add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1) <?xml version="1.0" encoding="UTF-8"?>
torbutton/en/design/index.html.en 2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 3) <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Torbutton Design Documentation</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="Torbutton Design Documentation"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>Torbutton Design Documentation</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry.fscked/org">mikeperry.fscked/org</a>></code></p></div></div></div></div><div><p class="pubdate">Apr 10 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2666923">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt><dt><span class="sect2"><a href="#requirements">1.2. Torbutton Requirements</a></span></dt><dt><span class="sect2"><a href="#layout">1.3. Extension Layout</a></span></dt></dl></dd><dt><span class="sect1"><a href="#components">2. Components</a></span></dt><dd><dl><dt><span class="sect2"><a href="#hookedxpcom">2.1. Hooked Components</a></span></dt><dt><span class="sect2"><a href="#id2690319">2.2. New Components</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2681735">3. Chrome</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2702019">3.1. XUL Windows and Overlays</a></span></dt><dt><span class="sect2"><a href="#id2694797">3.2. Major Chrome Observers</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2696524">4. Toggle Code Path</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2699452">4.1. Button Click</a></span></dt><dt><span class="sect2"><a href="#id2697978">4.2. Proxy Update</a></span></dt><dt><span class="sect2"><a href="#id2697015">4.3. Settings Update</a></span></dt><dt><span class="sect2"><a href="#preferences">4.4. Firefox preferences touched during Toggle</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2702702">5. Description of Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2704948">5.1. Proxy Settings</a></span></dt><dt><span class="sect2"><a href="#id2686645">5.2. Dynamic Content Settings</a></span></dt><dt><span class="sect2"><a href="#id2705261">5.3. History and Forms Settings</a></span></dt><dt><span class="sect2"><a href="#id2705577">5.4. Cache Settings</a></span></dt><dt><span class="sect2"><a href="#id2705686">5.5. Cookie and Auth Settings</a></span></dt><dt><span class="sect2"><a href="#id2705999">5.6. Startup Settings</a></span></dt><dt><span class="sect2"><a href="#id2706113">5.7. Shutdown Settings</a></span></dt><dt><span class="sect2"><a href="#id2706173">5.8. Header Settings</a></span></dt></dl></dd><dt><span class="sect1"><a href="#FirefoxBugs">6. Relevant Firefox Bugs</a></span></dt><dd><dl><dt><span class="sect2"><a href="#TorBrowserBugs">6.1. Tor Browser Bugs</a></span></dt><dt><span class="sect2"><a href="#ToggleModelBugs">6.2. Toggle Model Bugs</a></span></dt></dl></dd><dt><span class="sect1"><a href="#TestPlan">7. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">7.1. Single state testing</a></span></dt><dt><span class="sect2"><a href="#id2707624">7.2. Multi-state testing</a></span></dt><dt><span class="sect2"><a href="#HackTorbutton">7.3. Active testing (aka How to Hack Torbutton)</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2666923"></a>1. Introduction</h2></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 4)
torbutton/en/design/index.html.en 5) This document describes the goals, operation, and testing procedures of the
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 6) Torbutton Firefox extension. It is current as of Torbutton 1.3.2.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 7)
torbutton/en/design/index.html.en 8) </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p>
torbutton/en/design/index.html.en 9)
torbutton/en/design/index.html.en 10) A Tor web browser adversary has a number of goals, capabilities, and attack
torbutton/en/design/index.html.en 11) types that can be used to guide us towards a set of requirements for the
torbutton/en/design/index.html.en 12) Torbutton extension. Let's start with the goals.
torbutton/en/design/index.html.en 13)
torbutton/en/design/index.html.en 14) </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
torbutton/en/design/index.html.en 15) Tor, causing the user to directly connect to an IP of the adversary's
torbutton/en/design/index.html.en 16) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
torbutton/en/design/index.html.en 17) happily settle for the ability to correlate something a user did via Tor with
torbutton/en/design/index.html.en 18) their non-Tor activity. This can be done with cookies, cache identifiers,
torbutton/en/design/index.html.en 19) javascript events, and even CSS. Sometimes the fact that a user uses Tor may
torbutton/en/design/index.html.en 20) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
torbutton/en/design/index.html.en 21) The adversary may also be interested in history disclosure: the ability to
torbutton/en/design/index.html.en 22) query a user's history to see if they have issued certain censored search
torbutton/en/design/index.html.en 23) queries, or visited censored sites.
torbutton/en/design/index.html.en 24) </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>
torbutton/en/design/index.html.en 25)
torbutton/en/design/index.html.en 26) Location information such as timezone and locality can be useful for the
torbutton/en/design/index.html.en 27) adversary to determine if a user is in fact originating from one of the
torbutton/en/design/index.html.en 28) regions they are attempting to control, or to zero-in on the geographical
torbutton/en/design/index.html.en 29) location of a particular dissident or whistleblower.
torbutton/en/design/index.html.en 30)
torbutton/en/design/index.html.en 31) </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p>
torbutton/en/design/index.html.en 32)
torbutton/en/design/index.html.en 33) Anonymity set reduction is also useful in attempting to zero in on a
torbutton/en/design/index.html.en 34) particular individual. If the dissident or whistleblower is using a rare build
torbutton/en/design/index.html.en 35) of Firefox for an obscure operating system, this can be very useful
torbutton/en/design/index.html.en 36) information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>.
torbutton/en/design/index.html.en 37)
torbutton/en/design/index.html.en 38) </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
torbutton/en/design/index.html.en 39) information</strong></span><p>
torbutton/en/design/index.html.en 40) In some cases, the adversary may opt for a heavy-handed approach, such as
torbutton/en/design/index.html.en 41) seizing the computers of all Tor users in an area (especially after narrowing
torbutton/en/design/index.html.en 42) the field by the above two pieces of information). History records and cache
torbutton/en/design/index.html.en 43) data are the primary goals here.
torbutton/en/design/index.html.en 44) </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p>
torbutton/en/design/index.html.en 45) The adversary can position themselves at a number of different locations in
torbutton/en/design/index.html.en 46) order to execute their attacks.
torbutton/en/design/index.html.en 47) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
torbutton/en/design/index.html.en 48) The adversary can run exit nodes, or alternatively, they may control routers
torbutton/en/design/index.html.en 49) upstream of exit nodes. Both of these scenarios have been observed in the
torbutton/en/design/index.html.en 50) wild.
torbutton/en/design/index.html.en 51) </p></li><li class="listitem"><span class="command"><strong>Adservers and/or Malicious Websites</strong></span><p>
torbutton/en/design/index.html.en 52) The adversary can also run websites, or more likely, they can contract out
torbutton/en/design/index.html.en 53) ad space from a number of different adservers and inject content that way. For
torbutton/en/design/index.html.en 54) some users, the adversary may be the adservers themselves. It is not
torbutton/en/design/index.html.en 55) inconceivable that adservers may try to subvert or reduce a user's anonymity
torbutton/en/design/index.html.en 56) through Tor for marketing purposes.
torbutton/en/design/index.html.en 57) </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
torbutton/en/design/index.html.en 58) The adversary can also inject malicious content at the user's upstream router
torbutton/en/design/index.html.en 59) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
torbutton/en/design/index.html.en 60) activity.
torbutton/en/design/index.html.en 61) </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
torbutton/en/design/index.html.en 62) Some users face adversaries with intermittent or constant physical access.
torbutton/en/design/index.html.en 63) Users in Internet cafes, for example, face such a threat. In addition, in
torbutton/en/design/index.html.en 64) countries where simply using tools like Tor is illegal, users may face
torbutton/en/design/index.html.en 65) confiscation of their computer equipment for excessive Tor usage or just
torbutton/en/design/index.html.en 66) general suspicion.
torbutton/en/design/index.html.en 67) </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p>
torbutton/en/design/index.html.en 68)
torbutton/en/design/index.html.en 69) The adversary can perform the following attacks from a number of different
torbutton/en/design/index.html.en 70) positions to accomplish various aspects of their goals. It should be noted
torbutton/en/design/index.html.en 71) that many of these attacks (especially those involving IP address leakage) are
torbutton/en/design/index.html.en 72) often performed by accident by websites that simply have Javascript, dynamic
torbutton/en/design/index.html.en 73) CSS elements, and plugins. Others are performed by adservers seeking to
torbutton/en/design/index.html.en 74) correlate users' activity across different IP addresses, and still others are
torbutton/en/design/index.html.en 75) performed by malicious agents on the Tor network and at national firewalls.
torbutton/en/design/index.html.en 76)
torbutton/en/design/index.html.en 77) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
torbutton/en/design/index.html.en 78) If not properly disabled, Javascript event handlers and timers
torbutton/en/design/index.html.en 79) can cause the browser to perform network activity after Tor has been disabled,
torbutton/en/design/index.html.en 80) thus allowing the adversary to correlate Tor and Non-Tor activity and reveal
torbutton/en/design/index.html.en 81) a user's non-Tor IP address. Javascript
torbutton/en/design/index.html.en 82) also allows the adversary to execute <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure attacks</a>:
torbutton/en/design/index.html.en 83) to query the history via the different attributes of 'visited' links to search
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 84) for particular Google queries, sites, or even to <a class="ulink" href="http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/" target="_top">profile
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 85) users based on gender and other classifications</a>. Finally,
torbutton/en/design/index.html.en 86) Javascript can be used to query the user's timezone via the
torbutton/en/design/index.html.en 87) <code class="function">Date()</code> object, and to reduce the anonymity set by querying
torbutton/en/design/index.html.en 88) the <code class="function">navigator</code> object for operating system, CPU, locale,
torbutton/en/design/index.html.en 89) and user agent information.
torbutton/en/design/index.html.en 90) </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
torbutton/en/design/index.html.en 91)
torbutton/en/design/index.html.en 92) Plugins are abysmal at obeying the proxy settings of the browser. Every plugin
torbutton/en/design/index.html.en 93) capable of performing network activity that the author has
torbutton/en/design/index.html.en 94) investigated is also capable of performing network activity independent of
torbutton/en/design/index.html.en 95) browser proxy settings - and often independent of its own proxy settings.
torbutton/en/design/index.html.en 96) Sites that have plugin content don't even have to be malicious to obtain a
torbutton/en/design/index.html.en 97) user's
torbutton/en/design/index.html.en 98) Non-Tor IP (it usually leaks by itself), though <a class="ulink" href="http://decloak.net" target="_top">plenty of active
torbutton/en/design/index.html.en 99) exploits</a> are possible as well. In addition, plugins can be used to store unique identifiers that are more
torbutton/en/design/index.html.en 100) difficult to clear than standard cookies.
torbutton/en/design/index.html.en 101) <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
torbutton/en/design/index.html.en 102) cookies</a> fall into this category, but there are likely numerous other
torbutton/en/design/index.html.en 103) examples.
torbutton/en/design/index.html.en 104)
torbutton/en/design/index.html.en 105) </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
torbutton/en/design/index.html.en 106)
torbutton/en/design/index.html.en 107) CSS can also be used to correlate Tor and Non-Tor activity and reveal a user's
torbutton/en/design/index.html.en 108) Non-Tor IP address, via the usage of
torbutton/en/design/index.html.en 109) <a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">CSS
torbutton/en/design/index.html.en 110) popups</a> - essentially CSS-based event handlers that fetch content via
torbutton/en/design/index.html.en 111) CSS's onmouseover attribute. If these popups are allowed to perform network
torbutton/en/design/index.html.en 112) activity in a different Tor state than they were loaded in, they can easily
torbutton/en/design/index.html.en 113) correlate Tor and Non-Tor activity and reveal a user's IP address. In
torbutton/en/design/index.html.en 114) addition, CSS can also be used without Javascript to perform <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only history disclosure
torbutton/en/design/index.html.en 115) attacks</a>.
torbutton/en/design/index.html.en 116) </p></li><li class="listitem"><span class="command"><strong>Read and insert cookies</strong></span><p>
torbutton/en/design/index.html.en 117)
torbutton/en/design/index.html.en 118) An adversary in a position to perform MITM content alteration can inject
torbutton/en/design/index.html.en 119) document content elements to both read and inject cookies for
torbutton/en/design/index.html.en 120) arbitrary domains. In fact, many "SSL secured" websites are vulnerable to this
torbutton/en/design/index.html.en 121) sort of <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
torbutton/en/design/index.html.en 122) sidejacking</a>.
torbutton/en/design/index.html.en 123)
torbutton/en/design/index.html.en 124) </p></li><li class="listitem"><span class="command"><strong>Create arbitrary cached content</strong></span><p>
torbutton/en/design/index.html.en 125)
torbutton/en/design/index.html.en 126) Likewise, the browser cache can also be used to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
torbutton/en/design/index.html.en 127) identifiers</a>. Since by default the cache has no same-origin policy,
torbutton/en/design/index.html.en 128) these identifiers can be read by any domain, making them an ideal target for
torbutton/en/design/index.html.en 129) adserver-class adversaries.
torbutton/en/design/index.html.en 130)
torbutton/en/design/index.html.en 131) </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
torbutton/en/design/index.html.en 132) attributes</strong></span><p>
torbutton/en/design/index.html.en 133)
torbutton/en/design/index.html.en 134) There is an absurd amount of information available to websites via attributes
torbutton/en/design/index.html.en 135) of the browser. This information can be used to reduce anonymity set, or even
torbutton/en/design/index.html.en 136) <a class="ulink" href="http://mandark.fr/0x000000/articles/Total_Recall_On_Firefox..html" target="_top">uniquely
torbutton/en/design/index.html.en 137) fingerprint individual users</a>. </p><p>
torbutton/en/design/index.html.en 138) For illustration, let's perform a
torbutton/en/design/index.html.en 139) back-of-the-envelope calculation on the number of anonymity sets for just the
torbutton/en/design/index.html.en 140) resolution information available in the <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window" target="_top">window</a> and
torbutton/en/design/index.html.en 141) <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.screen" target="_top">window.screen</a>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 142) objects.
torbutton/en/design/index.html.en 143)
torbutton/en/design/index.html.en 144)
torbutton/en/design/index.html.en 145)
torbutton/en/design/index.html.en 146) Browser window resolution information provides something like
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 147) (1280-640)*(1024-480)=348160 different anonymity sets. Desktop resolution
torbutton/en/design/index.html.en 148) information contributes about another factor of 5 (for about 5 resolutions in
torbutton/en/design/index.html.en 149) typical use). In addition, the dimensions and position of the desktop taskbar
torbutton/en/design/index.html.en 150) are available, which can reveal hints on OS information. This boosts the count
|
People like spelling it OS X
Sebastian Hahn authored 9 years ago
|
docs/torbutton/en/design/index.html.en 151) by a factor of 5 (for each of the major desktop taskbars - Windows, Mac
docs/torbutton/en/design/index.html.en 152) OS X, KDE and Gnome, and None). Subtracting the browser content window
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 153) size from the browser outer window size provide yet more information.
torbutton/en/design/index.html.en 154) Firefox toolbar presence gives about a factor of 8 (3 toolbars on/off give
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 155) 2<sup>3</sup>=8). Interface effects such as title bar font size
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 156) and window manager settings gives a factor of about 9 (say 3 common font sizes
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 157) for the title bar and 3 common sizes for browser GUI element fonts).
