projects/torbrowser/design/index.html.en (a7dd6f907) - tor-webwml.git

a7dd6f907400a58ad25fee24c26287dbcb8397a9

Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 1) <?xml version="1.0" encoding="UTF-8"?> projects/en/torbrowser/design/index.html.en 2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
Describe our efforts agains... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 3) <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 4 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2857732">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2857732"></a>1. Introduction</h2></div></div></div><p>
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 4) projects/en/torbrowser/design/index.html.en 5) This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>, projects/en/torbrowser/design/index.html.en 6) <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, projects/en/torbrowser/design/index.html.en 7) <a class="link" href="#Implementation" title="3. Implementation">implementation</a>, <a class="link" href="#Packaging" title="4. Packaging">packaging</a> and <a class="link" href="#Testing" title="5. Testing">testing projects/en/torbrowser/design/index.html.en 8) procedures</a> of the Tor Browser. It is
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 9) current as of Tor Browser 2.2.33-3.`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 10) projects/en/torbrowser/design/index.html.en 11) </p><p> projects/en/torbrowser/design/index.html.en 12) projects/en/torbrowser/design/index.html.en 13) This document is also meant to serve as a set of design requirements and to projects/en/torbrowser/design/index.html.en 14) describe a reference implementation of a Private Browsing Mode that defends`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 15) against active network adversaries, in addition to the passive forensic local projects/torbrowser/design/index.html.en 16) adversary currently addressed by the major browsers.`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 17) projects/en/torbrowser/design/index.html.en 18) </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 19) projects/en/torbrowser/design/index.html.en 20) A Tor web browser adversary has a number of goals, capabilities, and attack projects/en/torbrowser/design/index.html.en 21) types that can be used to guide us towards a set of requirements for the projects/en/torbrowser/design/index.html.en 22) Tor Browser. Let's start with the goals. projects/en/torbrowser/design/index.html.en 23) projects/en/torbrowser/design/index.html.en 24) </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of projects/en/torbrowser/design/index.html.en 25) Tor, causing the user to directly connect to an IP of the adversary's projects/en/torbrowser/design/index.html.en 26) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely projects/en/torbrowser/design/index.html.en 27) happily settle for the ability to correlate something a user did via Tor with projects/en/torbrowser/design/index.html.en 28) their non-Tor activity. This can be done with cookies, cache identifiers, projects/en/torbrowser/design/index.html.en 29) javascript events, and even CSS. Sometimes the fact that a user uses Tor may projects/en/torbrowser/design/index.html.en 30) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p> projects/en/torbrowser/design/index.html.en 31) The adversary may also be interested in history disclosure: the ability to projects/en/torbrowser/design/index.html.en 32) query a user's history to see if they have issued certain censored search projects/en/torbrowser/design/index.html.en 33) queries, or visited censored sites. projects/en/torbrowser/design/index.html.en 34) </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p> projects/en/torbrowser/design/index.html.en 35) projects/en/torbrowser/design/index.html.en 36) Location information such as timezone and locality can be useful for the projects/en/torbrowser/design/index.html.en 37) adversary to determine if a user is in fact originating from one of the projects/en/torbrowser/design/index.html.en 38) regions they are attempting to control, or to zero-in on the geographical projects/en/torbrowser/design/index.html.en 39) location of a particular dissident or whistleblower. projects/en/torbrowser/design/index.html.en 40) projects/en/torbrowser/design/index.html.en 41) </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p> projects/en/torbrowser/design/index.html.en 42) projects/en/torbrowser/design/index.html.en 43) Anonymity set reduction is also useful in attempting to zero in on a projects/en/torbrowser/design/index.html.en 44) particular individual. If the dissident or whistleblower is using a rare build projects/en/torbrowser/design/index.html.en 45) of Firefox for an obscure operating system, this can be very useful projects/en/torbrowser/design/index.html.en 46) information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>. projects/en/torbrowser/design/index.html.en 47) projects/en/torbrowser/design/index.html.en 48) </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk projects/en/torbrowser/design/index.html.en 49) information</strong></span><p> projects/en/torbrowser/design/index.html.en 50) In some cases, the adversary may opt for a heavy-handed approach, such as projects/en/torbrowser/design/index.html.en 51) seizing the computers of all Tor users in an area (especially after narrowing projects/en/torbrowser/design/index.html.en 52) the field by the above two pieces of information). History records and cache projects/en/torbrowser/design/index.html.en 53) data are the primary goals here. projects/en/torbrowser/design/index.html.en 54) </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p> projects/en/torbrowser/design/index.html.en 55) The adversary can position themselves at a number of different locations in projects/en/torbrowser/design/index.html.en 56) order to execute their attacks. projects/en/torbrowser/design/index.html.en 57) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p> projects/en/torbrowser/design/index.html.en 58) The adversary can run exit nodes, or alternatively, they may control routers projects/en/torbrowser/design/index.html.en 59) upstream of exit nodes. Both of these scenarios have been observed in the projects/en/torbrowser/design/index.html.en 60) wild. projects/en/torbrowser/design/index.html.en 61) </p></li><li class="listitem"><span class="command"><strong>Adservers and/or Malicious Websites</strong></span><p> projects/en/torbrowser/design/index.html.en 62) The adversary can also run websites, or more likely, they can contract out projects/en/torbrowser/design/index.html.en 63) ad space from a number of different adservers and inject content that way. For projects/en/torbrowser/design/index.html.en 64) some users, the adversary may be the adservers themselves. It is not projects/en/torbrowser/design/index.html.en 65) inconceivable that adservers may try to subvert or reduce a user's anonymity projects/en/torbrowser/design/index.html.en 66) through Tor for marketing purposes. projects/en/torbrowser/design/index.html.en 67) </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p> projects/en/torbrowser/design/index.html.en 68) The adversary can also inject malicious content at the user's upstream router projects/en/torbrowser/design/index.html.en 69) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor projects/en/torbrowser/design/index.html.en 70) activity. projects/en/torbrowser/design/index.html.en 71) </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p> projects/en/torbrowser/design/index.html.en 72) Some users face adversaries with intermittent or constant physical access. projects/en/torbrowser/design/index.html.en 73) Users in Internet cafes, for example, face such a threat. In addition, in projects/en/torbrowser/design/index.html.en 74) countries where simply using tools like Tor is illegal, users may face projects/en/torbrowser/design/index.html.en 75) confiscation of their computer equipment for excessive Tor usage or just projects/en/torbrowser/design/index.html.en 76) general suspicion. projects/en/torbrowser/design/index.html.en 77) </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p> projects/en/torbrowser/design/index.html.en 78) projects/en/torbrowser/design/index.html.en 79) The adversary can perform the following attacks from a number of different projects/en/torbrowser/design/index.html.en 80) positions to accomplish various aspects of their goals. It should be noted projects/en/torbrowser/design/index.html.en 81) that many of these attacks (especially those involving IP address leakage) are projects/en/torbrowser/design/index.html.en 82) often performed by accident by websites that simply have Javascript, dynamic projects/en/torbrowser/design/index.html.en 83) CSS elements, and plugins. Others are performed by adservers seeking to projects/en/torbrowser/design/index.html.en 84) correlate users' activity across different IP addresses, and still others are projects/en/torbrowser/design/index.html.en 85) performed by malicious agents on the Tor network and at national firewalls. projects/en/torbrowser/design/index.html.en 86)
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 87) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 88)`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 89) The browser contains multiple facilities for storing identifiers that the projects/torbrowser/design/index.html.en 90) adversary creates for the purposes of tracking users. These identifiers are projects/torbrowser/design/index.html.en 91) most obviously cookies, but also include HTTP auth, DOM storage, cached projects/torbrowser/design/index.html.en 92) scripts and other elements with embedded identifiers, client certificates, and projects/torbrowser/design/index.html.en 93) even TLS Session IDs.
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 94)`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 95) </p><p>`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 96) projects/en/torbrowser/design/index.html.en 97) An adversary in a position to perform MITM content alteration can inject projects/en/torbrowser/design/index.html.en 98) document content elements to both read and inject cookies for arbitrary`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 99) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 100) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active projects/en/torbrowser/design/index.html.en 101) sidejacking</a>. In addition, the ad networks of course perform tracking projects/en/torbrowser/design/index.html.en 102) with cookies as well. projects/en/torbrowser/design/index.html.en 103) projects/en/torbrowser/design/index.html.en 104) </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser projects/en/torbrowser/design/index.html.en 105) attributes</strong></span><p> projects/en/torbrowser/design/index.html.en 106) projects/en/torbrowser/design/index.html.en 107) There is an absurd amount of information available to websites via attributes projects/en/torbrowser/design/index.html.en 108) of the browser. This information can be used to reduce anonymity set, or even
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 109) uniquely fingerprint individual users. Fingerprinting is an intimidating projects/torbrowser/design/index.html.en 110) problem to attempt to tackle, especially without a metric to determine or at projects/torbrowser/design/index.html.en 111) least intuitively understand and estimate which features will most contribute projects/torbrowser/design/index.html.en 112) to linkability between visits. projects/torbrowser/design/index.html.en 113) projects/torbrowser/design/index.html.en 114) </p><p> projects/torbrowser/design/index.html.en 115) projects/torbrowser/design/index.html.en 116) The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study projects/torbrowser/design/index.html.en 117) done</a> by the EFF uses the actual entropy - the number of identifying projects/torbrowser/design/index.html.en 118) bits of information encoded in browser properties - as this metric. Their projects/torbrowser/design/index.html.en 119) <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> projects/torbrowser/design/index.html.en 120) is definitely useful, and the metric is probably the appropriate one for
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 121) determining how identifying a particular browser property is. However, some projects/en/torbrowser/design/index.html.en 122) quirks of their study means that they do not extract as much information as projects/en/torbrowser/design/index.html.en 123) they could from display information: they only use desktop resolution (which projects/en/torbrowser/design/index.html.en 124) Torbutton reports as the window resolution) and do not attempt to infer the`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 125) size of toolbars. In the other direction, they may be over-counting in some projects/torbrowser/design/index.html.en 126) areas, as they did not compute joint entropy over multiple attributes that may projects/torbrowser/design/index.html.en 127) exhibit a high degree of correlation. Also, new browser features are added projects/torbrowser/design/index.html.en 128) regularly, so the data should not be taken as final. projects/torbrowser/design/index.html.en 129) projects/torbrowser/design/index.html.en 130) </p><p> projects/torbrowser/design/index.html.en 131) projects/torbrowser/design/index.html.en 132) Despite the uncertainty, all fingerprinting attacks leverage the following projects/torbrowser/design/index.html.en 133) attack vectors: projects/torbrowser/design/index.html.en 134) projects/torbrowser/design/index.html.en 135) </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p> projects/torbrowser/design/index.html.en 136) projects/torbrowser/design/index.html.en 137) Properties of the user's request behavior comprise the bulk of low-hanging projects/torbrowser/design/index.html.en 138) fingerprinting targets. These include: User agent, Accept-* headers, pipeline projects/torbrowser/design/index.html.en 139) usage, and request ordering. Additionally, the use of custom filters such as projects/torbrowser/design/index.html.en 140) AdBlock and other privacy filters can be used to fingerprint request patterns projects/torbrowser/design/index.html.en 141) (as an extreme example). projects/torbrowser/design/index.html.en 142) projects/torbrowser/design/index.html.en 143) </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 144)`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 145) Javascript can reveal a lot of fingerprinting information. It provides DOM projects/torbrowser/design/index.html.en 146) objects, just as window.screen and window.navigator to extract information projects/torbrowser/design/index.html.en 147) about the useragent. Also, Javascript can be used to query the user's timezone projects/torbrowser/design/index.html.en 148) via the <code class="function">Date()</code> object, and to use timing information to projects/torbrowser/design/index.html.en 149) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU projects/torbrowser/design/index.html.en 150) and interpreter speed</a>.
