6ddd221f66fd99b523f52a4b9e5d95c85be7a1b8
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    1) <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">March 15, 2013</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="sect1"><a href="#idp2182160">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. 
Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">4.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp5896048">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. 
Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp2182160"></a>1. Introduction</h2></div></div></div><p>

This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a>  of the Tor Browser. It is current as of Tor Browser
2.3.25-5 and Torbutton 1.5.1.

  </p><p>

This document is also meant to serve as a set of design requirements and to
describe a reference implementation of a Private Browsing Mode that defends
against active network adversaries, in addition to the passive forensic local
adversary currently addressed by the major browsers.

  </p><div class="sect2" title="1.1. Browser Component Overview"><div class="titlepage"><div><div><h3 class="title"><a id="components"></a>1.1. Browser Component Overview</h3></div></div></div><p>

The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/" target="_top">Mozilla's Extended
Support Release (ESR) Firefox branch</a>. We have a <a class="link" href="#firefox-patches" title="4.9. Description of Firefox Patches">series of patches</a> against this browser to
enhance privacy and security. Browser behavior is additionally augmented
through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/master" target="_top">Torbutton
extension</a>, though we are in the process of moving this
functionality into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js" target="_top">change
a number of Firefox preferences</a> from their defaults.

   </p><p>

To help protect against potential Tor Exit Node eavesdroppers, we include
<a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a>. To
provide users with optional defense-in-depth against Javascript and other
potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/" target="_top">NoScript</a>. To protect against
PDF-based Tor proxy bypass and to improve usability, we include the <a class="ulink" href="https://addons.mozilla.org/en-us/firefox/addon/pdfjs/" target="_top">PDF.JS</a>
extension. We also modify <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/extension-overrides.js" target="_top">several
extension preferences</a> from their defaults.

   </p></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>

The Tor Browser Design Requirements are meant to describe the properties of a
Private Browsing Mode that defends against both network and local forensic
adversaries.

  </p><p>

There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
minimum properties in order for a browser to be able to support Tor and
similar privacy proxies safely. Privacy requirements are the set of properties
that cause us to prefer one browser over another.

  </p><p>

While we will endorse the use of browsers that meet the security requirements,
it is primarily the privacy requirements that cause us to maintain our own
browser distribution.

  </p><p>

      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
      "OPTIONAL" in this document are to be interpreted as described in
      <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.

  </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>

The security requirements are primarily concerned with ensuring the safe use
of Tor. Violations in these properties typically result in serious risk for
the user in terms of immediate deanonymization and/or observability. With
respect to browser support, security requirements are the minimum properties
in order for Tor to support the use of a particular browser.

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy
Obedience</strong></span></a><p>The browser
MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="4.2. State Separation"><span class="command"><strong>State
Separation</strong></span></a><p>

The browser MUST NOT provide the content window with any state from any other
browsers or any non-Tor browsing modes. This includes shared state from
independent plugins, and shared state from Operating System implementations of
TLS and other support libraries.

</p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance"><span class="command"><strong>Disk
Avoidance</strong></span></a><p>

The browser MUST NOT write any information that is derived from or that
reveals browsing activity to the disk, or store it in memory beyond the
duration of one browsing session, unless the user has explicitly opted to
store their browsing history information to disk.

</p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="4.4. Application Data Isolation"><span class="command"><strong>Application Data
Isolation</strong></span></a><p>

The components involved in providing private browsing MUST be self-contained,
or MUST provide a mechanism for rapid, complete removal of all evidence of the
use of the mode. In other words, the browser MUST NOT write or cause the
operating system to write <span class="emphasis"><em>any information</em></span> about the use
of private browsing to disk outside of the application's control. The user
must be able to ensure that secure deletion of the software is sufficient to
remove evidence of the use of the software. All exceptions and shortcomings
due to operating system behavior MUST be wiped by an uninstaller. However, due
to permissions issues with access to swap, implementations MAY choose to leave
it out of scope, and/or leave it to the Operating System/platform to implement
ephemeral-keyed encrypted swap.

</p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>

The privacy requirements are primarily concerned with reducing linkability:
the ability for a user's activity on one site to be linked with their activity
on another site without their knowledge or explicit consent. With respect to
browser support, privacy requirements are the set of properties that cause us
to prefer one browser over another.

   </p><p>

For the purposes of the unlinkability requirements of this section as well as
the descriptions in the <a class="link" href="#Implementation" title="4. Implementation">implementation
section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the
second-level DNS name.  For example, for mail.google.com, the origin would be
google.com. Implementations MAY, at their option, restrict the url bar origin
to be the entire fully qualified domain name.

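Added example (not from the Tor Browser source or from this document's authors): a JavaScript sketch of deriving the url bar origin defined above, in both the second-level and the full-FQDN variant, and of keying stored identifiers on it so that a third party embedded on two sites sees unrelated state. The function and class names, the sample hosts and the two-entry suffix set are constructed for illustration; a real implementation would consult the full Public Suffix List.

```javascript
// Added illustration; not Tor Browser code. All names here are hypothetical.

// Constructed two-entry stand-in for the Public Suffix List. Without it, taking
// the last two labels of "shop.example.co.uk" gives "co.uk", which would put
// every site under that suffix into one shared origin.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Derive the url bar origin from the URL shown in the address bar.
//   mode "sld":  the default, "at least the second-level DNS name"
//   mode "fqdn": the stricter option, the entire fully qualified domain name
function urlBarOrigin(topLevelUrl, mode = "sld") {
  const host = new URL(topLevelUrl).hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no DNS hierarchy, so the whole host is the origin.
  const isIpLiteral = /^[\d.]+$/.test(host) || host.startsWith("[");
  if (mode === "fqdn" || isIpLiteral) return host;

  const labels = host.split(".");
  const lastTwo = labels.slice(-2).join(".");
  // Keep one extra label when the last two form a known multi-label suffix.
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Identifier store keyed first by url bar origin, then by the host that set
// the value. A third-party host therefore gets a separate jar under every
// first-party site it is embedded in.
class IsolatedIdentifierJar {
  constructor(mode = "sld") {
    this.mode = mode;
    this.jars = new Map(); // url bar origin -> Map("host|name" -> value)
  }

  _jar(topLevelUrl) {
    const key = urlBarOrigin(topLevelUrl, this.mode);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }

  set(topLevelUrl, resourceUrl, name, value) {
    const host = new URL(resourceUrl).hostname.toLowerCase();
    this._jar(topLevelUrl).set(host + "|" + name, value);
  }

  get(topLevelUrl, resourceUrl, name) {
    const host = new URL(resourceUrl).hostname.toLowerCase();
    const value = this._jar(topLevelUrl).get(host + "|" + name);
    return value === undefined ? null : value;
  }
}

// Constructed scenario: tracker.example is embedded on two unrelated sites.
function demo() {
  const jar = new IsolatedIdentifierJar("sld");
  const pixel = "https://tracker.example/pixel.gif";
  jar.set("https://news.example/story", pixel, "uid", "abc123");
  return {
    // Same url bar origin (www.news.example maps to news.example): visible.
    sameOrigin: jar.get("https://www.news.example/other", pixel, "uid"),
    // Different url bar origin: the tracker finds no identifier to link on.
    otherOrigin: jar.get("https://shop.example/cart", pixel, "uid"),
  };
}
```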
   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
Identifier Unlinkability</strong></span></a><p>

User activity on one url bar origin MUST NOT be linkable to their activity in
any other url bar origin by any third party automatically or without user
interaction or approval. This requirement specifically applies to linkability
from stored browser identifiers, authentication tokens, and shared state. The
requirement does not apply to linkable information the user manually submits
to sites, or due to information submitted during manual link traversal. This
functionality SHOULD NOT interfere with interactive, click-driven federated
login in a substantial way.

  </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
Fingerprinting Unlinkability</strong></span></a><p>

User activity on one url bar origin MUST NOT be linkable to their activity in
any other url bar origin by any third party. This property specifically applies to
linkability from fingerprinting browser behavior.

  </p></li><li class="listitem"><a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><span class="command"><strong>Long-Term
Unlinkability</strong></span></a><p>

The browser MUST provide an obvious, easy way for the user to remove all of
its authentication tokens and browser state and obtain a fresh identity.
Additionally, the browser SHOULD clear linkable state by default automatically
upon browser restart, except at user option.

  </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>

In addition to the above design requirements, the technology decisions about
Tor Browser are also guided by some philosophical positions about technology.

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>

The existing way that the user expects to use a browser must be preserved. If
the user has to maintain a different mental model of how the sites they are
using behave depending on tab, browser state, or anything else that would not
normally be what they experience in their default browser, the user will
inevitably be confused. They will make mistakes and reduce their privacy as a
result. Worse, they may just stop using the browser, assuming it is broken.

      </p><p>

User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
of Torbutton</a>: Even if users managed to install everything properly,
the toggle model was too hard for the average user to understand, especially
in the face of accumulating tabs from multiple states crossed with the current
Tor-state of the browser.

      </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
break sites</strong></span><p>

In general, we try to find solutions to privacy issues that will not induce
site breakage, though this is not always possible.

      </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>

Even if plugins always properly used the browser proxy settings (which none of
them do) and could not be induced to bypass them (which all of them can), the
activities of closed-source plugins are very difficult to audit and control.
They can obtain and transmit all manner of system information to websites,
often have their own identifier storage for tracking users, and also
contribute to fingerprinting.

      </p><p>

Therefore, if plugins are to be enabled in private browsing modes, they must
be restricted from running automatically on every page (via click-to-play
placeholders), and/or be sandboxed to restrict the types of system calls they
can execute. If the user agent allows the user to craft an exemption to allow
a plugin to be used automatically, it must only apply to the top level url bar
domain, and not to all sites, to reduce cross-origin fingerprinting
linkability.

       </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>

<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
failure of Torbutton</a> was the options panel. Each option
that detectably alters browser behavior can be used as a fingerprinting tool.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     199) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">should be
projects/torbrowser/design/index.html.en     200) disabled in the mode</a> except on an opt-in basis. We should not load
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     201) system-wide and/or Operating System provided addons or plugins.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  202) 
projects/en/torbrowser/design/index.html.en  203)      </p><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     204) Instead of global browser privacy options, privacy decisions should be made
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     205) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     206) url bar origin</a> to eliminate the possibility of linkability
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  207) between domains. For example, when a plugin object (or a Javascript access of
projects/en/torbrowser/design/index.html.en  208) window.plugins) is present in a page, the user should be given the choice of
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     209) allowing that plugin object for that url bar origin only. The same
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  210) goes for exemptions to third party cookie policy, geo-location, and any other
projects/en/torbrowser/design/index.html.en  211) privacy permissions.
projects/en/torbrowser/design/index.html.en  212)      </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     213) If the user has indicated they wish to record local history storage, these
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     214) permissions can be written to disk. Otherwise, they should remain memory-only. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  215)      </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>
projects/en/torbrowser/design/index.html.en  216) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     217) Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
projects/torbrowser/design/index.html.en     218) Plus</a>, <a class="ulink" href="http://requestpolicy.com/" target="_top">Request Policy</a>,
projects/torbrowser/design/index.html.en     219) <a class="ulink" href="http://www.ghostery.com/about" target="_top">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  220) avoided. We believe that these addons do not add any real privacy to a proper
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     221) <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, and that development efforts
projects/torbrowser/design/index.html.en     222) should be focused on general solutions that prevent tracking by all
projects/torbrowser/design/index.html.en     223) third parties, rather than a list of specific URLs or hosts.
projects/torbrowser/design/index.html.en     224)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  225) Filter-based addons can also introduce strange breakage and cause usability
projects/en/torbrowser/design/index.html.en  226) nightmares, and will also fail to do their job if an adversary simply
projects/en/torbrowser/design/index.html.en  227) registers a new domain or creates a new url path. Worse still, the unique
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     228) filter sets that each user creates or installs will provide a wealth of
projects/torbrowser/design/index.html.en     229) fingerprinting targets.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  230)       </p><p>
projects/en/torbrowser/design/index.html.en  231) 
projects/en/torbrowser/design/index.html.en  232) As a general matter, we are also opposed to shipping an always-on Ad
projects/en/torbrowser/design/index.html.en  233) blocker with Tor Browser. We feel that this would damage our credibility in
projects/en/torbrowser/design/index.html.en  234) terms of demonstrating that we are providing privacy through a sound design
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     235) alone, as well as damage the acceptance of Tor users by sites that support
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  236) themselves through advertising revenue.
projects/en/torbrowser/design/index.html.en  237) 
projects/en/torbrowser/design/index.html.en  238)       </p><p>
projects/en/torbrowser/design/index.html.en  239) Users are free to install these addons if they wish, but doing
projects/en/torbrowser/design/index.html.en  240) so is not recommended, as it will alter the browser request fingerprint.
projects/en/torbrowser/design/index.html.en  241)       </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
projects/en/torbrowser/design/index.html.en  242) We believe that if we do not stay current with the support of new web
projects/en/torbrowser/design/index.html.en  243) technologies, we cannot hope to substantially influence or be involved in
projects/en/torbrowser/design/index.html.en  244) their proper deployment or privacy realization. However, we will likely disable
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     245) high-risk features pending analysis, audit, and mitigation.
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     246)       </p></li></ol></div></div></div><div class="sect1" title="3. Adversary Model"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="adversary"></a>3. Adversary Model</h2></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     247) 
projects/torbrowser/design/index.html.en     248) A Tor web browser adversary has a number of goals, capabilities, and attack
projects/torbrowser/design/index.html.en     249) types that can be used to illustrate the design requirements for the
projects/torbrowser/design/index.html.en     250) Tor Browser. Let's start with the goals.
projects/torbrowser/design/index.html.en     251) 
Mike Perry TBB design doc: Make sectio...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     252)    </p><div class="sect2" title="3.1. Adversary Goals"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-goals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     253) Tor, causing the user to directly connect to an IP of the adversary's
projects/torbrowser/design/index.html.en     254) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
projects/torbrowser/design/index.html.en     255) happily settle for the ability to correlate something a user did via Tor with
projects/torbrowser/design/index.html.en     256) their non-Tor activity. This can be done with cookies, cache identifiers,
projects/torbrowser/design/index.html.en     257) javascript events, and even CSS. Sometimes the fact that a user uses Tor may
projects/torbrowser/design/index.html.en     258) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
projects/torbrowser/design/index.html.en     259) The adversary may also be interested in history disclosure: the ability to
projects/torbrowser/design/index.html.en     260) query a user's history to see if they have issued certain censored search
projects/torbrowser/design/index.html.en     261) queries, or visited censored sites.
projects/torbrowser/design/index.html.en     262)      </p></li><li class="listitem"><span class="command"><strong>Correlate activity across multiple sites</strong></span><p>
projects/torbrowser/design/index.html.en     263) 
projects/torbrowser/design/index.html.en     264) The primary goal of the advertising networks is to know that the user who
projects/torbrowser/design/index.html.en     265) visited siteX.com is the same user that visited siteY.com to serve them
projects/torbrowser/design/index.html.en     266) targeted ads. The advertising networks become our adversary insofar as they
projects/torbrowser/design/index.html.en     267) attempt to perform this correlation without the user's explicit consent.
projects/torbrowser/design/index.html.en     268) 
projects/torbrowser/design/index.html.en     269)      </p></li><li class="listitem"><span class="command"><strong>Fingerprinting/anonymity set reduction</strong></span><p>
projects/torbrowser/design/index.html.en     270) 
projects/torbrowser/design/index.html.en     271) Fingerprinting (more generally: "anonymity set reduction") is used to attempt
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     272) to gather identifying information on a particular individual without the use
projects/torbrowser/design/index.html.en     273) of tracking identifiers. If the dissident or whistleblower's timezone is
projects/torbrowser/design/index.html.en     274) available, and they are using a rare build of Firefox for an obscure operating
projects/torbrowser/design/index.html.en     275) system, and they have a specific display resolution only used on one type of
projects/torbrowser/design/index.html.en     276) laptop, this can be very useful information for tracking them down, or at
projects/torbrowser/design/index.html.en     277) least <a class="link" href="#fingerprinting">tracking their activities</a>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     278) 
projects/torbrowser/design/index.html.en     279)      </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
projects/torbrowser/design/index.html.en     280) information</strong></span><p>
projects/torbrowser/design/index.html.en     281) In some cases, the adversary may opt for a heavy-handed approach, such as
projects/torbrowser/design/index.html.en     282) seizing the computers of all Tor users in an area (especially after narrowing
projects/torbrowser/design/index.html.en     283) the field by the above two pieces of information). History records and cache
projects/torbrowser/design/index.html.en     284) data are the primary goals here.
Mike Perry TBB design doc: Make sectio...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     285)      </p></li></ol></div></div><div class="sect2" title="3.2. Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-positioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     286) The adversary can position themselves at a number of different locations in
projects/torbrowser/design/index.html.en     287) order to execute their attacks.
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     288)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     289) The adversary can run exit nodes, or alternatively, they may control routers
projects/torbrowser/design/index.html.en     290) upstream of exit nodes. Both of these scenarios have been observed in the
projects/torbrowser/design/index.html.en     291) wild.
projects/torbrowser/design/index.html.en     292)      </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
projects/torbrowser/design/index.html.en     293) The adversary can also run websites, or more likely, they can contract out
projects/torbrowser/design/index.html.en     294) ad space from a number of different ad servers and inject content that way. For
projects/torbrowser/design/index.html.en     295) some users, the adversary may be the ad servers themselves. It is not
projects/torbrowser/design/index.html.en     296) inconceivable that ad servers may try to subvert or reduce a user's anonymity 
projects/torbrowser/design/index.html.en     297) through Tor for marketing purposes.
projects/torbrowser/design/index.html.en     298)      </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
projects/torbrowser/design/index.html.en     299) The adversary can also inject malicious content at the user's upstream router
projects/torbrowser/design/index.html.en     300) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
projects/torbrowser/design/index.html.en     301) activity.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     302)      </p><p>
projects/torbrowser/design/index.html.en     303) 
projects/torbrowser/design/index.html.en     304) Additionally, at this position the adversary can block Tor, or attempt to
projects/torbrowser/design/index.html.en     305) recognize the traffic patterns of specific web pages at the entrance to the Tor
projects/torbrowser/design/index.html.en     306) network. 
projects/torbrowser/design/index.html.en     307) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     308)      </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
projects/torbrowser/design/index.html.en     309) Some users face adversaries with intermittent or constant physical access.
projects/torbrowser/design/index.html.en     310) Users in Internet cafes, for example, face such a threat. In addition, in
projects/torbrowser/design/index.html.en     311) countries where simply using tools like Tor is illegal, users may face
projects/torbrowser/design/index.html.en     312) confiscation of their computer equipment for excessive Tor usage or just
projects/torbrowser/design/index.html.en     313) general suspicion.
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     314)      </p></li></ol></div></div><div class="sect2" title="3.3. Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"></a>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     315) 
projects/torbrowser/design/index.html.en     316) The adversary can perform the following attacks from a number of different 
projects/torbrowser/design/index.html.en     317) positions to accomplish various aspects of their goals. It should be noted
projects/torbrowser/design/index.html.en     318) that many of these attacks (especially those involving IP address leakage) are
projects/torbrowser/design/index.html.en     319) often performed by accident by websites that simply have Javascript, dynamic 
projects/torbrowser/design/index.html.en     320) CSS elements, and plugins. Others are performed by ad servers seeking to
projects/torbrowser/design/index.html.en     321) correlate users' activity across different IP addresses, and still others are
projects/torbrowser/design/index.html.en     322) performed by malicious agents on the Tor network and at national firewalls.
projects/torbrowser/design/index.html.en     323) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     324)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     325) 
projects/torbrowser/design/index.html.en     326) The browser contains multiple facilities for storing identifiers that the
projects/torbrowser/design/index.html.en     327) adversary creates for the purposes of tracking users. These identifiers are
projects/torbrowser/design/index.html.en     328) most obviously cookies, but also include HTTP auth, DOM storage, cached
projects/torbrowser/design/index.html.en     329) scripts and other elements with embedded identifiers, client certificates, and
projects/torbrowser/design/index.html.en     330) even TLS Session IDs.
projects/torbrowser/design/index.html.en     331) 
projects/torbrowser/design/index.html.en     332)      </p><p>
projects/torbrowser/design/index.html.en     333) 
projects/torbrowser/design/index.html.en     334) An adversary in a position to perform MITM content alteration can inject
projects/torbrowser/design/index.html.en     335) document content elements to both read and inject cookies for arbitrary
projects/torbrowser/design/index.html.en     336) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     337) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     338) sidejacking</a>. In addition, the ad networks of course perform tracking
projects/torbrowser/design/index.html.en     339) with cookies as well.
projects/torbrowser/design/index.html.en     340) 
projects/torbrowser/design/index.html.en     341)      </p><p>
projects/torbrowser/design/index.html.en     342) 
projects/torbrowser/design/index.html.en     343) These types of attacks are attempts at subverting our <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.
projects/torbrowser/design/index.html.en     344) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     345)      </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     346) attributes</strong></span><p>
projects/torbrowser/design/index.html.en     347) 
projects/torbrowser/design/index.html.en     348) There is an absurd amount of information available to websites via attributes
projects/torbrowser/design/index.html.en     349) of the browser. This information can be used to reduce the anonymity set, or even
projects/torbrowser/design/index.html.en     350) uniquely fingerprint individual users. Attacks of this nature are typically
projects/torbrowser/design/index.html.en     351) aimed at tracking users across sites without their consent, in an attempt to
projects/torbrowser/design/index.html.en     352) subvert our <a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability">Cross-Origin
projects/torbrowser/design/index.html.en     353) Fingerprinting Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.
projects/torbrowser/design/index.html.en     354) 
projects/torbrowser/design/index.html.en     355) </p><p>
projects/torbrowser/design/index.html.en     356) 
projects/torbrowser/design/index.html.en     357) Fingerprinting is an intimidating
projects/torbrowser/design/index.html.en     358) problem to attempt to tackle, especially without a metric to determine or at
projects/torbrowser/design/index.html.en     359) least intuitively understand and estimate which features will most contribute
projects/torbrowser/design/index.html.en     360) to linkability between visits.
projects/torbrowser/design/index.html.en     361) 
projects/torbrowser/design/index.html.en     362) </p><p>
projects/torbrowser/design/index.html.en     363) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     364) The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study
projects/torbrowser/design/index.html.en     365) done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29" target="_top">Shannon
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     366) entropy</a> - the number of identifying bits of information encoded in
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     367) browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> is
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     368) definitely useful, and the metric is probably the appropriate one for
projects/torbrowser/design/index.html.en     369) determining how identifying a particular browser property is. However, some
projects/torbrowser/design/index.html.en     370) quirks of their study mean that they do not extract as much information as
projects/torbrowser/design/index.html.en     371) they could from display information: they only use desktop resolution and do
projects/torbrowser/design/index.html.en     372) not attempt to infer the size of toolbars. In the other direction, they may be
projects/torbrowser/design/index.html.en     373) over-counting in some areas, as they did not compute joint entropy over
projects/torbrowser/design/index.html.en     374) multiple attributes that may exhibit a high degree of correlation. Also, new
projects/torbrowser/design/index.html.en     375) browser features are added regularly, so the data should not be taken as
projects/torbrowser/design/index.html.en     376) final.
projects/torbrowser/design/index.html.en     377) 
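Added example (not part of the original design document or of the Panopticlick study): the over-counting described above, computed on a constructed eight-visitor sample in which the font set is fully determined by the platform. All attribute names, values and function names are assumptions made for illustration.

```python
import math
from collections import Counter

ATTRS = ("platform", "fonts", "resolution")

# Constructed sample of 8 visitors (illustrative, not Panopticlick data).
# "fonts" is fully determined by "platform" to model correlated attributes.
_ROWS = [
    ("Windows", "windows-default", "1366x768"),
    ("Windows", "windows-default", "1920x1080"),
    ("Mac", "mac-default", "1440x900"),
    ("Linux", "linux-default", "1920x1080"),
]
SAMPLE = [dict(zip(ATTRS, row)) for row in _ROWS for _ in range(2)]


def entropy(observations):
    """Shannon entropy, in bits, of the empirical distribution of observations."""
    counts = Counter(observations)
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def project(records, attrs):
    """Reduce each record to the tuple of the selected attributes."""
    return [tuple(r[a] for a in attrs) for r in records]


def joint_entropy(records, attrs):
    """Entropy of the attributes taken together as one combined value."""
    return entropy(project(records, attrs))


def summed_marginal_entropy(records, attrs):
    """Per-attribute entropies added up as if the attributes were independent."""
    return sum(joint_entropy(records, (a,)) for a in attrs)


def surprisal(records, attrs, visitor):
    """Bits revealed by this visitor's combined values: -log2 P(values)."""
    key = tuple(visitor[a] for a in attrs)
    matches = project(records, attrs).count(key)
    if matches == 0:
        raise ValueError("visitor's values do not occur in the sample")
    return -math.log2(matches / len(records))


def summed_surprisal(records, attrs, visitor):
    """Per-attribute surprisals added up, which over-counts when attributes correlate."""
    return sum(surprisal(records, (a,), visitor) for a in attrs)


def mutual_information(records, a, b):
    """I(a; b) = H(a) + H(b) - H(a, b): bits of b already implied by a."""
    return (joint_entropy(records, (a,)) + joint_entropy(records, (b,))
            - joint_entropy(records, (a, b)))


def report(records, attrs, visitor):
    """Collect the independent-sum and joint figures side by side."""
    return {
        "summed_marginal_bits": summed_marginal_entropy(records, attrs),
        "joint_bits": joint_entropy(records, attrs),
        "max_possible_bits": math.log2(len(records)),
        "visitor_summed_bits": summed_surprisal(records, attrs, visitor),
        "visitor_joint_bits": surprisal(records, attrs, visitor),
        "platform_fonts_mutual_bits": mutual_information(records, "platform", "fonts"),
    }


if __name__ == "__main__":
    mac_visitor = {"platform": "Mac", "fonts": "mac-default", "resolution": "1440x900"}
    for name, bits in report(SAMPLE, ATTRS, mac_visitor).items():
        print(f"{name:28s} {bits:.2f}")
```

Adding per-attribute figures credits the Mac visitor with 6 bits, more than the 3 bits needed to single out one visitor among eight, while the joint figure is 2 bits (one in four).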
projects/torbrowser/design/index.html.en     378)       </p><p>
projects/torbrowser/design/index.html.en     379) 
projects/torbrowser/design/index.html.en     380) Despite the uncertainty, all fingerprinting attacks leverage the following
projects/torbrowser/design/index.html.en     381) attack vectors:
projects/torbrowser/design/index.html.en     382) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     383)      </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     384) 
projects/torbrowser/design/index.html.en     385) Properties of the user's request behavior comprise the bulk of low-hanging
projects/torbrowser/design/index.html.en     386) fingerprinting targets. These include: User agent, Accept-* headers, pipeline
projects/torbrowser/design/index.html.en     387) usage, and request ordering. Additionally, the use of custom filters such as
projects/torbrowser/design/index.html.en     388) AdBlock and other privacy filters can be used to fingerprint request patterns
projects/torbrowser/design/index.html.en     389) (as an extreme example).
projects/torbrowser/design/index.html.en     390) 
projects/torbrowser/design/index.html.en     391)      </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
projects/torbrowser/design/index.html.en     392) 
projects/torbrowser/design/index.html.en     393) Javascript can reveal a lot of fingerprinting information. It provides DOM
projects/torbrowser/design/index.html.en     394) objects such as window.screen and window.navigator to extract information
projects/torbrowser/design/index.html.en     395) about the useragent. 
projects/torbrowser/design/index.html.en     396) 
projects/torbrowser/design/index.html.en     397) Also, Javascript can be used to query the user's timezone via the
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     398) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     399) reveal information about the video card in use, and high precision timing
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     400) information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     401) interpreter speed</a>. In the future, new JavaScript features such as
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     402) <a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/" target="_top">Resource
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     403) Timing</a> may leak an unknown amount of network timing related
projects/torbrowser/design/index.html.en     404) information.
projects/torbrowser/design/index.html.en     405) 
projects/torbrowser/design/index.html.en     406) 
projects/torbrowser/design/index.html.en     407) 
projects/torbrowser/design/index.html.en     408)      </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
projects/torbrowser/design/index.html.en     409) 
projects/torbrowser/design/index.html.en     410) The Panopticlick project found that the mere list of installed plugins (in
projects/torbrowser/design/index.html.en     411) navigator.plugins) was sufficient to provide a large degree of
projects/torbrowser/design/index.html.en     412) fingerprintability. Additionally, plugins are capable of extracting font lists,
projects/torbrowser/design/index.html.en     413) interface addresses, and other machine information that is beyond what the
projects/torbrowser/design/index.html.en     414) browser would normally provide to content. In addition, plugins can be used to
projects/torbrowser/design/index.html.en     415) store unique identifiers that are more difficult to clear than standard
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     416) cookies.  <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     417) cookies</a> fall into this category, but there are likely numerous other
projects/torbrowser/design/index.html.en     418) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
projects/torbrowser/design/index.html.en     419) settings of the browser. 
projects/torbrowser/design/index.html.en     420) 
projects/torbrowser/design/index.html.en     421) 
projects/torbrowser/design/index.html.en     422)      </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
projects/torbrowser/design/index.html.en     423) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     424) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     425) queries</a> can be inserted to gather information about the desktop size,
projects/torbrowser/design/index.html.en     426) widget size, display type, DPI, user agent type, and other information that
projects/torbrowser/design/index.html.en     427) was formerly available only to JavaScript.
projects/torbrowser/design/index.html.en     428) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     429)      </p></li></ol></div></li><li class="listitem"><a id="website-traffic-fingerprinting"></a><span class="command"><strong>Website traffic fingerprinting</strong></span><p>
projects/torbrowser/design/index.html.en     430) 
projects/torbrowser/design/index.html.en     431) Website traffic fingerprinting is an attempt by the adversary to recognize the
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     432) encrypted traffic patterns of specific websites. In the case of Tor, this
projects/torbrowser/design/index.html.en     433) attack would take place between the user and the Guard node, or at the Guard
projects/torbrowser/design/index.html.en     434) node itself.
projects/torbrowser/design/index.html.en     435)      </p><p> The most comprehensive study of the statistical properties of this
projects/torbrowser/design/index.html.en     436) attack against Tor was done by <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     437) et al</a>. Unfortunately, the publication bias in academia has encouraged
projects/torbrowser/design/index.html.en     438) the production of a number of follow-on attack papers claiming "improved"
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     439) success rates, in some cases even claiming to completely invalidate any
projects/torbrowser/design/index.html.en     440) attempt at defense. These "improvements" are actually enabled primarily by
projects/torbrowser/design/index.html.en     441) taking a number of shortcuts (such as classifying only very small numbers of
projects/torbrowser/design/index.html.en     442) web pages, neglecting to publish ROC curves or at least false positive rates,
projects/torbrowser/design/index.html.en     443) and/or omitting the effects of dataset size on their results). Despite these
projects/torbrowser/design/index.html.en     444) subsequent "improvements", we are skeptical of the efficacy of this attack in
projects/torbrowser/design/index.html.en     445) a real world scenario, <span class="emphasis"><em>especially</em></span> in the face of any
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     446) defenses.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     447) 
projects/torbrowser/design/index.html.en     448)      </p><p>
projects/torbrowser/design/index.html.en     449) 
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     450) In general, with machine learning, as you increase the <a class="ulink" href="https://en.wikipedia.org/wiki/VC_dimension" target="_top">number and/or complexity of
projects/torbrowser/design/index.html.en     451) categories to classify</a> while maintaining a limit on reliable feature
projects/torbrowser/design/index.html.en     452) information you can extract, you eventually run out of descriptive feature
projects/torbrowser/design/index.html.en     453) information, and either true positive accuracy goes down or the false positive
projects/torbrowser/design/index.html.en     454) rate goes up. This error is called the <a class="ulink" href="http://www.cs.washington.edu/education/courses/csep573/98sp/lectures/lecture8/sld050.htm" target="_top">bias
projects/torbrowser/design/index.html.en     455) in your hypothesis space</a>. In fact, even for unbiased hypothesis
projects/torbrowser/design/index.html.en     456) spaces, the number of training examples required to achieve a reasonable error
projects/torbrowser/design/index.html.en     457) bound is <a class="ulink" href="https://en.wikipedia.org/wiki/Probably_approximately_correct_learning#Equivalence" target="_top">a
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     458) function of the complexity of the categories</a> you need to classify.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     459) 
projects/torbrowser/design/index.html.en     460)      </p><p>
projects/torbrowser/design/index.html.en     461) 
projects/torbrowser/design/index.html.en     462) 
projects/torbrowser/design/index.html.en     463) In the case of this attack, the key factors that increase the classification
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     464) complexity (and thus hinder a real world adversary who attempts this attack)
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     465) are large numbers of dynamically generated pages, partially cached content,
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     466) and also the non-web activity of the entire Tor network. This yields an effective
projects/torbrowser/design/index.html.en     467) number of "web pages" many orders of magnitude larger than even <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko's
projects/torbrowser/design/index.html.en     468) "Open World" scenario</a>, which suffered continuous near-constant decline
projects/torbrowser/design/index.html.en     469) in the true positive rate as the "Open World" size grew (see figure 4). This
projects/torbrowser/design/index.html.en     470) large level of classification complexity is further confounded by a noisy and
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     471) low resolution featureset - one which is also relatively easy for the defender
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     472) to manipulate at low cost.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     473) 
projects/torbrowser/design/index.html.en     474)      </p><p>
projects/torbrowser/design/index.html.en     475) 
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     476) To make matters worse for a real-world adversary, the ocean of Tor Internet
projects/torbrowser/design/index.html.en     477) activity (at least, when compared to a lab setting) makes it a certainty that
projects/torbrowser/design/index.html.en     478) an adversary attempting to examine large amounts of Tor traffic will ultimately
projects/torbrowser/design/index.html.en     479) be overwhelmed by false positives (even after making heavy tradeoffs on the
projects/torbrowser/design/index.html.en     480) ROC curve to minimize false positives to below 0.01%). This problem is known
projects/torbrowser/design/index.html.en     481) in the IDS literature as the <a class="ulink" href="http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf" target="_top">Base Rate
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     482) Fallacy</a>, and it is the primary reason that anomaly and activity
projects/torbrowser/design/index.html.en     483) classification-based IDS and antivirus systems have failed to materialize in
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     484) the marketplace (despite early success in academic literature).
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     485) 
projects/torbrowser/design/index.html.en     486)      </p><p>
projects/torbrowser/design/index.html.en     487) 
projects/torbrowser/design/index.html.en     488) Still, we do not believe that these issues are enough to dismiss the attack
projects/torbrowser/design/index.html.en     489) outright. But we do believe these factors make it both worthwhile and
projects/torbrowser/design/index.html.en     490) effective to <a class="link" href="#traffic-fingerprinting-defenses">deploy
projects/torbrowser/design/index.html.en     491) light-weight defenses</a> that reduce the accuracy of this attack by
projects/torbrowser/design/index.html.en     492) further contributing noise to hinder successful feature extraction.
projects/torbrowser/design/index.html.en     493) 
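The Base Rate Fallacy argument above, worked through as an added example (not part of the original design document). The 0.01% false positive rate is the figure from the text; the true positive rate, base rates and traffic volume are constructed assumptions chosen only to show the shape of the effect.

```python
"""Base-rate arithmetic for a traffic fingerprinting classifier (added example).

The 0.01% false positive rate is the figure quoted in the text. The true
positive rate, base rates and traffic volume are constructed assumptions.
"""

FPR_FROM_TEXT = 0.0001                   # 0.01%, the rate named in the text
ASSUMED_TPR = 0.90                       # assumption: classifier hit rate
ASSUMED_LOADS = 10_000_000               # assumption: observed page loads
ASSUMED_BASE_RATES = (1e-2, 1e-4, 1e-6)  # assumption: share of monitored loads


def detection_precision(tpr, fpr, base_rate):
    """P(load really is a monitored page | the classifier raised an alarm)."""
    hits = tpr * base_rate
    false_alarms = fpr * (1.0 - base_rate)
    total = hits + false_alarms
    return hits / total if total else 0.0


def expected_alarms(n_loads, tpr, fpr, base_rate):
    """Expected (true alarms, false alarms) over n_loads observed page loads."""
    monitored = n_loads * base_rate
    return tpr * monitored, fpr * (n_loads - monitored)


def max_fpr_for_precision(tpr, base_rate, target_precision):
    """Largest false positive rate that still reaches target_precision.

    Solves precision = tpr*p / (tpr*p + fpr*(1-p)) for fpr.
    """
    if not (0.0 < target_precision < 1.0 and 0.0 < base_rate < 1.0):
        raise ValueError("target_precision and base_rate must lie in (0, 1)")
    return (tpr * base_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


def sweep(tpr, fpr, base_rates, n_loads):
    """One result row per base rate, showing how alarms split as it shrinks."""
    rows = []
    for p in base_rates:
        true_a, false_a = expected_alarms(n_loads, tpr, fpr, p)
        rows.append({
            "base_rate": p,
            "true_alarms": true_a,
            "false_alarms": false_a,
            "precision": detection_precision(tpr, fpr, p),
            "fpr_needed_for_50pct": max_fpr_for_precision(tpr, p, 0.5),
        })
    return rows


if __name__ == "__main__":
    print(f"TPR={ASSUMED_TPR:.2f} FPR={FPR_FROM_TEXT:.4%} loads={ASSUMED_LOADS:,}")
    print(f"{'base rate':>10} {'true':>10} {'false':>10} "
          f"{'precision':>10} {'FPR for 50%':>12}")
    for r in sweep(ASSUMED_TPR, FPR_FROM_TEXT, ASSUMED_BASE_RATES, ASSUMED_LOADS):
        print(f"{r['base_rate']:>10.0e} {r['true_alarms']:>10.1f} "
              f"{r['false_alarms']:>10.1f} {r['precision']:>10.4f} "
              f"{r['fpr_needed_for_50pct']:>12.2e}")
```

Under these assumptions the false alarm count stays near 1,000 while the true alarm count falls with the base rate, so precision collapses even though the classifier itself is unchanged.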
projects/torbrowser/design/index.html.en     494)      </p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     495) OS</strong></span><p>
projects/torbrowser/design/index.html.en     496) 
projects/torbrowser/design/index.html.en     497) Last, but definitely not least, the adversary can exploit either general
projects/torbrowser/design/index.html.en     498) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
projects/torbrowser/design/index.html.en     499) install malware and surveillance software. An adversary with physical access
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     500) can perform similar actions.
projects/torbrowser/design/index.html.en     501) 
projects/torbrowser/design/index.html.en     502)     </p><p>
projects/torbrowser/design/index.html.en     503) 
projects/torbrowser/design/index.html.en     504) For the purposes of the browser itself, we limit the scope of this adversary
projects/torbrowser/design/index.html.en     505) to one that has passive forensic access to the disk after browsing activity
projects/torbrowser/design/index.html.en     506) has taken place. This adversary motivates our 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     507) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> defenses.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     508) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     509)     </p><p>
projects/torbrowser/design/index.html.en     510) 
projects/torbrowser/design/index.html.en     511) An adversary with arbitrary code execution typically has more power, though.
projects/torbrowser/design/index.html.en     512) It can be quite hard to significantly limit the capabilities of such an
projects/torbrowser/design/index.html.en     513) adversary. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails system</a> can
projects/torbrowser/design/index.html.en     514) provide some defense against this adversary through the use of read-only media
projects/torbrowser/design/index.html.en     515) and frequent reboots, but even this can be circumvented on machines without
projects/torbrowser/design/index.html.en     516) Secure Boot through the use of BIOS rootkits.
projects/torbrowser/design/index.html.en     517) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     518)      </p></li></ol></div></div></div><div class="sect1" title="4. Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>4. Implementation</h2></div></div></div><p>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     519) 
projects/torbrowser/design/index.html.en     520) The Implementation section is divided into subsections, each of which
projects/torbrowser/design/index.html.en     521) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
projects/torbrowser/design/index.html.en     522) Each subsection is divided into specific web technologies or properties. The
projects/torbrowser/design/index.html.en     523) implementation is then described for that property.
projects/torbrowser/design/index.html.en     524) 
projects/torbrowser/design/index.html.en     525)   </p><p>
projects/torbrowser/design/index.html.en     526) 
projects/torbrowser/design/index.html.en     527) In some cases, the implementation meets the design requirements in a non-ideal
projects/torbrowser/design/index.html.en     528) way (for example, by disabling features). In rare cases, there may be no
projects/torbrowser/design/index.html.en     529) implementation at all. Both of these cases are denoted by differentiating
projects/torbrowser/design/index.html.en     530) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     531) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     532) are typically linked for these cases.
projects/torbrowser/design/index.html.en     533) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     534)   </p><div class="sect2" title="4.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>4.1. Proxy Obedience</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  535) 
projects/en/torbrowser/design/index.html.en  536) Proxy obedience is assured through the following:
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     537)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox proxy settings, patches, and build flags
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  538)  <p>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     539) Our <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js" target="_top">Firefox
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     540) preferences file</a> sets the Firefox proxy settings to use Tor directly as a
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  541) SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     542) <span class="command"><strong>network.proxy.socks_version</strong></span>,
projects/torbrowser/design/index.html.en     543) <span class="command"><strong>network.proxy.socks_port</strong></span>, and
projects/torbrowser/design/index.html.en     544) <span class="command"><strong>network.dns.disablePrefetch</strong></span>.
projects/torbrowser/design/index.html.en     545)  </p><p>
projects/torbrowser/design/index.html.en     546) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     547) We also patch Firefox in order to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0016-Prevent-WebSocket-DNS-leak.patch" target="_top">prevent
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     548) a DNS leak due to a WebSocket rate-limiting check</a>. As stated in the
projects/torbrowser/design/index.html.en     549) patch, we believe the direct DNS resolution performed by this check is in
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     550) violation of the W3C standard, but <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=751465" target="_top">this DNS proxy leak
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     551) remains present in stock Firefox releases</a>.
projects/torbrowser/design/index.html.en     552) 
projects/torbrowser/design/index.html.en     553)  </p><p>
projects/torbrowser/design/index.html.en     554) 
projects/torbrowser/design/index.html.en     555) During the transition to Firefox 17-ESR, a code audit was undertaken to verify
projects/torbrowser/design/index.html.en     556) that there were no system calls or XPCOM activity in the source tree that did
projects/torbrowser/design/index.html.en     557) not use the browser proxy settings. The only violation we found was that
projects/torbrowser/design/index.html.en     558) WebRTC was capable of creating UDP sockets and was compiled in by default. We
projects/torbrowser/design/index.html.en     559) subsequently disabled it using the Firefox build option
projects/torbrowser/design/index.html.en     560) <span class="command"><strong>--disable-webrtc</strong></span>.
projects/torbrowser/design/index.html.en     561) 
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     562)  </p><p>
projects/torbrowser/design/index.html.en     563) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     564) We have verified that these settings and patches properly proxy HTTPS, OCSP,
projects/torbrowser/design/index.html.en     565) HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing Queries, all JavaScript
projects/torbrowser/design/index.html.en     566) activity, including HTML5 audio and video objects, addon updates, wifi
projects/torbrowser/design/index.html.en     567) geolocation queries, searchbox queries, XPCOM addon HTTPS/HTTP activity,
projects/torbrowser/design/index.html.en     568) WebSockets, and live bookmark updates. We have also verified that IPv6
projects/torbrowser/design/index.html.en     569) connections are not attempted, through the proxy or otherwise (Tor does not
projects/torbrowser/design/index.html.en     570) yet support IPv6). We have also verified that external protocol helpers, such
projects/torbrowser/design/index.html.en     571) as smb URLs and other custom protocol handlers, are all blocked.
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     572) 
projects/torbrowser/design/index.html.en     573)  </p><p>
projects/torbrowser/design/index.html.en     574) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     575) Numerous other third parties have also reviewed and tested the proxy settings
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     576) and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/" target="_top">decloak.net</a>. 
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     577) 
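One way to check a profile for the four proxy preferences named in this item, as an added example (not the project's own code or its preferences file). The expected values (remote DNS on, SOCKS version 5, prefetch disabled), the port 9150 in the samples, and both sample files are assumptions constructed for the illustration.

```python
"""Audit a Firefox prefs file for the proxy prefs named above (added example).

Expected values and both sample files are constructed assumptions; they are
not copied from the project's preferences file.
"""
import re

# Matches pref("name", value); and user_pref("name", value); at line start,
# so commented-out lines ("// user_pref(...)") are ignored.
PREF_RE = re.compile(
    r'^[ \t]*(?:user_pref|pref)\([ \t]*"([^"]+)"[ \t]*,[ \t]*(.+?)[ \t]*\)[ \t]*;',
    re.MULTILINE,
)


def _parse_value(raw):
    """Convert a prefs literal to bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_prefs(text):
    """Return {pref name: value}; the last assignment wins (a simplification)."""
    return {m.group(1): _parse_value(m.group(2)) for m in PREF_RE.finditer(text)}


def audit_proxy_prefs(prefs):
    """Return a list of (pref name, problem) for settings that risk a leak."""
    findings = []

    def require(name, ok, problem):
        if name not in prefs:
            findings.append((name, "not set, browser default applies"))
        elif not ok(prefs[name]):
            findings.append((name, problem))

    require("network.proxy.socks_remote_dns", lambda v: v is True,
            "hostnames are resolved locally instead of through the SOCKS proxy")
    require("network.proxy.socks_version", lambda v: v == 5,
            "SOCKS version is not 5")
    require("network.proxy.socks_port",
            lambda v: isinstance(v, int) and not isinstance(v, bool)
            and 0 < v < 65536,
            "SOCKS port is not a valid TCP port")
    require("network.dns.disablePrefetch", lambda v: v is True,
            "DNS prefetching is enabled")
    return findings


# Constructed sample: all four prefs present with the values assumed above.
HARDENED_SAMPLE = '''
pref("network.proxy.socks_port", 9150);
pref("network.proxy.socks_version", 5);
pref("network.proxy.socks_remote_dns", true);
pref("network.dns.disablePrefetch", true);
'''

# Constructed sample: proxy configured, but name resolution left local and
# the prefetch pref commented out.
LEAKY_SAMPLE = '''
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", false);
// user_pref("network.dns.disablePrefetch", true);
'''

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED_SAMPLE), ("leaky", LEAKY_SAMPLE)):
        findings = audit_proxy_prefs(parse_prefs(sample))
        print(f"{label}: {'OK' if not findings else ''}")
        for name, problem in findings:
            print(f"  {name}: {problem}")
```

A check like this only covers the preference layer; the WebSocket DNS patch and the WebRTC build flag described in this item cannot be verified from a prefs file.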
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  578)  </p></li><li class="listitem">Disabling plugins
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     579) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     580)  <p>Plugins have the ability to make arbitrary OS system calls and  <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  581) the ability to make UDP sockets and send arbitrary data independent of the
projects/en/torbrowser/design/index.html.en  582) browser proxy settings.
projects/en/torbrowser/design/index.html.en  583)  </p><p>
projects/en/torbrowser/design/index.html.en  584) Torbutton disables plugins by using the
projects/en/torbrowser/design/index.html.en  585) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     586) as disabled. This block can be undone through both the Torbutton Security UI,
projects/torbrowser/design/index.html.en     587) and the Firefox Plugin Preferences.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  588)  </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     589) If the user does enable plugins in this way, plugin-handled objects are still
projects/torbrowser/design/index.html.en     590) restricted from automatic load through Firefox's click-to-play preference
projects/torbrowser/design/index.html.en     591) <span class="command"><strong>plugins.click_to_play</strong></span>.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     592)  </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     593) In addition, to reduce any unproxied activity by arbitrary plugins at load
projects/torbrowser/design/index.html.en     594) time, and to reduce the fingerprintability of the installed plugin list, we
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     595) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch" target="_top">prevent the load of any plugins except
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     596) for Flash and Gnash</a>.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     597) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     598)  </p></li><li class="listitem">External App Blocking and Drag Event Filtering
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  599)   <p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     600) 
projects/torbrowser/design/index.html.en     601) External apps can be induced to load files that perform network activity.
projects/torbrowser/design/index.html.en     602) Unfortunately, there are cases where such apps can be launched automatically
projects/torbrowser/design/index.html.en     603) with little to no user input. In order to prevent this, Torbutton installs a
projects/torbrowser/design/index.html.en     604) component to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">
projects/torbrowser/design/index.html.en     605) provide the user with a popup</a> whenever the browser attempts to launch
projects/torbrowser/design/index.html.en     606) a helper app.
projects/torbrowser/design/index.html.en     607) 
projects/torbrowser/design/index.html.en     608)   </p><p>
projects/torbrowser/design/index.html.en     609) 
projects/torbrowser/design/index.html.en     610) Additionally, modern desktops now pre-emptively fetch any URLs in Drag and
projects/torbrowser/design/index.html.en     611) Drop events as soon as the drag is initiated. This download happens
projects/torbrowser/design/index.html.en     612) independent of the browser's Tor settings, and can be triggered by something
projects/torbrowser/design/index.html.en     613) as simple as holding the mouse button down for slightly too long while
projects/torbrowser/design/index.html.en     614) clicking on an image link. We had to patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0018-Emit-observer-event-to-filter-the-Drag-Drop-url-list.patch" target="_top">emit
projects/torbrowser/design/index.html.en     615) an observer event during dragging</a> to allow us to filter the drag
projects/torbrowser/design/index.html.en     616) events from Torbutton before the OS downloads the URLs the events contained.
projects/torbrowser/design/index.html.en     617) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     618)   </p></li><li class="listitem">Disabling system extensions and clearing the addon whitelist
projects/torbrowser/design/index.html.en     619)   <p>
projects/torbrowser/design/index.html.en     620) 
projects/torbrowser/design/index.html.en     621) Firefox addons can perform arbitrary activity on your computer, including
projects/torbrowser/design/index.html.en     622) bypassing Tor. It is for this reason we disable the addon whitelist
projects/torbrowser/design/index.html.en     623) (<span class="command"><strong>xpinstall.whitelist.add</strong></span>), so that users are prompted
projects/torbrowser/design/index.html.en     624) before installing addons regardless of the source. We also exclude
projects/torbrowser/design/index.html.en     625) system-level addons from the browser through the use of
projects/torbrowser/design/index.html.en     626) <span class="command"><strong>extensions.enabledScopes</strong></span> and
projects/torbrowser/design/index.html.en     627) <span class="command"><strong>extensions.autoDisableScopes</strong></span>.
projects/torbrowser/design/index.html.en     628) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     629)   </p></li></ol></div></div><div class="sect2" title="4.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>4.2. State Separation</h3></div></div></div><p>
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     630) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  631) Tor Browser State is separated from existing browser state through use of a
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     632) custom Firefox profile, and by setting the $HOME environment variable to the
projects/torbrowser/design/index.html.en     633) root of the bundle's directory.  The browser also does not load any
projects/torbrowser/design/index.html.en     634) system-wide extensions (through the use of
projects/torbrowser/design/index.html.en     635) <span class="command"><strong>extensions.enabledScopes</strong></span> and
projects/torbrowser/design/index.html.en     636) <span class="command"><strong>extensions.autoDisableScopes</strong></span>). Furthermore, plugins are
projects/torbrowser/design/index.html.en     637) disabled, which prevents Flash cookies from leaking from a pre-existing Flash
projects/torbrowser/design/index.html.en     638) directory.
projects/torbrowser/design/index.html.en     639) 
projects/torbrowser/design/index.html.en     640)    </p></div><div class="sect2" title="4.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5639136"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     641) 
projects/torbrowser/design/index.html.en     642) The User Agent MUST (at user option) prevent all disk records of browser activity.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  643) The user should be able to optionally enable URL history and other history
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     644) features if they so desire. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  645) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     646)     </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5640496"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  647) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     648) We achieve this goal through several mechanisms. First, we set the Firefox
projects/torbrowser/design/index.html.en     649) Private Browsing preference
projects/torbrowser/design/index.html.en     650) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>. In addition, four Firefox patches are needed to prevent disk writes, even if
projects/torbrowser/design/index.html.en     651) Private Browsing Mode is enabled. We need to
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  652) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     653) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch" target="_top">prevent
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     654) the permissions manager from recording HTTPS STS state</a>,
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     655) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">prevent
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     656) intermediate SSL certificates from being recorded</a>,
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     657) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch" target="_top">prevent
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     658) download history from being recorded</a>, and
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     659) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch" target="_top">prevent
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     660) the content preferences service from recording site zoom</a>.
projects/torbrowser/design/index.html.en     661) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     662) For more details on these patches, <a class="link" href="#firefox-patches" title="4.9. Description of Firefox Patches">see the
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     663) Firefox Patches section</a>.
projects/torbrowser/design/index.html.en     664) 
projects/torbrowser/design/index.html.en     665)     </blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en     666) 
projects/torbrowser/design/index.html.en     667) As an additional defense-in-depth measure, we set the following preferences:
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     668) <span class="command"><strong></strong></span>,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  669) <span class="command"><strong>browser.cache.disk.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  670) <span class="command"><strong>browser.cache.offline.enable</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     671) <span class="command"><strong>dom.indexedDB.enabled</strong></span>,
projects/torbrowser/design/index.html.en     672) <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  673) <span class="command"><strong>signon.rememberSignons</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     674) <span class="command"><strong>browser.formfill.enable</strong></span>,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  675) <span class="command"><strong>browser.download.manager.retention</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     676) <span class="command"><strong>browser.sessionstore.privacy_level</strong></span>,
projects/torbrowser/design/index.html.en     677) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>. Many of these
projects/torbrowser/design/index.html.en     678) preferences are likely redundant with
projects/torbrowser/design/index.html.en     679) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>, but we have not done the
projects/torbrowser/design/index.html.en     680) auditing work to ensure that yet.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  681) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     682)     </blockquote></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  683) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     684) Torbutton also <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/components/tbSessionStore.js" target="_top">contains
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     685) code</a> to prevent the Firefox session store from writing to disk.
projects/torbrowser/design/index.html.en     686)     </blockquote></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  687) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     688) For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&amp;status=!closed" target="_top">tbb-disk-leak tag in our bugtracker</a>.</blockquote></div></div></div><div class="sect2" title="4.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>4.4. Application Data Isolation</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  689) 
projects/en/torbrowser/design/index.html.en  690) Tor Browser Bundle MUST NOT cause any information to be written outside of the
projects/en/torbrowser/design/index.html.en  691) bundle directory. This is to ensure that the user is able to completely and
projects/en/torbrowser/design/index.html.en  692) safely remove the bundle without leaving other traces of Tor usage on their
projects/en/torbrowser/design/index.html.en  693) computer.
projects/en/torbrowser/design/index.html.en  694) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     695)    </p><p>
projects/torbrowser/design/index.html.en     696) 
projects/torbrowser/design/index.html.en     697) To ensure TBB directory isolation, we set
projects/torbrowser/design/index.html.en     698) <span class="command"><strong>browser.download.useDownloadDir</strong></span>,
projects/torbrowser/design/index.html.en     699) <span class="command"><strong>browser.shell.checkDefaultBrowser</strong></span>, and
projects/torbrowser/design/index.html.en     700) <span class="command"><strong>browser.download.manager.addToRecentDocs</strong></span>. We also set the
projects/torbrowser/design/index.html.en     701) $HOME environment variable to be the TBB extraction directory.
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     702)    </p></div><div class="sect2" title="4.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  703) 
projects/en/torbrowser/design/index.html.en  704) The Tor Browser MUST prevent a user's activity on one site from being linked
projects/en/torbrowser/design/index.html.en  705) to their activity on another site. When this goal cannot yet be met with an
projects/en/torbrowser/design/index.html.en  706) existing web technology, that technology or functionality is disabled. Our
projects/en/torbrowser/design/index.html.en  707) <a class="link" href="#privacy" title="2.2. Privacy Requirements">design goal</a> is to ultimately eliminate the need to disable arbitrary
projects/en/torbrowser/design/index.html.en  708) technologies, and instead simply alter them in ways that allow them to
projects/en/torbrowser/design/index.html.en  709) function in a backwards-compatible way while avoiding linkability. Users
projects/en/torbrowser/design/index.html.en  710) should be able to use federated login of various kinds to explicitly inform
projects/en/torbrowser/design/index.html.en  711) sites who they are, but that information should not transparently allow a
projects/en/torbrowser/design/index.html.en  712) third party to record their activity from site to site without their prior
projects/en/torbrowser/design/index.html.en  713) consent.
projects/en/torbrowser/design/index.html.en  714) 
projects/en/torbrowser/design/index.html.en  715)    </p><p>
projects/en/torbrowser/design/index.html.en  716) 
projects/en/torbrowser/design/index.html.en  717) The benefit of this approach comes not only in the form of reduced
projects/en/torbrowser/design/index.html.en  718) linkability, but also in terms of simplified privacy UI. If all stored browser
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     719) state and permissions become associated with the url bar origin, the six or
projects/torbrowser/design/index.html.en     720) seven different pieces of privacy UI governing these identifiers and
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  721) permissions can become just one piece of UI: for instance, a window that lists
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     722) the url bar origin for which browser state exists, possibly with a
projects/torbrowser/design/index.html.en     723) context-menu option to drill down into specific types of state or permissions.
projects/torbrowser/design/index.html.en     724) An example of this simplification can be seen in Figure 1.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  725) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     726)    </p><div class="figure"><a id="idp5664576"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  727) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     728) This example UI is a mock-up of how isolating identifiers to the URL bar
projects/torbrowser/design/index.html.en     729) origin can simplify the privacy UI for all data - not just cookies. Once
projects/torbrowser/design/index.html.en     730) browser identifiers and site permissions operate on a url bar basis, the same
projects/torbrowser/design/index.html.en     731) privacy window can represent browsing history, DOM Storage, HTTP Auth, search
projects/torbrowser/design/index.html.en     732) form history, login values, and so on within a context menu for each site.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  733) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     734) </div></div></div><br class="figure-break" /><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Cookies
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  735)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  736) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     737) All cookies MUST be double-keyed to the url bar origin and third-party
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     738) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     739) that contains a prototype patch, but it lacks UI, and does not apply to modern
projects/torbrowser/design/index.html.en     740) Firefoxes.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  741) 
projects/en/torbrowser/design/index.html.en  742)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  743) 
projects/en/torbrowser/design/index.html.en  744) As a stopgap to satisfy our design requirement of unlinkability, we currently
projects/en/torbrowser/design/index.html.en  745) entirely disable third party cookies by setting
projects/en/torbrowser/design/index.html.en  746) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     747) third party content continue to function, but we believe the requirement for 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  748) unlinkability trumps that desire.
projects/en/torbrowser/design/index.html.en  749) 
projects/en/torbrowser/design/index.html.en  750)      </p></li><li class="listitem">Cache
projects/en/torbrowser/design/index.html.en  751)      <p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     752) 
projects/torbrowser/design/index.html.en     753) Cache is isolated to the url bar origin by using a technique pioneered by
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     754) Collin Jackson et al., via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the
projects/torbrowser/design/index.html.en     755) <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     756) attribute that Firefox uses internally to prevent improper caching and reuse
projects/torbrowser/design/index.html.en     757) of HTTP POST data.  
projects/torbrowser/design/index.html.en     758) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  759)      </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     760) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     761) However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
projects/torbrowser/design/index.html.en     762) security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve conflicts
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     763) with OCSP relying on the cacheKey property for reuse of POST requests</a>, we
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     764) had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch" target="_top">patch
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     765) Firefox to provide a cacheDomain cache attribute</a>. We use the fully
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     766) qualified url bar domain as input to this field, to avoid the complexities
projects/torbrowser/design/index.html.en     767) of heuristically determining the second-level DNS name.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     768) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  769)      </p><p>
projects/en/torbrowser/design/index.html.en  770) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     771)  Furthermore, we chose a different
projects/torbrowser/design/index.html.en     772) isolation scheme than the Stanford implementation. First, we decoupled the
projects/torbrowser/design/index.html.en     773) cache isolation from the third party cookie attribute. Second, we use several
projects/torbrowser/design/index.html.en     774) mechanisms to attempt to determine the actual location attribute of the
projects/torbrowser/design/index.html.en     775) top-level window (to obtain the url bar FQDN) used to load the page, as
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     776) opposed to relying solely on the Referer property.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  777) 
projects/en/torbrowser/design/index.html.en  778)      </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     779) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     780) Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     781) Stanford test cases</a> are expected to fail. Functionality can still be
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     782) verified by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     783) viewing the key used for each cache entry. Each third party element should
projects/torbrowser/design/index.html.en     784) have an additional "domain=string" property prepended, which will list the
projects/torbrowser/design/index.html.en     785) FQDN that was used to source the third party element.
projects/torbrowser/design/index.html.en     786) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     787)      </p><p>
projects/torbrowser/design/index.html.en     788) 
projects/torbrowser/design/index.html.en     789) Additionally, because the image cache is a separate entity from the content
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     790) cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0024-Isolate-the-Image-Cache-per-url-bar-domain.patch" target="_top">isolate
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     791) this cache per url bar domain</a>.
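A sketch of the url bar keying and the about:cache check described above, added here as an illustration in JavaScript; it is not Firefox, Torbutton or SafeCache code. The `domain=<FQDN>:` key layout, the function and class names, and the `.example` hosts are assumptions made for the example.

```javascript
// Toy model of a content cache keyed by the URL bar FQDN (added illustration;
// not Firefox, Torbutton or SafeCache code). Assumption: an isolated key is
// written "domain=<url bar FQDN>:<resource URL>"; the page only says that a
// "domain=string" property is prepended for third party elements.
const DOMAIN_PREFIX = 'domain=';

function fqdn(url) {
  return new URL(url).hostname.toLowerCase();
}

// Key for a resource fetched while urlBarUrl is the top-level location.
function cacheKey(urlBarUrl, resourceUrl) {
  const resource = new URL(resourceUrl);
  resource.hash = ''; // the fragment is never sent, so it is not part of the key
  const urlBarHost = fqdn(urlBarUrl);
  // Full FQDN comparison: no guessing at the registrable (second-level) name.
  if (resource.hostname.toLowerCase() === urlBarHost) return resource.href;
  return `${DOMAIN_PREFIX}${urlBarHost}:${resource.href}`;
}

// Split a key into its isolation domain (null for a first party key) and URL.
function parseKey(key) {
  if (!key.startsWith(DOMAIN_PREFIX)) return { domain: null, url: key };
  const start = DOMAIN_PREFIX.length;
  // An IPv6 literal host ("[::1]") contains colons, so skip past its bracket.
  const from = key[start] === '[' ? Math.max(key.indexOf(']', start), start) : start;
  const sep = key.indexOf(':', from);
  if (sep === -1) throw new Error(`malformed isolated key: ${key}`);
  return { domain: key.slice(start, sep), url: key.slice(sep + 1) };
}

class IsolatedCache {
  constructor() {
    this.entries = new Map();
    this.networkFetches = 0;
  }
  // Returns the key used and whether the entry was already cached.
  load(urlBarUrl, resourceUrl) {
    const key = cacheKey(urlBarUrl, resourceUrl);
    const hit = this.entries.has(key);
    if (!hit) {
      this.networkFetches += 1;
      this.entries.set(key, `response #${this.networkFetches}`);
    }
    return { key, hit };
  }
  keys() {
    return [...this.entries.keys()];
  }
}

// The about:cache check as code: given the key listing and the hosts that were
// actually loaded in the URL bar, report entries for other hosts that lack a
// "domain=" prefix. Those entries would be shared across sites.
function unisolatedKeys(keys, urlBarHosts) {
  const visited = new Set(urlBarHosts.map((h) => h.toLowerCase()));
  return keys.filter((key) => {
    const { domain, url } = parseKey(key);
    return domain === null && !visited.has(fqdn(url));
  });
}

// Constructed scenario on reserved .example names.
function demo() {
  const cache = new IsolatedCache();
  const pixel = 'https://cdn.tracker.example/pixel.gif';
  const first = cache.load('https://news.example/', pixel);
  const sameSite = cache.load('https://news.example/story', pixel);
  const otherSite = cache.load('https://shop.example/', pixel);
  const own = cache.load('https://news.example/', 'https://news.example/site.css');
  // A different FQDN of the "same" site is still a different URL bar domain.
  const www = cache.load('https://www.news.example/', 'https://news.example/site.css');
  return { cache, first, sameSite, otherSite, own, www };
}
```

The third party pixel is fetched once per url bar FQDN, so a cache hit on one site reveals nothing about visits to another.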
projects/torbrowser/design/index.html.en     792) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  793)      </p></li><li class="listitem">HTTP Auth
projects/en/torbrowser/design/index.html.en  794)      <p>
projects/en/torbrowser/design/index.html.en  795) 
projects/en/torbrowser/design/index.html.en  796) HTTP authentication tokens are removed for third party elements using the
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     797) <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request
projects/torbrowser/design/index.html.en     798) observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     799) linkability between domains</a>. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  800)      </p></li><li class="listitem">DOM Storage
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     801)      <p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  802) 
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     803) DOM storage for third party domains MUST be isolated to the url bar origin,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     804) to prevent linkability between sites. This functionality is provided through a
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     805) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0026-Isolate-DOM-storage-to-first-party-URI.patch" target="_top">patch
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     806) to Firefox</a>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  807) 
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     808)      </p></li><li class="listitem">Flash cookies
projects/torbrowser/design/index.html.en     809)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     810) 
projects/torbrowser/design/index.html.en     811) Users should be able to click-to-play Flash objects from trusted sites. To
projects/torbrowser/design/index.html.en     812) make this behavior unlinkable, we wish to include a settings file for all platforms that disables Flash
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     813) cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     814) settings manager</a>.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     815) 
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     816)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en     817) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     818) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     819) difficulties</a> causing Flash player to use this settings
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     820) file on Windows, so Flash remains difficult to enable.
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     821) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     822)      </p></li><li class="listitem">SSL+TLS session resumption, HTTP Keep-Alive and SPDY
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     823)      <p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  824) 
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     825) TLS session resumption tickets and SSL Session IDs MUST be limited to the url
projects/torbrowser/design/index.html.en     826) bar origin.  HTTP Keep-Alive connections from a third party in one url bar
projects/torbrowser/design/index.html.en     827) origin MUST NOT be reused for that same third party in another url bar origin.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  828) 
projects/en/torbrowser/design/index.html.en  829)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  830) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     831) We currently clear SSL Session IDs upon <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     832) Identity</a>, and we disable TLS Session Tickets via the Firefox Pref
projects/torbrowser/design/index.html.en     833) <span class="command"><strong>security.enable_tls_session_tickets</strong></span>. We disable SSL Session
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     834) IDs via a <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch" target="_top">patch
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     835) to Firefox</a>. To compensate for the increased round trip latency from disabling
projects/torbrowser/design/index.html.en     836) these performance optimizations, we also enable
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     837) <a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     838) False Start</a> via the Firefox Pref 
projects/torbrowser/design/index.html.en     839) <span class="command"><strong>security.ssl.enable_false_start</strong></span>.
projects/torbrowser/design/index.html.en     840)     </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  841) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     842) Because of the extreme performance benefits of HTTP Keep-Alive for interactive
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     843) web apps, and because of the difficulties of conveying urlbar origin
projects/torbrowser/design/index.html.en     844) information down into the Firefox HTTP layer, as a compromise we currently
projects/torbrowser/design/index.html.en     845) merely reduce the HTTP Keep-Alive timeout to 20 seconds (which is measured
projects/torbrowser/design/index.html.en     846) from the last packet read on the connection) using the Firefox preference
projects/torbrowser/design/index.html.en     847) <span class="command"><strong>network.http.keep-alive.timeout</strong></span>.
projects/torbrowser/design/index.html.en     848) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     849)      </p><p>
projects/torbrowser/design/index.html.en     850) However, because SPDY can store identifiers and has an extremely long keepalive
projects/torbrowser/design/index.html.en     851) duration, it is disabled through the Firefox preference
projects/torbrowser/design/index.html.en     852) <span class="command"><strong>network.http.spdy.enabled</strong></span>.
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     853)      </p></li><li class="listitem">Automated cross-origin redirects MUST NOT store identifiers
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     854)     <p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     855) 
projects/torbrowser/design/index.html.en     856) To prevent attacks aimed at subverting the Cross-Origin Identifier
projects/torbrowser/design/index.html.en     857) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     858) MUST NOT store any identifiers (cookies, cache, DOM storage, HTTP auth, etc)
projects/torbrowser/design/index.html.en     859) for cross-origin redirect intermediaries that do not prompt for user input.
projects/torbrowser/design/index.html.en     860) For example, if a user clicks on a bit.ly url that redirects to a
projects/torbrowser/design/index.html.en     861) doubleclick.net url that finally redirects to a cnn.com url, only cookies from
projects/torbrowser/design/index.html.en     862) cnn.com should be retained after the redirect chain completes.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     863) 
projects/torbrowser/design/index.html.en     864)     </p><p>
projects/torbrowser/design/index.html.en     865) 
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     866) Non-automated redirect chains that require user input at some step (such as
projects/torbrowser/design/index.html.en     867) federated login systems) SHOULD still allow identifiers to persist.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     868) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     869)     </p><p><span class="command"><strong>Implementation status:</strong></span>
projects/torbrowser/design/index.html.en     870) 
projects/torbrowser/design/index.html.en     871) There are numerous ways for the user to be redirected, and the Firefox API
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     872) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     873) open</a> to implement what we can.
projects/torbrowser/design/index.html.en     874) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     875)     </p></li><li class="listitem">window.name
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  876)      <p>
projects/en/torbrowser/design/index.html.en  877) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     878) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  879) a magical DOM property that for some reason is allowed to retain a persistent value
projects/en/torbrowser/design/index.html.en  880) for the lifespan of a browser tab. It is possible to utilize this property for
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     881) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  882) storage</a>.
projects/en/torbrowser/design/index.html.en  883) 
projects/en/torbrowser/design/index.html.en  884)      </p><p>
projects/en/torbrowser/design/index.html.en  885) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     886) In order to eliminate non-consensual linkability but still allow for sites
projects/torbrowser/design/index.html.en     887) that utilize this property to function, we reset the window.name property of
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     888) tabs in Torbutton every time we encounter a blank Referer. This behavior
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     889) allows window.name to persist for the duration of a click-driven navigation
projects/torbrowser/design/index.html.en     890) session, but as soon as the user enters a new URL or navigates between
projects/torbrowser/design/index.html.en     891) https/http schemes, the property is cleared.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  892) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     893)      </p></li><li class="listitem">Auto form-fill
projects/torbrowser/design/index.html.en     894)      <p>
projects/torbrowser/design/index.html.en     895) 
projects/torbrowser/design/index.html.en     896) We disable the password saving functionality in the browser as part of our
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     897) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     898) since users may decide to re-enable disk history records and password saving,
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     899) we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     900) preference to false to prevent saved values from immediately populating
projects/torbrowser/design/index.html.en     901) fields upon page load. Since Javascript can read these values as soon as they
projects/torbrowser/design/index.html.en     902) appear, setting this preference prevents automatic linkability from stored passwords.
projects/torbrowser/design/index.html.en     903) 
projects/torbrowser/design/index.html.en     904)      </p></li><li class="listitem">HSTS supercookies
projects/torbrowser/design/index.html.en     905)       <p>
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     906) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     907) An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     908) supercookies</a>. Since HSTS effectively stores one bit of information per domain
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     909) name, an adversary in possession of numerous domains can use them to construct
projects/torbrowser/design/index.html.en     910) cookies based on stored HSTS state.
projects/torbrowser/design/index.html.en     911) 
projects/torbrowser/design/index.html.en     912)       </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     913) 
projects/torbrowser/design/index.html.en     914) There appear to be three options for us: 1. Disable HSTS entirely, and rely
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     915) instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
projects/torbrowser/design/index.html.en     916) Restrict the number of HSTS-enabled third parties allowed per url bar origin.
projects/torbrowser/design/index.html.en     917) 3. Prevent third parties from storing HSTS rules. We have not yet decided upon
projects/torbrowser/design/index.html.en     918) the best approach.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     919) 
projects/torbrowser/design/index.html.en     920)       </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     921) cleared by <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>, but we don't
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     922) defend against the creation of these cookies between <span class="command"><strong>New
projects/torbrowser/design/index.html.en     923) Identity</strong></span> invocations.
projects/torbrowser/design/index.html.en     924)       </p></li><li class="listitem">Exit node usage
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  925)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  926) 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     927) Every distinct navigation session (as defined by a non-blank Referer header)
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  928) MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node
projects/en/torbrowser/design/index.html.en  929) observers from linking concurrent browsing activity.
projects/en/torbrowser/design/index.html.en  930) 
projects/en/torbrowser/design/index.html.en  931)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  932) 
projects/en/torbrowser/design/index.html.en  933) The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     934) series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455" target="_top">Ticket
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  935) #3455</a> is the Torbutton ticket to make use of the new Tor
projects/en/torbrowser/design/index.html.en  936) functionality.
projects/en/torbrowser/design/index.html.en  937) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     938)      </p></li></ol></div><p>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     939) For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&amp;status=!closed" target="_top">tbb-linkability tag in our bugtracker</a>.
projects/torbrowser/design/index.html.en     940)   </p></div><div class="sect2" title="4.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  941) 
projects/en/torbrowser/design/index.html.en  942) In order to properly address the fingerprinting adversary on a technical
projects/en/torbrowser/design/index.html.en  943) level, we need a metric to measure linkability of the various browser
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     944) properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     945) by the EFF provides us with a prototype of such a metric. The researchers
projects/torbrowser/design/index.html.en     946) conducted a survey of volunteers who were asked to visit an experiment page
projects/torbrowser/design/index.html.en     947) that harvested many of the above components. They then computed the Shannon
projects/torbrowser/design/index.html.en     948) Entropy of the resulting distribution of each of several key attributes to
projects/torbrowser/design/index.html.en     949) determine how many bits of identifying information each attribute provided.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  950) 
projects/en/torbrowser/design/index.html.en  951)    </p><p>
projects/en/torbrowser/design/index.html.en  952) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     953) Many browser features have been added since the EFF first ran their experiment
projects/torbrowser/design/index.html.en     954) and collected their data. To avoid an infinite sinkhole, we reduce the efforts
projects/torbrowser/design/index.html.en     955) for fingerprinting resistance by only concerning ourselves with reducing the
projects/torbrowser/design/index.html.en     956) fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. We
projects/torbrowser/design/index.html.en     957) do not believe it is possible to solve cross-browser fingerprinting issues.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  958) 
projects/en/torbrowser/design/index.html.en  959)    </p><p>
projects/en/torbrowser/design/index.html.en  960) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     961) Unfortunately, the unsolvable nature of the cross-browser fingerprinting
projects/torbrowser/design/index.html.en     962) problem means that the Panopticlick test website itself is not useful for
projects/torbrowser/design/index.html.en     963) evaluating the actual effectiveness of our defenses, or the fingerprinting
projects/torbrowser/design/index.html.en     964) defenses of any other web browser. Because the Panopticlick dataset is based
projects/torbrowser/design/index.html.en     965) on browser data spanning a number of widely deployed browsers over a number of
projects/torbrowser/design/index.html.en     966) years, any fingerprinting defenses attempted by browsers today are very likely
projects/torbrowser/design/index.html.en     967) to cause Panopticlick to report an <span class="emphasis"><em>increase</em></span> in
projects/torbrowser/design/index.html.en     968) fingerprintability and entropy, because those defenses will stand out in sharp
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     969) contrast to historical data. We have been <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/6119" target="_top">working to convince
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     970) the EFF</a> that it is worthwhile to release the source code to
projects/torbrowser/design/index.html.en     971) Panopticlick to allow us to run our own version for this reason.
projects/torbrowser/design/index.html.en     972) 
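Added example (not part of the original design document, and not Panopticlick code): the Shannon entropy metric described above, computed over constructed survey data. It shows why a uniform defended fingerprint scores as highly identifying against a historical dataset while carrying zero bits among Tor Browser users. The attribute names, sample values, population sizes, and the choice to add the visitor to the dataset before scoring are all assumptions of this example.

```python
import math
from collections import Counter

ATTRIBUTES = ("resolution", "plugins", "fonts")  # assumed attribute names


def shannon_entropy(values):
    """Shannon entropy, in bits, of the observed distribution of one attribute."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((n / total) * math.log2(total / n) for n in counts.values())


def attribute_entropies(population):
    """Bits of identifying information each attribute provides in a population."""
    return {a: shannon_entropy([r[a] for r in population]) for a in ATTRIBUTES}


def surprisal(record, population):
    """Bits revealed by one browser's full fingerprint when scored against a dataset.

    Assumption of this example: the visitor is added to the dataset before
    scoring, so a never-seen fingerprint gets a finite score.
    """
    key = tuple(record[a] for a in ATTRIBUTES)
    matches = sum(1 for r in population if tuple(r[a] for a in ATTRIBUTES) == key)
    return math.log2((len(population) + 1) / (matches + 1))


def expand(rows):
    """Build a population from (count, resolution, plugins, fonts) rows."""
    population = []
    for count, resolution, plugins, fonts in rows:
        population.extend(
            {"resolution": resolution, "plugins": plugins, "fonts": fonts}
            for _ in range(count)
        )
    return population


# Constructed data: a historical survey of undefended browsers.
HISTORICAL = expand([
    (400, "1920x1080", "flash+java", "fontset-A"),
    (300, "1366x768", "flash", "fontset-B"),
    (200, "1280x800", "flash+java", "fontset-C"),
    (100, "1440x900", "none", "fontset-A"),
])

# Constructed data: Tor Browser users, all reporting the same defended values.
TOR_BROWSER = expand([(500, "1000x600", "none", "capped")])

TYPICAL = {"resolution": "1920x1080", "plugins": "flash+java", "fonts": "fontset-A"}
DEFENDED = {"resolution": "1000x600", "plugins": "none", "fonts": "capped"}
# A Tor Browser user whose window no longer matches the shared size.
RESIZED = {"resolution": "1337x911", "plugins": "none", "fonts": "capped"}


def report():
    """Score the same browsers against both reference populations."""
    return {
        "historical_entropy": attribute_entropies(HISTORICAL),
        "tor_entropy": attribute_entropies(TOR_BROWSER),
        "typical_vs_historical": surprisal(TYPICAL, HISTORICAL),
        "defended_vs_historical": surprisal(DEFENDED, HISTORICAL),
        "defended_vs_tor": surprisal(DEFENDED, TOR_BROWSER),
        "resized_vs_tor": surprisal(RESIZED, TOR_BROWSER),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

Against the historical dataset the defended browser scores far more bits than a typical undefended one, which is the misleading result the text describes; scored among Tor Browser users it carries zero bits, and only the user who departs from the shared values stands out.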
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     973)    </p><div class="sect3" title="Fingerprinting defenses in the Tor Browser"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Fingerprinting defenses in the Tor Browser</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  974)      <p>
projects/en/torbrowser/design/index.html.en  975) 
projects/en/torbrowser/design/index.html.en  976) Plugins add to fingerprinting risk via two main vectors: their mere presence in
projects/en/torbrowser/design/index.html.en  977) window.navigator.plugins, as well as their internal functionality.
projects/en/torbrowser/design/index.html.en  978) 
projects/en/torbrowser/design/index.html.en  979)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en  980) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     981) All plugins that have not been specifically audited or sandboxed MUST be
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  982) disabled. To reduce linkability potential, even sandboxed plugins should not
projects/en/torbrowser/design/index.html.en  983) be allowed to load objects until the user has clicked through a click-to-play
projects/en/torbrowser/design/index.html.en  984) barrier.  Additionally, version information should be reduced or obfuscated
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     985) until the plugin object is loaded. For Flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">provide a
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     986) settings.sol file</a> to disable Flash cookies, and to restrict P2P
projects/torbrowser/design/index.html.en     987) features that are likely to bypass proxy settings.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  988) 
projects/en/torbrowser/design/index.html.en  989)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  990) 
projects/en/torbrowser/design/index.html.en  991) Currently, we entirely disable all plugins in Tor Browser. However, as a
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     992) compromise due to the popularity of Flash, we allow users to re-enable Flash,
projects/torbrowser/design/index.html.en     993) and Flash objects are blocked behind a click-to-play barrier that is available
projects/torbrowser/design/index.html.en     994) only after the user has specifically enabled plugins. Flash is the only plugin
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     995) available, the rest are <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch" target="_top">entirely
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     996) blocked from loading by a Firefox patch</a>. We also set the Firefox
projects/torbrowser/design/index.html.en     997) preference <span class="command"><strong>plugin.expose_full_path</strong></span> to false, to avoid
projects/torbrowser/design/index.html.en     998) leaking plugin installation information.
projects/torbrowser/design/index.html.en     999) 
projects/torbrowser/design/index.html.en    1000)      </p></li><li class="listitem">HTML5 Canvas Image Extraction
projects/torbrowser/design/index.html.en    1001)      <p>
projects/torbrowser/design/index.html.en    1002) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1003) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1004) Canvas</a> is a feature that has been added to major browsers after the
projects/torbrowser/design/index.html.en    1005) EFF developed their Panopticlick study. After plugins and plugin-provided
projects/torbrowser/design/index.html.en    1006) information, we believe that the HTML5 Canvas is the single largest
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1007) fingerprinting threat browsers face today. <a class="ulink" href="http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf" target="_top">Initial
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1008) studies</a> show that the Canvas can provide an easy-access fingerprinting
projects/torbrowser/design/index.html.en    1009) target: The adversary simply renders WebGL, font, and named color data to a
projects/torbrowser/design/index.html.en    1010) Canvas element, extracts the image buffer, and computes a hash of that image
projects/torbrowser/design/index.html.en    1011) data. Subtle differences in the video card, font packs, and even font and
projects/torbrowser/design/index.html.en    1012) graphics library versions allow the adversary to produce a stable, simple,
projects/torbrowser/design/index.html.en    1013) high-entropy fingerprint of a computer. In fact, the hash of the rendered
projects/torbrowser/design/index.html.en    1014) image can be used almost identically to a tracking cookie by the web server.
projects/torbrowser/design/index.html.en    1015) 
projects/torbrowser/design/index.html.en    1016)      </p><p>
projects/torbrowser/design/index.html.en    1017) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1018) To reduce the threat from this vector, we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0020-Add-canvas-image-extraction-prompt.patch" target="_top">prompt
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1019) before returning valid image data</a> to the Canvas APIs. If the user
projects/torbrowser/design/index.html.en    1020) hasn't previously allowed the site in the URL bar to access Canvas image data,
projects/torbrowser/design/index.html.en    1021) pure white image data is returned to the Javascript APIs.
projects/torbrowser/design/index.html.en    1022) 
projects/torbrowser/design/index.html.en    1023)      </p></li><li class="listitem">WebGL
projects/torbrowser/design/index.html.en    1024)      <p>
projects/torbrowser/design/index.html.en    1025) 
projects/torbrowser/design/index.html.en    1026) WebGL is fingerprintable both through information that is exposed about the
projects/torbrowser/design/index.html.en    1027) underlying driver and optimizations, as well as through performance
projects/torbrowser/design/index.html.en    1028) fingerprinting.
projects/torbrowser/design/index.html.en    1029) 
projects/torbrowser/design/index.html.en    1030)      </p><p>
projects/torbrowser/design/index.html.en    1031) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1032) Because of the large number of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/" target="_top">previously unexposed
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1033) vulnerability surface</a>, we deploy a similar strategy against WebGL as
projects/torbrowser/design/index.html.en    1034) for plugins. First, WebGL Canvases have click-to-play placeholders (provided
projects/torbrowser/design/index.html.en    1035) by NoScript), and do not run until authorized by the user. Second, we
projects/torbrowser/design/index.html.en    1036) obfuscate driver information by setting the Firefox preferences
projects/torbrowser/design/index.html.en    1037) <span class="command"><strong>webgl.disable-extensions</strong></span> and
projects/torbrowser/design/index.html.en    1038) <span class="command"><strong>webgl.min_capability_mode</strong></span>, which reduce the information
projects/torbrowser/design/index.html.en    1039) provided by the following WebGL API calls: <span class="command"><strong>getParameter()</strong></span>,
projects/torbrowser/design/index.html.en    1040) <span class="command"><strong>getSupportedExtensions()</strong></span>, and
projects/torbrowser/design/index.html.en    1041) <span class="command"><strong>getExtension()</strong></span>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1042) 
projects/en/torbrowser/design/index.html.en 1043)      </p></li><li class="listitem">Fonts
projects/en/torbrowser/design/index.html.en 1044)      <p>
projects/en/torbrowser/design/index.html.en 1045) 
projects/en/torbrowser/design/index.html.en 1046) According to the Panopticlick study, fonts provide the most linkability when
projects/en/torbrowser/design/index.html.en 1047) they are provided as an enumerable list in filesystem order, via either the
projects/en/torbrowser/design/index.html.en 1048) Flash or Java plugins. However, it is still possible to use CSS and/or
projects/en/torbrowser/design/index.html.en 1049) Javascript to query for the existence of specific fonts. With a large enough
projects/en/torbrowser/design/index.html.en 1050) pre-built list to query, a large amount of fingerprintable information may
projects/en/torbrowser/design/index.html.en 1051) still be available.
projects/en/torbrowser/design/index.html.en 1052) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1053)      </p><p>
projects/torbrowser/design/index.html.en    1054) 
projects/torbrowser/design/index.html.en    1055) The sure-fire way to address font linkability is to ship the browser with a
projects/torbrowser/design/index.html.en    1056) font for every language, typeface, and style in use in the world, and to only
projects/torbrowser/design/index.html.en    1057) use those fonts to the exclusion of system fonts. However, this set may be
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1058) impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts" target="_top">common
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1059) subset</a> may be found that provides total coverage. However, we believe
projects/torbrowser/design/index.html.en    1060) that with strong url bar origin identifier isolation, a simpler approach can reduce the
projects/torbrowser/design/index.html.en    1061) number of bits available to the adversary while avoiding the rendering and
projects/torbrowser/design/index.html.en    1062) language issues of supporting a global font set.
projects/torbrowser/design/index.html.en    1063) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1064)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1065) 
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1066) We disable plugins, which prevents font enumeration. Additionally, we limit
projects/torbrowser/design/index.html.en    1067) both the number of font queries from CSS, as well as the total number of 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1068) fonts that can be used in a document <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0011-Limit-the-number-of-fonts-per-document.patch" target="_top">with
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1069) a Firefox patch</a>. We create two prefs,
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1070) <span class="command"><strong>browser.display.max_font_attempts</strong></span> and
projects/torbrowser/design/index.html.en    1071) <span class="command"><strong>browser.display.max_font_count</strong></span> for this purpose. Once these
projects/torbrowser/design/index.html.en    1072) limits are reached, the browser behaves as if
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1073) <span class="command"><strong>browser.display.use_document_fonts</strong></span> was set. We are
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1074) still working to determine optimal values for these prefs.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1075) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1076)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1077) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1078) To improve rendering, we exempt remote <a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/@font-face" target="_top">@font-face
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1079) fonts</a> from these counts, and if a font-family CSS rule lists a remote
projects/torbrowser/design/index.html.en    1080) font (in any order), we use that font instead of any of the named local fonts.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1081) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1082)      </p></li><li class="listitem">Desktop resolution, CSS Media Queries, and System Colors
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1083)      <p>
projects/en/torbrowser/design/index.html.en 1084) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1085) Both CSS and Javascript have access to a lot of information about the screen
projects/torbrowser/design/index.html.en    1086) resolution, usable desktop size, OS widget size, toolbar size, title bar size,
projects/torbrowser/design/index.html.en    1087) system theme colors, and other desktop features that are not at all relevant
projects/torbrowser/design/index.html.en    1088) to rendering and serve only to provide information for fingerprinting.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1089) 
projects/en/torbrowser/design/index.html.en 1090)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1091) 
projects/en/torbrowser/design/index.html.en 1092) Our design goal here is to reduce the resolution information down to the bare
projects/en/torbrowser/design/index.html.en 1093) minimum required for properly rendering inside a content window. We intend to 
projects/en/torbrowser/design/index.html.en 1094) report all rendering information correctly with respect to the size and
projects/en/torbrowser/design/index.html.en 1095) properties of the content window, but report an effective size of 0 for all
projects/en/torbrowser/design/index.html.en 1096) border material, and also report that the desktop is only as big as the
projects/en/torbrowser/design/index.html.en 1097) inner content window. Additionally, new browser windows are sized such that 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1098) their content windows are one of a few fixed sizes based on the user's
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1099) desktop resolution. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1100) 
projects/en/torbrowser/design/index.html.en 1101)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1102) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1103) We have implemented the above strategy using a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l2004" target="_top">resize
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1104) new windows based on desktop resolution</a>. Additionally, we patch
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1105) Firefox to use the client content window size <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0022-Do-not-expose-physical-screen-info.-via-window-and-w.patch" target="_top">for
projects/torbrowser/design/index.html.en    1106) window.screen</a> and <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0010-Limit-device-and-system-specific-CSS-Media-Queries.patch" target="_top">for
projects/torbrowser/design/index.html.en    1107) CSS Media Queries</a>. Similarly, we <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0021-Return-client-window-coordinates-for-mouse-event-scr.patch" target="_top">patch
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1108) DOM events to return content window relative points</a>. We also patch
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1109) Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0023-Do-not-expose-system-colors-to-CSS-or-canvas.patch" target="_top">report
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1110) a fixed set of system colors to content window CSS</a>.
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1111) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1112)      </p><p>
projects/torbrowser/design/index.html.en    1113) 
projects/torbrowser/design/index.html.en    1114) To further reduce resolution-based fingerprinting, we are <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7256" target="_top">investigating
projects/torbrowser/design/index.html.en    1115) zoom/viewport-based mechanisms</a> that might allow us to always report
projects/torbrowser/design/index.html.en    1116) the same desktop resolution regardless of the actual size of the content
projects/torbrowser/design/index.html.en    1117) window, and simply scale to make up the difference. However, the complexity
projects/torbrowser/design/index.html.en    1118) and rendering impact of such a change are not yet known.
projects/torbrowser/design/index.html.en    1119) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1120)      </p></li><li class="listitem">User Agent and HTTP Headers
projects/torbrowser/design/index.html.en    1121)      <p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1122) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1123) All Tor Browser users MUST provide websites with an identical user agent and
projects/torbrowser/design/index.html.en    1124) HTTP header set for a given request type. We omit the Firefox minor revision,
projects/torbrowser/design/index.html.en    1125) and report a popular Windows platform. If the software is kept up to date,
projects/torbrowser/design/index.html.en    1126) these headers should remain identical across the population even when updated.
projects/torbrowser/design/index.html.en    1127) 
projects/torbrowser/design/index.html.en    1128)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1129) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1130) Firefox provides several options for controlling the browser user agent string
projects/torbrowser/design/index.html.en    1131) which we leverage. We also set similar prefs for controlling the
projects/torbrowser/design/index.html.en    1132) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1133) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch" target="_top">remove
projects/torbrowser/design/index.html.en    1134) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1135) used</a> to fingerprint OS, platform, and Firefox minor version.  </p></li><li class="listitem">Timezone and clock offset
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1136)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1137) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1138) All Tor Browser users MUST report the same timezone to websites. Currently, we
projects/torbrowser/design/index.html.en    1139) choose UTC for this purpose, although an equally valid argument could be made
projects/torbrowser/design/index.html.en    1140) for EDT/EST due to the large English-speaking population density (coupled with
projects/torbrowser/design/index.html.en    1141) the fact that we spoof a US English user agent).  Additionally, the Tor
projects/torbrowser/design/index.html.en    1142) software should detect if the user's clock is significantly divergent from the
projects/torbrowser/design/index.html.en    1143) clocks of the relays that it connects to, and use this to reset the clock
projects/torbrowser/design/index.html.en    1144) values used in Tor Browser to something reasonably accurate.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1145) 
projects/en/torbrowser/design/index.html.en 1146)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1147) 
projects/en/torbrowser/design/index.html.en 1148) We set the timezone using the TZ environment variable, which is supported on
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1149) all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652" target="_top">obtain a clock
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1150) offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in
projects/en/torbrowser/design/index.html.en 1151) use.
projects/en/torbrowser/design/index.html.en 1152) 
projects/en/torbrowser/design/index.html.en 1153)      </p></li><li class="listitem">Javascript performance fingerprinting
projects/en/torbrowser/design/index.html.en 1154)      <p>
projects/en/torbrowser/design/index.html.en 1155) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1156) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1157) fingerprinting</a> is the act of profiling the performance
projects/en/torbrowser/design/index.html.en 1158) of various Javascript functions for the purpose of fingerprinting the
projects/en/torbrowser/design/index.html.en 1159) Javascript engine and the CPU.
projects/en/torbrowser/design/index.html.en 1160) 
projects/en/torbrowser/design/index.html.en 1161)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1162) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1163) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1164) mitigation approaches</a> to reduce the accuracy of performance
projects/en/torbrowser/design/index.html.en 1165) fingerprinting without risking too much damage to functionality. Our current
projects/en/torbrowser/design/index.html.en 1166) favorite is to reduce the resolution of the Event.timeStamp and the Javascript
projects/en/torbrowser/design/index.html.en 1167) Date() object, while also introducing jitter. Our goal is to increase the
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1168) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al.</a> found that
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1169) even with the default precision in most browsers, they required up to 120
projects/en/torbrowser/design/index.html.en 1170) seconds of amortization and repeated trials to get stable results from their
projects/en/torbrowser/design/index.html.en 1171) feature set. We intend to work with the research community to establish the
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1172) optimum trade-off between quantization+jitter and amortization time.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1173) 
projects/en/torbrowser/design/index.html.en 1174) 
projects/en/torbrowser/design/index.html.en 1175)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1176) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1177) Currently, the only mitigation against performance fingerprinting is to
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1178) disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/" target="_top">Navigation
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1179) Timing</a> through the Firefox preference
projects/torbrowser/design/index.html.en    1180) <span class="command"><strong>dom.enable_performance</strong></span>.
projects/torbrowser/design/index.html.en    1181) 
projects/torbrowser/design/index.html.en    1182)      </p></li><li class="listitem">Non-Uniform HTML5 API Implementations
projects/torbrowser/design/index.html.en    1183)      <p>
projects/torbrowser/design/index.html.en    1184) 
projects/torbrowser/design/index.html.en    1185) At least two HTML5 features have different implementation status across the
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1186) major OS vendors: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery
projects/torbrowser/design/index.html.en    1187) API</a> and the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1188) Connection API</a>. We disable these APIs
projects/torbrowser/design/index.html.en    1189) through the Firefox preferences <span class="command"><strong>dom.battery.enabled</strong></span> and
projects/torbrowser/design/index.html.en    1190) <span class="command"><strong>dom.network.enabled</strong></span>. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1191) 
projects/en/torbrowser/design/index.html.en 1192)      </p></li><li class="listitem">Keystroke fingerprinting
projects/en/torbrowser/design/index.html.en 1193)      <p>
projects/en/torbrowser/design/index.html.en 1194) 
projects/en/torbrowser/design/index.html.en 1195) Keystroke fingerprinting is the act of measuring key strike time and key
projects/en/torbrowser/design/index.html.en 1196) flight time. It is seeing increasing use as a biometric.
projects/en/torbrowser/design/index.html.en 1197) 
projects/en/torbrowser/design/index.html.en 1198)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1199) 
projects/en/torbrowser/design/index.html.en 1200) We intend to rely on the same mechanisms for defeating Javascript performance
projects/en/torbrowser/design/index.html.en 1201) fingerprinting: timestamp quantization and jitter.
projects/en/torbrowser/design/index.html.en 1202) 
projects/en/torbrowser/design/index.html.en 1203)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1204) We have no implementation as of yet.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1205)      </p></li></ol></div></div><p>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1206) For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed" target="_top">tbb-fingerprinting tag in our bugtracker</a>.
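The timestamp quantization and jitter that the Javascript performance fingerprinting and keystroke fingerprinting items above name as their design goal can be illustrated as follows; this is an added JavaScript example, not Torbutton or Tor Browser code. The 100 ms grid, the random-midpoint jitter scheme, the non-cryptographic `keyedFraction` stand-in for a keyed PRF, and the keystroke sample are all assumptions of the example.

```javascript
// Added example: timestamp quantization with jitter (all names hypothetical).
// QUANTUM_MS is an assumed grid size; the design document does not fix one.
const QUANTUM_MS = 100;

// Stand-in keyed function mapping a grid-interval index to a fraction in
// [0, 1). It is a 32-bit integer mixer chosen to keep the example free of
// dependencies; a deployment would use a keyed cryptographic PRF (e.g. HMAC)
// with a secret that is fresh per session.
function keyedFraction(secret) {
  return function (index) {
    const lo = index | 0;                            // low 32 bits of the index
    const hi = Math.floor(index / 4294967296) | 0;   // high bits of the index
    let x = (secret ^ Math.imul(lo, 0x9e3779b1) ^ Math.imul(hi, 0x85ebca6b)) >>> 0;
    x = Math.imul(x ^ (x >>> 16), 0x85ebca6b) >>> 0;
    x = Math.imul(x ^ (x >>> 13), 0xc2b2ae35) >>> 0;
    x = (x ^ (x >>> 16)) >>> 0;
    return x / 4294967296;
  };
}

// Quantize trueMs to the grid, with jitter applied to *when* the reported
// value ticks rather than to the value itself:
//  - every grid interval gets a secret midpoint derived from its index;
//  - before the midpoint the lower grid edge is reported, after it the upper.
// Results stay on the grid, never go backwards as trueMs grows, and the same
// instant always maps to the same value, so averaging repeated reads does not
// cancel the jitter.
function reduceTimestamp(trueMs, fractionFor, quantumMs = QUANTUM_MS) {
  const index = Math.floor(trueMs / quantumMs);
  const lower = index * quantumMs;
  const midpoint = lower + fractionFor(index) * quantumMs;
  return trueMs < midpoint ? lower : lower + quantumMs;
}

// Wrap a clock source (Date.now, an event timestamp getter, ...) so callers
// only ever see reduced values. The clamp keeps the output monotonic even if
// the underlying source steps backwards.
function makeReducedClock(now, fractionFor, quantumMs = QUANTUM_MS) {
  let last = -Infinity;
  return function () {
    last = Math.max(last, reduceTimestamp(now(), fractionFor, quantumMs));
    return last;
  };
}

// Keystroke features as described in the keystroke item: strike time is how
// long a key is held, flight time is the gap between releasing one key and
// pressing the next. `stamp` is the function applied to every raw timestamp.
function keystrokeFeatures(events, stamp) {
  const strike = events.map((e) => stamp(e.up) - stamp(e.down));
  const flight = [];
  for (let i = 1; i < events.length; i++) {
    flight.push(stamp(events[i].down) - stamp(events[i - 1].up));
  }
  return { strike, flight };
}

// Constructed sample: three key presses with millisecond timestamps.
const SAMPLE_KEYS = [
  { key: 't', down: 1000.0, up: 1083.4 },
  { key: 'o', down: 1217.9, up: 1290.2 },
  { key: 'r', down: 1402.5, up: 1498.8 },
];

// What a page would measure without and with the reduction in place.
function compareKeystrokeViews(secret) {
  const raw = keystrokeFeatures(SAMPLE_KEYS, (t) => t);
  const fractionFor = keyedFraction(secret);
  const reduced = keystrokeFeatures(SAMPLE_KEYS, (t) => reduceTimestamp(t, fractionFor));
  return { raw, reduced };
}
```

With the reduction applied, every strike and flight value is a multiple of the grid size, so typists whose raw timings differ by tens of milliseconds become indistinguishable on these features.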
projects/torbrowser/design/index.html.en    1207)   </p></div><div class="sect2" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1208) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1209) In order to avoid long-term linkability, we provide a "New Identity" context
projects/torbrowser/design/index.html.en    1210) menu option in Torbutton. This context menu option is active if Torbutton can
projects/torbrowser/design/index.html.en    1211) read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1212) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1213)    </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5782640"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1214) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1215) All linkable identifiers and browser state MUST be cleared by this feature.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1216) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1217)     </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5783888"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1218) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1219) First, Torbutton disables Javascript in all open tabs and windows by using
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1220) both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a>
projects/torbrowser/design/index.html.en    1221) attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29" target="_top">nsIDOMWindowUtils.suppressEventHandling()</a>.
projects/torbrowser/design/index.html.en    1222) We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29" target="_top">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1223) We then clear the site-specific Zoom by temporarily disabling the preference
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1224) <span class="command"><strong>browser.zoom.siteSpecific</strong></span>, and clear the GeoIP wifi token URL
projects/torbrowser/design/index.html.en    1225) <span class="command"><strong>geo.wifi.access_token</strong></span> and the last opened URL prefs (if
projects/torbrowser/design/index.html.en    1226) they exist). Each tab is then closed.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1227) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1228)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1229) 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1230) After closing all tabs, we then emit "<a class="ulink" href="https://developer.mozilla.org/en-US/docs/Supporting_private_browsing_mode#Private_browsing_notifications" target="_top">browser:purge-session-history</a>"
projects/torbrowser/design/index.html.en    1231) (which instructs addons and various Firefox components to clear their session
projects/torbrowser/design/index.html.en    1232) state), and then manually clear the following state: searchbox and findbox
projects/torbrowser/design/index.html.en    1233) text, HTTP auth, SSL state, OCSP state, site-specific content preferences
projects/torbrowser/design/index.html.en    1234) (including HSTS state), content and image cache, offline cache, Cookies, DOM
projects/torbrowser/design/index.html.en    1235) storage, DOM local storage, the safe browsing key, and the Google wifi geolocation
projects/torbrowser/design/index.html.en    1236) token (if it exists). 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1237) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1238)      </p><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1239) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1240) After the state is cleared, we then close all remaining HTTP keep-alive
projects/torbrowser/design/index.html.en    1241) connections and then send the NEWNYM signal to the Tor control port to cause a
projects/torbrowser/design/index.html.en    1242) new circuit to be created.
projects/torbrowser/design/index.html.en    1243)      </p><p>
projects/torbrowser/design/index.html.en    1244) Finally, a fresh browser window is opened, and the current browser window is
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1245) closed (this does not spawn a new Firefox process, only a new window).
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1246)      </p></blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en    1247) If the user chose to "protect" any cookies by using the Torbutton Cookie
projects/torbrowser/design/index.html.en    1248) Protections UI, those cookies are not cleared as part of the above.
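The control-port step of the procedure above (authenticate, then send the NEWNYM signal) is shown here as an added JavaScript example; it is not Torbutton code and all function names are hypothetical. It assumes the control password is available as a plain string, abstracts the socket behind a synchronous `exchange` callback, and uses a constructed in-memory control port so that it runs offline.

```javascript
// Added example: the AUTHENTICATE / SIGNAL NEWNYM exchange on the Tor
// control port, with fail-closed handling of the replies.

// Encode a password as a control-protocol QuotedString. CR and LF are
// rejected so a password value can never smuggle a second command onto the
// control connection.
function quoteControlString(s) {
  if (/[\r\n]/.test(s)) {
    throw new Error('control password must not contain CR or LF');
  }
  return '"' + s.replace(/[\\"]/g, '\\$&') + '"';
}

// Split one reply line into its 3-digit status code, separator and text.
// ' ' marks the final line of a reply; '-' and '+' mark continuation lines.
function parseReplyLine(line) {
  const m = /^(\d{3})([ +-])(.*?)\r?\n?$/.exec(line);
  if (!m) throw new Error('malformed control reply: ' + JSON.stringify(line));
  return { code: Number(m[1]), final: m[2] === ' ', text: m[3] };
}

// Run AUTHENTICATE, then SIGNAL NEWNYM. `exchange(command)` sends one command
// and returns the final reply line. Any status other than 250 aborts, so the
// caller never treats a failed request as a fresh identity.
function requestNewIdentity(password, exchange) {
  const steps = [
    ['AUTHENTICATE', 'AUTHENTICATE ' + quoteControlString(password) + '\r\n'],
    ['SIGNAL NEWNYM', 'SIGNAL NEWNYM\r\n'],
  ];
  for (const [name, command] of steps) {
    const reply = parseReplyLine(exchange(command));
    if (!reply.final || reply.code !== 250) {
      throw new Error(name + ' rejected: ' + reply.code + ' ' + reply.text);
    }
  }
  return true;
}

// Constructed stand-in for a Tor control port. It knows only the two
// commands used here, and its reply texts are illustrative; the example
// depends on the status codes alone.
function makeFakeControlPort(expectedPassword) {
  let authenticated = false;
  const log = [];
  function exchange(command) {
    log.push(command);
    if (command === 'AUTHENTICATE ' + quoteControlString(expectedPassword) + '\r\n') {
      authenticated = true;
      return '250 OK\r\n';
    }
    if (command.startsWith('AUTHENTICATE ')) return '515 Bad authentication\r\n';
    if (!authenticated) return '514 Authentication required\r\n';
    if (command === 'SIGNAL NEWNYM\r\n') return '250 OK\r\n';
    return '510 Unrecognized command\r\n';
  }
  return { exchange, log };
}
```

In the sequence described above, a caller would invoke `requestNewIdentity` only after state has been cleared and keep-alive connections closed, and would open the fresh window only if it returns without throwing.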
Mike Perry TBB design doc: Make sectio...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1249)     </blockquote></div></div></div><div class="sect2" title="4.8. Other Security Measures"><div class="titlepage"><div><div><h3 class="title"><a id="other-security"></a>4.8. Other Security Measures</h3></div></div></div><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1250) 
projects/torbrowser/design/index.html.en    1251) In addition to the above mechanisms that are devoted to preserving privacy
projects/torbrowser/design/index.html.en    1252) while browsing, we also have a number of technical mechanisms to address other
projects/torbrowser/design/index.html.en    1253) privacy and security issues.
projects/torbrowser/design/index.html.en    1254) 
projects/torbrowser/design/index.html.en    1255)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="traffic-fingerprinting-defenses"></a><span class="command"><strong>Website Traffic Fingerprinting Defenses</strong></span><p>
projects/torbrowser/design/index.html.en    1256) 
projects/torbrowser/design/index.html.en    1257) <a class="link" href="#website-traffic-fingerprinting">Website Traffic
projects/torbrowser/design/index.html.en    1258) Fingerprinting</a> is a statistical attack that attempts to recognize specific
projects/torbrowser/design/index.html.en    1259) encrypted website activity.
projects/torbrowser/design/index.html.en    1260) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1261)      </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5797920"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1262) 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1263) We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1264) for classification. This mechanism would either impact the true and false
projects/torbrowser/design/index.html.en    1265) positive accuracy rates, <span class="emphasis"><em>or</em></span> reduce the number of webpages
projects/torbrowser/design/index.html.en    1266) that could be classified at a given accuracy rate.
projects/torbrowser/design/index.html.en    1267) 
projects/torbrowser/design/index.html.en    1268)      </p><p>
projects/torbrowser/design/index.html.en    1269) 
projects/torbrowser/design/index.html.en    1270) Ideally, this mechanism would be as light-weight as possible, and would be
projects/torbrowser/design/index.html.en    1271) tunable in terms of overhead. We suspect that it may even be possible to
projects/torbrowser/design/index.html.en    1272) deploy a mechanism that reduces feature extraction resolution without any
projects/torbrowser/design/index.html.en    1273) network overhead. In the no-overhead category, we have <a class="ulink" href="http://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf" target="_top">HTTPOS</a> and
projects/torbrowser/design/index.html.en    1274) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">better
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1275) use of HTTP pipelining and/or SPDY</a>. 
projects/torbrowser/design/index.html.en    1276) In the tunable/low-overhead
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1277) category, we have <a class="ulink" href="http://freehaven.net/anonbib/cache/ShWa-Timing06.pdf" target="_top">Adaptive
projects/torbrowser/design/index.html.en    1278) Padding</a> and <a class="ulink" href="http://www.cs.sunysb.edu/~xcai/fp.pdf" target="_top">
projects/torbrowser/design/index.html.en    1279) Congestion-Sensitive BUFLO</a>. It may also be possible to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7028" target="_top">tune such
projects/torbrowser/design/index.html.en    1280) defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1281) network, making them also effectively no-overhead.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1282) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1283)      </p></blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5804816"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1284) Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch" target="_top">randomize
projects/torbrowser/design/index.html.en    1285) pipeline order and depth</a>. Unfortunately, pipelining is very fragile.
projects/torbrowser/design/index.html.en    1286) Many sites do not support it, and even sites that advertise support for
projects/torbrowser/design/index.html.en    1287) pipelining may simply return error codes for successive requests, effectively
projects/torbrowser/design/index.html.en    1288) forcing the browser into non-pipelined behavior. Firefox also has code to back
projects/torbrowser/design/index.html.en    1289) off and reduce or eliminate the pipeline if this happens. These
projects/torbrowser/design/index.html.en    1290) shortcomings and fallback behaviors are the primary reason that Google
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1291) developed SPDY as opposed to simply extending HTTP to improve pipelining. It
projects/torbrowser/design/index.html.en    1292) turns out that we could actually deploy exit-side proxies that allow us to
projects/torbrowser/design/index.html.en    1293) <a class="ulink" href="https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/ideas/xxx-using-spdy.txt" target="_top">use
projects/torbrowser/design/index.html.en    1294) SPDY from the client to the exit node</a>. This would make our defense not
projects/torbrowser/design/index.html.en    1295) only free, but one that actually <span class="emphasis"><em>improves</em></span> performance.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1296) 
projects/torbrowser/design/index.html.en    1297)      </p><p>
projects/torbrowser/design/index.html.en    1298) 
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1299) Knowing this, we created this defense as an <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1300) research prototype</a> to help evaluate what could be done in the best
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1301) case with full server support. Unfortunately, the bias in favor of compelling
projects/torbrowser/design/index.html.en    1302) attack papers has caused academia to ignore this request thus far, instead
projects/torbrowser/design/index.html.en    1303) publishing only cursory (yet "devastating") evaluations that fail to provide
projects/torbrowser/design/index.html.en    1304) even simple statistics such as the rates of actual pipeline utilization during
projects/torbrowser/design/index.html.en    1305) their evaluations, in addition to the other shortcomings and shortcuts <a class="link" href="#website-traffic-fingerprinting">mentioned earlier</a>. We can
projects/torbrowser/design/index.html.en    1306) accept that our defense might fail to work as well as others (in fact we
projects/torbrowser/design/index.html.en    1307) expect it), but unfortunately the very same shortcuts that provide excellent
projects/torbrowser/design/index.html.en    1308) attack results also allow the conclusion that all defenses are broken forever.
projects/torbrowser/design/index.html.en    1309) So sadly, we are still left in the dark on this point.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1310) 
projects/torbrowser/design/index.html.en    1311)      </p></blockquote></div></div></li><li class="listitem"><span class="command"><strong>Privacy-preserving update notification</strong></span><p>
projects/torbrowser/design/index.html.en    1312) 
projects/torbrowser/design/index.html.en    1313) In order to inform the user when their Tor Browser is out of date, we perform a
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1314) privacy-preserving update check asynchronously in the background. The
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1315) check uses Tor to download the file <a class="ulink" href="https://check.torproject.org/RecommendedTBBVersions" target="_top">https://check.torproject.org/RecommendedTBBVersions</a>
projects/torbrowser/design/index.html.en    1316) and searches that version list for the current value for the local preference
projects/torbrowser/design/index.html.en    1317) <span class="command"><strong>torbrowser.version</strong></span>. If the value from our preference is
projects/torbrowser/design/index.html.en    1318) present in the recommended version list, the check is considered to have
projects/torbrowser/design/index.html.en    1319) succeeded and the user is up to date. If not, it is considered to have failed
projects/torbrowser/design/index.html.en    1320) and an update is needed. The check is triggered upon browser launch, new
projects/torbrowser/design/index.html.en    1321) window, and new tab, but is rate limited so as to happen no more frequently
projects/torbrowser/design/index.html.en    1322) than once every 1.5 hours.
projects/torbrowser/design/index.html.en    1323) 
projects/torbrowser/design/index.html.en    1324)      </p><p>
projects/torbrowser/design/index.html.en    1325) 
projects/torbrowser/design/index.html.en    1326) If the check fails, we cache this fact, and update the Torbutton graphic to
projects/torbrowser/design/index.html.en    1327) display a flashing warning icon and insert a menu option that provides a link
projects/torbrowser/design/index.html.en    1328) to our download page. Additionally, we reset the value for the browser
projects/torbrowser/design/index.html.en    1329) homepage to point to a <a class="ulink" href="https://check.torproject.org/?lang=en-US&amp;small=1&amp;uptodate=0" target="_top">page that
projects/torbrowser/design/index.html.en    1330) informs the user</a> that their browser is out of
projects/torbrowser/design/index.html.en    1331) date.
projects/torbrowser/design/index.html.en    1332) 
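     </p><p>
The check described in this item, as an added JavaScript example (not Torbutton's code). It assumes the list is a JSON array of version strings; the function names, the injected download and clock callbacks, the version strings, and the handling of a failed download are constructed for illustration.

```javascript
// Added example, not Torbutton code. Assumed: JSON-array list format, names,
// constructed version strings, and the handling of failed downloads.
const CHECK_INTERVAL_MS = 1.5 * 60 * 60 * 1000; // no more than one check per 1.5 hours

// Parse the downloaded list; reject anything that is not an array of strings.
function parseRecommendedVersions(body) {
  const list = JSON.parse(body);
  if (!Array.isArray(list) || !list.every((v) => typeof v === 'string')) {
    throw new Error('unexpected version list format');
  }
  return list;
}

// localVersion: value of the torbrowser.version preference.
// download: returns the list body (fetched over Tor in the real browser).
// now: returns the current time in milliseconds.
function createUpdateChecker({ localVersion, download, now }) {
  let lastAttempt = null; // time of the last download attempt
  let outOfDate = false;  // cached result of the last completed check
  let downloads = 0;      // number of download attempts made

  // Called on browser launch, new window and new tab.
  function onTrigger() {
    const t = now();
    if (lastAttempt !== null && t - lastAttempt < CHECK_INTERVAL_MS) {
      return { ran: false, error: false, outOfDate, downloads };
    }
    lastAttempt = t; // stamp before downloading so failures are rate limited too
    downloads += 1;
    try {
      const recommended = parseRecommendedVersions(download());
      // Exact element match. A substring search over the raw body would find
      // "2.3.25-1" inside "2.3.25-13" and report an old build as current.
      outOfDate = !recommended.includes(localVersion);
      return { ran: true, error: false, outOfDate, downloads };
    } catch (err) {
      // Assumed policy: a failed or malformed download keeps the cached result.
      return { ran: true, error: true, outOfDate, downloads };
    }
  }
  return { onTrigger };
}

// Constructed scenario: launch, a new tab ten minutes later, then a trigger
// after the interval has passed and the list has changed.
function updateCheckDemo() {
  let clock = 0;
  let body = JSON.stringify(['2.3.25-13', '2.4.17-1']);
  const checker = createUpdateChecker({
    localVersion: '2.3.25-1',
    download: () => body,
    now: () => clock,
  });
  const launch = checker.onTrigger();
  clock += 10 * 60 * 1000;
  const newTab = checker.onTrigger();
  clock += CHECK_INTERVAL_MS;
  body = JSON.stringify(['2.3.25-1', '2.3.25-13']);
  const later = checker.onTrigger();
  return { launch, newTab, later };
}
```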
projects/torbrowser/design/index.html.en    1333)      </p></li></ol></div></div><div class="sect2" title="4.9. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"></a>4.9. Description of Firefox Patches</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1334) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1335) The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/maint-2.4:/src/current-patches/firefox" target="_top">current-patches directory of the torbrowser git repository</a>. They are:
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1336) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1337)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch" target="_top">Block
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1338) Components.interfaces</a><p>
projects/torbrowser/design/index.html.en    1339) 
projects/torbrowser/design/index.html.en    1340) In order to reduce fingerprinting, we block access to this interface from
projects/torbrowser/design/index.html.en    1341) content script. Components.interfaces can be used for fingerprinting the
projects/torbrowser/design/index.html.en    1342) platform, OS, and Firefox version, but not much else.
projects/torbrowser/design/index.html.en    1343) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1344)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch" target="_top">Make
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1345) Permissions Manager memory only</a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1346) 
projects/en/torbrowser/design/index.html.en 1347) This patch exposes a pref 'permissions.memory_only' that properly isolates the
projects/en/torbrowser/design/index.html.en 1348) permissions manager to memory, which is responsible for all user specified
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1349) site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1350) policy from visited sites.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1351) 
projects/en/torbrowser/design/index.html.en 1352) The pref does successfully clear the permissions manager memory if toggled. It
projects/en/torbrowser/design/index.html.en 1353) does not need to be set in prefs.js, and can be handled by Torbutton.
projects/en/torbrowser/design/index.html.en 1354) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1355)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">Make
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1356) Intermediate Cert Store memory-only</a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1357) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1358) The intermediate certificate store records the intermediate SSL certificates
projects/torbrowser/design/index.html.en    1359) the browser has seen to date. Because these intermediate certificates are used 
projects/torbrowser/design/index.html.en    1360) by a limited number of domains (and in some cases, only a single domain),
projects/torbrowser/design/index.html.en    1361) the intermediate certificate store can serve as a low-resolution record of
projects/torbrowser/design/index.html.en    1362) browsing history.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1363) 
projects/en/torbrowser/design/index.html.en 1364)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1365) 
projects/en/torbrowser/design/index.html.en 1366) As an additional design goal, we would like to later alter this patch to allow this
projects/en/torbrowser/design/index.html.en 1367) information to be cleared from memory. The implementation does not currently
projects/en/torbrowser/design/index.html.en 1368) allow this.
projects/en/torbrowser/design/index.html.en 1369) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1370)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch" target="_top">Add
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1371) a string-based cacheKey property for domain isolation</a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1372) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1373) To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
projects/torbrowser/design/index.html.en    1374) security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1375) unknown conflicts with OCSP</a>, we had to patch
projects/torbrowser/design/index.html.en    1376) Firefox to provide a cacheDomain cache attribute. We use the url bar
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1377) FQDN as input to this field.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1378) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1379)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch" target="_top">Block
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1380) all plugins except flash</a><p>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1381) We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1" target="_top">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1382) @mozilla.org/extensions/blocklist;1</a> service, because we
projects/en/torbrowser/design/index.html.en 1383) actually want to stop plugins from ever entering the browser's process space
projects/en/torbrowser/design/index.html.en 1384) and/or executing code (for example, AV plugins that collect statistics/analyze
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1385) URLs, magical toolbars that phone home or "help" the user, Skype buttons that
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1386) ruin our day, and censorship filters). Hence we rolled our own.
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1387)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch" target="_top">Make content-prefs service memory only</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1388) This patch prevents random URLs from being inserted into content-prefs.sqlite in
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1389) the profile directory as content prefs change (includes site-zoom and perhaps
projects/en/torbrowser/design/index.html.en 1390) other site prefs?).
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1391)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0007-Make-Tor-Browser-exit-when-not-launched-from-Vidalia.patch" target="_top">Make Tor Browser exit when not launched from Vidalia</a><p>
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1392) 
projects/torbrowser/design/index.html.en    1393) It turns out that on Windows 7 and later systems, the Taskbar attempts to
projects/torbrowser/design/index.html.en    1394) automatically learn the most frequent apps used by the user, and it recognizes
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1395) Tor Browser as a separate app from Vidalia. This can cause users to try to
projects/torbrowser/design/index.html.en    1396) launch Tor Browser without Vidalia or a Tor instance running. Worse, the Tor
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1397) Browser will automatically find their default Firefox profile, and properly
projects/torbrowser/design/index.html.en    1398) connect directly without using Tor. This patch is a simple hack to cause Tor
projects/torbrowser/design/index.html.en    1399) Browser to immediately exit in this case.
projects/torbrowser/design/index.html.en    1400) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1401)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch" target="_top">Disable SSL Session ID tracking</a><p>
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1402) 
projects/torbrowser/design/index.html.en    1403) This patch is a simple 1-line hack to prevent SSL connections from caching
projects/torbrowser/design/index.html.en    1404) (and then later transmitting) their Session IDs. There was no preference to
projects/torbrowser/design/index.html.en    1405) govern this behavior, so we had to hack it by altering the SSL new connection
projects/torbrowser/design/index.html.en    1406) defaults.
projects/torbrowser/design/index.html.en    1407) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1408)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0009-Provide-an-observer-event-to-close-persistent-connec.patch" target="_top">Provide an observer event to close persistent connections</a><p>
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1409) 
projects/torbrowser/design/index.html.en    1410) This patch creates an observer event in the HTTP connection manager to close
projects/torbrowser/design/index.html.en    1411) all keep-alive connections that still happen to be open. This event is emitted
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1412) by the <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a> button.
projects/torbrowser/design/index.html.en    1413) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1414)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0010-Limit-device-and-system-specific-CSS-Media-Queries.patch" target="_top">Limit Device and System Specific Media Queries</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1415) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1416) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/Media_queries" target="_top">CSS
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1417) Media Queries</a> have a fingerprinting capability approaching that of
projects/torbrowser/design/index.html.en    1418) Javascript. This patch causes such Media Queries to evaluate as if the device
projects/torbrowser/design/index.html.en    1419) resolution was equal to the content window resolution.
projects/torbrowser/design/index.html.en    1420) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1421)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0011-Limit-the-number-of-fonts-per-document.patch" target="_top">Limit the number of fonts per document</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1422) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1423) Font availability can be <a class="ulink" href="http://flippingtypical.com/" target="_top">queried by
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1424) CSS and Javascript</a> and is a fingerprinting vector. This patch limits
projects/torbrowser/design/index.html.en    1425) the number of times CSS and Javascript can cause font-family rules to
projects/torbrowser/design/index.html.en    1426) evaluate. Remote @font-face fonts are exempt from the limits imposed by this
projects/torbrowser/design/index.html.en    1427) patch, and remote fonts are given priority over local fonts whenever both
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1428) appear in the same font-family rule. We do this by explicitly altering the
projects/torbrowser/design/index.html.en    1429) nsRuleNode rule representation itself to remove the local font families before
projects/torbrowser/design/index.html.en    1430) the rule hits the font renderer.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1431) 
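     </p><p>
A model of the font rule filtering described above, as an added JavaScript example (not the patch's code). The per-document budget of three local lookups, the function names and the font names are assumptions chosen for illustration.

```javascript
// Added example, not the Firefox patch. Assumed: names, the budget value,
// and counting the budget per local family lookup.

// Split a font-family value into family names, dropping quotes and whitespace.
function parseFamilies(value) {
  return value
    .split(',')
    .map((f) => f.trim().replace(/^["']|["']$/g, ''))
    .filter((f) => f.length > 0);
}

// remoteFamilies: families the document declared with a remote @font-face.
// maxLocalLookups: how many local families one document may ask about.
function createFontLimiter({ remoteFamilies, maxLocalLookups }) {
  const remote = new Set(remoteFamilies.map((f) => f.toLowerCase()));
  let localLookups = 0;

  // Returns the family list that is allowed to reach the font renderer.
  function filterRule(value) {
    const families = parseFamilies(value);
    const remoteInRule = families.filter((f) => remote.has(f.toLowerCase()));
    if (remoteInRule.length > 0) {
      // Remote fonts take priority: local families are removed from the rule,
      // and remote fonts are exempt from the budget.
      return remoteInRule;
    }
    const allowed = [];
    for (const family of families) {
      if (localLookups >= maxLocalLookups) break; // budget spent: nothing more is revealed
      localLookups += 1;
      allowed.push(family);
    }
    return allowed;
  }
  return { filterRule, used: () => localLookups };
}

// Constructed scenario: a page tests six local fonts one rule at a time.
function fontProbeDemo() {
  const limiter = createFontLimiter({ remoteFamilies: ['SiteSans'], maxLocalLookups: 3 });
  const mixedBefore = limiter.filterRule('SiteSans, Arial');
  const candidates = ['Arial', 'Calibri', 'Helvetica Neue', 'Ubuntu', 'Menlo', 'Segoe UI'];
  const reached = candidates.map((name) => limiter.filterRule('"' + name + '"'));
  const mixedAfter = limiter.filterRule("'SiteSans', Menlo");
  return { mixedBefore, reached, mixedAfter, used: limiter.used() };
}
```

Only the first three candidates reach the renderer, so the page learns about three local fonts instead of six, while the site's own remote font keeps working after the budget is spent.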
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1432)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0012-Rebrand-Firefox-to-TorBrowser.patch" target="_top">Rebrand Firefox to Tor Browser</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1433) 
projects/torbrowser/design/index.html.en    1434) This patch updates our branding in compliance with Mozilla's trademark policy.
projects/torbrowser/design/index.html.en    1435) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1436)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch" target="_top">Make Download Manager Memory Only</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1437) 
projects/torbrowser/design/index.html.en    1438) This patch prevents disk leaks from the download manager. The original
projects/torbrowser/design/index.html.en    1439) behavior is to write the download history to disk and then delete it, even if
projects/torbrowser/design/index.html.en    1440) you disable download history from your Firefox preferences.
projects/torbrowser/design/index.html.en    1441) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1442)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0014-Add-DDG-and-StartPage-to-Omnibox.patch" target="_top">Add DDG and StartPage to Omnibox</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1443) 
projects/torbrowser/design/index.html.en    1444) This patch adds DuckDuckGo and StartPage to the Search Box, and sets our
projects/torbrowser/design/index.html.en    1445) default search engine to StartPage. We deployed this patch due to excessive
projects/torbrowser/design/index.html.en    1446) Captchas and complete 403 bans from Google.
projects/torbrowser/design/index.html.en    1447) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1448)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0015-Make-nsICacheService.EvictEntries-synchronous.patch" target="_top">Make nsICacheService.EvictEntries() Synchronous</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1449) 
projects/torbrowser/design/index.html.en    1450) This patch eliminates a race condition with "New Identity". Without it,
projects/torbrowser/design/index.html.en    1451) cache-based Evercookies survive for up to a minute after clearing the cache
projects/torbrowser/design/index.html.en    1452) on some platforms.
projects/torbrowser/design/index.html.en    1453) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1454)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0016-Prevent-WebSocket-DNS-leak.patch" target="_top">Prevent WebSockets DNS Leak</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1455) 
projects/torbrowser/design/index.html.en    1456) This patch prevents a DNS leak when using WebSockets. It also prevents other
projects/torbrowser/design/index.html.en    1457) similar types of DNS leaks.
projects/torbrowser/design/index.html.en    1458) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1459)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch" target="_top">Randomize HTTP pipeline order and depth</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1460) As an 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1461) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1462) defense against Website Traffic Fingerprinting</a>, we patch the standard
projects/torbrowser/design/index.html.en    1463) HTTP pipelining code to randomize the number of requests in a
projects/torbrowser/design/index.html.en    1464) pipeline, as well as their order.
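     </p><p>
A sketch of the idea, as an added JavaScript example (not the patch's code): pending requests are shuffled, then cut into pipelines of random depth. The depth bounds, the function names and the request names are assumptions; the random source is injected so the behaviour can be checked with fixed values.

```javascript
// Added example, not the Firefox patch. Assumed: names and depth bounds.

// Returns the pending requests as a list of pipelines. Every request appears
// exactly once; only the order and the grouping vary from call to call.
function planPipelines(requests, { minDepth, maxDepth }, rng = Math.random) {
  if (!Number.isInteger(minDepth) || !Number.isInteger(maxDepth) ||
      minDepth < 1 || maxDepth < minDepth) {
    throw new RangeError('need 1 <= minDepth <= maxDepth');
  }
  const queue = requests.slice();
  // Fisher-Yates shuffle: randomize the request order.
  for (let i = queue.length - 1; i > 0; i -= 1) {
    const j = Math.floor(rng() * (i + 1));
    const tmp = queue[i];
    queue[i] = queue[j];
    queue[j] = tmp;
  }
  // Randomize the number of requests placed in each pipeline.
  const pipelines = [];
  while (queue.length > 0) {
    const depth = minDepth + Math.floor(rng() * (maxDepth - minDepth + 1));
    pipelines.push(queue.splice(0, depth));
  }
  return pipelines;
}

// Replays fixed values in place of a random source (for checking by hand).
function scriptedRng(values) {
  let i = 0;
  return () => values[i++ % values.length];
}

// Constructed scenario: the same page fetched twice gives the same set of
// requests in a different order and grouping on the wire.
function pipelineDemo() {
  const page = ['/index.html', '/style.css', '/app.js', '/logo.png', '/font.woff'];
  const bounds = { minDepth: 1, maxDepth: 3 };
  return { firstLoad: planPipelines(page, bounds), secondLoad: planPipelines(page, bounds) };
}
```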
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1465)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0018-Emit-observer-event-to-filter-the-Drag-Drop-url-list.patch" target="_top">Emit
projects/torbrowser/design/index.html.en    1466) an observer event to filter the Drag and Drop URL list</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1467) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1468) This patch allows us to block external Drag and Drop events from Torbutton.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1469) We need to block Drag and Drop because Mac OS and Ubuntu both immediately load
projects/torbrowser/design/index.html.en    1470) any URLs they find in your drag buffer before you even drop them (without
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1471) using your browser's proxy settings, of course). This can lead to proxy bypass
projects/torbrowser/design/index.html.en    1472) during user activity that is as basic as holding down the mouse button for
projects/torbrowser/design/index.html.en    1473) slightly too long while clicking on an image link.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1474) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1475)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0019-Add-mozIThirdPartyUtil.getFirstPartyURI-API.patch" target="_top">Add mozIThirdPartyUtil.getFirstPartyURI() API</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1476) 
projects/torbrowser/design/index.html.en    1477) This patch provides an API that allows us to more easily isolate identifiers
projects/torbrowser/design/index.html.en    1478) to the URL bar domain.
projects/torbrowser/design/index.html.en    1479) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1480)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0020-Add-canvas-image-extraction-prompt.patch" target="_top">Add canvas image extraction prompt</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1481) 
projects/torbrowser/design/index.html.en    1482) This patch prompts the user before returning canvas image data. Canvas image
projects/torbrowser/design/index.html.en    1483) data can be used to create an extremely stable, high-entropy fingerprint based
projects/torbrowser/design/index.html.en    1484) on the unique rendering behavior of video cards, OpenGL behavior,
projects/torbrowser/design/index.html.en    1485) system fonts, and supporting library versions.
projects/torbrowser/design/index.html.en    1486) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1487)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0021-Return-client-window-coordinates-for-mouse-event-scr.patch" target="_top">Return client window coordinates for mouse events</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1488) 
projects/torbrowser/design/index.html.en    1489) This patch causes mouse events to return coordinates relative to the content
projects/torbrowser/design/index.html.en    1490) window instead of the desktop.
projects/torbrowser/design/index.html.en    1491) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1492)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0022-Do-not-expose-physical-screen-info.-via-window-and-w.patch" target="_top">Do not expose physical screen info to window.screen</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1493) 
projects/torbrowser/design/index.html.en    1494) This patch causes window.screen to return the display resolution size of the
projects/torbrowser/design/index.html.en    1495) content window instead of the desktop resolution size.
projects/torbrowser/design/index.html.en    1496) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1497)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0023-Do-not-expose-system-colors-to-CSS-or-canvas.patch" target="_top">Do not expose system colors to CSS or canvas</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1498) 
projects/torbrowser/design/index.html.en    1499) This patch prevents CSS and Javascript from discovering your desktop color
projects/torbrowser/design/index.html.en    1500) scheme and/or theme.
projects/torbrowser/design/index.html.en    1501) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1502)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0024-Isolate-the-Image-Cache-per-url-bar-domain.patch" target="_top">Isolate the Image Cache per url bar domain</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1503) 
projects/torbrowser/design/index.html.en    1504) This patch prevents cached images from being used to store third party tracking
projects/torbrowser/design/index.html.en    1505) identifiers.
projects/torbrowser/design/index.html.en    1506) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1507)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0025-nsIHTTPChannel.redirectTo-API.patch" target="_top">nsIHTTPChannel.redirectTo() API</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1508) 
projects/torbrowser/design/index.html.en    1509) This patch provides HTTPS-Everywhere with an API to perform redirections more
projects/torbrowser/design/index.html.en    1510) securely and without addon conflicts.
projects/torbrowser/design/index.html.en    1511) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1512)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0026-Isolate-DOM-storage-to-first-party-URI.patch" target="_top">Isolate DOM Storage to first party URI</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1513) 
projects/torbrowser/design/index.html.en    1514) This patch prevents DOM Storage from being used to store third party tracking
projects/torbrowser/design/index.html.en    1515) identifiers.
projects/torbrowser/design/index.html.en    1516) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1517)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0027-Remove-This-plugin-is-disabled-barrier.patch" target="_top">Remove
projects/torbrowser/design/index.html.en    1518) "This plugin is disabled" barrier</a><p>
projects/torbrowser/design/index.html.en    1519) 
projects/torbrowser/design/index.html.en    1520) This patch removes a barrier that was informing users that plugins were
projects/torbrowser/design/index.html.en    1521) disabled and providing them with a link to enable them. We felt this was poor
projects/torbrowser/design/index.html.en    1522) user experience, especially since the barrier was displayed even for sites
projects/torbrowser/design/index.html.en    1523) with dual Flash+HTML5 video players, such as YouTube.
projects/torbrowser/design/index.html.en    1524) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1525)      </p></li></ol></div></div></div><div class="appendix" title="A. Towards Transparency in Navigation Tracking"><h2 class="title" style="clear: both"><a id="Transparency"></a>A. Towards Transparency in Navigation Tracking</h2><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1526) 
projects/torbrowser/design/index.html.en    1527) The <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy properties</a> of Tor Browser are based
projects/torbrowser/design/index.html.en    1528) upon the assumption that link-click navigation indicates user consent to
projects/torbrowser/design/index.html.en    1529) tracking between the linking site and the destination site.  While this
projects/torbrowser/design/index.html.en    1530) definition is sufficient to allow us to eliminate cross-site third party
projects/torbrowser/design/index.html.en    1531) tracking with only minimal site breakage, it is our long-term goal to further
projects/torbrowser/design/index.html.en    1532) reduce cross-origin click navigation tracking to mechanisms that are
projects/torbrowser/design/index.html.en    1533) detectable by attentive users, so they can alert the general public if
projects/torbrowser/design/index.html.en    1534) cross-origin click navigation tracking is happening where it should not be.
projects/torbrowser/design/index.html.en    1535) 
projects/torbrowser/design/index.html.en    1536) </p><p>
projects/torbrowser/design/index.html.en    1537) 
projects/torbrowser/design/index.html.en    1538) In an ideal world, the mechanisms of tracking that can be employed during a
projects/torbrowser/design/index.html.en    1539) link click would be limited to the contents of URL parameters and other
projects/torbrowser/design/index.html.en    1540) properties that are fully visible to the user before they click. However, the
projects/torbrowser/design/index.html.en    1541) entrenched nature of certain archaic web features makes it impossible for us to
projects/torbrowser/design/index.html.en    1542) achieve this transparency goal by ourselves without substantial site breakage.
projects/torbrowser/design/index.html.en    1543) So, instead we maintain a <a class="link" href="#deprecate" title="A.1. Deprecation Wishlist">Deprecation
projects/torbrowser/design/index.html.en    1544) Wishlist</a> of archaic web technologies that are currently being (ab)used
projects/torbrowser/design/index.html.en    1545) to facilitate federated login and other legitimate click-driven cross-domain
projects/torbrowser/design/index.html.en    1546) activity but that can one day be replaced with more privacy-friendly,
projects/torbrowser/design/index.html.en    1547) auditable alternatives.
projects/torbrowser/design/index.html.en    1548) 
projects/torbrowser/design/index.html.en    1549) </p><p>
projects/torbrowser/design/index.html.en    1550) 
projects/torbrowser/design/index.html.en    1551) Because the total elimination of side channels during cross-origin navigation
projects/torbrowser/design/index.html.en    1552) will undoubtedly break federated login as well as destroy ad revenue, we
projects/torbrowser/design/index.html.en    1553) also describe auditable alternatives and promising web draft standards that would
projects/torbrowser/design/index.html.en    1554) preserve this functionality while still providing transparency when tracking is
projects/torbrowser/design/index.html.en    1555) occurring. 
projects/torbrowser/design/index.html.en    1556) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1557) </p><div class="sect1" title="A.1. Deprecation Wishlist"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="deprecate"></a>A.1. Deprecation Wishlist</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">The Referer Header
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1558)   <p>
projects/torbrowser/design/index.html.en    1559) 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1560) We haven't disabled or restricted the Referer ourselves because of the
projects/torbrowser/design/index.html.en    1561) non-trivial number of sites that rely on the Referer header to "authenticate"
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1562) image requests and deep-link navigation on their sites. Furthermore, there
projects/torbrowser/design/index.html.en    1563) seems to be no real privacy benefit to taking this action by itself in a
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1564) vacuum, because many sites have begun encoding Referer URL information into
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1565) GET parameters when they need it to cross http to https scheme transitions.
projects/torbrowser/design/index.html.en    1566) Google's +1 buttons are the best example of this activity.
projects/torbrowser/design/index.html.en    1567) 
projects/torbrowser/design/index.html.en    1568)   </p><p>
projects/torbrowser/design/index.html.en    1569) 
projects/torbrowser/design/index.html.en    1570) Because of the availability of these other explicit vectors, we believe the
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1571) main risk of the Referer header is through inadvertent and/or covert data
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1572) leakage.  In fact, <a class="ulink" href="http://www2.research.att.com/~bala/papers/wosn09.pdf" target="_top">a great deal of
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1573) personal data</a> is inadvertently leaked to third parties through the
projects/torbrowser/design/index.html.en    1574) source URL parameters. 
projects/torbrowser/design/index.html.en    1575) 
projects/torbrowser/design/index.html.en    1576)   </p><p>
projects/torbrowser/design/index.html.en    1577) 
projects/torbrowser/design/index.html.en    1578) We believe the Referer header should be made explicit. If a site wishes to
projects/torbrowser/design/index.html.en    1579) transmit its URL to third party content elements during load or during
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1580) link-click, it should have to specify this as a property of the associated HTML
projects/torbrowser/design/index.html.en    1581) tag. With an explicit property, it would then be possible for the user agent to
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1582) inform the user if they are about to click on a link that will transmit Referer
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1583) information (perhaps through something as subtle as a different color in the
projects/torbrowser/design/index.html.en    1584) lower toolbar for the destination URL). This same UI notification can also be
projects/torbrowser/design/index.html.en    1585) used for links with the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Element/a#Attributes" target="_top">"ping"</a>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1586) attribute.
projects/torbrowser/design/index.html.en    1587) 
projects/torbrowser/design/index.html.en    1588)   </p></li><li class="listitem">window.name
projects/torbrowser/design/index.html.en    1589)    <p>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1590) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1591) a DOM property that for some reason is allowed to retain a persistent value
projects/torbrowser/design/index.html.en    1592) for the lifespan of a browser tab. It is possible to utilize this property for
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1593) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1594) storage</a> during click navigation. This is sometimes used for additional
projects/torbrowser/design/index.html.en    1595) XSRF protection and federated login.
projects/torbrowser/design/index.html.en    1596)    </p><p>
projects/torbrowser/design/index.html.en    1597) 
projects/torbrowser/design/index.html.en    1598) It's our opinion that the contents of window.name should not be preserved for
projects/torbrowser/design/index.html.en    1599) cross-origin navigation, but doing so may break federated login for some sites.
projects/torbrowser/design/index.html.en    1600) 
projects/torbrowser/design/index.html.en    1601)    </p></li><li class="listitem">JavaScript link rewriting
projects/torbrowser/design/index.html.en    1602)    <p>
projects/torbrowser/design/index.html.en    1603) 
projects/torbrowser/design/index.html.en    1604) In general, it should not be possible for onclick handlers to alter the
projects/torbrowser/design/index.html.en    1605) navigation destination of 'a' tags, silently transform them into POST
projects/torbrowser/design/index.html.en    1606) requests, or otherwise create situations where a user believes they are
projects/torbrowser/design/index.html.en    1607) clicking on a link leading to one URL that ends up on another. This
projects/torbrowser/design/index.html.en    1608) functionality is deceptive and is frequently a vector for malware and phishing
projects/torbrowser/design/index.html.en    1609) attacks. Unfortunately, many legitimate sites also employ such transparent
projects/torbrowser/design/index.html.en    1610) link rewriting, and blanket disabling this functionality ourselves will simply
projects/torbrowser/design/index.html.en    1611) cause Tor Browser to fail to navigate properly on these sites.
projects/torbrowser/design/index.html.en    1612) 
projects/torbrowser/design/index.html.en    1613)    </p><p>
projects/torbrowser/design/index.html.en    1614) 
projects/torbrowser/design/index.html.en    1615) Automated cross-origin redirects are one form of this behavior that is
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1616) possible for us to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">address
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1617) ourselves</a>, as they are comparatively rare and can be handled with site
projects/torbrowser/design/index.html.en    1618) permissions.
projects/torbrowser/design/index.html.en    1619) 
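The Referer and window.name items above, modelled as an added example that is not part of the design document or of Tor Browser's code. The `sendReferer` link property is hypothetical (it stands in for the explicit property the text proposes), and the "legacy" mode is a simplification that always sends the full source URL.

```javascript
// Added example. `sendReferer` is a hypothetical opt-in link property standing in
// for the "explicit property" the text proposes; it is not a real HTML attribute.

// Names of the query parameters a full-URL Referer would disclose.
function exposedParams(url) {
  return Array.from(new URL(url).searchParams.keys());
}

// Model one link click.
//   tab:    { url, name }                 current page URL and window.name
//   link:   { href, sendReferer, ping }   ping is the URL from the "ping" attribute
//   policy: "legacy"   Referer always sent, window.name always kept (simplified)
//           "explicit" the behaviour the wishlist argues for
function navigate(tab, link, policy) {
  const crossOrigin = new URL(tab.url).origin !== new URL(link.href).origin;
  const explicit = policy === "explicit";

  // Explicit policy: the source URL leaves the page only if the link says so.
  const referer = explicit ? (link.sendReferer ? tab.url : null) : tab.url;

  // Explicit policy: window.name does not survive a cross-origin navigation.
  const name = explicit ? (crossOrigin ? "" : tab.name) : tab.name;

  // What the user agent could flag before the click (for example in the status bar).
  const disclosures = [];
  if (referer !== null) disclosures.push("referer");
  if (link.ping) disclosures.push("ping");

  return {
    tab: { url: link.href, name: name },
    referer: referer,
    leakedParams: referer === null ? [] : exposedParams(referer),
    disclosures: disclosures,
  };
}

// Constructed sample: a page whose URL carries personal data, in a tab that
// already holds an identifier in window.name.
function sampleTab() {
  const u = new URL("https://shop.example/account");
  u.searchParams.set("email", "alice@example.org");
  u.searchParams.set("order", "1234");
  return { url: u.href, name: "uid-7f3a" };
}

const adLink = { href: "https://ads.example/landing", sendReferer: false, ping: null };
console.log(navigate(sampleTab(), adLink, "legacy"));
console.log(navigate(sampleTab(), adLink, "explicit"));
```

Under the legacy policy the third-party destination learns both parameter names and inherits the tab's identifier; under the explicit policy it receives neither, and any link that does opt in shows up in `disclosures`.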
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1620)    </p></li></ol></div></div><div class="sect1" title="A.2. Promising Standards"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp5896048"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1621) 
projects/torbrowser/design/index.html.en    1622) Web-Send is a browser-based link sharing and federated login widget that is
projects/torbrowser/design/index.html.en    1623) designed to operate without relying on third-party tracking or abusing other
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1624) cross-origin link-click side channels. It has a compelling list of <a class="ulink" href="http://web-send.org/features.html" target="_top">privacy and security features</a>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1625) especially if used as a "Like button" replacement.
projects/torbrowser/design/index.html.en    1626) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1627)    </p></li><li class="listitem"><a class="ulink" href="https://developer.mozilla.org/en-US/docs/Persona" target="_top">Mozilla Persona</a><p>