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 158) Multiply this all out, and you have (1280-640)*(1024-480)*5*5*8*9 ~=
torbutton/en/design/index.html.en 159) 2<sup>29</sup>, or a 29 bit identifier based on resolution
torbutton/en/design/index.html.en 160) information alone. </p><p>
torbutton/en/design/index.html.en 161)
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 162) Of course, this space is non-uniform in user density and prone to incremental
torbutton/en/design/index.html.en 163) changes. The <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">Panopticlick study
torbutton/en/design/index.html.en 164) done</a> by the EFF attempts to measure the actual entropy - the number of
torbutton/en/design/index.html.en 165) identifying bits of information encoded in browser properties. Their result
torbutton/en/design/index.html.en 166) data is definitely useful, and the metric is probably the appropriate one for
torbutton/en/design/index.html.en 167) determining how identifying a particular browser property is. However, some
torbutton/en/design/index.html.en 168) quirks of their study means that they do not extract as much information as
torbutton/en/design/index.html.en 169) they could from display information: they only use desktop resolution (which
torbutton/en/design/index.html.en 170) Torbutton reports as the window resolution) and do not attempt to infer the
torbutton/en/design/index.html.en 171) size of toolbars.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 172)
torbutton/en/design/index.html.en 173) </p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
torbutton/en/design/index.html.en 174) OS</strong></span><p>
torbutton/en/design/index.html.en 175) Last, but definitely not least, the adversary can exploit either general
torbutton/en/design/index.html.en 176) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
torbutton/en/design/index.html.en 177) install malware and surveillance software. An adversary with physical access
torbutton/en/design/index.html.en 178) can perform similar actions. Regrettably, this last attack capability is
torbutton/en/design/index.html.en 179) outside of Torbutton's ability to defend against, but it is worth mentioning
torbutton/en/design/index.html.en 180) for completeness.
torbutton/en/design/index.html.en 181) </p></li></ol></div></div></div><div class="sect2" title="1.2. Torbutton Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="requirements"></a>1.2. Torbutton Requirements</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>
torbutton/en/design/index.html.en 182)
torbutton/en/design/index.html.en 183) Since many settings satisfy multiple requirements, this design document is
torbutton/en/design/index.html.en 184) organized primarily by Torbutton components and settings. However, if you are
torbutton/en/design/index.html.en 185) the type that would rather read the document from the requirements
torbutton/en/design/index.html.en 186) perspective, it is in fact possible to search for each of the following
torbutton/en/design/index.html.en 187) requirement phrases in the text to find the relevant features that help meet
torbutton/en/design/index.html.en 188) that requirement.
torbutton/en/design/index.html.en 189)
torbutton/en/design/index.html.en 190) </div><p>
torbutton/en/design/index.html.en 191)
torbutton/en/design/index.html.en 192) From the above Adversary Model, a number of requirements become clear.
torbutton/en/design/index.html.en 193)
torbutton/en/design/index.html.en 194) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="proxy"></a><span class="command"><strong>Proxy Obedience</strong></span><p>The browser
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 195) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a id="state"></a><span class="command"><strong>State Separation</strong></span><p>Browser state (cookies, cache, history, 'DOM storage'), accumulated in
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 196) one Tor state MUST NOT be accessible via the network in
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 197) another Tor state.</p></li><li class="listitem"><a id="isolation"></a><span class="command"><strong>Network Isolation</strong></span><p>Pages MUST NOT perform any network activity in a Tor state different
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 198) from the state they were originally loaded in.</p><p>Note that this requirement is
torbutton/en/design/index.html.en 199) being de-emphasized due to the coming shift to supporting only the Tor Browser
torbutton/en/design/index.html.en 200) Bundles, which do not support a Toggle operation.</p></li><li class="listitem"><a id="undiscoverability"></a><span class="command"><strong>Tor Undiscoverability</strong></span><p>With
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 201) the advent of bridge support in Tor 0.2.0.x, there are now a class of Tor
torbutton/en/design/index.html.en 202) users whose network fingerprint does not obviously betray the fact that they
torbutton/en/design/index.html.en 203) are using Tor. This should extend to the browser as well - Torbutton MUST NOT
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 204) reveal its presence while Tor is disabled.
torbutton/en/design/index.html.en 205) </p><p>Note that this requirement is
torbutton/en/design/index.html.en 206) being de-emphasized due to the coming shift to supporting only the Tor Browser
torbutton/en/design/index.html.en 207) Bundles, which do not support a Toggle operation.</p></li><li class="listitem"><a id="disk"></a><span class="command"><strong>Disk Avoidance</strong></span><p>The browser SHOULD NOT write any Tor-related state to disk, or store it
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 208) in memory beyond the duration of one Tor toggle.</p></li><li class="listitem"><a id="location"></a><span class="command"><strong>Location Neutrality</strong></span><p>The browser SHOULD NOT leak location-specific information, such as
torbutton/en/design/index.html.en 209) timezone or locale via Tor.</p></li><li class="listitem"><a id="setpreservation"></a><span class="command"><strong>Anonymity Set
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 210) Preservation</strong></span><p>The browser SHOULD NOT leak any other anonymity
torbutton/en/design/index.html.en 211) set reducing or fingerprinting information
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 212) (such as user agent, extension presence, and resolution information)
torbutton/en/design/index.html.en 213) automatically via Tor. The assessment of the attacks above should make it clear
torbutton/en/design/index.html.en 214) that anonymity set reduction is a very powerful method of tracking and
torbutton/en/design/index.html.en 215) eventually identifying anonymous users.
torbutton/en/design/index.html.en 216) </p></li><li class="listitem"><a id="updates"></a><span class="command"><strong>Update Safety</strong></span><p>The browser
torbutton/en/design/index.html.en 217) SHOULD NOT perform unauthenticated updates or upgrades via Tor.</p></li><li class="listitem"><a id="interoperate"></a><span class="command"><strong>Interoperability</strong></span><p>Torbutton SHOULD interoperate with third-party proxy switchers that
torbutton/en/design/index.html.en 218) enable the user to switch between a number of different proxies. It MUST
torbutton/en/design/index.html.en 219) provide full Tor protection in the event a third-party proxy switcher has
torbutton/en/design/index.html.en 220) enabled the Tor proxy settings.</p></li></ol></div></div><div class="sect2" title="1.3. Extension Layout"><div class="titlepage"><div><div><h3 class="title"><a id="layout"></a>1.3. Extension Layout</h3></div></div></div><p>Firefox extensions consist of two main categories of code: 'Components' and
torbutton/en/design/index.html.en 221) 'Chrome'. Components are a fancy name for classes that implement a given
torbutton/en/design/index.html.en 222) interface or interfaces. In Firefox, components <a class="ulink" href="https://developer.mozilla.org/en/XPCOM" target="_top">can be
torbutton/en/design/index.html.en 223) written</a> in C++,
torbutton/en/design/index.html.en 224) Javascript, or a mixture of both. Components have two identifiers: their
torbutton/en/design/index.html.en 225) '<a class="ulink" href="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005005" target="_top">Contract
torbutton/en/design/index.html.en 226) ID</a>' (a human readable path-like string), and their '<a class="ulink" href="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005329" target="_top">Class
torbutton/en/design/index.html.en 227) ID</a>' (a GUID hex-string). In addition, the interfaces they implement each have a hex
torbutton/en/design/index.html.en 228) 'Interface ID'. It is possible to 'hook' system components - to reimplement
torbutton/en/design/index.html.en 229) their interface members with your own wrappers - but only if the rest of the
torbutton/en/design/index.html.en 230) browser refers to the component by its Contract ID. If the browser refers to
torbutton/en/design/index.html.en 231) the component by Class ID, it bypasses your hooks in that use case.
torbutton/en/design/index.html.en 232) Technically, it may be possible to hook Class IDs by unregistering the
torbutton/en/design/index.html.en 233) original component, and then re-registering your own, but this relies on
torbutton/en/design/index.html.en 234) obsolete and deprecated interfaces and has proved to be less than
torbutton/en/design/index.html.en 235) stable.</p><p>'Chrome' is a combination of XML and Javascript used to describe a window.
torbutton/en/design/index.html.en 236) Extensions are allowed to create 'overlays' that are 'bound' to existing XML
torbutton/en/design/index.html.en 237) window definitions, or they can create their own windows. The DTD for this XML
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 238) is called <a class="ulink" href="http://developer.mozilla.org/en/docs/XUL_Reference" target="_top">XUL</a>.</p></div></div><div class="sect1" title="2. Components"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="components"></a>2. Components</h2></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 239)
torbutton/en/design/index.html.en 240) Torbutton installs components for two purposes: hooking existing components to
torbutton/en/design/index.html.en 241) reimplement their interfaces; and creating new components that provide
torbutton/en/design/index.html.en 242) services to other pieces of the extension.
torbutton/en/design/index.html.en 243)
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 244) </p><div class="sect2" title="2.1. Hooked Components"><div class="titlepage"><div><div><h3 class="title"><a id="hookedxpcom"></a>2.1. Hooked Components</h3></div></div></div><p>Torbutton makes extensive use of Contract ID hooking, and implements some
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 245) of its own standalone components as well. Let's discuss the hooked components
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 246) first.</p><div class="sect3" title="@mozilla.org/uriloader/external-protocol-service;1 , @mozilla.org/uriloader/external-helper-app-service;1, and @mozilla.org/mime;1 - components/external-app-blocker.js"><div class="titlepage"><div><div><h4 class="title"><a id="appblocker"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-protocol-service%3B1" target="_top">@mozilla.org/uriloader/external-protocol-service;1
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 247) </a>, <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-helper-app-service%3B1" target="_top">@mozilla.org/uriloader/external-helper-app-service;1</a>,
torbutton/en/design/index.html.en 248) and <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/mime%3B1" target="_top">@mozilla.org/mime;1</a>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 249) - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">components/external-app-blocker.js</a></h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 250) Due to <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">440892</a> allowing Firefox 3.x to automatically launch some
torbutton/en/design/index.html.en 251) applications without user intervention, Torbutton had to wrap the three
torbutton/en/design/index.html.en 252) components involved in launching external applications to provide user
torbutton/en/design/index.html.en 253) confirmation before doing so while Tor is enabled. Since external applications
torbutton/en/design/index.html.en 254) do not obey proxy settings, they can be manipulated to automatically connect
torbutton/en/design/index.html.en 255) back to arbitrary servers outside of Tor with no user intervention. Fixing
torbutton/en/design/index.html.en 256) this issue helps to satisfy Torbutton's <a class="link" href="#proxy">Proxy
torbutton/en/design/index.html.en 257) Obedience</a> Requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 258) </p></div><div class="sect3" title="@mozilla.org/browser/global-history;2 - components/ignore-history.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2696239"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2" target="_top">@mozilla.org/browser/global-history;2</a>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 259) - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/ignore-history.js" target="_top">components/ignore-history.js</a></h4></div></div></div><p>This component was contributed by <a class="ulink" href="http://www.collinjackson.com/" target="_top">Collin Jackson</a> as a method for defeating
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 260) CSS and Javascript-based methods of history disclosure. The global-history
torbutton/en/design/index.html.en 261) component is what is used by Firefox to determine if a link was visited or not
torbutton/en/design/index.html.en 262) (to apply the appropriate style to the link). By hooking the <a class="ulink" href="https://developer.mozilla.org/en/nsIGlobalHistory2#isVisited.28.29" target="_top">isVisited</a>
torbutton/en/design/index.html.en 263) and <a class="ulink" href="https://developer.mozilla.org/en/nsIGlobalHistory2#addURI.28.29" target="_top">addURI</a>
torbutton/en/design/index.html.en 264) methods, Torbutton is able to selectively prevent history items from being
torbutton/en/design/index.html.en 265) added or being displayed as visited, depending on the Tor state and the user's
torbutton/en/design/index.html.en 266) preferences.
torbutton/en/design/index.html.en 267) </p><p>
torbutton/en/design/index.html.en 268) This component helps satisfy the <a class="link" href="#state">State Separation</a>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 269) and <a class="link" href="#disk">Disk Avoidance</a> requirements of Torbutton. It
torbutton/en/design/index.html.en 270) is only needed for Firefox 3.x. On Firefox 4, we omit this component in favor
torbutton/en/design/index.html.en 271) of the <a class="ulink" href="https://developer.mozilla.org/en/CSS/Privacy_and_the_%3avisited_selector" target="_top">built-in
torbutton/en/design/index.html.en 272) history protections</a>.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 273) </p></div><div class="sect3" title="@mozilla.org/browser/livemark-service;2 - components/block-livemarks.js"><div class="titlepage"><div><div><h4 class="title"><a id="livemarks"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2" target="_top">@mozilla.org/browser/livemark-service;2</a>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 274) - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/block-livemarks.js" target="_top">components/block-livemarks.js</a></h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 275)
torbutton/en/design/index.html.en 276) The <a class="ulink" href="http://www.mozilla.com/en-US/firefox/livebookmarks.html" target="_top">livemark</a> service
torbutton/en/design/index.html.en 277) is started by a timer that runs 5 seconds after Firefox
torbutton/en/design/index.html.en 278) startup. As a result, we cannot simply call the stopUpdateLivemarks() method to
torbutton/en/design/index.html.en 279) disable it. We must wrap the component to prevent this start() call from
torbutton/en/design/index.html.en 280) firing in the event the browser starts in Tor mode.
torbutton/en/design/index.html.en 281)
torbutton/en/design/index.html.en 282) </p><p>
torbutton/en/design/index.html.en 283) This component helps satisfy the <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en 284) Isolation</a> and <a class="link" href="#setpreservation">Anonymity Set
torbutton/en/design/index.html.en 285) Preservation</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 286) </p></div></div><div class="sect2" title="2.2. New Components"><div class="titlepage"><div><div><h3 class="title"><a id="id2690319"></a>2.2. New Components</h3></div></div></div><p>Torbutton creates four new components that are used throughout the
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 287) extension. These components do not hook any interfaces, nor are they used
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 288) anywhere besides Torbutton itself.</p><div class="sect3" title="@torproject.org/cookie-jar-selector;2 - components/cookie-jar-selector.js"><div class="titlepage"><div><div><h4 class="title"><a id="cookiejar"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 289) - components/cookie-jar-selector.js</a></h4></div></div></div><p>The cookie jar selector (also based on code from <a class="ulink" href="http://www.collinjackson.com/" target="_top">Collin
torbutton/en/design/index.html.en 290) Jackson</a>) is used by the Torbutton chrome to switch between
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 291) Tor and Non-Tor cookies. It stores an XML representation of the current
torbutton/en/design/index.html.en 292) cookie state in memory and/or on disk. When Tor is toggled, it syncs the
torbutton/en/design/index.html.en 293) current cookies to this XML store, and then loads the cookies for the other
torbutton/en/design/index.html.en 294) state from the XML store.
torbutton/en/design/index.html.en 295) </p><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 296) This component helps to address the <a class="link" href="#state">State
torbutton/en/design/index.html.en 297) Isolation</a> requirement of Torbutton.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 298) </p></div><div class="sect3" title="@torproject.org/torbutton-logger;1 - components/torbutton-logger.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2683534"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/torbutton-logger.js" target="_top">@torproject.org/torbutton-logger;1
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 299) - components/torbutton-logger.js</a></h4></div></div></div><p>The torbutton logger component allows on-the-fly redirection of torbutton
torbutton/en/design/index.html.en 300) logging messages to either Firefox stderr
torbutton/en/design/index.html.en 301) (<span class="command"><strong>extensions.torbutton.logmethod=0</strong></span>), the Javascript error console
torbutton/en/design/index.html.en 302) (<span class="command"><strong>extensions.torbutton.logmethod=1</strong></span>), or the DebugLogger extension (if
torbutton/en/design/index.html.en 303) available - <span class="command"><strong>extensions.torbutton.logmethod=2</strong></span>). It also allows you to
torbutton/en/design/index.html.en 304) change the loglevel on the fly by changing
torbutton/en/design/index.html.en 305) <span class="command"><strong>extensions.torbutton.loglevel</strong></span> (1-5, 1 is most verbose).
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 306) </p></div><div class="sect3" title="@torproject.org/content-window-mapper;1 - components/window-mapper.js"><div class="titlepage"><div><div><h4 class="title"><a id="windowmapper"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/window-mapper.js" target="_top">@torproject.org/content-window-mapper;1
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 307) - components/window-mapper.js</a></h4></div></div></div><p>Torbutton tags Firefox <a class="ulink" href="https://developer.mozilla.org/en/XUL_Tutorial/Tabboxes" target="_top">tabs</a> with a special variable that indicates the Tor
torbutton/en/design/index.html.en 308) state the tab was most recently used under to fetch a page. The problem is
torbutton/en/design/index.html.en 309) that for many Firefox events, it is not possible to determine the tab that is
torbutton/en/design/index.html.en 310) actually receiving the event. The Torbutton window mapper allows the Torbutton
torbutton/en/design/index.html.en 311) chrome and other components to look up a <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser" target="_top">browser
torbutton/en/design/index.html.en 312) tab</a> for a given <a class="ulink" href="https://developer.mozilla.org/en/nsIDOMWindow" target="_top">HTML content
torbutton/en/design/index.html.en 313) window</a>. It does this by traversing all windows and all browsers, until it
torbutton/en/design/index.html.en 314) finds the browser with the requested <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser#p-contentWindow" target="_top">contentWindow</a> element. Since the content policy
torbutton/en/design/index.html.en 315) and page loading in general can generate hundreds of these lookups, this
torbutton/en/design/index.html.en 316) result is cached inside the component.