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 151) projects/en/torbrowser/design/index.html.en 152)`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 153) projects/torbrowser/design/index.html.en 154) </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p> projects/torbrowser/design/index.html.en 155) projects/torbrowser/design/index.html.en 156) The Panopticlick project found that the mere list of installed plugins (in projects/torbrowser/design/index.html.en 157) navigator.plugins) was sufficient to provide a large degree of projects/torbrowser/design/index.html.en 158) fingerprintability. Additionally, plugins are capable of extracting font lists, projects/torbrowser/design/index.html.en 159) interface addresses, and other machine information that is beyond what the projects/torbrowser/design/index.html.en 160) browser would normally provide to content. In addition, plugins can be used to projects/torbrowser/design/index.html.en 161) store unique identifiers that are more difficult to clear than standard projects/torbrowser/design/index.html.en 162) cookies. <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based projects/torbrowser/design/index.html.en 163) cookies</a> fall into this category, but there are likely numerous other projects/torbrowser/design/index.html.en 164) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy projects/torbrowser/design/index.html.en 165) settings of the browser. projects/torbrowser/design/index.html.en 166) projects/torbrowser/design/index.html.en 167) projects/torbrowser/design/index.html.en 168) </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p> projects/torbrowser/design/index.html.en 169) projects/torbrowser/design/index.html.en 170) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media projects/torbrowser/design/index.html.en 171) queries</a> can be inserted to gather information about the desktop size, projects/torbrowser/design/index.html.en 172) widget size, display type, DPI, user agent type, and other information that projects/torbrowser/design/index.html.en 173) was formerly available only to Javascript. projects/torbrowser/design/index.html.en 174) projects/torbrowser/design/index.html.en 175) </p></li></ol></div></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 176) OS</strong></span><p> projects/en/torbrowser/design/index.html.en 177) projects/en/torbrowser/design/index.html.en 178) Last, but definitely not least, the adversary can exploit either general projects/en/torbrowser/design/index.html.en 179) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to projects/en/torbrowser/design/index.html.en 180) install malware and surveillance software. An adversary with physical access projects/en/torbrowser/design/index.html.en 181) can perform similar actions. Regrettably, this last attack capability is projects/en/torbrowser/design/index.html.en 182) outside of our ability to defend against, but it is worth mentioning for projects/en/torbrowser/design/index.html.en 183) completeness. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails projects/en/torbrowser/design/index.html.en 184) system</a> however can provide some limited defenses against this projects/en/torbrowser/design/index.html.en 185) adversary. projects/en/torbrowser/design/index.html.en 186) projects/en/torbrowser/design/index.html.en 187) </p></li></ol></div></div></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p> projects/en/torbrowser/design/index.html.en 188) projects/en/torbrowser/design/index.html.en 189) The Tor Browser Design Requirements are meant to describe the properties of a
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 190) Private Browsing Mode that defends against both network and forensic adversaries.`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 191) projects/en/torbrowser/design/index.html.en 192) </p><p> projects/en/torbrowser/design/index.html.en 193) projects/en/torbrowser/design/index.html.en 194) There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 195) minimum properties in order for a browser to be able to support Tor and projects/torbrowser/design/index.html.en 196) similar privacy proxies safely. Privacy requirements are the set of properties projects/torbrowser/design/index.html.en 197) that cause us to prefer one browser platform over another.`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 198) projects/en/torbrowser/design/index.html.en 199) </p><p> projects/en/torbrowser/design/index.html.en 200)`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 201) While we will endorse the use of browsers that meet the security requirements, projects/torbrowser/design/index.html.en 202) it is primarily the privacy requirements that cause us to maintain our own projects/torbrowser/design/index.html.en 203) browser distribution. projects/torbrowser/design/index.html.en 204) projects/torbrowser/design/index.html.en 205) </p><p> projects/torbrowser/design/index.html.en 206) projects/torbrowser/design/index.html.en 207) The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL projects/torbrowser/design/index.html.en 208) NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and projects/torbrowser/design/index.html.en 209) "OPTIONAL" in this document are to be interpreted as described in projects/torbrowser/design/index.html.en 210) <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 211) projects/en/torbrowser/design/index.html.en 212) </p><div class="sect2" title="2.1. Security Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 213) projects/en/torbrowser/design/index.html.en 214) The security requirements are primarily concerned with ensuring the safe use projects/en/torbrowser/design/index.html.en 215) of Tor. Violations in these properties typically result in serious risk for
Add a couple extra sentence... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 216) the user in terms of immediate deanonymization and/or observability. With projects/torbrowser/design/index.html.en 217) respect to platform support, security requirements are the minimum properties projects/torbrowser/design/index.html.en 218) in order for Tor to support the use of a web client platform.`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 219) projects/en/torbrowser/design/index.html.en 220) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Proxy Obedience</strong></span><p>The browser projects/en/torbrowser/design/index.html.en 221) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><span class="command"><strong>State Separation</strong></span><p>The browser MUST NOT provide any stored state to the content window projects/en/torbrowser/design/index.html.en 222) from other browsers or other browsing modes, including shared state from projects/en/torbrowser/design/index.html.en 223) plugins, machine identifiers, and TLS session state.
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 224) </p></li><li class="listitem"><span class="command"><strong>Disk Avoidance</strong></span><p> projects/torbrowser/design/index.html.en 225) projects/torbrowser/design/index.html.en 226) The browser MUST NOT write any information that is derived from or that projects/torbrowser/design/index.html.en 227) reveals browsing activity to the disk, or store it in memory beyond the projects/torbrowser/design/index.html.en 228) duration of one browsing session, unless the user has explicitly opted to projects/torbrowser/design/index.html.en 229) store their browsing history information to disk. projects/torbrowser/design/index.html.en 230) projects/torbrowser/design/index.html.en 231) </p></li><li class="listitem"><span class="command"><strong>Application Data Isolation</strong></span><p> projects/torbrowser/design/index.html.en 232) projects/torbrowser/design/index.html.en 233) The components involved in providing private browsing MUST BE self-contained, projects/torbrowser/design/index.html.en 234) or MUST provide a mechanism for rapid, complete removal of all evidence of the projects/torbrowser/design/index.html.en 235) use of the mode. In other words, the browser MUST NOT write or cause the projects/torbrowser/design/index.html.en 236) operating system to write <span class="emphasis"><em>any information</em></span> about the use projects/torbrowser/design/index.html.en 237) of private browsing to disk outside of the application's control. The user projects/torbrowser/design/index.html.en 238) must be able to ensure that secure removal of the software is sufficient to projects/torbrowser/design/index.html.en 239) remove evidence of the use of the software. All exceptions and shortcomings projects/torbrowser/design/index.html.en 240) due to operating system behavior MUST BE wiped by an uninstaller.
