9e00fe357cb9e9004f05ba1e45c920ba7b770a18
Mike Perry Add design doc draft.

Mike Perry authored 12 years ago

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn_torproject\org">erinn_torproject\org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject\org">sjmurdoch#torproject\org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Sep 29 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2974058">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1.
Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Domain Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Domain Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. 
Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2974058"></a>1. Introduction</h2></div></div></div><p>

This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>,
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>,
<a class="link" href="#Implementation" title="3. Implementation">implementation</a>, <a class="link" href="#Packaging" title="4. Packaging">packaging</a> and <a class="link" href="#Testing" title="5. Testing">testing
procedures</a> of the Tor Browser. It is
current as of Tor Browser 2.2.32-4.

  </p><p>

This document is also meant to serve as a set of design requirements and to
describe a reference implementation of a Private Browsing Mode that defends
against both local and network adversaries.

  </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p>

A Tor web browser adversary has a number of goals, capabilities, and attack
types that can be used to guide us towards a set of requirements for the
Tor Browser. Let's start with the goals.

   </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
Tor, causing the user to directly connect to an IP of the adversary's
choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
happily settle for the ability to correlate something a user did via Tor with
their non-Tor activity. This can be done with cookies, cache identifiers,
Javascript events, and even CSS. Sometimes the fact that a user uses Tor may
be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
The adversary may also be interested in history disclosure: the ability to
query a user's history to see if they have issued certain censored search
queries, or visited censored sites.
     </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>

Location information such as timezone and locality can be useful for the
adversary to determine if a user is in fact originating from one of the
regions they are attempting to control, or to zero in on the geographical
location of a particular dissident or whistleblower.

     </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p>

Anonymity set reduction is also useful in attempting to zero in on a
particular individual. If the dissident or whistleblower is using a rare build
of Firefox for an obscure operating system, this can be very useful
information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>.

     </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
information</strong></span><p>
In some cases, the adversary may opt for a heavy-handed approach, such as
seizing the computers of all Tor users in an area (especially after narrowing
the field by the above two pieces of information). History records and cache
data are the primary goals here.
     </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p>
The adversary can position themselves at a number of different locations in
order to execute their attacks.
    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
The adversary can run exit nodes, or alternatively, they may control routers
upstream of exit nodes. Both of these scenarios have been observed in the
wild.
     </p></li><li class="listitem"><span class="command"><strong>Adservers and/or Malicious Websites</strong></span><p>
The adversary can also run websites, or more likely, they can contract out
ad space from a number of different adservers and inject content that way. For
some users, the adversary may be the adservers themselves. It is not
inconceivable that adservers may try to subvert or reduce a user's anonymity
through Tor for marketing purposes.
     </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
The adversary can also inject malicious content at the user's upstream router
when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
activity.
     </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
Some users face adversaries with intermittent or constant physical access.
Users in Internet cafes, for example, face such a threat. In addition, in
countries where simply using tools like Tor is illegal, users may face
confiscation of their computer equipment for excessive Tor usage or just
general suspicion.
     </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p>

The adversary can perform the following attacks from a number of different
positions to accomplish various aspects of their goals. It should be noted
that many of these attacks (especially those involving IP address leakage) are
often performed by accident by websites that simply have Javascript, dynamic
CSS elements, and plugins. Others are performed by adservers seeking to
correlate users' activity across different IP addresses, and still others are
performed by malicious agents on the Tor network and at national firewalls.

    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
If not properly disabled, Javascript event handlers and timers
can cause the browser to perform network activity after Tor has been disabled,
thus allowing the adversary to correlate Tor and Non-Tor activity and reveal
a user's non-Tor IP address. Javascript
also allows the adversary to execute <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure attacks</a>:
to query the history via the different attributes of 'visited' links to search
for particular Google queries, sites, or even to <a class="ulink" href="http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/" target="_top">profile
users based on gender and other classifications</a>. Finally,
Javascript can be used to query the user's timezone via the
<code class="function">Date()</code> object, and to reduce the anonymity set by querying
the <code class="function">navigator</code> object for operating system, CPU, locale,
and user agent information.
     </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>

Plugins are abysmal at obeying the proxy settings of the browser. Every plugin
capable of performing network activity that the author has
investigated is also capable of performing network activity independent of
browser proxy settings - and often independent of its own proxy settings.
Sites that have plugin content don't even have to be malicious to obtain a
user's Non-Tor IP (it usually leaks by itself), though <a class="ulink" href="http://decloak.net" target="_top">plenty of active
exploits</a> are possible as well. In addition, plugins can be used to store unique identifiers that are more
difficult to clear than standard cookies.
<a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
cookies</a> fall into this category, but there are likely numerous other
examples.

     </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>

CSS can also be used to correlate Tor and Non-Tor activity and reveal a user's
Non-Tor IP address, via the usage of
<a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">CSS
popups</a> - essentially CSS-based event handlers: <code class="literal">:hover</code>
rules (the CSS counterpart of an onmouseover handler) that fetch content, such
as a background image, only when the user hovers over an element. If these
popups are allowed to perform network activity in a different Tor state than
they were loaded in, they can easily correlate Tor and Non-Tor activity and
reveal a user's IP address. In addition, CSS can also be used without
Javascript to perform <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only history disclosure
attacks</a>.
     </p></li><li class="listitem"><span class="command"><strong>Read and insert cookies</strong></span><p>

An adversary in a position to perform MITM content alteration can inject
document content elements to both read and inject cookies for arbitrary
domains. In fact, many "SSL secured" websites are vulnerable to this sort of
<a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
sidejacking</a>. In addition, the ad networks of course perform tracking
with cookies as well.

     </p></li><li class="listitem"><span class="command"><strong>Create arbitrary cached content</strong></span><p>

Likewise, the browser cache can also be used to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
identifiers</a>. Since by default the cache has no same-origin policy,
these identifiers can be read by any domain, making them an ideal target for
ad network-class adversaries.

     </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
attributes</strong></span><p>

There is an absurd amount of information available to websites via attributes
of the browser. This information can be used to reduce the anonymity set, or even
<a class="ulink" href="http://mandark.fr/0x000000/articles/Total_Recall_On_Firefox..html" target="_top">uniquely
fingerprint individual users</a>. </p><p>

The <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">Panopticlick study
done</a> by the EFF attempts to measure the actual entropy - the number of
identifying bits of information encoded in browser properties. Their result
data is definitely useful, and the metric is probably the appropriate one for
determining how identifying a particular browser property is. However, some
quirks of their study mean that they do not extract as much information as
they could from display information: they only use desktop resolution (which
Torbutton reports as the window resolution) and do not attempt to infer the
size of toolbars.

</p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
OS</strong></span><p>

Last, but definitely not least, the adversary can exploit either general
browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
install malware and surveillance software. An adversary with physical access
can perform similar actions. Regrettably, this last attack capability is
outside of our ability to defend against, but it is worth mentioning for
completeness. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails
system</a>, however, can provide some limited defenses against this
adversary.

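The attributes named in the Javascript and fingerprinting items above can be turned into numbers. The following is an added example by the editor of this page, not code from this document or from the Tor Browser project: it shows what a page script collects from <code class="function">navigator</code>, <code class="function">Date()</code> and <code class="function">window.screen</code>, and computes the Panopticlick metric (entropy and surprisal in bits) and the resulting anonymity set size over a small browser population. The population, the attribute names and the mock navigator, date and screen objects passed to the collector are all constructed for the example so that it runs outside a browser.

```javascript
// Added example (not from the Tor Browser design document): how a page's
// script harvests the attributes the document names, and how identifying
// each one is under the Panopticlick metric. The population below is
// constructed for this example; it is not EFF data.

// A constructed sample of 8 browsers: user agent, timezone offset in minutes
// (what Date().getTimezoneOffset() returns) and screen size.
const POPULATION = [
  { ua: 'Firefox/6.0 Windows', tz: -300, screen: '1280x800' },
  { ua: 'Firefox/6.0 Windows', tz: -300, screen: '1280x800' },
  { ua: 'Firefox/6.0 Windows', tz: -300, screen: '1366x768' },
  { ua: 'Firefox/6.0 Windows', tz: 0,    screen: '1280x800' },
  { ua: 'Firefox/6.0 Mac',     tz: -300, screen: '1440x900' },
  { ua: 'Firefox/6.0 Mac',     tz: 0,    screen: '1440x900' },
  { ua: 'Firefox/6.0 Linux',   tz: 60,   screen: '1280x800' },
  { ua: 'Firefox/6.0 OpenBSD', tz: 60,   screen: '1024x768' },
];

// What the adversary's script collects. `nav`, `now` and `scr` stand in for
// the browser's navigator, a fresh Date and window.screen so the code runs
// outside a browser; in a page they would be the real globals.
function collectProbe(nav, now, scr) {
  return {
    ua: nav.userAgent,
    tz: now.getTimezoneOffset(),
    screen: `${scr.width}x${scr.height}`,
  };
}

// Shannon entropy of one attribute over the population, in bits: the
// Panopticlick measure of how identifying that attribute is on average.
function entropyBits(population, attr) {
  const counts = new Map();
  for (const b of population) counts.set(b[attr], (counts.get(b[attr]) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Surprisal of one observed value: rare values carry more bits. A value never
// seen in the population is maximally identifying.
function surprisalBits(population, attr, value) {
  let n = 0;
  for (const b of population) if (b[attr] === value) n += 1;
  return n === 0 ? Infinity : -Math.log2(n / population.length);
}

// Size of the anonymity set left once the adversary has seen the probe: the
// users whose attributes all match. 1 means the user is uniquely fingerprinted.
function anonymitySetSize(population, probe) {
  const keys = Object.keys(probe);
  return population.filter((b) => keys.every((k) => b[k] === probe[k])).length;
}

// Stand-alone run: a user on a rare platform is unique in this population.
const probe = collectProbe(
  { userAgent: 'Firefox/6.0 OpenBSD' },
  { getTimezoneOffset: () => 60 },
  { width: 1024, height: 768 },
);
console.log('ua entropy (bits):', entropyBits(POPULATION, 'ua').toFixed(2));
console.log('surprisal of this ua (bits):', surprisalBits(POPULATION, 'ua', probe.ua));
console.log('anonymity set size:', anonymitySetSize(POPULATION, probe));
```

The numbers only mean something relative to a population: the same user agent string that is 1 bit of surprisal on a general-purpose site is many bits on a site whose visitors all run one bundled build, which is the reason the document later argues for a uniform browser rather than per-user randomisation.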
     </p></li></ol></div></div></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>

The Tor Browser Design Requirements are meant to describe the properties of a
Private Browsing Mode that defends against both network and local adversaries.

  </p><p>

There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
minimum properties in order for a web client platform to be able to support
Tor. Privacy requirements are the set of properties that cause us to prefer
one platform over another.

  </p><p>

We will maintain an alternate distribution of the web client in order to
maintain and/or restore privacy properties to our users.

  </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>

The security requirements are primarily concerned with ensuring the safe use
of Tor. Violations in these properties typically result in serious risk for
the user in terms of immediate deanonymization and/or observability. With
respect to platform support, security requirements are the minimum properties
in order for Tor to support the use of a web client platform.

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Proxy Obedience</strong></span><p>The browser
MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><span class="command"><strong>State Separation</strong></span><p>The browser MUST NOT provide any stored state to the content window
from other browsers or other browsing modes, including shared state from
plugins, machine identifiers, and TLS session state.
</p></li><li class="listitem"><span class="command"><strong>Disk Avoidance</strong></span><p>The
browser SHOULD NOT write any browsing history information to disk, or store it
in memory beyond the duration of one Tor session, unless the user has
explicitly opted to store their browsing history information to
disk.</p></li><li class="listitem"><span class="command"><strong>Application Data Isolation</strong></span><p>The browser
MUST NOT write or cause the operating system to
write <span class="emphasis"><em>any information</em></span> to disk outside of the application
directory. All exceptions and shortcomings due to operating system behavior
MUST BE documented.

</p></li><li class="listitem"><span class="command"><strong>Update Safety</strong></span><p>The browser SHOULD NOT perform unsafe updates or upgrades.</p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
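Before turning to the privacy requirements, one check for the Proxy Obedience requirement listed in 2.1 above. This is an added example and not Tor Browser's own code: it parses Firefox <code class="function">user_pref</code> lines from a <code class="literal">user.js</code> or <code class="literal">prefs.js</code> file and reports every preference that would let traffic or name lookups bypass a SOCKS proxy. The required values are this editor's assumption of a SOCKS-only configuration (Tor's default SOCKS port 9050, all DNS through the proxy, an empty bypass list, prefetching off), not the preference set the project ships, and the weak profile is constructed for the example. It checks settings, not behaviour: plugins that ignore the browser's proxy settings, as described in the adversary model, are outside what it can catch.

```javascript
// Added example (not Tor Browser's own code): a static check of Firefox
// preferences against the Proxy Obedience requirement. REQUIRED is an assumed
// SOCKS-only configuration, not the project's shipped preference set.
const REQUIRED = {
  'network.proxy.type': 1,                  // 1 = manual proxy configuration
  'network.proxy.socks': '127.0.0.1',
  'network.proxy.socks_port': 9050,         // Tor's default SOCKS port (assumption)
  'network.proxy.socks_version': 5,
  'network.proxy.socks_remote_dns': true,   // resolve names via the proxy, never locally
  'network.proxy.no_proxies_on': '',        // empty bypass list: no host goes direct
  'network.dns.disablePrefetch': true,      // no speculative DNS lookups
  'network.prefetch-next': false,           // no speculative page fetches
};

// Parse user_pref("name", value); lines. Values are booleans, integers or
// double-quoted strings, which is all a prefs file contains.
function parseUserPrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);/;
  for (const line of text.split('\n')) {
    const m = re.exec(line);
    if (m === null) continue;
    const raw = m[2];
    let value;
    if (raw === 'true') value = true;
    else if (raw === 'false') value = false;
    else if (raw.startsWith('"')) value = JSON.parse(raw);
    else value = Number(raw);
    prefs[m[1]] = value;
  }
  return prefs;
}

// One message per preference that would let traffic or DNS bypass the proxy.
// A missing preference counts as a violation: Firefox's built-in default then
// applies, and for each of these prefs that default is the less safe setting.
function proxyObedienceViolations(prefs) {
  const violations = [];
  for (const [name, want] of Object.entries(REQUIRED)) {
    if (!(name in prefs)) {
      violations.push(`${name}: not set, Firefox default applies`);
    } else if (prefs[name] !== want) {
      violations.push(`${name}: is ${JSON.stringify(prefs[name])}, expected ${JSON.stringify(want)}`);
    }
  }
  return violations;
}

// Constructed input: a profile that looks proxied but resolves names locally,
// sends loopback traffic direct, and leaves DNS prefetching at its default.
const WEAK_PREFS = `
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
user_pref("network.prefetch-next", false);
`;

// The corrected profile: every REQUIRED preference at its required value.
const HARDENED_PREFS = Object.entries(REQUIRED)
  .map(([name, value]) => `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`)
  .join('\n');

console.log('weak profile:', proxyObedienceViolations(parseUserPrefs(WEAK_PREFS)));
console.log('hardened profile:', proxyObedienceViolations(parseUserPrefs(HARDENED_PREFS)));
```

The missing-pref case is the one that tends to be overlooked: a profile that never mentions <code class="literal">network.dns.disablePrefetch</code> is not neutral, it inherits whatever the bundled Firefox build defaults to, so the check treats absence as failure rather than as pass.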

The privacy requirements are primarily concerned with reducing linkability:
the ability for a user's activity on one site to be linked with their activity
on another site without their knowledge or explicit consent. With respect to
platform support, privacy requirements are the set of properties that cause us
to prefer one platform over another.

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cross-Domain Identifier Unlinkability</strong></span><p>

User activity on one url bar domain MUST NOT be linkable to their activity in
any other domain by any third party. This property specifically applies to
linkability from stored browser identifiers, authentication tokens, and shared
state. This functionality SHOULD NOT interfere with federated login in a
substantial way.

  </p></li><li class="listitem"><span class="command"><strong>Cross-Domain Fingerprinting Unlinkability</strong></span><p>

User activity on one url bar domain MUST NOT be linkable to their activity in
any other domain by any third party. This property specifically applies to
linkability from fingerprinting browser behavior.

  </p></li><li class="listitem"><span class="command"><strong>Long-Term Unlinkability</strong></span><p>

The browser SHOULD provide an obvious, easy way for the user to remove all of
their authentication tokens and browser state and obtain a fresh identity.
Additionally, this should happen by default automatically upon browser restart.

projects/en/torbrowser/design/index.html.en 240)   </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>

In addition to the above design requirements, the technology decisions about
Tor Browser are also guided by some philosophical positions about technology.

   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>

The existing way that the user expects to use a browser must be preserved. If
the user has to maintain a different mental model of how the sites they are
using behave depending on tab, browser state, or anything else that would not
normally be what they experience in their default browser, the user will
inevitably be confused. They will make mistakes and reduce their privacy as a
result. Worse, they may just stop using the browser, assuming it is broken.

      </p><p>

User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
of Torbutton</a>: even if users managed to install everything properly,
the toggle model was too hard for the average user to understand, especially
in the face of accumulating tabs from multiple states crossed with the current
Tor state of the browser.

      </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
break sites</strong></span><p>

In general, we try to find solutions to privacy issues that will not induce
site breakage, though this is not always possible.

      </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>

Even if plugins always properly used the browser proxy settings (which none of
them do) and could not be induced to bypass them (which all of them can), the
activities of closed-source plugins are very difficult to audit and control.
They can obtain and transmit all manner of system information to websites,
often have their own identifier storage for tracking users, and also
contribute to fingerprinting.

      </p><p>

Therefore, if plugins are to be enabled in private browsing modes, they must
be restricted from running automatically on every page (via click-to-play
placeholders), and/or be sandboxed to restrict the types of system calls they
can execute. If the user decides to craft an exemption to allow a plugin to be
used, it MUST ONLY apply to the top-level url bar domain, and not to all sites,
to reduce linkability.

       </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>

<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
failure of Torbutton</a> was (and still is) the options panel. Each option
that detectably alters browser behavior can be used as a fingerprinting tool.
Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">should be
disabled in the mode</a> except on an opt-in basis. We should not load
system-wide addons or plugins.

     </p><p>
Instead of global browser privacy options, privacy decisions should be made
<a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
top-level url bar domain</a> to eliminate the possibility of linkability
between domains. For example, when a plugin object (or a JavaScript access of
navigator.plugins) is present in a page, the user should be given the choice of
allowing that plugin object for that top-level url bar domain only. The same
goes for exemptions to the third party cookie policy, geolocation, and any other
privacy permissions.
     </p><p>
If the user has indicated they do not care about local history storage, these
permissions can be written to disk. Otherwise, they should remain memory-only.
     </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>

Filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
Plus</a>, Request Policy, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">ShareMeNot</a> are to be
avoided. We believe that these addons do not add any real privacy to a proper
<a class="link" href="#Implementation" title="3. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, as all third parties are
prevented from tracking users between sites by the implementation.
Filter-based addons can also introduce strange breakage and cause usability
nightmares, and will also fail to do their job if an adversary simply
registers a new domain or creates a new url path. Worse still, the unique
filter sets that each user creates or installs will provide a wealth
of fingerprinting targets.

      </p><p>

We are also generally opposed to shipping an always-on ad
blocker with Tor Browser. We feel that this would damage our credibility in
terms of demonstrating that we are providing privacy through a sound design
alone, as well as damage the acceptance of Tor users by sites who support
themselves through advertising revenue.

      </p><p>
Users are free to install these addons if they wish, but doing
so is not recommended, as it will alter the browser request fingerprint.
      </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
We believe that if we do not stay current with the support of new web
technologies, we cannot hope to substantially influence or be involved in
their proper deployment or privacy realization. However, we will likely disable
certain new features (where possible) pending analysis and audit.
      </p></li></ol></div></div></div><div class="sect1" title="3. Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>3. Implementation</h2></div></div></div><p>
  </p><div class="sect2" title="3.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>3.1. Proxy Obedience</h3></div></div></div><p>

Proxy obedience is assured through the following:
   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox Proxy settings
 <p>
  The Torbutton xpi sets the Firefox proxy settings to use Tor directly as a
SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
<span class="command"><strong>network.proxy.socks_version</strong></span>, and
<span class="command"><strong>network.proxy.socks_port</strong></span>. Of these,
<span class="command"><strong>network.proxy.socks_remote_dns</strong></span> must be true:
otherwise Firefox resolves hostnames locally and every DNS lookup bypasses Tor.
 </p></li><li class="listitem">Disabling plugins
 <p>
  Plugins have the ability to make arbitrary OS system calls. This includes
the ability to make UDP sockets and send arbitrary data independent of the
browser proxy settings.
 </p><p>
Torbutton disables plugins by using the
<span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
as disabled. Additionally, we set
<span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to the list of
supported mime types for all currently installed plugins.
 </p><p>
In addition, to prevent any unproxied activity by plugins at load time, we
also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0007-Block-all-plugins-except-flash.patch" target="_top">prevent the load of any plugins except
for Flash and Gnash</a>.

 </p></li><li class="listitem">External App Blocking
  <p>
External apps, if launched automatically, can be induced to load files that
perform network activity. In order to prevent this, Torbutton installs a
component to
<a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">
provide the user with a popup</a> whenever the browser attempts to
launch a helper app.
  </p></li></ol></div></div><div class="sect2" title="3.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>3.2. State Separation</h3></div></div></div><p>
Tor Browser state is separated from existing browser state through use of a
custom Firefox profile. Furthermore, plugins are disabled, which prevents
Flash cookies from leaking from a pre-existing Flash directory.
   </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2980587"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Tor Browser should optionally prevent all disk records of browser activity.
The user should be able to optionally enable URL history and other history
features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the
preferences interface</a>, we will likely just enable Private Browsing
mode by default to handle this goal.
    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3006806"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
For now, Tor Browser blocks write access to the disk through Torbutton
using several Firefox preferences. The set of prefs is:
<span class="command"><strong>dom.storage.enabled</strong></span>,
<span class="command"><strong>browser.cache.memory.enable</strong></span>,
<span class="command"><strong>network.http.use-cache</strong></span>,
<span class="command"><strong>browser.cache.disk.enable</strong></span>,
<span class="command"><strong>browser.cache.offline.enable</strong></span>,
<span class="command"><strong>general.open_location.last_url</strong></span>,
<span class="command"><strong>places.history.enabled</strong></span>,
<span class="command"><strong>browser.formfill.enable</strong></span>,
<span class="command"><strong>signon.rememberSignons</strong></span>,
<span class="command"><strong>browser.download.manager.retention</strong></span>,
and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>.
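The proxy-obedience and disk-avoidance prefs above are named without their values. As an added practitioner check (example code, not Torbutton's), the following parses the user_pref(...) lines of a Firefox prefs.js or user.js file and audits them. The expected values are assumptions derived from the stated goals (remote DNS on so lookups go through Tor, disk cache and history off), not a copy of what Torbutton writes; the sample profile is constructed, and the prefs network.proxy.type and network.proxy.socks in it are not mentioned in this document.

```javascript
// Added example (not Torbutton code): parse Firefox user.js/prefs.js lines and
// audit them against the proxy-obedience and disk-avoidance prefs named in the
// text. The expected values are what those goals imply (assumption), not a
// copy of what Torbutton actually writes.

// Parses `user_pref("name", value);` lines into a Map of name -> value.
// Values are strings (quoted), booleans (true/false) or integers.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;                     // comments, blanks, junk
    const [, name, raw] = m;
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = parseInt(raw, 10);
    else if (/^"(.*)"$/.test(raw)) value = raw.slice(1, -1);
    else continue;                        // unknown literal: ignore
    prefs.set(name, value);
  }
  return prefs;
}

// Expected values (assumption: derived from the goals, see lead-in).
const EXPECTED = {
  // Proxy obedience: remote DNS must be on or hostname lookups bypass Tor.
  "network.proxy.socks_remote_dns": true,
  "network.proxy.socks_version": 5,
  // Disk avoidance: nothing about browsing activity should reach disk.
  "browser.cache.disk.enable": false,
  "browser.cache.offline.enable": false,
  "places.history.enabled": false,
  "browser.formfill.enable": false,
  "signon.rememberSignons": false,
  "dom.storage.enabled": false,
};

// Returns a list of findings; an empty list means every checked pref is set
// as expected. A missing pref is a finding too: for most of these prefs the
// Firefox default is the leaky one.
function auditPrefs(prefs) {
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (!prefs.has(name)) {
      findings.push(`${name}: not set (Firefox default applies)`);
    } else if (prefs.get(name) !== want) {
      findings.push(`${name}: is ${prefs.get(name)}, expected ${want}`);
    }
  }
  return findings;
}

// Constructed sample: a profile that proxies through Tor but leaks DNS and
// keeps a disk cache. network.proxy.type and network.proxy.socks are real
// Firefox prefs but are not part of the text's list.
const LEAKY_PROFILE = `
# Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("browser.cache.disk.enable", true);
user_pref("browser.cache.offline.enable", false);
user_pref("places.history.enabled", false);
user_pref("browser.formfill.enable", false);
user_pref("signon.rememberSignons", false);
user_pref("dom.storage.enabled", false);
`;

// Two findings: socks_remote_dns is false (DNS leak) and the disk cache is on.
const leakyFindings = auditPrefs(parsePrefs(LEAKY_PROFILE));

// The same profile with those two prefs corrected passes the audit.
const FIXED_PROFILE = LEAKY_PROFILE
  .replace('"network.proxy.socks_remote_dns", false', '"network.proxy.socks_remote_dns", true')
  .replace('"browser.cache.disk.enable", true', '"browser.cache.disk.enable", false');
const fixedFindings = auditPrefs(parsePrefs(FIXED_PROFILE));
```

Run it against a profile's prefs.js after the browser has been closed, since Firefox rewrites that file on exit; a pref that is present in user.js but absent from the audit output was either accepted or never parsed, so check the parse result too, as the last assertion in the usage below does.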
    </blockquote></div></div><p>
In addition, three Firefox patches are needed to prevent disk writes, even if
Private Browsing Mode is enabled. We need to
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0002-Make-Permissions-Manager-memory-only.patch" target="_top">prevent
the permissions manager from recording HTTP Strict Transport Security (STS) state</a>,
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">prevent
intermediate SSL certificates from being recorded</a>, and
<a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0008-Make-content-pref-service-memory-only-clearable.patch" target="_top">prevent
the content preferences service from recording site zoom</a>.
For more details on these patches, <a class="link" href="#firefox-patches" title="3.9. Description of Firefox Patches">see the
Firefox Patches section</a>.

   </p></div><div class="sect2" title="3.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>3.4. Application Data Isolation</h3></div></div></div><p>

Tor Browser Bundle MUST NOT cause any information to be written outside of the
bundle directory. This is to ensure that the user is able to completely and
safely remove the bundle without leaving other traces of Tor usage on their
computer.

   </p><p>XXX: sjmurdoch, Erinn: explain what magic we do to satisfy this,
and/or what additional work or auditing needs to be done.
   </p></div><div class="sect2" title="3.5. Cross-Domain Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>3.5. Cross-Domain Identifier Unlinkability</h3></div></div></div><p>

The Tor Browser MUST prevent a user's activity on one site from being linked
to their activity on another site. When this goal cannot yet be met with an
existing web technology, that technology or functionality is disabled. Our
<a class="link" href="#privacy" title="2.2. Privacy Requirements">design goal</a> is to ultimately eliminate the need to disable arbitrary
technologies, and instead simply alter them in ways that allow them to
function in a backwards-compatible way while avoiding linkability. Users
should be able to use federated login of various kinds to explicitly inform
sites who they are, but that information should not transparently allow a
third party to record their activity from site to site without their prior
consent.

   </p><p>

The benefit of this approach comes not only in the form of reduced
linkability, but also in terms of simplified privacy UI. If all stored browser
state and permissions become associated with the top-level url bar domain, the
six or seven different pieces of privacy UI governing these identifiers and
permissions can become just one piece of UI: for instance, a window that lists
the top-level url bar domains for which browser state exists, with the ability
to clear and/or block them, possibly with a context-menu option to drill down
into specific types of state. An example of this simplification can be seen in
Figure 1.

   </p><div class="figure"><a id="id2962771"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>

On the left is the standard Firefox cookie manager. On the right is a mock-up
of how isolating identifiers to the URL bar domain might simplify the privacy
UI for all data, not just cookies. Both windows represent the set of
cookies accumulated after visiting just five sites, but the window on the
right has the option of also representing history, DOM Storage, HTTP Auth,
search form history, login values, and so on within a context menu for each
site.

</div></div></div><br class="figure-break" /><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Cookies
     <p><span class="command"><strong>Design Goal:</strong></span>

All cookies should be double-keyed to the top-level domain. There exists a
<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla
bug</a> that contains a prototype patch, but it lacks UI, and does not
apply to modern Firefoxes.

     </p><p><span class="command"><strong>Implementation Status:</strong></span>

As a stopgap to satisfy our design requirement of unlinkability, we currently
entirely disable 3rd party cookies by setting
<span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
third party content continue to function, but we believe the requirement for
unlinkability trumps that desire.

     </p></li><li class="listitem">Cache
     <p>
Cache is isolated to the top-level url bar domain by using a technique
pioneered by Colin Jackson et al., via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the
<a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>
attribute that Firefox uses internally to prevent improper caching of HTTP POST data.
     </p><p>
However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and
unknown conflicts with OCSP</a>, we had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
Firefox to provide a cacheDomain cache attribute</a>. We use the full
url bar domain as input to this field.
     </p><p>

Furthermore, we chose a different isolation scheme than the Stanford
implementation. First, we decoupled the cache isolation from the third party
cookie attribute. Second, we use several mechanisms to attempt to determine
the actual location attribute of the top-level window (the url bar domain)
used to load the page, as opposed to relying solely on the referer property.
     </p><p>
Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original
Stanford test
cases</a> are expected to fail. Functionality can still be verified by
navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and viewing the key
used for each cache entry. Each third party element should have an additional
"domain=string" property prepended, which will list the top-level url bar
domain that was used to source the third party element.
projects/en/torbrowser/design/index.html.en 500)      </p></li><li class="listitem">HTTP Auth
projects/en/torbrowser/design/index.html.en 501)      <p>
projects/en/torbrowser/design/index.html.en 502) 
projects/en/torbrowser/design/index.html.en 503) HTTP authentication tokens are removed for third party elements using the
projects/en/torbrowser/design/index.html.en 504) <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request
projects/en/torbrowser/design/index.html.en 505) observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
projects/en/torbrowser/design/index.html.en 506) linkability between domains</a>.  We also needed to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch" target="_top">patch
projects/en/torbrowser/design/index.html.en 507) Firefox to cause the headers to get added early enough</a> to allow the
projects/en/torbrowser/design/index.html.en 508) observer to modify them.
projects/en/torbrowser/design/index.html.en 509) 
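The two isolation rules above (the url-bar-domain cache key, and Authorization stripping for third-party requests) modelled as plain functions, as an added example that is not Tor Browser or Torbutton code. The `domain=...:` key format, the two-label "registrable domain" rule (real code would consult the public suffix list) and the `{ url, headers }` request shape are assumptions of this example.

```javascript
// Added example, not Tor Browser or Torbutton code. The registrable-domain
// rule below (last two labels) is a simplification; production code would
// consult the public suffix list.

function registrableDomain(host) {
  const labels = host.toLowerCase().split(".").filter(Boolean);
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

function hostOf(url) {
  return new URL(url).hostname;
}

// True when the request's registrable domain differs from the url bar's.
function isThirdParty(urlBarUrl, requestUrl) {
  return registrableDomain(hostOf(urlBarUrl)) !== registrableDomain(hostOf(requestUrl));
}

// Cache key with the top-level url bar domain prepended, so the same
// third-party resource gets a separate cache entry under each first party.
// The "domain=<urlbar domain>:" prefix format is an assumption.
function isolatedCacheKey(urlBarUrl, resourceUrl) {
  return `domain=${registrableDomain(hostOf(urlBarUrl))}:${resourceUrl}`;
}

// Model of the http-on-modify-request observer: `request` is a constructed
// { url, headers } object. Third-party requests lose any Authorization header
// (matched case-insensitively, as HTTP header names are); first-party
// requests are returned unchanged.
function stripThirdPartyAuth(urlBarUrl, request) {
  if (!isThirdParty(urlBarUrl, request.url)) return request;
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    if (name.toLowerCase() !== "authorization") headers[name] = value;
  }
  return { url: request.url, headers };
}

// Constructed scenario: the same tracking pixel embedded on two sites, and
// the same request made while the tracker's own site is in the url bar.
function demo() {
  const pixel = "https://cdn.tracker.example/p.gif";
  const req = { url: pixel, headers: { Authorization: "Basic EXAMPLE", Accept: "image/*" } };
  return {
    keyOnSiteA: isolatedCacheKey("https://www.site-a.example/news", pixel),
    keyOnSiteB: isolatedCacheKey("https://site-b.example/", pixel),
    onSiteA: stripThirdPartyAuth("https://www.site-a.example/news", req),
    onTrackerSite: stripThirdPartyAuth("https://tracker.example/login", req),
  };
}
```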
projects/en/torbrowser/design/index.html.en 510)      </p></li><li class="listitem">DOM Storage
projects/en/torbrowser/design/index.html.en 511)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 512) 
projects/en/torbrowser/design/index.html.en 513) DOM storage for third party domains MUST BE isolated to the url bar domain,
projects/en/torbrowser/design/index.html.en 514) to prevent linkability between sites.
projects/en/torbrowser/design/index.html.en 515) 
projects/en/torbrowser/design/index.html.en 516)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 517) 
projects/en/torbrowser/design/index.html.en 518) Because DOM storage is isolated to the third party domain, as opposed to the
projects/en/torbrowser/design/index.html.en 519) top-level url bar domain, we entirely disable it as a stopgap to ensure unlinkability.
projects/en/torbrowser/design/index.html.en 520) 
projects/en/torbrowser/design/index.html.en 521)      </p></li><li class="listitem">TLS session resumption and HTTP Keep-Alive
projects/en/torbrowser/design/index.html.en 522)      <p>
projects/en/torbrowser/design/index.html.en 523) TLS session resumption and HTTP Keep-Alive must not allow third party origins
projects/en/torbrowser/design/index.html.en 524) to track users via either TLS session IDs, or the fact that different requests
projects/en/torbrowser/design/index.html.en 525) arrive on the same TCP connection.
projects/en/torbrowser/design/index.html.en 526)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 527) 
projects/en/torbrowser/design/index.html.en 528) TLS session resumption IDs must be limited to the top-level url bar domain.
projects/en/torbrowser/design/index.html.en 529) HTTP Keep-Alive connections from a third party in one top-level domain must
projects/en/torbrowser/design/index.html.en 530) not be reused for that same third party in another top-level domain.
projects/en/torbrowser/design/index.html.en 531) 
projects/en/torbrowser/design/index.html.en 532)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 533) 
projects/en/torbrowser/design/index.html.en 534) We <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4099" target="_top">plan to
projects/en/torbrowser/design/index.html.en 535) disable</a> TLS session resumption, and limit HTTP Keep-Alive duration.
projects/en/torbrowser/design/index.html.en 536) 
projects/en/torbrowser/design/index.html.en 537)      </p></li><li class="listitem">window.name
projects/en/torbrowser/design/index.html.en 538)      <p>
projects/en/torbrowser/design/index.html.en 539) 
projects/en/torbrowser/design/index.html.en 540) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
projects/en/torbrowser/design/index.html.en 541) a magical DOM property that for some reason is allowed to retain a persistent value
projects/en/torbrowser/design/index.html.en 542) for the lifespan of a browser tab. It is possible to utilize this property for
projects/en/torbrowser/design/index.html.en 543) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
projects/en/torbrowser/design/index.html.en 544) storage</a>.
projects/en/torbrowser/design/index.html.en 545) 
projects/en/torbrowser/design/index.html.en 546)      </p><p>
projects/en/torbrowser/design/index.html.en 547) 
projects/en/torbrowser/design/index.html.en 548) In order to eliminate linkability but still allow for sites that utilize this
projects/en/torbrowser/design/index.html.en 549) property to function, we reset the window.name property of tabs in Torbutton every
projects/en/torbrowser/design/index.html.en 550) time we encounter a blank referer. This behavior allows window.name to persist
projects/en/torbrowser/design/index.html.en 551) for the duration of a link-driven navigation session, but as soon as the user
projects/en/torbrowser/design/index.html.en 552) enters a new URL or navigates between https/http schemes, the property is cleared.
projects/en/torbrowser/design/index.html.en 553) 
projects/en/torbrowser/design/index.html.en 554)      </p></li><li class="listitem">Exit node usage
projects/en/torbrowser/design/index.html.en 555)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 556) 
projects/en/torbrowser/design/index.html.en 557) Every distinct navigation session (as defined by a non-blank referer header)
projects/en/torbrowser/design/index.html.en 558) MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node
projects/en/torbrowser/design/index.html.en 559) observers from linking concurrent browsing activity.
projects/en/torbrowser/design/index.html.en 560) 
projects/en/torbrowser/design/index.html.en 561)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 562) 
projects/en/torbrowser/design/index.html.en 563) The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
projects/en/torbrowser/design/index.html.en 564) series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455" target="_top">Ticket
projects/en/torbrowser/design/index.html.en 565) #3455</a> is the Torbutton ticket to make use of the new Tor
projects/en/torbrowser/design/index.html.en 566) functionality.
projects/en/torbrowser/design/index.html.en 567) 
projects/en/torbrowser/design/index.html.en 568)      </p></li></ol></div></div><div class="sect2" title="3.6. Cross-Domain Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>3.6. Cross-Domain Fingerprinting Unlinkability</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 569) 
projects/en/torbrowser/design/index.html.en 570) In order to properly address the fingerprinting adversary on a technical
projects/en/torbrowser/design/index.html.en 571) level, we need a metric to measure linkability of the various browser
projects/en/torbrowser/design/index.html.en 572) properties that extend beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>
projects/en/torbrowser/design/index.html.en 573) by the EFF provides us with exactly this metric. The researchers conducted a
projects/en/torbrowser/design/index.html.en 574) survey of volunteers who were asked to visit an experiment page that harvested
projects/en/torbrowser/design/index.html.en 575) many of the above components. They then computed the Shannon Entropy of the
projects/en/torbrowser/design/index.html.en 576) resulting distribution of each of several key attributes to determine how many
projects/en/torbrowser/design/index.html.en 577) bits of identifying information each attribute provided.
projects/en/torbrowser/design/index.html.en 578) 
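The Panopticlick metric carried through on a small constructed survey, as an added example that is not the EFF's code: Shannon entropy of each attribute, of the combined fingerprint, and the surprisal of one observed value. The survey records and attribute names are constructed for this example.

```javascript
// Added example, not Panopticlick's code: Shannon entropy of surveyed browser
// attributes, H = -sum_i p_i * log2(p_i), in bits. The survey below is
// constructed for this example.

function shannonEntropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Entropy of one attribute across all survey records.
function attributeEntropyBits(records, attribute) {
  return shannonEntropyBits(records.map((r) => String(r[attribute])));
}

// Entropy of the combined fingerprint: the tuple of attributes is one value.
// This is what an adversary actually gets; it is at most the sum of the
// per-attribute entropies and equals it only when attributes are independent.
function jointEntropyBits(records, attributes) {
  return shannonEntropyBits(
    records.map((r) => attributes.map((a) => String(r[a])).join("\u0001"))
  );
}

// Surprisal: how many bits a single observed value reveals (-log2 of its
// frequency). A value unique among n records reveals log2(n) bits.
function surprisalBits(records, attribute, value) {
  const n = records.filter((r) => String(r[attribute]) === String(value)).length;
  return n === 0 ? Infinity : -Math.log2(n / records.length);
}

// Constructed survey of eight visitors. Every visitor reports the same
// timezone (the Tor Browser goal for that attribute), so it contributes 0 bits.
const SURVEY = [
  { userAgent: "UA-A", timezone: "UTC", fonts: "Arial,Verdana" },
  { userAgent: "UA-A", timezone: "UTC", fonts: "Arial,Verdana,Comic Sans" },
  { userAgent: "UA-B", timezone: "UTC", fonts: "Arial,Verdana" },
  { userAgent: "UA-B", timezone: "UTC", fonts: "Arial,Times" },
  { userAgent: "UA-C", timezone: "UTC", fonts: "Arial,Verdana" },
  { userAgent: "UA-C", timezone: "UTC", fonts: "Arial,Verdana,Wingdings" },
  { userAgent: "UA-D", timezone: "UTC", fonts: "Arial,Verdana" },
  { userAgent: "UA-D", timezone: "UTC", fonts: "Verdana" },
];
```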
projects/en/torbrowser/design/index.html.en 579)    </p><p>
projects/en/torbrowser/design/index.html.en 580) 
projects/en/torbrowser/design/index.html.en 581) The study is not exhaustive, though. In particular, the test does not take into
projects/en/torbrowser/design/index.html.en 582) account all aspects of resolution information. It did not calculate the size of
projects/en/torbrowser/design/index.html.en 583) widgets, window decoration, or toolbar size, which we believe may add high
projects/en/torbrowser/design/index.html.en 584) amounts of entropy. It also did not measure clock offset and other time-based
projects/en/torbrowser/design/index.html.en 585) fingerprints. Furthermore, as new browser features are added, this experiment
projects/en/torbrowser/design/index.html.en 586) should be repeated to include them.
projects/en/torbrowser/design/index.html.en 587) 
projects/en/torbrowser/design/index.html.en 588)    </p><p>
projects/en/torbrowser/design/index.html.en 589) 
projects/en/torbrowser/design/index.html.en 590) On the other hand, to avoid an infinite sinkhole, we limit our
projects/en/torbrowser/design/index.html.en 591) fingerprinting-resistance efforts to reducing the
projects/en/torbrowser/design/index.html.en 592) fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. We
projects/en/torbrowser/design/index.html.en 593) do not believe it is productive to concern ourselves with cross-browser
projects/en/torbrowser/design/index.html.en 594) fingerprinting issues, at least not at this stage.
projects/en/torbrowser/design/index.html.en 595) 
projects/en/torbrowser/design/index.html.en 596)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins
projects/en/torbrowser/design/index.html.en 597)      <p>
projects/en/torbrowser/design/index.html.en 598) 
projects/en/torbrowser/design/index.html.en 599) Plugins add to fingerprinting risk via two main vectors: their mere presence in
projects/en/torbrowser/design/index.html.en 600) window.navigator.plugins, as well as their internal functionality.
projects/en/torbrowser/design/index.html.en 601) 
projects/en/torbrowser/design/index.html.en 602)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 603) 
projects/en/torbrowser/design/index.html.en 604) All plugins that have not been specifically audited or sandboxed must be
projects/en/torbrowser/design/index.html.en 605) disabled. To reduce linkability potential, even sandboxed plugins should not
projects/en/torbrowser/design/index.html.en 606) be allowed to load objects until the user has clicked through a click-to-play
projects/en/torbrowser/design/index.html.en 607) barrier.  Additionally, version information should be reduced or obfuscated
projects/en/torbrowser/design/index.html.en 608) until the plugin object is loaded.
projects/en/torbrowser/design/index.html.en 609) 
projects/en/torbrowser/design/index.html.en 610)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 611) 
projects/en/torbrowser/design/index.html.en 612) Currently, we entirely disable all plugins in Tor Browser. However, as a
projects/en/torbrowser/design/index.html.en 613) compromise due to the popularity of Flash, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">work
projects/en/torbrowser/design/index.html.en 614) towards</a> a
projects/en/torbrowser/design/index.html.en 615) click-to-play barrier using NoScript that is available only after the user has
projects/en/torbrowser/design/index.html.en 616) specifically enabled plugins. Flash will be the only plugin available, and we
projects/en/torbrowser/design/index.html.en 617) will ship a settings.sol file to disable Flash cookies, and to restrict P2P
projects/en/torbrowser/design/index.html.en 618) features that likely bypass proxy settings.
projects/en/torbrowser/design/index.html.en 619) 
projects/en/torbrowser/design/index.html.en 620)      </p></li><li class="listitem">Fonts
projects/en/torbrowser/design/index.html.en 621)      <p>
projects/en/torbrowser/design/index.html.en 622) 
projects/en/torbrowser/design/index.html.en 623) According to the Panopticlick study, fonts provide the most linkability when
projects/en/torbrowser/design/index.html.en 624) they are provided as an enumerable list in filesystem order, via either the
projects/en/torbrowser/design/index.html.en 625) Flash or Java plugins. However, it is still possible to use CSS and/or
projects/en/torbrowser/design/index.html.en 626) Javascript to query for the existence of specific fonts. With a large enough
projects/en/torbrowser/design/index.html.en 627) pre-built list to query, a large amount of fingerprintable information may
projects/en/torbrowser/design/index.html.en 628) still be available.
projects/en/torbrowser/design/index.html.en 629) 
projects/en/torbrowser/design/index.html.en 630)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 631) 
projects/en/torbrowser/design/index.html.en 632) To address the Javascript issue, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of
projects/en/torbrowser/design/index.html.en 633) fonts</a> an origin can load, gracefully degrading to built-in and/or
projects/en/torbrowser/design/index.html.en 634) remote fonts once the limit is reached.
projects/en/torbrowser/design/index.html.en 635) 
projects/en/torbrowser/design/index.html.en 636)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 637) 
projects/en/torbrowser/design/index.html.en 638) Aside from disabling plugins to prevent enumeration, we have not yet
projects/en/torbrowser/design/index.html.en 639) implemented any defense against CSS or Javascript fonts.
projects/en/torbrowser/design/index.html.en 640) 
projects/en/torbrowser/design/index.html.en 641)      </p></li><li class="listitem">User Agent and HTTP Headers
projects/en/torbrowser/design/index.html.en 642)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 643) 
projects/en/torbrowser/design/index.html.en 644) All Tor Browser users should provide websites with an identical user agent and
projects/en/torbrowser/design/index.html.en 645) HTTP header set for a given request type. We omit the Firefox minor revision,
projects/en/torbrowser/design/index.html.en 646) and report a popular Windows platform. If the software is kept up to date,
projects/en/torbrowser/design/index.html.en 647) these headers should remain identical across the population even when updated.
projects/en/torbrowser/design/index.html.en 648) 
projects/en/torbrowser/design/index.html.en 649)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 650) 
projects/en/torbrowser/design/index.html.en 651) Firefox provides several options for controlling the browser user agent string
projects/en/torbrowser/design/index.html.en 652) which we leverage. We also set similar prefs for controlling the
projects/en/torbrowser/design/index.html.en 653) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
projects/en/torbrowser/design/index.html.en 654) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0001-Block-Components.interfaces-lookupMethod-from-conten.patch" target="_top">remove
projects/en/torbrowser/design/index.html.en 655) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
projects/en/torbrowser/design/index.html.en 656) used</a> to fingerprint OS, platform, and Firefox minor version.  </p></li><li class="listitem">Desktop resolution and CSS Media Queries
projects/en/torbrowser/design/index.html.en 657)      <p>
projects/en/torbrowser/design/index.html.en 658) 
projects/en/torbrowser/design/index.html.en 659) Both CSS and Javascript expose a lot of information about the screen
projects/en/torbrowser/design/index.html.en 660) resolution, usable desktop size, OS widget size, toolbar size, title bar size, and
projects/en/torbrowser/design/index.html.en 661) other desktop features that is not at all relevant to rendering and serves
projects/en/torbrowser/design/index.html.en 662) only to provide information for fingerprinting.
projects/en/torbrowser/design/index.html.en 663) 
projects/en/torbrowser/design/index.html.en 664)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 665) 
projects/en/torbrowser/design/index.html.en 666) Our design goal here is to reduce the resolution information down to the bare
projects/en/torbrowser/design/index.html.en 667) minimum required for properly rendering inside a content window. We intend to 
projects/en/torbrowser/design/index.html.en 668) report all rendering information correctly with respect to the size and
projects/en/torbrowser/design/index.html.en 669) properties of the content window, but report an effective size of 0 for all
projects/en/torbrowser/design/index.html.en 670) border material, and also report that the desktop is only as big as the
projects/en/torbrowser/design/index.html.en 671) inner content window. Additionally, new browser windows are sized such that 
projects/en/torbrowser/design/index.html.en 672) their content windows are one of ~5 fixed sizes based on the user's
projects/en/torbrowser/design/index.html.en 673) desktop resolution.
projects/en/torbrowser/design/index.html.en 674) 
projects/en/torbrowser/design/index.html.en 675)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 676) 
projects/en/torbrowser/design/index.html.en 677) We have implemented the above strategy for Javascript using Torbutton's <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">JavaScript
projects/en/torbrowser/design/index.html.en 678) hooks</a> as well as a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l4002" target="_top">resize
projects/en/torbrowser/design/index.html.en 679) new windows based on desktop resolution</a>. However, CSS Media Queries
projects/en/torbrowser/design/index.html.en 680) still <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2875" target="_top">need
projects/en/torbrowser/design/index.html.en 681) to be dealt with</a>.
projects/en/torbrowser/design/index.html.en 682) 
projects/en/torbrowser/design/index.html.en 683)      </p></li><li class="listitem">Timezone and clock offset
projects/en/torbrowser/design/index.html.en 684)      <p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 685) 
projects/en/torbrowser/design/index.html.en 686) All Tor Browser users should report the same timezone to websites. Currently,
projects/en/torbrowser/design/index.html.en 687) we choose UTC for this purpose, although an equally valid argument could be
projects/en/torbrowser/design/index.html.en 688) made for EDT/EST due to the large English-speaking population density.
projects/en/torbrowser/design/index.html.en 689) Additionally, the Tor software should detect if the user's clock is
projects/en/torbrowser/design/index.html.en 690) significantly divergent from the clocks of the relays that it connects to, and
projects/en/torbrowser/design/index.html.en 691) use this to reset the clock values used in Tor Browser to something reasonably
projects/en/torbrowser/design/index.html.en 692) accurate.
projects/en/torbrowser/design/index.html.en 693) 
projects/en/torbrowser/design/index.html.en 694)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 695) 
projects/en/torbrowser/design/index.html.en 696) We set the timezone using the TZ environment variable, which is supported on
projects/en/torbrowser/design/index.html.en 697) all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652" target="_top">obtain a clock
projects/en/torbrowser/design/index.html.en 698) offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in
projects/en/torbrowser/design/index.html.en 699) use.
projects/en/torbrowser/design/index.html.en 700) 
projects/en/torbrowser/design/index.html.en 701)      </p></li><li class="listitem">Javascript performance fingerprinting
projects/en/torbrowser/design/index.html.en 702)      <p>
projects/en/torbrowser/design/index.html.en 703) 
projects/en/torbrowser/design/index.html.en 704) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance
projects/en/torbrowser/design/index.html.en 705) fingerprinting</a> is the act of profiling the performance
projects/en/torbrowser/design/index.html.en 706) of various Javascript functions for the purpose of fingerprinting the
projects/en/torbrowser/design/index.html.en 707) Javascript engine and the CPU.
projects/en/torbrowser/design/index.html.en 708) 
projects/en/torbrowser/design/index.html.en 709)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 710) 
projects/en/torbrowser/design/index.html.en 711) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
projects/en/torbrowser/design/index.html.en 712) mitigation approaches</a> to reduce the accuracy of performance
projects/en/torbrowser/design/index.html.en 713) fingerprinting without risking too much damage to functionality. Our current
projects/en/torbrowser/design/index.html.en 714) favorite is to reduce the resolution of the Event.timeStamp and the Javascript
projects/en/torbrowser/design/index.html.en 715) Date() object, while also introducing jitter. Our goal is to increase the
projects/en/torbrowser/design/index.html.en 716) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al.</a> found that
projects/en/torbrowser/design/index.html.en 717) even with the default precision in most browsers, they required up to 120
projects/en/torbrowser/design/index.html.en 718) seconds of amortization and repeated trials to get stable results from their
projects/en/torbrowser/design/index.html.en 719) feature set. We intend to work with the research community to establish the
projects/en/torbrowser/design/index.html.en 720) optimum tradeoff between quantization+jitter and amortization time.
projects/en/torbrowser/design/index.html.en 721) 
projects/en/torbrowser/design/index.html.en 722) 
projects/en/torbrowser/design/index.html.en 723)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 724) 
projects/en/torbrowser/design/index.html.en 725) We have no implementation as of yet.
projects/en/torbrowser/design/index.html.en 726) 
projects/en/torbrowser/design/index.html.en 727)      </p></li><li class="listitem">Keystroke fingerprinting
projects/en/torbrowser/design/index.html.en 728)      <p>
projects/en/torbrowser/design/index.html.en 729) 
projects/en/torbrowser/design/index.html.en 730) Keystroke fingerprinting is the act of measuring key strike time and key
projects/en/torbrowser/design/index.html.en 731) flight time. It is seeing increasing use as a biometric.
projects/en/torbrowser/design/index.html.en 732) 
projects/en/torbrowser/design/index.html.en 733)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 734) 
projects/en/torbrowser/design/index.html.en 735) We intend to rely on the same mechanisms for defeating Javascript performance
projects/en/torbrowser/design/index.html.en 736) fingerprinting: timestamp quantization and jitter.
projects/en/torbrowser/design/index.html.en 737) 
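The timestamp quantization plus jitter named as the planned defense against both Javascript performance fingerprinting and keystroke fingerprinting, as an added example that is not Torbutton code. The design above gives no parameters, so the resolution and jitter values are illustrative assumptions; the example also handles the case a naive implementation gets wrong, a jittered clock that runs backwards.

```javascript
// Added example, not Torbutton code: the design names the approach (quantize
// Event.timeStamp / Date() and add jitter) but not its parameters, so the
// resolution and jitter values used here are illustrative assumptions.

// Deterministic PRNG (mulberry32) so this example is reproducible; a real
// implementation should draw jitter from a cryptographically secure source.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Round `trueMs` down to a multiple of `resolutionMs`, then add jitter
// uniformly drawn from [0, jitterMs).
function fuzzTimestamp(trueMs, resolutionMs, jitterMs, rng) {
  const quantized = Math.floor(trueMs / resolutionMs) * resolutionMs;
  return quantized + rng() * jitterMs;
}

// Jitter alone can make a later reading smaller than an earlier one; a script
// can detect that and average the jitter away, so the clock must never go
// backwards. Each clock instance remembers the last value it handed out.
function makeFuzzedClock(resolutionMs, jitterMs, rng) {
  let last = -Infinity;
  return function now(trueMs) {
    let v = fuzzTimestamp(trueMs, resolutionMs, jitterMs, rng);
    if (v < last) v = last;
    last = v;
    return v;
  };
}

// Elapsed times a script would observe for an operation that truly takes
// `trueDurationMs` (a keystroke flight time, or one benchmark iteration),
// repeated `trials` times with `gapMs` between trials.
function observedDurations(clock, trueDurationMs, trials, gapMs) {
  const seen = [];
  let t = 1000; // constructed start time in ms
  for (let i = 0; i < trials; i++) {
    const start = clock(t);
    const end = clock(t + trueDurationMs);
    seen.push(end - start);
    t += trueDurationMs + gapMs;
  }
  return seen;
}
```

With 100 ms resolution and 100 ms jitter, a 3 ms operation is reported anywhere in [0, 200) ms, which is why the paper's amortization over many trials becomes the attacker's only recourse.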
projects/en/torbrowser/design/index.html.en 738)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 739) We have no implementation as of yet.
projects/en/torbrowser/design/index.html.en 740)      </p></li><li class="listitem">WebGL
projects/en/torbrowser/design/index.html.en 741)      <p>
projects/en/torbrowser/design/index.html.en 742) 
projects/en/torbrowser/design/index.html.en 743) WebGL is fingerprintable both through information that is exposed about the
projects/en/torbrowser/design/index.html.en 744) underlying driver and optimizations, as well as through performance
projects/en/torbrowser/design/index.html.en 745) fingerprinting.
projects/en/torbrowser/design/index.html.en 746) 
projects/en/torbrowser/design/index.html.en 747)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 748) 
projects/en/torbrowser/design/index.html.en 749) Because of the large amount of potential fingerprinting vectors, we intend to
projects/en/torbrowser/design/index.html.en 750) deploy a similar strategy against WebGL as for plugins. First, WebGL canvases
projects/en/torbrowser/design/index.html.en 751) will have click-to-play placeholders, and will not run until authorized by the
projects/en/torbrowser/design/index.html.en 752) user. Second, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3323" target="_top">obfuscate driver
projects/en/torbrowser/design/index.html.en 753) information</a> by hooking
projects/en/torbrowser/design/index.html.en 754) <span class="command"><strong>getParameter()</strong></span>,
projects/en/torbrowser/design/index.html.en 755) <span class="command"><strong>getSupportedExtensions()</strong></span>,
projects/en/torbrowser/design/index.html.en 756) <span class="command"><strong>getExtension()</strong></span>, and
projects/en/torbrowser/design/index.html.en 757) <span class="command"><strong>getContextAttributes()</strong></span> to provide standard minimal,
projects/en/torbrowser/design/index.html.en 758) driver-neutral information.
projects/en/torbrowser/design/index.html.en 759) 
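The hooking strategy for the four WebGL query methods, as an added example that is not Torbutton code: each is wrapped so that driver-identifying answers are replaced by fixed ones. The fake context, the neutral strings and the extension allowlist are constructed for this example; the enum values are the standard GL ones. A real implementation must hook at browser (chrome) level, since, as noted elsewhere on this page, content script can undo hooks installed in its own scope.

```javascript
// Added example, not Torbutton code. The fake context, neutral values and
// extension allowlist below are constructed; GL enum values are standard.

const GL_VENDOR = 0x1f00;
const GL_RENDERER = 0x1f01;
const GL_VERSION = 0x1f02;
const GL_MAX_TEXTURE_SIZE = 0x0d33;

// What every user reports after hooking (constructed values). The allowlist
// should contain only extensions every Tor Browser user can actually supply,
// otherwise the reported set differs between users and is itself a fingerprint.
const NEUTRAL = {
  parameters: {
    [GL_VENDOR]: "Neutral Vendor",
    [GL_RENDERER]: "Neutral Renderer",
    [GL_VERSION]: "WebGL 1.0",
  },
  allowedExtensions: ["OES_texture_float"],
  contextAttributes: { alpha: true, antialias: false, preserveDrawingBuffer: false },
};

function neutralizeWebGL(ctx, neutral) {
  const origGetParameter = ctx.getParameter.bind(ctx);
  const origGetSupportedExtensions = ctx.getSupportedExtensions.bind(ctx);
  const origGetExtension = ctx.getExtension.bind(ctx);

  // Hooked parameters get the neutral value; everything else passes through.
  ctx.getParameter = function (pname) {
    return Object.prototype.hasOwnProperty.call(neutral.parameters, pname)
      ? neutral.parameters[pname]
      : origGetParameter(pname);
  };
  // Only allowlisted extensions are enumerable ...
  ctx.getSupportedExtensions = function () {
    return origGetSupportedExtensions().filter((e) => neutral.allowedExtensions.includes(e));
  };
  // ... and only those can be obtained, so e.g. WEBGL_debug_renderer_info
  // (which exposes the unmasked renderer string) is never handed out.
  ctx.getExtension = function (name) {
    return neutral.allowedExtensions.includes(name) ? origGetExtension(name) : null;
  };
  // Context attributes are reported as a fixed set regardless of what the
  // driver actually granted.
  ctx.getContextAttributes = function () {
    return { ...neutral.contextAttributes };
  };
  return ctx;
}

// Constructed stand-in for a real WebGLRenderingContext.
function makeFakeContext() {
  const params = {
    [GL_VENDOR]: "Example GPU Corp",
    [GL_RENDERER]: "Example Model 9000 (driver 123.45)",
    [GL_VERSION]: "WebGL 1.0 (Example build 678)",
    [GL_MAX_TEXTURE_SIZE]: 16384,
  };
  const exts = ["OES_texture_float", "WEBGL_debug_renderer_info", "EXT_texture_filter_anisotropic"];
  return {
    getParameter: (p) => params[p],
    getSupportedExtensions: () => exts.slice(),
    getExtension: (name) => (exts.includes(name) ? { name } : null),
    getContextAttributes: () => ({ alpha: true, antialias: true, preserveDrawingBuffer: false }),
  };
}
```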
projects/en/torbrowser/design/index.html.en 760)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 761) 
projects/en/torbrowser/design/index.html.en 762) Currently we simply disable WebGL. 
projects/en/torbrowser/design/index.html.en 763) 
projects/en/torbrowser/design/index.html.en 764)      </p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 765) In order to avoid long-term linkability, we provide a "New Identity" context
projects/en/torbrowser/design/index.html.en 766) menu option in Torbutton.
projects/torbrowser/design/index.html.en    767)    </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2991890"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
projects/en/torbrowser/design/index.html.en 768) 
projects/en/torbrowser/design/index.html.en 769) All linkable identifiers and browser state should be cleared by this feature.
projects/en/torbrowser/design/index.html.en 770) 
projects/torbrowser/design/index.html.en    771)     </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id3007443"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
projects/en/torbrowser/design/index.html.en 772)    First, Torbutton disables
projects/en/torbrowser/design/index.html.en 773) all open tabs and windows via nsIContentPolicy blocking, and then closes each
projects/en/torbrowser/design/index.html.en 774) tab and window. The extra step for blocking tabs is done as a precaution to
projects/en/torbrowser/design/index.html.en 775) ensure that any asynchronous Javascript is in fact properly disabled. After
projects/en/torbrowser/design/index.html.en 776) closing all of the windows, we then clear the following state: OCSP (by
projects/en/torbrowser/design/index.html.en 777) toggling security.OCSP.enabled), cache, site-specific zoom and content
projects/en/torbrowser/design/index.html.en 778) preferences, Cookies, DOM storage, safe browsing key, the Google wifi
projects/en/torbrowser/design/index.html.en 779) geolocation token (if it exists), HTTP auth, SSL Session IDs, and the last opened URL
projects/en/torbrowser/design/index.html.en 780) field (via the pref general.open_location.last_url). After clearing the
projects/en/torbrowser/design/index.html.en 781) browser state, we then send the NEWNYM signal to the Tor control port to cause
projects/en/torbrowser/design/index.html.en 782) a new circuit to be created.
projects/en/torbrowser/design/index.html.en 783)     </blockquote></div></div></div><div class="sect2" title="3.8. Click-to-play for plugins and invasive content"><div class="titlepage"><div><div><h3 class="title"><a id="click-to-play"></a>3.8. Click-to-play for plugins and invasive content</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 784) Some content types are too invasive and/or too opaque for us to properly
projects/en/torbrowser/design/index.html.en 785) eliminate their linkability properties. For these content types, we use
projects/en/torbrowser/design/index.html.en 786) NoScript to provide click-to-play placeholders that do not activate the
projects/en/torbrowser/design/index.html.en 787) content until the user clicks on it. This will eliminate the ability for an
projects/en/torbrowser/design/index.html.en 788) adversary to use such content types to link users in a dragnet fashion across
projects/en/torbrowser/design/index.html.en 789) arbitrary sites.
projects/en/torbrowser/design/index.html.en 790)    </p><p>
projects/en/torbrowser/design/index.html.en 791) Currently, the content types isolated in this way include Flash, WebGL, and
projects/en/torbrowser/design/index.html.en 792) audio and video objects.
projects/en/torbrowser/design/index.html.en 793)    </p></div><div class="sect2" title="3.9. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"></a>3.9. Description of Firefox Patches</h3></div></div></div><p>
projects/en/torbrowser/design/index.html.en 794) The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/refs/heads/maint-2.2:/src/current-patches" target="_top">current-patches
projects/en/torbrowser/design/index.html.en 795) directory of the torbrowser git repository</a>. They are:
projects/en/torbrowser/design/index.html.en 796)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Block Components.interfaces and Components.lookupMethod
projects/en/torbrowser/design/index.html.en 797)      <p>
projects/en/torbrowser/design/index.html.en 798) 
projects/en/torbrowser/design/index.html.en 799) In order to reduce fingerprinting, we block access to these two interfaces
projects/en/torbrowser/design/index.html.en 800) from content script. Components.lookupMethod can undo our <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">Javascript
projects/en/torbrowser/design/index.html.en 801) hooks</a>,
projects/en/torbrowser/design/index.html.en 802) and Components.interfaces can be used for fingerprinting the platform, OS, and
projects/en/torbrowser/design/index.html.en 803) Firefox version, but not much else.
projects/en/torbrowser/design/index.html.en 804) 
projects/en/torbrowser/design/index.html.en 805)      </p></li><li class="listitem">Make Permissions Manager memory only
projects/en/torbrowser/design/index.html.en 806)      <p>
projects/en/torbrowser/design/index.html.en 807) 
projects/en/torbrowser/design/index.html.en 808) This patch exposes a pref 'permissions.memory_only' that confines the
projects/en/torbrowser/design/index.html.en 809) permissions manager to memory. The permissions manager is responsible for all
projects/en/torbrowser/design/index.html.en 810) user-specified site permissions, as well as the HTTPS STS policy stored from visited sites.
projects/en/torbrowser/design/index.html.en 811) 
projects/en/torbrowser/design/index.html.en 812) The pref successfully clears the permissions manager memory when toggled. It
projects/en/torbrowser/design/index.html.en 813) does not need to be set in prefs.js, and can be handled by Torbutton.
projects/en/torbrowser/design/index.html.en 814) 
projects/en/torbrowser/design/index.html.en 815)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 816) 
projects/en/torbrowser/design/index.html.en 817) As an additional design goal, we would like to later alter this patch to allow this
projects/en/torbrowser/design/index.html.en 818) information to be cleared from memory. The implementation does not currently
projects/en/torbrowser/design/index.html.en 819) allow this.
projects/en/torbrowser/design/index.html.en 820) 
projects/en/torbrowser/design/index.html.en 821)      </p></li><li class="listitem">Make Intermediate Cert Store memory-only
projects/en/torbrowser/design/index.html.en 822)      <p>
projects/en/torbrowser/design/index.html.en 823) 
projects/en/torbrowser/design/index.html.en 824) The intermediate certificate store holds information about SSL certificates
projects/en/torbrowser/design/index.html.en 825) that may only be used by a limited number of domains. In some cases, storing
projects/en/torbrowser/design/index.html.en 826) them effectively records on disk the fact that a website owned by a certain
projects/en/torbrowser/design/index.html.en 827) organization was viewed.
projects/en/torbrowser/design/index.html.en 828) 
projects/en/torbrowser/design/index.html.en 829)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 830) 
projects/en/torbrowser/design/index.html.en 831) As an additional design goal, we would like to later alter this patch to allow this
projects/en/torbrowser/design/index.html.en 832) information to be cleared from memory. The implementation does not currently
projects/en/torbrowser/design/index.html.en 833) allow this.
projects/en/torbrowser/design/index.html.en 834) 
projects/en/torbrowser/design/index.html.en 835)      </p></li><li class="listitem">Add HTTP auth headers before on-modify-request fires
projects/en/torbrowser/design/index.html.en 836)      <p>
projects/en/torbrowser/design/index.html.en 837) 
projects/en/torbrowser/design/index.html.en 838) This patch provides a trivial modification to allow us to properly remove HTTP
projects/en/torbrowser/design/index.html.en 839) auth for third parties. This patch allows us to defend against an adversary
projects/en/torbrowser/design/index.html.en 840) attempting to use <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">HTTP
projects/en/torbrowser/design/index.html.en 841) auth to silently track users between domains</a>.
projects/en/torbrowser/design/index.html.en 842) 
projects/en/torbrowser/design/index.html.en 843)      </p></li><li class="listitem">Add a string-based cacheKey property for domain isolation
projects/en/torbrowser/design/index.html.en 844)      <p>
projects/en/torbrowser/design/index.html.en 845) 
projects/en/torbrowser/design/index.html.en 846) To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
projects/en/torbrowser/design/index.html.en 847) security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and
projects/en/torbrowser/design/index.html.en 848) unknown conflicts with OCSP</a>, we had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
projects/en/torbrowser/design/index.html.en 849) Firefox to provide a cacheDomain cache attribute</a>. We use the full
projects/en/torbrowser/design/index.html.en 850) url bar domain as input to this field.
projects/en/torbrowser/design/index.html.en 851) 
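As an added example (not code from the torbrowser repository or from Firefox), the following JavaScript models the two defenses just described, the URL-bar-domain cache key and the removal of HTTP auth from third-party requests; the function and class names, the sample hostnames, and the subdomain rule for auth are assumptions.

```javascript
// Added example, not Tor Browser or Firefox code: a toy model of keying
// browser state on the URL-bar domain, as the cacheKey and HTTP-auth patches
// above describe. Function and class names here are assumptions.

// Cache key = URL-bar domain + resource URL, so one third-party resource
// embedded on two first-party sites gets two separate entries and a cache
// hit can no longer reveal that the same user visited both sites.
function isolatedCacheKey(urlBarDomain, resourceUrl) {
  return `${urlBarDomain}|${resourceUrl}`;
}

class IsolatedCache {
  constructor() { this.entries = new Map(); }
  store(urlBarDomain, resourceUrl, body) {
    this.entries.set(isolatedCacheKey(urlBarDomain, resourceUrl), body);
  }
  lookup(urlBarDomain, resourceUrl) {
    return this.entries.get(isolatedCacheKey(urlBarDomain, resourceUrl));
  }
}

// HTTP auth credentials are attached only to requests for the URL-bar domain
// itself or one of its subdomains (the subdomain rule is an assumption);
// third-party requests go out without them, so stored auth state cannot be
// used to follow a user from one site to another.
function shouldSendAuth(urlBarDomain, requestHost) {
  return requestHost === urlBarDomain || requestHost.endsWith('.' + urlBarDomain);
}

// Walk through the scenario with constructed sample hostnames and URLs.
function demo() {
  const cache = new IsolatedCache();
  const tracker = 'http://tracker.example/pixel.gif';
  cache.store('site-a.example', tracker, 'entry-for-A'); // fetched on site A
  return {
    hitFromA: cache.lookup('site-a.example', tracker),   // 'entry-for-A'
    hitFromB: cache.lookup('site-b.example', tracker),   // undefined: refetched
    authToFirstParty: shouldSendAuth('site-a.example', 'www.site-a.example'),
    authToThirdParty: shouldSendAuth('site-a.example', 'tracker.example'),
  };
}
```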
projects/en/torbrowser/design/index.html.en 852)      </p></li><li class="listitem">Randomize HTTP pipeline order and depth
projects/en/torbrowser/design/index.html.en 853)      <p>
projects/en/torbrowser/design/index.html.en 854) As an 
projects/en/torbrowser/design/index.html.en 855) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
projects/en/torbrowser/design/index.html.en 856) defense against Website Traffic Fingerprinting</a>, we patch the standard
projects/en/torbrowser/design/index.html.en 857) HTTP pipelining code to randomize the number of requests in a
projects/en/torbrowser/design/index.html.en 858) pipeline, as well as their order.
projects/en/torbrowser/design/index.html.en 859)      </p></li><li class="listitem">Block all plugins except flash
projects/en/torbrowser/design/index.html.en 860)      <p>
projects/en/torbrowser/design/index.html.en 861) We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1" target="_top">
projects/en/torbrowser/design/index.html.en 862) @mozilla.org/extensions/blocklist;1</a> service, because we
projects/en/torbrowser/design/index.html.en 863) actually want to stop plugins from ever entering the browser's process space
projects/en/torbrowser/design/index.html.en 864) and/or executing code (for example, AV plugins that collect statistics/analyze
projects/en/torbrowser/design/index.html.en 865) URLs, magical toolbars that phone home or "help" the user, Skype buttons that
projects/en/torbrowser/design/index.html.en 866) ruin our day, and censorship filters). Hence we rolled our own.
projects/en/torbrowser/design/index.html.en 867)      </p></li><li class="listitem">Make content-prefs service memory only
projects/en/torbrowser/design/index.html.en 868)      <p>
projects/en/torbrowser/design/index.html.en 869) This patch prevents random URLs from being inserted into content-prefs.sqlite in
projects/en/torbrowser/design/index.html.en 870) the profile directory as content prefs change (this includes per-site zoom and
projects/en/torbrowser/design/index.html.en 871) perhaps other site prefs).
projects/torbrowser/design/index.html.en    872)      </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2974027"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2999979"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id3006218"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>