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 317) </p></div><div class="sect3" title="@torproject.org/crash-observer;1"><div class="titlepage"><div><div><h4 class="title"><a id="crashobserver"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/crash-observer.js" target="_top">@torproject.org/crash-observer;1</a></h4></div></div></div><p>
torbutton/en/design/index.html.en 318)
torbutton/en/design/index.html.en 319) This component detects when Firefox crashes by altering Firefox prefs during
torbutton/en/design/index.html.en 320) runtime and checking for the same values at startup. It <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIPrefService#savePrefFile()" target="_top">synchronizes
torbutton/en/design/index.html.en 321) the preference service</a> to ensure the altered prefs are written to disk
torbutton/en/design/index.html.en 322) immediately.
torbutton/en/design/index.html.en 323)
torbutton/en/design/index.html.en 324) </p></div><div class="sect3" title="@torproject.org/torbutton-ss-blocker;1"><div class="titlepage"><div><div><h4 class="title"><a id="tbsessionstore"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/tbSessionStore.js" target="_top">@torproject.org/torbutton-ss-blocker;1</a></h4></div></div></div><p>
torbutton/en/design/index.html.en 325)
torbutton/en/design/index.html.en 326) This component subscribes to the Firefox <a class="ulink" href="https://developer.mozilla.org/en/Observer_Notifications#Session_Store" target="_top">sessionstore-state-write</a>
torbutton/en/design/index.html.en 327) observer event to filter out URLs from tabs loaded during Tor, to prevent them
torbutton/en/design/index.html.en 328) from being written to disk. To do this, it checks the
torbutton/en/design/index.html.en 329) <span class="command"><strong>__tb_tor_fetched</strong></span> tag of tab objects before writing them out. If
torbutton/en/design/index.html.en 330) the tag is from a blocked Tor state, the tab is not written to disk. This is
torbutton/en/design/index.html.en 331) a rather expensive operation that involves potentially very large JSON
torbutton/en/design/index.html.en 332) evaluations and object tree traversals, but it preferable to replacing the
torbutton/en/design/index.html.en 333) Firefox session store with our own implementation, which is what was done in
torbutton/en/design/index.html.en 334) years past.
torbutton/en/design/index.html.en 335)
torbutton/en/design/index.html.en 336) </p></div><div class="sect3" title="@torproject.org/torRefSpoofer;1"><div class="titlepage"><div><div><h4 class="title"><a id="refspoofer"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/torRefSpoofer.js" target="_top">@torproject.org/torRefSpoofer;1</a></h4></div></div></div><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 337) This component handles optional referer spoofing for Torbutton. It implements a
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 338) form of "smart" referer spoofing using <a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers" target="_top">http-on-modify-request</a>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 339) to modify the Referer header. The code sends the default browser referer
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 340) header only if the destination domain is a suffix of the source, or if the
torbutton/en/design/index.html.en 341) source is a suffix of the destination. Otherwise, it sends no referer. This
torbutton/en/design/index.html.en 342) strange suffix logic is used as a heuristic: some rare sites on the web block
torbutton/en/design/index.html.en 343) requests without proper referer headers, and this logic is an attempt to cater
torbutton/en/design/index.html.en 344) to them. Unfortunately, it may not be enough. For example, google.fr will not
torbutton/en/design/index.html.en 345) send a referer to google.com using this logic. Hence, it is off by default.
torbutton/en/design/index.html.en 346) </p></div><div class="sect3" title="@torproject.org/cssblocker;1 - components/cssblocker.js"><div class="titlepage"><div><div><h4 class="title"><a id="contentpolicy"></a><a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 347) - components/cssblocker.js</a></h4></div></div></div><p>This is a key component to Torbutton's security measures. When Tor is
torbutton/en/design/index.html.en 348) toggled, Javascript is disabled, and pages are instructed to stop loading.
torbutton/en/design/index.html.en 349) However, CSS is still able to perform network operations by loading styles for
torbutton/en/design/index.html.en 350) onmouseover events and other operations. In addition, favicons can still be
torbutton/en/design/index.html.en 351) loaded by the browser. The cssblocker component prevents this by implementing
torbutton/en/design/index.html.en 352) and registering an <a class="ulink" href="https://developer.mozilla.org/en/nsIContentPolicy" target="_top">nsIContentPolicy</a>.
torbutton/en/design/index.html.en 353) When an nsIContentPolicy is registered, Firefox checks every attempted network
torbutton/en/design/index.html.en 354) request against its <a class="ulink" href="https://developer.mozilla.org/en/nsIContentPolicy#shouldLoad()" target="_top">shouldLoad</a>
torbutton/en/design/index.html.en 355) member function to determine if the load should proceed. In Torbutton's case,
torbutton/en/design/index.html.en 356) the content policy looks up the appropriate browser tab using the <a class="link" href="#windowmapper" title="@torproject.org/content-window-mapper;1 - components/window-mapper.js">window mapper</a>,
torbutton/en/design/index.html.en 357) and checks that tab's load tag against the current Tor state. If the tab was
torbutton/en/design/index.html.en 358) loaded in a different state than the current state, the fetch is denied.
torbutton/en/design/index.html.en 359) Otherwise, it is allowed.</p> This helps to achieve the <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en 360) Isolation</a> requirements of Torbutton.
torbutton/en/design/index.html.en 361)
torbutton/en/design/index.html.en 362) <p>In addition, the content policy also blocks website javascript from
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 363) <a class="ulink" href="http://webdevwonders.com/detecting-firefox-add-ons/" target="_top">querying for
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 364) versions and existence of extension chrome</a> while Tor is enabled, and
torbutton/en/design/index.html.en 365) also masks the presence of Torbutton to website javascript while Tor is
torbutton/en/design/index.html.en 366) disabled. </p><p>
torbutton/en/design/index.html.en 367)
torbutton/en/design/index.html.en 368) Finally, some of the work that logically belongs to the content policy is
torbutton/en/design/index.html.en 369) instead handled by the <span class="command"><strong>torbutton_http_observer</strong></span> and
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 370) <span class="command"><strong>torbutton_weblistener</strong></span> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>. These two objects handle blocking of
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 371) Firefox 3 favicon loads, popups, and full page plugins, which for whatever
torbutton/en/design/index.html.en 372) reason are not passed to the Firefox content policy itself (see Firefox Bugs
torbutton/en/design/index.html.en 373) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">437014</a> and
torbutton/en/design/index.html.en 374) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">401296</a>).
torbutton/en/design/index.html.en 375)
torbutton/en/design/index.html.en 376) </p><p>
torbutton/en/design/index.html.en 377)
torbutton/en/design/index.html.en 378) This helps to fulfill both the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> and the <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirements of
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 379) Torbutton.</p></div></div></div><div class="sect1" title="3. Chrome"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2681735"></a>3. Chrome</h2></div></div></div><p>The chrome is where all the torbutton graphical elements and windows are
torbutton/en/design/index.html.en 380) located. </p><div class="sect2" title="3.1. XUL Windows and Overlays"><div class="titlepage"><div><div><h3 class="title"><a id="id2702019"></a>3.1. XUL Windows and Overlays</h3></div></div></div><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 381) Each window is described as an <a class="ulink" href="http://developer.mozilla.org/en/docs/XUL_Reference" target="_top">XML file</a>, with zero or more Javascript
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 382) files attached. The scope of these Javascript files is their containing
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 383) window. XUL files that add new elements and script to existing Firefox windows
torbutton/en/design/index.html.en 384) are called overlays.</p><div class="sect3" title="Browser Overlay - torbutton.xul"><div class="titlepage"><div><div><h4 class="title"><a id="browseroverlay"></a>Browser Overlay - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.xul" target="_top">torbutton.xul</a></h4></div></div></div><p>The browser overlay, torbutton.xul, defines the toolbar button, the status
torbutton/en/design/index.html.en 385) bar, and events for toggling the button. The overlay code is in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">chrome/content/torbutton.js</a>.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 386) It contains event handlers for preference update, shutdown, upgrade, and
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 387) location change events.</p></div><div class="sect3" title="Preferences Window - preferences.xul"><div class="titlepage"><div><div><h4 class="title"><a id="id2704559"></a>Preferences Window - <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.xul" target="_top">preferences.xul</a></h4></div></div></div><p>The preferences window of course lays out the Torbutton preferences, with
torbutton/en/design/index.html.en 388) handlers located in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.js" target="_top">chrome/content/preferences.js</a>.</p></div><div class="sect3" title="Other Windows"><div class="titlepage"><div><div><h4 class="title"><a id="id2669673"></a>Other Windows</h4></div></div></div><p>There are additional windows that describe popups for right clicking on
torbutton/en/design/index.html.en 389) the status bar, the toolbutton, and the about page.</p></div></div><div class="sect2" title="3.2. Major Chrome Observers"><div class="titlepage"><div><div><h3 class="title"><a id="id2694797"></a>3.2. Major Chrome Observers</h3></div></div></div><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 390) In addition to the <a class="link" href="#components" title="2. Components">components described
torbutton/en/design/index.html.en 391) above</a>, Torbutton also instantiates several observers in the browser
torbutton/en/design/index.html.en 392) overlay window. These mostly grew due to scoping convenience, and many should
torbutton/en/design/index.html.en 393) probably be relocated into their own components.
torbutton/en/design/index.html.en 394) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>torbutton_window_pref_observer</strong></span><p>
torbutton/en/design/index.html.en 395) This is an observer that listens for Torbutton state changes, for the purposes
torbutton/en/design/index.html.en 396) of updating the Torbutton button graphic as the Tor state changes.
torbutton/en/design/index.html.en 397) </p></li><li class="listitem"><span class="command"><strong>torbutton_unique_pref_observer</strong></span><p>
torbutton/en/design/index.html.en 398)
torbutton/en/design/index.html.en 399) This is an observer that only runs in one window, called the main window. It
torbutton/en/design/index.html.en 400) listens for changes to all of the Torbutton preferences, as well as Torbutton
torbutton/en/design/index.html.en 401) controlled Firefox preferences. It is what carries out the toggle path when
torbutton/en/design/index.html.en 402) the proxy settings change. When the main window is closed, the
torbutton/en/design/index.html.en 403) torbutton_close_window event handler runs to dub a new window the "main
torbutton/en/design/index.html.en 404) window".
torbutton/en/design/index.html.en 405)
torbutton/en/design/index.html.en 406) </p></li><li class="listitem"><span class="command"><strong>tbHistoryListener</strong></span><p>
torbutton/en/design/index.html.en 407) The tbHistoryListener exists to prevent client window Javascript from
torbutton/en/design/index.html.en 408) interacting with window.history to forcibly navigate a user to a tab session
torbutton/en/design/index.html.en 409) history entry from a different Tor state. It also expunges the window.history
torbutton/en/design/index.html.en 410) entries during toggle. This listener helps Torbutton
torbutton/en/design/index.html.en 411) satisfy the <a class="link" href="#isolation">Network Isolation</a> requirement as
torbutton/en/design/index.html.en 412) well as the <a class="link" href="#state">State Separation</a> requirement.
torbutton/en/design/index.html.en 413)
torbutton/en/design/index.html.en 414) </p></li><li class="listitem"><span class="command"><strong>torbutton_http_observer</strong></span><p>
torbutton/en/design/index.html.en 415)
torbutton/en/design/index.html.en 416) The torbutton_http_observer performs some of the work that logically belongs
torbutton/en/design/index.html.en 417) to the content policy. This handles blocking of
torbutton/en/design/index.html.en 418) Firefox 3 favicon loads, which for whatever
torbutton/en/design/index.html.en 419) reason are not passed to the Firefox content policy itself (see Firefox Bugs
torbutton/en/design/index.html.en 420) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">437014</a> and
torbutton/en/design/index.html.en 421) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">401296</a>).
torbutton/en/design/index.html.en 422)
torbutton/en/design/index.html.en 423) </p><p>
torbutton/en/design/index.html.en 424) The observer is also responsible for redirecting users to alternate
torbutton/en/design/index.html.en 425) search engines when Google presents them with a Captcha, as well as copying
torbutton/en/design/index.html.en 426) Google Captcha-related cookies between international Google domains.
torbutton/en/design/index.html.en 427) </p></li><li class="listitem"><span class="command"><strong>torbutton_proxyservice</strong></span><p>
torbutton/en/design/index.html.en 428) The Torbutton proxy service handles redirecting Torbutton-related update
torbutton/en/design/index.html.en 429) checks on addons.mozilla.org through Tor. This is done to help satisfy the
torbutton/en/design/index.html.en 430) <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
torbutton/en/design/index.html.en 431) </p></li><li class="listitem"><span class="command"><strong>torbutton_weblistener</strong></span><p>The <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener#onLocationChange" target="_top">location
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 432) change</a> <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgress" target="_top">webprogress
torbutton/en/design/index.html.en 433) listener</a>, <span class="command"><strong>torbutton_weblistener</strong></span> is one of the most
torbutton/en/design/index.html.en 434) important parts of the chrome from a security standpoint. It is a <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener" target="_top">webprogress
torbutton/en/design/index.html.en 435) listener</a> that handles receiving an event every time a page load or
torbutton/en/design/index.html.en 436) iframe load occurs. This class eventually calls down to
torbutton/en/design/index.html.en 437) <code class="function">torbutton_update_tags()</code> and
torbutton/en/design/index.html.en 438) <code class="function">torbutton_hookdoc()</code>, which apply the browser Tor load
torbutton/en/design/index.html.en 439) state tags, plugin permissions, and install the Javascript hooks to hook the
torbutton/en/design/index.html.en 440) <a class="ulink" href="https://developer.mozilla.org/en/DOM/window.screen" target="_top">window.screen</a>
torbutton/en/design/index.html.en 441) object to obfuscate browser and desktop resolution information.
torbutton/en/design/index.html.en 442)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 443) </p></li></ol></div></div></div><div class="sect1" title="4. Toggle Code Path"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2696524"></a>4. Toggle Code Path</h2></div></div></div><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 444)
torbutton/en/design/index.html.en 445) The act of toggling is connected to <code class="function">torbutton_toggle()</code>
torbutton/en/design/index.html.en 446) via the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.xul" target="_top">torbutton.xul</a>
torbutton/en/design/index.html.en 447) and <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/popup.xul" target="_top">popup.xul</a>
torbutton/en/design/index.html.en 448) overlay files. Most of the work in the toggling process is present in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>
torbutton/en/design/index.html.en 449)
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 450) </p><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 451)
torbutton/en/design/index.html.en 452) Toggling is a 3 stage process: Button Click, Proxy Update, and
torbutton/en/design/index.html.en 453) Settings Update. These stages are reflected in the prefs
torbutton/en/design/index.html.en 454) <span class="command"><strong>extensions.torbutton.tor_enabled</strong></span>,
torbutton/en/design/index.html.en 455) <span class="command"><strong>extensions.torbutton.proxies_applied</strong></span>, and
torbutton/en/design/index.html.en 456) <span class="command"><strong>extensions.torbutton.settings_applied</strong></span>. The reason for the
torbutton/en/design/index.html.en 457) three stage preference update is to ensure immediate enforcement of <a class="link" href="#isolation">Network Isolation</a> via the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>. Since the content window
torbutton/en/design/index.html.en 458) javascript runs on a different thread than the chrome javascript, it is
torbutton/en/design/index.html.en 459) important to properly convey the stages to the content policy to avoid race
torbutton/en/design/index.html.en 460) conditions and leakage, especially with <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
torbutton/en/design/index.html.en 461) 409737</a> unfixed. The content policy does not allow any network activity
torbutton/en/design/index.html.en 462) whatsoever during this three stage transition.