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 241) projects/en/torbrowser/design/index.html.en 242) </p></li><li class="listitem"><span class="command"><strong>Update Safety</strong></span><p>The browser SHOULD NOT perform unsafe updates or upgrades.</p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 243) projects/en/torbrowser/design/index.html.en 244) The privacy requirements are primarily concerned with reducing linkability:
Add a couple extra sentence... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 245) the ability for a user's activity on one site to be linked with their activity projects/torbrowser/design/index.html.en 246) on another site without their knowledge or explicit consent. With respect to projects/torbrowser/design/index.html.en 247) platform support, privacy requirements are the set of properties that cause us projects/torbrowser/design/index.html.en 248) to prefer one platform over another.`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 249)`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 250) </p><p> projects/torbrowser/design/index.html.en 251) projects/torbrowser/design/index.html.en 252) For the purposes of the unlinkability requirements of this section as well as projects/torbrowser/design/index.html.en 253) the descriptions in the <a class="link" href="#Implementation" title="3. Implementation">implementation projects/torbrowser/design/index.html.en 254) section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the projects/torbrowser/design/index.html.en 255) second-level DNS name. For example, for mail.google.com, the origin would be projects/torbrowser/design/index.html.en 256) google.com. Implementations MAY, at their option, restrict the url bar origin projects/torbrowser/design/index.html.en 257) to be the entire fully qualified domain name projects/torbrowser/design/index.html.en 258) projects/torbrowser/design/index.html.en 259) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cross-Origin Identifier Unlinkability</strong></span><p>
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 260)`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 261) User activity on one url bar origin MUST NOT be linkable to their activity in projects/torbrowser/design/index.html.en 262) any other url bar origin by any third party. This property specifically applies to`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 263) linkability from stored browser identifiers, authentication tokens, and shared projects/en/torbrowser/design/index.html.en 264) state. This functionality SHOULD NOT interfere with federated login in a projects/en/torbrowser/design/index.html.en 265) substantial way. projects/en/torbrowser/design/index.html.en 266)`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 267) </p></li><li class="listitem"><span class="command"><strong>Cross-Origin Fingerprinting Unlinkability</strong></span><p>`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 268)`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 269) User activity on one url bar origin MUST NOT be linkable to their activity in projects/torbrowser/design/index.html.en 270) any other url bar origin by any third party. This property specifically applies to`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 271) linkability from fingerprinting browser behavior. projects/en/torbrowser/design/index.html.en 272) projects/en/torbrowser/design/index.html.en 273) </p></li><li class="listitem"><span class="command"><strong>Long-Term Unlinkability</strong></span><p> projects/en/torbrowser/design/index.html.en 274)`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 275) The browser SHOULD provide an obvious, easy way to remove all of their projects/torbrowser/design/index.html.en 276) authentication tokens and browser state and obtain a fresh identity. projects/torbrowser/design/index.html.en 277) Additionally, the browser SHOULD clear linkable state by default automatically projects/torbrowser/design/index.html.en 278) upon browser restart, except at user option.`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 279) projects/en/torbrowser/design/index.html.en 280) </p></li></ol></div></div><div class="sect2" title="2.3. Philosophy"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 281) projects/en/torbrowser/design/index.html.en 282) In addition to the above design requirements, the technology decisions about projects/en/torbrowser/design/index.html.en 283) Tor Browser are also guided by some philosophical positions about technology. projects/en/torbrowser/design/index.html.en 284) projects/en/torbrowser/design/index.html.en 285) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p> projects/en/torbrowser/design/index.html.en 286) projects/en/torbrowser/design/index.html.en 287) The existing way that the user expects to use a browser must be preserved. If projects/en/torbrowser/design/index.html.en 288) the user has to maintain a different mental model of how the sites they are projects/en/torbrowser/design/index.html.en 289) using behave depending on tab, browser state, or anything else that would not projects/en/torbrowser/design/index.html.en 290) normally be what they experience in their default browser, the user will projects/en/torbrowser/design/index.html.en 291) inevitably be confused. They will make mistakes and reduce their privacy as a projects/en/torbrowser/design/index.html.en 292) result. Worse, they may just stop using the browser, assuming it is broken. projects/en/torbrowser/design/index.html.en 293) projects/en/torbrowser/design/index.html.en 294) </p><p> projects/en/torbrowser/design/index.html.en 295) projects/en/torbrowser/design/index.html.en 296) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures projects/en/torbrowser/design/index.html.en 297) of Torbutton</a>: Even if users managed to install everything properly, projects/en/torbrowser/design/index.html.en 298) the toggle model was too hard for the average user to understand, especially projects/en/torbrowser/design/index.html.en 299) in the face of accumulating tabs from multiple states crossed with the current projects/en/torbrowser/design/index.html.en 300) tor-state of the browser. projects/en/torbrowser/design/index.html.en 301) projects/en/torbrowser/design/index.html.en 302) </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to projects/en/torbrowser/design/index.html.en 303) break sites</strong></span><p> projects/en/torbrowser/design/index.html.en 304) projects/en/torbrowser/design/index.html.en 305) In general, we try to find solutions to privacy issues that will not induce projects/en/torbrowser/design/index.html.en 306) site breakage, though this is not always possible. projects/en/torbrowser/design/index.html.en 307) projects/en/torbrowser/design/index.html.en 308) </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p> projects/en/torbrowser/design/index.html.en 309) projects/en/torbrowser/design/index.html.en 310) Even if plugins always properly used the browser proxy settings (which none of projects/en/torbrowser/design/index.html.en 311) them do) and could not be induced to bypass them (which all of them can), the projects/en/torbrowser/design/index.html.en 312) activities of closed-source plugins are very difficult to audit and control. projects/en/torbrowser/design/index.html.en 313) They can obtain and transmit all manner of system information to websites, projects/en/torbrowser/design/index.html.en 314) often have their own identifier storage for tracking users, and also projects/en/torbrowser/design/index.html.en 315) contribute to fingerprinting. projects/en/torbrowser/design/index.html.en 316) projects/en/torbrowser/design/index.html.en 317) </p><p> projects/en/torbrowser/design/index.html.en 318) projects/en/torbrowser/design/index.html.en 319) Therefore, if plugins are to be enabled in private browsing modes, they must projects/en/torbrowser/design/index.html.en 320) be restricted from running automatically on every page (via click-to-play projects/en/torbrowser/design/index.html.en 321) placeholders), and/or be sandboxed to restrict the types of system calls they projects/en/torbrowser/design/index.html.en 322) can execute. If the user decides to craft an exemption to allow a plugin to be
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 323) used, it MUST ONLY apply to the top level url bar domain, and not to all sites,`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 324) to reduce linkability. projects/en/torbrowser/design/index.html.en 325) projects/en/torbrowser/design/index.html.en 326) </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p> projects/en/torbrowser/design/index.html.en 327) projects/en/torbrowser/design/index.html.en 328) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another projects/en/torbrowser/design/index.html.en 329) failure of Torbutton</a> was (and still is) the options panel. Each option projects/en/torbrowser/design/index.html.en 330) that detectably alters browser behavior can be used as a fingerprinting tool.
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 331) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">SHOULD be`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 332) disabled in the mode</a> except as an opt-in basis. We should not load projects/en/torbrowser/design/index.html.en 333) system-wide addons or plugins. projects/en/torbrowser/design/index.html.en 334) projects/en/torbrowser/design/index.html.en 335) </p><p>`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 336) Instead of global browser privacy options, privacy decisions SHOULD be made`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 337) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 338) url bar origin</a> to eliminate the possibility of linkability`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 339) between domains. For example, when a plugin object (or a Javascript access of projects/en/torbrowser/design/index.html.en 340) window.plugins) is present in a page, the user should be given the choice of`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 341) allowing that plugin object for that url bar origin only. The same`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 342) goes for exemptions to third party cookie policy, geo-location, and any other projects/en/torbrowser/design/index.html.en 343) privacy permissions. projects/en/torbrowser/design/index.html.en 344) </p><p> projects/en/torbrowser/design/index.html.en 345) If the user has indicated they do not care about local history storage, these projects/en/torbrowser/design/index.html.en 346) permissions can be written to disk. Otherwise, they should remain memory-only. projects/en/torbrowser/design/index.html.en 347) </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p> projects/en/torbrowser/design/index.html.en 348) projects/en/torbrowser/design/index.html.en 349) Filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock projects/en/torbrowser/design/index.html.en 350) Plus</a>, <a class="ulink" href="" target="_top">Request Policy</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be projects/en/torbrowser/design/index.html.en 351) avoided. We believe that these addons do not add any real privacy to a proper projects/en/torbrowser/design/index.html.en 352) <a class="link" href="#Implementation" title="3. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, as all third parties are projects/en/torbrowser/design/index.html.en 353) prevented from tracking users between sites by the implementation. projects/en/torbrowser/design/index.html.en 354) Filter-based addons can also introduce strange breakage and cause usability projects/en/torbrowser/design/index.html.en 355) nightmares, and will also fail to do their job if an adversary simply projects/en/torbrowser/design/index.html.en 356) registers a new domain or creates a new url path. Worse still, the unique
Fix a typo and some links i... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 357) filter sets that each user creates or installs will provide a wealth`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 358) of fingerprinting targets. projects/en/torbrowser/design/index.html.en 359) projects/en/torbrowser/design/index.html.en 360) </p><p> projects/en/torbrowser/design/index.html.en 361) projects/en/torbrowser/design/index.html.en 362) As a general matter, we are also generally opposed to shipping an always-on Ad projects/en/torbrowser/design/index.html.en 363) blocker with Tor Browser. We feel that this would damage our credibility in projects/en/torbrowser/design/index.html.en 364) terms of demonstrating that we are providing privacy through a sound design projects/en/torbrowser/design/index.html.en 365) alone, as well as damage the acceptance of Tor users by sites who support projects/en/torbrowser/design/index.html.en 366) themselves through advertising revenue. projects/en/torbrowser/design/index.html.en 367) projects/en/torbrowser/design/index.html.en 368) </p><p> projects/en/torbrowser/design/index.html.en 369) Users are free to install these addons if they wish, but doing projects/en/torbrowser/design/index.html.en 370) so is not recommended, as it will alter the browser request fingerprint. projects/en/torbrowser/design/index.html.en 371) </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p> projects/en/torbrowser/design/index.html.en 372) We believe that if we do not stay current with the support of new web projects/en/torbrowser/design/index.html.en 373) technologies, we cannot hope to substantially influence or be involved in projects/en/torbrowser/design/index.html.en 374) their proper deployment or privacy realization. However, we will likely disable projects/en/torbrowser/design/index.html.en 375) certain new features (where possible) pending analysis and audit. projects/en/torbrowser/design/index.html.en 376) </p></li></ol></div></div></div><div class="sect1" title="3. Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>3. Implementation</h2></div></div></div><p> projects/en/torbrowser/design/index.html.en 377) </p><div class="sect2" title="3.1. Proxy Obedience"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>3.1. Proxy Obedience</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 378) projects/en/torbrowser/design/index.html.en 379) Proxy obedience is assured through the following: projects/en/torbrowser/design/index.html.en 380) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox Proxy settings projects/en/torbrowser/design/index.html.en 381) <p> projects/en/torbrowser/design/index.html.en 382) The Torbutton xpi sets the Firefox proxy settings to use Tor directly as a projects/en/torbrowser/design/index.html.en 383) SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>, projects/en/torbrowser/design/index.html.en 384) <span class="command"><strong>network.proxy.socks_version</strong></span>, and projects/en/torbrowser/design/index.html.en 385) <span class="command"><strong>network.proxy.socks_port</strong></span>. projects/en/torbrowser/design/index.html.en 386) </p></li><li class="listitem">Disabling plugins
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 387) projects/torbrowser/design/index.html.en 388) <p>Plugins have the ability to make arbitrary OS system calls and <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 389) the ability to make UDP sockets and send arbitrary data independent of the projects/en/torbrowser/design/index.html.en 390) browser proxy settings. projects/en/torbrowser/design/index.html.en 391) </p><p> projects/en/torbrowser/design/index.html.en 392) Torbutton disables plugins by using the projects/en/torbrowser/design/index.html.en 393) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags projects/en/torbrowser/design/index.html.en 394) as disabled. Additionally, we set projects/en/torbrowser/design/index.html.en 395) <span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to the list of projects/en/torbrowser/design/index.html.en 396) supported mime types for all currently installed plugins. projects/en/torbrowser/design/index.html.en 397) </p><p> projects/en/torbrowser/design/index.html.en 398) In addition, to prevent any unproxied activity by plugins at load time, we
Fix a typo and some links i... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 399) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0007-Block-all-plugins-except-flash.patch" target="_top">prevent the load of any plugins except`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 400) for Flash and Gnash</a>. projects/en/torbrowser/design/index.html.en 401)`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 402) </p><p> projects/torbrowser/design/index.html.en 403) projects/torbrowser/design/index.html.en 404) Finally, even if the user alters their browser settings to re-enable the Flash projects/torbrowser/design/index.html.en 405) plugin, we have configured NoScript to provide click-to-play placeholders, so projects/torbrowser/design/index.html.en 406) that only desired objects will be loaded, and only after user confirmation. projects/torbrowser/design/index.html.en 407)
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 408) </p></li><li class="listitem">External App Blocking projects/en/torbrowser/design/index.html.en 409) <p> projects/en/torbrowser/design/index.html.en 410) External apps, if launched automatically, can be induced to load files that projects/en/torbrowser/design/index.html.en 411) perform network activity. In order to prevent this, Torbutton installs a projects/en/torbrowser/design/index.html.en 412) component to`
Fix a typo and some links i... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 413) <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 414) provide the user with a popup</a> whenever the browser attempts to projects/en/torbrowser/design/index.html.en 415) launch a helper app. projects/en/torbrowser/design/index.html.en 416) </p></li></ol></div></div><div class="sect2" title="3.2. State Separation"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>3.2. State Separation</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 417) Tor Browser State is separated from existing browser state through use of a projects/en/torbrowser/design/index.html.en 418) custom Firefox profile. Furthermore, plugins are disabled, which prevents projects/en/torbrowser/design/index.html.en 419) Flash cookies from leaking from a pre-existing Flash directory.
