7e670bf6e94bc9596c73c6823ebe92c36b2840f1
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"/></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"/>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Feb 23 2013</p></div></div><hr/></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#idp3348944">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. 
Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversarygoals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversarypositioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">4.8. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title"><a id="idp3348944"/>1. Introduction</h2></div></div></div><p>

This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the Tor Browser. It is current as of Tor Browser 2.3.25-4
and Torbutton 1.5.0.

  </p><p>

This document is also meant to serve as a set of design requirements and to
describe a reference implementation of a Private Browsing Mode that defends
against active network adversaries, in addition to the passive forensic local
adversary currently addressed by the major browsers.

  </p><div class="sect2" title="1.1. Browser Component Overview"><div class="titlepage"><div><div><h3 class="title"><a id="components"/>1.1. Browser Component Overview</h3></div></div></div><p>

The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/">Mozilla's Extended
Support Release (ESR) Firefox branch</a>. We have a <a class="link" href="#firefox-patches" title="4.8. Description of Firefox Patches">series of patches</a> against this browser to
enhance privacy and security. Browser behavior is additionally augmented
through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/master">Torbutton
extension</a>, though we are in the process of moving this
functionality into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js">change
a number of Firefox preferences</a> from their defaults.

   </p><p>

To help protect against potential Tor Exit Node eavesdroppers, we include
<a class="ulink" href="https://www.eff.org/https-everywhere">HTTPS-Everywhere</a>. To
provide users with optional defense-in-depth against Javascript and other
potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/">NoScript</a>. To protect against
PDF-based Tor proxy bypass and to improve usability, we include the <a class="ulink" href="https://addons.mozilla.org/en-us/firefox/addon/pdfjs/">PDF.JS</a>
extension. We also modify <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/extension-overrides.js">several
extension preferences</a> from their defaults.

   </p></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title"><a id="DesignRequirements"/>2. Design Requirements and Philosophy</h2></div></div></div><p>

The Tor Browser Design Requirements are meant to describe the properties of a
Private Browsing Mode that defends against both network and local forensic
adversaries.

  </p><p>

There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
minimum properties in order for a browser to be able to support Tor and
similar privacy proxies safely. Privacy requirements are the set of properties
that cause us to prefer one browser over another.

  </p><p>

While we will endorse the use of browsers that meet the security requirements,
it is primarily the privacy requirements that cause us to maintain our own
browser distribution.

  </p><p>

      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
      "OPTIONAL" in this document are to be interpreted as described in
      <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt">RFC 2119</a>.

  </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"/>2.1. Security Requirements</h3></div></div></div><p>

The security requirements are primarily concerned with ensuring the safe use
of Tor. Violations in these properties typically result in serious risk for
the user in terms of immediate deanonymization and/or observability. With
respect to browser support, security requirements are the minimum properties
in order for Tor to support the use of a particular browser.

   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy
Obedience</strong></span></a><p>The browser
MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="4.2. State Separation"><span class="command"><strong>State
Separation</strong></span></a><p>The browser MUST NOT provide any stored state to the content window
from other browsers or other browsing modes, including shared state from
plugins, machine identifiers, and TLS session state.
</p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance"><span class="command"><strong>Disk
Avoidance</strong></span></a><p>

The browser MUST NOT write any information that is derived from or that
reveals browsing activity to the disk, or store it in memory beyond the
duration of one browsing session, unless the user has explicitly opted to
store their browsing history information to disk.

</p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="4.4. Application Data Isolation"><span class="command"><strong>Application Data
Isolation</strong></span></a><p>

The components involved in providing private browsing MUST be self-contained,
or MUST provide a mechanism for rapid, complete removal of all evidence of the
use of the mode. In other words, the browser MUST NOT write or cause the
operating system to write <span class="emphasis"><em>any information</em></span> about the use
of private browsing to disk outside of the application's control. The user
must be able to ensure that secure deletion of the software is sufficient to
remove evidence of the use of the software. All exceptions and shortcomings
due to operating system behavior MUST be wiped by an uninstaller. However, due
to permissions issues with access to swap, implementations MAY choose to leave
it out of scope, and/or leave it to the Operating System/platform to implement
ephemeral-keyed encrypted swap.

</p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"/>2.2. Privacy Requirements</h3></div></div></div><p>

The privacy requirements are primarily concerned with reducing linkability:
the ability for a user's activity on one site to be linked with their activity
on another site without their knowledge or explicit consent. With respect to
browser support, privacy requirements are the set of properties that cause us
to prefer one browser over another.

   </p><p>

For the purposes of the unlinkability requirements of this section as well as
the descriptions in the <a class="link" href="#Implementation" title="4. Implementation">implementation
section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the
second-level DNS name. For example, for mail.google.com, the origin would be
google.com. Implementations MAY, at their option, restrict the url bar origin
to be the entire fully qualified domain name.

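As an added example (not Tor Browser or Torbutton code), the JavaScript below derives the url bar origin defined above and keys plugin exemptions by it, which is the per-url-bar-origin rule the Philosophy section later asks for. The names urlBarOrigin and PerOriginExemptions, the Map standing in for the browser's permission store, and the sample URLs are assumptions for illustration.

```javascript
// Added illustration, not code from Tor Browser or Torbutton.
// Assumptions: a Map stands in for the browser's permission store, and the
// names urlBarOrigin / PerOriginExemptions are invented for this example.

// Derive the "url bar origin" of a top-level document URL: at least the
// second-level DNS name (mail.google.com -> google.com), or the whole
// hostname when the implementation opts for the fully qualified domain name.
function urlBarOrigin(topLevelUrl, { fqdn = false } = {}) {
  const host = new URL(topLevelUrl).hostname.toLowerCase().replace(/\.$/, "");
  // IP literals carry no DNS hierarchy, so they are used whole.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return host;
  if (fqdn) return host;
  // Caveat: a plain "last two labels" rule lumps every site under a
  // multi-label public suffix (e.g. co.uk) into one origin; a production
  // implementation would consult the public suffix list instead.
  return host.split(".").slice(-2).join(".");
}

// Plugin (or window.plugins) exemptions scoped to the top-level url bar
// origin only, never to every site that embeds the same plugin object.
class PerOriginExemptions {
  constructor(options = {}) {
    this.options = options;
    this.allowed = new Map(); // url bar origin -> Set of plugin names
  }

  // The user clicked a click-to-play placeholder while at topLevelUrl.
  allow(topLevelUrl, plugin) {
    const origin = urlBarOrigin(topLevelUrl, this.options);
    if (!this.allowed.has(origin)) this.allowed.set(origin, new Set());
    this.allowed.get(origin).add(plugin);
    return origin;
  }

  // Whether a plugin object may run. The answer depends only on the url bar
  // origin of the top-level page, not on the origin that served the object,
  // so a third-party embed cannot carry an exemption across sites.
  isAllowed(topLevelUrl, plugin) {
    const set = this.allowed.get(urlBarOrigin(topLevelUrl, this.options));
    return set !== undefined && set.has(plugin);
  }

  // What a script reading window.plugins on this page should see: only the
  // plugins the user enabled for this url bar origin, so the list differs
  // between origins only by the user's own choices.
  pluginsVisibleTo(topLevelUrl) {
    const set = this.allowed.get(urlBarOrigin(topLevelUrl, this.options));
    return set === undefined ? [] : [...set].sort();
  }

  // "New Identity": drop every exemption along with the rest of the
  // linkable state, so the old and new sessions share nothing.
  clearAll() {
    this.allowed.clear();
  }
}

// Walk through the scenario from the text with constructed sample URLs.
function demo() {
  const store = new PerOriginExemptions();
  store.allow("https://mail.google.com/mail/u/0/", "flash");
  const result = {
    // Same url bar origin (google.com): the exemption applies.
    sameOrigin: store.isAllowed("https://docs.google.com/document/", "flash"),
    // A different url bar origin embedding the same plugin object: it does not.
    otherOrigin: store.isAllowed("https://example.net/embed", "flash"),
    visibleElsewhere: store.pluginsVisibleTo("https://example.net/embed"),
  };
  store.clearAll();
  result.afterNewIdentity = store.isAllowed("https://mail.google.com/", "flash");
  return result;
}
```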
   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
Identifier Unlinkability</strong></span></a><p>

User activity on one url bar origin MUST NOT be linkable to their activity in
any other url bar origin by any third party automatically or without user
interaction or approval. This requirement specifically applies to linkability
from stored browser identifiers, authentication tokens, and shared state. The
requirement does not apply to linkable information the user manually submits
to sites, or due to information submitted during manual link traversal. This
functionality SHOULD NOT interfere with interactive, click-driven federated
login in a substantial way.

  </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
Fingerprinting Unlinkability</strong></span></a><p>

User activity on one url bar origin MUST NOT be linkable to their activity in
any other url bar origin by any third party. This property specifically applies to
linkability from fingerprinting browser behavior.

  </p></li><li class="listitem"><a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><span class="command"><strong>Long-Term
Unlinkability</strong></span></a><p>

The browser SHOULD provide an obvious, easy way to remove all of its
authentication tokens and browser state and obtain a fresh identity.
Additionally, the browser SHOULD clear linkable state by default automatically
upon browser restart, except at user option.

  </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"/>2.3. Philosophy</h3></div></div></div><p>

In addition to the above design requirements, the technology decisions about
Tor Browser are also guided by some philosophical positions about technology.

   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>

The existing way that the user expects to use a browser must be preserved. If
the user has to maintain a different mental model of how the sites they are
using behave depending on tab, browser state, or anything else that would not
normally be what they experience in their default browser, the user will
inevitably be confused. They will make mistakes and reduce their privacy as a
result. Worse, they may just stop using the browser, assuming it is broken.

      </p><p>

User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton">failures
of Torbutton</a>: Even if users managed to install everything properly,
the toggle model was too hard for the average user to understand, especially
in the face of accumulating tabs from multiple states crossed with the current
tor-state of the browser.

      </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
break sites</strong></span><p>

In general, we try to find solutions to privacy issues that will not induce
site breakage, though this is not always possible.

      </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>

Even if plugins always properly used the browser proxy settings (which none of
them do) and could not be induced to bypass them (which all of them can), the
activities of closed-source plugins are very difficult to audit and control.
They can obtain and transmit all manner of system information to websites,
often have their own identifier storage for tracking users, and also
contribute to fingerprinting.

      </p><p>

Therefore, if plugins are to be enabled in private browsing modes, they must
be restricted from running automatically on every page (via click-to-play
placeholders), and/or be sandboxed to restrict the types of system calls they
can execute. If the user decides to craft an exemption to allow a plugin to be
used, it MUST only apply to the top level url bar domain, and not to all sites,
to reduce cross-origin fingerprinting linkability.

       </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>

<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100">Another
failure of Torbutton</a> was the options panel. Each option
that detectably alters browser behavior can be used as a fingerprinting tool.
Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html">SHOULD be
disabled in the mode</a> except as an opt-in basis. We SHOULD NOT load
system-wide and/or Operating System provided addons or plugins.

     </p><p>
Instead of global browser privacy options, privacy decisions SHOULD be made
<a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI">per
url bar origin</a> to eliminate the possibility of linkability
between domains. For example, when a plugin object (or a Javascript access of
window.plugins) is present in a page, the user should be given the choice of
allowing that plugin object for that url bar origin only. The same
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  205) goes for exemptions to third party cookie policy, geo-location, and any other
projects/en/torbrowser/design/index.html.en  206) privacy permissions.
projects/en/torbrowser/design/index.html.en  207)      </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     208) If the user has indicated they wish to record local history storage, these
projects/torbrowser/design/index.html.en     209) permissions can be written to disk. Otherwise, they MUST remain memory-only. 
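</p><p>
The per-url-bar-origin permission model described in this item and in the
plugin exemption rule above, as an added illustration that is not Tor Browser
or Firefox code: grants are keyed by the first-party origin shown in the url
bar and a permission kind, there is no global switch, and nothing reaches disk
unless the user opted in to recording history. The permission names, the
<code class="function">PrivacyPermissions</code> class and the on-disk JSON
layout are assumptions made for the example.
</p>

```python
"""Per-url-bar-origin privacy permissions, memory-only by default.

Added example illustrating the design principle; not Tor Browser or Firefox
code.  Permission names and the JSON file layout are assumptions.
"""
import json
from urllib.parse import urlsplit

# Permission kinds mentioned in the text; the string values are assumptions.
PLUGIN = "plugin"
THIRD_PARTY_COOKIES = "third-party-cookies"
GEOLOCATION = "geolocation"


def url_bar_origin(url):
    """scheme://host[:port] of the URL in the url bar, i.e. the first party."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


class PrivacyPermissions:
    """Permissions keyed by (url bar origin, kind); no global options.

    A grant made while siteX is in the url bar never applies while siteY is,
    so one site's exemption cannot be observed from another.  Grants live in
    memory only, unless the user chose to record history, in which case
    flush() may persist them to `path`.
    """

    def __init__(self, record_history=False, path=None):
        self.record_history = record_history
        self.path = path
        self._grants = set()  # {(origin, kind)}

    def grant(self, url_bar_url, kind):
        self._grants.add((url_bar_origin(url_bar_url), kind))

    def revoke(self, url_bar_url, kind):
        self._grants.discard((url_bar_origin(url_bar_url), kind))

    def is_allowed(self, url_bar_url, kind, resource_url=None):
        """Decide for a resource (plugin object, third-party cookie, ...)
        embedded in the page whose url bar shows `url_bar_url`.  Only the
        top-level origin is consulted; the resource's own origin is ignored
        on purpose, so a third party gets no per-site switch of its own."""
        return (url_bar_origin(url_bar_url), kind) in self._grants

    def clear(self):
        """Drop every grant at once (what a 'New Identity' would do)."""
        self._grants.clear()

    def flush(self):
        """Persist grants only if history recording is on; returns the number
        of grants written, 0 when the store stays memory-only."""
        if not self.record_history or self.path is None:
            return 0
        with open(self.path, "w", encoding="utf-8") as f:
            json.dump(sorted(self._grants), f)
        return len(self._grants)


if __name__ == "__main__":
    store = PrivacyPermissions()
    store.grant("https://siteX.com/article", PLUGIN)
    # Same plugin object served from an ad host: allowed under siteX only.
    print(store.is_allowed("https://siteX.com/other", PLUGIN,
                           resource_url="https://ads.example/player.swf"))  # True
    print(store.is_allowed("https://siteY.com/", PLUGIN,
                           resource_url="https://ads.example/player.swf"))  # False
    print(store.flush())  # 0: history recording is off, nothing written
```

<p>
The decisive choice is the key: the origin of the page in the url bar, not the
origin of the plugin or cookie being decided on. A store keyed by the
third party's origin would recreate exactly the cross-site linkage the item
warns about.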
     </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>

Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/">AdBlock
Plus</a>, <a class="ulink" href="http://requestpolicy.com/">Request Policy</a>,
<a class="ulink" href="http://www.ghostery.com/about">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/">Sharemenot</a> are to be
avoided. We believe that these addons do not add any real privacy to a proper
<a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, and that development efforts
should be focused on general solutions that prevent tracking by all
third parties, rather than a list of specific URLs or hosts.
     </p><p>
Filter-based addons can also introduce strange breakage and cause usability
nightmares, and will also fail to do their job if an adversary simply
registers a new domain or creates a new url path. Worse still, the unique
filter sets that each user creates or installs will provide a wealth of
fingerprinting targets.
      </p><p>

As a general matter, we are also opposed to shipping an always-on Ad
blocker with Tor Browser. We feel that this would damage our credibility in
terms of demonstrating that we are providing privacy through a sound design
alone, as well as damage the acceptance of Tor users by sites that support
themselves through advertising revenue.

      </p><p>
Users are free to install these addons if they wish, but doing
so is not recommended, as it will alter the browser request fingerprint.
      </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
We believe that if we do not stay current with the support of new web
technologies, we cannot hope to substantially influence or be involved in
their proper deployment or privacy realization. However, we will likely disable
high-risk features pending analysis, audit, and mitigation.
      </p></li></ol></div></div></div><div class="sect1" title="3. Adversary Model"><div class="titlepage"><div><div><h2 class="title"><a id="adversary"/>3. Adversary Model</h2></div></div></div><p>

A Tor web browser adversary has a number of goals, capabilities, and attack
types that can be used to illustrate the design requirements for the
Tor Browser. Let's start with the goals.

   </p><div class="sect2" title="3.1. Adversary Goals"><div class="titlepage"><div><div><h3 class="title"><a id="adversarygoals"/>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
Tor, causing the user to directly connect to an IP of the adversary's
choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
happily settle for the ability to correlate something a user did via Tor with
their non-Tor activity. This can be done with cookies, cache identifiers,
javascript events, and even CSS. Sometimes the fact that a user uses Tor may
be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
The adversary may also be interested in history disclosure: the ability to
query a user's history to see if they have issued certain censored search
queries, or visited censored sites.
     </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>

Location information such as timezone and locality can be useful for the
adversary to determine if a user is in fact originating from one of the
regions they are attempting to control, or to zero in on the geographical
location of a particular dissident or whistleblower.

     </p></li><li class="listitem"><span class="command"><strong>Correlate activity across multiple sites</strong></span><p>

The primary goal of the advertising networks is to know that the user who
visited siteX.com is the same user that visited siteY.com to serve them
targeted ads. The advertising networks become our adversary insofar as they
attempt to perform this correlation without the user's explicit consent.

     </p></li><li class="listitem"><span class="command"><strong>Fingerprinting/anonymity set reduction</strong></span><p>

Fingerprinting (more generally: "anonymity set reduction") is used to attempt
to zero in on a particular individual without the use of tracking identifiers.
If the dissident or whistleblower is using a rare build of Firefox for an
obscure operating system, this can be very useful information for tracking
them down, or at least <a class="link" href="#fingerprinting">tracking their
activities</a>.

     </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
information</strong></span><p>
In some cases, the adversary may opt for a heavy-handed approach, such as
seizing the computers of all Tor users in an area (especially after narrowing
the field by the above two pieces of information). History records and cache
data are the primary goals here.
     </p></li></ol></div></div><div class="sect2" title="3.2. Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h3 class="title"><a id="adversarypositioning"/>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>
The adversary can position themselves at a number of different locations in
order to execute their attacks.
    </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
The adversary can run exit nodes, or alternatively, they may control routers
upstream of exit nodes. Both of these scenarios have been observed in the
wild.
     </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
The adversary can also run websites, or more likely, they can contract out
ad space from a number of different ad servers and inject content that way. For
some users, the adversary may be the ad servers themselves. It is not
inconceivable that ad servers may try to subvert or reduce a user's anonymity
through Tor for marketing purposes.
     </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
The adversary can also inject malicious content at the user's upstream router
when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
activity.
     </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
Some users face adversaries with intermittent or constant physical access.
Users in Internet cafes, for example, face such a threat. In addition, in
countries where simply using tools like Tor is illegal, users may face
confiscation of their computer equipment for excessive Tor usage or just
general suspicion.
     </p></li></ol></div></div><div class="sect2" title="3.3. Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"/>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>

The adversary can perform the following attacks from a number of different
positions to accomplish various aspects of their goals. It should be noted
that many of these attacks (especially those involving IP address leakage) are
often performed by accident by websites that simply have Javascript, dynamic
CSS elements, and plugins. Others are performed by ad servers seeking to
correlate users' activity across different IP addresses, and still others are
performed by malicious agents on the Tor network and at national firewalls.

    </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>

The browser contains multiple facilities for storing identifiers that the
adversary creates for the purposes of tracking users. These identifiers are
most obviously cookies, but also include HTTP auth, DOM storage, cached
scripts and other elements with embedded identifiers, client certificates, and
even TLS Session IDs.

     </p><p>

An adversary in a position to perform MITM content alteration can inject
document content elements to both read and inject cookies for arbitrary
domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
<a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html">active
sidejacking</a>. In addition, the ad networks of course perform tracking
with cookies as well.

     </p><p>

These types of attacks are attempts at subverting our <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.

     </p></li><li class="listitem"><a id="fingerprinting"/><span class="command"><strong>Fingerprint users based on browser
attributes</strong></span><p>

There is an absurd amount of information available to websites via attributes
of the browser. This information can be used to reduce the anonymity set, or even
uniquely fingerprint individual users. Attacks of this nature are typically
aimed at tracking users across sites without their consent, in an attempt to
subvert our <a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability">Cross-Origin
Fingerprinting Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.

</p><p>

Fingerprinting is an intimidating
problem to attempt to tackle, especially without a metric to determine or at
least intuitively understand and estimate which features will most contribute
to linkability between visits.

</p><p>

The <a class="ulink" href="https://panopticlick.eff.org/about.php">Panopticlick study
done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29">Shannon
entropy</a> - the number of identifying bits of information encoded in
browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data">result data</a> is
definitely useful, and the metric is probably the appropriate one for
determining how identifying a particular browser property is. However, some
quirks of their study mean that they do not extract as much information as
they could from display information: they only use desktop resolution and do
not attempt to infer the size of toolbars. In the other direction, they may be
over-counting in some areas, as they did not compute joint entropy over
multiple attributes that may exhibit a high degree of correlation. Also, new
browser features are added regularly, so the data should not be taken as
final.
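</p><p>
The entropy metric and the over-counting caveat just described, worked through
as an added example (not part of the design document and not Panopticlick's
data or code). The eight-visitor population is constructed; its two attributes
are deliberately correlated, as operating system and screen size tend to be,
so that the sum of the per-attribute entropies visibly overstates the joint
entropy of the full fingerprint.
</p>

```python
"""Shannon-entropy fingerprinting metric over a constructed population.

Added example; the visitor rows are invented, not Panopticlick result data.
"""
import math
from collections import Counter

# Constructed population of 8 visitors: (user agent, screen resolution).
# OS and screen size are correlated on purpose, so H(ua) + H(screen) will
# exceed H(ua, screen): the over-counting the text warns about.
POPULATION = [
    ("Firefox/17 Linux",   "1920x1080"),
    ("Firefox/17 Linux",   "1920x1080"),
    ("Firefox/17 Linux",   "1920x1080"),
    ("Firefox/17 Linux",   "1920x1080"),
    ("Firefox/17 Windows", "1366x768"),
    ("Firefox/17 Windows", "1366x768"),
    ("Chrome/24 Windows",  "1366x768"),
    ("Safari/6 OS X",      "1440x900"),
]


def entropy_bits(values):
    """Shannon entropy H = -sum p(v) log2 p(v) of one observed attribute.

    `values` may be scalars (one column) or tuples (a full fingerprint)."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def surprisal_bits(value, values):
    """Identifying bits carried by a single observed value: -log2 p(value)."""
    p = Counter(values)[value] / len(values)
    return -math.log2(p)


def marginal_entropies(population):
    """Entropy of each attribute column on its own (the per-property view)."""
    return [entropy_bits(col) for col in zip(*population)]


def joint_entropy_bits(population):
    """Entropy of the whole attribute tuple; never exceeds the marginal sum."""
    return entropy_bits(population)


def overcount_bits(population):
    """Bits by which summing per-attribute entropies overstates the truth,
    i.e. the mutual information shared by the attributes."""
    return sum(marginal_entropies(population)) - joint_entropy_bits(population)


def anonymity_set_size(fingerprint, population):
    """Number of visitors sharing this exact fingerprint tuple."""
    return Counter(population)[fingerprint]


if __name__ == "__main__":
    for name, h in zip(("user agent", "screen"), marginal_entropies(POPULATION)):
        print(f"H({name}) = {h:.3f} bits")
    print(f"H(joint)   = {joint_entropy_bits(POPULATION):.3f} bits")
    print(f"overcount  = {overcount_bits(POPULATION):.3f} bits")
    for fp in sorted(set(POPULATION)):
        print(f"{fp}: {surprisal_bits(fp, POPULATION):.2f} bits, "
              f"anonymity set of {anonymity_set_size(fp, POPULATION)}")
```

<p>
In this population the user agent alone carries 1.75 bits and the screen
resolution about 1.41 bits, but the joint fingerprint still carries only 1.75
bits: once the user agent is known, the screen size adds nothing. Summing the
two columns would claim about 3.16 bits. The surprisal of a value, rather than
the entropy of the column, is what answers "how identifying is this visitor's
browser": the lone Safari user sits in an anonymity set of one and carries
3 bits, the four Firefox-on-Linux users 1 bit each.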
projects/torbrowser/design/index.html.en     372) 
projects/torbrowser/design/index.html.en     373)       </p><p>
projects/torbrowser/design/index.html.en     374) 
projects/torbrowser/design/index.html.en     375) Despite the uncertainty, all fingerprinting attacks leverage the following
projects/torbrowser/design/index.html.en     376) attack vectors:
projects/torbrowser/design/index.html.en     377) 
projects/torbrowser/design/index.html.en     378)      </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
projects/torbrowser/design/index.html.en     379) 
projects/torbrowser/design/index.html.en     380) Properties of the user's request behavior comprise the bulk of low-hanging
projects/torbrowser/design/index.html.en     381) fingerprinting targets. These include: User agent, Accept-* headers, pipeline
projects/torbrowser/design/index.html.en     382) usage, and request ordering. Additionally, the use of custom filters such as
projects/torbrowser/design/index.html.en     383) AdBlock and other privacy filters can be used to fingerprint request patterns
projects/torbrowser/design/index.html.en     384) (as an extreme example).
projects/torbrowser/design/index.html.en     385) 
projects/torbrowser/design/index.html.en     386)      </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
projects/torbrowser/design/index.html.en     387) 
projects/torbrowser/design/index.html.en     388) Javascript can reveal a lot of fingerprinting information. It provides DOM
projects/torbrowser/design/index.html.en     389) objects such as window.screen and window.navigator to extract information
projects/torbrowser/design/index.html.en     390) about the useragent. 
projects/torbrowser/design/index.html.en     391) 
projects/torbrowser/design/index.html.en     392) Also, Javascript can be used to query the user's timezone via the
projects/torbrowser/design/index.html.en     393) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13">WebGL</a> can
projects/torbrowser/design/index.html.en     394) reveal information about the video card in use, and high precision timing
projects/torbrowser/design/index.html.en     395) information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf">fingerprint the CPU and
projects/torbrowser/design/index.html.en     396) interpreter speed</a>. In the future, new JavaScript features such as
projects/torbrowser/design/index.html.en     397) <a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/">Resource
projects/torbrowser/design/index.html.en     398) Timing</a> may leak an unknown amount of network timing related
projects/torbrowser/design/index.html.en     399) information.
projects/torbrowser/design/index.html.en     400) 
projects/torbrowser/design/index.html.en     401) 
projects/torbrowser/design/index.html.en     402) 
projects/torbrowser/design/index.html.en     403)      </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
projects/torbrowser/design/index.html.en     404) 
projects/torbrowser/design/index.html.en     405) The Panopticlick project found that the mere list of installed plugins (in
projects/torbrowser/design/index.html.en     406) navigator.plugins) was sufficient to provide a large degree of
projects/torbrowser/design/index.html.en     407) fingerprintability. Additionally, plugins are capable of extracting font lists,
projects/torbrowser/design/index.html.en     408) interface addresses, and other machine information that is beyond what the
projects/torbrowser/design/index.html.en     409) browser would normally provide to content. In addition, plugins can be used to
projects/torbrowser/design/index.html.en     410) store unique identifiers that are more difficult to clear than standard
projects/torbrowser/design/index.html.en     411) cookies.  <a class="ulink" href="http://epic.org/privacy/cookies/flash.html">Flash-based
projects/torbrowser/design/index.html.en     412) cookies</a> fall into this category, but there are likely numerous other
projects/torbrowser/design/index.html.en     413) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
projects/torbrowser/design/index.html.en     414) settings of the browser. 
projects/torbrowser/design/index.html.en     415) 
projects/torbrowser/design/index.html.en     416) 
projects/torbrowser/design/index.html.en     417)      </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
projects/torbrowser/design/index.html.en     418) 
projects/torbrowser/design/index.html.en     419) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries">CSS media
projects/torbrowser/design/index.html.en     420) queries</a> can be inserted to gather information about the desktop size,
projects/torbrowser/design/index.html.en     421) widget size, display type, DPI, user agent type, and other information that
projects/torbrowser/design/index.html.en     422) was formerly available only to Javascript.
projects/torbrowser/design/index.html.en     423) 
projects/torbrowser/design/index.html.en     424)      </p></li></ol></div></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
projects/torbrowser/design/index.html.en     425) OS</strong></span><p>
projects/torbrowser/design/index.html.en     426) 
projects/torbrowser/design/index.html.en     427) Last, but definitely not least, the adversary can exploit either general
projects/torbrowser/design/index.html.en     428) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
projects/torbrowser/design/index.html.en     429) install malware and surveillance software. An adversary with physical access
projects/torbrowser/design/index.html.en     430) can perform similar actions. Regrettably, this last attack capability is
projects/torbrowser/design/index.html.en     431) outside of the browser's ability to defend against, but it is worth mentioning
projects/torbrowser/design/index.html.en     432) for completeness. In fact, <a class="ulink" href="http://tails.boum.org/contribute/design/">The Tails system</a> can
projects/torbrowser/design/index.html.en     433) provide some defense against this adversary, and it does include the Tor
projects/torbrowser/design/index.html.en     434) Browser.
projects/torbrowser/design/index.html.en     435) 
projects/torbrowser/design/index.html.en     436)      </p></li></ol></div></div></div><div class="sect1" title="4. Implementation"><div class="titlepage"><div><div><h2 class="title"><a id="Implementation"/>4. Implementation</h2></div></div></div><p>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     437) 
projects/torbrowser/design/index.html.en     438) The Implementation section is divided into subsections, each of which
projects/torbrowser/design/index.html.en     439) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
projects/torbrowser/design/index.html.en     440) Each subsection is divided into specific web technologies or properties. The
projects/torbrowser/design/index.html.en     441) implementation is then described for that property.
projects/torbrowser/design/index.html.en     442) 
projects/torbrowser/design/index.html.en     443)   </p><p>
projects/torbrowser/design/index.html.en     444) 
projects/torbrowser/design/index.html.en     445) In some cases, the implementation meets the design requirements in a non-ideal
projects/torbrowser/design/index.html.en     446) way (for example, by disabling features). In rare cases, there may be no
projects/torbrowser/design/index.html.en     447) implementation at all. Both of these cases are denoted by differentiating
projects/torbrowser/design/index.html.en     448) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     449) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report">Tor bug tracker</a>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     450) are typically linked for these cases.
projects/torbrowser/design/index.html.en     451) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     452)   </p><div class="sect2" title="4.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"/>4.1. Proxy Obedience</h3></div></div></div><p>

Proxy obedience is assured through the following:
   </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem">Firefox proxy settings, patches, and build flags
 <p>
Our <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/build-scripts/config/pound_tor.js">Firefox
preferences file</a> sets the Firefox proxy settings to use Tor directly as a
SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
<span class="command"><strong>network.proxy.socks_version</strong></span>,
<span class="command"><strong>network.proxy.socks_port</strong></span>, and
<span class="command"><strong>network.dns.disablePrefetch</strong></span>.
 </p><p>

We also patch Firefox in order to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0016-Prevent-WebSocket-DNS-leak.patch">prevent
a DNS leak due to a WebSocket rate-limiting check</a>. As stated in the
patch, we believe the direct DNS resolution performed by this check is in
violation of the W3C standard, but <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=751465">this DNS proxy leak
remains present in stock Firefox releases</a>.

 </p><p>

During the transition to Firefox 17-ESR, a code audit was undertaken to verify
that there were no system calls or XPCOM activity in the source tree that did
not use the browser proxy settings. The only violation we found was that
WebRTC was capable of creating UDP sockets and was compiled in by default. We
subsequently disabled it using the Firefox build option
<span class="command"><strong>--disable-webrtc</strong></span>.

 </p><p>

We have verified that these settings and patches properly proxy HTTPS, OCSP,
HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing queries, all JavaScript
activity (including HTML5 audio and video objects), addon updates, wifi
geolocation queries, searchbox queries, XPCOM addon HTTPS/HTTP activity,
WebSockets, and live bookmark updates. We have also verified that IPv6
connections are not attempted, through the proxy or otherwise (Tor does not
yet support IPv6), and that external protocol helpers, such as smb URLs and
other custom protocol handlers, are all blocked.

 </p><p>

Numerous other third parties have also reviewed and tested the proxy settings
and have provided test cases based on their work. See in particular <a class="ulink" href="http://decloak.net/">decloak.net</a>.

 </p></li><li class="listitem">Disabling plugins

 <p>Plugins have the ability to make arbitrary OS system calls and <a class="ulink" href="http://decloak.net/">bypass proxy settings</a>. This includes
the ability to make UDP sockets and send arbitrary data independent of the
browser proxy settings.
 </p><p>
Torbutton disables plugins by using the
<span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
as disabled. This block can be undone through both the Torbutton Security UI
and the Firefox Plugin Preferences.
 </p><p>
If the user does enable plugins in this way, plugin-handled objects are still
restricted from automatic load through Firefox's click-to-play preference
<span class="command"><strong>plugins.click_to_play</strong></span>.
 </p><p>
In addition, to reduce any unproxied activity by arbitrary plugins at load
time, and to reduce the fingerprintability of the installed plugin list, we
also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch">prevent the load of any plugins except
for Flash and Gnash</a>.

 </p></li><li class="listitem">External App Blocking
  <p>
External apps, if launched automatically, can be induced to load files that
perform network activity. In order to prevent this, Torbutton installs a
component to
<a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js">
provide the user with a popup</a> whenever the browser attempts to
launch a helper app.

Additionally, due to an issue with Ubuntu Unity, url-based drag and drop is
filtered by this component. Unity was pre-fetching URLs without using the
browser's proxy settings during a drag action, even if the drop was ultimately
canceled by the user. A similar issue was discovered on Mac OS.
  </p></li></ol></div></div><div class="sect2" title="4.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"/>4.2. State Separation</h3></div></div></div><p>
Tor Browser State is separated from existing browser state through use of a
custom Firefox profile. Furthermore, plugins are disabled, which prevents
Flash cookies from leaking from a pre-existing Flash directory.
   </p></div><div class="sect2" title="4.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"/>4.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5523344"/>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

The User Agent MUST (at user option) prevent all disk records of browser activity.
The user should be able to optionally enable URL history and other history
features if they so desire.

    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5524704"/>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

We achieve this goal through several mechanisms. First, we set the Firefox
Private Browsing preference
<span class="command"><strong>browser.privatebrowsing.autostart</strong></span>. In addition, four Firefox patches are needed to prevent disk writes, even if
Private Browsing Mode is enabled. We need to

<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch">prevent
the permissions manager from recording HTTPS STS state</a>,
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch">prevent
intermediate SSL certificates from being recorded</a>,
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0013-Make-Download-manager-memory-only.patch">prevent
download history from being recorded</a>, and
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch">prevent
the content preferences service from recording site zoom</a>.

For more details on these patches, <a class="link" href="#firefox-patches" title="4.8. Description of Firefox Patches">see the
Firefox Patches section</a>.

    </blockquote></div><div class="blockquote"><blockquote class="blockquote">

As an additional defense-in-depth measure, we set the following preferences:
<span class="command"><strong>browser.cache.disk.enable</strong></span>,
<span class="command"><strong>browser.cache.offline.enable</strong></span>,
<span class="command"><strong>dom.indexedDB.enabled</strong></span>,
<span class="command"><strong>network.cookie.lifetimePolicy</strong></span>,
<span class="command"><strong>signon.rememberSignons</strong></span>,
<span class="command"><strong>browser.formfill.enable</strong></span>,
<span class="command"><strong>browser.download.manager.retention</strong></span>, and
<span class="command"><strong>browser.sessionstore.privacy_level</strong></span>. Many of these
preferences are likely redundant with
<span class="command"><strong>browser.privatebrowsing.autostart</strong></span>, but we have not done the
auditing work to ensure that yet.
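A check that a profile actually carries the proxy-obedience preferences of section 4.1 and the disk-avoidance preferences listed above, as an added example that is not part of this document or of the Tor Browser build scripts. The preference names are the ones the document lists; the expected values, the extra network.proxy.type entry, and the sample prefs text are my assumptions.

```javascript
// Audit a Firefox prefs file (prefs.js / user.js syntax) for the proxy-obedience
// and disk-avoidance preferences named in sections 4.1 and 4.3. Added example,
// not code from the Tor Browser or Torbutton repositories. Expected values are
// assumptions chosen so that each pref does what the document says it is set for.

const PROXY_EXPECTATIONS = {
  "network.proxy.type": 1,                 // assumption: manual proxy configuration (not on the page)
  "network.proxy.socks_version": 5,        // SOCKS5, so hostnames can be handed to Tor unresolved
  "network.proxy.socks_port": 9150,        // assumption: SOCKS port of the bundled Tor
  "network.proxy.socks_remote_dns": true,  // resolve names through the proxy, never locally
  "network.dns.disablePrefetch": true,     // no speculative DNS lookups outside the proxy
};

const DISK_EXPECTATIONS = {
  "browser.privatebrowsing.autostart": true,
  "browser.cache.disk.enable": false,
  "browser.cache.offline.enable": false,
  "dom.indexedDB.enabled": false,
  "network.cookie.lifetimePolicy": 2,      // assumption: 2 = cookies expire with the session
  "signon.rememberSignons": false,
  "browser.formfill.enable": false,
  "browser.download.manager.retention": 1, // assumption: 1 = drop download history on exit
  "browser.sessionstore.privacy_level": 2, // assumption: 2 = never persist extra session data
};

// Matches `pref("name", value);` and `user_pref("name", value);` lines.
const PREF_LINE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;

// Parse a prefs file into a Map of name -> JS value. Lines that are not pref
// calls (comments, blanks) and values that are not JSON-style literals are skipped.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    try {
      prefs.set(m[1], JSON.parse(m[2]));   // true/false, numbers and "strings" all parse
    } catch (e) {
      // Unrecognised literal: leave it out rather than guess at its value.
    }
  }
  return prefs;
}

// Compare parsed prefs against expectations. Each finding names the pref, whether
// it was missing or wrong, and the expected and actual values.
function auditPrefs(text, expectations) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, expected] of Object.entries(expectations)) {
    if (!prefs.has(name)) {
      findings.push({ pref: name, problem: "missing", expected, actual: undefined });
    } else if (prefs.get(name) !== expected) {
      findings.push({ pref: name, problem: "wrong value", expected, actual: prefs.get(name) });
    }
  }
  return findings;
}

function auditAll(text) {
  return auditPrefs(text, { ...PROXY_EXPECTATIONS, ...DISK_EXPECTATIONS });
}

// Constructed sample profile that matches every expectation (not a real profile).
const GOOD_PREFS = `
// constructed prefs for the example
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.dns.disablePrefetch", true);
user_pref("browser.privatebrowsing.autostart", true);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.offline.enable", false);
user_pref("dom.indexedDB.enabled", false);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("signon.rememberSignons", false);
user_pref("browser.formfill.enable", false);
user_pref("browser.download.manager.retention", 1);
user_pref("browser.sessionstore.privacy_level", 2);
`;

// Constructed sample that resolves DNS locally and has lost its disk-cache setting.
const LEAKY_PREFS = GOOD_PREFS
  .replace('user_pref("network.proxy.socks_remote_dns", true);',
           'user_pref("network.proxy.socks_remote_dns", false);')
  .replace('user_pref("browser.cache.disk.enable", false);\n', "");

console.log(auditAll(LEAKY_PREFS));  // two findings: remote_dns wrong, cache.disk.enable missing
```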

    </blockquote></div><div class="blockquote"><blockquote class="blockquote">

Torbutton also <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/components/tbSessionStore.js">contains
code</a> to prevent the Firefox session store from writing to disk.
    </blockquote></div><div class="blockquote"><blockquote class="blockquote">

For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&amp;status=!closed">tbb-disk-leak tag in our bugtracker</a>.</blockquote></div></div></div><div class="sect2" title="4.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"/>4.4. Application Data Isolation</h3></div></div></div><p>

Tor Browser Bundle MUST NOT cause any information to be written outside of the
bundle directory. This is to ensure that the user is able to completely and
safely remove the bundle without leaving other traces of Tor usage on their
computer.

   </p><p>

To ensure TBB directory isolation, we set
<span class="command"><strong>browser.download.useDownloadDir</strong></span>,
<span class="command"><strong>browser.shell.checkDefaultBrowser</strong></span>, and
<span class="command"><strong>browser.download.manager.addToRecentDocs</strong></span>. We also set the
$HOME environment variable to be the TBB extraction directory.
   </p></div><div class="sect2" title="4.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"/>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>

The Tor Browser MUST prevent a user's activity on one site from being linked
to their activity on another site. When this goal cannot yet be met with an
existing web technology, that technology or functionality is disabled. Our
<a class="link" href="#privacy" title="2.2. Privacy Requirements">design goal</a> is to ultimately eliminate the need to disable arbitrary
technologies, and instead simply alter them in ways that allow them to
function in a backwards-compatible way while avoiding linkability. Users
should be able to use federated login of various kinds to explicitly inform
sites who they are, but that information should not transparently allow a
third party to record their activity from site to site without their prior
consent.

   </p><p>

The benefit of this approach comes not only in the form of reduced
linkability, but also in terms of simplified privacy UI. If all stored browser
state and permissions become associated with the url bar origin, the six or
seven different pieces of privacy UI governing these identifiers and
permissions can become just one piece of UI: for instance, a single window that
lists the url bar origins for which browser state exists, possibly with a
context-menu option to drill down into specific types of state or permissions.
An example of this simplification can be seen in Figure 1.

   </p><div class="figure"><a id="idp5548704"/><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" style="text-align: center"><img src="NewCookieManager.png" style="text-align: middle" alt="Improving the Privacy UI"/></div><div class="caption"><p/>

This example UI is a mock-up of how isolating identifiers to the URL bar
origin can simplify the privacy UI for all data, not just cookies. Once
browser identifiers and site permissions operate on a url bar basis, the same
privacy window can represent browsing history, DOM Storage, HTTP Auth, search
form history, login values, and so on within a context menu for each site.

</div></div></div><br class="figure-break"/><div class="orderedlist"><ol class="orderedlist"><li class="listitem">Cookies
     <p><span class="command"><strong>Design Goal:</strong></span>

All cookies MUST be double-keyed to the url bar origin and third-party
origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965">Mozilla bug</a>
that contains a prototype patch, but it lacks UI, and does not apply to modern
Firefoxes.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

As a stopgap to satisfy our design requirement of unlinkability, we currently
entirely disable 3rd party cookies by setting
<span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
third party content continue to function, but we believe the requirement for
unlinkability trumps that desire.

     </p></li><li class="listitem">Cache
     <p>

Cache is isolated to the url bar origin by using a technique pioneered by
Colin Jackson et al., via their work on <a class="ulink" href="http://www.safecache.com/">SafeCache</a>. The technique re-uses the
<a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel">nsICachingChannel.cacheKey</a>
attribute that Firefox uses internally to prevent improper caching and reuse
of HTTP POST data.

     </p><p>

However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666">increase the
security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754">solve conflicts
with OCSP relying on the cacheKey property for reuse of POST requests</a>, we
had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch">patch
Firefox to provide a cacheDomain cache attribute</a>. We use the fully
qualified url bar domain as input to this field.

     </p><p>

Furthermore, we chose a different
isolation scheme than the Stanford implementation. First, we decoupled the
cache isolation from the third party cookie attribute. Second, we use several
mechanisms to attempt to determine the actual location attribute of the
top-level window (to obtain the url bar FQDN) used to load the page, as
opposed to relying solely on the referer property.

     </p><p>

Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html">the original
Stanford test cases</a> are expected to fail. Functionality can still be
verified by navigating to <a class="ulink" href="about:cache">about:cache</a> and
viewing the key used for each cache entry. Each third party element should
have an additional "domain=string" property prepended, which will list the
FQDN that was used to source the third party element.

     </p><p>

Additionally, because the image cache is a separate entity from the content
cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0024-Isolate-the-Image-Cache-per-url-bar-domain.patch">isolate
this cache per url bar domain</a>.
projects/torbrowser/design/index.html.en     684) 
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en  685)      </p></li><li class="listitem">HTTP Auth
     <p>

HTTP authentication tokens are removed for third party elements: an
<a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers">http-on-modify-request
observer</a> strips the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html">silent
linkability between domains</a>.
     </p></li><li class="listitem">DOM Storage
     <p>

DOM storage for third party domains MUST be isolated to the url bar origin,
to prevent linkability between sites. This functionality is provided through a
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0026-Isolate-DOM-storage-to-first-party-URI.patch">patch
to Firefox</a>.

     </p></li><li class="listitem">Flash cookies
     <p><span class="command"><strong>Design Goal:</strong></span>

Users should be able to click-to-play flash objects from trusted sites. To
make this behavior unlinkable, we wish to include a settings file for all
platforms that disables flash cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html">Flash
settings manager</a>.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974">having
difficulties</a> causing Flash player to use this settings
file on Windows, so Flash remains difficult to enable.

     </p></li><li class="listitem">SSL+TLS session resumption, HTTP Keep-Alive and SPDY
     <p><span class="command"><strong>Design Goal:</strong></span>

TLS session resumption tickets and SSL Session IDs MUST be limited to the url
bar origin.  HTTP Keep-Alive connections from a third party in one url bar
origin MUST NOT be reused for that same third party in another url bar origin.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We currently clear SSL Session IDs upon <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
Identity</a>, and we disable TLS Session Tickets via the Firefox Pref
<span class="command"><strong>security.enable_tls_session_tickets</strong></span>. We disable SSL Session
IDs via a <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch">patch
to Firefox</a>. To compensate for the increased round trip latency from disabling
these performance optimizations, we also enable
<a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00">TLS
False Start</a> via the Firefox Pref
<span class="command"><strong>security.ssl.enable_false_start</strong></span>.
    </p><p>

Because of the extreme performance benefits of HTTP Keep-Alive for interactive
web apps, and because of the difficulties of conveying url bar origin
information down into the Firefox HTTP layer, as a compromise we currently
merely reduce the HTTP Keep-Alive timeout to 20 seconds (which is measured
from the last packet read on the connection) using the Firefox preference
<span class="command"><strong>network.http.keep-alive.timeout</strong></span>.

     </p><p>
However, because SPDY can store identifiers and has extremely long keepalive
duration, it is disabled through the Firefox preference
<span class="command"><strong>network.http.spdy.enabled</strong></span>.
     </p></li><li class="listitem">Automated cross-origin redirects MUST NOT store identifiers
    <p><span class="command"><strong>Design Goal:</strong></span>

To prevent attacks aimed at subverting the Cross-Origin Identifier
Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
MUST NOT store any identifiers (cookies, cache, DOM storage, HTTP auth, etc.)
for cross-origin redirect intermediaries that do not prompt for user input.
For example, if a user clicks on a bit.ly url that redirects to a
doubleclick.net url that finally redirects to a cnn.com url, only cookies from
cnn.com should be retained after the redirect chain completes.

    </p><p>

Non-automated redirect chains that require user input at some step (such as
federated login systems) SHOULD still allow identifiers to persist.

    </p><p><span class="command"><strong>Implementation status:</strong></span>

There are numerous ways for the user to be redirected, and the Firefox API
support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600">trac bug
open</a> to implement what we can.

    </p></li><li class="listitem">window.name
     <p>

<a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name">window.name</a> is
a magical DOM property that for some reason is allowed to retain a persistent value
for the lifespan of a browser tab. It is possible to utilize this property for
<a class="ulink" href="http://www.thomasfrank.se/sessionvars.html">identifier
storage</a>.

     </p><p>

In order to eliminate non-consensual linkability but still allow for sites
that utilize this property to function, we reset the window.name property of
tabs in Torbutton every time we encounter a blank referer. This behavior
allows window.name to persist for the duration of a click-driven navigation
session, but as soon as the user enters a new URL or navigates between
https/http schemes, the property is cleared.

     </p></li><li class="listitem">Auto form-fill
     <p>

We disable the password saving functionality in the browser as part of our
<a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
since users may decide to re-enable disk history records and password saving,
we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms">signon.autofillForms</a>
preference to false to prevent saved values from immediately populating
fields upon page load. Since JavaScript can read these values as soon as they
appear, setting this preference prevents automatic linkability from stored passwords.

     </p></li><li class="listitem">HSTS supercookies
      <p>

An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html">HSTS
supercookies</a>. Since HSTS effectively stores one bit of information per domain
name, an adversary in possession of numerous domains can use them to construct
cookies based on stored HSTS state.

      </p><p><span class="command"><strong>Design Goal:</strong></span>

There appear to be three options for us: 1. Disable HSTS entirely, and rely
instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
Restrict the number of HSTS-enabled third parties allowed per url bar origin.
3. Prevent third parties from storing HSTS rules. We have not yet decided upon
the best approach.

      </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
cleared by <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>, but we don't
defend against the creation of these cookies between <span class="command"><strong>New
Identity</strong></span> invocations.
      </p></li><li class="listitem">Exit node usage
     <p><span class="command"><strong>Design Goal:</strong></span>

Every distinct navigation session (as defined by a non-blank referer header)
MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node
observers from linking concurrent browsing activity.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455">Ticket
#3455</a> is the Torbutton ticket to make use of the new Tor
functionality.

     </p></li></ol></div><p>
For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&amp;status=!closed">tbb-linkability tag in our bugtracker</a>.
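The url bar isolation rules from the list above (cache keys prefixed with the url bar FQDN, Authorization headers stripped from third party requests, and identifiers discarded for automated cross-origin redirect intermediaries), modelled in plain JavaScript as an added example. This is not Torbutton or Firefox patch code: the exact `domain=` key layout, the hostname comparison used to decide what is third party, and the hop objects of the redirect chain are assumptions made for illustration.

```javascript
// Added example, not Tor Browser code. Models three rules from the design
// doc's identifier unlinkability list. Assumptions: a resource is third party
// when its hostname differs from the url bar FQDN, the isolated cache key is
// "domain=<url bar FQDN>:<resource URL>", and a redirect hop is an object
// { url, setCookies, userInput } constructed here for illustration.

// FQDN of the url bar (top-level) document: the first party for every load.
function urlBarFqdn(topLevelUrl) {
  return new URL(topLevelUrl).hostname.toLowerCase();
}

// A request is third party when its host is not the url bar FQDN.
function isThirdParty(topLevelUrl, requestUrl) {
  return new URL(requestUrl).hostname.toLowerCase() !== urlBarFqdn(topLevelUrl);
}

// Cache key as seen in about:cache: third party entries get an extra
// "domain=<url bar FQDN>" property prepended, so the same resource loaded
// under two different first parties never shares a cache entry.
function cacheKey(topLevelUrl, resourceUrl) {
  if (!isThirdParty(topLevelUrl, resourceUrl)) return resourceUrl;
  return `domain=${urlBarFqdn(topLevelUrl)}:${resourceUrl}`;
}

// What the http-on-modify-request observer does: drop Authorization on third
// party requests so one server cannot link visits to two first parties.
function filterRequestHeaders(topLevelUrl, requestUrl, headers) {
  const thirdParty = isThirdParty(topLevelUrl, requestUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (thirdParty && name.toLowerCase() === 'authorization') continue;
    out[name] = value;
  }
  return out;
}

// Redirect chain policy: identifiers set by an intermediary hop that did not
// prompt for user input are discarded; the final destination keeps its
// identifiers, as does any hop that required user input (federated login).
function retainedCookies(chain) {
  const kept = [];
  chain.forEach((hop, i) => {
    const isFinal = i === chain.length - 1;
    if (!isFinal && !hop.userInput) return; // automated intermediary: drop
    for (const cookie of hop.setCookies) {
      kept.push({ host: new URL(hop.url).hostname, cookie });
    }
  });
  return kept;
}

// Constructed sample chain mirroring the doc's bit.ly -> doubleclick.net ->
// cnn.com example (no captured traffic; cookie values are made up).
const SAMPLE_CHAIN = [
  { url: 'https://bit.ly/abc', setCookies: ['bl=1'], userInput: false },
  { url: 'https://doubleclick.net/r', setCookies: ['id=tracker'], userInput: false },
  { url: 'https://cnn.com/story', setCookies: ['session=x'], userInput: false },
];

console.log(cacheKey('https://example.com/', 'https://cdn.example.net/lib.js'));
console.log(cacheKey('https://example.org/', 'https://cdn.example.net/lib.js'));
console.log(filterRequestHeaders('https://example.com/', 'https://api.example.net/v1',
  { Authorization: 'Basic Zm9v', Accept: '*/*' }));
console.log(retainedCookies(SAMPLE_CHAIN)); // only the cnn.com cookie survives
```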
  </p></div><div class="sect2" title="4.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"/>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>

In order to properly address the fingerprinting adversary on a technical
level, we need a metric to measure linkability of the various browser
properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php">The Panopticlick Project</a>
by the EFF provides us with a prototype of such a metric. The researchers
conducted a survey of volunteers who were asked to visit an experiment page
that harvested many of the above components. They then computed the Shannon
Entropy of the resulting distribution of each of several key attributes to
determine how many bits of identifying information each attribute provided.

   </p><p>

Many browser features have been added since the EFF first ran their experiment
and collected their data. To avoid an infinite sinkhole, we reduce the efforts
for fingerprinting resistance by only concerning ourselves with reducing the
fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. We
do not believe it is possible to solve cross-browser fingerprinting issues.

   </p><p>

Unfortunately, the unsolvable nature of the cross-browser fingerprinting
problem means that the Panopticlick test website itself is not useful for
evaluating the actual effectiveness of our defenses, or the fingerprinting
defenses of any other web browser. Because the Panopticlick dataset is based
on browser data spanning a number of widely deployed browsers over a number of
years, any fingerprinting defenses attempted by browsers today are very likely
to cause Panopticlick to report an <span class="emphasis"><em>increase</em></span> in
fingerprintability and entropy, because those defenses will stand out in sharp
contrast to historical data. We have been <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/6119">working to convince
the EFF</a> that it is worthwhile to release the source code to
Panopticlick to allow us to run our own version for this reason.

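The Panopticlick-style metric described above, the Shannon entropy in bits of each attribute's value distribution, and the effect the last paragraph describes (a defense that makes Tor Browser users uniform scores as highly identifying against historical mixed-browser data but carries zero bits among Tor Browser users), as an added example in JavaScript. This is not EFF or Tor Project code; the survey rows and the defended values are constructed for illustration.

```javascript
// Added example, not EFF or Tor Project code. Computes the Panopticlick-style
// metric (Shannon entropy per attribute, in bits) over a constructed survey
// and contrasts a defended attribute measured against historical data with
// the same attribute measured among Tor Browser users only.

// Shannon entropy H = -sum_v p(v) * log2 p(v) over the observed values.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Surprisal of one observed value against a population: -log2 p(observed),
// i.e. how many bits that value reveals about a user within that population.
function surprisalBits(population, observed) {
  const matches = population.filter((v) => v === observed).length;
  return -Math.log2(matches / population.length);
}

// Bits per attribute, plus the joint fingerprint of all attributes together.
function attributeEntropies(rows, attributes) {
  const out = {};
  for (const a of attributes) out[a] = entropyBits(rows.map((r) => r[a]));
  out.combined = entropyBits(rows.map((r) => attributes.map((a) => r[a]).join('|')));
  return out;
}

// Constructed "historical" survey: 8 volunteers on assorted browsers.
const HISTORICAL = [
  { ua: 'FF17/Win', plugins: 'flash,java', fonts: 'A', tz: '-5' },
  { ua: 'FF17/Win', plugins: 'flash', fonts: 'B', tz: '-5' },
  { ua: 'Chrome/Win', plugins: 'flash,pdf', fonts: 'C', tz: '0' },
  { ua: 'Chrome/Win', plugins: 'flash', fonts: 'D', tz: '0' },
  { ua: 'Safari/Mac', plugins: 'quicktime', fonts: 'E', tz: '+1' },
  { ua: 'Safari/Mac', plugins: 'flash', fonts: 'F', tz: '+1' },
  { ua: 'FF17/Linux', plugins: 'none', fonts: 'G', tz: '+9' },
  { ua: 'FF17/Linux', plugins: 'none', fonts: 'H', tz: '+9' },
];
const ATTRS = ['ua', 'plugins', 'fonts', 'tz'];

// Constructed value that a defense makes every Tor Browser user report.
const TOR_BROWSER_VALUE = { ua: 'FF17/Win', plugins: 'none', fonts: 'TB-bundle', tz: '0' };

// (a) one Tor Browser user measured against the historical population, as a
// Panopticlick-style site would do; (b) the same attribute measured among
// torUserCount Tor Browser users, who all share the defended value.
function defenseComparison(attribute, torUserCount) {
  const defended = TOR_BROWSER_VALUE[attribute];
  const mixed = HISTORICAL.map((r) => r[attribute]).concat([defended]);
  const torOnly = Array.from({ length: torUserCount }, () => defended);
  return {
    vsHistorical: surprisalBits(mixed, defended), // looks unique: log2(9) bits
    amongTorUsers: entropyBits(torOnly),          // uniform population: 0 bits
  };
}

console.log(attributeEntropies(HISTORICAL, ATTRS));
console.log(defenseComparison('fonts', 1000));
```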
   </p><div class="sect3" title="Fingerprinting defenses in the Tor Browser"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"/>Fingerprinting defenses in the Tor Browser</h4></div></div></div><div class="orderedlist"><ol class="orderedlist"><li class="listitem">Plugins
     <p>

Plugins add to fingerprinting risk via two main vectors: their mere presence in
window.navigator.plugins, as well as their internal functionality.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

All plugins that have not been specifically audited or sandboxed MUST be
disabled. To reduce linkability potential, even sandboxed plugins should not
be allowed to load objects until the user has clicked through a click-to-play
barrier.  Additionally, version information should be reduced or obfuscated
until the plugin object is loaded. For Flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974">provide a
settings.sol file</a> to disable Flash cookies, and to restrict P2P
features that are likely to bypass proxy settings.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

Currently, we entirely disable all plugins in Tor Browser. However, as a
compromise due to the popularity of Flash, we allow users to re-enable Flash,
and Flash objects are blocked behind a click-to-play barrier that is available
only after the user has specifically enabled plugins. Flash is the only plugin
available; the rest are <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch">entirely
blocked from loading by a Firefox patch</a>. We also set the Firefox
preference <span class="command"><strong>plugin.expose_full_path</strong></span> to false, to avoid
leaking plugin installation information.

     </p></li><li class="listitem">HTML5 Canvas Image Extraction
     <p>

The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas">HTML5
Canvas</a> is a feature that has been added to major browsers after the
EFF developed their Panopticlick study. After plugins and plugin-provided
information, we believe that the HTML5 Canvas is the single largest
fingerprinting threat browsers face today. <a class="ulink" href="http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf">Initial
studies</a> show that the Canvas can provide an easy-access fingerprinting
target: the adversary simply renders WebGL, font, and named color data to a
Canvas element, extracts the image buffer, and computes a hash of that image
data. Subtle differences in the video card, font packs, and even font and
graphics library versions allow the adversary to produce a stable, simple,
high-entropy fingerprint of a computer. In fact, the hash of the rendered
image can be used almost identically to a tracking cookie by the web server.

     </p><p>

To reduce the threat from this vector, we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0020-Add-canvas-image-extraction-prompt.patch">prompt
before returning valid image data</a> to the Canvas APIs. If the user
hasn't previously allowed the site in the URL bar to access Canvas image data,
pure white image data is returned to the JavaScript APIs.

     </p></li><li class="listitem">WebGL
     <p>

WebGL is fingerprintable both through information that is exposed about the
underlying driver and optimizations, as well as through performance
fingerprinting.

     </p><p>

Because of the large amount of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/">previously unexposed
vulnerability surface</a>, we deploy a similar strategy against WebGL as
for plugins. First, WebGL Canvases have click-to-play placeholders (provided
by NoScript), and do not run until authorized by the user. Second, we
obfuscate driver information by setting the Firefox preferences
<span class="command"><strong>webgl.disable-extensions</strong></span> and
<span class="command"><strong>webgl.min_capability_mode</strong></span>, which reduce the information
provided by the following WebGL API calls: <span class="command"><strong>getParameter()</strong></span>,
<span class="command"><strong>getSupportedExtensions()</strong></span>, and
projects/torbrowser/design/index.html.en     933) <span class="command"><strong>getExtension()</strong></span>.

     </p></li><li class="listitem">Fonts
     <p>

According to the Panopticlick study, fonts provide the most linkability when
they are provided as an enumerable list in filesystem order, via either the
Flash or Java plugins. However, it is still possible to use CSS and/or
Javascript to query for the existence of specific fonts. With a large enough
pre-built list to query, a large amount of fingerprintable information may
still be available.

     </p><p>

The sure-fire way to address font linkability is to ship the browser with a
font for every language, typeface, and style in use in the world, and to only
use those fonts to the exclusion of system fonts. However, this set may be
impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts">common
subset</a> may be found that provides total coverage. However, we believe
that with strong URL bar origin identifier isolation, a simpler approach can reduce the
number of bits available to the adversary while avoiding the rendering and
language issues of supporting a global font set.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We disable plugins, which prevents font enumeration. Additionally, we limit
both the number of font queries from CSS and the total number of
fonts that can be used in a document <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0011-Limit-the-number-of-fonts-per-document.patch">with
a Firefox patch</a>. We create two prefs,
<span class="command"><strong>browser.display.max_font_attempts</strong></span> and
<span class="command"><strong>browser.display.max_font_count</strong></span>, for this purpose. Once these
limits are reached, the browser behaves as if
<span class="command"><strong>browser.display.use_document_fonts</strong></span> had been disabled. We are
still working to determine optimal values for these prefs.

     </p><p>

To improve rendering, we exempt remote <a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/@font-face">@font-face
fonts</a> from these counts, and if a font-family CSS rule lists a remote
font (in any order), we use that font instead of any of the named local fonts.
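As an added illustration (not code from Tor Browser or its Firefox patch), the following model applies the two prefs above to a sequence of font-family rules, exempting remote @font-face fonts, and counts how many single-font probes a page can still get an informative answer from; the pref values, font names and the exact attempt/count semantics are assumptions for the example.

```javascript
"use strict";

// Added example, not code from Tor Browser or its Firefox patch: a model of the
// per-document font limits described in the text. Assumptions: "installed" is
// the set of local font names the system can satisfy, "remoteFaces" the set of
// families the document loaded via @font-face, and each local lookup made while
// resolving a font-family list counts as one "font attempt".
class FontLimiter {
  constructor(prefs, installed, remoteFaces, defaultFont = "DefaultSans") {
    this.maxAttempts = prefs["browser.display.max_font_attempts"];
    this.maxCount = prefs["browser.display.max_font_count"];
    this.installed = installed;
    this.remote = remoteFaces;
    this.defaultFont = defaultFont;
    this.attempts = 0;      // local font lookups this document has made so far
    this.used = new Set();  // distinct local fonts this document has selected
  }

  // Once either limit is hit the document is treated as if
  // browser.display.use_document_fonts had been disabled.
  limitsReached() {
    return this.attempts >= this.maxAttempts || this.used.size >= this.maxCount;
  }

  // families: the font-family list of one CSS rule, in declaration order.
  // Returns the font that would be used and why.
  resolve(families) {
    // Remote @font-face fonts are exempt from both counts and win over any
    // local font named in the same rule, whatever their position in the list.
    const remote = families.find((f) => this.remote.has(f));
    if (remote !== undefined) return { font: remote, source: "remote" };

    for (const name of families) {
      // A font this document already uses costs nothing further.
      if (this.used.has(name)) return { font: name, source: "local" };
      if (this.limitsReached()) break;
      this.attempts += 1;
      if (this.installed.has(name)) {
        this.used.add(name);
        return { font: name, source: "local" };
      }
    }
    return { font: this.defaultFont, source: "default" };
  }
}

// What a probing page can learn: each name in probeList is queried on its own
// (the CSS/JS existence check the text mentions). A probe is informative only
// when the answer differs from the default font; once the limits are reached
// every further probe gets the same answer.
function countInformativeProbes(limiter, probeList) {
  let informative = 0;
  for (const name of probeList) {
    if (limiter.resolve([name]).source !== "default") informative += 1;
  }
  return informative;
}

// Constructed sample data (pref values are illustrative, not Tor Browser's).
const PREFS = {
  "browser.display.max_font_attempts": 5,
  "browser.display.max_font_count": 3,
};
const INSTALLED = new Set(["Arial", "Verdana", "Georgia", "Courier New", "Impact"]);
const REMOTE = new Set(["WebFontA"]);

function demo() {
  const fl = new FontLimiter(PREFS, INSTALLED, REMOTE);
  const r1 = fl.resolve(["Helvetica", "Arial"]);   // Helvetica missing, Arial used: 2 attempts
  const r2 = fl.resolve(["Georgia", "WebFontA"]);  // remote font wins, counters untouched
  const probes = ["Impact", "Comic Sans", "Verdana", "Georgia", "Courier New", "Tahoma"];
  const informative = countInformativeProbes(fl, probes);
  return { r1, r2, informative, attempts: fl.attempts, used: [...fl.used] };
}

console.log(JSON.stringify(demo()));
```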

     </p></li><li class="listitem">Desktop resolution, CSS Media Queries, and System Colors
     <p>

Both CSS and Javascript have access to a lot of information about the screen
resolution, usable desktop size, OS widget size, toolbar size, title bar size,
system theme colors, and other desktop features that are not at all relevant
to rendering and serve only to provide information for fingerprinting.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

Our design goal here is to reduce the resolution information down to the bare
minimum required for properly rendering inside a content window. We intend to
report all rendering information correctly with respect to the size and
properties of the content window, but report an effective size of 0 for all
border material, and also report that the desktop is only as big as the
inner content window. Additionally, new browser windows are sized such that
their content windows are one of a few fixed sizes based on the user's
desktop resolution.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We have implemented the above strategy using a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l2004">resize
new windows based on desktop resolution</a>. Additionally, we patch
Firefox to use the client content window size <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0022-Do-not-expose-physical-screen-info.-via-window-and-w.patch">for
window.screen</a> and <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0010-Limit-device-and-system-specific-CSS-Media-Queries.patch">for
CSS Media Queries</a>. Similarly, we <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0021-Return-client-window-coordinates-for-mouse-event-scr.patch">patch
DOM events to return content window relative points</a>. We also patch
Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0023-Do-not-expose-system-colors-to-CSS-or-canvas.patch">report
a fixed set of system colors to content window CSS</a>.
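The following added model (not Torbutton's or the Firefox patches' code) shows the effect of the strategy above: two users with different desktops and window placements become indistinguishable through window.screen, media-query sizes and mouse event coordinates; the size buckets and the sample users are assumptions for the example.

```javascript
"use strict";

// Added example, not Torbutton's or the Firefox patches' code: a model of the
// desktop-resolution policy described above. Assumptions: the size buckets
// (multiples of 200 x 100 px, capped at 1000 x 800) are illustrative, not the
// values Torbutton uses; "real" holds what the operating system actually knows.

// New windows: pick a content-window size from the desktop resolution as the
// largest bucket multiple that fits, so many users share each size.
function pickContentSize(desktopW, desktopH,
                         bucketW = 200, bucketH = 100, maxW = 1000, maxH = 800) {
  const w = Math.min(Math.floor(desktopW / bucketW) * bucketW, maxW);
  const h = Math.min(Math.floor(desktopH / bucketH) * bucketH, maxH);
  return { width: Math.max(w, bucketW), height: Math.max(h, bucketH) };
}

// What content script sees through window.screen and CSS media queries: the
// desktop is reported as exactly the inner content window and all border
// material (toolbars, title bar, window position) has an effective size of 0.
function spoofedScreen(content) {
  return {
    width: content.width, height: content.height,
    availWidth: content.width, availHeight: content.height,
    availLeft: 0, availTop: 0,
    outerWidth: content.width, outerHeight: content.height,
    screenX: 0, screenY: 0,
  };
}

// Mouse events: screenX/screenY are answered with content-window coordinates,
// so the window's placement on the desktop does not leak through event data.
function spoofedMouseEvent(clientX, clientY) {
  return { clientX, clientY, screenX: clientX, screenY: clientY };
}

// Everything about the desktop that a page could observe after the patches.
// real = { desktopW, desktopH, windowX, windowY, chromeW, chromeH }.
function pageVisibleState(real) {
  const content = pickContentSize(real.desktopW, real.desktopH);
  return { content, screen: spoofedScreen(content), click: spoofedMouseEvent(10, 20) };
}

// For comparison: the same observations from an unpatched browser, where the
// physical desktop, the window chrome and the window position all show through.
function unpatchedState(real) {
  const content = pickContentSize(real.desktopW, real.desktopH);
  return {
    content,
    screen: {
      width: real.desktopW, height: real.desktopH,
      availWidth: real.desktopW, availHeight: real.desktopH,
      availLeft: 0, availTop: 0,
      outerWidth: content.width + real.chromeW, outerHeight: content.height + real.chromeH,
      screenX: real.windowX, screenY: real.windowY,
    },
    click: { clientX: 10, clientY: 20,
             screenX: real.windowX + 10, screenY: real.windowY + real.chromeH + 20 },
  };
}

// Constructed sample users with different desktops and window placements.
const USER_A = { desktopW: 1366, desktopH: 768, windowX: 57, windowY: 12, chromeW: 16, chromeH: 90 };
const USER_B = { desktopW: 1280, desktopH: 720, windowX: 0, windowY: 0, chromeW: 8, chromeH: 72 };

// True when two users are indistinguishable to a page by these vectors.
function indistinguishable(stateFn, u1, u2) {
  return JSON.stringify(stateFn(u1)) === JSON.stringify(stateFn(u2));
}

console.log(indistinguishable(pageVisibleState, USER_A, USER_B),
            indistinguishable(unpatchedState, USER_A, USER_B));
```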

     </p></li><li class="listitem">User Agent and HTTP Headers
     <p><span class="command"><strong>Design Goal:</strong></span>

All Tor Browser users MUST provide websites with an identical user agent and
HTTP header set for a given request type. We omit the Firefox minor revision,
and report a popular Windows platform. If the software is kept up to date,
these headers should remain identical across the population even when updated.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

Firefox provides several options for controlling the browser user agent string
which we leverage. We also set similar prefs for controlling the
Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch">remove
content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html">can be
used</a> to fingerprint OS, platform, and Firefox minor version. </p></li><li class="listitem">Timezone and clock offset
     <p><span class="command"><strong>Design Goal:</strong></span>

All Tor Browser users MUST report the same timezone to websites. Currently, we
choose UTC for this purpose, although an equally valid argument could be made
for EDT/EST due to the large English-speaking population density (coupled with
the fact that we spoof a US English user agent). Additionally, the Tor
software should detect if the user's clock is significantly divergent from the
clocks of the relays that it connects to, and use this to reset the clock
values used in Tor Browser to something reasonably accurate.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

We set the timezone using the TZ environment variable, which is supported on
all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652">obtain a clock
offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in
use.

     </p></li><li class="listitem">Javascript performance fingerprinting
     <p>

<a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf">Javascript performance
fingerprinting</a> is the act of profiling the performance
of various Javascript functions for the purpose of fingerprinting the
Javascript engine and the CPU.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059">several potential
mitigation approaches</a> to reduce the accuracy of performance
fingerprinting without risking too much damage to functionality. Our current
favorite is to reduce the resolution of the Event.timeStamp and the Javascript
Date() object, while also introducing jitter. Our goal is to increase the
amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf">Mowery et al.</a> found that
even with the default precision in most browsers, they required up to 120
seconds of amortization and repeated trials to get stable results from their
feature set. We intend to work with the research community to establish the
optimum trade-off between quantization+jitter and amortization time.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

Currently, the only mitigation against performance fingerprinting is to
disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/">Navigation
Timing</a> through the Firefox preference
<span class="command"><strong>dom.enable_performance</strong></span>.

     </p></li><li class="listitem">Non-Uniform HTML5 API Implementations
     <p>

At least two HTML5 features have different implementation status across the
major OS vendors: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery">Battery
API</a> and the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection">Network
Connection API</a>. We disable these APIs
through the Firefox preferences <span class="command"><strong>dom.battery.enabled</strong></span> and
<span class="command"><strong>dom.network.enabled</strong></span>.

     </p></li><li class="listitem">Keystroke fingerprinting
     <p>

Keystroke fingerprinting is the act of measuring key strike time and key
flight time. It is seeing increasing use as a biometric.

     </p><p><span class="command"><strong>Design Goal:</strong></span>

We intend to rely on the same mechanisms for defeating Javascript performance
fingerprinting: timestamp quantization and jitter.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>
We have no implementation as of yet.
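The quantization-plus-jitter mitigation proposed for both Javascript performance fingerprinting and keystroke fingerprinting, as an added example that is not Tor Browser code: a clock filter with a configurable grid and jitter, applied to a microbenchmark timing and to inter-key intervals; the resolution, jitter bound, sample timings and the monotonicity rule are assumptions for the example.

```javascript
"use strict";

// Added example, not Tor Browser code: the timestamp quantization-plus-jitter
// mitigation proposed above for both Javascript performance fingerprinting and
// keystroke fingerprinting. Assumptions: resolutionMs and jitterMs are free
// parameters (the text says optimal values are still undetermined) and the
// random source is injectable so the behaviour can be checked deterministically.
// One filter models one clock (Date() or Event.timeStamp) in one page.
function makeTimestampFilter({ resolutionMs, jitterMs, random = Math.random }) {
  let last = -Infinity;
  // trueMs: the precise value the clock would otherwise have reported.
  return function filter(trueMs) {
    // 1. Quantize: drop everything below the grid, so two operations that
    //    differ by less than resolutionMs usually read the same.
    const quantized = Math.floor(trueMs / resolutionMs) * resolutionMs;
    // 2. Jitter: add noise in [0, jitterMs) so the grid edges cannot be
    //    located exactly by repeated sampling.
    const noisy = quantized + random() * jitterMs;
    // 3. Keep the clock monotonic so page logic that subtracts timestamps
    //    never sees time run backwards.
    last = Math.max(noisy, last);
    return last;
  };
}

// A page timing one operation: the elapsed time it can compute through the
// filter, given the true start time and true duration of the operation.
function observedDuration(filter, trueStartMs, trueDurationMs) {
  const start = filter(trueStartMs);
  const end = filter(trueStartMs + trueDurationMs);
  return end - start;
}

// Keystroke fingerprinting works from the intervals between key events; this
// returns the intervals a page would see for the given true key-down times.
function observedKeyIntervals(filter, trueKeyTimesMs) {
  const seen = trueKeyTimesMs.map((t) => filter(t));
  const intervals = [];
  for (let i = 1; i < seen.length; i++) intervals.push(seen[i] - seen[i - 1]);
  return intervals;
}

// Constructed sample: two machines running the same microbenchmark, and one
// typist's true key-down times in milliseconds.
const MACHINE_A_MS = 1.7;
const MACHINE_B_MS = 2.3;
const KEY_TIMES = [1000, 1083, 1141, 1260];

function demo() {
  const fixed = () => 0;        // deterministic "random" for the demo
  const raw = () => (t) => t;   // an unmitigated clock, for comparison
  const coarse = () => makeTimestampFilter({ resolutionMs: 100, jitterMs: 0, random: fixed });
  return {
    rawA: observedDuration(raw(), 5000, MACHINE_A_MS),
    rawB: observedDuration(raw(), 5000, MACHINE_B_MS),
    coarseA: observedDuration(coarse(), 5000, MACHINE_A_MS),
    coarseB: observedDuration(coarse(), 5000, MACHINE_B_MS),
    rawKeys: observedKeyIntervals(raw(), KEY_TIMES),
    coarseKeys: observedKeyIntervals(coarse(), KEY_TIMES),
  };
}

console.log(JSON.stringify(demo()));
```

With the coarse clock both machines time the benchmark at 0 ms and the three distinct key intervals collapse onto the grid, which is why the text speaks of forcing the adversary into longer amortization rather than removing the signal outright.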
     </p></li></ol></div></div><p>
For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed">tbb-fingerprinting tag in our bugtracker</a>.
  </p></div><div class="sect2" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"/>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>

In order to avoid long-term linkability, we provide a "New Identity" context
menu option in Torbutton. This context menu option is active if Torbutton can
read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.

   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5665856"/>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

All linkable identifiers and browser state MUST be cleared by this feature.

    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5667104"/>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

First, Torbutton disables Javascript in all open tabs and windows by using
both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes">browser.docShell.allowJavascript</a>
attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29">nsIDOMWindowUtils.suppressEventHandling()</a>.
We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
We then clear the site-specific Zoom by temporarily disabling the preference
<span class="command"><strong>browser.zoom.siteSpecific</strong></span>, and clear the GeoIP wiki token
URL and the last opened URL prefs (if they exist). Each tab is then closed.

     </p><p>

After closing all tabs, we then clear the following state: searchbox and
findbox text, HTTP auth, SSL state, OCSP state, site-specific content
preferences (including HSTS state), content and image cache, Cookies, DOM
storage, safe browsing key, and the Google wifi geolocation token (if it
exists).

     </p><p>

After the state is cleared, we then close all remaining HTTP keep-alive
connections and then send the NEWNYM signal to the Tor control port to cause a
new circuit to be created.
     </p><p>
Finally, a fresh browser window is opened, and the current browser window is
closed.
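The control-port exchange that the procedure above ends with, as an added example that is not Torbutton's code: AUTHENTICATE with the password from $TOR_CONTROL_PASSWD, then SIGNAL NEWNYM, with the reply parsing needed to tell success from failure; the transport is injected and the replies are constructed, so the example runs offline against a scripted stand-in for the control port on $TOR_CONTROL_PORT.

```javascript
"use strict";

// Added example, not Torbutton's code: the control-port exchange New Identity
// ends with, AUTHENTICATE followed by SIGNAL NEWNYM, gated on the two
// environment variables the text says Torbutton reads. Framing follows the Tor
// control protocol (CRLF-terminated commands, "250 OK" on success). The "send"
// function is injected so the exchange can be exercised offline on constructed
// replies; wiring it to a real socket on TOR_CONTROL_PORT is left to the caller.

// Password authentication uses the protocol's quoted-string form, in which
// backslash and double quote are escaped with a backslash.
function buildAuthenticate(password) {
  const quoted = password.replace(/[\\"]/g, (c) => "\\" + c);
  return `AUTHENTICATE "${quoted}"\r\n`;
}

function buildSignalNewnym() {
  return "SIGNAL NEWNYM\r\n";
}

// Parse a reply: each line is a 3-digit code, then "-" (more lines follow) or
// " " (final line), then text. Data replies ("+") are not needed for these two
// commands and are treated as an error.
function parseReply(raw) {
  const lines = raw.split("\r\n").filter((l) => l.length > 0);
  const parsed = lines.map((l) => ({ code: l.slice(0, 3), sep: l[3], text: l.slice(4) }));
  if (parsed.some((p) => !/^\d{3}$/.test(p.code) || p.sep === "+")) {
    throw new Error("unexpected reply line in " + JSON.stringify(raw));
  }
  const last = parsed.find((p) => p.sep === " ");
  if (last === undefined) throw new Error("incomplete reply " + JSON.stringify(raw));
  return { code: last.code, ok: last.code === "250", lines: parsed.map((p) => p.text) };
}

// Run the exchange. send(command) must return the raw reply string. The
// keep-alive connections mentioned in the text are closed before this is called.
function newIdentity(send, env) {
  const password = env.TOR_CONTROL_PASSWD;
  const port = env.TOR_CONTROL_PORT;
  if (!password || !port) {
    // Torbutton leaves the menu entry inactive in this case.
    return { ok: false, stage: "precondition", detail: "TOR_CONTROL_PASSWD/TOR_CONTROL_PORT not set" };
  }
  const auth = parseReply(send(buildAuthenticate(password)));
  if (!auth.ok) return { ok: false, stage: "authenticate", detail: auth.code + " " + auth.lines.join(" ") };
  const sig = parseReply(send(buildSignalNewnym()));
  if (!sig.ok) return { ok: false, stage: "newnym", detail: sig.code + " " + sig.lines.join(" ") };
  return { ok: true, stage: "done", detail: "new circuits will be used for subsequent connections" };
}

// Constructed stand-in for a control port: records every command it receives
// and answers with replies shaped like Tor's (the reply texts are constructed).
function scriptedControlPort(expectedPassword) {
  const log = [];
  let authenticated = false;
  return {
    log,
    send(cmd) {
      log.push(cmd);
      if (cmd === buildAuthenticate(expectedPassword)) { authenticated = true; return "250 OK\r\n"; }
      if (cmd.startsWith("AUTHENTICATE ")) return "515 Authentication failed: Password did not match HashedControlPassword value from configuration\r\n";
      if (!authenticated) return "514 Authentication required.\r\n";
      if (cmd === buildSignalNewnym()) return "250 OK\r\n";
      return "510 Unrecognized command\r\n";
    },
  };
}

console.log(JSON.stringify(newIdentity(scriptedControlPort("s3cret").send,
                                       { TOR_CONTROL_PASSWD: "s3cret", TOR_CONTROL_PORT: "9151" })));
```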
projects/torbrowser/design/index.html.en    1127)      </p></blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en    1128) If the user chose to "protect" any cookies by using the Torbutton Cookie
projects/torbrowser/design/index.html.en    1129) Protections UI, those cookies are not cleared as part of the above.
projects/torbrowser/design/index.html.en    1130)     </blockquote></div></div></div><div class="sect2" title="4.8. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"/>4.8. Description of Firefox Patches</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en 1131) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1132) The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/maint-2.4:/src/current-patches/firefox">current-patches directory of the torbrowser git repository</a>. They are:
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en 1133) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1134)    </p><div class="orderedlist"><ol class="orderedlist"><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0001-Block-Components.interfaces-from-content.patch">Block
projects/torbrowser/design/index.html.en    1135) Components.interfaces</a><p>
projects/torbrowser/design/index.html.en    1136) 
projects/torbrowser/design/index.html.en    1137) In order to reduce fingerprinting, we block access to this interface from
projects/torbrowser/design/index.html.en    1138) content script. Components.interfaces can be used for fingerprinting the
projects/torbrowser/design/index.html.en    1139) platform, OS, and Firebox version, but not much else.
projects/torbrowser/design/index.html.en    1140) 
projects/torbrowser/design/index.html.en    1141)      </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0002-Make-Permissions-Manager-memory-only.patch">Make
projects/torbrowser/design/index.html.en    1142) Permissions Manager memory only</a><p>
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

projects/en/torbrowser/design/index.html.en 1143) 
projects/en/torbrowser/design/index.html.en 1144) This patch exposes a pref 'permissions.memory_only' that properly isolates the
projects/en/torbrowser/design/index.html.en 1145) permissions manager to memory, which is responsible for all user specified
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1146) site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security">HSTS</a>
policy from visited sites.
The pref does successfully clear the permissions manager memory if toggled. It
does not need to be set in prefs.js, and can be handled by Torbutton.

     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0003-Make-Intermediate-Cert-Store-memory-only.patch">Make
Intermediate Cert Store memory-only</a><p>
The intermediate certificate store records the intermediate SSL certificates
the browser has seen to date. Because these intermediate certificates are used
by a limited number of domains (and in some cases, only a single domain),
the intermediate certificate store can serve as a low-resolution record of
browsing history.
     </p><p><span class="command"><strong>Design Goal:</strong></span>

As an additional design goal, we would like to later alter this patch to allow this
information to be cleared from memory. The implementation does not currently
allow this.

     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0004-Add-a-string-based-cacheKey.patch">Add
a string-based cacheKey property for domain isolation</a><p>
To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666">increase the
security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754">solve strange and
unknown conflicts with OCSP</a>, we had to patch
Firefox to provide a cacheDomain cache attribute. We use the URL bar
FQDN as input to this field.
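
As an added example (not Tor Browser's or Firefox's own code), a small JavaScript model of this isolation: a cache keyed on the resource URL alone beside one that also keys on the URL bar FQDN, with a constructed third-party script embedded on two constructed sites, to show which cache lets the two visits be linked.

```javascript
"use strict";
// Added example, not Tor Browser or Firefox code: a toy model of why keying the
// cache on the URL bar FQDN (the patch's cacheDomain attribute) isolates
// first parties. The site names and the tracker are constructed for the demo.

// Baseline: entries keyed only by the resource URL, shared across all sites.
class SharedCache {
  constructor() { this.entries = new Map(); }
  key(urlBarUrl, resourceUrl) { return new URL(resourceUrl).href; }
  // Return the cached body on a hit; otherwise ask the origin server and store it.
  fetch(urlBarUrl, resourceUrl, server) {
    const k = this.key(urlBarUrl, resourceUrl);
    if (this.entries.has(k)) return { hit: true, body: this.entries.get(k) };
    const body = server(resourceUrl);
    this.entries.set(k, body);
    return { hit: false, body };
  }
}

// Tor Browser style: the URL bar FQDN is prepended to the key, so the same
// resource embedded on two first parties lands in two independent entries.
class IsolatedCache extends SharedCache {
  key(urlBarUrl, resourceUrl) {
    const fqdn = new URL(urlBarUrl).hostname.toLowerCase();
    return fqdn + "|" + new URL(resourceUrl).href;
  }
}

// Constructed scenario: a third-party script that mints a fresh identifier on
// every uncached load is embedded on two unrelated sites. If the second site
// gets a cache hit, it receives the first site's identifier and the two visits
// are linkable; two separate identifiers mean the cache gave nothing away.
function trackerScenario(cache) {
  let issued = 0;
  const tracker = "https://tracker.example/beacon.js";
  const server = () => "visitor-id-" + (++issued);
  const first = cache.fetch("https://site-a.example/news", tracker, server);
  const second = cache.fetch("https://site-b.example/shop", tracker, server);
  // Caching still works within one first party: a revisit of site-a must hit.
  const revisit = cache.fetch("https://site-a.example/other", tracker, server);
  return {
    linkable: second.hit && second.body === first.body,
    idsIssued: issued,
    sameSiteHit: revisit.hit,
  };
}
console.log("shared  :", trackerScenario(new SharedCache()));
console.log("isolated:", trackerScenario(new IsolatedCache()));
```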
     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch">Block
all plugins except flash</a><p>
We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1">
@mozilla.org/extensions/blocklist;1</a> service, because we
actually want to stop plugins from ever entering the browser's process space
and/or executing code (for example, AV plugins that collect statistics/analyze
URLs, magical toolbars that phone home or "help" the user, Skype buttons that
ruin our day, and censorship filters). Hence we rolled our own.
     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0006-Make-content-pref-service-memory-only-clearable.patch">Make content-prefs service memory only</a><p>
This patch prevents random URLs from being inserted into content-prefs.sqlite in
the profile directory as content prefs change (these include site zoom and perhaps
other site prefs).
     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0007-Make-Tor-Browser-exit-when-not-launched-from-Vidalia.patch">Make Tor Browser exit when not launched from Vidalia</a><p>
It turns out that on Windows 7 and later systems, the Taskbar attempts to
automatically learn the most frequent apps used by the user, and it recognizes
Tor Browser as a separate app from Vidalia. This can cause users to try to
launch Tor Browser without Vidalia or a Tor instance running. Worse, the Tor
Browser will automatically find their default Firefox profile and connect
directly, without using Tor. This patch is a simple hack to cause Tor
Browser to immediately exit in this case.

     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0008-Disable-SSL-Session-ID-tracking.patch">Disable SSL Session ID tracking</a><p>
This patch is a simple 1-line hack to prevent SSL connections from caching
(and then later transmitting) their Session IDs. There was no preference to
govern this behavior, so we had to hack it by altering the SSL new connection
defaults.

     </p></li><li class="listitem"><a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0009-Provide-an-observer-event-to-close-persistent-connec.patch">Provide an observer event to close persistent connections</a><p>
This patch creates an observer event in the HTTP connection manager to close
all keep-alive connections that still happen to be open. This event is emitted