torbutton/en/design/index.html.en 463)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 464) </p><div class="sect2" title="4.1. Button Click"><div class="titlepage"><div><div><h3 class="title"><a id="id2699452"></a>4.1. Button Click</h3></div></div></div><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 465)
torbutton/en/design/index.html.en 466) This is the first step in the toggling process. When the user clicks the
torbutton/en/design/index.html.en 467) toggle button or the toolbar, <code class="function">torbutton_toggle()</code> is
torbutton/en/design/index.html.en 468) called. This function checks the current Tor status by comparing the current
torbutton/en/design/index.html.en 469) proxy settings to the selected Tor settings, and then sets the proxy settings
torbutton/en/design/index.html.en 470) to the opposite state, and sets the pref
torbutton/en/design/index.html.en 471) <span class="command"><strong>extensions.torbutton.tor_enabled</strong></span> to reflect the new state.
torbutton/en/design/index.html.en 472) It is this proxy pref update that gives notification via the <a class="ulink" href="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29" target="_top">pref
torbutton/en/design/index.html.en 473) observer</a>
torbutton/en/design/index.html.en 474) <span class="command"><strong>torbutton_unique_pref_observer</strong></span> to perform the rest of the
torbutton/en/design/index.html.en 475) toggle.
torbutton/en/design/index.html.en 476)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 477) </p></div><div class="sect2" title="4.2. Proxy Update"><div class="titlepage"><div><div><h3 class="title"><a id="id2697978"></a>4.2. Proxy Update</h3></div></div></div><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 478)
torbutton/en/design/index.html.en 479) When Torbutton receives any proxy change notifications via its
torbutton/en/design/index.html.en 480) <span class="command"><strong>torbutton_unique_pref_observer</strong></span>, it calls
torbutton/en/design/index.html.en 481) <code class="function">torbutton_set_status()</code> which checks against the Tor
torbutton/en/design/index.html.en 482) settings to see if the Tor proxy settings match the current settings. If so,
torbutton/en/design/index.html.en 483) it calls <code class="function">torbutton_update_status()</code>, which determines if
torbutton/en/design/index.html.en 484) the Tor state has actually changed, and sets
torbutton/en/design/index.html.en 485) <span class="command"><strong>extensions.torbutton.proxies_applied</strong></span> to the appropriate Tor
torbutton/en/design/index.html.en 486) state value, and ensures that
torbutton/en/design/index.html.en 487) <span class="command"><strong>extensions.torbutton.tor_enabled</strong></span> is also set to the correct
torbutton/en/design/index.html.en 488) value. This is decoupled from the button click functionality via the pref
torbutton/en/design/index.html.en 489) observer so that other addons (such as SwitchProxy) can switch the proxy
torbutton/en/design/index.html.en 490) settings between multiple proxies.
torbutton/en/design/index.html.en 491)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 492) </p></div><div class="sect2" title="4.3. Settings Update"><div class="titlepage"><div><div><h3 class="title"><a id="id2697015"></a>4.3. Settings Update</h3></div></div></div><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 493)
torbutton/en/design/index.html.en 494) The next stage is also handled by
torbutton/en/design/index.html.en 495) <code class="function">torbutton_update_status()</code>. This function sets scores of
torbutton/en/design/index.html.en 496) Firefox preferences, saving the original values to prefs under
torbutton/en/design/index.html.en 497) <span class="command"><strong>extensions.torbutton.saved.*</strong></span>, and performs the <a class="link" href="#cookiejar" title="@torproject.org/cookie-jar-selector;2 - components/cookie-jar-selector.js">cookie jarring</a>, state clearing (such as window.name
torbutton/en/design/index.html.en 498) and DOM storage), and <a class="link" href="#preferences" title="4.4. Firefox preferences touched during Toggle">preference
torbutton/en/design/index.html.en 499) toggling</a>. At the
torbutton/en/design/index.html.en 500) end of its work, it sets
torbutton/en/design/index.html.en 501) <span class="command"><strong>extensions.torbutton.settings_applied</strong></span>, which signifies the
torbutton/en/design/index.html.en 502) completion of the toggle operation to the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>.
torbutton/en/design/index.html.en 503)
torbutton/en/design/index.html.en 504) </p></div><div class="sect2" title="4.4. Firefox preferences touched during Toggle"><div class="titlepage"><div><div><h3 class="title"><a id="preferences"></a>4.4. Firefox preferences touched during Toggle</h3></div></div></div><p>
torbutton/en/design/index.html.en 505) There are also a number of Firefox preferences set in
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 506) <code class="function">torbutton_update_status()</code> that aren't governed by any
torbutton/en/design/index.html.en 507) Torbutton setting. These are:
torbutton/en/design/index.html.en 508) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Network.security.ports.banned" target="_top">network.security.ports.banned</a><p>
torbutton/en/design/index.html.en 509) Torbutton sets this setting to add ports 8123, 8118, 9050 and 9051 (which it
torbutton/en/design/index.html.en 510) reads from <span class="command"><strong>extensions.torbutton.banned_ports</strong></span>) to the list
torbutton/en/design/index.html.en 511) of ports Firefox is forbidden to access. These ports are Polipo, Privoxy, Tor,
torbutton/en/design/index.html.en 512) and the Tor control port, respectively. This is set for both Tor and Non-Tor
torbutton/en/design/index.html.en 513) usage, and prevents websites from attempting to do http fetches from these
torbutton/en/design/index.html.en 514) ports to see if they are open, which addresses the <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
torbutton/en/design/index.html.en 515) </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.send_pings" target="_top">browser.send_pings</a><p>
torbutton/en/design/index.html.en 516) This setting is currently always disabled. If anyone ever complains saying
torbutton/en/design/index.html.en 517) that they *want* their browser to be able to send ping notifications to a
torbutton/en/design/index.html.en 518) page or arbitrary link, I'll make this a pref or Tor-only. But I'm not holding
torbutton/en/design/index.html.en 519) my breath. I haven't checked if the content policy is called for pings, but if
torbutton/en/design/index.html.en 520) not, this setting helps with meeting the <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en 521) Isolation</a> requirement.
torbutton/en/design/index.html.en 522) </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.safebrowsing.remoteLookups" target="_top">browser.safebrowsing.remoteLookups</a><p>
torbutton/en/design/index.html.en 523) Likewise for this setting. I find it hard to imagine anyone who wants to ask
torbutton/en/design/index.html.en 524) Google in real time if each URL they visit is safe, especially when the list
torbutton/en/design/index.html.en 525) of unsafe URLs is downloaded anyway. This helps fulfill the <a class="link" href="#disk">Disk Avoidance</a> requirement, by preventing your entire
torbutton/en/design/index.html.en 526) browsing history from ending up on Google's disks.
torbutton/en/design/index.html.en 527) </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.safebrowsing.enabled" target="_top">browser.safebrowsing.enabled</a><p>
torbutton/en/design/index.html.en 528) Safebrowsing does <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=360387" target="_top">unauthenticated
torbutton/en/design/index.html.en 529) updates under Firefox 2</a>, so it is disabled during Tor usage.
torbutton/en/design/index.html.en 530) This helps fulfill the <a class="link" href="#updates">Update
torbutton/en/design/index.html.en 531) Safety</a> requirement. Firefox 3 has the fix for that bug, and so
torbutton/en/design/index.html.en 532) safebrowsing updates are enabled during Tor usage.
torbutton/en/design/index.html.en 533) </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Network.protocol-handler.warn-external.%28protocol%29" target="_top">network.protocol-handler.warn-external.(protocol)</a><p>
torbutton/en/design/index.html.en 534) If Tor is enabled, we need to prevent random external applications from
torbutton/en/design/index.html.en 535) launching without at least warning the user. This group of settings only
torbutton/en/design/index.html.en 536) partially accomplishes this, however. Applications can still be launched via
torbutton/en/design/index.html.en 537) plugins. The mechanisms for handling this are described under the "Disable
torbutton/en/design/index.html.en 538) Plugins During Tor Usage" preference. This helps fulfill the <a class="link" href="#proxy">Proxy Obedience</a> requirement, by preventing external
torbutton/en/design/index.html.en 539) applications from accessing network resources at the command of Tor-fetched
torbutton/en/design/index.html.en 540) pages. Unfortunately, due to <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a>
torbutton/en/design/index.html.en 541) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">440892</a>,
torbutton/en/design/index.html.en 542) these prefs are no longer obeyed. They are set still anyway out of respect for
torbutton/en/design/index.html.en 543) the dead.
torbutton/en/design/index.html.en 544) </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.sessionstore.max_tabs_undo" target="_top">browser.sessionstore.max_tabs_undo</a><p>
torbutton/en/design/index.html.en 545)
torbutton/en/design/index.html.en 546) To help satisfy the Torbutton <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en 547) and <a class="link" href="#isolation">Network Isolation</a> requirements,
torbutton/en/design/index.html.en 548) Torbutton needs to purge the Undo Tab history on toggle to prevent repeat
torbutton/en/design/index.html.en 549) "Undo Close" operations from accidentally restoring tabs from a different Tor
torbutton/en/design/index.html.en 550) State. This purge is accomplished by setting this preference to 0 and then
torbutton/en/design/index.html.en 551) restoring it to the previous user value upon toggle.
torbutton/en/design/index.html.en 552)
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 553) </p></li><li class="listitem"><span class="command"><strong>security.enable_ssl2</strong></span> or <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/interfaces/nsIDOMCrypto" target="_top">nsIDOMCrypto::logout()</a><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 554) TLS Session IDs can persist for an indefinite duration, providing an
torbutton/en/design/index.html.en 555) identifier that is sent to TLS sites that can be used to link activity. This
torbutton/en/design/index.html.en 556) is particularly troublesome now that we have certificate verification in place
torbutton/en/design/index.html.en 557) in Firefox 3: The OCSP server can use this Session ID to build a history of
torbutton/en/design/index.html.en 558) TLS sites someone visits, and also correlate their activity as users move from
torbutton/en/design/index.html.en 559) network to network (such as home to work to coffee shop, etc), inside and
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 560) outside of Tor. To handle this and to help satisfy our <a class="link" href="#state">State Separation Requirement</a>, we call the logout()
torbutton/en/design/index.html.en 561) function of nsIDOMCrypto. Since this may be absent, or may fail, we fall back
torbutton/en/design/index.html.en 562) to toggling
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 563) <span class="command"><strong>security.enable_ssl2</strong></span>, which clears the SSL Session ID
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 564) cache via the pref observer at <a class="ulink" href="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp" target="_top">nsNSSComponent.cpp</a>.
torbutton/en/design/index.html.en 565) </p></li><li class="listitem"><span class="command"><strong>security.OCSP.enabled</strong></span><p>
torbutton/en/design/index.html.en 566) Similarly, we toggle <span class="command"><strong>security.OCSP.enabled</strong></span>, which clears the OCSP certificate
torbutton/en/design/index.html.en 567) validation cache via the pref observer at <a class="ulink" href="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp" target="_top">nsNSSComponent.cpp</a>.
torbutton/en/design/index.html.en 568) In this way, exit nodes will not be able to fingerprint you
torbutton/en/design/index.html.en 569) based the fact that non-Tor OCSP lookups were obviously previously cached.
torbutton/en/design/index.html.en 570) To handle this and to help satisfy our <a class="link" href="#state">State Separation Requirement</a>,
torbutton/en/design/index.html.en 571) </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Updating_extensions#Disabling_update_checks_for_individual_add-ons_-_Advanced_users" target="_top">extensions.e0204bd5-9d31-402b-a99d-a6aa8ffebdca.getAddons.cache.enabled</a></strong></span><p>
torbutton/en/design/index.html.en 572) We permanently disable addon usage statistic reporting to the
torbutton/en/design/index.html.en 573) addons.mozilla.org statistics engine. These statistics send version
torbutton/en/design/index.html.en 574) information about Torbutton users via non-Tor, allowing their Tor use to be
torbutton/en/design/index.html.en 575) uncovered. Disabling this reporting helps Torbutton to satisfy its <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
torbutton/en/design/index.html.en 576)
torbutton/en/design/index.html.en 577) </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://www.mozilla.com/en-US/firefox/geolocation/" target="_top">geo.enabled</a></strong></span><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 578)
torbutton/en/design/index.html.en 579) Torbutton disables Geolocation support in Firefox 3.5 and above whenever tor
torbutton/en/design/index.html.en 580) is enabled. This helps Torbutton maintain its
torbutton/en/design/index.html.en 581) <a class="link" href="#location">Location Neutrality</a> requirement.
torbutton/en/design/index.html.en 582) While Firefox does prompt before divulging geolocational information,
torbutton/en/design/index.html.en 583) the assumption is that Tor users will never want to give their
torbutton/en/design/index.html.en 584) location away during Tor usage, and even allowing websites to prompt
torbutton/en/design/index.html.en 585) them to do so will only cause confusion and accidents to happen. Moreover,
torbutton/en/design/index.html.en 586) just because users may approve a site to know their location in non-Tor mode
torbutton/en/design/index.html.en 587) does not mean they want it divulged during Tor mode.
torbutton/en/design/index.html.en 588)
torbutton/en/design/index.html.en 589) </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Browser.zoom.siteSpecific" target="_top">browser.zoom.siteSpecific</a></strong></span><p>
torbutton/en/design/index.html.en 590)
torbutton/en/design/index.html.en 591) Firefox actually remembers your zoom settings for certain sites. CSS
torbutton/en/design/index.html.en 592) and Javascript rule can use this to recognize previous visitors to a site.
torbutton/en/design/index.html.en 593) This helps Torbutton fulfill its <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en 594) requirement.
torbutton/en/design/index.html.en 595)
torbutton/en/design/index.html.en 596) </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="https://developer.mozilla.org/en/controlling_dns_prefetching" target="_top">network.dns.disablePrefetch</a></strong></span><p>
torbutton/en/design/index.html.en 597)
torbutton/en/design/index.html.en 598) Firefox 3.5 and above implement prefetching of DNS resolution for hostnames in
torbutton/en/design/index.html.en 599) links on a page to decrease page load latency. While Firefox does typically
torbutton/en/design/index.html.en 600) disable this behavior when proxies are enabled, we set this pref for added
torbutton/en/design/index.html.en 601) safety during Tor usage. Additionally, to prevent Tor-loaded tabs from having
torbutton/en/design/index.html.en 602) their links prefetched after a toggle to Non-Tor mode occurs,
torbutton/en/design/index.html.en 603) we also set the docShell attribute
torbutton/en/design/index.html.en 604) <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell" target="_top">
torbutton/en/design/index.html.en 605) allowDNSPrefetch</a> to false on Tor loaded tabs. This happens in the same
torbutton/en/design/index.html.en 606) positions in the code as those for disabling plugins via the allowPlugins
torbutton/en/design/index.html.en 607) docShell attribute. This helps Torbutton fulfill its <a class="link" href="#isolation">Network Isolation</a> requirement.
torbutton/en/design/index.html.en 608)
torbutton/en/design/index.html.en 609) </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Browser.cache.offline.enable" target="_top">browser.cache.offline.enable</a></strong></span><p>
torbutton/en/design/index.html.en 610)
torbutton/en/design/index.html.en 611) Firefox has the ability to store web applications in a special cache to allow
torbutton/en/design/index.html.en 612) them to continue to operate while the user is offline. Since this subsystem
torbutton/en/design/index.html.en 613) is actually different than the normal disk cache, it must be dealt with
torbutton/en/design/index.html.en 614) separately. Thus, Torbutton sets this preference to false whenever Tor is
torbutton/en/design/index.html.en 615) enabled. This helps Torbutton fulfill its <a class="link" href="#disk">Disk
torbutton/en/design/index.html.en 616) Avoidance</a> and <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en 617) requirements.