Describe our efforts agains... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 420) </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2886678"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 421) Tor Browser MUST (at user option) prevent all disk records of browser activity.`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 422) The user should be able to optionally enable URL history and other history projects/en/torbrowser/design/index.html.en 423) features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the projects/en/torbrowser/design/index.html.en 424) preferences interface</a>, we will likely just enable Private Browsing projects/en/torbrowser/design/index.html.en 425) mode by default to handle this goal.
Describe our efforts agains... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 426) </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2874561"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 427) For now, Tor Browser blocks write access to the disk through Torbutton projects/en/torbrowser/design/index.html.en 428) using several Firefox preferences. projects/en/torbrowser/design/index.html.en 429) projects/en/torbrowser/design/index.html.en 430) projects/en/torbrowser/design/index.html.en 431) projects/en/torbrowser/design/index.html.en 432) The set of prefs is: projects/en/torbrowser/design/index.html.en 433) <span class="command"><strong>dom.storage.enabled</strong></span>, projects/en/torbrowser/design/index.html.en 434) <span class="command"><strong>browser.cache.memory.enable</strong></span>, projects/en/torbrowser/design/index.html.en 435) <span class="command"><strong>network.http.use-cache</strong></span>, projects/en/torbrowser/design/index.html.en 436) <span class="command"><strong>browser.cache.disk.enable</strong></span>, projects/en/torbrowser/design/index.html.en 437) <span class="command"><strong>browser.cache.offline.enable</strong></span>, projects/en/torbrowser/design/index.html.en 438) <span class="command"><strong>general.open_location.last_url</strong></span>, projects/en/torbrowser/design/index.html.en 439) <span class="command"><strong>places.history.enabled</strong></span>, projects/en/torbrowser/design/index.html.en 440) <span class="command"><strong>browser.formfill.enable</strong></span>, projects/en/torbrowser/design/index.html.en 441) <span class="command"><strong>signon.rememberSignons</strong></span>, projects/en/torbrowser/design/index.html.en 442) <span class="command"><strong>browser.download.manager.retention</strong></span>, projects/en/torbrowser/design/index.html.en 443) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>. projects/en/torbrowser/design/index.html.en 444) </blockquote></div></div><p> projects/en/torbrowser/design/index.html.en 445) In addition, three Firefox patches are needed to prevent disk writes, even if projects/en/torbrowser/design/index.html.en 446) Private Browsing Mode is enabled. We need to projects/en/torbrowser/design/index.html.en 447) projects/en/torbrowser/design/index.html.en 448) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0002-Make-Permissions-Manager-memory-only.patch" target="_top">prevent projects/en/torbrowser/design/index.html.en 449) the permissions manager from recording HTTPS STS state</a>, projects/en/torbrowser/design/index.html.en 450) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0003-Make-Intermediate-Cert-Store-memory-only.patch" target="_top">prevent projects/en/torbrowser/design/index.html.en 451) intermediate SSL certificates from being recorded</a>, and projects/en/torbrowser/design/index.html.en 452) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0008-Make-content-pref-service-memory-only-clearable.patch" target="_top">prevent projects/en/torbrowser/design/index.html.en 453) the content preferences service from recording site zoom</a>. projects/en/torbrowser/design/index.html.en 454) projects/en/torbrowser/design/index.html.en 455) For more details on these patches, <a class="link" href="#firefox-patches" title="3.9. Description of Firefox Patches">see the projects/en/torbrowser/design/index.html.en 456) Firefox Patches section</a>. projects/en/torbrowser/design/index.html.en 457) projects/en/torbrowser/design/index.html.en 458) </p></div><div class="sect2" title="3.4. Application Data Isolation"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>3.4. Application Data Isolation</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 459) projects/en/torbrowser/design/index.html.en 460) Tor Browser Bundle MUST NOT cause any information to be written outside of the projects/en/torbrowser/design/index.html.en 461) bundle directory. This is to ensure that the user is able to completely and projects/en/torbrowser/design/index.html.en 462) safely remove the bundle without leaving other traces of Tor usage on their projects/en/torbrowser/design/index.html.en 463) computer. projects/en/torbrowser/design/index.html.en 464)
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 465) </p><p>FIXME: sjmurdoch, Erinn: explain what magic we do to satisfy this,`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 466) and/or what additional work or auditing needs to be done.`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 467) </p></div><div class="sect2" title="3.5. Cross-Origin Identifier Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>3.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 468) projects/en/torbrowser/design/index.html.en 469) The Tor Browser MUST prevent a user's activity on one site from being linked projects/en/torbrowser/design/index.html.en 470) to their activity on another site. When this goal cannot yet be met with an projects/en/torbrowser/design/index.html.en 471) existing web technology, that technology or functionality is disabled. Our projects/en/torbrowser/design/index.html.en 472) <a class="link" href="#privacy" title="2.2. Privacy Requirements">design goal</a> is to ultimately eliminate the need to disable arbitrary projects/en/torbrowser/design/index.html.en 473) technologies, and instead simply alter them in ways that allows them to projects/en/torbrowser/design/index.html.en 474) function in a backwards-compatible way while avoiding linkability. Users projects/en/torbrowser/design/index.html.en 475) should be able to use federated login of various kinds to explicitly inform projects/en/torbrowser/design/index.html.en 476) sites who they are, but that information should not transparently allow a projects/en/torbrowser/design/index.html.en 477) third party to record their activity from site to site without their prior projects/en/torbrowser/design/index.html.en 478) consent. projects/en/torbrowser/design/index.html.en 479) projects/en/torbrowser/design/index.html.en 480) </p><p> projects/en/torbrowser/design/index.html.en 481) projects/en/torbrowser/design/index.html.en 482) The benefit of this approach comes not only in the form of reduced projects/en/torbrowser/design/index.html.en 483) linkability, but also in terms of simplified privacy UI. If all stored browser
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 484) state and permissions become associated with the url bar origin, the six or projects/torbrowser/design/index.html.en 485) seven different pieces of privacy UI governing these identifiers and`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 486) permissions can become just one piece of UI. For instance, a window that lists`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 487) the url bar origin for which browser state exists, possibly with a projects/torbrowser/design/index.html.en 488) context-menu option to drill down into specific types of state or permissions. projects/torbrowser/design/index.html.en 489) An example of this simplification can be seen in Figure 1.`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 490)`
Describe our efforts agains... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 491) </p><div class="figure"><a id="id2867838"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 492) projects/en/torbrowser/design/index.html.en 493) On the left is the standard Firefox cookie manager. On the right is a mock-up`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 494) of how isolating identifiers to the URL bar origin might simplify the privacy`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 495) UI for all data - not just cookies. Both windows represent the set of`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 496) Cookies accumulated after visiting just five sites, but the window on the`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 497) right has the option of also representing history, DOM Storage, HTTP Auth, projects/en/torbrowser/design/index.html.en 498) search form history, login values, and so on within a context menu for each projects/en/torbrowser/design/index.html.en 499) site. projects/en/torbrowser/design/index.html.en 500) projects/en/torbrowser/design/index.html.en 501) </div></div></div><br class="figure-break" /><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Cookies projects/en/torbrowser/design/index.html.en 502) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 503)
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 504) All cookies MUST be double-keyed to the url bar origin and third-party projects/torbrowser/design/index.html.en 505) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a> projects/torbrowser/design/index.html.en 506) that contains a prototype patch, but it lacks UI, and does not apply to modern projects/torbrowser/design/index.html.en 507) Firefoxes.`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 508) projects/en/torbrowser/design/index.html.en 509) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 510) projects/en/torbrowser/design/index.html.en 511) As a stopgap to satisfy our design requirement of unlinkability, we currently projects/en/torbrowser/design/index.html.en 512) entirely disable 3rd party cookies by setting projects/en/torbrowser/design/index.html.en 513) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that projects/en/torbrowser/design/index.html.en 514) third party content continue to function , but we believe the requirement for projects/en/torbrowser/design/index.html.en 515) unlinkability trumps that desire. projects/en/torbrowser/design/index.html.en 516) projects/en/torbrowser/design/index.html.en 517) </p></li><li class="listitem">Cache projects/en/torbrowser/design/index.html.en 518) <p>
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 519) projects/torbrowser/design/index.html.en 520) Cache is isolated to the url bar origin by using a technique pioneered by projects/torbrowser/design/index.html.en 521) Colin Jackson et al, via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 522) <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 523) attribute that Firefox uses internally to prevent improper caching and reuse projects/torbrowser/design/index.html.en 524) of HTTP POST data. projects/torbrowser/design/index.html.en 525)`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 526) </p><p>`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 527)`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 528) However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 529) security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve conflicts projects/torbrowser/design/index.html.en 530) with OCSP relying the cacheKey property for reuse of POST requests</a>, we projects/torbrowser/design/index.html.en 531) had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch projects/torbrowser/design/index.html.en 532) Firefox to provide a cacheDomain cache attribute</a>. We use the fully projects/torbrowser/design/index.html.en 533) qualified url bar domain as input to this field. projects/torbrowser/design/index.html.en 534)
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 535) </p><p> projects/en/torbrowser/design/index.html.en 536)`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 537) Furthermore, we chose a different projects/torbrowser/design/index.html.en 538) isolation scheme than the Stanford implementation. First, we decoupled the projects/torbrowser/design/index.html.en 539) cache isolation from the third party cookie attribute. Second, we use several projects/torbrowser/design/index.html.en 540) mechanisms to attempt to determine the actual location attribute of the projects/torbrowser/design/index.html.en 541) top-level window (to obtain the url bar FQDN) used to load the page, as projects/torbrowser/design/index.html.en 542) opposed to relying solely on the referer property.
