfy our design requirement of unlinkability, we currently
projects/en/torbrowser/design/index.html.en  568) entirely disable 3rd party cookies by setting
projects/en/torbrowser/design/index.html.en  569) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
Mike Perry Comments from Georg + proxy...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     570) third party content continue to function, but we believe the requirement for 
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  571) unlinkability trumps that desire.
projects/en/torbrowser/design/index.html.en  572) 
projects/en/torbrowser/design/index.html.en  573)      </p></li><li class="listitem">Cache
projects/en/torbrowser/design/index.html.en  574)      <p>
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     575) 
projects/torbrowser/design/index.html.en     576) Cache is isolated to the url bar origin by using a technique pioneered by
projects/torbrowser/design/index.html.en     577) Colin Jackson et al, via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  578) <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     579) attribute that Firefox uses internally to prevent improper caching and reuse
projects/torbrowser/design/index.html.en     580) of HTTP POST data.  
projects/torbrowser/design/index.html.en     581) 
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  582)      </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     583) 
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  584) However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     585) security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve conflicts
projects/torbrowser/design/index.html.en     586) with OCSP relying the cacheKey property for reuse of POST requests</a>, we
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     587) had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     588) Firefox to provide a cacheDomain cache attribute</a>. We use the fully
projects/torbrowser/design/index.html.en     589) qualified url bar domain as input to this field.
projects/torbrowser/design/index.html.en     590) 
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  591)      </p><p>
projects/en/torbrowser/design/index.html.en  592) 
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     593)  Furthermore, we chose a different
projects/torbrowser/design/index.html.en     594) isolation scheme than the Stanford implementation. First, we decoupled the
projects/torbrowser/design/index.html.en     595) cache isolation from the third party cookie attribute. Second, we use several
projects/torbrowser/design/index.html.en     596) mechanisms to attempt to determine the actual location attribute of the
projects/torbrowser/design/index.html.en     597) top-level window (to obtain the url bar FQDN) used to load the page, as
projects/torbrowser/design/index.html.en     598) opposed to relying solely on the referer property.
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  599) 
projects/en/torbrowser/design/index.html.en  600)      </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     601) 
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  602) Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original
Mike Perry Update TBB design doc with...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     603) Stanford test cases</a> are expected to fail. Functionality can still be
projects/torbrowser/design/index.html.en     604) verified by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and
projects/torbrowser/design/index.html.en     605) viewing the key used for each cache entry. Each third party element should
projects/torbrowser/design/index.html.en     606) have an additional "domain=string" property prepended, which will list the
projects/torbrowser/design/index.html.en     607) FQDN that was used to source the third party element.
projects/torbrowser/design/index.html.en     608) 
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  609)      </p></li><li class="listitem">HTTP Auth
projects/en/torbrowser/design/index.html.en  610)      <p>
projects/en/torbrowser/design/index.html.en  611) 
projects/en/torbrowser/design/index.html.en  612) HTTP authentication tokens are removed for third party elements using the
projects/en/torbrowser/design/index.html.en  613) <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request
projects/en/torbrowser/design/index.html.en  614) observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     615) linkability between domains</a>.  We also needed to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch" target="_top">patch
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  616) Firefox to cause the headers to get added early enough</a> to allow the
projects/en/torbrowser/design/index.html.en  617) observer to modify it.
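The cache isolation and HTTP auth rules above, as an added illustration that is not Torbutton or Firefox code: a third-party element is cached under a key prefixed with the url bar FQDN, and an observer strips Authorization from third-party requests. The "domain=&lt;fqdn&gt;" key layout follows the about:cache description in the text but is an assumption, as is the exact-host third-party test and the sample sites.

```javascript
// Added illustration, not Torbutton or Firefox code: two of the url-bar-origin
// isolation rules from the text, modelled on plain objects.
//   1. cache entries for third-party elements are keyed by the url bar FQDN,
//      so the same tracker resource fetched under two sites cannot link them;
//   2. the http-on-modify-request observer drops Authorization on third-party
//      requests, so a cached HTTP auth credential cannot act as an identifier.
// The "domain=<fqdn>" key prefix is taken from the about:cache description in
// the text; the exact layout of Firefox's real cache key is an assumption.

const hostOf = (url) => new URL(url).hostname;

// Third-party test by exact host comparison. Simplification: the real
// decision would consult the public suffix list (eTLD+1), not the bare host.
function isThirdParty(urlBarUrl, resourceUrl) {
  return hostOf(urlBarUrl) !== hostOf(resourceUrl);
}

// Cache key as about:cache would show it: first-party elements keep the plain
// URL; third-party elements get the url bar FQDN prepended.
function isolatedCacheKey(urlBarUrl, resourceUrl) {
  if (!isThirdParty(urlBarUrl, resourceUrl)) return resourceUrl;
  return `domain=${hostOf(urlBarUrl)}:${resourceUrl}`;
}

// Minimal in-memory cache using the isolated key. `fetchFn` stands in for the
// network and is only invoked on a miss.
class IsolatedCache {
  constructor() { this.entries = new Map(); }
  load(urlBarUrl, resourceUrl, fetchFn) {
    const key = isolatedCacheKey(urlBarUrl, resourceUrl);
    if (!this.entries.has(key)) this.entries.set(key, fetchFn());
    return this.entries.get(key);
  }
  size() { return this.entries.size; }
}

// Model of the http-on-modify-request observer: strip Authorization (any
// header-name casing) when the request is third-party to the url bar origin.
function filterRequestHeaders(urlBarUrl, request) {
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    const strip = name.toLowerCase() === "authorization" &&
      isThirdParty(urlBarUrl, request.url);
    if (!strip) headers[name] = value;
  }
  return { url: request.url, headers };
}

// Constructed demo: a tracker pixel embedded on two unrelated sites. Without
// isolation the second site would hit the entry created under the first.
function demo() {
  const cache = new IsolatedCache();
  let networkFetches = 0;
  const pixel = "https://tracker.example/pixel.gif";
  const fetchPixel = () => `body#${++networkFetches}`;

  cache.load("https://news.example/article", pixel, fetchPixel); // miss
  cache.load("https://news.example/other", pixel, fetchPixel);   // hit
  cache.load("https://shop.example/cart", pixel, fetchPixel);    // miss

  const req = {
    url: "https://tracker.example/api",
    headers: { Authorization: "Basic dXNlcjpwdw==", Accept: "*/*" }, // constructed
  };
  const crossSite = filterRequestHeaders("https://news.example/", req);
  const sameSite = filterRequestHeaders("https://tracker.example/", req);

  return {
    networkFetches,                                         // 2
    cacheEntries: cache.size(),                             // 2
    crossSiteHasAuth: "Authorization" in crossSite.headers, // false
    sameSiteHasAuth: "Authorization" in sameSite.headers,   // true
  };
}
```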

     </p></li><li class="listitem">DOM Storage
     <p><span class="command"><strong>Design Goal:</strong></span>

DOM storage for third party domains MUST be isolated to the url bar origin,
to prevent linkability between sites.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

Because DOM storage is isolated to the third party domain rather than to the
top level url bar origin, we entirely disable it as a stopgap to ensure unlinkability.

     </p></li><li class="listitem">Flash cookies
     <p><span class="command"><strong>Design Goal:</strong></span>

Users should be able to click-to-play flash objects from trusted sites. To
make this behavior unlinkable, we wish to include a settings file for all platforms that disables flash
cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
settings manager</a>.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
difficulties</a> causing Flash player to use this settings
file on Windows, so Flash remains difficult to enable.

     </p></li><li class="listitem">SSL+TLS session resumption and HTTP Keep-Alive
     <p><span class="command"><strong>Design Goal:</strong></span>

TLS session resumption tickets and SSL Session IDs MUST be limited to the url
bar origin.  HTTP Keep-Alive connections from a third party in one url bar
origin MUST NOT be reused for that same third party in another url bar origin.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We currently clear SSL Session IDs upon <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
Identity</a>, and we disable TLS Session Tickets via the Firefox Pref
<span class="command"><strong>security.enable_tls_session_tickets</strong></span>. We disable SSL Session
IDs via a <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0010-Disable-SSL-Session-ID-tracking.patch" target="_top">patch
to Firefox</a>. To compensate for the increased round trip latency from disabling
these performance optimizations, we also enable
<a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS
False Start</a> via the Firefox Pref
<span class="command"><strong>security.ssl.enable_false_start</strong></span>.
    </p><p>

Because of the extreme performance benefits of HTTP Keep-Alive for interactive
web apps, and because of the difficulties of conveying urlbar origin
information down into the Firefox HTTP layer, as a compromise we currently
merely reduce the HTTP Keep-Alive timeout to 20 seconds (which is measured
from the last packet read on the connection) using the Firefox preference
<span class="command"><strong>network.http.keep-alive.timeout</strong></span>.

     </p></li><li class="listitem">Automated cross-origin redirects MUST NOT store identifiers
    <p><span class="command"><strong>Design Goal:</strong></span>

To prevent attacks aimed at subverting the Cross-Origin Identifier
Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
MUST NOT store any identifiers (cookies, cache, DOM storage, HTTP auth, etc)
for cross-origin redirect intermediaries that do not prompt for user input.
For example, if a user clicks on a bit.ly url that redirects to a
doubleclick.net url that finally redirects to a cnn.com url, only cookies from
cnn.com should be retained after the redirect chain completes.

    </p><p>

Non-automated redirect chains that require user input at some step (such as
federated login systems) SHOULD still allow identifiers to persist.

    </p><p><span class="command"><strong>Implementation status:</strong></span>

There are numerous ways for the user to be redirected, and the Firefox API
support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
open</a> to implement what we can.

    </p></li><li class="listitem">window.name
     <p>

<a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
a magical DOM property that for some reason is allowed to retain a persistent value
for the lifespan of a browser tab. It is possible to utilize this property for
<a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
storage</a>.

     </p><p>

In order to eliminate linkability but still allow for sites that utilize this
property to function, we reset the window.name property of tabs in Torbutton every
time we encounter a blank referer. This behavior allows window.name to persist
for the duration of a link-driven navigation session, but as soon as the user
enters a new URL or navigates between https/http schemes, the property is cleared.
projects/en/torbrowser/design/index.html.en  709) 
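The two navigation-session rules above (cookie retention across automated redirect chains, and the window.name reset on a blank referer) as an added JavaScript model; this is not Torbutton's code, and the load sequence, the hostnames search.example, app.example and idp.example, and all cookie values are constructed for the example.

```javascript
// Added model (not Torbutton's code) of the two navigation-session rules:
// window.name is reset on every blank-referer load, and cookies set by
// automated cross-origin redirect hops are dropped once the chain completes.

// One page load: the URL, the Referer it carried ('' when the user typed the
// URL or the browser stripped it on an https->http hop), whether it was an
// automatic redirect, whether the user interacted, and cookies it tried to set.
function load(url, referer, opts = {}) {
  return { url, referer, redirect: false, userInput: false, cookies: [], ...opts };
}

const host = url => new URL(url).hostname;

// window.name rule: returns the indices of loads at which the property must
// be cleared, i.e. every load with a blank referer. Between two such loads
// window.name survives, which is the link-driven navigation session.
function windowNameResets(loads) {
  return loads.map((l, i) => (l.referer === '' ? i : -1)).filter(i => i >= 0);
}

// Redirect-chain rule. The loads are grouped into chains: a load plus the
// automatic redirects that followed it. In a fully automated chain only
// cookies from the final origin are kept; if any hop required user input
// (e.g. a federated login page), all of the chain's identifiers persist.
function retainedCookies(loads) {
  const chains = [];
  for (const l of loads) {
    if (l.redirect && chains.length > 0) chains[chains.length - 1].push(l);
    else chains.push([l]);
  }
  const kept = [];
  for (const chain of chains) {
    const finalHost = host(chain[chain.length - 1].url);
    const interactive = chain.some(h => h.userInput);
    for (const h of chain) {
      if (!interactive && host(h.url) !== finalHost) continue; // automated intermediary
      for (const c of h.cookies) kept.push(`${host(h.url)}:${c}`);
    }
  }
  return kept;
}

// Constructed sample session. The hostnames beyond those in the text
// (search.example, app.example, idp.example) and all cookie values are invented.
const sampleLoads = [
  load('https://search.example/', ''),                          // typed URL: blank referer
  load('https://bit.ly/abc', 'https://search.example/', { cookies: ['bly=0'] }),
  load('https://doubleclick.net/r', 'https://bit.ly/abc',
       { redirect: true, cookies: ['dc_uid=1'] }),
  load('https://cnn.com/story', 'https://doubleclick.net/r',
       { redirect: true, cookies: ['cnn_s=2'] }),
  load('http://cnn.com/plain', ''),                              // https->http: referer stripped
  load('https://app.example/login', 'http://cnn.com/plain'),
  load('https://idp.example/auth', 'https://app.example/login',
       { redirect: true, userInput: true, cookies: ['idp_sso=3'] }),
  load('https://app.example/home', 'https://idp.example/auth',
       { redirect: true, cookies: ['app_sess=4'] }),
];
```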
     </p></li><li class="listitem">Auto form-fill
     <p>

We disable the password saving functionality in the browser as part of our
<a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
since users may decide to re-enable disk history records and password saving,
we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
preference to false to prevent saved values from immediately populating
fields upon page load. Since Javascript can read these values as soon as they
appear, setting this preference prevents automatic linkability from stored passwords.

     </p></li><li class="listitem">HSTS supercookies
      <p>

An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS
supercookies</a>. Since HSTS effectively stores one bit of information per domain
name, an adversary in possession of numerous domains can use them to construct
cookies based on stored HSTS state.

      </p><p><span class="command"><strong>Design Goal:</strong></span>

There appear to be three options for us: 1. Disable HSTS entirely, and rely
instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
Restrict the number of HSTS-enabled third parties allowed per url bar origin.
3. Prevent third parties from storing HSTS rules. We have not yet decided upon
the best approach.

      </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
cleared by <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>, but we don't
defend against the creation of these cookies between <span class="command"><strong>New
Identity</strong></span> invocations.
      </p></li><li class="listitem">Exit node usage
     <p><span class="command"><strong>Design Goal:</strong></span>

Every distinct navigation session (as defined by a non-blank referer header)
MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node
observers from linking concurrent browsing activity.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455" target="_top">Ticket
#3455</a> is the Torbutton ticket to make use of the new Tor
functionality.

     </p></li></ol></div></div><div class="sect2" title="3.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>3.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>

In order to properly address the fingerprinting adversary on a technical
level, we need a metric to measure linkability of the various browser
properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>
by the EFF provides us with exactly this metric. The researchers conducted a
survey of volunteers who were asked to visit an experiment page that harvested
many of the above components. They then computed the Shannon Entropy of the
resulting distribution of each of several key attributes to determine how many
bits of identifying information each attribute provided.

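The entropy metric the Panopticlick study applied, as an added example that is not the EFF's code: it tallies each attribute over a constructed eight-volunteer survey (attribute names and values are invented), reports bits per attribute, and also computes the joint entropy to show that per-attribute bits do not simply add up.

```javascript
// Added example (not Panopticlick's code): the Shannon-entropy metric the
// study used, computed over a constructed survey of eight volunteers.

// Shannon entropy H = -sum_i p_i * log2(p_i), in bits, of a {value: count} tally.
function entropyBits(counts) {
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  let h = 0;
  for (const n of Object.values(counts)) {
    if (n > 0) {
      const p = n / total;
      h -= p * Math.log2(p);
    }
  }
  return h;
}

// Tally how often each value of an attribute occurs across the survey rows.
// Passing several attribute names tallies the tuple, i.e. the joint distribution.
function tally(rows, attr) {
  const keys = Array.isArray(attr) ? attr : [attr];
  const counts = {};
  for (const row of rows) {
    const key = keys.map(k => String(row[k])).join('|');
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Bits of identifying information per attribute, most identifying first:
// the per-attribute ranking the study reported.
function rankAttributes(rows, attrs) {
  return attrs
    .map(attr => ({ attr, bits: entropyBits(tally(rows, attr)) }))
    .sort((a, b) => b.bits - a.bits);
}

// Surprisal -log2(p) of one observed value: how many bits a visitor reveals
// by having that particular value (a one-in-2^bits value).
function surprisalBits(counts, value) {
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  return -Math.log2(counts[value] / total);
}

// Constructed survey (invented values). Every volunteer reports the same
// user agent, the timezone takes four equally common values, and the
// font list is unique to each volunteer.
const survey = [
  { userAgent: 'Firefox/Win', timezone: '-300', fontList: 'Arial,Calibri' },
  { userAgent: 'Firefox/Win', timezone: '-300', fontList: 'Arial,Cambria' },
  { userAgent: 'Firefox/Win', timezone: '0',    fontList: 'Arial,Georgia' },
  { userAgent: 'Firefox/Win', timezone: '0',    fontList: 'Arial,Tahoma' },
  { userAgent: 'Firefox/Win', timezone: '60',   fontList: 'Arial,Verdana' },
  { userAgent: 'Firefox/Win', timezone: '60',   fontList: 'Arial,Impact' },
  { userAgent: 'Firefox/Win', timezone: '540',  fontList: 'Arial,Consolas' },
  { userAgent: 'Firefox/Win', timezone: '540',  fontList: 'Arial,Segoe UI' },
];
const ATTRS = ['userAgent', 'timezone', 'fontList'];
```

Per-attribute bits here sum to 5, but the joint tally over all three attributes yields only log2(8) = 3 bits, the most any survey of eight people can resolve.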
   </p><p>

The study is not exhaustive, though. In particular, the test does not take into
account all aspects of resolution information. It did not calculate the size of
widgets, window decoration, or toolbar size, which we believe may add high
amounts of entropy. It also did not measure clock offset and other time-based
fingerprints. Furthermore, as new browser features are added, this experiment
should be repeated to include them.

   </p><p>

On the other hand, to avoid an infinite sinkhole, we limit our
fingerprinting-resistance efforts to reducing the
fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. We
do not believe it is productive to concern ourselves with cross-browser
fingerprinting issues, at least not at this stage.

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins
     <p>

Plugins add to fingerprinting risk via two main vectors: their mere presence in
window.navigator.plugins, as well as their internal functionality.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

All plugins that have not been specifically audited or sandboxed MUST be
disabled. To reduce linkability potential, even sandboxed plugins should not
be allowed to load objects until the user has clicked through a click-to-play
barrier. Additionally, version information should be reduced or obfuscated
until the plugin object is loaded.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

Currently, we entirely disable all plugins in Tor Browser. However, as a
compromise due to the popularity of Flash, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">work
towards</a> a
click-to-play barrier using NoScript that is available only after the user has
specifically enabled plugins. Flash will be the only plugin available, and we
will ship a settings.sol file to disable Flash cookies, and to restrict P2P
features that likely bypass proxy settings.

     </p></li><li class="listitem">Fonts
     <p>

According to the Panopticlick study, fonts provide the most linkability when
they are provided as an enumerable list in filesystem order, via either the
Flash or Java plugins. However, it is still possible to use CSS and/or
Javascript to query for the existence of specific fonts. With a large enough
pre-built list to query, a large amount of fingerprintable information may
still be available.

     </p><p>

The sure-fire way to address font linkability is to ship the browser with a
font for every language, typeface, and style in use in the world, and to only
use those fonts to the exclusion of system fonts. However, this set may be
impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts" target="_top">common
subset</a> may be found that provides total coverage. However, we believe
that with strong url bar origin identifier isolation, a simpler approach can reduce the
number of bits available to the adversary while avoiding the rendering and
language issues of supporting a global font set.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We disable plugins, which prevents font enumeration. Additionally, we limit
both the number of font queries from CSS, as well as the total number of
fonts that can be used in a document by patching Firefox. We create two prefs,
<span class="command"><strong>browser.display.max_font_attempts</strong></span> and
<span class="command"><strong>browser.display.max_font_count</strong></span> for this purpose. Once these
limits are reached, the browser behaves as if
<span class="command"><strong>browser.display.use_document_fonts</strong></span> were disabled. We are
still working to determine optimal values for these prefs.

     </p></li><li class="listitem">User Agent and HTTP Headers
     <p><span class="command"><strong>Design Goal:</strong></span>

All Tor Browser users MUST provide websites with an identical user agent and
HTTP header set for a given request type. We omit the Firefox minor revision,
and report a popular Windows platform. If the software is kept up to date,
these headers should remain identical across the population even when updated.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

Firefox provides several options for controlling the browser user agent string
which we leverage. We also set similar prefs for controlling the
Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0001-Block-Components.interfaces-lookupMethod-from-conten.patch" target="_top">remove
content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
used</a> to fingerprint OS, platform, and Firefox minor version.  </p></li><li class="listitem">Desktop resolution and CSS Media Queries
     <p>

Both CSS and Javascript expose a lot of information about the screen
resolution, usable desktop size, OS widget size, toolbar size, title bar size, and
other desktop features that is not at all relevant to rendering and serves
only to provide information for fingerprinting.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

Our design goal here is to reduce the resolution information down to the bare
minimum required for properly rendering inside a content window. We intend to
report all rendering information correctly with respect to the size and
properties of the content window, but report an effective size of 0 for all
border material, and also report that the desktop is only as big as the
inner content window. Additionally, new browser windows are sized such that
their content windows are one of ~5 fixed sizes based on the user's
desktop resolution.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We have implemented the above strategy for Javascript using Torbutton's <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">JavaScript
hooks</a> as well as a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l4002" target="_top">resize
new windows based on desktop resolution</a>. Additionally, we patch
Firefox to cause CSS Media Queries to use the client content window size
for all desktop size related media queries.

     </p><p>

As far as we know, this fully satisfies our design goals for desktop
resolution information.

     </p></li><li class="listitem">Timezone and clock offset
     <p><span class="command"><strong>Design Goal:</strong></span>

All Tor Browser users MUST report the same timezone to websites. Currently, we
choose UTC for this purpose, although an equally valid argument could be made
for EDT/EST due to the large English-speaking population density (coupled with
the fact that we spoof a US English user agent). Additionally, the Tor
software should detect if the user's clock is significantly divergent from the
clocks of the relays that it connects to, and use this to reset the clock
values used in Tor Browser to something reasonably accurate.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We set the timezone using the TZ environment variable, which is supported on
all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652" target="_top">obtain a clock
offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in
use.

     </p></li><li class="listitem">Javascript performance fingerprinting
     <p>

<a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance
fingerprinting</a> is the act of profiling the performance
of various Javascript functions for the purpose of fingerprinting the
Javascript engine and the CPU.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
mitigation approaches</a> to reduce the accuracy of performance
fingerprinting without risking too much damage to functionality. Our current
favorite is to reduce the resolution of the Event.timeStamp and the Javascript
Date() object, while also introducing jitter. Our goal is to increase the
amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al.</a> found that
even with the default precision in most browsers, they required up to 120
seconds of amortization and repeated trials to get stable results from their
feature set. We intend to work with the research community to establish the
optimum trade-off between quantization+jitter and amortization time.


     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We have no implementation as of yet.

     </p></li><li class="listitem">Keystroke fingerprinting
     <p>

Keystroke fingerprinting is the act of measuring key strike time and key
flight time. It is seeing increasing use as a biometric.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

We intend to rely on the same mechanisms for defeating Javascript performance
fingerprinting: timestamp quantization and jitter.

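The quantization-plus-jitter mechanism proposed for both Javascript performance fingerprinting and keystroke fingerprinting, as an added example that is not Torbutton's code: a degraded clock that floors timestamps to a grain and adds per-quantum jitter, plus a measurement of how many repeated trials an observer needs before the true timing of a benchmark re-emerges. The 100 ms grain, the 37 ms benchmark and the PRNG are assumptions chosen for the example.

```javascript
// Added example (not Torbutton's code): a model of the timestamp
// quantization-plus-jitter defense, and how much amortization an observer
// needs before the true timing of a benchmark re-emerges.

// Small deterministic PRNG (xorshift32) so runs are reproducible. A real
// implementation would draw its jitter from a cryptographic RNG.
function xorshift32(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s / 0x100000000;                  // uniform in [0, 1)
  };
}

// Builds a degraded clock: the true time is floored to a multiple of grainMs,
// then shifted by a jitter in [0, jitterMs) that is fixed per quantum. With
// jitter <= grain the degraded clock never runs backwards, so Date-based
// page logic keeps working.
function makeQuantizer(grainMs, jitterMs, rand) {
  if (jitterMs > grainMs) throw new RangeError('jitter must not exceed the grain');
  const jitterOfQuantum = new Map();
  return trueMs => {
    const q = Math.floor(trueMs / grainMs) * grainMs;
    if (jitterMs === 0) return q;
    if (!jitterOfQuantum.has(q)) jitterOfQuantum.set(q, Math.floor(rand() * jitterMs));
    return q + jitterOfQuantum.get(q);
  };
}

// What a page script timing one benchmark run sees through the degraded
// clock when the run starts at startMs and truly takes trueMs.
function observedDuration(trueMs, clock, startMs) {
  const t0 = clock(startMs);
  const t1 = clock(startMs + trueMs);
  return t1 - t0;
}

// Mean observed duration over `trials` runs spread out in time, i.e. the
// amortization an observer must do before the true value re-emerges.
function amortizedEstimate(trueMs, trials, grainMs, jitterMs, seed) {
  const rand = xorshift32(seed);
  const clock = makeQuantizer(grainMs, jitterMs, rand);
  let now = 1e6;                             // arbitrary epoch, a multiple of grainMs
  let sum = 0;
  for (let i = 0; i < trials; i++) {
    now += 4 * grainMs;                      // keep each run in fresh quanta
    const start = now + rand() * grainMs;    // random phase within the grain
    sum += observedDuration(trueMs, clock, start);
  }
  return sum / trials;
}
```

With millisecond precision a single trial already reports the true 37 ms; with a 100 ms grain and jitter a single trial reports 0 or roughly 100, and only the mean over thousands of trials approaches 37 again.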
projects/en/torbrowser/design/index.html.en  941)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  942) We have no implementation as of yet.
projects/en/torbrowser/design/index.html.en  943)      </p></li><li class="listitem">WebGL
projects/en/torbrowser/design/index.html.en  944)      <p>
projects/en/torbrowser/design/index.html.en  945) 
projects/en/torbrowser/design/index.html.en  946) WebGL is fingerprintable both through information that is exposed about the
projects/en/torbrowser/design/index.html.en  947) underlying driver and optimizations, as well as through performance
projects/en/torbrowser/design/index.html.en  948) fingerprinting.
projects/en/torbrowser/design/index.html.en  949) 
projects/en/torbrowser/design/index.html.en  950)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  951) 
projects/en/torbrowser/design/index.html.en  952) Because of the large amount of potential fingerprinting vectors, we intend to
projects/en/torbrowser/design/index.html.en  953) deploy a similar strategy against WebGL as for plugins. First, WebGL canvases
projects/en/torbrowser/design/index.html.en  954) will have click-to-play placeholders, and will not run until authorized by the
projects/en/torbrowser/design/index.html.en  955) user. Second, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3323" target="_top">obfuscate driver
projects/en/torbrowser/design/index.html.en  956) information</a> by hooking
projects/en/torbrowser/design/index.html.en  957) <span class="command"><strong>getParameter()</strong></span>,
projects/en/torbrowser/design/index.html.en  958) <span class="command"><strong>getSupportedExtensions()</strong></span>,
projects/en/torbrowser/design/index.html.en  959) <span class="command"><strong>getExtension()</strong></span>, and
projects/en/torbrowser/design/index.html.en  960) <span class="command"><strong>getContextAttributes()</strong></span> to provide standard minimal,
projects/en/torbrowser/design/index.html.en  961) driver-neutral information.
projects/en/torbrowser/design/index.html.en  962) 
projects/en/torbrowser/design/index.html.en  963)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  964) 
projects/en/torbrowser/design/index.html.en  965) Currently we simply disable WebGL. 
projects/en/torbrowser/design/index.html.en  966) 
     </p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
In order to avoid long-term linkability, we provide a "New Identity" context
menu option in Torbutton.
   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2637889"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

All linkable identifiers and browser state MUST be cleared by this feature.

    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2630536"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

First, Torbutton disables all open tabs and windows by tagging them and
blocking them via nsIContentPolicy, and then closes each tab and
window. The extra step of blocking tabs before closing them is a precaution to
ensure that any asynchronous JavaScript is in fact properly disabled. After
closing all of the windows, we then clear the following state: OCSP (by
toggling security.OCSP.enabled), cache, site-specific zoom and content
preferences, cookies, DOM storage, the Safe Browsing key, the Google wifi
geolocation token (if one exists), HTTP auth, SSL Session IDs, and HSTS state;
close all remaining HTTP keep-alive connections; and clear the last opened URL
field (via the pref general.open_location.last_url). After clearing the
browser state, we then send the NEWNYM signal to the Tor control port to cause
a new circuit to be created.

    </blockquote></div><div class="blockquote"><blockquote class="blockquote">
Additionally, the user is allowed to "protect" cookies of their choosing from
deletion during New Identity by using the Torbutton Cookie Protections UI to
mark the cookies they would like to keep across New Identity invocations.
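The final step above, the NEWNYM signal, is an exchange on Tor's control port. What follows is an added example written for this page, not Torbutton's own code: a minimal client that produces the AUTHENTICATE and SIGNAL NEWNYM commands, parses the numeric replies, and refuses to go on when authentication fails. It runs against an in-memory FakeTorController (constructed here in place of a real control port) so it executes offline. The password, the function names and the fake controller's exact error text are assumptions; the command syntax and the 250/510/514/515 reply codes follow the Tor control protocol.

```javascript
'use strict';

// Encode the password form of AUTHENTICATE. The argument is a quoted string,
// so backslashes and double quotes inside the password must be escaped.
function authenticateCommand(password) {
  const escaped = password.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
  return `AUTHENTICATE "${escaped}"\r\n`;
}

// The signal New Identity sends once browser state has been cleared.
function newnymCommand() {
  return 'SIGNAL NEWNYM\r\n';
}

// Parse one reply line such as "250 OK" or "515 Authentication failed".
// The separator after the code is " " for the last line of a reply.
function parseReply(line) {
  const m = /^(\d{3})([ +-])(.*)\r?\n?$/.exec(line);
  if (!m) throw new Error(`malformed control reply: ${JSON.stringify(line)}`);
  return { code: Number(m[1]), last: m[2] === ' ', text: m[3] };
}

// Constructed stand-in for Tor's control port (assumption: not real Tor).
// It accepts one password, requires authentication before any other
// command, and counts the NEWNYM signals it receives.
class FakeTorController {
  constructor(password) {
    this.password = password;
    this.authenticated = false;
    this.newnymCount = 0;
  }
  handle(commandLine) {
    const line = commandLine.replace(/\r\n$/, '');
    if (/^AUTHENTICATE /.test(line)) {
      const m = /^AUTHENTICATE "((?:[^"\\]|\\.)*)"$/.exec(line);
      const given = m ? m[1].replace(/\\(.)/g, '$1') : null;
      if (given === this.password) {
        this.authenticated = true;
        return '250 OK\r\n';
      }
      return '515 Authentication failed: Password did not match\r\n';
    }
    if (!this.authenticated) return '514 Authentication required.\r\n';
    if (line === 'SIGNAL NEWNYM') {
      this.newnymCount += 1;
      return '250 OK\r\n';
    }
    return '510 Unrecognized command\r\n';
  }
}

// Drive the exchange: authenticate, then ask for new circuits. Returns the
// transcript so a caller can see exactly what was sent and answered. Stops
// at the first non-250 reply, so a failed AUTHENTICATE never leads to a
// NEWNYM being sent (or to the user being told they have a new identity).
function requestNewIdentity(controller, password) {
  const transcript = [];
  const send = (cmd) => {
    const reply = parseReply(controller.handle(cmd));
    transcript.push({ sent: cmd.trim(), code: reply.code, text: reply.text });
    return reply;
  };
  const auth = send(authenticateCommand(password));
  if (auth.code !== 250) return { ok: false, stage: 'AUTHENTICATE', transcript };
  const sig = send(newnymCommand());
  if (sig.code !== 250) return { ok: false, stage: 'SIGNAL NEWNYM', transcript };
  return { ok: true, stage: 'done', transcript };
}
```

The check on the AUTHENTICATE reply is the part worth keeping: a controller that sends SIGNAL NEWNYM regardless would report a fresh identity the user never got. Tor is also allowed to rate-limit NEWNYM, so a second signal sent immediately after the first is not guaranteed to produce another new circuit at once.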
    </blockquote></div></div></div><div class="sect2" title="3.8. Click-to-play for plugins and invasive content"><div class="titlepage"><div><div><h3 class="title"><a id="click-to-play"></a>3.8. Click-to-play for plugins and invasive content</h3></div></div></div><p>
Some content types are too invasive and/or too opaque for us to properly
eliminate their linkability properties. For these content types, we use
NoScript to provide click-to-play placeholders that do not activate the
content until the user clicks on it. This eliminates the ability of an
adversary to use such content types to link users in a dragnet fashion across
arbitrary sites.
   </p><p>
Currently, the content types isolated in this way include Flash, WebGL, and
audio and video objects.
   </p></div><div class="sect2" title="3.9. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"></a>3.9. Description of Firefox Patches</h3></div></div></div><p>
The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/maint-2.2:/src/current-patches/firefox" target="_top">current-patches directory of the torbrowser git repository</a>. They are:
   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Block Components.interfaces and Components.lookupMethod
     <p>

In order to reduce fingerprinting, we block access to these two interfaces
from content script. Components.lookupMethod can undo our <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">JavaScript
hooks</a>,
and Components.interfaces can be used for fingerprinting the platform, OS, and
Firefox version, but not much else.

     </p></li><li class="listitem">Make Permissions Manager memory only
     <p>

This patch exposes a pref 'permissions.memory_only' that properly confines the
permissions manager to memory. The permissions manager is responsible for all
user-specified site permissions, as well as the <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a>
policy stored from visited sites.

The pref does successfully clear the permissions manager memory if toggled. It
does not need to be set in prefs.js, and can be handled by Torbutton.

     </p></li><li class="listitem">Make Intermediate Cert Store memory-only
     <p>

The intermediate certificate store records the intermediate SSL certificates
the browser has seen to date. Because these intermediate certificates are used
by a limited number of domains (and in some cases, only a single domain),
the intermediate certificate store can serve as a low-resolution record of
browsing history.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

As an additional design goal, we would like to later alter this patch to allow this
information to be cleared from memory. The implementation does not currently
allow this.

     </p></li><li class="listitem">Add HTTP auth headers before on-modify-request fires
     <p>

This trivial modification allows us to properly remove HTTP auth for third
parties, and so to defend against an adversary attempting to use <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">HTTP
auth to silently track users between domains</a>.

     </p></li><li class="listitem">Add a string-based cacheKey property for domain isolation
     <p>

To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and
unknown conflicts with OCSP</a>, we had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
Firefox to provide a cacheDomain cache attribute</a>. We use the url bar
FQDN as input to this field.

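The two patches above serve one rule: state a request can reach is keyed on the url bar FQDN. The following is an added example for this page, not one of the Firefox patches or Torbutton's observer code: a model of the two isolation decisions (strip HTTP auth on third-party requests; key cache entries on the first-party host) run over constructed requests. The request objects, the `first-party|url` key format and the function names are assumptions for illustration; the exact-FQDN comparison is the one the text describes.

```javascript
'use strict';

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// A request is third-party when its host differs from the url bar FQDN
// (request.firstPartyHost, an assumed field carrying the top-level host).
function isThirdParty(request) {
  return hostOf(request.url) !== request.firstPartyHost.toLowerCase();
}

// Key the cache entry on (url bar FQDN, resource URL) so a resource embedded
// by two sites is cached twice and cannot act as a cross-site identifier.
// The "first-party|url" format is an assumption, not Firefox's real key.
function isolatedCacheKey(request) {
  return `${request.firstPartyHost.toLowerCase()}|${request.url}`;
}

// Drop HTTP auth credentials that would otherwise be sent to a third-party
// host; first-party credentials are left alone. Returns a new object.
function stripThirdPartyAuth(request) {
  const headers = {};
  const thirdParty = isThirdParty(request);
  for (const [name, value] of Object.entries(request.headers || {})) {
    if (thirdParty && name.toLowerCase() === 'authorization') continue;
    headers[name] = value;
  }
  return { ...request, headers };
}

// Apply both rules to one request.
function isolateRequest(request) {
  const r = stripThirdPartyAuth(request);
  return { ...r, cacheKey: isolatedCacheKey(r) };
}

function isolateAll(requests) {
  return requests.map(isolateRequest);
}

// Constructed sample: the same tracker image embedded by two sites, with a
// Basic-auth credential a tracker could use as a cookie substitute.
const SAMPLE_REQUESTS = [
  { firstPartyHost: 'news.example', url: 'https://news.example/index.html',
    headers: { Authorization: 'Basic bmV3czp1c2Vy' } },
  { firstPartyHost: 'news.example', url: 'https://tracker.example/pixel.gif',
    headers: { Authorization: 'Basic dHJhY2tlcjp1c2Vy' } },
  { firstPartyHost: 'shop.example', url: 'https://tracker.example/pixel.gif',
    headers: { Authorization: 'Basic dHJhY2tlcjp1c2Vy' } },
];
```

Keying on the full FQDN means www.news.example and news.example count as third parties to each other; comparing registered domains instead would be a looser policy, which is a design choice rather than something the patch dictates.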
     </p></li><li class="listitem">Randomize HTTP pipeline order and depth
     <p>
As an
<a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
defense against Website Traffic Fingerprinting</a>, we patch the standard
HTTP pipelining code to randomize the number of requests in a
pipeline, as well as their order.
     </p></li><li class="listitem">Block all plugins except flash
     <p>
We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1" target="_top">
@mozilla.org/extensions/blocklist;1</a> service, because we
actually want to stop plugins from ever entering the browser's process space
and/or executing code (for example, AV plugins that collect statistics/analyze
URLs, magical toolbars that phone home or "help" the user, Skype buttons that
ruin our day, and censorship filters). Hence we rolled our own.
     </p></li><li class="listitem">Make content-prefs service memory only
     <p>
This patch prevents random URLs from being inserted into content-prefs.sqlite in
the profile directory as content prefs change (this includes site zoom and
possibly other site-specific prefs).
     </p></li><li class="listitem">Make Tor Browser exit when not launched from Vidalia
     <p>

It turns out that on Windows 7 and later systems, the Taskbar attempts to
automatically learn the most frequently used apps, and it recognizes
Tor Browser as a separate app from Vidalia. This can cause users to try to
launch Tor Browser without Vidalia or a Tor instance running. Worse, the Tor
Browser will automatically find their default Firefox profile, and happily
connect directly without using Tor. This patch is a simple hack to cause Tor
Browser to immediately exit in this case.

     </p></li><li class="listitem">Disable SSL Session ID tracking
     <p>

This patch is a simple 1-line hack to prevent SSL connections from caching
(and then later transmitting) their Session IDs. There was no preference to
govern this behavior, so we had to hack it by altering the SSL new connection
defaults.

     </p></li><li class="listitem">Provide an observer event to close persistent connections
     <p>

This patch creates an observer event in the HTTP connection manager to close
all keep-alive connections that still happen to be open. This event is emitted
by the <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a> button.

     </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2611402"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2611409"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2611419"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>

The purpose of this section is to cover all the known ways that Tor Browser
security can be subverted from a penetration testing perspective. The hope
is that it will be useful both for creating a "Tor Safety Check"
page, and for developing novel tests and actively attacking Torbutton with the
goal of finding vulnerabilities in either it or the Mozilla components,
interfaces and settings upon which it relies.

  </p><div class="sect2" title="5.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>5.1. Single state testing</h3></div></div></div><p>

Torbutton is a complicated piece of software. During development, changes to
one component can affect a whole slew of unrelated features. A number of
aggregated test suites exist that can be used to test for regressions in
Torbutton and to aid in the development of Torbutton-like addons and
other privacy modifications of other browsers. Some of these test suites exist
as a single automated page, while others are a series of pages you must visit
individually. They are provided here for reference and future regression
testing, and also in the hope that some brave soul will one day decide to
combine them into a comprehensive automated test suite.

     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://decloak.net/" target="_top">Decloak.net</a><p>

Decloak.net is the canonical source of plugin and external-application based
proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to
use to test their anonymity systems.

       </p></li><li class="listitem"><a class="ulink" href="http://deanonymizer.com/" target="_top">Deanonymizer.com</a><p>

Deanonymizer.com is another automated test suite that tests for proxy bypass
and other information disclosure vulnerabilities. It is maintained by Kyle
Williams, the author of <a class="ulink" href="http://www.janusvm.com/" target="_top">JanusVM</a>
and <a class="ulink" href="http://www.januspa.com/" target="_top">JanusPA</a>.

       </p></li><li class="listitem"><a class="ulink" href="https://ip-check.info" target="_top">JonDos
AnonTest</a><p>

The <a class="ulink" href="https://anonymous-proxy-servers.net/" target="_top">JonDos people</a> also provide an
anonymity tester. It is more focused on HTTP headers and behaviors than plugin bypass, and
points out a couple of headers Torbutton could do a better job of
obfuscating.

       </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p>

Browserspy.dk provides a tremendous collection of browser fingerprinting and
general privacy tests. Unfortunately they are only available one page at a
time, and there is not really solid feedback on good vs bad behavior in
the test results.

       </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy
Analyzer</a><p>

The Privacy Analyzer provides a dump of all sorts of browser attributes and
settings that it detects, including some information on your original IP