torbutton/en/design/index.html.en 618)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 619) </p></li></ol></div></div></div><div class="sect1" title="5. Description of Options"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2702702"></a>5. Description of Options</h2></div></div></div><p>This section provides a detailed description of Torbutton's options. Each
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 620) option is presented as the string from the preferences window, a summary, the
torbutton/en/design/index.html.en 621) preferences it touches, and the effect this has on the components, chrome, and
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 622) browser properties.</p><div class="sect2" title="5.1. Proxy Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2704948"></a>5.1. Proxy Settings</h3></div></div></div><div class="sect3" title="Test Settings"><div class="titlepage"><div><div><h4 class="title"><a id="id2683681"></a>Test Settings</h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 623) This button under the Proxy Settings tab provides a way to verify that the
torbutton/en/design/index.html.en 624) proxy settings are correct, and actually do route through the Tor network. It
torbutton/en/design/index.html.en 625) performs this check by issuing an <a class="ulink" href="http://developer.mozilla.org/en/docs/XMLHttpRequest" target="_top">XMLHTTPRequest</a>
torbutton/en/design/index.html.en 626) for <a class="ulink" href="https://check.torproject.org/?TorButton=True" target="_top">https://check.torproject.org/?Torbutton=True</a>.
torbutton/en/design/index.html.en 627) This is a special page that returns very simple, yet well-formed XHTML that
torbutton/en/design/index.html.en 628) Torbutton can easily inspect for a hidden link with an id of
torbutton/en/design/index.html.en 629) <span class="command"><strong>TorCheckResult</strong></span> and a target of <span class="command"><strong>success</strong></span>
torbutton/en/design/index.html.en 630) or <span class="command"><strong>failure</strong></span> to indicate if the
torbutton/en/design/index.html.en 631) user hit the page from a Tor IP, a non-Tor IP. This check is handled in
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 632) <code class="function">torbutton_test_settings()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>.
torbutton/en/design/index.html.en 633) Presenting the results to the user is handled by the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.xul" target="_top">preferences
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 634) window</a>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 635) callback <code class="function">torbutton_prefs_test_settings()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/preferences.js" target="_top">preferences.js</a>.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 636)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 637) </p></div></div><div class="sect2" title="5.2. Dynamic Content Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2686645"></a>5.2. Dynamic Content Settings</h3></div></div></div><div class="sect3" title="Disable plugins on Tor Usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="plugins"></a>Disable plugins on Tor Usage (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_tor_plugins</strong></span></p><p>Java and plugins <a class="ulink" href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/class-use/NetworkInterface.html" target="_top">can query</a> the <a class="ulink" href="http://www.rgagnon.com/javadetails/java-0095.html" target="_top">local IP
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 638) address</a> and report it back to the
torbutton/en/design/index.html.en 639) remote site. They can also <a class="ulink" href="http://decloak.net" target="_top">bypass proxy settings</a> and directly connect to a
torbutton/en/design/index.html.en 640) remote site without Tor. Every browser plugin we have tested with Firefox has
torbutton/en/design/index.html.en 641) some form of network capability, and every one ignores proxy settings or worse - only
torbutton/en/design/index.html.en 642) partially obeys them. This includes but is not limited to:
torbutton/en/design/index.html.en 643) QuickTime, Windows Media Player, RealPlayer, mplayerplug-in, AcroRead, and
torbutton/en/design/index.html.en 644) Flash.
torbutton/en/design/index.html.en 645)
torbutton/en/design/index.html.en 646) </p><p>
torbutton/en/design/index.html.en 647) Enabling this preference causes the above mentioned Torbutton chrome web progress
torbutton/en/design/index.html.en 648) listener <span class="command"><strong>torbutton_weblistener</strong></span> to disable Java via <span class="command"><strong>security.enable_java</strong></span> and to disable
torbutton/en/design/index.html.en 649) plugins via the browser <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell" target="_top">docShell</a>
torbutton/en/design/index.html.en 650) attribute <span class="command"><strong>allowPlugins</strong></span>. These flags are set every time a new window is
torbutton/en/design/index.html.en 651) created (<code class="function">torbutton_tag_new_browser()</code>), every time a web
torbutton/en/design/index.html.en 652) load
torbutton/en/design/index.html.en 653) event occurs
torbutton/en/design/index.html.en 654) (<code class="function">torbutton_update_tags()</code>), and every time the tor state is changed
torbutton/en/design/index.html.en 655) (<code class="function">torbutton_update_status()</code>). As a backup measure, plugins are also
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 656) prevented from loading by the content policy in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1</a> if Tor is
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 657) enabled and this option is set.
torbutton/en/design/index.html.en 658) </p><p>All of this turns out to be insufficient if the user directly clicks
torbutton/en/design/index.html.en 659) on a plugin-handled mime-type. <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">In this case</a>,
torbutton/en/design/index.html.en 660) the browser decides that maybe it should ignore all these other settings and
torbutton/en/design/index.html.en 661) load the plugin anyways, because maybe the user really did want to load it
torbutton/en/design/index.html.en 662) (never mind this same load-style could happen automatically with meta-refresh
torbutton/en/design/index.html.en 663) or any number of other ways..). To handle these cases, Torbutton stores a list
torbutton/en/design/index.html.en 664) of plugin-handled mime-types, and sets the pref
torbutton/en/design/index.html.en 665) <span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to this list.
torbutton/en/design/index.html.en 666) Additionally, (since nothing can be assumed when relying on Firefox
torbutton/en/design/index.html.en 667) preferences and internals) if it detects a load of one of them from the web
torbutton/en/design/index.html.en 668) progress listener, it cancels the request, tells the associated DOMWindow to
torbutton/en/design/index.html.en 669) stop loading, clears the document, AND throws an exception. Anything short of
torbutton/en/design/index.html.en 670) all this and the plugin managed to find some way to load.
torbutton/en/design/index.html.en 671) </p><p>
torbutton/en/design/index.html.en 672) All this could be avoided, of course, if Firefox would either <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">obey
torbutton/en/design/index.html.en 673) allowPlugins</a> for directly visited URLs, or notify its content policy for such
torbutton/en/design/index.html.en 674) loads either <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=309524" target="_top">via</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380556" target="_top">shouldProcess</a> or shouldLoad. The fact that it does not is
torbutton/en/design/index.html.en 675) not very encouraging.
torbutton/en/design/index.html.en 676) </p><p>
torbutton/en/design/index.html.en 677)
torbutton/en/design/index.html.en 678) Since most plugins completely ignore browser proxy settings, the actions
torbutton/en/design/index.html.en 679) performed by this setting are crucial to satisfying the <a class="link" href="#proxy">Proxy Obedience</a> requirement.
torbutton/en/design/index.html.en 680)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 681) </p></div><div class="sect3" title="Isolate Dynamic Content to Tor State (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2688604"></a>Isolate Dynamic Content to Tor State (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.isolate_content</strong></span></p><p>Enabling this preference is what enables the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1</a> content policy
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 682) mentioned above, and causes it to block content load attempts in pages an
torbutton/en/design/index.html.en 683) opposite Tor state from the current state. Freshly loaded <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser" target="_top">browser
torbutton/en/design/index.html.en 684) tabs</a> are tagged
torbutton/en/design/index.html.en 685) with a <span class="command"><strong>__tb_load_state</strong></span> member in
torbutton/en/design/index.html.en 686) <code class="function">torbutton_update_tags()</code> and this
torbutton/en/design/index.html.en 687) value is compared against the current tor state in the content policy.</p><p>It also kills all Javascript in each page loaded under that state by
torbutton/en/design/index.html.en 688) toggling the <span class="command"><strong>allowJavascript</strong></span> <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell" target="_top">docShell</a> property, and issues a
torbutton/en/design/index.html.en 689) <a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIWebNavigation#stop()" target="_top">webNavigation.stop(webNavigation.STOP_ALL)</a> to each browser tab (the
torbutton/en/design/index.html.en 690) equivalent of hitting the STOP button).</p><p>
torbutton/en/design/index.html.en 691)
torbutton/en/design/index.html.en 692) Unfortunately, <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox bug
torbutton/en/design/index.html.en 693) 409737</a> prevents <span class="command"><strong>docShell.allowJavascript</strong></span> from killing
torbutton/en/design/index.html.en 694) all event handlers, and event handlers registered with <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:element.addEventListener" target="_top">addEventListener()</a>
torbutton/en/design/index.html.en 695) are still able to execute. The <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">Torbutton Content
torbutton/en/design/index.html.en 696) Policy</a> should prevent such code from performing network activity within
torbutton/en/design/index.html.en 697) the current tab, but activity that happens via a popup window or via a
torbutton/en/design/index.html.en 698) Javascript redirect can still slip by. For this reason, Torbutton blocks
torbutton/en/design/index.html.en 699) popups by checking for a valid <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.opener" target="_top">window.opener</a>
torbutton/en/design/index.html.en 700) attribute in <code class="function">torbutton_check_progress()</code>. If the window
torbutton/en/design/index.html.en 701) has an opener from a different Tor state, its load is blocked. The content
torbutton/en/design/index.html.en 702) policy also takes similar action to prevent Javascript redirects. This also
torbutton/en/design/index.html.en 703) has the side effect/feature of preventing the user from following any links
torbutton/en/design/index.html.en 704) from a page loaded in an opposite Tor state.
torbutton/en/design/index.html.en 705)
torbutton/en/design/index.html.en 706) </p><p>
torbutton/en/design/index.html.en 707) This setting is responsible for satisfying the <a class="link" href="#isolation">Network Isolation</a> requirement.
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 708) </p></div><div class="sect3" title="Hook Dangerous Javascript"><div class="titlepage"><div><div><h4 class="title"><a id="jshooks"></a>Hook Dangerous Javascript</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.kill_bad_js</strong></span></p><p>This setting enables injection of the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/jshooks.js" target="_top">Javascript
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 709) hooking code</a>. This is done in the chrome in
torbutton/en/design/index.html.en 710) <code class="function">torbutton_hookdoc()</code>, which is called ultimately by both the
torbutton/en/design/index.html.en 711) <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener" target="_top">webprogress
torbutton/en/design/index.html.en 712) listener</a> <span class="command"><strong>torbutton_weblistener</strong></span> and the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a> (the latter being a hack to handle
torbutton/en/design/index.html.en 713) javascript: urls).
torbutton/en/design/index.html.en 714)
torbutton/en/design/index.html.en 715) In the Firefox 2 days, this option did a lot more than
torbutton/en/design/index.html.en 716) it does now. It used to be responsible for timezone and improved useragent
torbutton/en/design/index.html.en 717) spoofing, and history object cloaking. However, now it only provides
torbutton/en/design/index.html.en 718) obfuscation of the <a class="ulink" href="https://developer.mozilla.org/en/DOM/window.screen" target="_top">window.screen</a>
torbutton/en/design/index.html.en 719) object to mask your browser and desktop resolution.
torbutton/en/design/index.html.en 720) The resolution hooks
torbutton/en/design/index.html.en 721) effectively make the Firefox browser window appear to websites as if the renderable area
torbutton/en/design/index.html.en 722) takes up the entire desktop, has no toolbar or other GUI element space, and
torbutton/en/design/index.html.en 723) the desktop itself has no toolbars.
torbutton/en/design/index.html.en 724) These hooks drastically reduce the amount of information available to do <a class="link" href="#fingerprinting">anonymity set reduction attacks</a> and help to
torbutton/en/design/index.html.en 725) meet the <a class="link" href="#setpreservation">Anonymity Set Preservation</a>
torbutton/en/design/index.html.en 726) requirements. Unfortunately, Gregory Fleischer discovered it is still possible
torbutton/en/design/index.html.en 727) to retrieve the original screen values by using <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-sandbox-xpcnativewrapper.html" target="_top">XPCNativeWrapper</a>
torbutton/en/design/index.html.en 728) or <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-components-lookupmethod.html" target="_top">Components.lookupMethod</a>.
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 729) We are still looking for a workaround as of Torbutton 1.3.2.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 730)
torbutton/en/design/index.html.en 731)
torbutton/en/design/index.html.en 732)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 733)
torbutton/en/design/index.html.en 734) </p></div><div class="sect3" title="Resize windows to multiples of 50px during Tor usage (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663307"></a>Resize windows to multiples of 50px during Tor usage (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.resize_windows</strong></span></p><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 735)
torbutton/en/design/index.html.en 736) This option drastically cuts down on the number of distinct anonymity sets
torbutton/en/design/index.html.en 737) that divide the Tor web userbase. Without this setting, the dimensions for a
torbutton/en/design/index.html.en 738) typical browser window range from 600-1200 horizontal pixels and 400-1000
torbutton/en/design/index.html.en 739) vertical pixels, or about 600x600 = 360000 different sets. Resizing the
torbutton/en/design/index.html.en 740) browser window to multiples of 50 on each side reduces the number of sets by
torbutton/en/design/index.html.en 741) 50^2, bringing the total number of sets to 144. Of course, the distribution
torbutton/en/design/index.html.en 742) among these sets are not uniform, but scaling by 50 will improve the situation
torbutton/en/design/index.html.en 743) due to this non-uniformity for users in the less common resolutions.
torbutton/en/design/index.html.en 744) Obviously the ideal situation would be to lie entirely about the browser
torbutton/en/design/index.html.en 745) window size, but this will likely cause all sorts of rendering issues, and is
torbutton/en/design/index.html.en 746) also not implementable in a foolproof way from extension land.
torbutton/en/design/index.html.en 747)
torbutton/en/design/index.html.en 748) </p><p>
torbutton/en/design/index.html.en 749)
torbutton/en/design/index.html.en 750) The implementation of this setting is spread across a couple of different
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 751) locations in the Torbutton javascript <a class="link" href="#browseroverlay" title="Browser Overlay - torbutton.xul">browser
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 752) overlay</a>. Since resizing minimized windows causes them to be restored,
torbutton/en/design/index.html.en 753) and since maximized windows remember their previous size to the pixel, windows
torbutton/en/design/index.html.en 754) must be resized before every document load (at the time of browser tagging)
torbutton/en/design/index.html.en 755) via <code class="function">torbutton_check_round()</code>, called by
torbutton/en/design/index.html.en 756) <code class="function">torbutton_update_tags()</code>. To prevent drift, the extension
torbutton/en/design/index.html.en 757) tracks the original values of the windows and uses this to perform the
torbutton/en/design/index.html.en 758) rounding on document load. In addition, to prevent the user from resizing a
torbutton/en/design/index.html.en 759) window to a non-50px multiple, a resize listener
torbutton/en/design/index.html.en 760) (<code class="function">torbutton_do_resize()</code>) is installed on every new browser
torbutton/en/design/index.html.en 761) window to record the new size and round it to a 50px multiple while Tor is
torbutton/en/design/index.html.en 762) enabled. In all cases, the browser's contentWindow.innerWidth and innerHeight
torbutton/en/design/index.html.en 763) are set. This ensures that there is no discrepancy between the 50 pixel cutoff
torbutton/en/design/index.html.en 764) and the actual renderable area of the browser (so that it is not possible to
torbutton/en/design/index.html.en 765) infer toolbar size/presence by the distance to the nearest 50 pixel roundoff).
torbutton/en/design/index.html.en 766)
torbutton/en/design/index.html.en 767) </p><p>
torbutton/en/design/index.html.en 768) This setting helps to meet the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 769) </p></div><div class="sect3" title="Disable Search Suggestions during Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663391"></a>Disable Search Suggestions during Tor (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_search</strong></span></p><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 770) This setting causes Torbutton to disable <a class="ulink" href="http://kb.mozillazine.org/Browser.search.suggest.enabled" target="_top"><span class="command"><strong>browser.search.suggest.enabled</strong></span></a>
torbutton/en/design/index.html.en 771) during Tor usage.
torbutton/en/design/index.html.en 772) This governs if you get Google search suggestions during Tor
torbutton/en/design/index.html.en 773) usage. Your Google cookie is transmitted with google search suggestions, hence
torbutton/en/design/index.html.en 774) this is recommended to be disabled.