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 543) projects/en/torbrowser/design/index.html.en 544) </p><p>`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 545)`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 546) Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original`
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 547) Stanford test cases</a> are expected to fail. Functionality can still be projects/torbrowser/design/index.html.en 548) verified by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and projects/torbrowser/design/index.html.en 549) viewing the key used for each cache entry. Each third party element should projects/torbrowser/design/index.html.en 550) have an additional "domain=string" property prepended, which will list the projects/torbrowser/design/index.html.en 551) FQDN that was used to source the third party element. projects/torbrowser/design/index.html.en 552)
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 553) </p></li><li class="listitem">HTTP Auth projects/en/torbrowser/design/index.html.en 554) <p> projects/en/torbrowser/design/index.html.en 555) projects/en/torbrowser/design/index.html.en 556) HTTP authentication tokens are removed for third party elements using the projects/en/torbrowser/design/index.html.en 557) <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request projects/en/torbrowser/design/index.html.en 558) observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent projects/en/torbrowser/design/index.html.en 559) linkability between domains</a>. We also needed to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0004-Add-HTTP-auth-headers-before-the-modify-request-obse.patch" target="_top">patch projects/en/torbrowser/design/index.html.en 560) Firefox to cause the headers to get added early enough</a> to allow the projects/en/torbrowser/design/index.html.en 561) observer to modify it. projects/en/torbrowser/design/index.html.en 562) projects/en/torbrowser/design/index.html.en 563) </p></li><li class="listitem">DOM Storage projects/en/torbrowser/design/index.html.en 564) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 565)
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 566) DOM storage for third party domains MUST BE isolated to the url bar origin,`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 567) to prevent linkability between sites. projects/en/torbrowser/design/index.html.en 568) projects/en/torbrowser/design/index.html.en 569) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 570) projects/en/torbrowser/design/index.html.en 571) Because it is isolated to third party domain as opposed to top level url bar`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 572) origin, we entirely disable DOM storage as a stopgap to ensure unlinkability.`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 573)`
Describe our efforts agains... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 574) </p></li><li class="listitem">Flash cookies projects/torbrowser/design/index.html.en 575) <p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 576) projects/torbrowser/design/index.html.en 577) Users should be able to click-to-play flash objects from trusted sites. To projects/torbrowser/design/index.html.en 578) make this behavior unlinkable, we wish to include a settings file for all platforms that disables flash projects/torbrowser/design/index.html.en 579) cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash projects/torbrowser/design/index.html.en 580) settings manager</a>. projects/torbrowser/design/index.html.en 581) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/torbrowser/design/index.html.en 582) projects/torbrowser/design/index.html.en 583) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having projects/torbrowser/design/index.html.en 584) difficulties</a> causing Flash player to use this settings projects/torbrowser/design/index.html.en 585) file on Windows. projects/torbrowser/design/index.html.en 586)
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 587) </p></li><li class="listitem">TLS session resumption and HTTP Keep-Alive projects/en/torbrowser/design/index.html.en 588) <p>`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 589) TLS session resumption and HTTP Keep-Alive MUST NOT allow third party origins`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 590) to track users via either TLS session IDs, or the fact that different requests projects/en/torbrowser/design/index.html.en 591) arrive on the same TCP connection. projects/en/torbrowser/design/index.html.en 592) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 593)`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 594) TLS session resumption IDs MUST be limited to the url bar origin. projects/torbrowser/design/index.html.en 595) HTTP Keep-Alive connections from a third party in one url bar origin must projects/torbrowser/design/index.html.en 596) not be reused for that same third party in another url bar origin.`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 597) projects/en/torbrowser/design/index.html.en 598) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 599) projects/en/torbrowser/design/index.html.en 600) We <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/4099" target="_top">plan to projects/en/torbrowser/design/index.html.en 601) disable</a> TLS session resumption, and limit HTTP Keep-alive duration. projects/en/torbrowser/design/index.html.en 602)
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 603) </p></li><li class="listitem">User confirmation for cross-origin redirects projects/torbrowser/design/index.html.en 604) <p><span class="command"><strong>Design Goal:</strong></span> projects/torbrowser/design/index.html.en 605) projects/torbrowser/design/index.html.en 606) To prevent attacks aimed at subverting the Cross-Origin Identifier projects/torbrowser/design/index.html.en 607) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser projects/torbrowser/design/index.html.en 608) MUST prompt users before following redirects that would cause the user to projects/torbrowser/design/index.html.en 609) automatically navigate between two different url bar origins. projects/torbrowser/design/index.html.en 610) projects/torbrowser/design/index.html.en 611) </p><p><span class="command"><strong>Implementation status:</strong></span> projects/torbrowser/design/index.html.en 612) projects/torbrowser/design/index.html.en 613) There are numerous ways for the user to be redirected, and the Firefox API projects/torbrowser/design/index.html.en 614) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug projects/torbrowser/design/index.html.en 615) open</a> to implement what we can. projects/torbrowser/design/index.html.en 616) projects/torbrowser/design/index.html.en 617) </p><p> projects/torbrowser/design/index.html.en 618) projects/torbrowser/design/index.html.en 619) We are not concerned with linkability due to explicit user action (either by projects/torbrowser/design/index.html.en 620) accepting cross-origin redirects, or by clicking normal links) because it is projects/torbrowser/design/index.html.en 621) assumed that private browsing sessions will be relatively short-lived, projects/torbrowser/design/index.html.en 622) especially with frequent use of the <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New projects/torbrowser/design/index.html.en 623) Identity</a> button. projects/torbrowser/design/index.html.en 624) projects/torbrowser/design/index.html.en 625) </p></li><li class="listitem">window.name
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 626) <p> projects/en/torbrowser/design/index.html.en 627) projects/en/torbrowser/design/index.html.en 628) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is projects/en/torbrowser/design/index.html.en 629) a magical DOM property that for some reason is allowed to retain a persistent value projects/en/torbrowser/design/index.html.en 630) for the lifespan of a browser tab. It is possible to utilize this property for projects/en/torbrowser/design/index.html.en 631) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier projects/en/torbrowser/design/index.html.en 632) storage</a>. projects/en/torbrowser/design/index.html.en 633) projects/en/torbrowser/design/index.html.en 634) </p><p> projects/en/torbrowser/design/index.html.en 635) projects/en/torbrowser/design/index.html.en 636) In order to eliminate linkability but still allow for sites that utilize this projects/en/torbrowser/design/index.html.en 637) property to function, we reset the window.name property of tabs in Torbutton every projects/en/torbrowser/design/index.html.en 638) time we encounter a blank referer. This behavior allows window.name to persist projects/en/torbrowser/design/index.html.en 639) for the duration of a link-driven navigation session, but as soon as the user projects/en/torbrowser/design/index.html.en 640) enters a new URL or navigates between https/http schemes, the property is cleared. projects/en/torbrowser/design/index.html.en 641) projects/en/torbrowser/design/index.html.en 642) </p></li><li class="listitem">Exit node usage projects/en/torbrowser/design/index.html.en 643) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 644) projects/en/torbrowser/design/index.html.en 645) Every distinct navigation session (as defined by a non-blank referer header) projects/en/torbrowser/design/index.html.en 646) MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node projects/en/torbrowser/design/index.html.en 647) observers from linking concurrent browsing activity. projects/en/torbrowser/design/index.html.en 648) projects/en/torbrowser/design/index.html.en 649) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 650) projects/en/torbrowser/design/index.html.en 651) The Tor feature that supports this ability only exists in the 0.2.3.x-alpha projects/en/torbrowser/design/index.html.en 652) series. <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3455" target="_top">Ticket projects/en/torbrowser/design/index.html.en 653) #3455</a> is the Torbutton ticket to make use of the new Tor projects/en/torbrowser/design/index.html.en 654) functionality. projects/en/torbrowser/design/index.html.en 655)
