87df89e20fef80e51e4db2e39afe0334e9522731
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    1) <?xml version="1.0" encoding="UTF-8"?>
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en       2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Georg</span> <span class="surname">Koppen</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gk#torproject org">gk#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">February 19th, 2018</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span 
class="sect1"><a href="#idm29">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. 
Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idm1164">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idm1196">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idm1203">5.3. Anonymous Verification</a></span></dt><dt><span class="sect2"><a href="#update-safety">5.4. Update Safety</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idm1246">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm29"></a>1. Introduction</h2></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    3) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en       4) This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en       5) <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a>  of the Tor Browser. It is current as of Tor Browser
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en       6) 7.0.11.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    7) 
projects/en/torbrowser/design/index.html.en    8)   </p><p>
projects/en/torbrowser/design/index.html.en    9) 
projects/en/torbrowser/design/index.html.en   10) This document is also meant to serve as a set of design requirements and to
projects/en/torbrowser/design/index.html.en   11) describe a reference implementation of a Private Browsing Mode that defends
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      12) against active network adversaries, in addition to the passive forensic local
projects/torbrowser/design/index.html.en      13) adversary currently addressed by the major browsers.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   14) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en      15)   </p><p>
projects/torbrowser/design/index.html.en      16) 
projects/torbrowser/design/index.html.en      17) For more practical information regarding Tor Browser development, please
projects/torbrowser/design/index.html.en      18) consult the <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking" target="_top">Tor
projects/torbrowser/design/index.html.en      19) Browser Hacking Guide</a>.
projects/torbrowser/design/index.html.en      20) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      21)   </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="components"></a>1.1. Browser Component Overview</h3></div></div></div><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      22) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      23) The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/" target="_top">Mozilla's Extended
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      24) Support Release (ESR) Firefox branch</a>. We have a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git" target="_top">series of patches</a>
projects/torbrowser/design/index.html.en      25) against this browser to enhance privacy and security. Browser behavior is
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en      26) additionally augmented through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/" target="_top">Torbutton
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      27) extension</a>, though we are in the process of moving this functionality
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en      28) into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.5.2esr-7.0-2" target="_top">change
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      29) a number of Firefox preferences</a> from their defaults.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      30) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      31)    </p><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      32) Tor process management and configuration are accomplished through the <a class="ulink" href="https://gitweb.torproject.org/tor-launcher.git" target="_top">Tor Launcher</a>
projects/torbrowser/design/index.html.en      33) addon, which provides the initial Tor configuration splash screen and
projects/torbrowser/design/index.html.en      34) bootstrap progress bar. Tor Launcher is also compatible with Thunderbird,
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      35) Instantbird, and XULRunner.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      36) 
projects/torbrowser/design/index.html.en      37)    </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   38) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      39) To help protect against potential Tor Exit Node eavesdroppers, we include
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      40) <a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a>. To
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en      41) provide users with optional defense-in-depth against JavaScript and other
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en      42) potential exploit vectors, we also include <a class="ulink" href="https://noscript.net/" target="_top">NoScript</a>. We also modify <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js" target="_top">several
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      43) extension preferences</a> from their defaults.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   44) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      45)    </p><p>
projects/torbrowser/design/index.html.en      46) 
projects/torbrowser/design/index.html.en      47) To provide censorship circumvention in areas where the public Tor network is
projects/torbrowser/design/index.html.en      48) blocked either by IP or by protocol fingerprint, we include several <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports" target="_top">Pluggable
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en      49) Transports</a> in the distribution. As of this writing, we include <a class="ulink" href="https://gitweb.torproject.org/pluggable-transports/obfs4.git" target="_top">Obfs3proxy,
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en      50) Obfs4proxy</a>,
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      51) <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/meek" target="_top">meek</a>,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en      52) and <a class="ulink" href="https://fteproxy.org/" target="_top">FTE</a>.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      53) 
projects/torbrowser/design/index.html.en      54)    </p></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   55) 
projects/en/torbrowser/design/index.html.en   56) The Tor Browser Design Requirements are meant to describe the properties of a
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      57) Private Browsing Mode that defends against both network and local forensic
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en      58) adversaries.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   59) 
projects/en/torbrowser/design/index.html.en   60)   </p><p>
projects/en/torbrowser/design/index.html.en   61) 
projects/en/torbrowser/design/index.html.en   62) There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      63) minimum properties in order for a browser to be able to support Tor and
projects/torbrowser/design/index.html.en      64) similar privacy proxies safely. Privacy requirements are the set of properties
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en      65) that cause us to prefer one browser over another.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   66) 
projects/en/torbrowser/design/index.html.en   67)   </p><p>
projects/en/torbrowser/design/index.html.en   68) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      69) While we will endorse the use of browsers that meet the security requirements,
projects/torbrowser/design/index.html.en      70) it is primarily the privacy requirements that cause us to maintain our own
projects/torbrowser/design/index.html.en      71) browser distribution.
projects/torbrowser/design/index.html.en      72) 
projects/torbrowser/design/index.html.en      73)   </p><p>
projects/torbrowser/design/index.html.en      74) 
projects/torbrowser/design/index.html.en      75)       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
projects/torbrowser/design/index.html.en      76)       NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
projects/torbrowser/design/index.html.en      77)       "OPTIONAL" in this document are to be interpreted as described in
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      78)       <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   79) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      80)   </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   81) 
projects/en/torbrowser/design/index.html.en   82) The security requirements are primarily concerned with ensuring the safe use
projects/en/torbrowser/design/index.html.en   83) of Tor. Violations in these properties typically result in serious risk for
Mike Perry Add a couple extra sentence...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      84) the user in terms of immediate deanonymization and/or observability. With
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en      85) respect to browser support, security requirements are the minimum properties
projects/torbrowser/design/index.html.en      86) in order for Tor to support the use of a particular browser.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   87) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      88)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      89) Obedience</strong></span></a><p>The browser
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      90) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="4.2. State Separation"><span class="command"><strong>State
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      91) Separation</strong></span></a><p>
projects/torbrowser/design/index.html.en      92) 
projects/torbrowser/design/index.html.en      93) The browser MUST NOT provide the content window with any state from any other
projects/torbrowser/design/index.html.en      94) browsers or any non-Tor browsing modes. This includes shared state from
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      95) independent plugins, and shared state from operating system implementations of
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      96) TLS and other support libraries.
projects/torbrowser/design/index.html.en      97) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      98) </p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance"><span class="command"><strong>Disk
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      99) Avoidance</strong></span></a><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     100) 
projects/torbrowser/design/index.html.en     101) The browser MUST NOT write any information that is derived from or that
projects/torbrowser/design/index.html.en     102) reveals browsing activity to the disk, or store it in memory beyond the
projects/torbrowser/design/index.html.en     103) duration of one browsing session, unless the user has explicitly opted to
projects/torbrowser/design/index.html.en     104) store their browsing history information to disk.
projects/torbrowser/design/index.html.en     105) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     106) </p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="4.4. Application Data Isolation"><span class="command"><strong>Application Data
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     107) Isolation</strong></span></a><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     108) 
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     109) The components involved in providing private browsing MUST be self-contained,
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     110) or MUST provide a mechanism for rapid, complete removal of all evidence of the
projects/torbrowser/design/index.html.en     111) use of the mode. In other words, the browser MUST NOT write or cause the
projects/torbrowser/design/index.html.en     112) operating system to write <span class="emphasis"><em>any information</em></span> about the use
projects/torbrowser/design/index.html.en     113) of private browsing to disk outside of the application's control. The user
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     114) must be able to ensure that secure deletion of the software is sufficient to
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     115) remove evidence of the use of the software. All exceptions and shortcomings
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     116) due to operating system behavior MUST be wiped by an uninstaller. However, due
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     117) to permissions issues with access to swap, implementations MAY choose to leave
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     118) it out of scope, and/or leave it to the operating system/platform to implement
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     119) ephemeral-keyed encrypted swap.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  120) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     121) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  122) 
projects/en/torbrowser/design/index.html.en  123) The privacy requirements are primarily concerned with reducing linkability:
Mike Perry Add a couple extra sentence...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     124) the ability for a user's activity on one site to be linked with their activity
projects/torbrowser/design/index.html.en     125) on another site without their knowledge or explicit consent. With respect to
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     126) browser support, privacy requirements are the set of properties that cause us
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     127) to prefer one browser over another.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  128) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     129)    </p><p>
projects/torbrowser/design/index.html.en     130) 
projects/torbrowser/design/index.html.en     131) For the purposes of the unlinkability requirements of this section as well as
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     132) the descriptions in the <a class="link" href="#Implementation" title="4. Implementation">implementation
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     133) section</a>, a <span class="command"><strong>URL bar origin</strong></span> means at least the
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     134) second-level DNS name.  For example, for mail.google.com, the origin would be
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     135) google.com. Implementations MAY, at their option, restrict the URL bar origin
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     136) to be the entire fully qualified domain name.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     137) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     138)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     139) Identifier Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  140) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     141) User activity on one URL bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en     142) any other URL bar origin by any third party automatically or without user
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     143) interaction or approval. This requirement specifically applies to linkability
projects/torbrowser/design/index.html.en     144) from stored browser identifiers, authentication tokens, and shared state. The
projects/torbrowser/design/index.html.en     145) requirement does not apply to linkable information the user manually submits
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     146) to sites, or due to information submitted during manual link traversal. This
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     147) functionality SHOULD NOT interfere with interactive, click-driven federated
projects/torbrowser/design/index.html.en     148) login in a substantial way.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  149) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     150)   </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     151) Fingerprinting Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  152) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     153) User activity on one URL bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en     154) any other URL bar origin by any third party. This property specifically applies to
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  155) linkability from fingerprinting browser behavior.
projects/en/torbrowser/design/index.html.en  156) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     157)   </p></li><li class="listitem"><a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><span class="command"><strong>Long-Term
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     158) Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  159) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     160) The browser MUST provide an obvious, easy way for the user to remove all of
projects/torbrowser/design/index.html.en     161) its authentication tokens and browser state and obtain a fresh identity.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     162) Additionally, the browser SHOULD clear linkable state by default automatically
projects/torbrowser/design/index.html.en     163) upon browser restart, except at user option.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  164) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     165)   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  166) 
projects/en/torbrowser/design/index.html.en  167) In addition to the above design requirements, the technology decisions about
projects/en/torbrowser/design/index.html.en  168) Tor Browser are also guided by some philosophical positions about technology.
projects/en/torbrowser/design/index.html.en  169) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     170)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  171) 
projects/en/torbrowser/design/index.html.en  172) The existing way that the user expects to use a browser must be preserved. If
projects/en/torbrowser/design/index.html.en  173) the user has to maintain a different mental model of how the sites they are
projects/en/torbrowser/design/index.html.en  174) using behave depending on tab, browser state, or anything else that would not
projects/en/torbrowser/design/index.html.en  175) normally be what they experience in their default browser, the user will
projects/en/torbrowser/design/index.html.en  176) inevitably be confused. They will make mistakes and reduce their privacy as a
projects/en/torbrowser/design/index.html.en  177) result. Worse, they may just stop using the browser, assuming it is broken.
projects/en/torbrowser/design/index.html.en  178) 
projects/en/torbrowser/design/index.html.en  179)       </p><p>
projects/en/torbrowser/design/index.html.en  180) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     181) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  182) of Torbutton</a>: Even if users managed to install everything properly,
projects/en/torbrowser/design/index.html.en  183) the toggle model was too hard for the average user to understand, especially
projects/en/torbrowser/design/index.html.en  184) in the face of accumulating tabs from multiple states crossed with the current
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     185) Tor-state of the browser.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  186) 
projects/en/torbrowser/design/index.html.en  187)       </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
projects/en/torbrowser/design/index.html.en  188) break sites</strong></span><p>
projects/en/torbrowser/design/index.html.en  189) 
projects/en/torbrowser/design/index.html.en  190) In general, we try to find solutions to privacy issues that will not induce
projects/en/torbrowser/design/index.html.en  191) site breakage, though this is not always possible.
projects/en/torbrowser/design/index.html.en  192) 
projects/en/torbrowser/design/index.html.en  193)       </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>
projects/en/torbrowser/design/index.html.en  194) 
projects/en/torbrowser/design/index.html.en  195) Even if plugins always properly used the browser proxy settings (which none of
projects/en/torbrowser/design/index.html.en  196) them do) and could not be induced to bypass them (which all of them can), the
projects/en/torbrowser/design/index.html.en  197) activities of closed-source plugins are very difficult to audit and control.
projects/en/torbrowser/design/index.html.en  198) They can obtain and transmit all manner of system information to websites,
projects/en/torbrowser/design/index.html.en  199) often have their own identifier storage for tracking users, and also
projects/en/torbrowser/design/index.html.en  200) contribute to fingerprinting.
projects/en/torbrowser/design/index.html.en  201) 
projects/en/torbrowser/design/index.html.en  202)       </p><p>
projects/en/torbrowser/design/index.html.en  203) 
projects/en/torbrowser/design/index.html.en  204) Therefore, if plugins are to be enabled in private browsing modes, they must
projects/en/torbrowser/design/index.html.en  205) be restricted from running automatically on every page (via click-to-play
projects/en/torbrowser/design/index.html.en  206) placeholders), and/or be sandboxed to restrict the types of system calls they
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     207) can execute. If the user agent allows the user to craft an exemption to allow
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     208) a plugin to be used automatically, it must only apply to the top level URL bar
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     209) domain, and not to all sites, to reduce cross-origin fingerprinting
projects/torbrowser/design/index.html.en     210) linkability.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  211) 
projects/en/torbrowser/design/index.html.en  212)        </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
projects/en/torbrowser/design/index.html.en  213) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     214) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     215) failure of Torbutton</a> was the options panel. Each option
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  216) that detectably alters browser behavior can be used as a fingerprinting tool.
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     217) Similarly, all extensions <a class="ulink" href="https://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">should be
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     218) disabled in the mode</a> except on an opt-in basis. We should not load
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     219) system-wide and/or operating system provided addons or plugins.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  220) 
projects/en/torbrowser/design/index.html.en  221)      </p><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     222) Instead of global browser privacy options, privacy decisions should be made
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     223) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     224) URL bar origin</a> to eliminate the possibility of linkability
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     225) between domains. For example, when a plugin object (or a JavaScript access of
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  226) window.plugins) is present in a page, the user should be given the choice of
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     227) allowing that plugin object for that URL bar origin only. The same
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     228) goes for exemptions to third party cookie policy, geolocation, and any other
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  229) privacy permissions.
projects/en/torbrowser/design/index.html.en  230)      </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     231) If the user has indicated they wish to record local history storage, these
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     232) permissions can be written to disk. Otherwise, they should remain memory-only.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  233)      </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>
projects/en/torbrowser/design/index.html.en  234) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     235) Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     236) Plus</a>, <a class="ulink" href="https://requestpolicy.com/" target="_top">Request Policy</a>,
projects/torbrowser/design/index.html.en     237) <a class="ulink" href="https://www.ghostery.com/about-ghostery/" target="_top">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="https://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  238) avoided. We believe that these addons do not add any real privacy to a proper
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     239) <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, and that development efforts
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     240) should be focused on general solutions that prevent tracking by all third
projects/torbrowser/design/index.html.en     241) parties, rather than a list of specific URLs or hosts.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     242)      </p><p>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     243) Implementing filter-based blocking directly into the browser, as is done with
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     244) <a class="ulink" href="https://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     245) Firefox's Tracking Protection</a>, does not alleviate the concerns mentioned
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     246) in the previous paragraph. There is still just a list containing specific
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     247) URLs and hosts which, in this case, are
projects/torbrowser/design/index.html.en     248) <a class="ulink" href="https://services.disconnect.me/disconnect-plaintext.json" target="_top">
projects/torbrowser/design/index.html.en     249) assembled</a> by <a class="ulink" href="https://disconnect.me/trackerprotection" target="_top">
projects/torbrowser/design/index.html.en     250) Disconnect</a> and <a class="ulink" href="https://github.com/mozilla-services/shavar-list-exceptions" target="_top">adapted</a> by Mozilla.
projects/torbrowser/design/index.html.en     251)      </p><p>
projects/torbrowser/design/index.html.en     252) Trying to resort to <a class="ulink" href="https://jonathanmayer.org/papers_data/bau13.pdf" target="_top">filter methods based on
projects/torbrowser/design/index.html.en     253) machine learning</a> does not solve the problem either: they do not provide
projects/torbrowser/design/index.html.en     254) a general solution to the tracking problem because they work probabilistically.
projects/torbrowser/design/index.html.en     255) Even with a precision rate of 99% and a false positive rate of 0.1%, trackers
projects/torbrowser/design/index.html.en     256) would be missed and sites would be wrongly blocked.
projects/torbrowser/design/index.html.en     257)      </p><p>
projects/torbrowser/design/index.html.en     258) Filter-based solutions in general can also introduce strange breakage and cause
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     259) usability nightmares. For instance, a growing number of websites
projects/torbrowser/design/index.html.en     260) <a class="ulink" href="https://petsymposium.org/2017/papers/issue3/paper25-2017-3-source.pdf" target="_top">
projects/torbrowser/design/index.html.en     261) detect filter extensions and block access to their content</a>. Coping
projects/torbrowser/design/index.html.en     262) with this fallout easily leads to just <a class="ulink" href="https://github.com/mozilla-services/shavar-list-exceptions" target="_top">whitelisting
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     263) </a>
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     264) the affected domains, hoping that this helps, defeating the purpose of the
projects/torbrowser/design/index.html.en     265) filter in the first place. Filters will also fail to do their job if an
projects/torbrowser/design/index.html.en     266) adversary simply registers a new domain or <a class="ulink" href="https://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_24.pdf" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     267) creates a new URL path</a>. Worse still, the unique filter sets that each
projects/torbrowser/design/index.html.en     268) user creates or installs will provide a wealth of fingerprinting targets.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  269)       </p><p>
projects/en/torbrowser/design/index.html.en  270) 
projects/en/torbrowser/design/index.html.en  271) As a general matter, we are also opposed to shipping an always-on ad
projects/en/torbrowser/design/index.html.en  272) blocker with Tor Browser. We feel that this would damage our credibility in
projects/en/torbrowser/design/index.html.en  273) terms of demonstrating that we are providing privacy through a sound design
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     274) alone, as well as damage the acceptance of Tor users by sites that support
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  275) themselves through advertising revenue.
projects/en/torbrowser/design/index.html.en  276) 
projects/en/torbrowser/design/index.html.en  277)       </p><p>
projects/en/torbrowser/design/index.html.en  278) Users are free to install these addons if they wish, but doing
projects/en/torbrowser/design/index.html.en  279) so is not recommended, as it will alter the browser request fingerprint.
projects/en/torbrowser/design/index.html.en  280)       </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
projects/en/torbrowser/design/index.html.en  281) We believe that if we do not stay current with the support of new web
projects/en/torbrowser/design/index.html.en  282) technologies, we cannot hope to substantially influence or be involved in
projects/en/torbrowser/design/index.html.en  283) their proper deployment or privacy realization. However, we will likely disable
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     284) high-risk features pending analysis, audit, and mitigation.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     285)       </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="adversary"></a>3. Adversary Model</h2></div></div></div><p>
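Added example (not Tor Browser code) for the "Minimize Global Privacy Options" position in section 2.3: a permission exemption keyed by the URL bar origin and held in memory unless local history recording is on, contrasted with a single global toggle. Class names, method names and the siteX.example/siteY.example URLs are hypothetical, and the full hostname stands in for the URL bar domain.

```javascript
// Added example, not Tor Browser code. All names and URLs are hypothetical.

// Weak design: one global switch per permission, shared by every site.
class GlobalPermissionStore {
  constructor() {
    this.enabled = new Set();
  }
  grant(_urlBarUrl, permission) {
    this.enabled.add(permission);
  }
  isAllowed(_urlBarUrl, permission) {
    return this.enabled.has(permission);
  }
}

// Design from the text: an exemption is keyed by the URL bar origin and stays
// memory-only unless the user chose to record local history.
class PerOriginPermissionStore {
  constructor({ recordHistory = false, disk = new Map() } = {}) {
    this.recordHistory = recordHistory;
    this.disk = disk; // stand-in for an on-disk permission database
    this.memory = new Map();
    if (recordHistory) {
      // Simulated restart: reload what an earlier session persisted.
      for (const [key, value] of disk) this.memory.set(key, value);
    }
  }

  // Assumption: the full hostname stands in for the URL bar domain.
  static key(urlBarUrl, permission) {
    return `${new URL(urlBarUrl).hostname}|${permission}`;
  }

  grant(urlBarUrl, permission) {
    const key = PerOriginPermissionStore.key(urlBarUrl, permission);
    this.memory.set(key, true);
    if (this.recordHistory) this.disk.set(key, true);
  }

  isAllowed(urlBarUrl, permission) {
    return this.memory.has(PerOriginPermissionStore.key(urlBarUrl, permission));
  }

  // Fresh identity: drop every exemption, in memory and on disk.
  clearAll() {
    this.memory.clear();
    this.disk.clear();
  }
}

// A third party embedded under several URL bar origins learns, per page,
// whether the permission is active. Identical answers on unrelated sites
// are the cross-site signal that a global option creates.
function visibleAcrossSites(store, urlBarUrls, permission) {
  return urlBarUrls.map((url) => store.isAllowed(url, permission));
}

// Grant in one session, then open a second session on the same "disk".
function restartKeepsGrant(recordHistory) {
  const disk = new Map();
  const first = new PerOriginPermissionStore({ recordHistory, disk });
  first.grant("https://siteX.example/article", "geolocation");
  const second = new PerOriginPermissionStore({ recordHistory, disk });
  return second.isAllowed("https://siteX.example/", "geolocation");
}

function demo() {
  const pages = [
    "https://siteX.example/article",
    "https://siteY.example/forum",
  ];

  const globalStore = new GlobalPermissionStore();
  globalStore.grant(pages[0], "plugin"); // user clicked "allow" on siteX

  const perOrigin = new PerOriginPermissionStore();
  perOrigin.grant(pages[0], "plugin"); // same click, scoped to siteX

  const result = {
    global: visibleAcrossSites(globalStore, pages, "plugin"),
    perOrigin: visibleAcrossSites(perOrigin, pages, "plugin"),
    restartWithoutHistory: restartKeepsGrant(false),
    restartWithHistory: restartKeepsGrant(true),
  };

  perOrigin.clearAll();
  result.afterClearAll = perOrigin.isAllowed(pages[0], "plugin");
  return result;
}

console.log(demo());
```
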
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     286) 
projects/torbrowser/design/index.html.en     287) A Tor web browser adversary has a number of goals, capabilities, and attack
projects/torbrowser/design/index.html.en     288) types that can be used to illustrate the design requirements for the
projects/torbrowser/design/index.html.en     289) Tor Browser. Let's start with the goals.
projects/torbrowser/design/index.html.en     290) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     291)    </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-goals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     292) Tor, causing the user to directly connect to an IP of the adversary's
projects/torbrowser/design/index.html.en     293) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
projects/torbrowser/design/index.html.en     294) happily settle for the ability to correlate something a user did via Tor with
projects/torbrowser/design/index.html.en     295) their non-Tor activity. This can be done with cookies, cache identifiers,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     296) JavaScript events, and even CSS. Sometimes the fact that a user uses Tor may
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     297) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
projects/torbrowser/design/index.html.en     298) The adversary may also be interested in history disclosure: the ability to
projects/torbrowser/design/index.html.en     299) query a user's history to see if they have issued certain censored search
projects/torbrowser/design/index.html.en     300) queries, or visited censored sites.
projects/torbrowser/design/index.html.en     301)      </p></li><li class="listitem"><span class="command"><strong>Correlate activity across multiple sites</strong></span><p>
projects/torbrowser/design/index.html.en     302) 
projects/torbrowser/design/index.html.en     303) The primary goal of the advertising networks is to know that the user who
projects/torbrowser/design/index.html.en     304) visited siteX.com is the same user who visited siteY.com, in order to serve them
projects/torbrowser/design/index.html.en     305) targeted ads. The advertising networks become our adversary insofar as they
projects/torbrowser/design/index.html.en     306) attempt to perform this correlation without the user's explicit consent.
projects/torbrowser/design/index.html.en     307) 
projects/torbrowser/design/index.html.en     308)      </p></li><li class="listitem"><span class="command"><strong>Fingerprinting/anonymity set reduction</strong></span><p>
projects/torbrowser/design/index.html.en     309) 
projects/torbrowser/design/index.html.en     310) Fingerprinting (more generally: "anonymity set reduction") is used to attempt
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     311) to gather identifying information on a particular individual without the use
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     312) of tracking identifiers. If the dissident's or whistleblower's timezone is
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     313) available, and they are using a rare build of Firefox for an obscure operating
projects/torbrowser/design/index.html.en     314) system, and they have a specific display resolution only used on one type of
projects/torbrowser/design/index.html.en     315) laptop, this can be very useful information for tracking them down, or at
projects/torbrowser/design/index.html.en     316) least <a class="link" href="#fingerprinting">tracking their activities</a>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     317) 
projects/torbrowser/design/index.html.en     318)      </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
projects/torbrowser/design/index.html.en     319) information</strong></span><p>
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     320) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     321) In some cases, the adversary may opt for a heavy-handed approach, such as
projects/torbrowser/design/index.html.en     322) seizing the computers of all Tor users in an area (especially after narrowing
projects/torbrowser/design/index.html.en     323) the field by the above two pieces of information). History records and cache
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     324) data are the primary goals here. Secondary goals may include confirming
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     325) on-disk identifiers (such as hostname and disk-logged spoofed MAC address
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     326) history) obtained by other means.
projects/torbrowser/design/index.html.en     327) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     328)      </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-positioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     329) The adversary can position themselves at a number of different locations in
projects/torbrowser/design/index.html.en     330) order to execute their attacks.
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     331)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     332) The adversary can run exit nodes, or alternatively, they may control routers
projects/torbrowser/design/index.html.en     333) upstream of exit nodes. Both of these scenarios have been observed in the
projects/torbrowser/design/index.html.en     334) wild.
projects/torbrowser/design/index.html.en     335)      </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
projects/torbrowser/design/index.html.en     336) The adversary can also run websites, or more likely, they can contract out
projects/torbrowser/design/index.html.en     337) ad space from a number of different ad servers and inject content that way. For
projects/torbrowser/design/index.html.en     338) some users, the adversary may be the ad servers themselves. It is not
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     339) inconceivable that ad servers may try to subvert or reduce a user's anonymity
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     340) through Tor for marketing purposes.
projects/torbrowser/design/index.html.en     341)      </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
projects/torbrowser/design/index.html.en     342) The adversary can also inject malicious content at the user's upstream router
projects/torbrowser/design/index.html.en     343) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
projects/torbrowser/design/index.html.en     344) activity.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     345)      </p><p>
projects/torbrowser/design/index.html.en     346) 
projects/torbrowser/design/index.html.en     347) Additionally, at this position the adversary can block Tor, or attempt to
projects/torbrowser/design/index.html.en     348) recognize the traffic patterns of specific web pages at the entrance to the Tor
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     349) network.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     350) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     351)      </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
projects/torbrowser/design/index.html.en     352) Some users face adversaries with intermittent or constant physical access.
projects/torbrowser/design/index.html.en     353) Users in Internet cafes, for example, face such a threat. In addition, in
projects/torbrowser/design/index.html.en     354) countries where simply using tools like Tor is illegal, users may face
projects/torbrowser/design/index.html.en     355) confiscation of their computer equipment for excessive Tor usage or just
projects/torbrowser/design/index.html.en     356) general suspicion.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     357)      </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"></a>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     358) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     359) The adversary can perform the following attacks from a number of different
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     360) positions to accomplish various aspects of their goals. It should be noted
projects/torbrowser/design/index.html.en     361) that many of these attacks (especially those involving IP address leakage) are
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     362) often performed by accident by websites that simply have JavaScript, dynamic
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     363) CSS elements, and plugins. Others are performed by ad servers seeking to
projects/torbrowser/design/index.html.en     364) correlate users' activity across different IP addresses, and still others are
projects/torbrowser/design/index.html.en     365) performed by malicious agents on the Tor network and at national firewalls.
projects/torbrowser/design/index.html.en     366) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     367)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     368) 
projects/torbrowser/design/index.html.en     369) The browser contains multiple facilities for storing identifiers that the
projects/torbrowser/design/index.html.en     370) adversary creates for the purposes of tracking users. These identifiers are
projects/torbrowser/design/index.html.en     371) most obviously cookies, but also include HTTP auth, DOM storage, cached
projects/torbrowser/design/index.html.en     372) scripts and other elements with embedded identifiers, client certificates, and
projects/torbrowser/design/index.html.en     373) even TLS Session IDs.
projects/torbrowser/design/index.html.en     374) 
projects/torbrowser/design/index.html.en     375)      </p><p>
projects/torbrowser/design/index.html.en     376) 
projects/torbrowser/design/index.html.en     377) An adversary in a position to perform MITM content alteration can inject
projects/torbrowser/design/index.html.en     378) document content elements to both read and inject cookies for arbitrary
projects/torbrowser/design/index.html.en     379) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     380) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     381) sidejacking</a>. In addition, the ad networks of course perform tracking
projects/torbrowser/design/index.html.en     382) with cookies as well.
projects/torbrowser/design/index.html.en     383) 
projects/torbrowser/design/index.html.en     384)      </p><p>
projects/torbrowser/design/index.html.en     385) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     386) These types of attacks are attempts at subverting our <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     387) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     388)      </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     389) attributes</strong></span><p>
projects/torbrowser/design/index.html.en     390) 
projects/torbrowser/design/index.html.en     391) There is an absurd amount of information available to websites via attributes
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     392) of the browser. This information can be used to reduce the anonymity set, or
projects/torbrowser/design/index.html.en     393) even uniquely fingerprint individual users. Attacks of this nature are
projects/torbrowser/design/index.html.en     394) typically aimed at tracking users across sites without their consent, in an
projects/torbrowser/design/index.html.en     395) attempt to subvert our <a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability">Cross-Origin
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     396) Fingerprinting Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     397) 
projects/torbrowser/design/index.html.en     398) </p><p>
projects/torbrowser/design/index.html.en     399) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     400) Fingerprinting is an intimidating problem to attempt to tackle, especially
projects/torbrowser/design/index.html.en     401) without a metric to determine or at least intuitively understand and estimate
projects/torbrowser/design/index.html.en     402) which features will most contribute to linkability between visits.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     403) 
projects/torbrowser/design/index.html.en     404) </p><p>
projects/torbrowser/design/index.html.en     405) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     406) The <a class="ulink" href="https://panopticlick.eff.org/about" target="_top">Panopticlick study
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     407) done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29" target="_top">Shannon
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     408) entropy</a> - the number of identifying bits of information encoded in
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     409) browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> is
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     410) definitely useful, and the metric is probably the appropriate one for
projects/torbrowser/design/index.html.en     411) determining how identifying a particular browser property is. However, some
projects/torbrowser/design/index.html.en     412) quirks of their study mean that they do not extract as much information as
projects/torbrowser/design/index.html.en     413) they could from display information: they only use desktop resolution and do
projects/torbrowser/design/index.html.en     414) not attempt to infer the size of toolbars. In the other direction, they may be
projects/torbrowser/design/index.html.en     415) over-counting in some areas, as they did not compute joint entropy over
projects/torbrowser/design/index.html.en     416) multiple attributes that may exhibit a high degree of correlation. Also, new
projects/torbrowser/design/index.html.en     417) browser features are added regularly, so the data should not be taken as
projects/torbrowser/design/index.html.en     418) final.
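
The over-counting caveat above can be checked directly. The following Python sketch is an added example, not part of the design document or the Panopticlick study: it computes per-attribute Shannon entropy, joint entropy, and the bits double-counted when correlated attributes are summed. The attribute names and the eight-browser sample are constructed for illustration.

```python
import math
from collections import Counter

ATTRS = ("user_agent", "platform", "timezone")

# Constructed sample of eight visiting browsers (not Panopticlick data).
# platform is fully determined by user_agent; timezone is independent of both.
SAMPLE = [
    ("UA-A", "Win32", "UTC"), ("UA-A", "Win32", "UTC"),
    ("UA-A", "Win32", "UTC+1"), ("UA-A", "Win32", "UTC+1"),
    ("UA-B", "Linux", "UTC"), ("UA-B", "Linux", "UTC+1"),
    ("UA-C", "Linux", "UTC"), ("UA-C", "Linux", "UTC+1"),
]


def entropy(observations):
    """Shannon entropy, in bits, of the empirical distribution."""
    counts = Counter(observations)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def surprisal(records, attr, value):
    """Identifying bits revealed by observing `value` for attribute `attr`."""
    i = ATTRS.index(attr)
    seen = sum(1 for r in records if r[i] == value)
    if seen == 0:
        raise ValueError("value not present in sample")
    return math.log2(len(records) / seen)


def marginal_entropies(records):
    """Entropy of each attribute taken on its own."""
    return {a: entropy(r[i] for r in records) for i, a in enumerate(ATTRS)}


def joint_entropy(records, attrs=ATTRS):
    """Entropy of the chosen attributes observed together as one tuple."""
    idx = [ATTRS.index(a) for a in attrs]
    return entropy(tuple(r[i] for i in idx) for r in records)


def overcount(records, attrs=ATTRS):
    """Bits double-counted when per-attribute entropies are simply summed."""
    marg = marginal_entropies(records)
    return sum(marg[a] for a in attrs) - joint_entropy(records, attrs)


if __name__ == "__main__":
    for name, bits in marginal_entropies(SAMPLE).items():
        print("%-10s %.2f bits" % (name, bits))
    print("joint      %.2f bits" % joint_entropy(SAMPLE))
    print("overcount  %.2f bits" % overcount(SAMPLE))
```

Because platform adds nothing once the user agent is known, summing the three per-attribute figures overstates the identifying information by exactly the entropy of platform.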
projects/torbrowser/design/index.html.en     419) 
projects/torbrowser/design/index.html.en     420)       </p><p>
projects/torbrowser/design/index.html.en     421) 
projects/torbrowser/design/index.html.en     422) Despite the uncertainty, all fingerprinting attacks leverage the following
projects/torbrowser/design/index.html.en     423) attack vectors:
projects/torbrowser/design/index.html.en     424) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     425)      </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     426) 
projects/torbrowser/design/index.html.en     427) Properties of the user's request behavior comprise the bulk of low-hanging
projects/torbrowser/design/index.html.en     428) fingerprinting targets. These include: User agent, Accept-* headers, pipeline
projects/torbrowser/design/index.html.en     429) usage, and request ordering. Additionally, the use of custom filters such as
projects/torbrowser/design/index.html.en     430) AdBlock and other privacy filters can be used to fingerprint request patterns
projects/torbrowser/design/index.html.en     431) (as an extreme example).
projects/torbrowser/design/index.html.en     432) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     433)      </p></li><li class="listitem"><span class="command"><strong>Inserting JavaScript</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     434) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     435) JavaScript can reveal a lot of fingerprinting information. It provides DOM
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     436) objects such as window.screen and window.navigator to extract information
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     437) about the user agent.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     438) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     439) Also, JavaScript can be used to query the user's timezone via the
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     440) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     441) reveal information about the video card in use, and high precision timing
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     442) information can be used to <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/jspriv.pdf" target="_top">fingerprint the CPU and
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     443) interpreter speed</a>. JavaScript features such as
projects/torbrowser/design/index.html.en     444) <a class="ulink" href="https://www.w3.org/TR/resource-timing/" target="_top">Resource Timing</a>
projects/torbrowser/design/index.html.en     445) may leak an unknown amount of network timing related information. And, moreover,
projects/torbrowser/design/index.html.en     446) JavaScript is able to
projects/torbrowser/design/index.html.en     447) <a class="ulink" href="https://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf" target="_top">
projects/torbrowser/design/index.html.en     448) extract</a>
projects/torbrowser/design/index.html.en     449) <a class="ulink" href="https://www.cosic.esat.kuleuven.be/fpdetective/" target="_top">available</a>
projects/torbrowser/design/index.html.en     450) <a class="ulink" href="https://hal.inria.fr/hal-01285470v2/document" target="_top">fonts</a> on a
projects/torbrowser/design/index.html.en     451) device with high precision.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     452) 
projects/torbrowser/design/index.html.en     453)      </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
projects/torbrowser/design/index.html.en     454) 
projects/torbrowser/design/index.html.en     455) The Panopticlick project found that the mere list of installed plugins (in
projects/torbrowser/design/index.html.en     456) navigator.plugins) was sufficient to provide a large degree of
projects/torbrowser/design/index.html.en     457) fingerprintability. Additionally, plugins are capable of extracting font lists,
projects/torbrowser/design/index.html.en     458) interface addresses, and other machine information that is beyond what the
projects/torbrowser/design/index.html.en     459) browser would normally provide to content. In addition, plugins can be used to
projects/torbrowser/design/index.html.en     460) store unique identifiers that are more difficult to clear than standard
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     461) cookies.  <a class="ulink" href="https://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     462) cookies</a> fall into this category, but there are likely numerous other
projects/torbrowser/design/index.html.en     463) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     464) settings of the browser.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     465) 
projects/torbrowser/design/index.html.en     466) 
projects/torbrowser/design/index.html.en     467)      </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
projects/torbrowser/design/index.html.en     468) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     469) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     470) queries</a> can be inserted to gather information about the desktop size,
projects/torbrowser/design/index.html.en     471) widget size, display type, DPI, user agent type, and other information that
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     472) was formerly available only to JavaScript.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     473) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     474)      </p></li></ol></div></li><li class="listitem"><a id="website-traffic-fingerprinting"></a><span class="command"><strong>Website traffic fingerprinting</strong></span><p>
projects/torbrowser/design/index.html.en     475) 
projects/torbrowser/design/index.html.en     476) Website traffic fingerprinting is an attempt by the adversary to recognize the
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     477) encrypted traffic patterns of specific websites. In the case of Tor, this
projects/torbrowser/design/index.html.en     478) attack would take place between the user and the Guard node, or at the Guard
projects/torbrowser/design/index.html.en     479) node itself.
projects/torbrowser/design/index.html.en     480)      </p><p> The most comprehensive study of the statistical properties of this
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     481) attack against Tor was done by <a class="ulink" href="https://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     482) et al</a>. Unfortunately, the publication bias in academia has encouraged
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     483) the production of
projects/torbrowser/design/index.html.en     484) <a class="ulink" href="https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks" target="_top">a
projects/torbrowser/design/index.html.en     485) number of follow-on attack papers claiming "improved" success rates</a>, in
projects/torbrowser/design/index.html.en     486) some cases even claiming to completely invalidate any attempt at defense. These
projects/torbrowser/design/index.html.en     487) "improvements" are actually enabled primarily by taking a number of shortcuts
projects/torbrowser/design/index.html.en     488) (such as classifying only very small numbers of web pages, neglecting to publish
projects/torbrowser/design/index.html.en     489) ROC curves or at least false positive rates, and/or omitting the effects of
projects/torbrowser/design/index.html.en     490) dataset size on their results). Despite these subsequent "improvements", we are
projects/torbrowser/design/index.html.en     491) skeptical of the efficacy of this attack in a real world scenario,
projects/torbrowser/design/index.html.en     492) <span class="emphasis"><em>especially</em></span> in the face of any defenses.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     493) 
projects/torbrowser/design/index.html.en     494)      </p><p>
projects/torbrowser/design/index.html.en     495) 
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     496) In general, with machine learning, as you increase the <a class="ulink" href="https://en.wikipedia.org/wiki/VC_dimension" target="_top">number and/or complexity of
projects/torbrowser/design/index.html.en     497) categories to classify</a> while maintaining a limit on reliable feature
projects/torbrowser/design/index.html.en     498) information you can extract, you eventually run out of descriptive feature
projects/torbrowser/design/index.html.en     499) information, and either true positive accuracy goes down or the false positive
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     500) rate goes up. This error is called the <a class="ulink" href="https://www.cs.washington.edu/education/courses/csep573/98sp/lectures/lecture8/sld050.htm" target="_top">bias
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     501) in your hypothesis space</a>. In fact, even for unbiased hypothesis
projects/torbrowser/design/index.html.en     502) spaces, the number of training examples required to achieve a reasonable error
projects/torbrowser/design/index.html.en     503) bound is <a class="ulink" href="https://en.wikipedia.org/wiki/Probably_approximately_correct_learning#Equivalence" target="_top">a
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     504) function of the complexity of the categories</a> you need to classify.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     505) 
projects/torbrowser/design/index.html.en     506)      </p><p>
projects/torbrowser/design/index.html.en     507) 
projects/torbrowser/design/index.html.en     508) 
projects/torbrowser/design/index.html.en     509) In the case of this attack, the key factors that increase the classification
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     510) complexity (and thus hinder a real world adversary who attempts this attack)
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     511) are large numbers of dynamically generated pages, partially cached content,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     512) and also the non-web activity of the entire Tor network. This yields an
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     513) effective number of "web pages" many orders of magnitude larger than even <a class="ulink" href="https://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko's
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     514) "Open World" scenario</a>, which suffered continuous near-constant decline
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     515) in the true positive rate as the "Open World" size grew (see figure 4). This
projects/torbrowser/design/index.html.en     516) large level of classification complexity is further confounded by a noisy and
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     517) low resolution featureset - one which is also relatively easy for the defender
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     518) to manipulate at low cost.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     519) 
projects/torbrowser/design/index.html.en     520)      </p><p>
projects/torbrowser/design/index.html.en     521) 
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     522) To make matters worse for a real-world adversary, the ocean of Tor Internet
projects/torbrowser/design/index.html.en     523) activity (at least, when compared to a lab setting) makes it a certainty that
projects/torbrowser/design/index.html.en     524) an adversary attempting to examine large amounts of Tor traffic will ultimately
projects/torbrowser/design/index.html.en     525) be overwhelmed by false positives (even after making heavy tradeoffs on the
projects/torbrowser/design/index.html.en     526) ROC curve to minimize false positives to below 0.01%). This problem is known
projects/torbrowser/design/index.html.en     527) in the IDS literature as the <a class="ulink" href="http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf" target="_top">Base Rate
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     528) Fallacy</a>, and it is the primary reason that anomaly and activity
projects/torbrowser/design/index.html.en     529) classification-based IDS and antivirus systems have failed to materialize in
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     530) the marketplace (despite early success in academic literature).
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     531) 
projects/torbrowser/design/index.html.en     532)      </p><p>
projects/torbrowser/design/index.html.en     533) 
projects/torbrowser/design/index.html.en     534) Still, we do not believe that these issues are enough to dismiss the attack
projects/torbrowser/design/index.html.en     535) outright. But we do believe these factors make it both worthwhile and
projects/torbrowser/design/index.html.en     536) effective to <a class="link" href="#traffic-fingerprinting-defenses">deploy
projects/torbrowser/design/index.html.en     537) light-weight defenses</a> that reduce the accuracy of this attack by
projects/torbrowser/design/index.html.en     538) further contributing noise to hinder successful feature extraction.
projects/torbrowser/design/index.html.en     539) 
projects/torbrowser/design/index.html.en     540)      </p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     541) OS</strong></span><p>
projects/torbrowser/design/index.html.en     542) 
projects/torbrowser/design/index.html.en     543) Last, but definitely not least, the adversary can exploit either general
projects/torbrowser/design/index.html.en     544) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
projects/torbrowser/design/index.html.en     545) install malware and surveillance software. An adversary with physical access
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     546) can perform similar actions.
projects/torbrowser/design/index.html.en     547) 
projects/torbrowser/design/index.html.en     548)     </p><p>
projects/torbrowser/design/index.html.en     549) 
projects/torbrowser/design/index.html.en     550) For the purposes of the browser itself, we limit the scope of this adversary
projects/torbrowser/design/index.html.en     551) to one that has passive forensic access to the disk after browsing activity
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     552) has taken place. This adversary motivates our
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     553) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> defenses.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     554) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     555)     </p><p>
projects/torbrowser/design/index.html.en     556) 
projects/torbrowser/design/index.html.en     557) An adversary with arbitrary code execution typically has more power, though.
projects/torbrowser/design/index.html.en     558) It can be quite hard to significantly limit the capabilities of such an
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     559) adversary. <a class="ulink" href="https://tails.boum.org/contribute/design/" target="_top">The Tails system</a> can
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     560) provide some defense against this adversary through the use of readonly media
projects/torbrowser/design/index.html.en     561) and frequent reboots, but even this can be circumvented on machines without
projects/torbrowser/design/index.html.en     562) Secure Boot through the use of BIOS rootkits.
projects/torbrowser/design/index.html.en     563) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     564)      </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>4. Implementation</h2></div></div></div><p>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     565) 
projects/torbrowser/design/index.html.en     566) The Implementation section is divided into subsections, each of which
projects/torbrowser/design/index.html.en     567) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
projects/torbrowser/design/index.html.en     568) Each subsection is divided into specific web technologies or properties. The
projects/torbrowser/design/index.html.en     569) implementation is then described for that property.
projects/torbrowser/design/index.html.en     570) 
projects/torbrowser/design/index.html.en     571)   </p><p>
projects/torbrowser/design/index.html.en     572) 
projects/torbrowser/design/index.html.en     573) In some cases, the implementation meets the design requirements in a non-ideal
projects/torbrowser/design/index.html.en     574) way (for example, by disabling features). In rare cases, there may be no
projects/torbrowser/design/index.html.en     575) implementation at all. Both of these cases are denoted by differentiating
projects/torbrowser/design/index.html.en     576) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     577) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     578) are typically linked for these cases.
projects/torbrowser/design/index.html.en     579) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     580)   </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>4.1. Proxy Obedience</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  581) 
projects/en/torbrowser/design/index.html.en  582) Proxy obedience is assured through the following:
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     583)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Firefox proxy settings, patches, and build flags</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     584) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     585) Our <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.5.2esr-7.0-2" target="_top">Firefox
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     586) preferences file</a> sets the Firefox proxy settings to use Tor directly
projects/torbrowser/design/index.html.en     587) as a SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     588) <span class="command"><strong>network.proxy.socks_version</strong></span>,
projects/torbrowser/design/index.html.en     589) <span class="command"><strong>network.proxy.socks_port</strong></span>, and
projects/torbrowser/design/index.html.en     590) <span class="command"><strong>network.dns.disablePrefetch</strong></span>.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     591) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     592)  </p><p>
projects/torbrowser/design/index.html.en     593) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     594) To prevent proxy bypass by WebRTC calls, we disable WebRTC at compile time
projects/torbrowser/design/index.html.en     595) with the <span class="command"><strong>--disable-webrtc</strong></span> configure switch, as well
projects/torbrowser/design/index.html.en     596) as set the pref <span class="command"><strong>media.peerconnection.enabled</strong></span> to false.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     597) 
projects/torbrowser/design/index.html.en     598)  </p><p>
projects/torbrowser/design/index.html.en     599) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     600) We also patch Firefox in order to provide several defense-in-depth mechanisms
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     601) for proxy safety. Notably, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=35ce9974e034c0374fb3c8e00e9eb0231c4f3378" target="_top">patch
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     602) the DNS service</a> to prevent any browser or addon DNS resolution, and we
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     603) also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=ee28d8f27fdb1e47481987535c7da70095042ee2" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     604) remove the DNS lookup for the profile lock signature</a>. Furthermore, we
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     605) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=ffba8d1b84431b4024d5012b326cbcb986047f27" target="_top">patch
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     606) OCSP and PKIX code</a> to prevent the non-proxied command-line
projects/torbrowser/design/index.html.en     607) tool utility functions from being functional while linked in to the browser.
projects/torbrowser/design/index.html.en     608) In both cases, we could find no direct paths to these routines in the browser,
projects/torbrowser/design/index.html.en     609) but it seemed better safe than sorry.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     610) 
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     611)  </p><p>
projects/torbrowser/design/index.html.en     612) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     613) For further defense-in-depth we disable WebIDE because it can bypass proxy
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     614) settings for remote debugging, and also because it downloads extensions we
projects/torbrowser/design/index.html.en     615) have not reviewed. We
projects/torbrowser/design/index.html.en     616) are doing this by setting
projects/torbrowser/design/index.html.en     617) <span class="command"><strong>devtools.webide.autoinstallADBHelper</strong></span>,
projects/torbrowser/design/index.html.en     618) <span class="command"><strong>devtools.webide.autoinstallFxdtAdapters</strong></span>,
projects/torbrowser/design/index.html.en     619) <span class="command"><strong>devtools.webide.enabled</strong></span>, and
projects/torbrowser/design/index.html.en     620) <span class="command"><strong>devtools.appmanager.enabled</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en     621) Moreover, we removed the Roku Screen Sharing and screencaster code with a
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     622) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=055bdffbef68bc8d5e8005b3c7dd2f5d99da1163" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     623) Firefox patch</a> as these features can bypass proxy settings as well.
projects/torbrowser/design/index.html.en     624)  </p><p>
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     625) Further down on our road to proxy safety we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=7222d02638689a64d7297b8e5c202f9c37547523" target="_top">
projects/torbrowser/design/index.html.en     626) disable the network tickler</a> as it has the capability to send UDP
projects/torbrowser/design/index.html.en     627) traffic and we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=5bc957b4f635a659f9aecaa374972ecca7f770a8" target="_top">
projects/torbrowser/design/index.html.en     628) disable mDNS support</a>, since mDNS uses UDP packets as well. We also disable
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     629) Mozilla's TCPSocket by setting
projects/torbrowser/design/index.html.en     630) <span class="command"><strong>dom.mozTCPSocket.enabled</strong></span> to <span class="command"><strong>false</strong></span>. We
projects/torbrowser/design/index.html.en     631) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18866" target="_top">intend to
projects/torbrowser/design/index.html.en     632) rip out</a> the TCPSocket code in the future to have an even more solid
projects/torbrowser/design/index.html.en     633) guarantee that it won't be used by accident.
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     634)  </p><p>
projects/torbrowser/design/index.html.en     635) Finally, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=55bd129f081bd37ae9e72ae32434fbb56ff4e446" target="_top">
projects/torbrowser/design/index.html.en     636) remove</a> potentially unsafe Rust code.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     637)  </p><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     638) During every Extended Support Release transition, we perform <a class="ulink" href="https://gitweb.torproject.org/tor-browser-spec.git/tree/audits" target="_top">in-depth
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     639) code audits</a> to verify that there are no system calls or XPCOM
projects/torbrowser/design/index.html.en     640) activity in the source tree that do not use the browser proxy settings.
projects/torbrowser/design/index.html.en     641)  </p><p>
projects/torbrowser/design/index.html.en     642) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     643) We have verified that these settings and patches properly proxy HTTPS, OCSP,
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     644) HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing Queries, all JavaScript
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     645) activity, including HTML5 audio and video objects, addon updates, WiFi
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     646) geolocation queries, searchbox queries, XPCOM addon HTTPS/HTTP activity,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     647) WebSockets, and live bookmark updates. We have also verified that external
projects/torbrowser/design/index.html.en     648) protocol helpers, such as SMB URLs and other custom protocol handlers are all
projects/torbrowser/design/index.html.en     649) blocked.
projects/torbrowser/design/index.html.en     650)  </p></li><li class="listitem"><span class="command"><strong>Disabling plugins</strong></span><p>
projects/torbrowser/design/index.html.en     651) Plugins, like Flash, have the ability to make arbitrary OS system calls and
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     652) <a class="ulink" href="https://ip-check.info/" target="_top">bypass proxy settings</a>. This includes
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  653) the ability to make UDP sockets and send arbitrary data independent of the
projects/en/torbrowser/design/index.html.en  654) browser proxy settings.
projects/en/torbrowser/design/index.html.en  655)  </p><p>
projects/en/torbrowser/design/index.html.en  656) Torbutton disables plugins by using the
projects/en/torbrowser/design/index.html.en  657) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     658) as disabled. This block can be undone through both the Torbutton Security UI
projects/torbrowser/design/index.html.en     659) and the Firefox Plugin Preferences.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  660)  </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     661) If the user does enable plugins in this way, plugin-handled objects are still
projects/torbrowser/design/index.html.en     662) restricted from automatic load through Firefox's click-to-play preference
projects/torbrowser/design/index.html.en     663) <span class="command"><strong>plugins.click_to_play</strong></span>.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     664)  </p><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     665) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     666) In addition, to reduce any unproxied activity by arbitrary plugins at load
projects/torbrowser/design/index.html.en     667) time, and to reduce the fingerprintability of the installed plugin list, we
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     668) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=95a0100fd8ac0fdbe9f517e9b7ea86d6b77ec2c9" target="_top">
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     669) prevent the load of any plugins except for Flash and Gnash</a>. Even for
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     670) Flash and Gnash, we also patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=39f5a767c0c082b1e4a001cf685a6efb31bd62c6" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     671) prevent loading them into the address space</a> until they are explicitly
projects/torbrowser/design/index.html.en     672) enabled.
projects/torbrowser/design/index.html.en     673)  </p><p>
projects/torbrowser/design/index.html.en     674) With <a class="ulink" href="https://wiki.mozilla.org/GeckoMediaPlugins" target="_top">Gecko Media
projects/torbrowser/design/index.html.en     675) Plugins</a> (GMPs) a second type of plugin is available. They are mainly
projects/torbrowser/design/index.html.en     676) third party codecs and <a class="ulink" href="https://www.w3.org/TR/encrypted-media/" target="_top">EME</a>
projects/torbrowser/design/index.html.en     677) content decryption modules. We currently disable these plugins as they either
projects/torbrowser/design/index.html.en     678) can't be built reproducibly or are binary blobs which we are not allowed to
projects/torbrowser/design/index.html.en     679) audit (or both). For the EME case we use the <span class="command"><strong>--disable-eme</strong></span>
projects/torbrowser/design/index.html.en     680) configure switch and set
projects/torbrowser/design/index.html.en     681) <span class="command"><strong>browser.eme.ui.enabled</strong></span>,
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     682) <span class="command"><strong>media.gmp-eme-adobe.visible</strong></span>,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     683) <span class="command"><strong>media.gmp-eme-adobe.enabled</strong></span>,
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     684) <span class="command"><strong>media.gmp-widevinecdm.visible</strong></span>,
projects/torbrowser/design/index.html.en     685) <span class="command"><strong>media.gmp-widevinecdm.enabled</strong></span>,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     686) <span class="command"><strong>media.eme.enabled</strong></span>, and
projects/torbrowser/design/index.html.en     687) <span class="command"><strong>media.eme.apiVisible</strong></span> to <span class="command"><strong>false</strong></span> to indicate
projects/torbrowser/design/index.html.en     688) to the user that this feature is disabled. For GMPs in general we make sure that
projects/torbrowser/design/index.html.en     689) the external server is not even pinged for updates/downloads in the first place
projects/torbrowser/design/index.html.en     690) by setting <span class="command"><strong>media.gmp-manager.url.override</strong></span> to
projects/torbrowser/design/index.html.en     691) <span class="command"><strong>data:text/plain,</strong></span> and avoid any UI with <span class="command"><strong>
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     692)   media.gmp-provider.enabled</strong></span> set to <span class="command"><strong>false</strong></span>. Moreover,
projects/torbrowser/design/index.html.en     693) we disable GMP downloads via local fallback by setting
projects/torbrowser/design/index.html.en     694) <span class="command"><strong>media.gmp-manager.updateEnabled</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en     695) To reduce our attack surface we exclude the ClearKey EME system, too.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     696) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     697)  </p></li><li class="listitem"><span class="command"><strong>External App Blocking and Drag Event Filtering</strong></span><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     698) 
projects/torbrowser/design/index.html.en     699) External apps can be induced to load files that perform network activity.
projects/torbrowser/design/index.html.en     700) Unfortunately, there are cases where such apps can be launched automatically
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     701) with little to no user input. In order to prevent this, we ship <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=d179d8a4861199e203934ecc36dd6d8ade549dfa" target="_top">
projects/torbrowser/design/index.html.en     702) Firefox</a> <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=99173c3a5f83d9ac44091a72c5570efd296dff8f" target="_top">patches</a> and Torbutton installs a component to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     703) provide the user with a popup</a> whenever the browser attempts to launch
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     704) a helper application.
projects/torbrowser/design/index.html.en     705) 
projects/torbrowser/design/index.html.en     706)   </p><p>
projects/torbrowser/design/index.html.en     707) 
projects/torbrowser/design/index.html.en     708) Furthermore, we ship a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=d75b79f6fa920e6a1e3043005dfd50060ea70e57" target="_top">patch for Linux users</a> that makes
projects/torbrowser/design/index.html.en     709) sure sftp:// and smb:// URLs are not passed along to the operating system as this
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     710) can lead to proxy bypasses on systems that have GIO/GnomeVFS support. And proxy
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     711) bypass risks due to file:// URLs should be mitigated for macOS and Linux users
projects/torbrowser/design/index.html.en     712) by <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=8db44df10d1d82850e8b4cfe81ac3b5fce32a663" target="_top">
projects/torbrowser/design/index.html.en     713) two</a> <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=a8e1fcc8678aa1583f73ef231c99f77cf17196d9" target="_top">
projects/torbrowser/design/index.html.en     714) further patches</a>.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     715) 
projects/torbrowser/design/index.html.en     716)   </p><p>
projects/torbrowser/design/index.html.en     717) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     718) Additionally, modern desktops now preemptively fetch any URLs in Drag and
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     719) Drop events as soon as the drag is initiated. This download happens
projects/torbrowser/design/index.html.en     720) independent of the browser's Tor settings, and can be triggered by something
projects/torbrowser/design/index.html.en     721) as simple as holding the mouse button down for slightly too long while
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     722) clicking on an image link. We filter drag and drop events <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">from
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     723) Torbutton</a> before the OS downloads the URLs the events contained.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     724) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     725)   </p></li><li class="listitem"><span class="command"><strong>Disabling system extensions and clearing the addon whitelist</strong></span><p>
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     726) 
projects/torbrowser/design/index.html.en     727) Firefox addons can perform arbitrary activity on your computer, including
projects/torbrowser/design/index.html.en     728) bypassing Tor. It is for this reason we disable the addon whitelist
projects/torbrowser/design/index.html.en     729) (<span class="command"><strong>xpinstall.whitelist.add</strong></span>), so that users are prompted
projects/torbrowser/design/index.html.en     730) before installing addons regardless of the source. We also exclude
projects/torbrowser/design/index.html.en     731) system-level addons from the browser through the use of
projects/torbrowser/design/index.html.en     732) <span class="command"><strong>extensions.enabledScopes</strong></span> and
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     733) <span class="command"><strong>extensions.autoDisableScopes</strong></span>. Furthermore, we set
projects/torbrowser/design/index.html.en     734) <span class="command"><strong>extensions.systemAddon.update.url</strong></span> and <span class="command"><strong>
projects/torbrowser/design/index.html.en     735) extensions.hotfix.id</strong></span> to an empty string in order
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     736) to avoid the risk of getting extensions installed by Mozilla into Tor Browser,
projects/torbrowser/design/index.html.en     737) and remove unused system extensions with a
projects/torbrowser/design/index.html.en     738) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=4d90fcf15e328ca369751011ad0a9c0c1ba2f153" target="_top">
projects/torbrowser/design/index.html.en     739) Firefox patch</a>.
projects/torbrowser/design/index.html.en     740) In order to make it harder for users to accidentally install extensions which
projects/torbrowser/design/index.html.en     741) Mozilla presents to them on the <span class="emphasis"><em>about:addons</em></span> page, we hide
projects/torbrowser/design/index.html.en     742) the <span class="emphasis"><em>Get Addons</em></span> option on it by setting
projects/torbrowser/design/index.html.en     743) <span class="command"><strong>extensions.getAddons.showPane</strong></span> to <span class="command"><strong>false</strong></span>.
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     744) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     745)   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>4.2. State Separation</h3></div></div></div><p>
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     746) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  747) Tor Browser State is separated from existing browser state through use of a
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     748) custom Firefox profile, and by setting the $HOME environment variable to the
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     749) root of the bundle's directory. The browser also does not load any
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     750) system-wide extensions (through the use of
projects/torbrowser/design/index.html.en     751) <span class="command"><strong>extensions.enabledScopes</strong></span> and
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     752) <span class="command"><strong>extensions.autoDisableScopes</strong></span>). Furthermore, plugins are
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     753) disabled, which prevents Flash cookies from leaking from a pre-existing Flash
projects/torbrowser/design/index.html.en     754) directory.
projects/torbrowser/design/index.html.en     755) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     756)    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm372"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     757) 
projects/torbrowser/design/index.html.en     758) The User Agent MUST (at user option) prevent all disk records of browser activity.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     759) The user SHOULD be able to optionally enable URL history and other history
projects/torbrowser/design/index.html.en     760) features if they so desire.
projects/torbrowser/design/index.html.en     761) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     762)     </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm375"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     763)      We are working towards this goal through several mechanisms. First, we set
projects/torbrowser/design/index.html.en     764)      the Firefox Private Browsing preference
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     765)      <span class="command"><strong>browser.privatebrowsing.autostart</strong></span> to <span class="command"><strong>true</strong></span>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     766)      We also had to disable the media cache with the pref <span class="command"><strong>media.cache_size</strong></span>, to prevent HTML5 videos from being written to the OS temporary directory, which happened regardless of the private browsing mode setting.
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     767)      Finally, we set <span class="command"><strong>security.nocertdb</strong></span> to <span class="command"><strong>true</strong></span>
projects/torbrowser/design/index.html.en     768)      to make the intermediate certificate store memory-only.
projects/torbrowser/design/index.html.en     769)    </blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en     770)      Moreover, we prevent text leaking from the web console to the /tmp
projects/torbrowser/design/index.html.en     771)      directory with a direct <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=48b68533d113c5998d19d4e5acfb8967ba2d5f5b" target="_top">Firefox patch</a>.
projects/torbrowser/design/index.html.en     772)    </blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en     773) 
projects/torbrowser/design/index.html.en     774) As an additional defense-in-depth measure, we set
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  775) <span class="command"><strong>browser.cache.disk.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  776) <span class="command"><strong>browser.cache.offline.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  777) <span class="command"><strong>signon.rememberSignons</strong></span>,
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     778) <span class="command"><strong>browser.formfill.enable</strong></span> to <span class="command"><strong>true</strong></span>,
projects/torbrowser/design/index.html.en     779) <span class="command"><strong>browser.download.manager.retention</strong></span> to <span class="command"><strong>1</strong></span>,
projects/torbrowser/design/index.html.en     780) and both <span class="command"><strong>browser.sessionstore.privacy_level</strong></span> and
projects/torbrowser/design/index.html.en     781) <span class="command"><strong>network.cookie.lifetimePolicy</strong></span> to <span class="command"><strong>2</strong></span>.  Many
projects/torbrowser/design/index.html.en     782) of these preferences are likely redundant with
projects/torbrowser/design/index.html.en     783) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span> enabled, but we have not
projects/torbrowser/design/index.html.en     784) done the auditing work to ensure that yet.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  785) 
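One way to check a profile against a subset of the preference values stated in sections 4.1 and 4.3, as an added example that is not Tor Browser's own code. It assumes a prefs file with one user_pref(...) or pref(...) statement per line where the last assignment wins; SAMPLE_PREFS, parsePrefs and auditPrefs are names made up for this illustration.

```javascript
// Added example (not Tor Browser code): audit a Firefox-style prefs file
// against hardening values quoted in this design document.

// Expected values, copied from the text of sections 4.1 and 4.3.
const EXPECTED = new Map([
  ["devtools.webide.autoinstallADBHelper", false],
  ["devtools.webide.autoinstallFxdtAdapters", false],
  ["devtools.webide.enabled", false],
  ["devtools.appmanager.enabled", false],
  ["dom.mozTCPSocket.enabled", false],
  ["media.eme.enabled", false],
  ["media.gmp-provider.enabled", false],
  ["media.gmp-manager.updateEnabled", false],
  ["media.gmp-manager.url.override", "data:text/plain,"],
  ["extensions.systemAddon.update.url", ""],
  ["extensions.hotfix.id", ""],
  ["extensions.getAddons.showPane", false],
  ["browser.privatebrowsing.autostart", true],
  ["security.nocertdb", true],
  ["browser.download.manager.retention", 1],
  ["browser.sessionstore.privacy_level", 2],
  ["network.cookie.lifetimePolicy", 2],
]);

// One statement per line: user_pref("name", value); or pref("name", value);
// Assumption: values are booleans, integers or double-quoted strings.
const PREF_LINE =
  /^\s*(?:user_)?pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;

// Turn a double-quoted literal into its string value. Escapes that JSON
// does not accept fall back to the raw text between the quotes.
function unquote(literal) {
  try {
    return JSON.parse(literal);
  } catch (e) {
    return literal.slice(1, -1);
  }
}

// Parse a prefs file into a Map of name -> typed value. Commented-out
// statements do not match the pattern and are ignored; last assignment wins.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (m === null) continue;
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (raw.startsWith('"')) value = unquote(raw);
    else value = Number.parseInt(raw, 10);
    prefs.set(unquote(m[1]), value);
  }
  return prefs;
}

// Compare strictly by type and value: the string "false" is not the
// boolean false, and an absent pref is reported separately because the
// browser would then fall back to its built-in default.
function auditPrefs(text, expected = EXPECTED) {
  const actual = parsePrefs(text);
  const findings = [];
  for (const [name, want] of expected) {
    if (!actual.has(name)) {
      findings.push({ name, status: "missing", want });
    } else if (actual.get(name) !== want) {
      findings.push({ name, status: "mismatch", want, got: actual.get(name) });
    }
  }
  return findings;
}

// Constructed sample input, not taken from a real profile.
const SAMPLE_PREFS = [
  "// constructed sample prefs file",
  'user_pref("devtools.webide.enabled", false);',
  'user_pref("dom.mozTCPSocket.enabled", "false");',
  'user_pref("network.cookie.lifetimePolicy", 0);',
  'user_pref("network.cookie.lifetimePolicy", 2);',
  '// user_pref("security.nocertdb", true);',
  'user_pref("media.gmp-manager.url.override", "data:text/plain,");',
].join("\n");

for (const finding of auditPrefs(SAMPLE_PREFS)) {
  console.log(finding.status, finding.name, JSON.stringify(finding.want));
}
```

In the sample, the quoted "false" for dom.mozTCPSocket.enabled is flagged as a mismatch and the commented-out security.nocertdb line is flagged as missing.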
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     786)    </blockquote></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  787) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     788) For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&amp;status=!closed" target="_top">tbb-disk-leak tag in our bugtracker</a></blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>4.4. Application Data Isolation</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  789) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     790) Tor Browser MUST NOT cause any information to be written outside of the bundle
projects/torbrowser/design/index.html.en     791) directory. This is to ensure that the user is able to completely and
projects/torbrowser/design/index.html.en     792) safely remove it without leaving other traces of Tor usage on their computer.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  793) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     794)    </p><p>
projects/torbrowser/design/index.html.en     795) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     796) To ensure Tor Browser directory isolation, we set
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     797) <span class="command"><strong>browser.download.useDownloadDir</strong></span>,
projects/torbrowser/design/index.html.en     798) <span class="command"><strong>browser.shell.checkDefaultBrowser</strong></span>, and
projects/torbrowser/design/index.html.en     799) <span class="command"><strong>browser.download.manager.addToRecentDocs</strong></span>. We also set the
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     800) $HOME environment variable to be the Tor Browser extraction directory.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     801)    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  802) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     803) The Cross-Origin Identifier Unlinkability design requirement is satisfied
projects/torbrowser/design/index.html.en     804) through first party isolation of all browser identifier sources. First party
projects/torbrowser/design/index.html.en     805) isolation means that all identifier sources and browser state are scoped
projects/torbrowser/design/index.html.en     806) (isolated) using the URL bar domain. This scoping is performed in
projects/torbrowser/design/index.html.en     807) combination with any additional third party scope. When first party isolation
projects/torbrowser/design/index.html.en     808) is used with explicit identifier storage that already has a constrained third
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     809) party scope (such as cookies and DOM storage), this approach is
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     810) referred to as "double-keying".
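The double-keying described above, as an added JavaScript sketch that is not Tor Browser or Firefox code: a toy cookie store keyed either by third-party origin alone or by (URL bar domain, third-party origin), loaded by the same third party under two sites. The hosts, class and function names are constructed for illustration, and the URL bar hostname stands in for the URL bar domain.

```javascript
// Added illustration, not Tor Browser or Firefox code: a toy cookie store that
// is keyed either by origin alone or by (URL bar domain, origin).
// All hosts are constructed sample values under the reserved .example TLD.

// Simplification (assumption): the URL bar hostname stands in for the
// "URL bar domain"; no registrable-domain lookup is performed.
function urlBarDomain(topLevelUrl) {
  return new URL(topLevelUrl).hostname;
}

class CookieStore {
  constructor({ doubleKeyed }) {
    this.doubleKeyed = doubleKeyed;
    this.jars = new Map(); // serialized key -> Map(name -> value)
  }

  // Single-keyed: [origin]. Double-keyed: [URL bar domain, origin].
  key(firstParty, origin) {
    return JSON.stringify(this.doubleKeyed ? [firstParty, origin] : [origin]);
  }

  get(firstParty, origin, name) {
    const jar = this.jars.get(this.key(firstParty, origin));
    return jar ? jar.get(name) : undefined;
  }

  set(firstParty, origin, name, value) {
    const k = this.key(firstParty, origin);
    if (!this.jars.has(k)) this.jars.set(k, new Map());
    this.jars.get(k).set(name, value);
  }

  // With double-keying, stored state can be listed per URL bar domain.
  firstParties() {
    if (!this.doubleKeyed) return [];
    const domains = [...this.jars.keys()].map((k) => JSON.parse(k)[0]);
    return [...new Set(domains)].sort();
  }

  // ...and cleared per URL bar domain. Returns the number of jars removed.
  clearFirstParty(firstParty) {
    if (!this.doubleKeyed) return 0;
    let removed = 0;
    for (const k of [...this.jars.keys()]) {
      if (JSON.parse(k)[0] === firstParty) {
        this.jars.delete(k);
        removed += 1;
      }
    }
    return removed;
  }
}

// A third party that stores an identifier the first time it is loaded and
// reads it back on every later load. `state` models its server-side log.
function embedThirdParty(store, topLevelUrl, thirdParty, state) {
  const firstParty = urlBarDomain(topLevelUrl);
  let uid = store.get(firstParty, thirdParty, 'uid');
  if (uid === undefined) {
    state.issued += 1;
    uid = `uid-${state.issued}`;
    store.set(firstParty, thirdParty, 'uid', uid);
  }
  state.seen.push({ site: firstParty, uid });
  return uid;
}

// Groups of distinct URL bar domains that presented the same identifier,
// i.e. the visits the third party is able to link together.
function linkableSites(seen) {
  const byUid = new Map();
  for (const { site, uid } of seen) {
    if (!byUid.has(uid)) byUid.set(uid, new Set());
    byUid.get(uid).add(site);
  }
  return [...byUid.values()]
    .filter((sites) => sites.size > 1)
    .map((sites) => [...sites].sort());
}

// Visit two sites (one of them twice) that embed the same third party.
function simulate(doubleKeyed) {
  const store = new CookieStore({ doubleKeyed });
  const state = { issued: 0, seen: [] };
  const thirdParty = 'https://tracker.example';
  const visits = [
    'https://news.example/a',
    'https://shop.example/cart',
    'https://news.example/b',
  ];
  const uids = visits.map((v) => embedThirdParty(store, v, thirdParty, state));
  return { uids, linkable: linkableSites(state.seen), store };
}

for (const doubleKeyed of [false, true]) {
  const { uids, linkable } = simulate(doubleKeyed);
  console.log({ doubleKeyed, uids, linkable });
}
```

The second visit to news.example still sees its earlier identifier in the double-keyed run, so state persists within one URL bar domain while the third party can no longer join the two sites.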
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  811) 
projects/en/torbrowser/design/index.html.en  812)    </p><p>
projects/en/torbrowser/design/index.html.en  813) 
projects/en/torbrowser/design/index.html.en  814) The benefit of this approach comes not only in the form of reduced
projects/en/torbrowser/design/index.html.en  815) linkability, but also in terms of simplified privacy UI. If all stored browser
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     816) state and permissions become associated with the URL bar origin, the six or
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     817) seven different pieces of privacy UI governing these identifiers and
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  818) permissions can become just one piece of UI. For instance, a window that lists
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     819) the URL bar origin for which browser state exists, possibly with a
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     820) context-menu option to drill down into specific types of state or permissions.
projects/torbrowser/design/index.html.en     821) An example of this simplification can be seen in Figure 1.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  822) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     823)    </p><div class="figure"><a id="idm410"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  824) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     825) This example UI is a mock-up of how isolating identifiers to the URL bar
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     826) domain can simplify the privacy UI for all data - not just cookies. Once
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     827) browser identifiers and site permissions operate on a URL bar basis, the same
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     828) privacy window can represent browsing history, DOM Storage, HTTP Auth, search
projects/torbrowser/design/index.html.en     829) form history, login values, and so on within a context menu for each site.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  830) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     831) </div></div></div><br class="figure-break" /><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm417"></a>Identifier Unlinkability Defenses in the Tor Browser</h4></div></div></div><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     832) 
projects/torbrowser/design/index.html.en     833) Unfortunately, many aspects of browser state can serve as identifier storage,
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     834) and no other browser vendor or standards body had invested the effort to
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     835) enumerate or otherwise deal with these vectors for third party tracking. As
projects/torbrowser/design/index.html.en     836) such, we have had to enumerate and isolate these identifier sources on a
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     837) piecemeal basis. This has gotten better lately with Mozilla stepping up and
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     838) helping us with uplifting our patches, and with contributing their own patches where we
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     839) lacked proper fixes. However, we are not done yet with our unlinkability defense
projects/torbrowser/design/index.html.en     840) as new identifier sources are still getting added to the web platform. Here is
projects/torbrowser/design/index.html.en     841) the list that we have discovered and dealt with to date:
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  842) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     843)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     844) 
projects/torbrowser/design/index.html.en     845) All cookies MUST be double-keyed to the URL bar origin and third-party
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     846) origin.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  847) 
projects/en/torbrowser/design/index.html.en  848)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  849) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     850) Double-keying cookies should just work by setting <span class="command"><strong>privacy.firstparty.isolate
projects/torbrowser/design/index.html.en     851) </strong></span> to <span class="command"><strong>true</strong></span>. However,
projects/torbrowser/design/index.html.en     852) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/21905" target="_top">we have not
projects/torbrowser/design/index.html.en     853) audited that</a> yet and there is still the
projects/torbrowser/design/index.html.en     854) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/10353" target="_top">UI part
projects/torbrowser/design/index.html.en     855) missing for managing cookies in Private Browsing Mode</a>. We therefore
projects/torbrowser/design/index.html.en     856) opted to keep third-party cookies disabled for now by setting
projects/torbrowser/design/index.html.en     857) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to <span class="command"><strong>1</strong></span>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  858) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     859)      </p></li><li class="listitem"><span class="command"><strong>Cache</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     860)         All cache entries MUST be isolated to the URL bar domain.
projects/torbrowser/design/index.html.en     861)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     862) We isolate the content and image cache to the URL bar domain by setting
projects/torbrowser/design/index.html.en     863) <span class="command"><strong>privacy.firstparty.isolate</strong></span> to <span class="command"><strong>true</strong></span>.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     864) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     865)       </p><p>
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     866) Furthermore there is the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage" target="_top">
projects/torbrowser/design/index.html.en     867) CacheStorage API</a>. That one is currently not available in Tor Browser as
projects/torbrowser/design/index.html.en     868) we do not allow third party cookies and are in Private Browsing Mode by default.
projects/torbrowser/design/index.html.en     869) As the cache entries are written to disk the CacheStorage API
projects/torbrowser/design/index.html.en     870) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1173467" target="_top">got disabled</a>
projects/torbrowser/design/index.html.en     871) in that mode in Firefox, similar to how IndexedDB is handled. There are
projects/torbrowser/design/index.html.en     872) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1117808" target="_top">thoughts</a>
projects/torbrowser/design/index.html.en     873) about enabling it by providing a memory-only database but that is still work
projects/torbrowser/design/index.html.en     874) in progress. But even if users leave Private Browsing Mode and
projects/torbrowser/design/index.html.en     875) enable third party cookies, the storage is isolated to the URL bar domain by
projects/torbrowser/design/index.html.en     876) <span class="command"><strong>privacy.firstparty.isolate</strong></span> set to <span class="command"><strong>true</strong></span>.
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     877)       </p><p>
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     878) Finally, we have the asm.js cache. The cache entry of the script is (among
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     879) other things, like type of CPU, build ID, source characters of the asm.js
projects/torbrowser/design/index.html.en     880) module etc.) keyed <a class="ulink" href="https://blog.mozilla.org/luke/2014/01/14/asm-js-aot-compilation-and-startup-performance/" target="_top">to the origin of the script</a>.
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     881) Lacking a good solution for binding it to the URL bar domain instead, we decided
projects/torbrowser/design/index.html.en     882) to disable asm.js for the time being by setting
projects/torbrowser/design/index.html.en     883) <span class="command"><strong>javascript.options.asmjs</strong></span> to <span class="command"><strong>false</strong></span>. It
projects/torbrowser/design/index.html.en     884) remains to be seen whether keying the cache entry e.g. to the source characters
projects/torbrowser/design/index.html.en     885) of the asm.js module helps to avoid using it for cross-origin tracking of users.
projects/torbrowser/design/index.html.en     886) We have not investigated that yet.
projects/torbrowser/design/index.html.en     887)       </p></li><li class="listitem"><span class="command"><strong>HTTP Authentication</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  888) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     889) HTTP Authorization headers can be used to encode <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     890) third party tracking identifiers</a>. To prevent this, we set
projects/torbrowser/design/index.html.en     891) <span class="command"><strong>privacy.firstparty.isolate</strong></span> to <span class="command"><strong>true</strong></span>.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     892) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     893)       </p></li><li class="listitem"><span class="command"><strong>DOM Storage</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  894) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     895) DOM storage for third party domains MUST be isolated to the URL bar domain,
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     896) to prevent linkability between sites. We achieve this by setting
projects/torbrowser/design/index.html.en     897) <span class="command"><strong>privacy.firstparty.isolate</strong></span> to <span class="command"><strong>true</strong></span>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  898) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     899)       </p></li><li class="listitem"><span class="command"><strong>IndexedDB Storage</strong></span><p>
projects/torbrowser/design/index.html.en     900) 
projects/torbrowser/design/index.html.en     901) IndexedDB storage for third party domains MUST be isolated to the URL bar
projects/torbrowser/design/index.html.en     902) domain, to prevent linkability between sites. By default
projects/torbrowser/design/index.html.en     903) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API" target="_top">
projects/torbrowser/design/index.html.en     904) IndexedDB storage</a> is disabled as Tor Browser is using Firefox's Private
projects/torbrowser/design/index.html.en     905) Browsing Mode and does not allow third party cookies. There are
projects/torbrowser/design/index.html.en     906) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=781982" target="_top">thoughts</a>
projects/torbrowser/design/index.html.en     907) about enabling this API in Private Browsing Mode as well but that is still work
projects/torbrowser/design/index.html.en     908) in progress. However, if users leave this mode and enable third
projects/torbrowser/design/index.html.en     909) party cookies, isolation to the URL bar is still achieved by
projects/torbrowser/design/index.html.en     910) <span class="command"><strong>privacy.firstparty.isolate</strong></span> set to <span class="command"><strong>true</strong></span>.
projects/torbrowser/design/index.html.en     911) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     912)       </p></li><li class="listitem"><span class="command"><strong>Flash cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     913) 
projects/torbrowser/design/index.html.en     914) Users should be able to click-to-play Flash objects from trusted sites. To
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     915) make this behavior unlinkable, we wish to include a settings file for all
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     916) platforms that disables Flash cookies using the <a class="ulink" href="https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     917) settings manager</a>.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     918) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     919)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     920) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     921) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     922) difficulties</a> causing Flash player to use this settings
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     923) file on Windows, so Flash remains difficult to enable.
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     924) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     925)       </p></li><li class="listitem"><span class="command"><strong>SSL+TLS session resumption</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  926) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     927) TLS session resumption tickets and SSL Session IDs MUST be limited to the URL
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     928) bar domain.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  929) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     930)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  931) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     932) We disable TLS Session Tickets and SSL Session IDs by
projects/torbrowser/design/index.html.en     933) setting <span class="command"><strong>security.ssl.disable_session_identifiers</strong></span> to
projects/torbrowser/design/index.html.en     934) <span class="command"><strong>true</strong></span>.
projects/torbrowser/design/index.html.en     935) To compensate for the increased round trip latency from disabling
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     936) these performance optimizations, we also enable
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     937) <a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     938) False Start</a> via the Firefox Pref
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     939) <span class="command"><strong>security.ssl.enable_false_start</strong></span>.
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     940) However, URL bar domain isolation should be working both for session tickets and
projects/torbrowser/design/index.html.en     941) session IDs but we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/17252" target="_top">
projects/torbrowser/design/index.html.en     942) have not verified that yet</a>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     943) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     944)       </p></li><li class="listitem"><span class="command"><strong>Tor circuit and HTTP connection linkability</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     945) 
projects/torbrowser/design/index.html.en     946) Tor circuits and HTTP connections from a third party in one URL bar origin
projects/torbrowser/design/index.html.en     947) MUST NOT be reused for that same third party in another URL bar origin.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     948) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     949)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     950) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     951) The isolation functionality is provided by a Torbutton component that <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/domain-isolator.js" target="_top">sets
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     952) the SOCKS username and password for each request</a>. The Tor client has
projects/torbrowser/design/index.html.en     953) logic to prevent connections with different SOCKS usernames and passwords from
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     954) using the same Tor circuit. Firefox has existing logic to ensure that
projects/torbrowser/design/index.html.en     955) connections with SOCKS proxies do not re-use existing HTTP Keep-Alive
projects/torbrowser/design/index.html.en     956) connections unless the proxy settings match.
projects/torbrowser/design/index.html.en     957) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1200802" target="_top">We extended
projects/torbrowser/design/index.html.en     958) this logic</a> to cover SOCKS username and password authentication,
projects/torbrowser/design/index.html.en     959) providing us with HTTP Keep-Alive unlinkability.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     960) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     961)       </p><p>
projects/torbrowser/design/index.html.en     962) 
projects/torbrowser/design/index.html.en     963) While the vast majority of web requests adhere to the circuit and connection
projects/torbrowser/design/index.html.en     964) unlinkability requirement, there are still corner cases we
projects/torbrowser/design/index.html.en     965) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=8661822237c56d543d5c9117c8a4708c402a110f" target="_top">
projects/torbrowser/design/index.html.en     966)   need to treat separately</a> or that
projects/torbrowser/design/index.html.en     967) <a class="ulink" href="" target="_top">lack a fix altogether</a>.
projects/torbrowser/design/index.html.en     968)       </p></li><li class="listitem"><span class="command"><strong>SharedWorkers</strong></span><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     969) 
projects/torbrowser/design/index.html.en     970) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker" target="_top">SharedWorkers</a>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     971) are a special form of JavaScript Worker threads that have a shared scope between
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     972) all threads from the same JavaScript origin. They MUST be isolated to the URL
projects/torbrowser/design/index.html.en     973) bar domain. I.e. a SharedWorker launched from a third party from one URL bar
projects/torbrowser/design/index.html.en     974) domain MUST NOT have access to the objects created by that same third party
projects/torbrowser/design/index.html.en     975) loaded under another URL bar domain. This functionality is provided by setting
projects/torbrowser/design/index.html.en     976) <span class="command"><strong>privacy.firstparty.isolate</strong></span> to <span class="command"><strong>true</strong></span>.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     977) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     978)       </p></li><li class="listitem"><span class="command"><strong>blob: URIs (URL.createObjectURL)</strong></span><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     979) 
projects/torbrowser/design/index.html.en     980) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>
projects/torbrowser/design/index.html.en     981) API allows a site to load arbitrary content into a random UUID that is stored
projects/torbrowser/design/index.html.en     982) in the user's browser, and this content can be accessed via a URL of the form
projects/torbrowser/design/index.html.en     983) <span class="command"><strong>blob:UUID</strong></span> from any other content element anywhere on the
projects/torbrowser/design/index.html.en     984) web. While this UUID value is neither under control of the site nor
projects/torbrowser/design/index.html.en     985) predictable, it can still be used to tag a set of users that are of high
projects/torbrowser/design/index.html.en     986) interest to an adversary.
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     987) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     988)       </p><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     989) 
projects/torbrowser/design/index.html.en     990) URIs created with URL.createObjectURL MUST be limited in scope to the first
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     991) party URL bar domain that created them. We provide the isolation in Tor
projects/torbrowser/design/index.html.en     992) Browser by setting <span class="command"><strong>privacy.firstparty.isolate</strong></span> to
projects/torbrowser/design/index.html.en     993) <span class="command"><strong>true</strong></span>.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     994) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en     995)       </p></li><li class="listitem"><span class="command"><strong>SPDY and HTTP/2</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     996) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en     997) SPDY and HTTP/2 connections MUST be isolated to the URL bar domain. Furthermore,
projects/torbrowser/design/index.html.en     998) all associated means that could be used for cross-domain user tracking (alt-svc
projects/torbrowser/design/index.html.en     999) headers come to mind) MUST adhere to this design principle as well.
projects/torbrowser/design/index.html.en    1000) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1001)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1002) 
projects/torbrowser/design/index.html.en    1003) SPDY and HTTP/2 are currently disabled by setting the
projects/torbrowser/design/index.html.en    1004) Firefox preferences <span class="command"><strong>network.http.spdy.enabled</strong></span>,
projects/torbrowser/design/index.html.en    1005) <span class="command"><strong>network.http.spdy.enabled.v2</strong></span>,
projects/torbrowser/design/index.html.en    1006) <span class="command"><strong>network.http.spdy.enabled.v3</strong></span>,
projects/torbrowser/design/index.html.en    1007) <span class="command"><strong>network.http.spdy.enabled.v3-1</strong></span>,
projects/torbrowser/design/index.html.en    1008) <span class="command"><strong>network.http.spdy.enabled.http2</strong></span>,
projects/torbrowser/design/index.html.en    1009) <span class="command"><strong>network.http.spdy.enabled.http2draft</strong></span>,
projects/torbrowser/design/index.html.en    1010) <span class="command"><strong>network.http.altsvc.enabled</strong></span>, and
projects/torbrowser/design/index.html.en    1011) <span class="command"><strong>network.http.altsvc.oe</strong></span> to <span class="command"><strong>false</strong></span>.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1012) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1013)       </p></li><li class="listitem"><span class="command"><strong>Automated cross-origin redirects</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1014) 
projects/torbrowser/design/index.html.en    1015) To prevent attacks aimed at subverting the Cross-Origin Identifier
projects/torbrowser/design/index.html.en    1016) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1017) MUST NOT store any identifiers (cookies, cache, DOM storage, HTTP auth, etc)
projects/torbrowser/design/index.html.en    1018) for cross-origin redirect intermediaries that do not prompt for user input.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1019) For example, if a user clicks on a bit.ly URL that redirects to a
projects/torbrowser/design/index.html.en    1020) doubleclick.net URL that finally redirects to a cnn.com URL, only cookies from
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1021) cnn.com should be retained after the redirect chain completes.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1022) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1023)       </p><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1024) 
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1025) Non-automated redirect chains that require user input at some step (such as
projects/torbrowser/design/index.html.en    1026) federated login systems) SHOULD still allow identifiers to persist.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1027) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1028)       </p><p><span class="command"><strong>Implementation status:</strong></span>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1029) 
projects/torbrowser/design/index.html.en    1030) There are numerous ways for the user to be redirected, and the Firefox API
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1031) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1032) open</a> to implement what we can.
projects/torbrowser/design/index.html.en    1033) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1034)       </p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1035) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1036) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1037) a magical DOM property that for some reason is allowed to retain a persistent value
projects/en/torbrowser/design/index.html.en 1038) for the lifespan of a browser tab. It is possible to utilize this property for
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1039) <a class="ulink" href="https://www.thomasfrank.se/sessionvars.html" target="_top">identifier
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1040) storage</a>.
projects/en/torbrowser/design/index.html.en 1041) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1042)       </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1043) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1044) In order to eliminate non-consensual linkability but still allow for sites
projects/torbrowser/design/index.html.en    1045) that utilize this property to function, we reset the window.name property of
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1046) tabs in Torbutton every time we encounter a blank Referer. This behavior
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1047) allows window.name to persist for the duration of a click-driven navigation
projects/torbrowser/design/index.html.en    1048) session, but as soon as the user enters a new URL or navigates between
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1049) HTTPS/HTTP schemes, the property is cleared.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1050) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1051)       </p></li><li class="listitem"><span class="command"><strong>Auto form-fill</strong></span><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1052) 
projects/torbrowser/design/index.html.en    1053) We disable the password saving functionality in the browser as part of our
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1054) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1055) since users may decide to re-enable disk history records and password saving,
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1056) we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1057) preference to false to prevent saved values from immediately populating
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1058) fields upon page load. Since JavaScript can read these values as soon as they
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1059) appear, setting this preference prevents automatic linkability from stored passwords.
projects/torbrowser/design/index.html.en    1060) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1061)       </p></li><li class="listitem"><span class="command"><strong>HSTS and HPKP supercookies</strong></span><p>
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1062) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1063) An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="https://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS</a>
projects/torbrowser/design/index.html.en    1064) <a class="ulink" href="https://www.radicalresearch.co.uk/lab/hstssupercookies/" target="_top">
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1065) supercookies</a>. Since HSTS effectively stores one bit of information per domain
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1066) name, an adversary in possession of numerous domains can use them to construct
projects/torbrowser/design/index.html.en    1067) cookies based on stored HSTS state.
projects/torbrowser/design/index.html.en    1068) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1069)       </p><p>
projects/torbrowser/design/index.html.en    1070) 
projects/torbrowser/design/index.html.en    1071) HPKP provides <a class="ulink" href="https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf" target="_top">
projects/torbrowser/design/index.html.en    1072) a mechanism for user tracking</a> across domains as well. It allows abusing the
projects/torbrowser/design/index.html.en    1073) requirement to provide a backup pin and the option to report a pin validation
projects/torbrowser/design/index.html.en    1074) failure. In a tracking scenario, every user gets a unique SHA-256 value serving
projects/torbrowser/design/index.html.en    1075) as a backup pin. This value is sent back after (deliberate) pin validation failures,
projects/torbrowser/design/index.html.en    1076) working in effect as a cookie.
projects/torbrowser/design/index.html.en    1077) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1078)       </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en    1079) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1080) HSTS and HPKP MUST be isolated to the URL bar domain.
projects/torbrowser/design/index.html.en    1081) 
projects/torbrowser/design/index.html.en    1082)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    1083) 
projects/torbrowser/design/index.html.en    1084) Currently, both HSTS and HPKP state are cleared by <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>,
projects/torbrowser/design/index.html.en    1085) but we don't defend against the creation and usage of any of these supercookies
projects/torbrowser/design/index.html.en    1086) between <span class="command"><strong>New Identity</strong></span> invocations.
projects/torbrowser/design/index.html.en    1087) 
projects/torbrowser/design/index.html.en    1088)       </p></li><li class="listitem"><span class="command"><strong>Broadcast Channels</strong></span><p>
projects/torbrowser/design/index.html.en    1089) 
projects/torbrowser/design/index.html.en    1090) The BroadcastChannel API allows cross-site communication within the same
projects/torbrowser/design/index.html.en    1091) origin. However, to avoid cross-origin linkability, broadcast channels MUST
projects/torbrowser/design/index.html.en    1092) instead be isolated to the URL bar domain.
projects/torbrowser/design/index.html.en    1093) 
projects/torbrowser/design/index.html.en    1094)       </p><p>
projects/torbrowser/design/index.html.en    1095) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1096) We provide the isolation in Tor Browser by setting
projects/torbrowser/design/index.html.en    1097) <span class="command"><strong>privacy.firstparty.isolate</strong></span> to <span class="command"><strong>true</strong></span>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1098) 
projects/torbrowser/design/index.html.en    1099)       </p></li><li class="listitem"><span class="command"><strong>OCSP</strong></span><p>
projects/torbrowser/design/index.html.en    1100) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1101) OCSP requests go to Certificate Authorities (CAs) to check for revoked
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1102) certificates. They are sent once the browser is visiting a website via HTTPS and
projects/torbrowser/design/index.html.en    1103) no cached results are available. Thus, to avoid information leaks, e.g. to exit
projects/torbrowser/design/index.html.en    1104) relays, OCSP requests MUST go over the same circuit as the HTTPS request causing
projects/torbrowser/design/index.html.en    1105) them and MUST therefore be isolated to the URL bar domain. The resulting cache
projects/torbrowser/design/index.html.en    1106) entries MUST be bound to the URL bar domain as well. This functionality is
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1107) provided by setting <span class="command"><strong>privacy.firstparty.isolate</strong></span> to
projects/torbrowser/design/index.html.en    1108) <span class="command"><strong>true</strong></span>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1109) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1110)        </p></li><li class="listitem"><span class="command"><strong>Favicons</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1111) 
projects/torbrowser/design/index.html.en    1112) When visiting a website, its favicon is fetched via a request originating from
projects/torbrowser/design/index.html.en    1113) the browser itself (similar to the OCSP mechanism mentioned in the previous
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1114) section). Those requests MUST be isolated to the URL bar domain.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1115) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1116)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1117) 
projects/torbrowser/design/index.html.en    1118) Favicon requests are isolated to the URL bar domain by setting
projects/torbrowser/design/index.html.en    1119) <span class="command"><strong>privacy.firstparty.isolate</strong></span> to <span class="command"><strong>true</strong></span>.
projects/torbrowser/design/index.html.en    1120) However, we need an additional
projects/torbrowser/design/index.html.en    1121) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=eaa22334adaf8f79544ee4318982e5f4990c1a6f" target="_top">Firefox patch</a>
projects/torbrowser/design/index.html.en    1122) to take care of favicons in tab list menuitems.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1123)       </p></li><li class="listitem"><span class="command"><strong>mediasource: URIs and MediaStreams</strong></span><p>
projects/torbrowser/design/index.html.en    1124) 
projects/torbrowser/design/index.html.en    1125) Much like blob URLs, mediasource: URIs and MediaStreams can be used to tag
projects/torbrowser/design/index.html.en    1126) users. Therefore, mediasource: URIs and MediaStreams MUST be isolated to the URL bar domain.
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1127) This functionality is provided by setting <span class="command"><strong>privacy.firstparty.isolate</strong></span>
projects/torbrowser/design/index.html.en    1128) to <span class="command"><strong>true</strong></span>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1129)       </p></li><li class="listitem"><span class="command"><strong>Speculative and prefetched connections</strong></span><p>
projects/torbrowser/design/index.html.en    1130) 
projects/torbrowser/design/index.html.en    1131) Firefox provides the feature to <a class="ulink" href="https://www.igvita.com/2015/08/17/eliminating-roundtrips-with-preconnect/" target="_top">connect speculatively</a> to
projects/torbrowser/design/index.html.en    1132) remote hosts if that is either indicated in the HTML file (e.g. by
projects/torbrowser/design/index.html.en    1133) <a class="ulink" href="https://w3c.github.io/resource-hints/" target="_top">link
projects/torbrowser/design/index.html.en    1134) rel="preconnect" and rel="prefetch"</a>) or otherwise deemed beneficial.
projects/torbrowser/design/index.html.en    1135) 
projects/torbrowser/design/index.html.en    1136)       </p><p>
projects/torbrowser/design/index.html.en    1137) 
projects/torbrowser/design/index.html.en    1138) Firefox does not support rel="prerender", and Mozilla has disabled speculative
projects/torbrowser/design/index.html.en    1139) connections and rel="preconnect" usage where a proxy is used (see <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18762#comment:3" target="_top"> comment
projects/torbrowser/design/index.html.en    1140) 3 in bug 18762</a> for further details). Explicit prefetching via the
projects/torbrowser/design/index.html.en    1141) rel="prefetch" attribute is still performed, however.
projects/torbrowser/design/index.html.en    1142) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1143)       </p><p>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1144) 
projects/torbrowser/design/index.html.en    1145) All pre-loaded links and speculative connections MUST be isolated to the URL
projects/torbrowser/design/index.html.en    1146) bar domain, if enabled. This includes isolating both Tor circuit use, as well
projects/torbrowser/design/index.html.en    1147) as the caching and associated browser state for the prefetched resource.
projects/torbrowser/design/index.html.en    1148) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1149)       </p><p>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1150) 
projects/torbrowser/design/index.html.en    1151) For automatic speculative connects and rel="preconnect", we leave them
projects/torbrowser/design/index.html.en    1152) disabled as per the Mozilla default for proxy settings. However, if enabled,
projects/torbrowser/design/index.html.en    1153) speculative connects will be isolated to the proper first party Tor circuit by
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1154) the same mechanism as is used for HTTP Keep-Alive. This is true for rel="prefetch"
projects/torbrowser/design/index.html.en    1155) requests as well. For rel="preconnect", we set <span class="command"><strong>privacy.firstparty.isolate</strong></span>
projects/torbrowser/design/index.html.en    1156) to <span class="command"><strong>true</strong></span>. This isolation makes both preconnecting and cache
projects/torbrowser/design/index.html.en    1157) warming via rel="prefetch" ineffective for links to domains other than the
projects/torbrowser/design/index.html.en    1158) current URL bar domain. For links to the same domain as the URL bar domain,
projects/torbrowser/design/index.html.en    1159) the full cache warming benefit is obtained. As an optimization, any
projects/torbrowser/design/index.html.en    1160) preconnecting to domains other than the current URL bar domain can thus be
projects/torbrowser/design/index.html.en    1161) disabled (perhaps with the exception of frames), but we do not do this.
projects/torbrowser/design/index.html.en    1162) We allow these requests to proceed, but we isolate them.
projects/torbrowser/design/index.html.en    1163) 
projects/torbrowser/design/index.html.en    1164)       </p></li><li class="listitem"><span class="command"><strong>Permissions API</strong></span><p>
projects/torbrowser/design/index.html.en    1165) 
projects/torbrowser/design/index.html.en    1166) The Permissions API allows a website to query the status of different
projects/torbrowser/design/index.html.en    1167) permissions. Although permissions are keyed to the origin, that is not enough to
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1168) alleviate cross-linkability concerns: the combined permission state could work
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1169) like an identifier as more and more permissions and their state become
projects/torbrowser/design/index.html.en    1170) accessible under this API.
projects/torbrowser/design/index.html.en    1171) 
projects/torbrowser/design/index.html.en    1172)       </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en    1173) 
projects/torbrowser/design/index.html.en    1174) Permissions MUST be isolated to the URL bar domain.
projects/torbrowser/design/index.html.en    1175) 
projects/torbrowser/design/index.html.en    1176)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    1177) 
projects/torbrowser/design/index.html.en    1178) Right now we provide a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=14374d30767f83923561084530b54c066bb661b4" target="_top">Firefox patch</a> that makes sure permissions are isolated to the URL bar domain.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1179) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1180)       </p></li></ol></div><p>
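An added example, not part of the design document or of Tor Browser's code: a small Node.js check that parses a Firefox preference file and compares it with the preference values named in the list above. The sample file contents are constructed, and the function names are hypothetical.

```javascript
'use strict';

// Preference names and values exactly as given in the list items above.
const EXPECTED = new Map([
  ['network.http.spdy.enabled', false],
  ['network.http.spdy.enabled.v2', false],
  ['network.http.spdy.enabled.v3', false],
  ['network.http.spdy.enabled.v3-1', false],
  ['network.http.spdy.enabled.http2', false],
  ['network.http.spdy.enabled.http2draft', false],
  ['network.http.altsvc.enabled', false],
  ['network.http.altsvc.oe', false],
  ['signon.autofillForms', false],
  ['privacy.firstparty.isolate', true],
]);

// Parse pref("name", value); and user_pref("name", value); lines.
// Block comments are removed first; a line that starts with // never matches.
// When a name appears more than once, the last occurrence wins.
function parsePrefs(text) {
  const prefs = new Map();
  const withoutBlockComments = text.replace(/\/\*[\s\S]*?\*\//g, '');
  const lineRe = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of withoutBlockComments.split('\n')) {
    const m = lineRe.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === 'true') value = true;
    else if (raw === 'false') value = false;
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1); // quoted string
    else continue; // not a literal this check understands
    prefs.set(m[1], value);
  }
  return prefs;
}

// Compare a preference file with EXPECTED.
// status is 'ok', 'mismatch' (set to something else, including a wrong type)
// or 'unset' (the file says nothing, so the browser's built-in default
// applies and this check cannot vouch for it).
function auditPrefs(text) {
  const actual = parsePrefs(text);
  const findings = [];
  for (const [name, want] of EXPECTED) {
    if (!actual.has(name)) {
      findings.push({ name, status: 'unset', want });
    } else if (actual.get(name) === want) {
      findings.push({ name, status: 'ok', want });
    } else {
      findings.push({ name, status: 'mismatch', want, got: actual.get(name) });
    }
  }
  return findings;
}

// Constructed sample input, not taken from a real profile.
const SAMPLE_PREFS = `
// Constructed sample preference file
pref("network.http.spdy.enabled", false);
pref("network.http.spdy.enabled.v2", false);
pref("network.http.spdy.enabled.v3", false);
pref("network.http.spdy.enabled.v3-1", false);
pref("network.http.spdy.enabled.http2", false);
pref("network.http.spdy.enabled.http2draft", false);
pref("network.http.altsvc.enabled", false);
pref("network.http.altsvc.oe", "false");   // a string, not the boolean false
pref("privacy.firstparty.isolate", true);
/* pref("signon.autofillForms", false); */
user_pref("network.http.altsvc.enabled", true);  // later override wins
`;

for (const f of auditPrefs(SAMPLE_PREFS)) {
  if (f.status !== 'ok') console.log(f.status, f.name, 'want', f.want, 'got', f.got);
}
```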
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1181) For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&amp;status=!closed" target="_top">tbb-linkability tag in our bugtracker</a>.
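The HSTS supercookie item above notes that HSTS stores one bit per domain name and sets the goal of isolating that state to the URL bar domain. The following added example (not part of the design document or of Tor Browser's code) models an HSTS store keyed by host alone and keyed by URL bar domain plus host, and shows what a second site can recover in each case; the class, function and domain names are hypothetical and nothing in it touches the network.

```javascript
'use strict';

// Toy model of a browser's HSTS state.
// isolateToFirstParty = false: one global entry per host (state shared by all sites).
// isolateToFirstParty = true:  entries keyed by (URL bar domain, host), the design goal above.
class HstsStore {
  constructor(isolateToFirstParty) {
    this.isolate = isolateToFirstParty;
    this.entries = new Set();
  }
  key(urlBarDomain, host) {
    return this.isolate ? `${urlBarDomain}^${host}` : host;
  }
  // `host` sent a Strict-Transport-Security header while urlBarDomain was in the URL bar.
  recordStsHeader(urlBarDomain, host) {
    this.entries.add(this.key(urlBarDomain, host));
  }
  // Would a plain-HTTP request to `host` be upgraded to HTTPS in this context?
  wouldUpgrade(urlBarDomain, host) {
    return this.entries.has(this.key(urlBarDomain, host));
  }
  // Models New Identity, which the page says clears HSTS state.
  clearAll() {
    this.entries.clear();
  }
}

const BITS = 8;
const bitHost = (i) => `b${i}.tracker.example`; // constructed third-party hosts

// One third-party host per bit: a 1 bit means that host's HSTS flag gets set.
function storeBits(store, urlBarDomain, id) {
  for (let i = 0; i < BITS; i++) {
    if ((id >> i) & 1) store.recordStsHeader(urlBarDomain, bitHost(i));
  }
}

// Rebuild the number from which hosts would be upgraded in this context.
function recoverBits(store, urlBarDomain) {
  let value = 0;
  for (let i = 0; i < BITS; i++) {
    if (store.wouldUpgrade(urlBarDomain, bitHost(i))) value |= 1 << i;
  }
  return value;
}

// State is written while news.example is in the URL bar, then read back
// while shop.example (a different first party) is in the URL bar.
function compareStores(id) {
  const shared = new HstsStore(false);
  const isolated = new HstsStore(true);
  storeBits(shared, 'news.example', id);
  storeBits(isolated, 'news.example', id);
  const result = {
    sharedOtherSite: recoverBits(shared, 'shop.example'),     // identifier links the two visits
    isolatedOtherSite: recoverBits(isolated, 'shop.example'), // nothing carries across sites
    isolatedSameSite: recoverBits(isolated, 'news.example'),  // same URL bar domain still sees it
  };
  shared.clearAll();
  result.sharedAfterNewIdentity = recoverBits(shared, 'shop.example');
  return result;
}

console.log(compareStores(0b10110010));
```

The `sharedOtherSite` and `sharedAfterNewIdentity` values correspond to the implementation status described above: state is cleared by New Identity but is linkable across sites between invocations.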
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1182)   </p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1183) Browser fingerprinting is the act of inspecting browser behaviors and features in
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1184) an attempt to differentiate and track individual users.
projects/torbrowser/design/index.html.en    1185)   </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1186) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1187) Fingerprinting attacks are typically broken up into passive and active
projects/torbrowser/design/index.html.en    1188) vectors. Passive fingerprinting makes use of any information the browser
projects/torbrowser/design/index.html.en    1189) provides automatically to a website without any specific action on the part of
projects/torbrowser/design/index.html.en    1190) the website. Active fingerprinting makes use of any information that can be
projects/torbrowser/design/index.html.en    1191) extracted from the browser by some specific website action, usually involving
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1192) JavaScript. Some definitions of browser fingerprinting also include
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1193) supercookies and cookie-like identifier storage, but we deal with those issues
projects/torbrowser/design/index.html.en    1194) separately in the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">preceding section on
projects/torbrowser/design/index.html.en    1195) identifier linkability</a>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1196) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1197)     </p><p>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1198) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1199) For the most part, however, we do not differentiate between passive and active
projects/torbrowser/design/index.html.en    1200) fingerprinting sources, since many active fingerprinting mechanisms are very
projects/torbrowser/design/index.html.en    1201) rapid, and can be obfuscated or disguised as legitimate functionality.
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1202) 
projects/torbrowser/design/index.html.en    1203)    </p><p>
projects/torbrowser/design/index.html.en    1204) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1205) Instead, we believe fingerprinting can only be rationally addressed if we
projects/torbrowser/design/index.html.en    1206) understand where the problem comes from, what sources of issues are the most
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1207) severe, what types of defenses are suitable for which sources, and have a
projects/torbrowser/design/index.html.en    1208) consistent strategy for designing defenses that maximizes our ability to study
projects/torbrowser/design/index.html.en    1209) defense efficacy. The following subsections address these issues from a high
projects/torbrowser/design/index.html.en    1210) level, and we then conclude with a list of our current specific defenses.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1211) 
projects/torbrowser/design/index.html.en    1212)     </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-scope"></a>Sources of Fingerprinting Issues</h4></div></div></div><p>
projects/torbrowser/design/index.html.en    1213) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1214) All browser fingerprinting issues arise from one of four primary sources:
projects/torbrowser/design/index.html.en    1215) end-user configuration details, device and hardware characteristics, operating
projects/torbrowser/design/index.html.en    1216) system vendor and version differences, and browser vendor and version
projects/torbrowser/design/index.html.en    1217) differences. Additionally, user behavior itself provides one more source of
projects/torbrowser/design/index.html.en    1218) potential fingerprinting.
projects/torbrowser/design/index.html.en    1219) 
projects/torbrowser/design/index.html.en    1220)     </p><p>
projects/torbrowser/design/index.html.en    1221) 
projects/torbrowser/design/index.html.en    1222) In order to help prioritize and inform defenses, we now list these sources in
projects/torbrowser/design/index.html.en    1223) order from most severe to least severe in terms of the amount of information
projects/torbrowser/design/index.html.en    1224) they reveal, and describe them in more detail.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1225) 
projects/torbrowser/design/index.html.en    1226)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>End-user Configuration Details</strong></span><p>
projects/torbrowser/design/index.html.en    1227) 
projects/torbrowser/design/index.html.en    1228) End-user configuration details are by far the most severe fingerprinting
projects/torbrowser/design/index.html.en    1229) threat, as they will quickly provide enough information to uniquely
projects/torbrowser/design/index.html.en    1230) identify a user. We believe it is essential to avoid exposing platform
projects/torbrowser/design/index.html.en    1231) configuration details to website content at all costs. We also discourage
projects/torbrowser/design/index.html.en    1232) excessive fine-grained customization of Tor Browser by minimizing and
projects/torbrowser/design/index.html.en    1233) aggregating user-facing privacy and security options, as well as by
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1234) discouraging the use of additional plugins and addons. When it is necessary to
projects/torbrowser/design/index.html.en    1235) expose configuration details in the course of providing functionality, we
projects/torbrowser/design/index.html.en    1236) strive to do so only on a per-site basis via site permissions, to avoid
projects/torbrowser/design/index.html.en    1237) linkability.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1238) 
projects/torbrowser/design/index.html.en    1239)      </p></li><li class="listitem"><span class="command"><strong>Device and Hardware Characteristics</strong></span><p>
projects/torbrowser/design/index.html.en    1240) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1241) Device and hardware characteristics can be determined in three ways: they can
projects/torbrowser/design/index.html.en    1242) be reported explicitly by the browser, they can be inferred through browser
projects/torbrowser/design/index.html.en    1243) functionality, or they can be extracted through statistical measurements of
projects/torbrowser/design/index.html.en    1244) system performance. We are most concerned with the cases where this
projects/torbrowser/design/index.html.en    1245) information is either directly reported or can be determined via a single use
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1246) of an API or feature, and prefer to either alter functionality to prevent
projects/torbrowser/design/index.html.en    1247) exposing the most variable aspects of these characteristics, place such
projects/torbrowser/design/index.html.en    1248) features behind site permissions, or disable them entirely.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1249) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1250)       </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1251) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1252) On the other hand, because statistical inference of system performance
projects/torbrowser/design/index.html.en    1253) requires many iterations to achieve accuracy in the face of noise and
projects/torbrowser/design/index.html.en    1254) concurrent activity, we are less concerned with this mechanism of extracting
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1255) this information. We also expect that reducing the resolution of JavaScript's
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1256) time sources will significantly increase the duration of execution required to
projects/torbrowser/design/index.html.en    1257) extract accurate results, and thus make statistical approaches both
projects/torbrowser/design/index.html.en    1258) unattractive and highly noticeable due to excessive resource consumption.
projects/torbrowser/design/index.html.en    1259) 
projects/torbrowser/design/index.html.en    1260)       </p></li><li class="listitem"><span class="command"><strong>Operating System Vendor and Version Differences</strong></span><p>
projects/torbrowser/design/index.html.en    1261) 
projects/torbrowser/design/index.html.en    1262) Operating system vendor and version differences permeate many different
projects/torbrowser/design/index.html.en    1263) aspects of the browser. While it is possible to address these issues with some
projects/torbrowser/design/index.html.en    1264) effort, the relative lack of diversity in operating systems causes us to
projects/torbrowser/design/index.html.en    1265) primarily focus our efforts on passive operating system fingerprinting
projects/torbrowser/design/index.html.en    1266) mechanisms at this point in time. For the purposes of protecting user
projects/torbrowser/design/index.html.en    1267) anonymity, it is not strictly essential that the operating system be
projects/torbrowser/design/index.html.en    1268) completely concealed, though we recognize that it is useful to reduce this
projects/torbrowser/design/index.html.en    1269) differentiation ability where possible, especially for cases where the
projects/torbrowser/design/index.html.en    1270) specific version of a system can be inferred.
projects/torbrowser/design/index.html.en    1271) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1272)       </p></li><li class="listitem"><span class="command"><strong>User Behavior</strong></span><p>
projects/torbrowser/design/index.html.en    1273) 
projects/torbrowser/design/index.html.en    1274) While somewhat outside the scope of browser fingerprinting, for completeness
projects/torbrowser/design/index.html.en    1275) it is important to mention that users themselves theoretically might be
projects/torbrowser/design/index.html.en    1276) fingerprinted through their behavior while interacting with a website. This
projects/torbrowser/design/index.html.en    1277) behavior includes e.g. keystrokes, mouse movements, click speed, and writing
projects/torbrowser/design/index.html.en    1278) style. Basic vectors such as keystroke and mouse usage fingerprinting can be
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1279) mitigated by altering JavaScript's notion of time. More advanced issues like
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1280) writing style fingerprinting are the domain of <a class="ulink" href="https://github.com/psal/anonymouth/blob/master/README.md" target="_top">other tools</a>.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1281) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1282)       </p></li><li class="listitem"><span class="command"><strong>Browser Vendor and Version Differences</strong></span><p>
projects/torbrowser/design/index.html.en    1283) 
projects/torbrowser/design/index.html.en    1284) Due to vast differences in feature set and implementation behavior even
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1285) between different (<a class="ulink" href="https://tsyrklevich.net/2014/10/28/abusing-strict-transport-security/" target="_top">minor</a>)
projects/torbrowser/design/index.html.en    1286) versions of the same browser, browser vendor and version differences are simply
projects/torbrowser/design/index.html.en    1287) not possible to conceal in any realistic way. It is only possible to minimize
projects/torbrowser/design/index.html.en    1288) the differences among different installations of the same browser vendor and
projects/torbrowser/design/index.html.en    1289) version. We make no effort to mimic any other major browser vendor, and in fact
projects/torbrowser/design/index.html.en    1290) most of our fingerprinting defenses serve to differentiate Tor Browser users
projects/torbrowser/design/index.html.en    1291) from normal Firefox users. Because of this, any study that lumps browser vendor
projects/torbrowser/design/index.html.en    1292) and version differences into its analysis of the fingerprintability of a
projects/torbrowser/design/index.html.en    1293) population is largely useless for evaluating either attacks or defenses.
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1294) Unfortunately, this includes popular large-scale studies such as <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> and <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a>. To gather usable data about
projects/torbrowser/design/index.html.en    1295) Tor Browser's fingerprinting defenses we launched a Google Summer of Code
projects/torbrowser/design/index.html.en    1296) project in 2016, called <a class="ulink" href="https://github.com/plaperdr/fp-central" target="_top">
projects/torbrowser/design/index.html.en    1297) FPCentral</a>, with the aim of providing us with our own testbed. We set this up
projects/torbrowser/design/index.html.en    1298) during 2017 and <a class="ulink" href="https://fpcentral.tbb.torproject.org/" target="_top">have it
projects/torbrowser/design/index.html.en    1299) available now</a> for further integration into our quality assurance efforts
projects/torbrowser/design/index.html.en    1300) and possible research into improving our fingerprinting defenses and measuring
projects/torbrowser/design/index.html.en    1301) their effectiveness.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1302) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1303)       </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses-general"></a>General Fingerprinting Defenses</h4></div></div></div><p>
projects/torbrowser/design/index.html.en    1304) 
projects/torbrowser/design/index.html.en    1305) To date, the Tor Browser team has concerned itself only with developing
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1306) defenses for APIs that have already been standardized and deployed. Once an
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1307) API or feature has been standardized and widely deployed, defenses to the
projects/torbrowser/design/index.html.en    1308) associated fingerprinting issues tend to have only a few options available to
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1309) compensate for the lack of up-front privacy design. In our experience, so far
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1310) these options have been limited to value spoofing, subsystem modification or
projects/torbrowser/design/index.html.en    1311) reimplementation, virtualization, site permissions, and feature removal. We
projects/torbrowser/design/index.html.en    1312) will now describe these options and the fingerprinting sources they tend to
projects/torbrowser/design/index.html.en    1313) work best with.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1314) 
projects/torbrowser/design/index.html.en    1315)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Value Spoofing</strong></span><p>
projects/torbrowser/design/index.html.en    1316) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1317) Value spoofing can be used for simple cases where the browser provides some
projects/torbrowser/design/index.html.en    1318) aspect of the user's configuration details, devices, hardware, or operating
projects/torbrowser/design/index.html.en    1319) system directly to a website. It becomes less useful when the fingerprinting
projects/torbrowser/design/index.html.en    1320) method relies on behavior to infer aspects of the hardware or operating system,
projects/torbrowser/design/index.html.en    1321) rather than obtain them directly.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1322) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1323)      </p></li><li class="listitem"><span class="command"><strong>Subsystem Modification or Reimplementation</strong></span><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1324) 
projects/torbrowser/design/index.html.en    1325) In cases where simple spoofing is not enough to properly conceal underlying
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1326) device characteristics or operating system details, the underlying subsystem
projects/torbrowser/design/index.html.en    1327) that provides the functionality for a feature or API may need to be modified
projects/torbrowser/design/index.html.en    1328) or completely reimplemented. This is most common in cases where customizable
projects/torbrowser/design/index.html.en    1329) or version-specific aspects of the user's operating system are visible through
projects/torbrowser/design/index.html.en    1330) the browser's featureset or APIs, usually because the browser directly exposes
projects/torbrowser/design/index.html.en    1331) OS-provided implementations of underlying features. In these cases, such
projects/torbrowser/design/index.html.en    1332) OS-provided implementations must be replaced by a generic implementation, or
projects/torbrowser/design/index.html.en    1333) at least modified by an implementation wrapper layer that makes an effort to
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1334) conceal any user-customized aspects of the system.
projects/torbrowser/design/index.html.en    1335) 
projects/torbrowser/design/index.html.en    1336)    </p></li><li class="listitem"><span class="command"><strong>Virtualization</strong></span><p>
projects/torbrowser/design/index.html.en    1337) 
projects/torbrowser/design/index.html.en    1338) Virtualization is needed when simply reimplementing a feature in a different
projects/torbrowser/design/index.html.en    1339) way is insufficient to fully conceal the underlying behavior. This is most
projects/torbrowser/design/index.html.en    1340) common in instances of device and hardware fingerprinting, but since the
projects/torbrowser/design/index.html.en    1341) notion of time can also be virtualized, virtualization can also apply to any
projects/torbrowser/design/index.html.en    1342) instance where an accurate measurement of wall clock time is required for a
projects/torbrowser/design/index.html.en    1343) fingerprinting vector to attain high accuracy.
projects/torbrowser/design/index.html.en    1344) 
projects/torbrowser/design/index.html.en    1345)    </p></li><li class="listitem"><span class="command"><strong>Site Permissions</strong></span><p>
projects/torbrowser/design/index.html.en    1346) 
projects/torbrowser/design/index.html.en    1347) In the event that reimplementation or virtualization is too expensive in terms
projects/torbrowser/design/index.html.en    1348) of performance or engineering effort, and the relative expected usage of a
projects/torbrowser/design/index.html.en    1349) feature is rare, site permissions can be used to prevent the usage of a
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1350) feature for cross-site tracking. Unfortunately, site permissions become less
projects/torbrowser/design/index.html.en    1351) effective once a feature is already widely overused and abused by many
projects/torbrowser/design/index.html.en    1352) websites, since warning fatigue typically sets in for most users after just a
projects/torbrowser/design/index.html.en    1353) few permission requests.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1354) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1355)    </p></li><li class="listitem"><span class="command"><strong>Feature or Functionality Removal</strong></span><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1356) 
projects/torbrowser/design/index.html.en    1357) Due to the current bias in favor of invasive APIs that expose the maximum
projects/torbrowser/design/index.html.en    1358) amount of platform information, some features and APIs are simply not
projects/torbrowser/design/index.html.en    1359) salvageable in their current form. When such invasive features serve only a
projects/torbrowser/design/index.html.en    1360) narrow domain or use case, or when there are alternate ways of accomplishing
projects/torbrowser/design/index.html.en    1361) the same task, these features and/or certain aspects of their functionality
projects/torbrowser/design/index.html.en    1362) may be simply removed.
projects/torbrowser/design/index.html.en    1363) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1364)    </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm660"></a>Strategies for Defense: Randomization versus Uniformity</h4></div></div></div><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1365) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1366) When applying a form of defense to a specific fingerprinting vector or source,
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1367) there are two general strategies available: either the implementation for all
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1368) users of a single browser version can be made to behave as uniformly as
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1369) possible, or the user agent can attempt to randomize its behavior so that
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1370) each interaction between a user and a site provides a different fingerprint.
projects/torbrowser/design/index.html.en    1371) 
projects/torbrowser/design/index.html.en    1372)     </p><p>
projects/torbrowser/design/index.html.en    1373) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1374) Although <a class="ulink" href="https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr1-1.pdf" target="_top">
projects/torbrowser/design/index.html.en    1375) some research suggests</a> that randomization can be effective, so far
projects/torbrowser/design/index.html.en    1376) striving for uniformity has generally proved to be a better strategy for Tor
projects/torbrowser/design/index.html.en    1377) Browser for the following reasons:
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1378) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1379)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Evaluation and measurement difficulties</strong></span><p>
projects/torbrowser/design/index.html.en    1380) 
projects/torbrowser/design/index.html.en    1381) The fact that randomization causes behaviors to differ slightly with every
projects/torbrowser/design/index.html.en    1382) site visit makes it appealing at first glance, but this same property makes it
projects/torbrowser/design/index.html.en    1383) very difficult to objectively measure its effectiveness. By contrast, an
projects/torbrowser/design/index.html.en    1384) implementation that strives for uniformity is very simple to evaluate. Despite
projects/torbrowser/design/index.html.en    1385) their current flaws, a properly designed version of <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> or <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a> could report the entropy and
projects/torbrowser/design/index.html.en    1386) uniqueness rates for all users of a single user agent version, without the
projects/torbrowser/design/index.html.en    1387) need for complicated statistics about the variance of the measured behaviors.
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1388) <a class="ulink" href="https://fpcentral.tbb.torproject.org/fp" target="_top">FPCentral</a> is trying
projects/torbrowser/design/index.html.en    1389) to achieve that for Tor Browser by providing feedback on acceptable browser
projects/torbrowser/design/index.html.en    1390) properties and giving guidance on possible improvements.
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1391)       </p><p>
projects/torbrowser/design/index.html.en    1392) 
projects/torbrowser/design/index.html.en    1393) Randomization (especially incomplete randomization) may also provide a false
projects/torbrowser/design/index.html.en    1394) sense of security. When a fingerprinting attempt makes naive use of randomized
projects/torbrowser/design/index.html.en    1395) information, a fingerprint will appear unstable, but may not actually be
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1396) sufficiently randomized to impede a dedicated adversary. Sophisticated
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1397) fingerprinting mechanisms may either ignore randomized information, or
projects/torbrowser/design/index.html.en    1398) incorporate knowledge of the distribution and range of randomized values into
projects/torbrowser/design/index.html.en    1399) the creation of a more stable fingerprint (by either removing the randomness,
projects/torbrowser/design/index.html.en    1400) modeling it, or averaging it out).
projects/torbrowser/design/index.html.en    1401) 
projects/torbrowser/design/index.html.en    1402)       </p></li><li class="listitem"><span class="command"><strong>Randomization is not a shortcut</strong></span><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1403) 
projects/torbrowser/design/index.html.en    1404) While many end-user configuration details that the browser currently exposes
projects/torbrowser/design/index.html.en    1405) may be safely replaced by false information, randomization of these details
projects/torbrowser/design/index.html.en    1406) must be just as exhaustive as an approach that seeks to make these behaviors
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1407) uniform. When confronting either strategy, the adversary can still make use of
projects/torbrowser/design/index.html.en    1408) any details which have not been altered to be either sufficiently uniform or
projects/torbrowser/design/index.html.en    1409) sufficiently random.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1410) 
projects/torbrowser/design/index.html.en    1411)      </p><p>
projects/torbrowser/design/index.html.en    1412) 
projects/torbrowser/design/index.html.en    1413) Furthermore, the randomization approach seems to break down when it is applied
projects/torbrowser/design/index.html.en    1414) to deeper issues where underlying system functionality is directly exposed. In
projects/torbrowser/design/index.html.en    1415) particular, it is not clear how to randomize the capabilities of hardware
projects/torbrowser/design/index.html.en    1416) attached to a computer in such a way that it either convincingly behaves like
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1417) other hardware, or such that the exact properties of the hardware that vary
projects/torbrowser/design/index.html.en    1418) from user to user are sufficiently randomized. Similarly, truly concealing
projects/torbrowser/design/index.html.en    1419) operating system version differences through randomization may require
projects/torbrowser/design/index.html.en    1420) multiple reimplementations of the underlying operating system functionality to
projects/torbrowser/design/index.html.en    1421) ensure that every operating system version is covered by the range of possible
projects/torbrowser/design/index.html.en    1422) behaviors.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1423) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1424)      </p></li><li class="listitem"><span class="command"><strong>Usability issues</strong></span><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1425) 
projects/torbrowser/design/index.html.en    1426) When randomization is introduced to features that affect site behavior, it can
projects/torbrowser/design/index.html.en    1427) be very distracting for this behavior to change between visits of a given
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1428) site. For the simplest cases, this will lead to minor visual nuisances.
projects/torbrowser/design/index.html.en    1429) However, when this information affects reported functionality or hardware
projects/torbrowser/design/index.html.en    1430) characteristics, sometimes a site will function one way on one visit, and
projects/torbrowser/design/index.html.en    1431) another way on a subsequent visit.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1432) 
projects/torbrowser/design/index.html.en    1433)       </p></li><li class="listitem"><span class="command"><strong>Performance costs</strong></span><p>
projects/torbrowser/design/index.html.en    1434) 
projects/torbrowser/design/index.html.en    1435) Randomizing involves performance costs. This is especially true if the
projects/torbrowser/design/index.html.en    1436) fingerprinting surface is large (like in a modern browser) and one needs more
projects/torbrowser/design/index.html.en    1437) elaborate randomizing strategies (including randomized virtualization) to
projects/torbrowser/design/index.html.en    1438) ensure that the randomization fully conceals the true behavior. Many calls to
projects/torbrowser/design/index.html.en    1439) a cryptographically secure random number generator during the course of a page
projects/torbrowser/design/index.html.en    1440) load will both exhaust available entropy pools and lead to
projects/torbrowser/design/index.html.en    1441) increased computation while loading a page.
projects/torbrowser/design/index.html.en    1442) 
projects/torbrowser/design/index.html.en    1443)       </p></li><li class="listitem"><span class="command"><strong>Increased vulnerability surface</strong></span><p>
projects/torbrowser/design/index.html.en    1444) 
projects/torbrowser/design/index.html.en    1445) Improper randomization might introduce a new fingerprinting vector, as the
projects/torbrowser/design/index.html.en    1446) process of generating the values for the fingerprintable attributes could be
projects/torbrowser/design/index.html.en    1447) itself susceptible to side-channel attacks, analysis, or exploitation.
projects/torbrowser/design/index.html.en    1448) 
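The measurement argument from this list (a uniform defense can be scored with plain entropy and uniqueness rates, while randomized values look unstable per visit yet can be averaged out) worked through as a simulation. This is an added example, not code from the design document or from Tor Browser; the population, the eight hardware classes, the noise range and all function names are constructed assumptions.

```javascript
// Added illustration: population, hardware classes and noise model are constructed.
const CLASSES = 8;   // constructed: distinct hardware classes in the population
const SPACING = 10;  // constructed: gap between the true values of adjacent classes
const NOISE = 20;    // constructed: randomization adds an integer in [-NOISE, NOISE]

// Deterministic PRNG (mulberry32) so the simulation is reproducible.
// A real defense would draw from a CSPRNG; the statistics are the same.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Shannon entropy (bits), uniqueness rate and number of anonymity sets,
// given one observed value per user of a single browser version.
function measure(observations) {
  const counts = new Map();
  for (const v of observations) counts.set(v, (counts.get(v) || 0) + 1);
  const n = observations.length;
  let entropy = 0;
  let unique = 0;
  for (const c of counts.values()) {
    const p = c / n;
    entropy -= p * Math.log2(p);
    if (c === 1) unique += 1;
  }
  return { entropy, uniqueRate: unique / n, sets: counts.size };
}

// What the browser reports for one API read under a given defense.
function readValue(hw, defense, rng) {
  const trueValue = 100 + SPACING * hw;
  if (defense === 'uniform') return 100; // every user reports the same value
  if (defense === 'randomized') {
    return trueValue + Math.floor(rng() * (2 * NOISE + 1)) - NOISE;
  }
  return trueValue; // 'none': the real value is exposed
}

// One site visit consisting of `reads` API reads. A single read is kept
// as-is (naive observer); several reads are averaged and snapped to the
// known class grid (observer that models the noise distribution).
function observe(hw, defense, reads, rng) {
  let sum = 0;
  for (let i = 0; i < reads; i++) sum += readValue(hw, defense, rng);
  const mean = sum / reads;
  return reads === 1 ? mean : Math.round(mean / SPACING) * SPACING;
}

// Score a defense: entropy and uniqueness on the first visit, plus the share
// of users whose observation is identical on a second visit ("stable").
function evaluate(defense, reads, size = 1000, seed = 1) {
  const rng = mulberry32(seed);
  const visit1 = [];
  const visit2 = [];
  for (let i = 0; i < size; i++) {
    const hw = i % CLASSES; // constructed: classes are evenly populated
    visit1.push(observe(hw, defense, reads, rng));
    visit2.push(observe(hw, defense, reads, rng));
  }
  const stable = visit1.filter((v, i) => v === visit2[i]).length / size;
  return { ...measure(visit1), stable };
}

for (const [defense, reads] of [['none', 1], ['uniform', 1],
                                ['randomized', 1], ['randomized', 400]]) {
  const r = evaluate(defense, reads);
  console.log(`${defense} x${reads}: ${r.entropy.toFixed(2)} bits, ` +
              `${r.sets} sets, stable across visits: ${(r.stable * 100).toFixed(1)}%`);
}
```

The uniform row can be judged from the entropy figure alone; the randomized rows need both the per-visit view and the averaged view before the defense can be scored at all.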
projects/torbrowser/design/index.html.en    1449)       </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Specific Fingerprinting Defenses in the Tor Browser</h4></div></div></div><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1450) 
projects/torbrowser/design/index.html.en    1451) The following defenses are listed roughly in order of most severe
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1452) fingerprinting threat first. This ordering is based on the above intuition
projects/torbrowser/design/index.html.en    1453) that user-configurable aspects of the computer are the most severe source of
projects/torbrowser/design/index.html.en    1454) fingerprintability, followed by device characteristics and hardware, and then
projects/torbrowser/design/index.html.en    1455) finally operating system vendor and version information.
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1456) 
projects/torbrowser/design/index.html.en    1457)    </p><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1458) 
projects/torbrowser/design/index.html.en    1459) Where our actual implementation differs from an ideal solution, we separately
projects/torbrowser/design/index.html.en    1460) describe our <span class="command"><strong>Design Goal</strong></span> and our <span class="command"><strong>Implementation
projects/torbrowser/design/index.html.en    1461) Status</strong></span>.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1462) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1463)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Plugins</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1464) 
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1465) Plugins add to fingerprinting risk via two main vectors: their mere presence
projects/torbrowser/design/index.html.en    1466) in window.navigator.plugins (because they are optional, end-user installed
projects/torbrowser/design/index.html.en    1467) third party software), as well as their internal functionality.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1468) 
projects/en/torbrowser/design/index.html.en 1469)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1470) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1471) All plugins that have not been specifically audited or sandboxed MUST be
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1472) disabled. To reduce linkability potential, even sandboxed plugins SHOULD NOT
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1473) be allowed to load objects until the user has clicked through a click-to-play
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1474) barrier. Additionally, version information SHOULD be reduced or obfuscated
projects/torbrowser/design/index.html.en    1475) until the plugin object is loaded. For Flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">provide a
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1476) settings.sol file</a> to disable Flash cookies, and to restrict P2P
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1477) features that are likely to bypass proxy settings. We'd also like to restrict
projects/torbrowser/design/index.html.en    1478) access to fonts and other system information (such as IP address and MAC
projects/torbrowser/design/index.html.en    1479) address) in such a sandbox.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1480) 
projects/en/torbrowser/design/index.html.en 1481)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1482) 
projects/en/torbrowser/design/index.html.en 1483) Currently, we entirely disable all plugins in Tor Browser. However, as a
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1484) compromise due to the popularity of Flash, we allow users to re-enable Flash,
projects/torbrowser/design/index.html.en    1485) and Flash objects are blocked behind a click-to-play barrier that is available
projects/torbrowser/design/index.html.en    1486) only after the user has specifically enabled plugins. Flash is the only plugin
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1487) available, the rest are entirely
projects/torbrowser/design/index.html.en    1488) blocked from loading by the Firefox patches mentioned in the <a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience">Proxy Obedience
projects/torbrowser/design/index.html.en    1489) section</a>. We also set the Firefox
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1490) preference <span class="command"><strong>plugin.expose_full_path</strong></span> to
projects/torbrowser/design/index.html.en    1491) <span class="command"><strong>false</strong></span>, to avoid leaking plugin installation information.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1492) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1493)      </p></li><li class="listitem"><span class="command"><strong>HTML5 Canvas Image Extraction</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1494) 
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1495) After plugins and plugin-provided information, we believe that the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5
projects/torbrowser/design/index.html.en    1496) Canvas</a> is the single largest fingerprinting threat browsers face
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1497) today. <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/canvas.pdf" target="_top">
projects/torbrowser/design/index.html.en    1498) Studies</a> <a class="ulink" href="https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf" target="_top">show</a> that the Canvas can provide an easy-access fingerprinting
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1499) target: The adversary simply renders WebGL, font, and named color data to a
projects/torbrowser/design/index.html.en    1500) Canvas element, extracts the image buffer, and computes a hash of that image
projects/torbrowser/design/index.html.en    1501) data. Subtle differences in the video card, font packs, and even font and
projects/torbrowser/design/index.html.en    1502) graphics library versions allow the adversary to produce a stable, simple,
projects/torbrowser/design/index.html.en    1503) high-entropy fingerprint of a computer. In fact, the hash of the rendered
projects/torbrowser/design/index.html.en    1504) image can be used almost identically to a tracking cookie by the web server.
projects/torbrowser/design/index.html.en    1505) 
projects/torbrowser/design/index.html.en    1506)      </p><p>
projects/torbrowser/design/index.html.en    1507) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1508) In some sense, the canvas can be seen as the union of many other
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1509) fingerprinting vectors. If WebGL were normalized through software rendering,
projects/torbrowser/design/index.html.en    1510) system colors were standardized, and the browser shipped a fixed collection of
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1511) fonts (see later points in this list), it might not be necessary to create a
projects/torbrowser/design/index.html.en    1512) canvas permission. However, until then, to reduce the threat from this vector,
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1513) we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=196354d7951a48b4e6f5309d2a8e46962fff9d5f" target="_top">prompt before returning valid image data</a> to the Canvas APIs,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1514) and for access to isPointInPath and related functions. Moreover, we put media
projects/torbrowser/design/index.html.en    1515) streams on a canvas behind the site permission in that patch as well.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1516) If the user hasn't previously allowed the site in the URL bar to access Canvas
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1517) image data, pure white image data is returned to the JavaScript APIs.
projects/torbrowser/design/index.html.en    1518) Extracting canvas image data by third parties is not allowed, though.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1519) 
projects/torbrowser/design/index.html.en    1520)      </p><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1521)      </p></li><li class="listitem"><span class="command"><strong>Open TCP Port and Local Network Fingerprinting</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1522) 
projects/torbrowser/design/index.html.en    1523) In Firefox, by using either WebSockets or XHR, it is possible for remote
projects/torbrowser/design/index.html.en    1524) content to <a class="ulink" href="http://www.andlabs.org/tools/jsrecon.html" target="_top">enumerate
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1525) the list of TCP ports open on 127.0.0.1</a>, as well as on any other
projects/torbrowser/design/index.html.en    1526) machines on the local network. In other browsers, this can be accomplished by
projects/torbrowser/design/index.html.en    1527) DOM events on image or script tags. This open vs filtered vs closed port list
projects/torbrowser/design/index.html.en    1528) can provide a very unique fingerprint of a machine, because it essentially
projects/torbrowser/design/index.html.en    1529) enables the detection of many different popular third party applications and
projects/torbrowser/design/index.html.en    1530) optional system services (Skype, Bitcoin, Bittorrent and other P2P software,
projects/torbrowser/design/index.html.en    1531) SSH ports, SMB and related LAN services, CUPS and printer daemon config ports,
projects/torbrowser/design/index.html.en    1532) mail servers, and so on). It is also possible to determine when ports are
projects/torbrowser/design/index.html.en    1533) closed versus filtered/blocked (and thus probe custom firewall configuration).
projects/torbrowser/design/index.html.en    1534) 
projects/torbrowser/design/index.html.en    1535)      </p><p>
projects/torbrowser/design/index.html.en    1536) 
projects/torbrowser/design/index.html.en    1537) In Tor Browser, we prevent access to 127.0.0.1/localhost by ensuring that even
projects/torbrowser/design/index.html.en    1538) these requests are still sent by Firefox to our SOCKS proxy (i.e. we set
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1539) <span class="command"><strong>network.proxy.no_proxies_on</strong></span> to the empty string). The local
projects/torbrowser/design/index.html.en    1540) Tor client then rejects them, since it is configured not to proxy for internal IP
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1541) addresses by default. Access to the local network is forbidden via the same
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1542) mechanism. We also disable the WebRTC API as mentioned previously, since even
projects/torbrowser/design/index.html.en    1543) if it were usable over Tor, it still currently provides the local IP address
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1544) and associated network information to websites. Additionally, we
projects/torbrowser/design/index.html.en    1545) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=13baf9df4b47bd13bb7da045048ed4339615ac03" target="_top">
projects/torbrowser/design/index.html.en    1546) rip out</a> the option to collect local IP addresses via the
projects/torbrowser/design/index.html.en    1547) NetworkInfoService.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1548) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1549)      </p></li><li class="listitem"><span class="command"><strong>Invasive Authentication Mechanisms (NTLM and SPNEGO)</strong></span><p>
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1550) 
projects/torbrowser/design/index.html.en    1551) Both NTLM and SPNEGO authentication mechanisms can leak the hostname, and in
projects/torbrowser/design/index.html.en    1552) some cases the current username. The only reason why these aren't a more
projects/torbrowser/design/index.html.en    1553) serious problem is that they typically involve user interaction, and likely
projects/torbrowser/design/index.html.en    1554) aren't an attractive vector for this reason. However, because it is not clear
projects/torbrowser/design/index.html.en    1555) if certain carefully-crafted error conditions in these protocols could cause
projects/torbrowser/design/index.html.en    1556) them to reveal machine information and still fail silently prior to the
projects/torbrowser/design/index.html.en    1557) password prompt, these authentication mechanisms should either be disabled, or
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1558) placed behind a site permission before their use. We simply disable them
projects/torbrowser/design/index.html.en    1559) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=fe465944545a76287842321175cc7713091e77b1" target="_top">with a patch</a>.
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1560) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1561)      </p></li><li class="listitem"><span class="command"><strong>USB Device ID Enumeration via the GamePad API</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1562) 
projects/torbrowser/design/index.html.en    1563) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/API/Gamepad" target="_top">GamePad
projects/torbrowser/design/index.html.en    1564) API</a> provides web pages with the <a class="ulink" href="https://dvcs.w3.org/hg/gamepad/raw-file/default/gamepad.html#widl-Gamepad-id" target="_top">USB
projects/torbrowser/design/index.html.en    1565) device id, product id, and driver name</a> of all connected game
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1566) controllers, as well as detailed information about their capabilities.
projects/torbrowser/design/index.html.en    1567)     </p><p>
projects/torbrowser/design/index.html.en    1568) 
projects/torbrowser/design/index.html.en    1569) It's our opinion that this API needs to be completely redesigned to provide an
projects/torbrowser/design/index.html.en    1570) abstract notion of a game controller rather than offloading all of the
projects/torbrowser/design/index.html.en    1571) complexity associated with handling specific game controller models to web
projects/torbrowser/design/index.html.en    1572) content authors. For systems without a game controller, a standard controller
projects/torbrowser/design/index.html.en    1573) can be virtualized through the keyboard, which will serve to both improve
projects/torbrowser/design/index.html.en    1574) usability by normalizing user interaction with different games, as well as
projects/torbrowser/design/index.html.en    1575) eliminate fingerprinting vectors. Barring that, this API should be behind a
projects/torbrowser/design/index.html.en    1576) site permission in Private Browsing Modes. For now though, we simply disable
projects/torbrowser/design/index.html.en    1577) it via the pref <span class="command"><strong>dom.gamepad.enabled</strong></span>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1578) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1579)      </p></li><li class="listitem"><span class="command"><strong>Fonts</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1580) 
projects/en/torbrowser/design/index.html.en 1581) According to the Panopticlick study, fonts provide the most linkability when
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1582) they are available as an enumerable list in file system order, via either the
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1583) Flash or Java plugins. However, it is still possible to use CSS and/or
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1584) JavaScript to query for the existence of specific fonts. With a large enough
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1585) pre-built list to query, a large amount of fingerprintable information may
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1586) still be available, especially given that additional fonts often end up
projects/torbrowser/design/index.html.en    1587) installed by third party software and for multilingual support.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1588) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1589)      </p><p><span class="command"><strong>Design Goal:</strong></span> Font-based fingerprinting MUST be rendered ineffective.</p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1590) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1591) We <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/13313" target="_top">investigated
projects/torbrowser/design/index.html.en    1592) </a>shipping a predefined set of fonts to all of our users allowing only
projects/torbrowser/design/index.html.en    1593) those fonts to be used by websites to the exclusion of system fonts. We are
projects/torbrowser/design/index.html.en    1594) currently following this approach, which has been <a class="ulink" href="https://www.bamsoftware.com/papers/fontfp.pdf" target="_top">
projects/torbrowser/design/index.html.en    1595) suggested</a> <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/canvas.pdf" target="_top">by
projects/torbrowser/design/index.html.en    1596) researchers</a> previously. This defense is available for all three
projects/torbrowser/design/index.html.en    1597) supported platforms: Windows, macOS, and Linux, although the implementations
projects/torbrowser/design/index.html.en    1598) vary in detail.
projects/torbrowser/design/index.html.en    1599) 
projects/torbrowser/design/index.html.en    1600)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1601) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1602) For Windows and macOS we use a preference, <span class="command"><strong>font.system.whitelist</strong></span>,
projects/torbrowser/design/index.html.en    1603) to restrict fonts being used to those in the whitelist. This functionality is
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1604) provided by setting <span class="command"><strong>privacy.resistFingerprinting</strong></span> to
projects/torbrowser/design/index.html.en    1605) <span class="command"><strong>true</strong></span>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1606) The whitelist for Windows and macOS contains both a set of
projects/torbrowser/design/index.html.en    1607) <a class="ulink" href="https://www.google.com/get/noto" target="_top">Noto fonts</a> which we bundle
projects/torbrowser/design/index.html.en    1608) and fonts provided by the operating system. For Linux systems we only bundle
projects/torbrowser/design/index.html.en    1609) fonts and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?id=b88443f6d8af62f763b069eb15e008a46d9b468a" target="_top">
projects/torbrowser/design/index.html.en    1610) deploy </a> a <span class="command"><strong>fonts.conf</strong></span> file to restrict the browser to
projects/torbrowser/design/index.html.en    1611) use those fonts exclusively. In addition to that we set the <span class="command"><strong>font.name*
projects/torbrowser/design/index.html.en    1612) </strong></span> preferences for macOS and Linux to make sure that a given code point
projects/torbrowser/design/index.html.en    1613) is always displayed with the same font. This is not guaranteed even if we bundle
projects/torbrowser/design/index.html.en    1614) all the fonts Tor Browser uses as it can happen that fonts are loaded in a
projects/torbrowser/design/index.html.en    1615) different order on different systems. Setting the above mentioned preferences
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1616) works around this issue by specifying the font to use explicitly.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1617) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1618)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1619) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1620) Allowing fonts provided by the operating system for Windows and macOS users is
projects/torbrowser/design/index.html.en    1621) currently a compromise between fingerprintability resistance and usability
projects/torbrowser/design/index.html.en    1622) concerns. We are still investigating the right balance between them and have
projects/torbrowser/design/index.html.en    1623) created a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/18097" target="_top">
projects/torbrowser/design/index.html.en    1624) ticket in our bug tracker</a> to summarize the current state of our defense
projects/torbrowser/design/index.html.en    1625) and future work that remains to be done.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1626) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1627)      </p></li><li class="listitem"><span class="command"><strong>Monitor, Widget, and OS Desktop Resolution</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1628) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1629) Both CSS and JavaScript have access to a lot of information about the screen
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1630) resolution, usable desktop size, OS widget size, toolbar size, title bar size,
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1631) and OS desktop widget sizing information that are not at all relevant to
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1632) rendering and serve only to provide information for fingerprinting. Since many
projects/torbrowser/design/index.html.en    1633) aspects of desktop widget positioning and size are user configurable, these
projects/torbrowser/design/index.html.en    1634) properties yield customized information about the computer, even beyond the
projects/torbrowser/design/index.html.en    1635) monitor size.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1636) 
projects/en/torbrowser/design/index.html.en 1637)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1638) 
projects/en/torbrowser/design/index.html.en 1639) Our design goal here is to reduce the resolution information down to the bare
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1640) minimum required for properly rendering inside a content window. We intend to
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1641) report all rendering information correctly with respect to the size and
projects/en/torbrowser/design/index.html.en 1642) properties of the content window, but report an effective size of 0 for all
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1643) border material, and also report that the desktop is only as big as the inner
projects/torbrowser/design/index.html.en    1644) content window. Additionally, new browser windows are sized such that their
projects/torbrowser/design/index.html.en    1645) content windows are one of a few fixed sizes based on the user's desktop
projects/torbrowser/design/index.html.en    1646) resolution. In addition, to further reduce resolution-based fingerprinting, we
projects/torbrowser/design/index.html.en    1647) are <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7256" target="_top">investigating
projects/torbrowser/design/index.html.en    1648) zoom/viewport-based mechanisms</a> that might allow us to always report the
projects/torbrowser/design/index.html.en    1649) same desktop resolution regardless of the actual size of the content window,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1650) and simply scale to make up the difference. As an alternative to zoom-based
projects/torbrowser/design/index.html.en    1651) solutions we are testing a
projects/torbrowser/design/index.html.en    1652) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/14429" target="_top">different
projects/torbrowser/design/index.html.en    1653) approach</a> in our alpha series that tries to round the browser window at
projects/torbrowser/design/index.html.en    1654) all times to a multiple of 200x100 pixels. Regardless of which solution we finally
projects/torbrowser/design/index.html.en    1655) pick, until it is available the user should also be informed that
projects/torbrowser/design/index.html.en    1656) maximizing their windows can lead to fingerprintability under the current scheme.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1657) 
projects/en/torbrowser/design/index.html.en 1658)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1659) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1660) We automatically resize new browser windows to a 200x100 pixel multiple based
projects/torbrowser/design/index.html.en    1661) on desktop resolution by backporting patches from
projects/torbrowser/design/index.html.en    1662) <a class="ulink" href="" target="_top">bug 1330882</a>
projects/torbrowser/design/index.html.en    1663) and setting <span class="command"><strong>privacy.resistFingerprinting</strong></span> to
projects/torbrowser/design/index.html.en    1664) <span class="command"><strong>true</strong></span>. To minimize the effect of the long tail of large
projects/torbrowser/design/index.html.en    1665) monitor sizes, we also cap the window size at 1000 pixels in each direction.
projects/torbrowser/design/index.html.en    1666) In addition to that we set <span class="command"><strong>privacy.resistFingerprinting</strong></span>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1667) to <span class="command"><strong>true</strong></span> to use the client content window size for
projects/torbrowser/design/index.html.en    1668) window.screen, and to report a window.devicePixelRatio of 1.0. Similarly,
projects/torbrowser/design/index.html.en    1669) we use that preference to return content window relative points for DOM events.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1670) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1671) We also force popups to open in new tabs (via
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1672) <span class="command"><strong>browser.link.open_newwindow.restriction</strong></span>), to avoid
projects/torbrowser/design/index.html.en    1673) full-screen popups inferring information about the browser resolution. In
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1674) addition, we prevent auto-maximizing on browser start, and inform users that
projects/torbrowser/design/index.html.en    1675) maximized windows are detrimental to privacy in this mode.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1676) 
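The window-sizing rule described above, as an added example (not Tor Browser or Firefox code): it shows how a 200x100 grid with a 1000 pixel cap collapses many desktops into a few observable sizes, and why a maximized window stands out. It assumes dimensions are rounded down to the grid and that each input is the space available to the content window; the desktop sizes are constructed sample data.

```javascript
// Added illustration; not taken from Tor Browser or Firefox source.
// Figures from the text: 200x100 pixel grid, 1000 pixel cap per direction.
const STEP_WIDTH = 200;
const STEP_HEIGHT = 100;
const MAX_DIMENSION = 1000;

// Assumption: sizes are rounded DOWN to the grid, and never below one step.
function roundDimension(available, step) {
  const snapped = Math.floor(available / step) * step;
  return Math.max(step, Math.min(MAX_DIMENSION, snapped));
}

// Content-window size a new window would get for a given available area.
function roundedContentSize(availWidth, availHeight) {
  return {
    width: roundDimension(availWidth, STEP_WIDTH),
    height: roundDimension(availHeight, STEP_HEIGHT),
  };
}

// Self-check for an observed inner window size: is it on the grid and
// within the cap? A maximized window normally fails this check.
function isOnGrid(width, height) {
  return width % STEP_WIDTH === 0 && height % STEP_HEIGHT === 0 &&
         width >= STEP_WIDTH && height >= STEP_HEIGHT &&
         width <= MAX_DIMENSION && height <= MAX_DIMENSION;
}

// Group users by the size a site would observe. Larger groups mean the
// reported size says less about any single user.
function bucketCounts(desktops, observe) {
  const counts = new Map();
  for (const [w, h] of desktops) {
    const seen = observe(w, h);
    const key = `${seen.width}x${seen.height}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed sample: space left for content on eight different desktops.
const SAMPLE_DESKTOPS = [
  [1366, 728], [1024, 728], [1280, 680], [1440, 860],
  [1600, 860], [1920, 1040], [2560, 1400], [3840, 2100],
];

// A maximized window exposes the true available area; a rounded one does not.
const maximized = bucketCounts(SAMPLE_DESKTOPS, (w, h) => ({ width: w, height: h }));
const rounded = bucketCounts(SAMPLE_DESKTOPS, roundedContentSize);

console.log("maximized windows:", maximized.size, "distinct sizes");
console.log("rounded windows:  ", rounded.size, "distinct sizes");
for (const [size, users] of rounded) console.log(`  ${size}: ${users} user(s)`);
```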
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1677)      </p></li><li class="listitem"><span class="command"><strong>Display Media information</strong></span><p>
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1678) 
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1679) Beyond simple resolution information, a large amount of so-called "Media"
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1680) information is also exported to content. Even without JavaScript, CSS has
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1681) access to a lot of information about the device orientation, system theme
Mike Perry More fingerprinting clarifi...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1682) colors, and other desktop and display features that are not at all relevant to
projects/torbrowser/design/index.html.en    1683) rendering and also user configurable. Most of this
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1684) information comes from <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries" target="_top">CSS
projects/torbrowser/design/index.html.en    1685) Media Queries</a>, but Mozilla has exposed <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors" target="_top">several
projects/torbrowser/design/index.html.en    1686) user and OS theme defined color values</a> to CSS as well.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1687) 
projects/torbrowser/design/index.html.en    1688)      </p><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1689) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1690) A website MUST NOT be able to infer anything that the user has configured about
projects/torbrowser/design/index.html.en    1691) their computer. Additionally, it SHOULD NOT be able to infer machine-specific
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1692) details such as screen orientation or type.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1693) 
projects/torbrowser/design/index.html.en    1694)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1695) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1696) We set <span class="command"><strong>ui.use_standins_for_native_colors</strong></span> to <span class="command"><strong>true
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1697) </strong></span> and provide a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=9e84b962ae4e7369fcf13fdf3adb646877d48f1d" target="_top">Firefox patch</a>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1698) to report a fixed set of system colors to content window CSS, and prevent
projects/torbrowser/design/index.html.en    1699) detection of font smoothing on macOS with the help of
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1700) <span class="command"><strong>privacy.resistFingerprinting</strong></span> set to <span class="command"><strong>true</strong></span>.
projects/torbrowser/design/index.html.en    1701) We use the same preference, too, to always report landscape-primary for the
projects/torbrowser/design/index.html.en    1702) <a class="ulink" href="https://w3c.github.io/screen-orientation/" target="_top">screen orientation</a>.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1703) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1704)      </p></li><li class="listitem"><span class="command"><strong>WebGL</strong></span><p>
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1705) 
projects/torbrowser/design/index.html.en    1706) WebGL is fingerprintable both through information that is exposed about the
projects/torbrowser/design/index.html.en    1707) underlying driver and optimizations, as well as through performance
projects/torbrowser/design/index.html.en    1708) fingerprinting.
projects/torbrowser/design/index.html.en    1709) 
projects/torbrowser/design/index.html.en    1710)      </p><p>
projects/torbrowser/design/index.html.en    1711) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1712) Because of the large number of potential fingerprinting vectors and the <a class="ulink" href="https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/" target="_top">
projects/torbrowser/design/index.html.en    1713) previously unexposed vulnerability surface</a>, we deploy a similar strategy
projects/torbrowser/design/index.html.en    1714) against WebGL as for plugins. First, WebGL Canvases have click-to-play
projects/torbrowser/design/index.html.en    1715) placeholders (provided by NoScript), and do not run until authorized by the user.
projects/torbrowser/design/index.html.en    1716) Second, we obfuscate driver information by setting the Firefox preferences
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1717) <span class="command"><strong>webgl.disable-extensions</strong></span>,
projects/torbrowser/design/index.html.en    1718) <span class="command"><strong>webgl.min_capability_mode</strong></span>, and
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1719) <span class="command"><strong>webgl.disable-fail-if-major-performance-caveat</strong></span> to
projects/torbrowser/design/index.html.en    1720) <span class="command"><strong>true</strong></span>, which reduces the information provided by the following
projects/torbrowser/design/index.html.en    1721) WebGL API calls: <span class="command"><strong>getParameter()</strong></span>,
projects/torbrowser/design/index.html.en    1722) <span class="command"><strong>getSupportedExtensions()</strong></span>, and <span class="command"><strong>getExtension()</strong></span>. Furthermore, WebGL2 is disabled by setting <span class="command"><strong>webgl.enable-webgl2</strong></span>
projects/torbrowser/design/index.html.en    1723) to <span class="command"><strong>false</strong></span>. To make the minimal WebGL mode usable we
projects/torbrowser/design/index.html.en    1724) additionally <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=1acd0c7fae9121240401cf4a8f0e2b1f6fdb9827" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1725) normalize its properties with a Firefox patch</a>.
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1726) 
projects/torbrowser/design/index.html.en    1727)      </p><p>
projects/torbrowser/design/index.html.en    1728) 
projects/torbrowser/design/index.html.en    1729) Another option for WebGL might be to use software-only rendering, using a
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1730) library such as <a class="ulink" href="https://www.mesa3d.org/" target="_top">Mesa</a>. The use of
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1731) such a library would avoid hardware-specific rendering differences.
projects/torbrowser/design/index.html.en    1732) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1733)      </p></li><li class="listitem"><span class="command"><strong>MediaDevices API</strong></span><p>
projects/torbrowser/design/index.html.en    1734) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices" target="_top">
projects/torbrowser/design/index.html.en    1735) MediaDevices API</a> provides access to connected media input devices like
projects/torbrowser/design/index.html.en    1736) cameras and microphones, as well as screen sharing. In particular, it allows web
projects/torbrowser/design/index.html.en    1737) content to easily enumerate those devices with <span class="command"><strong>
projects/torbrowser/design/index.html.en    1738) MediaDevices.enumerateDevices()</strong></span>. This relies on WebRTC being compiled
projects/torbrowser/design/index.html.en    1739) in, which we currently don't do. Nevertheless, we disable this feature for now as
projects/torbrowser/design/index.html.en    1740) a defense-in-depth by setting <span class="command"><strong>media.peerconnection.enabled</strong></span> and
projects/torbrowser/design/index.html.en    1741) <span class="command"><strong>media.navigator.enabled</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en    1742)     </p></li><li class="listitem"><span class="command"><strong>MIME Types</strong></span><p>
projects/torbrowser/design/index.html.en    1743) 
projects/torbrowser/design/index.html.en    1744) Which MIME Types are registered with an operating system depends to a great extent
projects/torbrowser/design/index.html.en    1745) on the application software and/or drivers a user chose to install. Web pages
projects/torbrowser/design/index.html.en    1746) can not only estimate the number of MIME types registered by checking
projects/torbrowser/design/index.html.en    1747) <span class="command"><strong>navigator.mimeTypes.length</strong></span>; they are even able to
projects/torbrowser/design/index.html.en    1748) test whether particular MIME types are available, which can have a non-negligible
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1749) impact on a user's fingerprint. We prevent both of these information leaks by
projects/torbrowser/design/index.html.en    1750) setting <span class="command"><strong>privacy.resistFingerprinting</strong></span> to <span class="command"><strong>true</strong></span>.
projects/torbrowser/design/index.html.en    1751)     </p></li><li class="listitem"><span class="command"><strong>Web Speech API</strong></span><p>
projects/torbrowser/design/index.html.en    1752) 
projects/torbrowser/design/index.html.en    1753) The Web Speech API consists of two parts: SpeechSynthesis (Text-to-Speech) and
projects/torbrowser/design/index.html.en    1754) SpeechRecognition (Asynchronous Speech Recognition). The latter is still
projects/torbrowser/design/index.html.en    1755) disabled in Firefox. However, the former is enabled by default and there is the
projects/torbrowser/design/index.html.en    1756) risk that <span class="command"><strong>speechSynthesis.getVoices()</strong></span> has access to
projects/torbrowser/design/index.html.en    1757) computer-specific speech packages making them available in an enumerable
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1758) fashion. Moreover, there are callbacks that would allow JavaScript to time how
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1759) long a phrase takes to be "uttered". To prevent both we set
projects/torbrowser/design/index.html.en    1760) <span class="command"><strong>media.webspeech.synth.enabled</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en    1761) 
projects/torbrowser/design/index.html.en    1762)       </p></li><li class="listitem"><span class="command"><strong>Touch API</strong></span><p>
projects/torbrowser/design/index.html.en    1763) 
projects/torbrowser/design/index.html.en    1764) Touch events are able to reveal the absolute screen coordinates of a device
projects/torbrowser/design/index.html.en    1765) which would defeat our approach to mitigate leaking the screen size as described
projects/torbrowser/design/index.html.en    1766) above. In order to prevent that we implemented two defenses: first we disable
projects/torbrowser/design/index.html.en    1767) the Touch API by setting <span class="command"><strong>dom.w3c_touch_events.enabled</strong></span> to
projects/torbrowser/design/index.html.en    1768) <span class="command"><strong>false</strong></span>. Second, for those users who really need or want to
projects/torbrowser/design/index.html.en    1769) have this API available we patched the code to give content-window related
projects/torbrowser/design/index.html.en    1770) coordinates back. Furthermore, we made sure that the touch area described by
projects/torbrowser/design/index.html.en    1771) <span class="command"><strong>Touch.radiusX</strong></span>, <span class="command"><strong>Touch.radiusY</strong></span>, and
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1772) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1773) <span class="command"><strong>Touch.rotationAngle</strong></span> does not leak further information and
projects/torbrowser/design/index.html.en    1774) <span class="command"><strong>Touch.force</strong></span> does not reveal how much pressure a user applied
projects/torbrowser/design/index.html.en    1775) to the surface. That is achieved by a direct
projects/torbrowser/design/index.html.en    1776) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=7d9701c2b6a203b1b7a556f614858588e3e5976e" target="_top">
projects/torbrowser/design/index.html.en    1777) Firefox patch</a> which reports back <span class="command"><strong>1</strong></span> for the first two
projects/torbrowser/design/index.html.en    1778) properties and <span class="command"><strong>0.0</strong></span> for the last two.
projects/torbrowser/design/index.html.en    1779) 
Georg Koppen Update remaning things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1780)       </p></li><li class="listitem"><span class="command"><strong>Battery Status API</strong></span><p>
projects/torbrowser/design/index.html.en    1781) 
projects/torbrowser/design/index.html.en    1782) The Battery Status API provides access to information about the system's battery
projects/torbrowser/design/index.html.en    1783) charge level. From Firefox 52 on it is disabled for web content. Initially, it
projects/torbrowser/design/index.html.en    1784) was possible on Linux to get a double-precision floating point value for the
projects/torbrowser/design/index.html.en    1785) charge level, which means there was a large number of possible values, making it
projects/torbrowser/design/index.html.en    1786) behave almost like an identifier that allows tracking a user cross-origin. But
projects/torbrowser/design/index.html.en    1787) even after that got fixed (and on other platforms where the precision was just
projects/torbrowser/design/index.html.en    1788) two significant digits anyway) the risk of tracking users remained, as combined
projects/torbrowser/design/index.html.en    1789) with the <span class="command"><strong>chargingTime</strong></span> and <span class="command"><strong>dischargingTime</strong></span>
projects/torbrowser/design/index.html.en    1790) the possible values <a class="ulink" href="https://senglehardt.com/papers/iwpe17_battery_status_case_study.pdf" target="_top">
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1791) got estimated to be in the millions</a> under normal conditions. We avoid all
Georg Koppen Update remaning things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1792) those possible issues by disabling the Battery Status API, setting
projects/torbrowser/design/index.html.en    1793) <span class="command"><strong>dom.battery.enabled</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en    1794) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1795)       </p></li><li class="listitem"><span class="command"><strong>System Uptime</strong></span><p>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1796) 
projects/torbrowser/design/index.html.en    1797) It is possible to get the system uptime of a Tor Browser user by querying the
projects/torbrowser/design/index.html.en    1798) <span class="command"><strong>Event.timeStamp</strong></span> property. We avoid this by setting <span class="command"><strong>
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1799) dom.event.highrestimestamp.enabled</strong></span> to <span class="command"><strong>true</strong></span>. This
projects/torbrowser/design/index.html.en    1800) might seem to be counterintuitive at first glance but the effect of setting
projects/torbrowser/design/index.html.en    1801) that preference to <code class="code">true</code> is a
projects/torbrowser/design/index.html.en    1802) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/17046#comment:8" target="_top">
projects/torbrowser/design/index.html.en    1803) normalization</a> of <code class="code">evt.timeStamp</code> and
projects/torbrowser/design/index.html.en    1804) <code class="code">new Event('').timeStamp</code>. Together with clamping the timer
projects/torbrowser/design/index.html.en    1805) resolution to 100ms this provides an effective means against system uptime
projects/torbrowser/design/index.html.en    1806) fingerprinting.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1807) 
projects/torbrowser/design/index.html.en    1808)       </p></li><li class="listitem"><span class="command"><strong>Keyboard Layout Fingerprinting</strong></span><p>
projects/torbrowser/design/index.html.en    1809) 
projects/torbrowser/design/index.html.en    1810) <span class="command"><strong>KeyboardEvent</strong></span>s provide a way for a website to find out
projects/torbrowser/design/index.html.en    1811) information about the keyboard layout of its visitors. In fact there are <a class="ulink" href="https://developers.google.com/web/updates/2016/04/keyboardevent-keys-codes" target="_top">
projects/torbrowser/design/index.html.en    1812) several dimensions</a> to this fingerprinting vector. The <span class="command"><strong>
projects/torbrowser/design/index.html.en    1813) KeyboardEvent.code</strong></span> property represents a physical key that can't be
projects/torbrowser/design/index.html.en    1814) changed by the keyboard layout or by the modifier state. On the other hand, the
projects/torbrowser/design/index.html.en    1815) <span class="command"><strong>KeyboardEvent.key</strong></span> property contains the character that is
projects/torbrowser/design/index.html.en    1816) generated by that key. This is dependent on things like keyboard layout, locale
projects/torbrowser/design/index.html.en    1817) and modifier keys.
projects/torbrowser/design/index.html.en    1818) 
projects/torbrowser/design/index.html.en    1819)       </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en    1820) 
projects/torbrowser/design/index.html.en    1821) Websites MUST NOT be able to infer any information about the keyboard of a Tor
projects/torbrowser/design/index.html.en    1822) Browser user.
projects/torbrowser/design/index.html.en    1823) 
projects/torbrowser/design/index.html.en    1824)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    1825) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1826) We provide <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=d6d29f155e60c63b38918c8879ee221b9c90b1f7" target="_top">two</a>
projects/torbrowser/design/index.html.en    1827) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=789bad5fe5a7a0c2d27e1d8dd7b9a7e35de91cc8" target="_top">Firefox patches</a>
projects/torbrowser/design/index.html.en    1828) that take care of spoofing <span class="command"><strong>KeyboardEvent.code</strong></span> and <span class="command"><strong>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1829) KeyboardEvent.keyCode</strong></span> by providing consensus (US-English-style) fake
projects/torbrowser/design/index.html.en    1830) properties. This is achieved by hiding the user's use of the numpad, and any
projects/torbrowser/design/index.html.en    1831) non-QWERTY US English keyboard. Characters from non-en-US languages
projects/torbrowser/design/index.html.en    1832) currently return an empty <span class="command"><strong>KeyboardEvent.code</strong></span> and a
projects/torbrowser/design/index.html.en    1833) <span class="command"><strong>KeyboardEvent.keyCode</strong></span> of <span class="command"><strong>0</strong></span>. Moreover,
projects/torbrowser/design/index.html.en    1834) neither <span class="command"><strong>Alt</strong></span>, <span class="command"><strong>Shift</strong></span>, nor
projects/torbrowser/design/index.html.en    1835) <span class="command"><strong>AltGr</strong></span> keyboard events are reported to content.
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1836) 
projects/torbrowser/design/index.html.en    1837)       </p><p>
projects/torbrowser/design/index.html.en    1838) 
projects/torbrowser/design/index.html.en    1839) We are currently not taking the actually deployed browser locale or the locale
projects/torbrowser/design/index.html.en    1840) indicated by a loaded document into account when spoofing the keyboard layout.
projects/torbrowser/design/index.html.en    1841) We think that would be the right thing to do in the longer run, to mitigate
projects/torbrowser/design/index.html.en    1842) possible usability issues and broken functionality on websites. Similarly to
projects/torbrowser/design/index.html.en    1843) how users of non-English Tor Browser bundles right now can choose between
projects/torbrowser/design/index.html.en    1844) keeping the Accept header spoofed or not, they would then be able to keep a
projects/torbrowser/design/index.html.en    1845) spoofed English keyboard or a spoofed one depending on the actual Tor Browser
projects/torbrowser/design/index.html.en    1846) locale or language of the document.
projects/torbrowser/design/index.html.en    1847) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1848)       </p></li><li class="listitem"><span class="command"><strong>User Agent and HTTP Headers</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1849) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1850) All Tor Browser users MUST provide websites with an identical user agent and
projects/torbrowser/design/index.html.en    1851) HTTP header set for a given request type. We omit the Firefox minor revision,
projects/torbrowser/design/index.html.en    1852) and report a popular Windows platform. If the software is kept up to date,
projects/torbrowser/design/index.html.en    1853) these headers should remain identical across the population even when updated.
projects/torbrowser/design/index.html.en    1854) 
projects/torbrowser/design/index.html.en    1855)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1856) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1857) Firefox provides several options for controlling the browser user agent string
projects/torbrowser/design/index.html.en    1858) which we leverage. We also set similar prefs for controlling the
projects/torbrowser/design/index.html.en    1859) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1860) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=bd51d0c24d339c5135028297f5eeb591a65e99df" target="_top">remove
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1861) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1862) used</a> to fingerprint OS, platform, and Firefox minor version.  </p></li><li class="listitem"><span class="command"><strong>Timing-based Side Channels</strong></span><p>
projects/torbrowser/design/index.html.en    1863) Attacks based on timing side channels are nothing new in the browser context.
projects/torbrowser/design/index.html.en    1864) <a class="ulink" href="http://sip.cs.princeton.edu/pub/webtiming.pdf" target="_top">Cache-based</a>,
projects/torbrowser/design/index.html.en    1865) <a class="ulink" href="https://www.abortz.net/papers/timingweb.pdf" target="_top">cross-site timing</a>,
projects/torbrowser/design/index.html.en    1866) and <a class="ulink" href="https://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf" target="_top">
projects/torbrowser/design/index.html.en    1867) pixel stealing</a>, to name just a few, have been investigated in the past.
projects/torbrowser/design/index.html.en    1868) While their fingerprinting potential varies, all timing-based attacks have in
projects/torbrowser/design/index.html.en    1869) common that they need sufficiently fine-grained clocks.
projects/torbrowser/design/index.html.en    1870)       </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en    1871) 
projects/torbrowser/design/index.html.en    1872) Websites MUST NOT be able to fingerprint a Tor Browser user by exploiting
projects/torbrowser/design/index.html.en    1873) timing-based side channels.
projects/torbrowser/design/index.html.en    1874) 
projects/torbrowser/design/index.html.en    1875)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    1876) 
projects/torbrowser/design/index.html.en    1877) The cleanest solution to timing-based side channels would be to get rid of them.
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1878) This has been <a class="ulink" href="https://acmccs.github.io/papers/p163-caoA.pdf" target="_top">proposed</a>
projects/torbrowser/design/index.html.en    1879) in the research community. However, we remain skeptical as it does not seem to
projects/torbrowser/design/index.html.en    1880) be trivial even considering just a
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1881) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=711043" target="_top">single</a>
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1882) <a class="ulink" href="https://cseweb.ucsd.edu/~dkohlbre/papers/subnormal.pdf" target="_top">side channel</a>
projects/torbrowser/design/index.html.en    1883) and <a class="ulink" href="https://gruss.cc/files/fantastictimers.pdf" target="_top">more and more
projects/torbrowser/design/index.html.en    1884) potential side channels</a> are showing up. Thus, we rely on disabling all
projects/torbrowser/design/index.html.en    1885) possible timing sources or making them coarse-grained enough in order to render
projects/torbrowser/design/index.html.en    1886) timing side channels unsuitable as a means for fingerprinting browser users.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1887) 
projects/torbrowser/design/index.html.en    1888)       </p><p>
projects/torbrowser/design/index.html.en    1889) 
projects/torbrowser/design/index.html.en    1890) We set <span class="command"><strong>dom.enable_user_timing</strong></span> and
projects/torbrowser/design/index.html.en    1891) <span class="command"><strong>dom.enable_resource_timing</strong></span> to <span class="command"><strong>false</strong></span> to
projects/torbrowser/design/index.html.en    1892) disable these explicit timing sources. Furthermore, we clamp the resolution of
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1893) explicit clocks to 100ms <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=1736ea256276546c899d712dffdae2c8d050d8a0" target="_top">with two Firefox</a> <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=a4c6d2c07d483acfd729c7a50dd3f7b07fcba03a" target="_top">patches</a>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1894) 
projects/torbrowser/design/index.html.en    1895) This includes <span class="command"><strong>performance.now()</strong></span>, <span class="command"><strong>new Date().getTime()
projects/torbrowser/design/index.html.en    1896) </strong></span>, <span class="command"><strong>audioContext.currentTime</strong></span>, <span class="command"><strong>
projects/torbrowser/design/index.html.en    1897) canvasStream.currentTime</strong></span>, <span class="command"><strong>video.currentTime</strong></span>,
projects/torbrowser/design/index.html.en    1898) <span class="command"><strong>audio.currentTime</strong></span>, <span class="command"><strong>new File([], "").lastModified
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1899) </strong></span>, <span class="command"><strong>new File([], "").lastModifiedDate.getTime()</strong></span>,
projects/torbrowser/design/index.html.en    1900) <span class="command"><strong>animation.startTime</strong></span>, <span class="command"><strong>animation.currentTime</strong></span>,
projects/torbrowser/design/index.html.en    1901) <span class="command"><strong>animation.timeline.currentTime</strong></span>,
projects/torbrowser/design/index.html.en    1902) and <span class="command"><strong>document.timeline.currentTime</strong></span>.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1903) 
projects/torbrowser/design/index.html.en    1904)       </p><p>
projects/torbrowser/design/index.html.en    1905) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1906) While clamping the clock resolution to 100ms is a step towards mitigating
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1907) timing-based side channel fingerprinting, it is by no means sufficient. It turns
projects/torbrowser/design/index.html.en    1908) out that it is possible to subvert our clamping of explicit clocks by using
projects/torbrowser/design/index.html.en    1909) <a class="ulink" href="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kohlbrenner.pdf" target="_top">
projects/torbrowser/design/index.html.en    1910) implicit ones</a>, e.g. extrapolating the true time by running a busy loop
projects/torbrowser/design/index.html.en    1911) with a predictable operation in it. We are tracking
projects/torbrowser/design/index.html.en    1912)  <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/16110" target="_top">this problem
projects/torbrowser/design/index.html.en    1913) </a> in our bug tracker and are working with the research community and
projects/torbrowser/design/index.html.en    1914) Mozilla to develop and test a proper solution to this part of our defense
projects/torbrowser/design/index.html.en    1915) against timing-based side channel fingerprinting risks.
projects/torbrowser/design/index.html.en    1916) 
projects/torbrowser/design/index.html.en    1917)       </p></li><li class="listitem"><span class="command"><strong>resource:// and chrome:// URIs Leaks</strong></span><p>
projects/torbrowser/design/index.html.en    1918) Due to <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=863246" target="_top">bugs
projects/torbrowser/design/index.html.en    1919) </a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1120398" target="_top">
projects/torbrowser/design/index.html.en    1920) in Firefox</a> it is possible to detect the locale and the platform of a
Georg Koppen Update remaining things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1921) Tor Browser user. Moreover, it is possible to
projects/torbrowser/design/index.html.en    1922) <a class="ulink" href="https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-sanchez-rola.pdf" target="_top">
projects/torbrowser/design/index.html.en    1923) find out the extensions</a> a user has installed. This is done by
projects/torbrowser/design/index.html.en    1924) including resource:// and/or chrome:// URIs into web content, which point to
projects/torbrowser/design/index.html.en    1925) resources included in Tor Browser itself or in installed extensions, and
projects/torbrowser/design/index.html.en    1926) exploiting the different behavior resulting out of that: the browser raises
projects/torbrowser/design/index.html.en    1927) an exception if a webpage requests a resource but the extension is not
projects/torbrowser/design/index.html.en    1928) installed. This does not happen if the extension is indeed installed but the
projects/torbrowser/design/index.html.en    1929) resource path does not exist.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1930)       </p><p>
projects/torbrowser/design/index.html.en    1931) 
projects/torbrowser/design/index.html.en    1932) We believe that it should be impossible for web content to extract information
projects/torbrowser/design/index.html.en    1933) out of a Tor Browser user by deploying resource:// and/or chrome:// URIs. Until
projects/torbrowser/design/index.html.en    1934) this is fixed in Firefox <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/content-policy.js" target="_top">
projects/torbrowser/design/index.html.en    1935) we filter</a> resource:// and chrome:// requests made
projects/torbrowser/design/index.html.en    1936) by web content, denying them by default. We need a whitelist of resource:// and
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1937) chrome:// URIs, though, to avoid breaking parts of Firefox. There are more than a
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1938) dozen Firefox resources that do not aid in fingerprinting Tor Browser users as they
projects/torbrowser/design/index.html.en    1939) are not different on the platforms and in the locales we support.
projects/torbrowser/design/index.html.en    1940) 
projects/torbrowser/design/index.html.en    1941)       </p></li><li class="listitem"><span class="command"><strong>Locale Fingerprinting</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1942) 
projects/torbrowser/design/index.html.en    1943) In Tor Browser, we provide non-English users the option of concealing their OS
projects/torbrowser/design/index.html.en    1944) and browser locale from websites. It is debatable if this should be as high of
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1945) a priority as information specific to the user's computer, but for completeness,
projects/torbrowser/design/index.html.en    1946) we attempt to maintain this property.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1947) 
projects/torbrowser/design/index.html.en    1948)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    1949) 
projects/torbrowser/design/index.html.en    1950) We set the fallback character set to windows-1252 for all locales, via
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1951) <span class="command"><strong>intl.charset.default</strong></span>. We also set
projects/torbrowser/design/index.html.en    1952) <span class="command"><strong>javascript.use_us_english_locale</strong></span> to <span class="command"><strong>true</strong></span>
projects/torbrowser/design/index.html.en    1953) to instruct the JS engine to use en-US as its internal C locale for all Date,
projects/torbrowser/design/index.html.en    1954) Math, and exception handling. Additionally, we provide a patch to use an
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1955) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=d144738fedeeb23746d7a9f16067bd985b0d59aa" target="_top">
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1956) en-US label for the <span class="command"><strong>isindex</strong></span> HTML element</a> instead of
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1957) letting the label leak the browser's UI locale.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1958)      </p></li><li class="listitem"><span class="command"><strong>Timezone and Clock Offset</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1959) 
projects/torbrowser/design/index.html.en    1960) While the latency in Tor connections varies anywhere from milliseconds to
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1961) a few seconds, it is still possible for the remote site to detect large
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1962) differences between the user's clock and an official reference time source.
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1963) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1964)      </p><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1965) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1966) All Tor Browser users MUST report the same timezone to websites. Currently, we
projects/torbrowser/design/index.html.en    1967) choose UTC for this purpose, although an equally valid argument could be made
projects/torbrowser/design/index.html.en    1968) for EDT/EST due to the large English-speaking population density (coupled with
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1969) the fact that we spoof a US English user agent). Additionally, the Tor
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1970) software should detect if the user's clock is significantly divergent from the
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1971) clocks of the relays that it connects to, and use this to reset the clock
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1972) values used in Tor Browser to something reasonably accurate. Alternatively,
projects/torbrowser/design/index.html.en    1973) the browser can obtain this clock skew via a mechanism similar to that used in
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1974) <a class="ulink" href="https://github.com/ioerror/tlsdate" target="_top">tlsdate</a>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1975) 
projects/en/torbrowser/design/index.html.en 1976)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1977) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1978) We <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=dd1ba0b5c9281ee3207e5a87991159b8d2609a11" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1979) set the timezone to UTC</a> with a Firefox patch using the TZ environment
projects/torbrowser/design/index.html.en    1980) variable, which is supported on all platforms. Moreover, with an additional
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1981) patch just needed for the Windows platform, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=008649e2ce0357f31eb67d874e6429c39ddd7e8f" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1982) we make sure</a> the TZ environment variable is respected by the
projects/torbrowser/design/index.html.en    1983) <a class="ulink" href="http://site.icu-project.org/" target="_top">ICU library</a> as well.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1984) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1985)      </p></li><li class="listitem"><span class="command"><strong>JavaScript Performance Fingerprinting</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1986) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    1987) <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/jspriv.pdf" target="_top">JavaScript
projects/torbrowser/design/index.html.en    1988) performance fingerprinting</a> is the act of profiling the performance of
projects/torbrowser/design/index.html.en    1989) various JavaScript functions for the purpose of fingerprinting the JavaScript
projects/torbrowser/design/index.html.en    1990) engine and the CPU.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1991) 
projects/en/torbrowser/design/index.html.en 1992)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1993) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1994) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1995) mitigation approaches</a> to reduce the accuracy of performance
projects/en/torbrowser/design/index.html.en 1996) fingerprinting without risking too much damage to functionality. Our current
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    1997) favorite is to reduce the resolution of the Event.timeStamp and the JavaScript
projects/torbrowser/design/index.html.en    1998) Date() object, while also introducing jitter. We believe that JavaScript time
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1999) resolution may be reduced all the way up to the second before it seriously
projects/torbrowser/design/index.html.en    2000) impacts site operation. Our goal with this quantization is to increase the
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2001) amount of time it takes to mount a successful attack. <a class="ulink" href="https://cseweb.ucsd.edu/~hovav/dist/jspriv.pdf" target="_top">Mowery et al</a> found
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2002) that even with the default precision in most browsers, they required up to 120
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2003) seconds of amortization and repeated trials to get stable results from their
projects/en/torbrowser/design/index.html.en 2004) feature set. We intend to work with the research community to establish the
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2005) optimum trade-off between quantization+jitter and amortization time, as well
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2006) as identify highly variable JavaScript operations. As long as these attacks
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2007) take several seconds or more to execute, they are unlikely to be appealing to
projects/torbrowser/design/index.html.en    2008) advertisers, and are also very likely to be noticed if deployed against a
projects/torbrowser/design/index.html.en    2009) large number of people.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2010) 
projects/en/torbrowser/design/index.html.en 2011)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 2012) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2013) Currently, our mitigation against performance fingerprinting is to
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2014) disable <a class="ulink" href="https://www.w3.org/TR/navigation-timing/" target="_top">Navigation
projects/torbrowser/design/index.html.en    2015) Timing</a> by setting the Firefox preference
projects/torbrowser/design/index.html.en    2016) <span class="command"><strong>dom.enable_performance</strong></span> to <span class="command"><strong>false</strong></span>, and to
projects/torbrowser/design/index.html.en    2017) disable the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties" target="_top">Mozilla
projects/torbrowser/design/index.html.en    2018) Video Statistics</a> API extensions by setting the preference
projects/torbrowser/design/index.html.en    2019) <span class="command"><strong>media.video_stats.enabled</strong></span> to <span class="command"><strong>false</strong></span>, too.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2020) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2021)      </p></li><li class="listitem"><span class="command"><strong>Keystroke Fingerprinting</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2022) 
projects/en/torbrowser/design/index.html.en 2023) Keystroke fingerprinting is the act of measuring key strike time and key
projects/en/torbrowser/design/index.html.en 2024) flight time. It is seeing increasing use as a biometric.
projects/en/torbrowser/design/index.html.en 2025) 
projects/en/torbrowser/design/index.html.en 2026)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 2027) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2028) We intend to rely on the same mechanisms for defeating JavaScript performance
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2029) fingerprinting: timestamp quantization and jitter.
projects/en/torbrowser/design/index.html.en 2030) 
projects/en/torbrowser/design/index.html.en 2031)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2032) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2033) We clamp keyboard event resolution to 100ms with a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=1736ea256276546c899d712dffdae2c8d050d8a0" target="_top">Firefox patch</a>.
projects/torbrowser/design/index.html.en    2034) 
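The effect of the 100ms clamp on key strike and key flight times, together with the quantization-plus-jitter design goal from the JavaScript performance item, as an added JavaScript illustration (not Tor Browser's Firefox patch). The key events are constructed, and the jitter scheme and all function names are assumptions.

```javascript
// Added illustration; not Tor Browser's Firefox patch.
const RESOLUTION_MS = 100; // clamp value stated in the design document

// Quantization: round a timestamp down to the clock grid.
function clamp(tMs, resolution = RESOLUTION_MS) {
  return Math.floor(tMs / resolution) * resolution;
}

// Deterministic PRNG (mulberry32) so the jitter demo is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Hypothetical jitter scheme (an assumption, not taken from the document):
// report the grid point below or above the true time, chosen at random,
// and never let the reported clock run backwards.
function makeJitteredClock(rng, resolution = RESOLUTION_MS) {
  let last = -Infinity;
  return function (tMs) {
    const base = clamp(tMs, resolution);
    const reported = rng() < 0.5 ? base : base + resolution;
    last = Math.max(last, reported);
    return last;
  };
}

// Constructed sample: [key, keydown ms, keyup ms] as seen by an unclamped clock.
const SAMPLE_KEYS = [
  ["t", 1012.4, 1087.9],
  ["o", 1163.2, 1231.6],
  ["r", 1298.7, 1379.3],
  ["b", 1502.1, 1566.8],
  ["r", 1641.5, 1730.2],
  ["o", 1777.0, 1838.4],
];

// Key strike time = keyup - keydown of one key.
// Key flight time = next keydown - previous keyup.
function keystrokeFeatures(events, clock) {
  // Events do not overlap, so stamping down then up keeps chronological order.
  const stamped = events.map(([key, down, up]) => {
    const d = clock(down);
    const u = clock(up);
    return { key, down: d, up: u };
  });
  const strike = stamped.map((e) => e.up - e.down);
  const flight = stamped.slice(1).map((e, i) => e.down - stamped[i].up);
  return { strike, flight };
}

// Number of distinct feature values at 0.1 ms granularity.
function distinctCount(values) {
  return new Set(values.map((v) => v.toFixed(1))).size;
}

// Compare what a page could measure with each clock.
function compareClocks(events) {
  const raw = keystrokeFeatures(events, (t) => t);
  const clamped = keystrokeFeatures(events, clamp);
  const jittered = keystrokeFeatures(events, makeJitteredClock(mulberry32(1)));
  const summarize = (f) => ({
    strike: distinctCount(f.strike),
    flight: distinctCount(f.flight),
  });
  return {
    raw: summarize(raw),
    clamped: summarize(clamped),
    jittered: summarize(jittered),
    clampedFeatures: clamped,
    jitteredFeatures: jittered,
  };
}

console.log(compareClocks(SAMPLE_KEYS));
```

On the sample, clamping leaves only the values 0, 100 and 200 in the measured features.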
projects/torbrowser/design/index.html.en    2035)      </p></li><li class="listitem"><span class="command"><strong>Amount of Processor Cores (hardwareConcurrency)</strong></span><p>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2036) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2037) Modern computers have multiple physical processor cores available in their
projects/torbrowser/design/index.html.en    2038) CPU.  For optimum performance, native code typically attempts to run as many
projects/torbrowser/design/index.html.en    2039) threads as there are cores, and
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2040) <span class="command"><strong>navigator.hardwareConcurrency</strong></span> makes the number of those
projects/torbrowser/design/index.html.en    2041) threads (i.e. logical processors) available to web content.
projects/torbrowser/design/index.html.en    2042) 
projects/torbrowser/design/index.html.en    2043)       </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en    2044) 
projects/torbrowser/design/index.html.en    2045) Websites MUST NOT be able to fingerprint a Tor Browser user by taking advantage of
projects/torbrowser/design/index.html.en    2046) the number of logical processors available.
projects/torbrowser/design/index.html.en    2047) 
projects/torbrowser/design/index.html.en    2048)       </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    2049) 
projects/torbrowser/design/index.html.en    2050) We set <span class="command"><strong>dom.maxHardwareConcurrency</strong></span> to <span class="command"><strong>1</strong></span> to
projects/torbrowser/design/index.html.en    2051) report the same number of logical processors for everyone. However, there are
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2052) <a class="ulink" href="https://github.com/oftn/core-estimator" target="_top">probabilistic ways of
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2053) determining the same information available</a> which we are not defending
projects/torbrowser/design/index.html.en    2054) against currently. Moreover, we might even want to think about a more elaborate
projects/torbrowser/design/index.html.en    2055) approach defending against this fingerprinting technique by not making all users
projects/torbrowser/design/index.html.en    2056) uniform but rather <a class="ulink" href="https://bugs.torproject.org/22127" target="_top">by following
projects/torbrowser/design/index.html.en    2057) a bucket approach</a> as we currently do in our defense against screen
projects/torbrowser/design/index.html.en    2058) size exfiltration.
projects/torbrowser/design/index.html.en    2059) 
Georg Koppen Update remaining things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2060)       </p></li><li class="listitem"><span class="command"><strong>Web Audio API</strong></span><p>
projects/torbrowser/design/index.html.en    2061) 
projects/torbrowser/design/index.html.en    2062) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Audio_API" target="_top">
projects/torbrowser/design/index.html.en    2063) Web Audio API</a> provides several means to aid in fingerprinting users.
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2064) At the simplest level it allows differentiating between users who have the API
Georg Koppen Update remaning things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2065) available and those who don't by checking for an <span class="command"><strong>AudioContext</strong></span>
projects/torbrowser/design/index.html.en    2066) or <span class="command"><strong>OscillatorNode</strong></span> object. However, there are more bits of
projects/torbrowser/design/index.html.en    2067) information that the Web Audio API reveals if audio signals generated with an
projects/torbrowser/design/index.html.en    2068) <span class="command"><strong>OscillatorNode</strong></span> are processed as
projects/torbrowser/design/index.html.en    2069) <a class="ulink" href="https://senglehardt.com/papers/ccs16_online_tracking.pdf" target="_top">hardware
projects/torbrowser/design/index.html.en    2070) and software differences</a> influence those results.
projects/torbrowser/design/index.html.en    2071) 
projects/torbrowser/design/index.html.en    2072)       </p><p>
projects/torbrowser/design/index.html.en    2073) 
projects/torbrowser/design/index.html.en    2074) We disable the Web Audio API by setting <span class="command"><strong>dom.webaudio.enabled</strong></span>
projects/torbrowser/design/index.html.en    2075) to <span class="command"><strong>false</strong></span>. That has the positive side effect that it disables
projects/torbrowser/design/index.html.en    2076) one of several means to perform
projects/torbrowser/design/index.html.en    2077) <a class="ulink" href="https://petsymposium.org/2017/papers/issue2/paper18-2017-2-source.pdf" target="_top">
projects/torbrowser/design/index.html.en    2078) ultrasound cross-device tracking</a> as well, which is based on having
projects/torbrowser/design/index.html.en    2079) <span class="command"><strong>AudioContext</strong></span> available.
projects/torbrowser/design/index.html.en    2080) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2081)       </p></li><li class="listitem"><span class="command"><strong>MediaError.message</strong></span><p>
projects/torbrowser/design/index.html.en    2082) 
projects/torbrowser/design/index.html.en    2083) The <span class="command"><strong>MediaError</strong></span> object allows the user agent to report errors
projects/torbrowser/design/index.html.en    2084) that occurred while handling media, for instance using <span class="command"><strong>audio</strong></span>
projects/torbrowser/design/index.html.en    2085) or <span class="command"><strong>video</strong></span> elements. The <span class="command"><strong>message</strong></span> property
projects/torbrowser/design/index.html.en    2086) provides specific diagnostic information to help understand the error
projects/torbrowser/design/index.html.en    2087) condition. As a defense-in-depth we make sure that no information aiding in
projects/torbrowser/design/index.html.en    2088) fingerprinting is leaking to websites that way
projects/torbrowser/design/index.html.en    2089) <span class="command"><strong>
projects/torbrowser/design/index.html.en    2090) by returning just an empty string</strong></span>.
projects/torbrowser/design/index.html.en    2091) 
projects/torbrowser/design/index.html.en    2092)       </p></li><li class="listitem"><span class="command"><strong>Connection State</strong></span><p>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2093) 
projects/torbrowser/design/index.html.en    2094) It is possible to monitor the connection state of a browser over time with
projects/torbrowser/design/index.html.en    2095) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine" target="_top">
projects/torbrowser/design/index.html.en    2096) navigator.onLine</a>. We prevent this by setting <span class="command"><strong>
projects/torbrowser/design/index.html.en    2097) network.manage-offline-status</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en    2098) 
projects/torbrowser/design/index.html.en    2099)      </p></li><li class="listitem"><span class="command"><strong>Reader View</strong></span><p>
projects/torbrowser/design/index.html.en    2100) 
projects/torbrowser/design/index.html.en    2101) <a class="ulink" href="https://support.mozilla.org/t5/Basic-Browsing/Firefox-Reader-View-for-clutter-free-web-pages/ta-p/38466" target="_top">Reader View</a>
projects/torbrowser/design/index.html.en    2102) is a Firefox feature to view web pages clutter-free and easily adjusted to
projects/torbrowser/design/index.html.en    2103) one's own needs and preferences. To avoid fingerprintability risks we make Tor Browser
projects/torbrowser/design/index.html.en    2104) users uniform by setting <span class="command"><strong>reader.parse-on-load.enabled</strong></span> to
projects/torbrowser/design/index.html.en    2105) <span class="command"><strong>false</strong></span> and <span class="command"><strong>browser.reader.detectedFirstArticle</strong></span>
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2106) to <span class="command"><strong>true</strong></span>. This makes sure that documents are not parsed on
projects/torbrowser/design/index.html.en    2107) load as this is disabled on some devices due to memory consumption and we
projects/torbrowser/design/index.html.en    2108) pretend that everybody has already been using that feature in the past.
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2109) 
projects/torbrowser/design/index.html.en    2110)      </p></li><li class="listitem"><span class="command"><strong>Contacting Mozilla Services</strong></span><p>
projects/torbrowser/design/index.html.en    2111) 
projects/torbrowser/design/index.html.en    2112) Tor Browser is based on Firefox which is a Mozilla product. Quite naturally,
projects/torbrowser/design/index.html.en    2113) Mozilla is interested in making users aware of new features and in gathering
projects/torbrowser/design/index.html.en    2114) information to learn about the most pressing needs Firefox users are facing.
projects/torbrowser/design/index.html.en    2115) This is often implemented by contacting Mozilla services, be it for displaying
projects/torbrowser/design/index.html.en    2116) further information about a new feature or by
projects/torbrowser/design/index.html.en    2117) <a class="ulink" href="https://wiki.mozilla.org/Telemetry" target="_top">sending (aggregated) data back
projects/torbrowser/design/index.html.en    2118) for analysis</a>. While some of those mechanisms are disabled by default on
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2119) release channels (such as telemetry data), others are not. We
projects/torbrowser/design/index.html.en    2120) make sure that none of those Mozilla services are contacted to avoid possible
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2121) fingerprinting risks.
projects/torbrowser/design/index.html.en    2122) 
projects/torbrowser/design/index.html.en    2123)       </p><p>
projects/torbrowser/design/index.html.en    2124) 
projects/torbrowser/design/index.html.en    2125) In particular, we disable GeoIP-based search results by setting <span class="command"><strong>
projects/torbrowser/design/index.html.en    2126) browser.search.countryCode</strong></span> and <span class="command"><strong>browser.search.region
projects/torbrowser/design/index.html.en    2127) </strong></span> to <span class="command"><strong>US</strong></span> and <span class="command"><strong>browser.search.geoip.url
projects/torbrowser/design/index.html.en    2128) </strong></span> to the empty string. Furthermore, we disable Selfsupport and Unified
projects/torbrowser/design/index.html.en    2129) Telemetry by setting <span class="command"><strong>browser.selfsupport.enabled</strong></span> and <span class="command"><strong>
projects/torbrowser/design/index.html.en    2130) toolkit.telemetry.unified</strong></span> to <span class="command"><strong>false</strong></span> and we make
projects/torbrowser/design/index.html.en    2131) sure no related ping is reaching Mozilla by setting <span class="command"><strong>
projects/torbrowser/design/index.html.en    2132) datareporting.healthreport.about.reportUrlUnified</strong></span> to <span class="command"><strong>
projects/torbrowser/design/index.html.en    2133) data:text/plain,</strong></span>. The same is done with <span class="command"><strong>
projects/torbrowser/design/index.html.en    2134) datareporting.healthreport.about.reportUrl</strong></span> and the new tiles feature
projects/torbrowser/design/index.html.en    2135) related <span class="command"><strong>browser.newtabpage.directory.ping</strong></span> and <span class="command"><strong>
Georg Koppen Update remaining things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2136) browser.newtabpage.directory.source</strong></span> preferences.
projects/torbrowser/design/index.html.en    2137) <span class="command"><strong>browser.newtabpage.remote</strong></span> is set to <span class="command"><strong>false</strong></span>
projects/torbrowser/design/index.html.en    2138) in this context as well, as a defense-in-depth given that this feature is
projects/torbrowser/design/index.html.en    2139) already off by default. Additionally, we disable the UITour backend by setting
projects/torbrowser/design/index.html.en    2140) <span class="command"><strong>browser.uitour.enabled</strong></span> to <span class="command"><strong>false</strong></span> and avoid
projects/torbrowser/design/index.html.en    2141) getting Mozilla experiments installed into Tor Browser by flipping
projects/torbrowser/design/index.html.en    2142) <span class="command"><strong>experiments.enabled</strong></span> to <span class="command"><strong>false</strong></span>. On the
projects/torbrowser/design/index.html.en    2143) update side we prevent the browser from pinging the new
projects/torbrowser/design/index.html.en    2144) <a class="ulink" href="https://wiki.mozilla.org/Firefox/Kinto" target="_top">Kinto</a> service for
projects/torbrowser/design/index.html.en    2145) blocklist updates as it is not used for it yet anyway. This is done by setting
projects/torbrowser/design/index.html.en    2146) <span class="command"><strong>services.blocklist.update_enabled</strong></span> to <span class="command"><strong>false</strong></span>.
projects/torbrowser/design/index.html.en    2147) The captive portal detection code is disabled as well, as it phones home to
projects/torbrowser/design/index.html.en    2148) Mozilla. We set <span class="command"><strong>network.captive-portal-service.enabled</strong></span> to
projects/torbrowser/design/index.html.en    2149) <span class="command"><strong>false</strong></span> to achieve that. Unrelated to that we make sure that
projects/torbrowser/design/index.html.en    2150) Mozilla does not get bothered with TLS error reports from Tor Browser users by
projects/torbrowser/design/index.html.en    2151) hiding the respective checkbox with
projects/torbrowser/design/index.html.en    2152) <span class="command"><strong>security.ssl.errorReporting.enabled</strong></span> set to
projects/torbrowser/design/index.html.en    2153) <span class="command"><strong>false</strong></span>. And while we have the Push API disabled as there are
projects/torbrowser/design/index.html.en    2154) no Service Workers available in Tor Browser yet, we remove the value for
projects/torbrowser/design/index.html.en    2155) <span class="command"><strong>dom.push.serverURL</strong></span> as a defense-in-depth. Finally, we provide
projects/torbrowser/design/index.html.en    2156) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=9f24ce35cd8776a0f7c3a4d54992ecb0eaad6311" target="_top">a patch</a>
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2157) to prevent Mozilla's websites from querying whether particular extensions are
projects/torbrowser/design/index.html.en    2158) installed and what their state in Tor Browser is by using the
projects/torbrowser/design/index.html.en    2159) <span class="command"><strong>window.navigator.AddonManager</strong></span> API. As a defense-in-depth the
projects/torbrowser/design/index.html.en    2160) patch makes sure that not only Mozilla's websites can't get at that information
projects/torbrowser/design/index.html.en    2161) but that the whitelist governing this access is empty in general.
Georg Koppen Update remaning things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2162) 
projects/torbrowser/design/index.html.en    2163)       </p><p>
projects/torbrowser/design/index.html.en    2164) 
projects/torbrowser/design/index.html.en    2165) We have <a class="ulink" href="https://wiki.mozilla.org/Security/Safe_Browsing" target="_top">Safebrowsing</a>
projects/torbrowser/design/index.html.en    2166) disabled in Tor Browser. In order to avoid pinging providers for list updates we
projects/torbrowser/design/index.html.en    2167) remove the entries for <span class="command"><strong>browser.safebrowsing.provider.mozilla.updateURL</strong></span>
projects/torbrowser/design/index.html.en    2168) and <span class="command"><strong>browser.safebrowsing.provider.mozilla.gethashURL</strong></span> (and the
projects/torbrowser/design/index.html.en    2169) values for Google related preferences as well).
projects/torbrowser/design/index.html.en    2170) 
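One way to check a profile against the settings listed above, as an added example that is not part of the Tor Browser design document or its code: it parses pref()/user_pref() lines and reports every listed preference that is missing or differs. The expected values are transcribed from this section; modelling a removed preference value as an empty string, and the sample file, are assumptions constructed for illustration.

```javascript
// Added example: audit preference-file text against the values this section
// lists. Values the text says are removed are modelled as "" (assumption).
const EXPECTED_PREFS = {
  "browser.search.countryCode": "US",
  "browser.search.region": "US",
  "browser.search.geoip.url": "",
  "browser.selfsupport.enabled": false,
  "toolkit.telemetry.unified": false,
  "datareporting.healthreport.about.reportUrlUnified": "data:text/plain,",
  "datareporting.healthreport.about.reportUrl": "data:text/plain,",
  "browser.newtabpage.directory.ping": "data:text/plain,",
  "browser.newtabpage.directory.source": "data:text/plain,",
  "browser.newtabpage.remote": false,
  "browser.uitour.enabled": false,
  "experiments.enabled": false,
  "services.blocklist.update_enabled": false,
  "network.captive-portal-service.enabled": false,
  "security.ssl.errorReporting.enabled": false,
  "dom.push.serverURL": "",
  "browser.safebrowsing.provider.mozilla.updateURL": "",
  "browser.safebrowsing.provider.mozilla.gethashURL": "",
};

// Convert the right-hand side of a pref() call into a JS value.
// Anything that is not a boolean, integer or double-quoted string is undefined.
function parsePrefValue(raw) {
  if (raw === "true") return true;
  if (raw === "false") return false;
  if (/^-?\d+$/.test(raw)) return Number(raw);
  try {
    const value = JSON.parse(raw);
    return typeof value === "string" ? value : undefined;
  } catch (e) {
    return undefined;
  }
}

// Collect assignments. A user_pref() value takes precedence over a pref()
// default regardless of line order, so a user override of a hardened default
// shows up in the effective value.
function parsePrefs(text) {
  const defaults = new Map();
  const user = new Map();
  const re = /^\s*(user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything else
    (m[1] ? user : defaults).set(m[2], parsePrefValue(m[3]));
  }
  return new Map([...defaults, ...user]);
}

// Return one finding per listed preference that is missing or has a
// different effective value, in the order of EXPECTED_PREFS.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, expected] of Object.entries(EXPECTED_PREFS)) {
    if (!prefs.has(name)) {
      findings.push({ name, status: "missing", expected });
    } else if (prefs.get(name) !== expected) {
      findings.push({ name, status: "mismatch", expected, actual: prefs.get(name) });
    }
  }
  return findings;
}

// Constructed sample, not a real Tor Browser preference file.
const SAMPLE_PREFS = [
  '// constructed sample',
  'user_pref("browser.uitour.enabled", true);',
  'pref("browser.search.countryCode", "US");',
  'pref("browser.search.region", "US");',
  'pref("browser.search.geoip.url", "");',
  'pref("browser.selfsupport.enabled", false);',
  'pref("toolkit.telemetry.unified", false);',
  'pref("browser.uitour.enabled", false);',
  'pref("dom.push.serverURL", "wss://push.example.invalid/");',
].join("\n");

for (const f of auditPrefs(SAMPLE_PREFS)) {
  console.log(f.status.padEnd(8), f.name, "expected", JSON.stringify(f.expected));
}
```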
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2171)       </p></li><li class="listitem"><span class="command"><strong>Operating System Type Fingerprinting</strong></span><p>
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2172) 
projects/torbrowser/design/index.html.en    2173) As we mentioned in the introduction of this section, OS type fingerprinting is
projects/torbrowser/design/index.html.en    2174) currently considered a lower priority, due simply to the numerous ways that
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2175) characteristics of the operating system type may leak into content, and the
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2176) comparatively low contribution of OS to overall entropy. In particular, there
projects/torbrowser/design/index.html.en    2177) are likely to be many ways to measure the differences in widget size,
projects/torbrowser/design/index.html.en    2178) scrollbar size, and other rendered details on a page. Also, directly exported
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2179) OS routines (such as those from the standard C math library) expose
projects/torbrowser/design/index.html.en    2180) differences in their implementations through their return values.
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2181) 
projects/torbrowser/design/index.html.en    2182)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en    2183) 
projects/torbrowser/design/index.html.en    2184) We intend to reduce or eliminate OS type fingerprinting to the best extent
projects/torbrowser/design/index.html.en    2185) possible, but recognize that the effort for reward on this item is not as high
projects/torbrowser/design/index.html.en    2186) as other areas. The entropy on the current OS distribution is somewhere around
projects/torbrowser/design/index.html.en    2187) 2 bits, which is much lower than other vectors which can also be used to
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2188) fingerprint configuration and user-specific information. You can see the
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2189) major areas of OS fingerprinting we're aware of using the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-os" target="_top">tbb-fingerprinting-os
projects/torbrowser/design/index.html.en    2190) tag on our bug tracker</a>.
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2191) 
projects/torbrowser/design/index.html.en    2192)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    2193) 
Georg Koppen Update remaning things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2194) At least two HTML5 features have a different implementation status across the
projects/torbrowser/design/index.html.en    2195) major OS vendors and/or the underlying hardware: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2196) Connection API</a>, and the <a class="ulink" href="https://wiki.mozilla.org/Sensor_API" target="_top">Sensor API</a>. We disable these APIs through the Firefox preferences
Georg Koppen Update remaning things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2197) <span class="command"><strong>dom.network.enabled</strong></span> and
projects/torbrowser/design/index.html.en    2198) <span class="command"><strong>device.sensors.enabled</strong></span>, setting both to <span class="command"><strong>false</strong></span>.
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2199) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2200)      </p></li></ol></div><p>
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2201) For more details on fingerprinting bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed" target="_top">tbb-fingerprinting tag in our bug tracker</a>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2202)    </p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2203) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2204) In order to avoid long-term linkability, we provide a "New Identity" context
projects/torbrowser/design/index.html.en    2205) menu option in Torbutton. This context menu option is active if Torbutton can
projects/torbrowser/design/index.html.en    2206) read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2207) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2208)    </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1068"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2209) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2210) All linkable identifiers and browser state MUST be cleared by this feature.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2211) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2212)     </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1071"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2213) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2214) First, Torbutton disables JavaScript in all open tabs and windows by using
projects/torbrowser/design/index.html.en    2215) both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavaScript</a>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2216) attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29" target="_top">nsIDOMWindowUtils.suppressEventHandling()</a>.
projects/torbrowser/design/index.html.en    2217) We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29" target="_top">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2218) We then clear the site-specific Zoom by temporarily disabling the preference
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2219) <span class="command"><strong>browser.zoom.siteSpecific</strong></span>, and clear the GeoIP wifi token URL
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2220) <span class="command"><strong>geo.wifi.access_token</strong></span> and the last opened URL preference (if
projects/torbrowser/design/index.html.en    2221) it exists). Each tab is then closed.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2222) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2223)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2224) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2225) After closing all tabs, we then clear the searchbox and findbox text and emit
projects/torbrowser/design/index.html.en    2226) "<a class="ulink" href="https://developer.mozilla.org/en-US/docs/Supporting_private_browsing_mode#Private_browsing_notifications" target="_top">browser:purge-session-history</a>"
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2227) (which instructs addons and various Firefox components to clear their session
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2228) state). Then we manually clear the following state: HTTP auth, SSL state,
projects/torbrowser/design/index.html.en    2229) crypto tokens, OCSP state, site-specific content preferences (including HSTS
projects/torbrowser/design/index.html.en    2230) state), the undo tab history, content and image cache, offline and memory cache,
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2231) offline storage, Cache storage, IndexedDB storage, asm.js cache, cookies,
projects/torbrowser/design/index.html.en    2232) DOM storage, the safe browsing key, the Google wifi geolocation token (if it
projects/torbrowser/design/index.html.en    2233) exists), and the domain isolator state. We also clear NoScript's site and
projects/torbrowser/design/index.html.en    2234) temporary permissions, and all other browser site permissions.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 2235) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2236)      </p><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    2237) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2238) After the state is cleared, we then close all remaining HTTP Keep-Alive
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2239) connections and then send the NEWNYM signal to the Tor control port to cause a
projects/torbrowser/design/index.html.en    2240) new circuit to be created.
projects/torbrowser/design/index.html.en    2241)      </p><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2242) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2243) Finally, a fresh browser window is opened, and the current browser window is
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2244) closed (this does not spawn a new Firefox process, only a new window). Upon
projects/torbrowser/design/index.html.en    2245) the close of the final window, an unload handler is fired to invoke the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDOMWindowUtils#garbageCollect%28%29" target="_top">garbage
projects/torbrowser/design/index.html.en    2246) collector</a>, which has the effect of immediately purging any blob:UUID
projects/torbrowser/design/index.html.en    2247) URLs that were created by website content via <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>.
projects/torbrowser/design/index.html.en    2248) 
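The control-port step of this sequence, as an added example (not Torbutton's code): it authenticates and sends SIGNAL NEWNYM, stopping at the first reply that is not 250. The synchronous send callback, treating TOR_CONTROL_PASSWD as the raw password and hex-encoding it, the in-memory control port and the port value 9151 are assumptions made so the exchange runs offline.

```javascript
// Added example: AUTHENTICATE followed by SIGNAL NEWNYM on the Tor control
// port. The transport is a callback so the exchange can run against a
// constructed in-memory control port instead of a real tor process.

// AUTHENTICATE accepts a quoted string or hex digits; hex avoids having to
// escape quotes and backslashes in the password.
function hexEncode(text) {
  return Array.from(new TextEncoder().encode(text))
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
}

// Parse a single-line control reply such as "250 OK". Anything that does not
// look like "<3 digits><space><text>" is reported with code 0.
function parseReply(line) {
  const m = /^(\d{3}) (.*)$/.exec(line.replace(/\r?\n$/, ""));
  return m ? { code: Number(m[1]), text: m[2] } : { code: 0, text: "malformed reply" };
}

// env: object holding TOR_CONTROL_PORT and TOR_CONTROL_PASSWD.
// send(port, line): hypothetical transport that writes one command line to
// the control port and returns the reply line.
function requestNewIdentity(env, send) {
  const port = Number(env.TOR_CONTROL_PORT);
  const passwd = env.TOR_CONTROL_PASSWD;
  // As on the page: the feature is only usable when both variables are readable.
  if (!Number.isInteger(port) || port < 1 || port > 65535 || typeof passwd !== "string") {
    return { ok: false, stage: "env", detail: "control port or password not available" };
  }
  const steps = [
    ["auth", "AUTHENTICATE " + hexEncode(passwd)],
    ["newnym", "SIGNAL NEWNYM"],
  ];
  for (const [stage, command] of steps) {
    const reply = parseReply(send(port, command + "\r\n"));
    // Stop at the first failure so SIGNAL is never sent unauthenticated.
    if (reply.code !== 250) {
      return { ok: false, stage, detail: reply.code + " " + reply.text };
    }
  }
  return { ok: true, stage: "done", detail: "250 OK" };
}

// Constructed stand-in for a control port: accepts one password and refuses
// SIGNAL before authentication. Only command verbs are logged, never the
// credential itself.
function makeFakeControlPort(expectedPassword) {
  let authenticated = false;
  const log = [];
  const send = (port, line) => {
    const [verb, arg] = line.trim().split(" ");
    log.push(verb);
    if (verb === "AUTHENTICATE") {
      authenticated = arg === hexEncode(expectedPassword);
      return authenticated ? "250 OK\r\n" : "515 Authentication failed\r\n";
    }
    if (!authenticated) return "514 Authentication required\r\n";
    if (verb === "SIGNAL" && arg === "NEWNYM") return "250 OK\r\n";
    return "552 Unrecognized signal\r\n";
  };
  return { send, log };
}

// Constructed environment values for the demonstration run.
const demoEnv = { TOR_CONTROL_PORT: "9151", TOR_CONTROL_PASSWD: 'hunter2 "quoted"' };
const demoPort = makeFakeControlPort('hunter2 "quoted"');
console.log(requestNewIdentity(demoEnv, demoPort.send), demoPort.log);
```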
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2249)      </p></blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="other-security"></a>4.8. Other Security Measures</h3></div></div></div><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2250) 
projects/torbrowser/design/index.html.en    2251) In addition to the above mechanisms that are devoted to preserving privacy
projects/torbrowser/design/index.html.en    2252) while browsing, we also have a number of technical mechanisms to address other
projects/torbrowser/design/index.html.en    2253) privacy and security issues.
projects/torbrowser/design/index.html.en    2254) 
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2255)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="security-slider"></a><span class="command"><strong>Security Slider</strong></span><p>
projects/torbrowser/design/index.html.en    2256) In order to provide vulnerability surface reduction for users that need high
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2257) security, we have implemented a "Security Slider" to allow users to make a
projects/torbrowser/design/index.html.en    2258) tradeoff between usability and security while minimizing the total number of
projects/torbrowser/design/index.html.en    2259) choices (to reduce fingerprinting). Using metrics collected from
projects/torbrowser/design/index.html.en    2260) Mozilla's bug tracker, we analyzed the vulnerability counts of core
projects/torbrowser/design/index.html.en    2261) components, and used <a class="ulink" href="https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle" target="_top">information
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2262) gathered from a study performed by iSec Partners</a> to inform which
projects/torbrowser/design/index.html.en    2263) features should be disabled at which security levels.
projects/torbrowser/design/index.html.en    2264) 
projects/torbrowser/design/index.html.en    2265)      </p><p>
projects/torbrowser/design/index.html.en    2266) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2267) The Security Slider consists of three positions:
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2268) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2269)      </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><span class="command"><strong>Low (default)</strong></span><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2270) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2271) At this security level, the preferences are the Tor Browser defaults. This
projects/torbrowser/design/index.html.en    2272) includes three features that were formerly governed by the slider at
projects/torbrowser/design/index.html.en    2273) higher security levels: <span class="command"><strong>gfx.font_rendering.graphite.enabled</strong></span>
projects/torbrowser/design/index.html.en    2274) is set to <span class="command"><strong>false</strong></span> now after Mozilla got convinced that
projects/torbrowser/design/index.html.en    2275) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1255731" target="_top">leaving
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2276) it enabled is too risky</a>. Even though Mozilla reverted that decision
projects/torbrowser/design/index.html.en    2277) after another round of fixing critical Graphite bugs, we remain skeptical
projects/torbrowser/design/index.html.en    2278) and keep that feature disabled for now. <span class="command"><strong>network.jar.block-remote-files</strong></span>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2279) is set to <span class="command"><strong>true</strong></span>. Mozilla tried to block remote JAR files in
projects/torbrowser/design/index.html.en    2280) Firefox 45 but needed to revert that decision due to breaking IBM's iNotes.
projects/torbrowser/design/index.html.en    2281) While Mozilla <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1329336" target="_top">
projects/torbrowser/design/index.html.en    2282) is working on getting this disabled again</a>, we already take the protective
projects/torbrowser/design/index.html.en    2283) stance and block remote JAR files even on the low security level. Finally,
projects/torbrowser/design/index.html.en    2284) we exempt asm.js from the security slider and block it on all levels. See the
projects/torbrowser/design/index.html.en    2285) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> and the cache linkability
projects/torbrowser/design/index.html.en    2286) concerns in the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier
projects/torbrowser/design/index.html.en    2287) Unlinkability</a> sections for further details.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2288) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2289)       </p></li><li class="listitem"><span class="command"><strong>Medium</strong></span><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2290) 
projects/torbrowser/design/index.html.en    2291) At this security level, we disable the ION JIT
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2292) (<span class="command"><strong>javascript.options.ion</strong></span>), native regular expressions
projects/torbrowser/design/index.html.en    2293) (<span class="command"><strong>javascript.options.native_regexp</strong></span>), Baseline JIT
projects/torbrowser/design/index.html.en    2294) (<span class="command"><strong>javascript.options.baselinejit</strong></span>), WebAudio
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2295) (<span class="command"><strong>media.webaudio.enabled</strong></span>), MathML
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2296) (<span class="command"><strong>mathml.disabled</strong></span>), SVG Opentype font rendering
projects/torbrowser/design/index.html.en    2297) (<span class="command"><strong>gfx.font_rendering.opentype_svg.enabled</strong></span>), and make HTML5 audio
projects/torbrowser/design/index.html.en    2298) and video click-to-play via NoScript (<span class="command"><strong>noscript.forbidMedia</strong></span>).
projects/torbrowser/design/index.html.en    2299) Furthermore, we only allow JavaScript to run if it is loaded over HTTPS and the
projects/torbrowser/design/index.html.en    2300) URL bar is HTTPS (by setting <span class="command"><strong>noscript.global</strong></span> to false and
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2301) <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span> to true).
projects/torbrowser/design/index.html.en    2302) 
projects/torbrowser/design/index.html.en    2303)        </p></li><li class="listitem"><span class="command"><strong>High</strong></span><p>
projects/torbrowser/design/index.html.en    2304) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2305) This security level inherits the preferences from the Medium level, and
projects/torbrowser/design/index.html.en    2306) additionally disables remote fonts (<span class="command"><strong>noscript.forbidFonts</strong></span>),
projects/torbrowser/design/index.html.en    2307) completely disables JavaScript (by
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2308) unsetting <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span>), and disables SVG
projects/torbrowser/design/index.html.en    2309) images (<span class="command"><strong>svg.in-content.enabled</strong></span>).
projects/torbrowser/design/index.html.en    2310) 
projects/torbrowser/design/index.html.en    2311)        </p></li></ul></div></li><li class="listitem"><a id="traffic-fingerprinting-defenses"></a><span class="command"><strong>Website Traffic Fingerprinting Defenses</strong></span><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2312) 
projects/torbrowser/design/index.html.en    2313) <a class="link" href="#website-traffic-fingerprinting">Website Traffic
projects/torbrowser/design/index.html.en    2314) Fingerprinting</a> is a statistical attack that attempts to recognize specific
projects/torbrowser/design/index.html.en    2315) encrypted website activity.
projects/torbrowser/design/index.html.en    2316) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2317)      </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1129"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2318) 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2319) We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2320) for classification. This mechanism would either impact the true and false
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2321) positive accuracy rates, <span class="emphasis"><em>or</em></span> reduce the number of web pages
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2322) that could be classified at a given accuracy rate.
projects/torbrowser/design/index.html.en    2323) 
projects/torbrowser/design/index.html.en    2324)      </p><p>
projects/torbrowser/design/index.html.en    2325) 
projects/torbrowser/design/index.html.en    2326) Ideally, this mechanism would be as light-weight as possible, and would be
projects/torbrowser/design/index.html.en    2327) tunable in terms of overhead. We suspect that it may even be possible to
projects/torbrowser/design/index.html.en    2328) deploy a mechanism that reduces feature extraction resolution without any
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2329) network overhead. In the no-overhead category, we have <a class="ulink" href="https://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf" target="_top">HTTPOS</a> and
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2330) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">better
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2331) use of HTTP pipelining and/or SPDY</a>.
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2332) In the tunable/low-overhead
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2333) category, we have <a class="ulink" href="https://arxiv.org/abs/1512.00524" target="_top">Adaptive
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2334) Padding</a> and <a class="ulink" href="https://www3.cs.stonybrook.edu/~xcai/fp.pdf" target="_top">
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2335) Congestion-Sensitive BUFLO</a>. It may also be possible to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7028" target="_top">tune such
projects/torbrowser/design/index.html.en    2336) defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2337) network, making them also effectively no-overhead.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2338) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2339)      </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1141"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2340) Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=b9fa77472aa67e26bd46a5ca889b20ce3448f9d1" target="_top">randomize
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2341) pipeline order and depth</a>. Unfortunately, pipelining is very fragile.
projects/torbrowser/design/index.html.en    2342) Many sites do not support it, and even sites that advertise support for
projects/torbrowser/design/index.html.en    2343) pipelining may simply return error codes for successive requests, effectively
projects/torbrowser/design/index.html.en    2344) forcing the browser into non-pipelined behavior. Firefox also has code to back
projects/torbrowser/design/index.html.en    2345) off and reduce or eliminate the pipeline if this happens. These
projects/torbrowser/design/index.html.en    2346) shortcomings and fallback behaviors are the primary reason that Google
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2347) developed SPDY as opposed to simply extending HTTP to improve pipelining. It
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2348) turns out that we could actually deploy exit-side proxies that allow us to
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2349) <a class="ulink" href="https://gitweb.torproject.org/torspec.git/tree/proposals/ideas/xxx-using-spdy.txt" target="_top">use
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2350) SPDY from the client to the exit node</a>. This would make our defense not
projects/torbrowser/design/index.html.en    2351) only free, but one that actually <span class="emphasis"><em>improves</em></span> performance.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2352) 
projects/torbrowser/design/index.html.en    2353)      </p><p>
projects/torbrowser/design/index.html.en    2354) 
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2355) Knowing this, we created this defense as an <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2356) research prototype</a> to help evaluate what could be done in the best
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2357) case with full server support. Unfortunately, the bias in favor of compelling
projects/torbrowser/design/index.html.en    2358) attack papers has caused academia to ignore this request thus far, instead
projects/torbrowser/design/index.html.en    2359) publishing only cursory (yet "devastating") evaluations that fail to provide
projects/torbrowser/design/index.html.en    2360) even simple statistics such as the rates of actual pipeline utilization during
projects/torbrowser/design/index.html.en    2361) their evaluations, in addition to the other shortcomings and shortcuts <a class="link" href="#website-traffic-fingerprinting">mentioned earlier</a>. We can
projects/torbrowser/design/index.html.en    2362) accept that our defense might fail to work as well as others (in fact we
projects/torbrowser/design/index.html.en    2363) expect it), but unfortunately the very same shortcuts that provide excellent
projects/torbrowser/design/index.html.en    2364) attack results also allow the conclusion that all defenses are broken forever.
projects/torbrowser/design/index.html.en    2365) So sadly, we are still left in the dark on this point.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2366) 
projects/torbrowser/design/index.html.en    2367)      </p></blockquote></div></div></li><li class="listitem"><span class="command"><strong>Privacy-preserving update notification</strong></span><p>
projects/torbrowser/design/index.html.en    2368) 
projects/torbrowser/design/index.html.en    2369) In order to inform the user when their Tor Browser is out of date, we perform a
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2370) privacy-preserving update check asynchronously in the background. The
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2371) check uses Tor to download the file <a class="ulink" href="https://check.torproject.org/RecommendedTBBVersions" target="_top">https://check.torproject.org/RecommendedTBBVersions</a>
projects/torbrowser/design/index.html.en    2372) and searches that version list for the current value for the local preference
projects/torbrowser/design/index.html.en    2373) <span class="command"><strong>torbrowser.version</strong></span>. If the value from our preference is
projects/torbrowser/design/index.html.en    2374) present in the recommended version list, the check is considered to have
projects/torbrowser/design/index.html.en    2375) succeeded and the user is up to date. If not, it is considered to have failed
projects/torbrowser/design/index.html.en    2376) and an update is needed. The check is triggered upon browser launch, new
projects/torbrowser/design/index.html.en    2377) window, and new tab, but is rate limited so as to happen no more frequently
projects/torbrowser/design/index.html.en    2378) than once every 1.5 hours.
projects/torbrowser/design/index.html.en    2379) 
projects/torbrowser/design/index.html.en    2380)      </p><p>
projects/torbrowser/design/index.html.en    2381) 
projects/torbrowser/design/index.html.en    2382) If the check fails, we cache this fact, and update the Torbutton graphic to
projects/torbrowser/design/index.html.en    2383) display a flashing warning icon and insert a menu option that provides a link
projects/torbrowser/design/index.html.en    2384) to our download page. Additionally, we reset the value for the browser
projects/torbrowser/design/index.html.en    2385) homepage to point to a <a class="ulink" href="https://check.torproject.org/?lang=en-US&amp;small=1&amp;uptodate=0" target="_top">page that
projects/torbrowser/design/index.html.en    2386) informs the user</a> that their browser is out of
projects/torbrowser/design/index.html.en    2387) date.
projects/torbrowser/design/index.html.en    2388) 
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2389)      </p><p>
projects/torbrowser/design/index.html.en    2390) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2391) We also make use of the in-browser Mozilla updater, and have <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=0efd496826cc3dfb0a6874d150e8acecd4eb6a92" target="_top">patched
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2392) the updater</a> to avoid sending OS and kernel version information as part
projects/torbrowser/design/index.html.en    2393) of its update pings.
projects/torbrowser/design/index.html.en    2394) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2395)      </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="BuildSecurity"></a>5. Build Security and Package Integrity</h2></div></div></div><p>
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    2396) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2397) In the age of state-sponsored malware, <a class="ulink" href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise" target="_top">we
projects/torbrowser/design/index.html.en    2398) believe</a> it is impossible to expect to keep a single build machine or
projects/torbrowser/design/index.html.en    2399) software signing key secure, given the class of adversaries that Tor has to
projects/torbrowser/design/index.html.en    2400) contend with. For this reason, we have deployed a build system
projects/torbrowser/design/index.html.en    2401) that allows anyone to use our source code to reproduce byte-for-byte identical
projects/torbrowser/design/index.html.en    2402) binary packages to the ones that we distribute.
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    2403) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2404)   </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1164"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    2405) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2406) The GNU toolchain has been working on providing reproducible builds for some
projects/torbrowser/design/index.html.en    2407) time; however, a large software project such as Firefox typically ends up
projects/torbrowser/design/index.html.en    2408) embedding a large number of details about the machine it was built on, both
projects/torbrowser/design/index.html.en    2409) intentionally and inadvertently. Additionally, manual changes to the build
projects/torbrowser/design/index.html.en    2410) machine configuration can accumulate over time and are difficult for others to
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2411) replicate externally, which leads to difficulties with binary reproducibility.
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    2412) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2413)    </p><p>
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2414) For this reason, we decided to leverage the work done by the <a class="ulink" href="https://gitian.org/" target="_top">Gitian Project</a> from the Bitcoin community.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2415) Gitian is a wrapper around Ubuntu's virtualization tools that allows you to
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2416) specify an Ubuntu or Debian version, architecture, a set of additional packages,
projects/torbrowser/design/index.html.en    2417) a set of input files, and a bash build scriptlet in a YAML document called a
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2418) "Gitian Descriptor". This document is used to install a qemu-kvm image, and
projects/torbrowser/design/index.html.en    2419) execute your build scriptlet inside it.
projects/torbrowser/design/index.html.en    2420)    </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2421) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2422) We have created a <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/refs/heads/master" target="_top">set
projects/torbrowser/design/index.html.en    2423) of wrapper scripts</a> around Gitian to automate dependency download and
projects/torbrowser/design/index.html.en    2424) authentication, as well as transfer intermediate build outputs between the
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2425) stages of the build process. Because Gitian creates a Linux build environment,
projects/torbrowser/design/index.html.en    2426) we must use cross-compilation to create packages for Windows and macOS. For
projects/torbrowser/design/index.html.en    2427) Windows, we use mingw-w64 as our cross compiler. For macOS, we use cctools and
projects/torbrowser/design/index.html.en    2428) clang and a binary redistribution of the Mac OS 10.7 SDK.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2429) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2430)    </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2431) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2432) The use of the Gitian system eliminates build non-determinism by normalizing
projects/torbrowser/design/index.html.en    2433) the build environment's hostname, username, build path, uname output,
projects/torbrowser/design/index.html.en    2434) toolchain versions, and time. On top of what Gitian provides, we also had to
projects/torbrowser/design/index.html.en    2435) address the following additional sources of non-determinism:
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2436) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2437)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Filesystem and archive reordering</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2438) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2439) The most prevalent source of non-determinism in the components of Tor Browser
projects/torbrowser/design/index.html.en    2440) by far was the various ways in which archives (such as zip, tar, jar/ja, DMG, and
projects/torbrowser/design/index.html.en    2441) Firefox manifest lists) could be reordered. Many file archivers walk the
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2442) file system in inode structure order by default, which will result in ordering
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2443) differences between two different archive invocations, especially on machines
projects/torbrowser/design/index.html.en    2444) of different disk and hardware configurations.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2445) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2446)     </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2447) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2448) The fix for this is to perform an additional sorting step on the input list
projects/torbrowser/design/index.html.en    2449) for archives, but care must be taken to instruct libc and other sorting routines
projects/torbrowser/design/index.html.en    2450) to use a fixed locale to determine lexicographic ordering, or machines with
projects/torbrowser/design/index.html.en    2451) different locale settings will produce different sort results. We chose the
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2452) 'C' locale for this purpose. We created wrapper scripts for <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dtar.sh" target="_top">tar</a>,
projects/torbrowser/design/index.html.en    2453) <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dzip.sh" target="_top">zip</a>,
projects/torbrowser/design/index.html.en    2454) and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/ddmg.sh" target="_top">DMG</a>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2455) to aid in reproducible archive creation.
projects/torbrowser/design/index.html.en    2456) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2457)     </p></li><li class="listitem"><span class="command"><strong>Uninitialized memory in toolchain/archivers</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2458) 
projects/torbrowser/design/index.html.en    2459) We ran into difficulties with both binutils and the DMG archive script using
projects/torbrowser/design/index.html.en    2460) uninitialized memory in certain data structures that ended up written to disk.
projects/torbrowser/design/index.html.en    2461) Our binutils fixes were merged upstream, but the DMG archive fix remains an
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2462) <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/patches/libdmg.patch" target="_top">independent
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2463) patch</a>.
projects/torbrowser/design/index.html.en    2464) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2465)     </p></li><li class="listitem"><span class="command"><strong>Fine-grained timestamps and timezone leaks</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2466) 
projects/torbrowser/design/index.html.en    2467) The standard way of controlling timestamps in Gitian is to use libfaketime,
projects/torbrowser/design/index.html.en    2468) which hooks time-related library calls to provide a fixed timestamp. However,
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2469) due to our use of wine to run py2exe for python-based pluggable transports,
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2470) pyc timestamps had to be addressed with an additional <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/pyc-timestamp.sh" target="_top">helper
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2471) script</a>. The timezone leaks were addressed by setting the
projects/torbrowser/design/index.html.en    2472) <span class="command"><strong>TZ</strong></span> environment variable to UTC in our descriptors.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2473) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2474)     </p></li><li class="listitem"><span class="command"><strong>Deliberately generated entropy</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2475) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2476) In two circumstances, deliberately generated entropy was introduced in various
projects/torbrowser/design/index.html.en    2477) components of the build process. First, the BuildID Debuginfo identifier
projects/torbrowser/design/index.html.en    2478) (which associates detached debug files with their corresponding stripped
projects/torbrowser/design/index.html.en    2479) executables) was introducing entropy from some unknown source. We removed this
projects/torbrowser/design/index.html.en    2480) header using objcopy invocations in our build scriptlets, and opted to use GNU
projects/torbrowser/design/index.html.en    2481) DebugLink instead of BuildID for this association.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2482) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2483)     </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2484) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2485) Second, on Linux, Firefox builds detached signatures of its cryptographic
projects/torbrowser/design/index.html.en    2486) libraries using a temporary key for FIPS-140 certification. A rather insane
projects/torbrowser/design/index.html.en    2487) subsection of the FIPS-140 certification standard requires that you distribute
projects/torbrowser/design/index.html.en    2488) signatures for all of your cryptographic libraries. The Firefox build process
projects/torbrowser/design/index.html.en    2489) meets this requirement by generating a temporary key, using it to sign the
projects/torbrowser/design/index.html.en    2490) libraries, and discarding the private portion of that key. Because there are
projects/torbrowser/design/index.html.en    2491) many other ways to intercept the crypto outside of modifying the actual DLL
projects/torbrowser/design/index.html.en    2492) images, we opted to simply remove these signature files from distribution.
projects/torbrowser/design/index.html.en    2493) There simply is no way to verify code integrity on a running system without
projects/torbrowser/design/index.html.en    2494) both OS and co-processor assistance. Download package signatures make sense of
projects/torbrowser/design/index.html.en    2495) course, but we handle those another way (as mentioned above).
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2496) 
projects/torbrowser/design/index.html.en    2497) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2498)     </p></li><li class="listitem"><span class="command"><strong>LXC-specific leaks</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2499) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2500) Gitian provides an option to use LXC containers instead of full qemu-kvm
projects/torbrowser/design/index.html.en    2501) virtualization. Unfortunately, these containers can allow additional details
projects/torbrowser/design/index.html.en    2502) about the host OS to leak. In particular, umask settings as well as the
projects/torbrowser/design/index.html.en    2503) hostname and Linux kernel version can leak from the host OS into the LXC
projects/torbrowser/design/index.html.en    2504) container. We addressed umask by setting it explicitly in our Gitian
projects/torbrowser/design/index.html.en    2505) descriptor scriptlet, and addressed the hostname and kernel version leaks by
projects/torbrowser/design/index.html.en    2506) directly patching the aspects of the Firefox build process that included this
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2507) information into the build. It also turns out that some libraries (in
projects/torbrowser/design/index.html.en    2508) particular: libgmp) attempt to detect the current CPU to determine which
projects/torbrowser/design/index.html.en    2509) optimizations to compile in. This CPU type is uniform on our KVM instances,
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2510) but differs under LXC.
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2511) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2512)    </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1196"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2513) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2514) The build process generates a single sha256sums-unsigned-build.txt file that
projects/torbrowser/design/index.html.en    2515) contains a sorted list of the SHA-256 hashes of every package produced for that
projects/torbrowser/design/index.html.en    2516) build version. Each official builder uploads this file and a GPG signature of it
projects/torbrowser/design/index.html.en    2517) to a directory on a Tor Project web server. The build scripts have an optional
projects/torbrowser/design/index.html.en    2518) matching step that downloads these signatures, verifies them, and ensures that
projects/torbrowser/design/index.html.en    2519) the local builds match this file.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2520) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2521)     </p><p>
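The sorted-input archive fix from section 5.1 and the matching step described above, shown together as an added example; this is not code from the Tor Browser build scripts. The file tree, package names and fixed timestamp are constructed, the manifest line format (hex digest, two spaces, filename, sorted by filename) is an assumption, and the GPG signature on the manifest is assumed to have been verified already.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for a build output tree: path -> (content, mode).
SAMPLE_TREE = {
    "tor-browser/start-tor-browser": (b"#!/bin/sh\n", 0o755),
    "tor-browser/Browser/omni.ja": (b"constructed archive payload", 0o644),
    "tor-browser/Browser/firefox": (b"constructed binary payload", 0o755),
    "tor-browser/Docs/ChangeLog.txt": (b"constructed changelog\n", 0o644),
}
FIXED_MTIME = 946684800  # 2000-01-01 00:00:00 UTC; arbitrary constant for this example


def build_archive(tree, walk_order, deterministic=True, build_time=FIXED_MTIME):
    """Return tar bytes for `tree`, visiting members in `walk_order`.

    deterministic=True sorts the input list and pins every metadata field;
    deterministic=False keeps the walk order and stamps `build_time`, as an
    archiver reading the filesystem directly would.
    """
    # sorted() on str compares code points, which for UTF-8 names is the same
    # bytewise order the 'C' locale gives, independent of the machine's locale.
    names = sorted(walk_order) if deterministic else list(walk_order)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            data, mode = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            info.mtime = FIXED_MTIME if deterministic else build_time
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256sums(packages):
    """Render a manifest: one 'digest  filename' line per package, sorted by name."""
    lines = [f"{hashlib.sha256(data).hexdigest()}  {name}"
             for name, data in sorted(packages.items())]
    return "\n".join(lines) + "\n"


def parse_sha256sums(text):
    """Parse a manifest into {filename: digest}, rejecting malformed or duplicate lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, name = line.partition("  ")
        bad_hex = set(digest) - set("0123456789abcdef")
        if not sep or not name or len(digest) != 64 or bad_hex:
            raise ValueError(f"line {lineno}: malformed entry")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def compare_builds(official_text, local_packages):
    """Return {filename: status} for every name in the manifest or the local build."""
    official = parse_sha256sums(official_text)
    local = {n: hashlib.sha256(d).hexdigest() for n, d in local_packages.items()}
    report = {}
    for name in sorted(set(official) | set(local)):
        if name not in local:
            report[name] = "missing-locally"
        elif name not in official:
            report[name] = "not-in-manifest"
        else:
            report[name] = "match" if official[name] == local[name] else "mismatch"
    return report


def demo():
    """Two builders walk the same tree in different orders, then compare results."""
    order_a = list(SAMPLE_TREE)
    order_b = list(reversed(order_a))  # stands in for a different inode order
    official = build_archive(SAMPLE_TREE, order_a)
    rebuilt = build_archive(SAMPLE_TREE, order_b)
    naive_a = build_archive(SAMPLE_TREE, order_a, False, 1500000000)
    naive_b = build_archive(SAMPLE_TREE, order_b, False, 1500000060)
    manifest = sha256sums({"example-linux64.tar": official,
                           "example-osx64.tar": official})
    report = compare_builds(manifest, {"example-linux64.tar": rebuilt,
                                       "example-osx64.tar": rebuilt + b"\x00"})
    return official == rebuilt, naive_a == naive_b, report


if __name__ == "__main__":
    print(demo())
```

</p><p>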
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2522) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2523) When builds are published officially, the single sha256sums-unsigned-build.txt
projects/torbrowser/design/index.html.en    2524) file is accompanied by a detached GPG signature from each official builder that
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2525) produced a matching build. The packages are additionally signed with detached
projects/torbrowser/design/index.html.en    2526) GPG signatures from an official signing key.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2527) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2528)     </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2529) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2530) The fact that the entire set of packages for a given version can be
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2531) authenticated by a single hash of the sha256sums-unsigned-build.txt file will
projects/torbrowser/design/index.html.en    2532) also allow us to create a number of auxiliary authentication mechanisms for our
projects/torbrowser/design/index.html.en    2533) packages, beyond just trusting a single offline build machine and a single
projects/torbrowser/design/index.html.en    2534) cryptographic key's integrity. Interesting examples include providing multiple
projects/torbrowser/design/index.html.en    2535) independent cryptographic signatures for packages, listing the package hashes in
projects/torbrowser/design/index.html.en    2536) the Tor consensus, and encoding the package hashes in the Bitcoin blockchain.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2537) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2538)      </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2539) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2540) The Windows releases are also signed by a hardware token provided by DigiCert.
projects/torbrowser/design/index.html.en    2541) In order to verify package integrity, the signature must be stripped off using
projects/torbrowser/design/index.html.en    2542) the osslsigncode tool, as described on the <a class="ulink" href="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification" target="_top">Signature
projects/torbrowser/design/index.html.en    2543) Verification</a> page.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2544) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2545)     </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1203"></a>5.3. Anonymous Verification</h3></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2546) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2547) Due to the fact that bit-identical packages can be produced by anyone, the
projects/torbrowser/design/index.html.en    2548) security of this build system extends beyond the security of the official
projects/torbrowser/design/index.html.en    2549) build machines. In fact, it is still possible for build integrity to be
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2550) achieved even if all official build machines are compromised.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2551) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2552)     </p><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2553) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2554) By default, all tor-specific dependencies and inputs to the build process are
projects/torbrowser/design/index.html.en    2555) downloaded over Tor, which allows build verifiers to remain anonymous and
projects/torbrowser/design/index.html.en    2556) hidden. Because of this, any individual can use our anonymity network to
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2557) privately download our source code, verify it against public, signed, audited,
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2558) and mirrored git repositories, and reproduce our builds exactly, without being
projects/torbrowser/design/index.html.en    2559) subject to targeted attacks. If they notice any differences, they can alert
projects/torbrowser/design/index.html.en    2560) the public builders/signers, hopefully using a pseudonym or our anonymous
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2561) bug tracker account, to avoid revealing the fact that they are a build
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2562) verifier.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2563) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2564)    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="update-safety"></a>5.4. Update Safety</h3></div></div></div><p>
projects/torbrowser/design/index.html.en    2565) 
projects/torbrowser/design/index.html.en    2566) We make use of the Firefox updater in order to provide automatic updates to
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2567) users. We make use of certificate pinning to ensure that update checks cannot
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2568) be tampered with by setting <span class="command"><strong>security.cert_pinning.enforcement_level
projects/torbrowser/design/index.html.en    2569) </strong></span> to <span class="command"><strong>2</strong></span>, and we sign the individual MAR update files
projects/torbrowser/design/index.html.en    2570) with keys that get rotated every year.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2571) 
projects/torbrowser/design/index.html.en    2572)    </p><p>
projects/torbrowser/design/index.html.en    2573) 
projects/torbrowser/design/index.html.en    2574) The Firefox updater also has code to ensure that it can reliably access the
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2575) update server to prevent availability attacks, and complains to the user after 48
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2576) hours go by without a successful response from the server. Additionally, we
projects/torbrowser/design/index.html.en    2577) use Tor's SOCKS username and password isolation to ensure that every new
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2578) request to the updater (provided the previous one was issued more than 10 minutes ago)
projects/torbrowser/design/index.html.en    2579) traverses a separate circuit, to avoid holdback attacks by exit nodes.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2580) 
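The update-check behaviour this section describes (a separate circuit for a request once the previous one is more than 10 minutes old, and a complaint to the user after 48 hours without a successful response), as a simplified model. This is an added example, not Firefox or Tor Browser code; the class, function and field names, the "updater" SOCKS username and the random-nonce password are assumptions made for illustration.

```javascript
// Simplified model of the update-check behaviour described in this section.
// All names are hypothetical; this is not Tor Browser or Firefox code.
const MINUTE = 60 * 1000;
const HOUR = 60 * MINUTE;
const ISOLATION_WINDOW = 10 * MINUTE; // "more than 10 minutes ago"
const WARN_AFTER = 48 * HOUR;         // 48 hours without a successful response

// The SOCKS password only selects a circuit on the local tor client; it is
// an isolation key, not a secret, so any value not used before will do.
function randomNonce() {
  return Array.from({ length: 16 }, () =>
    Math.floor(Math.random() * 256).toString(16).padStart(2, "0")).join("");
}

class UpdateChecker {
  constructor(startTime, newNonce = randomNonce) {
    this.newNonce = newNonce;
    this.lastRequestAt = null;      // time of the previous update request
    this.lastSuccessAt = startTime; // assumption: the 48-hour timer starts here
    this.nonce = null;
  }

  // SOCKS username/password for the next request. Tor keeps streams with
  // different SOCKS credentials on different circuits, so a new password
  // means a new circuit and an exit that held back the last answer is not
  // asked again.
  socksAuthFor(now) {
    const stale = this.lastRequestAt === null
      ? true
      : now - this.lastRequestAt > ISOLATION_WINDOW;
    if (stale) {
      this.nonce = this.newNonce();
    }
    this.lastRequestAt = now;
    return { username: "updater", password: this.nonce };
  }

  // Record one update check and report what the client does.
  check(now, gotValidResponse) {
    const auth = this.socksAuthFor(now);
    if (gotValidResponse) {
      this.lastSuccessAt = now;
    }
    return { auth, warnUser: now - this.lastSuccessAt > WARN_AFTER };
  }
}

// Constructed timeline: [minutes since start, did a valid response arrive?]
function simulate(timeline) {
  const checker = new UpdateChecker(0);
  return timeline.map(([minutes, ok]) => {
    const result = checker.check(minutes * MINUTE, ok);
    return { minutes, circuitKey: result.auth.password, warnUser: result.warnUser };
  });
}

const SAMPLE_TIMELINE = [[0, false], [5, false], [20, false], [2881, false], [2882, true]];
```

Running `simulate(SAMPLE_TIMELINE)` shows the second check reusing the first check's credentials, the third getting new ones, and the warning appearing only once 48 hours have passed with no valid response.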
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2581)    </p></div></div><div class="appendix"><h2 class="title" style="clear: both"><a id="Transparency"></a>A. Towards Transparency in Navigation Tracking</h2><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2582) 
projects/torbrowser/design/index.html.en    2583) The <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy properties</a> of Tor Browser are based
projects/torbrowser/design/index.html.en    2584) upon the assumption that link-click navigation indicates user consent to
projects/torbrowser/design/index.html.en    2585) tracking between the linking site and the destination site.  While this
projects/torbrowser/design/index.html.en    2586) definition is sufficient to allow us to eliminate cross-site third party
projects/torbrowser/design/index.html.en    2587) tracking with only minimal site breakage, it is our long-term goal to further
projects/torbrowser/design/index.html.en    2588) reduce cross-origin click navigation tracking to mechanisms that are
projects/torbrowser/design/index.html.en    2589) detectable by attentive users, so they can alert the general public if
projects/torbrowser/design/index.html.en    2590) cross-origin click navigation tracking is happening where it should not be.
projects/torbrowser/design/index.html.en    2591) 
projects/torbrowser/design/index.html.en    2592) </p><p>
projects/torbrowser/design/index.html.en    2593) 
projects/torbrowser/design/index.html.en    2594) In an ideal world, the mechanisms of tracking that can be employed during a
projects/torbrowser/design/index.html.en    2595) link click would be limited to the contents of URL parameters and other
projects/torbrowser/design/index.html.en    2596) properties that are fully visible to the user before they click. However, the
projects/torbrowser/design/index.html.en    2597) entrenched nature of certain archaic web features makes it impossible for us to
projects/torbrowser/design/index.html.en    2598) achieve this transparency goal by ourselves without substantial site breakage.
projects/torbrowser/design/index.html.en    2599) So, instead we maintain a <a class="link" href="#deprecate" title="A.1. Deprecation Wishlist">Deprecation
projects/torbrowser/design/index.html.en    2600) Wishlist</a> of archaic web technologies that are currently being (ab)used
projects/torbrowser/design/index.html.en    2601) to facilitate federated login and other legitimate click-driven cross-domain
projects/torbrowser/design/index.html.en    2602) activity but that can one day be replaced with more privacy friendly,
projects/torbrowser/design/index.html.en    2603) auditable alternatives.
projects/torbrowser/design/index.html.en    2604) 
projects/torbrowser/design/index.html.en    2605) </p><p>
projects/torbrowser/design/index.html.en    2606) 
projects/torbrowser/design/index.html.en    2607) Because the total elimination of side channels during cross-origin navigation
projects/torbrowser/design/index.html.en    2608) will undoubtedly break federated login as well as destroy ad revenue, we
projects/torbrowser/design/index.html.en    2609) also describe auditable alternatives and promising web draft standards that would
projects/torbrowser/design/index.html.en    2610) preserve this functionality while still providing transparency when tracking is
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2611) occurring.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2612) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2613) </p><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="deprecate"></a>A.1. Deprecation Wishlist</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>The Referer Header</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2614) 
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2615) When leaving a .onion domain we set the Referer header to an empty string by
projects/torbrowser/design/index.html.en    2616) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=021bffff111b6b93eecb5859e680d540991c20c9" target="_top">
projects/torbrowser/design/index.html.en    2617) providing a preference</a>, <span class="command"><strong>network.http.referer.hideOnionSource</strong></span>, and setting it to <span class="command"><strong>true</strong></span>. That avoids leaking
projects/torbrowser/design/index.html.en    2618) information which might be especially problematic in the case of transitioning
projects/torbrowser/design/index.html.en    2619) from a .onion domain to one reached over clearnet. Apart from that, we haven't
projects/torbrowser/design/index.html.en    2620) disabled or restricted the Referer ourselves because of the non-trivial number
projects/torbrowser/design/index.html.en    2621) of sites that rely on the Referer header to "authenticate" image requests and
projects/torbrowser/design/index.html.en    2622) deep-link navigation on their sites. Furthermore, there seems to be no real
projects/torbrowser/design/index.html.en    2623) privacy benefit to taking this action by itself in a vacuum, because many sites
projects/torbrowser/design/index.html.en    2624) have begun encoding Referer URL information into GET parameters when they need
projects/torbrowser/design/index.html.en    2625) it to cross HTTP to HTTPS scheme transitions. Google's +1 buttons are the best
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2626) example of this activity.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2627) 
projects/torbrowser/design/index.html.en    2628)   </p><p>
projects/torbrowser/design/index.html.en    2629) 
projects/torbrowser/design/index.html.en    2630) Because of the availability of these other explicit vectors, we believe the
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2631) main risk of the Referer header is through inadvertent and/or covert data
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2632) leakage. In fact, <a class="ulink" href="http://web2.research.att.com/export/sites/att_labs/people/Krishnamurthy_Balachander/papers/wosn09.pdf" target="_top">
projects/torbrowser/design/index.html.en    2633) a great deal of personal data</a> is inadvertently leaked to third parties
projects/torbrowser/design/index.html.en    2634) through the source URL parameters.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2635) 
projects/torbrowser/design/index.html.en    2636)   </p><p>
projects/torbrowser/design/index.html.en    2637) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2638) We believe the Referer header should be made explicit, and believe that Referrer
Georg Koppen Update remaning things in d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2639) Policy, which has been available since Firefox 52, provides a <a class="ulink" href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header" target="_top">
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2640) decent step in this direction</a>. If a site wishes to transmit its URL to
projects/torbrowser/design/index.html.en    2641) third party content elements during load or during link-click, it should have
projects/torbrowser/design/index.html.en    2642) to specify this as a property of the associated <a class="ulink" href="https://blog.mozilla.org/security/2015/01/21/meta-referrer/" target="_top">
projects/torbrowser/design/index.html.en    2643) HTML tag</a> or in an HTTP response header. With an explicit property or
projects/torbrowser/design/index.html.en    2644) response header, it would then be possible for the user agent to inform the user
projects/torbrowser/design/index.html.en    2645) if they are about to click on a link that will transmit Referer information
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2646) (perhaps through something as subtle as a different color in the lower toolbar
projects/torbrowser/design/index.html.en    2647) for the destination URL). This same UI notification can also be used for links
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2648) with the <a class="ulink" href="https://developers.whatwg.org/links.html#ping" target="_top">"ping"</a>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2649) attribute.
projects/torbrowser/design/index.html.en    2650) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2651)   </p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2652) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2653) a DOM property that for some reason is allowed to retain a persistent value
projects/torbrowser/design/index.html.en    2654) for the lifespan of a browser tab. It is possible to utilize this property for
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2655) <a class="ulink" href="https://www.thomasfrank.se/sessionvars.html" target="_top">identifier
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2656) storage</a> during click navigation. This is sometimes used for additional
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2657) CSRF protection and federated login.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2658)    </p><p>
projects/torbrowser/design/index.html.en    2659) 
projects/torbrowser/design/index.html.en    2660) It's our opinion that the contents of window.name should not be preserved for
projects/torbrowser/design/index.html.en    2661) cross-origin navigation, but doing so may break federated login for some sites.
projects/torbrowser/design/index.html.en    2662) 
Georg Koppen Updating the Tor Browser de...

Georg Koppen authored 7 years ago

projects/torbrowser/design/index.html.en    2663)    </p></li><li class="listitem"><span class="command"><strong>JavaScript link rewriting</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2664) 
projects/torbrowser/design/index.html.en    2665) In general, it should not be possible for onclick handlers to alter the
projects/torbrowser/design/index.html.en    2666) navigation destination of 'a' tags, silently transform them into POST
projects/torbrowser/design/index.html.en    2667) requests, or otherwise create situations where a user believes they are
projects/torbrowser/design/index.html.en    2668) clicking on a link leading to one URL that ends up on another. This
projects/torbrowser/design/index.html.en    2669) functionality is deceptive and is frequently a vector for malware and phishing
projects/torbrowser/design/index.html.en    2670) attacks. Unfortunately, many legitimate sites also employ such transparent
projects/torbrowser/design/index.html.en    2671) link rewriting, and blanket disabling this functionality ourselves will simply
projects/torbrowser/design/index.html.en    2672) cause Tor Browser to fail to navigate properly on these sites.
projects/torbrowser/design/index.html.en    2673) 
projects/torbrowser/design/index.html.en    2674)    </p><p>
projects/torbrowser/design/index.html.en    2675) 
projects/torbrowser/design/index.html.en    2676) Automated cross-origin redirects are one form of this behavior that is
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2677) possible for us to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">address
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2678) ourselves</a>, as they are comparatively rare and can be handled with site
projects/torbrowser/design/index.html.en    2679) permissions.
projects/torbrowser/design/index.html.en    2680) 
Georg Koppen Addressing Mike's design do...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2681)    </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm1246"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://web.archive.org/web/20130213034335/http://web-send.org:80/" target="_top">Web-Send Introducer</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2682) 
projects/torbrowser/design/index.html.en    2683) Web-Send is a browser-based link sharing and federated login widget that is
projects/torbrowser/design/index.html.en    2684) designed to operate without relying on third-party tracking or abusing other
Georg Koppen Update Tor Browser design d...

Georg Koppen authored 6 years ago

projects/torbrowser/design/index.html.en    2685) cross-origin link-click side channels. It has a compelling list of <a class="ulink" href="https://web.archive.org/web/20130213034335/http://web-send.org:80/featurs.html" target="_top">
projects/torbrowser/design/index.html.en    2686) privacy and security features</a>, especially if used as a "Like button"
projects/torbrowser/design/index.html.en    2687) replacement.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2688) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2689)    </p></li><li class="listitem"><a class="ulink" href="https://developer.mozilla.org/en-US/docs/Persona" target="_top">Mozilla Persona</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2690) 
projects/torbrowser/design/index.html.en    2691) Mozilla's Persona is designed to provide decentralized, cryptographically
projects/torbrowser/design/index.html.en    2692) authenticated federated login in a way that does not expose the user to third
projects/torbrowser/design/index.html.en    2693) party tracking or require browser redirects or side channels. While it does
projects/torbrowser/design/index.html.en    2694) not directly provide the link sharing capabilities that Web-Send does, it is a
projects/torbrowser/design/index.html.en    2695) better solution to the privacy issues associated with federated login than
projects/torbrowser/design/index.html.en    2696) Web-Send is.
projects/torbrowser/design/index.html.en    2697)