torbutton/en/design/index.html.en 775)
torbutton/en/design/index.html.en 776) </p><p>
torbutton/en/design/index.html.en 777) While this setting doesn't satisfy any Torbutton requirements, the fact that
torbutton/en/design/index.html.en 778) cookies are transmitted for partially typed queries does not seem desirable
torbutton/en/design/index.html.en 779) for Tor usage.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 780) </p></div><div class="sect3" title="Disable Updates During Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2663430"></a>Disable Updates During Tor</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_updates</strong></span></p><p>This setting causes Torbutton to disable the four <a class="ulink" href="http://wiki.mozilla.org/Update:Users/Checking_For_Updates#Preference_Controls_and_State" target="_top">Firefox
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 781) update settings</a> during Tor
torbutton/en/design/index.html.en 782) usage: <span class="command"><strong>extensions.update.enabled</strong></span>,
torbutton/en/design/index.html.en 783) <span class="command"><strong>app.update.enabled</strong></span>,
torbutton/en/design/index.html.en 784) <span class="command"><strong>app.update.auto</strong></span>, and
torbutton/en/design/index.html.en 785) <span class="command"><strong>browser.search.update</strong></span>. These prevent the
torbutton/en/design/index.html.en 786) browser from updating extensions, checking for Firefox upgrades, and
torbutton/en/design/index.html.en 787) checking for search plugin updates while Tor is enabled.
torbutton/en/design/index.html.en 788) </p><p>
torbutton/en/design/index.html.en 789) This setting satisfies the <a class="link" href="#updates">Update Safety</a> requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 790) </p></div><div class="sect3" title="Redirect Torbutton Updates Via Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663492"></a>Redirect Torbutton Updates Via Tor (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.update_torbutton_via_tor</strong></span></p><p>This setting causes Torbutton to install an
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 791)
torbutton/en/design/index.html.en 792) <a class="ulink" href="https://developer.mozilla.org/en/nsIProtocolProxyFilter" target="_top">nsIProtocolProxyFilter</a>
torbutton/en/design/index.html.en 793) in order to redirect all version update checks and Torbutton update downloads
torbutton/en/design/index.html.en 794) via Tor, regardless of if Tor is enabled or not. This was done both to address
torbutton/en/design/index.html.en 795) concerns about data retention done by <a class="ulink" href="https://www.addons.mozilla.org" target="_top">addons.mozilla.org</a>, as well as to
torbutton/en/design/index.html.en 796) help censored users meet the <a class="link" href="#undiscoverability">Tor
torbutton/en/design/index.html.en 797) Undiscoverability</a> requirement.
torbutton/en/design/index.html.en 798)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 799) </p></div><div class="sect3" title="Disable livemarks updates during Tor usage (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663536"></a>Disable livemarks updates during Tor usage (recommended)</h4></div></div></div><p>Option:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 800) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.disable_livemarks</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 801) </p><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 802)
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 803) This option causes Torbutton to prevent Firefox from loading <a class="ulink" href="http://www.mozilla.com/firefox/livebookmarks.html" target="_top">Livemarks</a> during
torbutton/en/design/index.html.en 804) Tor usage. Because people often have very personalized Livemarks (such as RSS
torbutton/en/design/index.html.en 805) feeds of Wikipedia articles they maintain, etc). This is accomplished both by
torbutton/en/design/index.html.en 806) <a class="link" href="#livemarks" title="@mozilla.org/browser/livemark-service;2 - components/block-livemarks.js">wrapping the livemark-service component</a> and
torbutton/en/design/index.html.en 807) by calling stopUpdateLivemarks() on the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2" target="_top">Livemark
torbutton/en/design/index.html.en 808) service</a> when Tor is enabled.
torbutton/en/design/index.html.en 809)
torbutton/en/design/index.html.en 810) </p><p>
torbutton/en/design/index.html.en 811) This helps satisfy the <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en 812) Isolation</a> and <a class="link" href="#setpreservation">Anonymity Set
torbutton/en/design/index.html.en 813) Preservation</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 814) </p></div><div class="sect3" title="Block Tor/Non-Tor access to network from file:// urls (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663607"></a>Block Tor/Non-Tor access to network from file:// urls (recommended)</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 815) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_tor_file_net</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nontor_file_net</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 816) </p><p>
torbutton/en/design/index.html.en 817)
torbutton/en/design/index.html.en 818) These settings prevent file urls from performing network operations during the
torbutton/en/design/index.html.en 819) respective Tor states. Firefox 2's implementation of same origin policy allows
torbutton/en/design/index.html.en 820) file urls to read and <a class="ulink" href="http://www.gnucitizen.org/blog/content-disposition-hacking/" target="_top">submit
torbutton/en/design/index.html.en 821) arbitrary files from the local filesystem</a> to arbitrary websites. To
torbutton/en/design/index.html.en 822) make matters worse, the 'Content-Disposition' header can be injected
torbutton/en/design/index.html.en 823) arbitrarily by exit nodes to trick users into running arbitrary html files in
torbutton/en/design/index.html.en 824) the local context. These preferences cause the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a> to block access to any network
torbutton/en/design/index.html.en 825) resources from File urls during the appropriate Tor state.
torbutton/en/design/index.html.en 826)
torbutton/en/design/index.html.en 827) </p><p>
torbutton/en/design/index.html.en 828)
torbutton/en/design/index.html.en 829) This preference helps to ensure Tor's <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en 830) Isolation</a> requirement, by preventing file urls from executing network
torbutton/en/design/index.html.en 831) operations in opposite Tor states. Also, allowing pages to submit arbitrary
torbutton/en/design/index.html.en 832) files to arbitrary sites just generally seems like a bad idea.
torbutton/en/design/index.html.en 833)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 834) </p></div><div class="sect3" title="Close all Tor/Non-Tor tabs and windows on toggle (optional)"><div class="titlepage"><div><div><h4 class="title"><a id="id2663679"></a>Close all Tor/Non-Tor tabs and windows on toggle (optional)</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 835) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.close_nontor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.close_tor</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 836) </p><p>
torbutton/en/design/index.html.en 837)
torbutton/en/design/index.html.en 838) These settings cause Torbutton to enumerate through all windows and close all
torbutton/en/design/index.html.en 839) tabs in each window for the appropriate Tor state. This code can be found in
torbutton/en/design/index.html.en 840) <code class="function">torbutton_update_status()</code>. The main reason these settings
torbutton/en/design/index.html.en 841) exist is as a backup mechanism in the event of any Javascript or content policy
torbutton/en/design/index.html.en 842) leaks due to <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
torbutton/en/design/index.html.en 843) 409737</a>. Torbutton currently tries to block all Javascript network
torbutton/en/design/index.html.en 844) activity via the content policy, but until that bug is fixed, there is some
torbutton/en/design/index.html.en 845) risk that there are alternate ways to bypass the policy. This option is
torbutton/en/design/index.html.en 846) available as an extra assurance of <a class="link" href="#isolation">Network
torbutton/en/design/index.html.en 847) Isolation</a> for those who would like to be sure that when Tor is toggled
torbutton/en/design/index.html.en 848) all page activity has ceased. It also serves as a potential future workaround
torbutton/en/design/index.html.en 849) in the event a content policy failure is discovered, and provides an additional
torbutton/en/design/index.html.en 850) level of protection for the <a class="link" href="#disk">Disk Avoidance</a>
torbutton/en/design/index.html.en 851) protection so that browser state is not sitting around waiting to be swapped
torbutton/en/design/index.html.en 852) out longer than necessary.
torbutton/en/design/index.html.en 853)
torbutton/en/design/index.html.en 854) </p><p>
torbutton/en/design/index.html.en 855) While this setting doesn't satisfy any Torbutton requirements, the fact that
torbutton/en/design/index.html.en 856) cookies are transmitted for partially typed queries does not seem desirable
torbutton/en/design/index.html.en 857) for Tor usage.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 858) </p></div></div><div class="sect2" title="5.3. History and Forms Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705261"></a>5.3. History and Forms Settings</h3></div></div></div><div class="sect3" title="Isolate Access to History navigation to Tor state (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705267"></a>Isolate Access to History navigation to Tor state (crucial)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.block_js_history</strong></span></p><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 859) This setting determines if Torbutton installs an <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistoryListener" target="_top">nsISHistoryListener</a>
torbutton/en/design/index.html.en 860) attached to the <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory" target="_top">sessionHistory</a> of
torbutton/en/design/index.html.en 861) of each browser's <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3awebNavigation" target="_top">webNavigatator</a>.
torbutton/en/design/index.html.en 862) The nsIShistoryListener is instantiated with a reference to the containing
torbutton/en/design/index.html.en 863) browser window and blocks the back, forward, and reload buttons on the browser
torbutton/en/design/index.html.en 864) navigation bar when Tor is in an opposite state than the one to load the
torbutton/en/design/index.html.en 865) current tab. In addition, Tor clears the session history during a new document
torbutton/en/design/index.html.en 866) load if this setting is enabled.
torbutton/en/design/index.html.en 867)
torbutton/en/design/index.html.en 868) </p><p>
torbutton/en/design/index.html.en 869)
torbutton/en/design/index.html.en 870) This is marked as a crucial setting in part
torbutton/en/design/index.html.en 871) because Javascript access to the history object is indistinguishable from
torbutton/en/design/index.html.en 872) user clicks, and because
torbutton/en/design/index.html.en 873) <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
torbutton/en/design/index.html.en 874) 409737</a> allows javascript to execute in opposite Tor states, javascript
torbutton/en/design/index.html.en 875) can issue reloads after Tor toggle to reveal your original IP. Even without
torbutton/en/design/index.html.en 876) this bug, however, Javascript is still able to access previous pages in your
torbutton/en/design/index.html.en 877) session history that may have been loaded under a different Tor state, to
torbutton/en/design/index.html.en 878) attempt to correlate your activity.
torbutton/en/design/index.html.en 879)
torbutton/en/design/index.html.en 880) </p><p>
torbutton/en/design/index.html.en 881)
torbutton/en/design/index.html.en 882) This setting helps to fulfill Torbutton's <a class="link" href="#state">State
torbutton/en/design/index.html.en 883) Separation</a> and (until Bug 409737 is fixed) <a class="link" href="#isolation">Network Isolation</a>
torbutton/en/design/index.html.en 884) requirements.
torbutton/en/design/index.html.en 885)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 886) </p></div><div class="sect3" title="History Access Settings"><div class="titlepage"><div><div><h4 class="title"><a id="id2705344"></a>History Access Settings</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 887) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_thread</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nthread</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_thwrite</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nthwrite</strong></span></td></tr></table><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 888) </p><p>On Firefox 3.x, these four settings govern the behavior of the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/ignore-history.js" target="_top">components/ignore-history.js</a>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 889) history blocker component mentioned above. By hooking the browser's view of
torbutton/en/design/index.html.en 890) the history itself via the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2" target="_top">@mozilla.org/browser/global-history;2</a>
torbutton/en/design/index.html.en 891) and <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/nav-history-service;1" target="_top">@mozilla.org/browser/nav-history-service;1</a>
torbutton/en/design/index.html.en 892) components, this mechanism defeats all document-based <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure
torbutton/en/design/index.html.en 893) attacks</a>, including <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only attacks</a>.
torbutton/en/design/index.html.en 894)
torbutton/en/design/index.html.en 895) The component also hooks functions involved in writing history to disk via
torbutton/en/design/index.html.en 896) both the <a class="ulink" href="http://developer.mozilla.org/en/docs/Places_migration_guide#History" target="_top">Places
torbutton/en/design/index.html.en 897) Database</a> and the older Firefox 2 mechanisms.
torbutton/en/design/index.html.en 898)
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 899) </p><p>
torbutton/en/design/index.html.en 900) On Firefox 4, Mozilla finally <a class="ulink" href="https://developer.mozilla.org/en/CSS/Privacy_and_the_%3avisited_selector" target="_top">addressed
torbutton/en/design/index.html.en 901) these issues</a>, so we can effectively ignore the "read" pair of the
torbutton/en/design/index.html.en 902) above prefs. We then only need to link the write prefs to
torbutton/en/design/index.html.en 903) <span class="command"><strong>places.history.enabled</strong></span>, which disabled writing to the
torbutton/en/design/index.html.en 904) history store while set.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 905) </p><p>
torbutton/en/design/index.html.en 906) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 907) </p></div><div class="sect3" title="Clear History During Tor Toggle (optional)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705472"></a>Clear History During Tor Toggle (optional)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_history</strong></span></p><p>This setting governs if Torbutton calls
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 908) <a class="ulink" href="https://developer.mozilla.org/en/nsIBrowserHistory#removeAllPages.28.29" target="_top">nsIBrowserHistory.removeAllPages</a>
torbutton/en/design/index.html.en 909) and <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory" target="_top">nsISHistory.PurgeHistory</a>
torbutton/en/design/index.html.en 910) for each tab on Tor toggle.</p><p>
torbutton/en/design/index.html.en 911) This setting is an optional way to help satisfy the <a class="link" href="#state">State Separation</a> requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 912) </p></div><div class="sect3" title="Block Password+Form saving during Tor/Non-Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2705515"></a>Block Password+Form saving during Tor/Non-Tor</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 913) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_tforms</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_ntforms</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 914) </p><p>These settings govern if Torbutton disables
torbutton/en/design/index.html.en 915) <span class="command"><strong>browser.formfill.enable</strong></span>
torbutton/en/design/index.html.en 916) and <span class="command"><strong>signon.rememberSignons</strong></span> during Tor and Non-Tor usage.
torbutton/en/design/index.html.en 917) Since form fields can be read at any time by Javascript, this setting is a lot
torbutton/en/design/index.html.en 918) more important than it seems.
torbutton/en/design/index.html.en 919) </p><p>
torbutton/en/design/index.html.en 920) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 921) </p></div></div><div class="sect2" title="5.4. Cache Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705577"></a>5.4. Cache Settings</h3></div></div></div><div class="sect3" title="Block Tor disk cache and clear all cache on Tor Toggle"><div class="titlepage"><div><div><h4 class="title"><a id="id2705582"></a>Block Tor disk cache and clear all cache on Tor Toggle</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_cache</strong></span>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 922) </p><p>This option causes Torbutton to call <a class="ulink" href="https://developer.mozilla.org/en/nsICacheService#evictEntries.28.29" target="_top">nsICacheService.evictEntries(0)</a>
torbutton/en/design/index.html.en 923) on Tor toggle to remove all entries from the cache. In addition, this setting
torbutton/en/design/index.html.en 924) causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.disk.enable" target="_top">browser.cache.disk.enable</a> to false.
torbutton/en/design/index.html.en 925) </p><p>
torbutton/en/design/index.html.en 926) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 927) </p></div><div class="sect3" title="Block disk and memory cache during Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2705632"></a>Block disk and memory cache during Tor</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.block_cache</strong></span></p><p>This setting
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 928) causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.memory.enable" target="_top">browser.cache.memory.enable</a>,
torbutton/en/design/index.html.en 929) <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.disk.enable" target="_top">browser.cache.disk.enable</a> and
torbutton/en/design/index.html.en 930) <a class="ulink" href="http://kb.mozillazine.org/Network.http.use-cache" target="_top">network.http.use-cache</a> to false during tor usage.
torbutton/en/design/index.html.en 931) </p><p>
torbutton/en/design/index.html.en 932) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 933) </p></div></div><div class="sect2" title="5.5. Cookie and Auth Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705686"></a>5.5. Cookie and Auth Settings</h3></div></div></div><div class="sect3" title="Clear Cookies on Tor Toggle"><div class="titlepage"><div><div><h4 class="title"><a id="id2705691"></a>Clear Cookies on Tor Toggle</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_cookies</strong></span>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 934) </p><p>
torbutton/en/design/index.html.en 935)
torbutton/en/design/index.html.en 936) This setting causes Torbutton to call <a class="ulink" href="https://developer.mozilla.org/en/nsICookieManager#removeAll.28.29" target="_top">nsICookieManager.removeAll()</a> on
torbutton/en/design/index.html.en 937) every Tor toggle. In addition, this sets <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
torbutton/en/design/index.html.en 938) to 2 for Tor usage, which causes all cookies to be demoted to session cookies,
torbutton/en/design/index.html.en 939) which prevents them from being written to disk.
torbutton/en/design/index.html.en 940)
torbutton/en/design/index.html.en 941) </p><p>
torbutton/en/design/index.html.en 942) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 943) </p></div><div class="sect3" title="Store Non-Tor cookies in a protected jar"><div class="titlepage"><div><div><h4 class="title"><a id="id2705742"></a>Store Non-Tor cookies in a protected jar</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.cookie_jars</strong></span>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 944) </p><p>
torbutton/en/design/index.html.en 945)
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 946) This setting causes Torbutton to use <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a> to store
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 947) non-tor cookies in a cookie jar during Tor usage, and clear the Tor cookies
torbutton/en/design/index.html.en 948) before restoring the jar.