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 656) </p></li></ol></div></div><div class="sect2" title="3.6. Cross-Origin Fingerprinting Unlinkability"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>3.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 657) projects/en/torbrowser/design/index.html.en 658) In order to properly address the fingerprinting adversary on a technical projects/en/torbrowser/design/index.html.en 659) level, we need a metric to measure linkability of the various browser`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 660) properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 661) by the EFF provides us with exactly this metric. The researchers conducted a projects/en/torbrowser/design/index.html.en 662) survey of volunteers who were asked to visit an experiment page that harvested projects/en/torbrowser/design/index.html.en 663) many of the above components. They then computed the Shannon Entropy of the projects/en/torbrowser/design/index.html.en 664) resulting distribution of each of several key attributes to determine how many projects/en/torbrowser/design/index.html.en 665) bits of identifying information each attribute provided. projects/en/torbrowser/design/index.html.en 666) projects/en/torbrowser/design/index.html.en 667) </p><p> projects/en/torbrowser/design/index.html.en 668) projects/en/torbrowser/design/index.html.en 669) The study is not exhaustive, though. In particular, the test does not take in projects/en/torbrowser/design/index.html.en 670) all aspects of resolution information. It did not calculate the size of projects/en/torbrowser/design/index.html.en 671) widgets, window decoration, or toolbar size, which we believe may add high projects/en/torbrowser/design/index.html.en 672) amounts of entropy. It also did not measure clock offset and other time-based projects/en/torbrowser/design/index.html.en 673) fingerprints. Furthermore, as new browser features are added, this experiment projects/en/torbrowser/design/index.html.en 674) should be repeated to include them. projects/en/torbrowser/design/index.html.en 675) projects/en/torbrowser/design/index.html.en 676) </p><p> projects/en/torbrowser/design/index.html.en 677) projects/en/torbrowser/design/index.html.en 678) On the other hand, to avoid an infinite sinkhole, we reduce the efforts for projects/en/torbrowser/design/index.html.en 679) fingerprinting resistance by only concerning ourselves with reducing the projects/en/torbrowser/design/index.html.en 680) fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. We projects/en/torbrowser/design/index.html.en 681) do not believe it is productive to concern ourselves with cross-browser projects/en/torbrowser/design/index.html.en 682) fingerprinting issues, at least not at this stage. projects/en/torbrowser/design/index.html.en 683) projects/en/torbrowser/design/index.html.en 684) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins projects/en/torbrowser/design/index.html.en 685) <p> projects/en/torbrowser/design/index.html.en 686) projects/en/torbrowser/design/index.html.en 687) Plugins add to fingerprinting risk via two main vectors: their mere presence in projects/en/torbrowser/design/index.html.en 688) window.navigator.plugins, as well as their internal functionality. projects/en/torbrowser/design/index.html.en 689) projects/en/torbrowser/design/index.html.en 690) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 691)
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 692) All plugins that have not been specifically audited or sandboxed MUST be`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 693) disabled. To reduce linkability potential, even sandboxed plugins should not projects/en/torbrowser/design/index.html.en 694) be allowed to load objects until the user has clicked through a click-to-play projects/en/torbrowser/design/index.html.en 695) barrier. Additionally, version information should be reduced or obfuscated projects/en/torbrowser/design/index.html.en 696) until the plugin object is loaded. projects/en/torbrowser/design/index.html.en 697) projects/en/torbrowser/design/index.html.en 698) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 699) projects/en/torbrowser/design/index.html.en 700) Currently, we entirely disable all plugins in Tor Browser. However, as a projects/en/torbrowser/design/index.html.en 701) compromise due to the popularity of Flash, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">work projects/en/torbrowser/design/index.html.en 702) towards</a> a projects/en/torbrowser/design/index.html.en 703) click-to-play barrier using NoScript that is available only after the user has projects/en/torbrowser/design/index.html.en 704) specifically enabled plugins. Flash will be the only plugin available, and we projects/en/torbrowser/design/index.html.en 705) will ship a settings.sol file to disable Flash cookies, and to restrict P2P projects/en/torbrowser/design/index.html.en 706) features that likely bypass proxy settings. projects/en/torbrowser/design/index.html.en 707) projects/en/torbrowser/design/index.html.en 708) </p></li><li class="listitem">Fonts projects/en/torbrowser/design/index.html.en 709) <p> projects/en/torbrowser/design/index.html.en 710) projects/en/torbrowser/design/index.html.en 711) According to the Panopticlick study, fonts provide the most linkability when projects/en/torbrowser/design/index.html.en 712) they are provided as an enumerable list in filesystem order, via either the projects/en/torbrowser/design/index.html.en 713) Flash or Java plugins. However, it is still possible to use CSS and/or projects/en/torbrowser/design/index.html.en 714) Javascript to query for the existence of specific fonts. With a large enough projects/en/torbrowser/design/index.html.en 715) pre-built list to query, a large amount of fingerprintable information may projects/en/torbrowser/design/index.html.en 716) still be available. projects/en/torbrowser/design/index.html.en 717) projects/en/torbrowser/design/index.html.en 718) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 719) projects/en/torbrowser/design/index.html.en 720) To address the Javascript issue, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of projects/en/torbrowser/design/index.html.en 721) fonts</a> an origin can load, gracefully degrading to built-in and/or projects/en/torbrowser/design/index.html.en 722) remote fonts once the limit is reached. projects/en/torbrowser/design/index.html.en 723) projects/en/torbrowser/design/index.html.en 724) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 725) projects/en/torbrowser/design/index.html.en 726) Aside from disabling plugins to prevent enumeration, we have not yet projects/en/torbrowser/design/index.html.en 727) implemented any defense against CSS or Javascript fonts. projects/en/torbrowser/design/index.html.en 728) projects/en/torbrowser/design/index.html.en 729) </p></li><li class="listitem">User Agent and HTTP Headers projects/en/torbrowser/design/index.html.en 730) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 731)
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 732) All Tor Browser users MUST provide websites with an identical user agent and`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 733) HTTP header set for a given request type. We omit the Firefox minor revision, projects/en/torbrowser/design/index.html.en 734) and report a popular Windows platform. If the software is kept up to date, projects/en/torbrowser/design/index.html.en 735) these headers should remain identical across the population even when updated. projects/en/torbrowser/design/index.html.en 736) projects/en/torbrowser/design/index.html.en 737) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 738) projects/en/torbrowser/design/index.html.en 739) Firefox provides several options for controlling the browser user agent string projects/en/torbrowser/design/index.html.en 740) which we leverage. We also set similar prefs for controlling the projects/en/torbrowser/design/index.html.en 741) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we projects/en/torbrowser/design/index.html.en 742) <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0001-Block-Components.interfaces-lookupMethod-from-conten.patch" target="_top">remove projects/en/torbrowser/design/index.html.en 743) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be projects/en/torbrowser/design/index.html.en 744) used</a> to fingerprint OS, platform, and Firefox minor version. </p></li><li class="listitem">Desktop resolution and CSS Media Queries projects/en/torbrowser/design/index.html.en 745) <p> projects/en/torbrowser/design/index.html.en 746) projects/en/torbrowser/design/index.html.en 747) Both CSS and Javascript have a lot of irrelevant information about the screen projects/en/torbrowser/design/index.html.en 748) resolution, usable desktop size, OS widget size, toolbar size, title bar size, and projects/en/torbrowser/design/index.html.en 749) other desktop features that are not at all relevant to rendering and serve projects/en/torbrowser/design/index.html.en 750) only to provide information for fingerprinting. projects/en/torbrowser/design/index.html.en 751) projects/en/torbrowser/design/index.html.en 752) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 753) projects/en/torbrowser/design/index.html.en 754) Our design goal here is to reduce the resolution information down to the bare projects/en/torbrowser/design/index.html.en 755) minimum required for properly rendering inside a content window. We intend to projects/en/torbrowser/design/index.html.en 756) report all rendering information correctly with respect to the size and projects/en/torbrowser/design/index.html.en 757) properties of the content window, but report an effective size of 0 for all projects/en/torbrowser/design/index.html.en 758) border material, and also report that the desktop is only as big as the projects/en/torbrowser/design/index.html.en 759) inner content window. Additionally, new browser windows are sized such that projects/en/torbrowser/design/index.html.en 760) their content windows are one of ~5 fixed sizes based on the user's projects/en/torbrowser/design/index.html.en 761) desktop resolution. projects/en/torbrowser/design/index.html.en 762) projects/en/torbrowser/design/index.html.en 763) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 764) projects/en/torbrowser/design/index.html.en 765) We have implemented the above strategy for Javascript using Torbutton's <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">JavaScript projects/en/torbrowser/design/index.html.en 766) hooks</a> as well as a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l4002" target="_top">resize projects/en/torbrowser/design/index.html.en 767) new windows based on desktop resolution</a>. However, CSS Media Queries projects/en/torbrowser/design/index.html.en 768) still <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2875" target="_top">need projects/en/torbrowser/design/index.html.en 769) to be dealt with</a>. projects/en/torbrowser/design/index.html.en 770) projects/en/torbrowser/design/index.html.en 771) </p></li><li class="listitem">Timezone and clock offset projects/en/torbrowser/design/index.html.en 772) <p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 773)
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 774) All Tor Browser users MUST report the same timezone to websites. Currently, we projects/torbrowser/design/index.html.en 775) choose UTC for this purpose, although an equally valid argument could be made projects/torbrowser/design/index.html.en 776) for EDT/EST due to the large English-speaking population density (coupled with projects/torbrowser/design/index.html.en 777) the fact that we spoof a US English user agent). Additionally, the Tor projects/torbrowser/design/index.html.en 778) software should detect if the users clock is significantly divergent from the projects/torbrowser/design/index.html.en 779) clocks of the relays that it connects to, and use this to reset the clock projects/torbrowser/design/index.html.en 780) values used in Tor Browser to something reasonably accurate.