torbutton/en/design/index.html.en 949) </p><p>
torbutton/en/design/index.html.en 950) This setting also sets <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
torbutton/en/design/index.html.en 951) to 2 for Tor usage, which causes all cookies to be demoted to session cookies,
torbutton/en/design/index.html.en 952) which prevents them from being written to disk.
torbutton/en/design/index.html.en 953)
torbutton/en/design/index.html.en 954) </p><p>
torbutton/en/design/index.html.en 955) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 956) </p></div><div class="sect3" title="Store both Non-Tor and Tor cookies in a protected jar (dangerous)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705799"></a>Store both Non-Tor and Tor cookies in a protected jar (dangerous)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.dual_cookie_jars</strong></span>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 957) </p><p>
torbutton/en/design/index.html.en 958)
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 959) This setting causes Torbutton to use <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a> to store
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 960) both Tor and Non-Tor cookies into protected jars.
torbutton/en/design/index.html.en 961) </p><p>
torbutton/en/design/index.html.en 962) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 963) </p></div><div class="sect3" title="Manage My Own Cookies (dangerous)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705841"></a>Manage My Own Cookies (dangerous)</h4></div></div></div><p>Options: None</p><p>This setting disables all Torbutton cookie handling by setting the above
torbutton/en/design/index.html.en 964) cookie prefs all to false.</p></div><div class="sect3" title="Disable DOM Storage during Tor usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705856"></a>Disable DOM Storage during Tor usage (crucial)</h4></div></div></div><div class="sect3" title="Do not write Tor/Non-Tor cookies to disk"><div class="titlepage"><div><div><h4 class="title"><a id="id2705859"></a>Do not write Tor/Non-Tor cookies to disk</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 965) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.tor_memory_jar</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.nontor_memory_jar</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 966) </p><p>
torbutton/en/design/index.html.en 967) These settings (contributed by arno) cause Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
torbutton/en/design/index.html.en 968) to 2 during the appropriate Tor state, and to store cookies acquired in that
torbutton/en/design/index.html.en 969) state into a Javascript
torbutton/en/design/index.html.en 970) <a class="ulink" href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Processing_XML_with_E4X" target="_top">E4X</a>
torbutton/en/design/index.html.en 971) object as opposed to writing them to disk.
torbutton/en/design/index.html.en 972) </p><p>
torbutton/en/design/index.html.en 973) This allows Torbutton to provide an option to preserve a user's
torbutton/en/design/index.html.en 974) cookies while still satisfying the <a class="link" href="#disk">Disk Avoidance</a>
torbutton/en/design/index.html.en 975) requirement.
torbutton/en/design/index.html.en 976) </p></div><p>Option: <span class="command"><strong>extensions.torbutton.disable_domstorage</strong></span>
torbutton/en/design/index.html.en 977) </p><p>
torbutton/en/design/index.html.en 978)
torbutton/en/design/index.html.en 979) This setting causes Torbutton to toggle <span class="command"><strong>dom.storage.enabled</strong></span> during Tor
torbutton/en/design/index.html.en 980) usage to prevent
torbutton/en/design/index.html.en 981) <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:Storage" target="_top">DOM Storage</a> from
torbutton/en/design/index.html.en 982) being used to store persistent information across Tor states.</p><p>
torbutton/en/design/index.html.en 983) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 984) </p></div><div class="sect3" title="Clear HTTP Auth on Tor Toggle (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2705960"></a>Clear HTTP Auth on Tor Toggle (recommended)</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_http_auth</strong></span>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 985) </p><p>
torbutton/en/design/index.html.en 986) This setting causes Torbutton to call <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsIHttpAuthManager" target="_top">nsIHttpAuthManager.clearAll()</a>
torbutton/en/design/index.html.en 987) every time Tor is toggled.
torbutton/en/design/index.html.en 988) </p><p>
torbutton/en/design/index.html.en 989) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 990) </p></div></div><div class="sect2" title="5.6. Startup Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2705999"></a>5.6. Startup Settings</h3></div></div></div><div class="sect3" title="On Browser Startup, set Tor state to: Tor, Non-Tor"><div class="titlepage"><div><div><h4 class="title"><a id="id2706004"></a>On Browser Startup, set Tor state to: Tor, Non-Tor</h4></div></div></div><p>Options:
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 991) <span class="command"><strong>extensions.torbutton.restore_tor</strong></span>
torbutton/en/design/index.html.en 992) </p><p>This option governs what Tor state tor is loaded in to.
torbutton/en/design/index.html.en 993) <code class="function">torbutton_set_initial_state()</code> covers the case where the
torbutton/en/design/index.html.en 994) browser did not crash, and <code class="function">torbutton_crash_recover()</code>
torbutton/en/design/index.html.en 995) covers the case where the <a class="link" href="#crashobserver" title="@torproject.org/crash-observer;1">crash observer</a>
torbutton/en/design/index.html.en 996) detected a crash.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 997) </p><p>
torbutton/en/design/index.html.en 998)
torbutton/en/design/index.html.en 999) Since the Tor state after a Firefox crash is unknown/indeterminate, this
torbutton/en/design/index.html.en 1000) setting helps to satisfy the <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en 1001) requirement in the event of Firefox crashes by ensuring all cookies,
torbutton/en/design/index.html.en 1002) settings and saved sessions are reloaded from a fixed Tor state.
torbutton/en/design/index.html.en 1003)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1004) </p></div><div class="sect3" title="Prevent session store from saving Non-Tor/Tor-loaded tabs"><div class="titlepage"><div><div><h4 class="title"><a id="id2706055"></a>Prevent session store from saving Non-Tor/Tor-loaded tabs</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1005) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.nonontor_sessionstore</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.notor_sessionstore</strong></span></td></tr></table><p>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1006) </p><p>If these options are enabled, the <a class="link" href="#tbsessionstore" title="@torproject.org/torbutton-ss-blocker;1">tbSessionStore.js</a> component uses the session
torbutton/en/design/index.html.en 1007) store listeners to filter out the appropriate tabs before writing the session
torbutton/en/design/index.html.en 1008) store data to disk.
torbutton/en/design/index.html.en 1009) </p><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1010) This setting helps to satisfy the <a class="link" href="#disk">Disk Avoidance</a>
torbutton/en/design/index.html.en 1011) requirement, and also helps to satisfy the <a class="link" href="#state">State Separation</a> requirement in the event of Firefox
torbutton/en/design/index.html.en 1012) crashes.
torbutton/en/design/index.html.en 1013)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1014) </p></div></div><div class="sect2" title="5.7. Shutdown Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2706113"></a>5.7. Shutdown Settings</h3></div></div></div><div class="sect3" title="Clear cookies on Tor/Non-Tor shutdown"><div class="titlepage"><div><div><h4 class="title"><a id="id2706119"></a>Clear cookies on Tor/Non-Tor shutdown</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.shutdown_method</strong></span>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1015) </p><p> This option variable can actually take 3 values: 0, 1, and 2. 0 means no
torbutton/en/design/index.html.en 1016) cookie clearing, 1 means clear only during Tor-enabled shutdown, and 2 means
torbutton/en/design/index.html.en 1017) clear for both Tor and Non-Tor shutdown. When set to 1 or 2, Torbutton listens
torbutton/en/design/index.html.en 1018) for the <a class="ulink" href="http://developer.mozilla.org/en/docs/Observer_Notifications#Application_shutdown" target="_top">quit-application-granted</a> event in
torbutton/en/design/index.html.en 1019) <a class="link" href="#crashobserver" title="@torproject.org/crash-observer;1">crash-observer.js</a> and use <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a>
torbutton/en/design/index.html.en 1020) to clear out all cookies and all cookie jars upon shutdown.
torbutton/en/design/index.html.en 1021) </p><p>
torbutton/en/design/index.html.en 1022) This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1023) </p></div></div><div class="sect2" title="5.8. Header Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2706173"></a>5.8. Header Settings</h3></div></div></div><div class="sect3" title="Set user agent during Tor usage (crucial)"><div class="titlepage"><div><div><h4 class="title"><a id="id2706179"></a>Set user agent during Tor usage (crucial)</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1024) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.set_uagent</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.platform_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.oscpu_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.buildID_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.productsub_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.appname_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.appversion_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_vendor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_vendorSub</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 1025) </p><p>On face, user agent switching appears to be straight-forward in Firefox.
torbutton/en/design/index.html.en 1026) It provides several options for controlling the browser user agent string:
torbutton/en/design/index.html.en 1027) <span class="command"><strong>general.appname.override</strong></span>,
torbutton/en/design/index.html.en 1028) <span class="command"><strong>general.appversion.override</strong></span>,
torbutton/en/design/index.html.en 1029) <span class="command"><strong>general.platform.override</strong></span>,
torbutton/en/design/index.html.en 1030) <span class="command"><strong>general.oscpu.override</strong></span>,
torbutton/en/design/index.html.en 1031) <span class="command"><strong>general.productSub.override</strong></span>,
torbutton/en/design/index.html.en 1032) <span class="command"><strong>general.buildID.override</strong></span>,
torbutton/en/design/index.html.en 1033) <span class="command"><strong>general.useragent.override</strong></span>,
torbutton/en/design/index.html.en 1034) <span class="command"><strong>general.useragent.vendor</strong></span>, and
torbutton/en/design/index.html.en 1035) <span class="command"><strong>general.useragent.vendorSub</strong></span>. If
torbutton/en/design/index.html.en 1036) the Torbutton preference <span class="command"><strong>extensions.torbutton.set_uagent</strong></span> is
torbutton/en/design/index.html.en 1037) true, Torbutton copies all of the other above prefs into their corresponding
torbutton/en/design/index.html.en 1038) browser preferences during Tor usage.</p><p>
torbutton/en/design/index.html.en 1039)
torbutton/en/design/index.html.en 1040) It also turns out that it is possible to detect the original Firefox version
torbutton/en/design/index.html.en 1041) by <a class="ulink" href="http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/" target="_top">inspecting
torbutton/en/design/index.html.en 1042) certain resource:// files</a>. These cases are handled by Torbutton's
torbutton/en/design/index.html.en 1043) <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>.
torbutton/en/design/index.html.en 1044)
torbutton/en/design/index.html.en 1045) </p><p>
torbutton/en/design/index.html.en 1046) This setting helps to satisfy the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1047) </p></div><div class="sect3" title="Spoof US English Browser"><div class="titlepage"><div><div><h4 class="title"><a id="id2706353"></a>Spoof US English Browser</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1048) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.spoof_english</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.spoof_charset</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.spoof_language</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 1049) </p><p> This option causes Torbutton to set
torbutton/en/design/index.html.en 1050) <span class="command"><strong>general.useragent.locale</strong></span>
torbutton/en/design/index.html.en 1051) <span class="command"><strong>intl.accept_languages</strong></span> to the value specified in
torbutton/en/design/index.html.en 1052) <span class="command"><strong>extensions.torbutton.spoof_locale</strong></span>,
torbutton/en/design/index.html.en 1053) <span class="command"><strong>extensions.torbutton.spoof_charset</strong></span> and
torbutton/en/design/index.html.en 1054) <span class="command"><strong>extensions.torbutton.spoof_language</strong></span> during Tor usage, as
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1055) well as hooking <span class="command"><strong>navigator.language</strong></span> via its <a class="link" href="#jshooks" title="Hook Dangerous Javascript">javascript hooks</a>.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1056) </p><p>
torbutton/en/design/index.html.en 1057) This setting helps to satisfy the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> and <a class="link" href="#location">Location Neutrality</a> requirements.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1058) </p></div><div class="sect3" title="Referer Spoofing Options"><div class="titlepage"><div><div><h4 class="title"><a id="id2706446"></a>Referer Spoofing Options</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.refererspoof</strong></span>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1059) </p><p>
torbutton/en/design/index.html.en 1060) This option variable has three values. If it is 0, "smart" referer spoofing is
torbutton/en/design/index.html.en 1061) enabled. If it is 1, the referer behaves as normal. If it is 2, no referer is
torbutton/en/design/index.html.en 1062) sent. The default value is 1. The smart referer spoofing is implemented by the
torbutton/en/design/index.html.en 1063) <a class="link" href="#refspoofer" title="@torproject.org/torRefSpoofer;1">torRefSpoofer</a> component.
torbutton/en/design/index.html.en 1064)
torbutton/en/design/index.html.en 1065) </p><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1066) This setting also does not directly satisfy any Torbutton requirement, but
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1067) some may desire to mask their referer for general privacy concerns.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1068) </p></div><div class="sect3" title="Strip platform and language off of Google Search Box queries"><div class="titlepage"><div><div><h4 class="title"><a id="id2706480"></a>Strip platform and language off of Google Search Box queries</h4></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.fix_google_srch</strong></span>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1069) </p><p>
torbutton/en/design/index.html.en 1070)
torbutton/en/design/index.html.en 1071) This option causes Torbutton to use the <a class="ulink" href="https://wiki.mozilla.org/Search_Service:API" target="_top">@mozilla.org/browser/search-service;1</a>
torbutton/en/design/index.html.en 1072) component to wrap the Google search plugin. On many platforms, notably Debian
torbutton/en/design/index.html.en 1073) and Ubuntu, the Google search plugin is set to reveal a lot of language and
torbutton/en/design/index.html.en 1074) platform information. This setting strips off that info while Tor is enabled.
torbutton/en/design/index.html.en 1075)
torbutton/en/design/index.html.en 1076) </p><p>
torbutton/en/design/index.html.en 1077) This setting helps Torbutton to fulfill its <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirement.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1078) </p></div><div class="sect3" title="Automatically use an alternate search engine when presented with a Google Captcha"><div class="titlepage"><div><div><h4 class="title"><a id="id2706521"></a>Automatically use an alternate search engine when presented with a
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1079) Google Captcha</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1080) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.asked_google_captcha</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.dodge_google_captcha</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.google_redir_url</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 1081) </p><p>
torbutton/en/design/index.html.en 1082)
torbutton/en/design/index.html.en 1083) Google's search engine has rate limiting features that cause it to
torbutton/en/design/index.html.en 1084) <a class="ulink" href="http://googleonlinesecurity.blogspot.com/2007/07/reason-behind-were-sorry-message.html" target="_top">present
torbutton/en/design/index.html.en 1085) captchas</a> and sometimes even outright ban IPs that issue large numbers
torbutton/en/design/index.html.en 1086) of search queries, especially if a lot of these queries appear to be searching
torbutton/en/design/index.html.en 1087) for software vulnerabilities or unprotected comment areas.
torbutton/en/design/index.html.en 1088)
torbutton/en/design/index.html.en 1089) </p><p>
torbutton/en/design/index.html.en 1090)
torbutton/en/design/index.html.en 1091) Despite multiple discussions with Google, we were unable to come to a solution
torbutton/en/design/index.html.en 1092) or any form of compromise that would reduce the number of captchas and
torbutton/en/design/index.html.en 1093) outright bans seen by Tor users issuing regular queries.
torbutton/en/design/index.html.en 1094)
torbutton/en/design/index.html.en 1095) </p><p>
torbutton/en/design/index.html.en 1096) As a result, we've implemented this option as an <a class="ulink" href="https://developer.mozilla.org/en/XUL_School/Intercepting_Page_Loads#HTTP_Observers" target="_top">'http-on-modify-request'</a>
torbutton/en/design/index.html.en 1097) http observer to optionally redirect banned or captcha-triggering Google
torbutton/en/design/index.html.en 1098) queries to search engines that do not rate limit Tor users. The current
|
Update FF bugs in design do...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1099) options are duckduckgo.com, ixquick.com, bing.com, yahoo.com and scroogle.org. These are
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1100) encoded in the preferences
|
Update FF bugs in design do...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1101) <span class="command"><strong>extensions.torbutton.redir_url.[1-5]</strong></span>.