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 781) projects/en/torbrowser/design/index.html.en 782) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 783) projects/en/torbrowser/design/index.html.en 784) We set the timezone using the TZ environment variable, which is supported on projects/en/torbrowser/design/index.html.en 785) all platforms. Additionally, we plan to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3652" target="_top">obtain a clock projects/en/torbrowser/design/index.html.en 786) offset from Tor</a>, but this won't be available until Tor 0.2.3.x is in projects/en/torbrowser/design/index.html.en 787) use. projects/en/torbrowser/design/index.html.en 788) projects/en/torbrowser/design/index.html.en 789) </p></li><li class="listitem">Javascript performance fingerprinting projects/en/torbrowser/design/index.html.en 790) <p> projects/en/torbrowser/design/index.html.en 791) projects/en/torbrowser/design/index.html.en 792) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance projects/en/torbrowser/design/index.html.en 793) fingerprinting</a> is the act of profiling the performance projects/en/torbrowser/design/index.html.en 794) of various Javascript functions for the purpose of fingerprinting the projects/en/torbrowser/design/index.html.en 795) Javascript engine and the CPU. projects/en/torbrowser/design/index.html.en 796) projects/en/torbrowser/design/index.html.en 797) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 798) projects/en/torbrowser/design/index.html.en 799) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential projects/en/torbrowser/design/index.html.en 800) mitigation approaches</a> to reduce the accuracy of performance projects/en/torbrowser/design/index.html.en 801) fingerprinting without risking too much damage to functionality. Our current projects/en/torbrowser/design/index.html.en 802) favorite is to reduce the resolution of the Event.timeStamp and the Javascript projects/en/torbrowser/design/index.html.en 803) Date() object, while also introducing jitter. Our goal is to increase the projects/en/torbrowser/design/index.html.en 804) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found that projects/en/torbrowser/design/index.html.en 805) even with the default precision in most browsers, they required up to 120 projects/en/torbrowser/design/index.html.en 806) seconds of amortization and repeated trials to get stable results from their projects/en/torbrowser/design/index.html.en 807) feature set. We intend to work with the research community to establish the projects/en/torbrowser/design/index.html.en 808) optimum tradeoff between quantization+jitter and amortization time. projects/en/torbrowser/design/index.html.en 809) projects/en/torbrowser/design/index.html.en 810) projects/en/torbrowser/design/index.html.en 811) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 812) projects/en/torbrowser/design/index.html.en 813) We have no implementation as of yet. projects/en/torbrowser/design/index.html.en 814) projects/en/torbrowser/design/index.html.en 815) </p></li><li class="listitem">Keystroke fingerprinting projects/en/torbrowser/design/index.html.en 816) <p> projects/en/torbrowser/design/index.html.en 817) projects/en/torbrowser/design/index.html.en 818) Keystroke fingerprinting is the act of measuring key strike time and key projects/en/torbrowser/design/index.html.en 819) flight time. It is seeing increasing use as a biometric. projects/en/torbrowser/design/index.html.en 820) projects/en/torbrowser/design/index.html.en 821) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 822) projects/en/torbrowser/design/index.html.en 823) We intend to rely on the same mechanisms for defeating Javascript performance projects/en/torbrowser/design/index.html.en 824) fingerprinting: timestamp quantization and jitter. projects/en/torbrowser/design/index.html.en 825) projects/en/torbrowser/design/index.html.en 826) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 827) We have no implementation as of yet. projects/en/torbrowser/design/index.html.en 828) </p></li><li class="listitem">WebGL projects/en/torbrowser/design/index.html.en 829) <p> projects/en/torbrowser/design/index.html.en 830) projects/en/torbrowser/design/index.html.en 831) WebGL is fingerprintable both through information that is exposed about the projects/en/torbrowser/design/index.html.en 832) underlying driver and optimizations, as well as through performance projects/en/torbrowser/design/index.html.en 833) fingerprinting. projects/en/torbrowser/design/index.html.en 834) projects/en/torbrowser/design/index.html.en 835) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 836) projects/en/torbrowser/design/index.html.en 837) Because of the large amount of potential fingerprinting vectors, we intend to projects/en/torbrowser/design/index.html.en 838) deploy a similar strategy against WebGL as for plugins. First, WebGL canvases projects/en/torbrowser/design/index.html.en 839) will have click-to-play placeholders, and will not run until authorized by the projects/en/torbrowser/design/index.html.en 840) user. Second, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3323" target="_top">obfuscate driver projects/en/torbrowser/design/index.html.en 841) information</a> by hooking projects/en/torbrowser/design/index.html.en 842) <span class="command"><strong>getParameter()</strong></span>, projects/en/torbrowser/design/index.html.en 843) <span class="command"><strong>getSupportedExtensions()</strong></span>, projects/en/torbrowser/design/index.html.en 844) <span class="command"><strong>getExtension()</strong></span>, and projects/en/torbrowser/design/index.html.en 845) <span class="command"><strong>getContextAttributes()</strong></span> to provide standard minimal, projects/en/torbrowser/design/index.html.en 846) driver-neutral information. projects/en/torbrowser/design/index.html.en 847) projects/en/torbrowser/design/index.html.en 848) </p><p><span class="command"><strong>Implementation Status:</strong></span> projects/en/torbrowser/design/index.html.en 849) projects/en/torbrowser/design/index.html.en 850) Currently we simply disable WebGL. projects/en/torbrowser/design/index.html.en 851) projects/en/torbrowser/design/index.html.en 852) </p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via "New Identity" button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 853) In order to avoid long-term linkability, we provide a "New Identity" context projects/en/torbrowser/design/index.html.en 854) menu option in Torbutton.
Describe our efforts agains... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 855) </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2853903"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 856)`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 857) All linkable identifiers and browser state MUST be cleared by this feature.`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 858)`
Describe our efforts agains... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 859) </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2874701"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 860) First, Torbutton disables projects/en/torbrowser/design/index.html.en 861) all open tabs and windows via nsIContentPolicy blocking, and then closes each projects/en/torbrowser/design/index.html.en 862) tab and window. The extra step for blocking tabs is done as a precaution to projects/en/torbrowser/design/index.html.en 863) ensure that any asynchronous Javascript is in fact properly disabled. After projects/en/torbrowser/design/index.html.en 864) closing all of the windows, we then clear the following state: OCSP (by projects/en/torbrowser/design/index.html.en 865) toggling security.OCSP.enabled), cache, site-specific zoom and content projects/en/torbrowser/design/index.html.en 866) preferences, Cookies, DOM storage, safe browsing key, the Google wifi projects/en/torbrowser/design/index.html.en 867) geolocation token (if exists), HTTP auth, SSL Session IDs, and the last opened URL projects/en/torbrowser/design/index.html.en 868) field (via the pref general.open_location.last_url). After clearing the projects/en/torbrowser/design/index.html.en 869) browser state, we then send the NEWNYM signal to the Tor control port to cause projects/en/torbrowser/design/index.html.en 870) a new circuit to be created. projects/en/torbrowser/design/index.html.en 871) </blockquote></div></div></div><div class="sect2" title="3.8. Click-to-play for plugins and invasive content"><div class="titlepage"><div><div><h3 class="title"><a id="click-to-play"></a>3.8. Click-to-play for plugins and invasive content</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 872) Some content types are too invasive and/or too opaque for us to properly projects/en/torbrowser/design/index.html.en 873) eliminate their linkability properties. For these content types, we use projects/en/torbrowser/design/index.html.en 874) NoScript to provide click-to-play placeholders that do not activate the projects/en/torbrowser/design/index.html.en 875) content until the user clicks on it. This will eliminate the ability for an projects/en/torbrowser/design/index.html.en 876) adversary to use such content types to link users in a dragnet fashion across projects/en/torbrowser/design/index.html.en 877) arbitrary sites. projects/en/torbrowser/design/index.html.en 878) </p><p> projects/en/torbrowser/design/index.html.en 879) Currently, the content types isolated in this way include Flash, WebGL, and projects/en/torbrowser/design/index.html.en 880) audio and video objects. projects/en/torbrowser/design/index.html.en 881) </p></div><div class="sect2" title="3.9. Description of Firefox Patches"><div class="titlepage"><div><div><h3 class="title"><a id="firefox-patches"></a>3.9. Description of Firefox Patches</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 882) The set of patches we have against Firefox can be found in the <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/tree/refs/heads/maint-2.2:/src/current-patches" target="_top">current-patches projects/en/torbrowser/design/index.html.en 883) directory of the torbrowser git repository</a>. They are: projects/en/torbrowser/design/index.html.en 884) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Block Components.interfaces and Components.lookupMethod projects/en/torbrowser/design/index.html.en 885) <p> projects/en/torbrowser/design/index.html.en 886) projects/en/torbrowser/design/index.html.en 887) In order to reduce fingerprinting, we block access to these two interfaces projects/en/torbrowser/design/index.html.en 888) from content script. Components.lookupMethod can undo our <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/jshooks4.js" target="_top">Javascript projects/en/torbrowser/design/index.html.en 889) hooks</a>, projects/en/torbrowser/design/index.html.en 890) and Components.interfaces can be used for fingerprinting the platform, OS, and projects/en/torbrowser/design/index.html.en 891) Firebox version, but not much else. projects/en/torbrowser/design/index.html.en 892) projects/en/torbrowser/design/index.html.en 893) </p></li><li class="listitem">Make Permissions Manager memory only projects/en/torbrowser/design/index.html.en 894) <p> projects/en/torbrowser/design/index.html.en 895) projects/en/torbrowser/design/index.html.en 896) This patch exposes a pref 'permissions.memory_only' that properly isolates the projects/en/torbrowser/design/index.html.en 897) permissions manager to memory, which is responsible for all user specified projects/en/torbrowser/design/index.html.en 898) site permissions, as well as stored HTTPS STS policy from visited sites. projects/en/torbrowser/design/index.html.en 899) projects/en/torbrowser/design/index.html.en 900) The pref does successfully clear the permissions manager memory if toggled. It projects/en/torbrowser/design/index.html.en 901) does not need to be set in prefs.js, and can be handled by Torbutton. projects/en/torbrowser/design/index.html.en 902) projects/en/torbrowser/design/index.html.en 903) </p></li><li class="listitem">Make Intermediate Cert Store memory-only projects/en/torbrowser/design/index.html.en 904) <p> projects/en/torbrowser/design/index.html.en 905)
Update TBB design doc with... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 906) The intermediate certificate store records the intermediate SSL certificates projects/torbrowser/design/index.html.en 907) the browser has seen to date. Because these intermediate certificates are used projects/torbrowser/design/index.html.en 908) by a limited number of domains (and in some cases, only a single domain), projects/torbrowser/design/index.html.en 909) the intermediate certificate store can serve as a low-resolution record of projects/torbrowser/design/index.html.en 910) browsing history.
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 911) projects/en/torbrowser/design/index.html.en 912) </p><p><span class="command"><strong>Design Goal:</strong></span> projects/en/torbrowser/design/index.html.en 913) projects/en/torbrowser/design/index.html.en 914) As an additional design goal, we would like to later alter this patch to allow this projects/en/torbrowser/design/index.html.en 915) information to be cleared from memory. The implementation does not currently projects/en/torbrowser/design/index.html.en 916) allow this. projects/en/torbrowser/design/index.html.en 917) projects/en/torbrowser/design/index.html.en 918) </p></li><li class="listitem">Add HTTP auth headers before on-modify-request fires projects/en/torbrowser/design/index.html.en 919) <p> projects/en/torbrowser/design/index.html.en 920) projects/en/torbrowser/design/index.html.en 921) This patch provides a trivial modification to allow us to properly remove HTTP projects/en/torbrowser/design/index.html.en 922) auth for third parties. This patch allows us to defend against an adversary projects/en/torbrowser/design/index.html.en 923) attempting to use <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">HTTP projects/en/torbrowser/design/index.html.en 924) auth to silently track users between domains</a>. projects/en/torbrowser/design/index.html.en 925) projects/en/torbrowser/design/index.html.en 926) </p></li><li class="listitem">Add a string-based cacheKey property for domain isolation projects/en/torbrowser/design/index.html.en 927) <p> projects/en/torbrowser/design/index.html.en 928) projects/en/torbrowser/design/index.html.en 929) To <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the projects/en/torbrowser/design/index.html.en 930) security of cache isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve strange and projects/en/torbrowser/design/index.html.en 931) unknown conflicts with OCSP</a>, we had to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/refs/heads/maint-2.2:/src/current-patches/0005-Add-a-string-based-cacheKey.patch" target="_top">patch
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 932) Firefox to provide a cacheDomain cache attribute</a>. We use the url bar projects/torbrowser/design/index.html.en 933) FQDN as input to this field.`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 934) projects/en/torbrowser/design/index.html.en 935) </p></li><li class="listitem">Randomize HTTP pipeline order and depth projects/en/torbrowser/design/index.html.en 936) <p> projects/en/torbrowser/design/index.html.en 937) As an projects/en/torbrowser/design/index.html.en 938) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental projects/en/torbrowser/design/index.html.en 939) defense against Website Traffic Fingerprinting</a>, we patch the standard projects/en/torbrowser/design/index.html.en 940) HTTP pipelining code to randomize the number of requests in a projects/en/torbrowser/design/index.html.en 941) pipeline, as well as their order. projects/en/torbrowser/design/index.html.en 942) </p></li><li class="listitem">Block all plugins except flash projects/en/torbrowser/design/index.html.en 943) <p> projects/en/torbrowser/design/index.html.en 944) We cannot use the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/@mozilla.org/extensions/blocklist%3B1" target="_top"> projects/en/torbrowser/design/index.html.en 945) @mozilla.org/extensions/blocklist;1</a> service, because we projects/en/torbrowser/design/index.html.en 946) actually want to stop plugins from ever entering the browser's process space projects/en/torbrowser/design/index.html.en 947) and/or executing code (for example, AV plugins that collect statistics/analyze projects/en/torbrowser/design/index.html.en 948) URLs, magical toolbars that phone home or "help" the user, skype buttons that projects/en/torbrowser/design/index.html.en 949) ruin our day, and censorship filters). Hence we rolled our own. projects/en/torbrowser/design/index.html.en 950) </p></li><li class="listitem">Make content-prefs service memory only projects/en/torbrowser/design/index.html.en 951) <p> projects/en/torbrowser/design/index.html.en 952) This patch prevents random URLs from being inserted into content-prefs.sqllite in projects/en/torbrowser/design/index.html.en 953) the profile directory as content prefs change (includes site-zoom and perhaps projects/en/torbrowser/design/index.html.en 954) other site prefs?).
Describe our efforts agains... Mike Perry authored 13 years ago	projects/torbrowser/design/index.html.en 955) </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2886800"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2882777"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2864076"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 956) projects/en/torbrowser/design/index.html.en 957) The purpose of this section is to cover all the known ways that Tor browser projects/en/torbrowser/design/index.html.en 958) security can be subverted from a penetration testing perspective. The hope projects/en/torbrowser/design/index.html.en 959) is that it will be useful both for creating a "Tor Safety Check" projects/en/torbrowser/design/index.html.en 960) page, and for developing novel tests and actively attacking Torbutton with the projects/en/torbrowser/design/index.html.en 961) goal of finding vulnerabilities in either it or the Mozilla components, projects/en/torbrowser/design/index.html.en 962) interfaces and settings upon which it relies. projects/en/torbrowser/design/index.html.en 963) projects/en/torbrowser/design/index.html.en 964) </p><div class="sect2" title="5.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>5.1. Single state testing</h3></div></div></div><p> projects/en/torbrowser/design/index.html.en 965) projects/en/torbrowser/design/index.html.en 966) Torbutton is a complicated piece of software. During development, changes to projects/en/torbrowser/design/index.html.en 967) one component can affect a whole slough of unrelated features. A number of projects/en/torbrowser/design/index.html.en 968) aggregated test suites exist that can be used to test for regressions in projects/en/torbrowser/design/index.html.en 969) Torbutton and to help aid in the development of Torbutton-like addons and projects/en/torbrowser/design/index.html.en 970) other privacy modifications of other browsers. Some of these test suites exist projects/en/torbrowser/design/index.html.en 971) as a single automated page, while others are a series of pages you must visit projects/en/torbrowser/design/index.html.en 972) individually. They are provided here for reference and future regression projects/en/torbrowser/design/index.html.en 973) testing, and also in the hope that some brave soul will one day decide to projects/en/torbrowser/design/index.html.en 974) combine them into a comprehensive automated test suite. projects/en/torbrowser/design/index.html.en 975) projects/en/torbrowser/design/index.html.en 976) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://decloak.net/" target="_top">Decloak.net</a><p> projects/en/torbrowser/design/index.html.en 977) projects/en/torbrowser/design/index.html.en 978) Decloak.net is the canonical source of plugin and external-application based projects/en/torbrowser/design/index.html.en 979) proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to projects/en/torbrowser/design/index.html.en 980) use to test their anonymity systems. projects/en/torbrowser/design/index.html.en 981) projects/en/torbrowser/design/index.html.en 982) </p></li><li class="listitem"><a class="ulink" href="http://deanonymizer.com/" target="_top">Deanonymizer.com</a><p> projects/en/torbrowser/design/index.html.en 983) projects/en/torbrowser/design/index.html.en 984) Deanonymizer.com is another automated test suite that tests for proxy bypass projects/en/torbrowser/design/index.html.en 985) and other information disclosure vulnerabilities. It is maintained by Kyle projects/en/torbrowser/design/index.html.en 986) Williams, the author of <a class="ulink" href="http://www.janusvm.com/" target="_top">JanusVM</a> projects/en/torbrowser/design/index.html.en 987) and <a class="ulink" href="http://www.januspa.com/" target="_top">JanusPA</a>. projects/en/torbrowser/design/index.html.en 988)
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 989) </p></li><li class="listitem"><a class="ulink" href="https://ip-check.info" target="_top">JonDos`
Add design doc draft. Mike Perry authored 13 years ago	`projects/en/torbrowser/design/index.html.en 990) AnonTest</a><p> projects/en/torbrowser/design/index.html.en 991)`
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 992) The <a class="ulink" href="https://anonymous-proxy-servers.net/" target="_top">JonDos people</a> also provide an projects/torbrowser/design/index.html.en 993) anonymity tester. It is more focused on HTTP headers and behaviors than plugin bypass, and`
Add design doc draft. Mike Perry authored 13 years ago	projects/en/torbrowser/design/index.html.en 994) points out a couple of headers Torbutton could do a better job with projects/en/torbrowser/design/index.html.en 995) obfuscating. projects/en/torbrowser/design/index.html.en 996) projects/en/torbrowser/design/index.html.en 997) </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p> projects/en/torbrowser/design/index.html.en 998) projects/en/torbrowser/design/index.html.en 999) Browserspy.dk provides a tremendous collection of browser fingerprinting and projects/en/torbrowser/design/index.html.en 1000) general privacy tests. Unfortunately they are only available one page at a projects/en/torbrowser/design/index.html.en 1001) time, and there is not really solid feedback on good vs bad behavior in projects/en/torbrowser/design/index.html.en 1002) the test results. projects/en/torbrowser/design/index.html.en 1003) projects/en/torbrowser/design/index.html.en 1004) </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy projects/en/torbrowser/design/index.html.en 1005) Analyzer</a><p> projects/en/torbrowser/design/index.html.en 1006) projects/en/torbrowser/design/index.html.en 1007) The Privacy Analyzer provides a dump of all sorts of browser attributes and
Update TBB design doc with... Mike Perry authored 13 years ago	`projects/torbrowser/design/index.html.en 1008) settings that it detects, including some information on your original IP`