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1102)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1103) </p></div><div class="sect3" title="Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)"><div class="titlepage"><div><div><h4 class="title"><a id="id2706601"></a>Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)</h4></div></div></div><p>Options:
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1104) </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.jar_certs</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.jar_ca_certs</strong></span></td></tr></table><p>
torbutton/en/design/index.html.en 1105) </p><p>
torbutton/en/design/index.html.en 1106)
torbutton/en/design/index.html.en 1107) These settings govern if Torbutton attempts to isolate the user's SSL
torbutton/en/design/index.html.en 1108) certificates into separate jars for each Tor state. This isolation is
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1109) implemented in <code class="function">torbutton_jar_certs()</code> in <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/chrome/content/torbutton.js" target="_top">chrome/content/torbutton.js</a>,
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1110) which calls <code class="function">torbutton_jar_cert_type()</code> and
torbutton/en/design/index.html.en 1111) <code class="function">torbutton_unjar_cert_type()</code> for each certificate type in
torbutton/en/design/index.html.en 1112) the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/nsscertcache;1" target="_top">@mozilla.org/security/nsscertcache;1</a>.
torbutton/en/design/index.html.en 1113) Certificates are deleted from and imported to the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/x509certdb;1" target="_top">@mozilla.org/security/x509certdb;1</a>.
torbutton/en/design/index.html.en 1114) </p><p>
torbutton/en/design/index.html.en 1115) The first time this pref is used, a backup of the user's certificates is
torbutton/en/design/index.html.en 1116) created in their profile directory under the name
torbutton/en/design/index.html.en 1117) <code class="filename">cert8.db.bak</code>. This file can be copied back to
torbutton/en/design/index.html.en 1118) <code class="filename">cert8.db</code> to fully restore the original state of the
torbutton/en/design/index.html.en 1119) user's certificates in the event of any error.
torbutton/en/design/index.html.en 1120) </p><p>
torbutton/en/design/index.html.en 1121) Since exit nodes and malicious sites can insert content elements sourced to
torbutton/en/design/index.html.en 1122) specific SSL sites to query if a user has a certain certificate,
torbutton/en/design/index.html.en 1123) this setting helps to satisfy the <a class="link" href="#state">State
torbutton/en/design/index.html.en 1124) Separation</a> requirement of Torbutton. Unfortunately, <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435159" target="_top">Firefox Bug
torbutton/en/design/index.html.en 1125) 435159</a> prevents it from functioning correctly in the event of rapid Tor toggle, so it
torbutton/en/design/index.html.en 1126) is currently not exposed via the preferences UI.
torbutton/en/design/index.html.en 1127)
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1128) </p></div></div></div><div class="sect1" title="6. Relevant Firefox Bugs"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="FirefoxBugs"></a>6. Relevant Firefox Bugs</h2></div></div></div><p>
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1129) Future releases of Torbutton are going to be designed around supporting only
torbutton/en/design/index.html.en 1130) <a class="ulink" href="https://www.torproject.org/projects/torbrowser.html.en" target="_top">Tor
torbutton/en/design/index.html.en 1131) Browser Bundle</a>, which greatly simplifies the number and nature of Firefox
torbutton/en/design/index.html.en 1132) bugs we must fix. This allows us to abandon the complexities of <a class="link" href="#state">State
torbutton/en/design/index.html.en 1133) Separation</a> and <a class="link" href="#isolation">Network Isolation</a> requirements
torbutton/en/design/index.html.en 1134) associated with the Toggle Model.
torbutton/en/design/index.html.en 1135) </p><div class="sect2" title="6.1. Tor Browser Bugs"><div class="titlepage"><div><div><h3 class="title"><a id="TorBrowserBugs"></a>6.1. Tor Browser Bugs</h3></div></div></div><p>
torbutton/en/design/index.html.en 1136) The list of Firefox patches we must create to improve privacy on the
torbutton/en/design/index.html.en 1137) Tor Browser Bundle are collected in the Tor Bug Tracker under <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2871" target="_top">ticket
torbutton/en/design/index.html.en 1138) #2871</a>. These bugs are also applicable to the Toggle Model, and
torbutton/en/design/index.html.en 1139) should be considered higher priority than all Toggle Model specific bugs
torbutton/en/design/index.html.en 1140) below.
torbutton/en/design/index.html.en 1141) </p></div><div class="sect2" title="6.2. Toggle Model Bugs"><div class="titlepage"><div><div><h3 class="title"><a id="ToggleModelBugs"></a>6.2. Toggle Model Bugs</h3></div></div></div><p>
torbutton/en/design/index.html.en 1142) In addition to the Tor Browser bugs, the Torbutton Toggle Model suffers from
torbutton/en/design/index.html.en 1143) additional bugs specific to the need to isolate state across the toggle.
torbutton/en/design/index.html.en 1144) Toggle model bugs are considered a lower priority than the bugs against the
torbutton/en/design/index.html.en 1145) Tor Browser model.
torbutton/en/design/index.html.en 1146) </p><div class="sect3" title="Bugs impacting security"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxSecurity"></a>Bugs impacting security</h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1147)
torbutton/en/design/index.html.en 1148) Torbutton has to work around a number of Firefox bugs that impact its
torbutton/en/design/index.html.en 1149) security. Most of these are mentioned elsewhere in this document, but they
torbutton/en/design/index.html.en 1150) have also been gathered here for reference. In order of decreasing severity,
torbutton/en/design/index.html.en 1151) they are:
torbutton/en/design/index.html.en 1152)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1153) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435159" target="_top">Bug 435159 -
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1154) nsNSSCertificateDB::DeleteCertificate has race conditions</a><p>
torbutton/en/design/index.html.en 1155)
torbutton/en/design/index.html.en 1156) In Torbutton 1.2.0rc1, code was added to attempt to isolate SSL certificates
torbutton/en/design/index.html.en 1157) the user has installed. Unfortunately, the method call to delete a certificate
torbutton/en/design/index.html.en 1158) from the current certificate database acts lazily: it only sets a variable
torbutton/en/design/index.html.en 1159) that marks a cert for deletion later, and it is not cleared if that
torbutton/en/design/index.html.en 1160) certificate is re-added. This means that if the Tor state is toggled quickly,
torbutton/en/design/index.html.en 1161) that certificate could remain present until it is re-inserted (causing an
torbutton/en/design/index.html.en 1162) error dialog), and worse, it would still be deleted after that. The lack of
torbutton/en/design/index.html.en 1163) this functionality is considered a Torbutton security bug because cert
torbutton/en/design/index.html.en 1164) isolation is considered a <a class="link" href="#state">State Separation</a>
torbutton/en/design/index.html.en 1165) feature.
torbutton/en/design/index.html.en 1166)
|
Update design html.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1167) </p></li><li class="listitem">Give more visibility into and control over TLS
torbutton/en/design/index.html.en 1168) negotiation
torbutton/en/design/index.html.en 1169) <p>
torbutton/en/design/index.html.en 1170)
torbutton/en/design/index.html.en 1171) There are several <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2482" target="_top">TLS issues
torbutton/en/design/index.html.en 1172) impacting Torbutton security</a>. It is not clear if these should be one
torbutton/en/design/index.html.en 1173) Firefox bug or several, but in particular we need better control over various
torbutton/en/design/index.html.en 1174) aspects of TLS connections. Firefox currently provides no observer capable of
torbutton/en/design/index.html.en 1175) extracting TLS parameters or certificates early enough to cancel a TLS
torbutton/en/design/index.html.en 1176) request. We would like to be able to provide <a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a> users with
torbutton/en/design/index.html.en 1177) the ability to <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/HTTPSEverywhere/SSLObservatorySubmission" target="_top">have
torbutton/en/design/index.html.en 1178) their certificates audited</a> by a <a class="ulink" href="http://www.networknotary.org/" target="_top">Perspectives</a>-style set of
torbutton/en/design/index.html.en 1179) notaries. The problem with this is that the API observer points do not exist
torbutton/en/design/index.html.en 1180) for any Firefox addon to actually block authentication token submission over a
torbutton/en/design/index.html.en 1181) TLS channel, so every addon to date (including Perspectives) is actually
torbutton/en/design/index.html.en 1182) providing users with notification *after* their authentication tokens have
torbutton/en/design/index.html.en 1183) already been compromised. This obviously needs to be fixed.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1184) </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=122752" target="_top">Bug 122752 - SOCKS
|
Update FF bugs in design do...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1185) Username/Password Support</a><p>
torbutton/en/design/index.html.en 1186) We need <a class="ulink" href="https://developer.mozilla.org/en/nsIProxyInfo" target="_top">Firefox
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1187) APIs</a> or about:config settings to control the SOCKS Username and
|
Update FF bugs in design do...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1188) Password fields. The reason why we need this support is to utilize an (as yet
torbutton/en/design/index.html.en 1189) unimplemented) scheme to separate Tor traffic based <a class="ulink" href="https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/171-separate-streams.txt" target="_top">on
torbutton/en/design/index.html.en 1190) SOCKS username/password</a>.
torbutton/en/design/index.html.en 1191) </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Bug 409737 -
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1192) javascript.enabled and docShell.allowJavascript do not disable all event
torbutton/en/design/index.html.en 1193) handlers</a><p>
torbutton/en/design/index.html.en 1194)
torbutton/en/design/index.html.en 1195) This bug allows pages to execute javascript via addEventListener and perhaps
torbutton/en/design/index.html.en 1196) other callbacks. In order to prevent this bug from enabling an attacker to
torbutton/en/design/index.html.en 1197) break the <a class="link" href="#isolation">Network Isolation</a> requirement,
torbutton/en/design/index.html.en 1198) Torbutton 1.1.13 began blocking popups and history manipulation from different
torbutton/en/design/index.html.en 1199) Tor states. So long as there are no ways to open popups or redirect the user
torbutton/en/design/index.html.en 1200) to a new page, the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">Torbutton content
torbutton/en/design/index.html.en 1201) policy</a> should block Javascript network access. However, if there are
torbutton/en/design/index.html.en 1202) ways to open popups or perform redirects such that Torbutton cannot block
torbutton/en/design/index.html.en 1203) them, pages may still have free reign to break that requirement and reveal a
torbutton/en/design/index.html.en 1204) user's original IP address.
torbutton/en/design/index.html.en 1205)
torbutton/en/design/index.html.en 1206) </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=448743" target="_top">Bug 448743 -
torbutton/en/design/index.html.en 1207) Decouple general.useragent.locale from spoofing of navigator.language</a><p>
torbutton/en/design/index.html.en 1208)
torbutton/en/design/index.html.en 1209) Currently, Torbutton spoofs the <span class="command"><strong>navigator.language</strong></span>
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1210) attribute via <a class="link" href="#jshooks" title="Hook Dangerous Javascript">Javascript hooks</a>. Unfortunately,
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1211) these do not work on Firefox 3. It would be ideal to have
torbutton/en/design/index.html.en 1212) a pref to set this value (something like a
torbutton/en/design/index.html.en 1213) <span class="command"><strong>general.useragent.override.locale</strong></span>),
torbutton/en/design/index.html.en 1214) to avoid fragmenting the anonymity set of users of foreign locales. This issue
torbutton/en/design/index.html.en 1215) impedes Torbutton from fully meeting its <a class="link" href="#setpreservation">Anonymity Set Preservation</a>
torbutton/en/design/index.html.en 1216) requirement on Firefox 3.
torbutton/en/design/index.html.en 1217)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1218) </p></li></ol></div></div><div class="sect3" title="Bugs blocking functionality"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxWishlist"></a>Bugs blocking functionality</h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1219) The following bugs impact Torbutton and similar extensions' functionality.
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1220) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=629820" target="_top">Bug 629820 - nsIContentPolicy::shouldLoad not
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1221) called for web request in Firefox Mobile</a><p>
torbutton/en/design/index.html.en 1222)
torbutton/en/design/index.html.en 1223) The new <a class="ulink" href="https://wiki.mozilla.org/Mobile/Fennec/Extensions/Electrolysis" target="_top">Electrolysis</a>
torbutton/en/design/index.html.en 1224) multiprocess system appears to have some pretty rough edge cases with respect
torbutton/en/design/index.html.en 1225) to registering XPCOM category managers such as the nsIContentPolicy, which
torbutton/en/design/index.html.en 1226) make it difficult to do a straight-forward port of Torbutton or
torbutton/en/design/index.html.en 1227) HTTPS-Everywhere to Firefox Mobile. It probably also has similar issues with
torbutton/en/design/index.html.en 1228) wrapping existing <a class="link" href="#hookedxpcom" title="2.1. Hooked Components">Firefox XPCOM components</a>,
torbutton/en/design/index.html.en 1229) which will also cause more problems for porting Torbutton.
torbutton/en/design/index.html.en 1230)
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1231) </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=417869" target="_top">Bug 417869 -
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1232) Browser context is difficult to obtain from many XPCOM callbacks</a><p>
torbutton/en/design/index.html.en 1233)
torbutton/en/design/index.html.en 1234) It is difficult to determine which tabbrowser many XPCOM callbacks originate
torbutton/en/design/index.html.en 1235) from, and in some cases absolutely no context information is provided at all.
torbutton/en/design/index.html.en 1236) While this doesn't have much of an effect on Torbutton, it does make writing
torbutton/en/design/index.html.en 1237) extensions that would like to do per-tab settings and content filters (such as
torbutton/en/design/index.html.en 1238) FoxyProxy) difficult to impossible to implement securely.
torbutton/en/design/index.html.en 1239)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1240) </p></li></ol></div></div><div class="sect3" title="Low Priority Bugs"><div class="titlepage"><div><div><h4 class="title"><a id="FirefoxMiscBugs"></a>Low Priority Bugs</h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1241) The following bugs have an effect upon Torbutton, but are superseded by more
torbutton/en/design/index.html.en 1242) practical and more easily fixable variant bugs above; or have stable, simple
torbutton/en/design/index.html.en 1243) workarounds.
|
Update Torbutton design doc.
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1244) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">Bug 440892 -
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1245) network.protocol-handler.warn-external are ignored</a><p>
torbutton/en/design/index.html.en 1246)
torbutton/en/design/index.html.en 1247) Sometime in the Firefox 3 development cycle, the preferences that governed
torbutton/en/design/index.html.en 1248) warning a user when external apps were launched got disconnected from the code
torbutton/en/design/index.html.en 1249) that does the launching. Torbutton depended on these prefs to prevent websites
torbutton/en/design/index.html.en 1250) from launching specially crafted documents and application arguments that
torbutton/en/design/index.html.en 1251) caused Proxy Bypass. We currently work around this issue by <a class="link" href="#appblocker" title="@mozilla.org/uriloader/external-protocol-service;1 , @mozilla.org/uriloader/external-helper-app-service;1, and @mozilla.org/mime;1 - components/external-app-blocker.js">wrapping the app launching components</a> to present a
torbutton/en/design/index.html.en 1252) popup before launching external apps while Tor is enabled. While this works,
torbutton/en/design/index.html.en 1253) it would be nice if these prefs were either fixed or removed.
torbutton/en/design/index.html.en 1254)
torbutton/en/design/index.html.en 1255) </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">Bug 437014 -
torbutton/en/design/index.html.en 1256) nsIContentPolicy::shouldLoad no longer called for favicons</a><p>
torbutton/en/design/index.html.en 1257)
torbutton/en/design/index.html.en 1258) Firefox 3.0 stopped calling the shouldLoad call of content policy for favicon
torbutton/en/design/index.html.en 1259) loads. Torbutton had relied on this call to block favicon loads for opposite
torbutton/en/design/index.html.en 1260) Tor states. The workaround it employs for Firefox 3 is to cancel the request
torbutton/en/design/index.html.en 1261) when it arrives in the <span class="command"><strong>torbutton_http_observer</strong></span> used for
torbutton/en/design/index.html.en 1262) blocking full page plugin loads. This seems to work just fine, but is a bit
torbutton/en/design/index.html.en 1263) dirty.
torbutton/en/design/index.html.en 1264)
torbutton/en/design/index.html.en 1265) </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=309524" target="_top">Bug 309524</a>
torbutton/en/design/index.html.en 1266) and <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380556" target="_top">Bug
torbutton/en/design/index.html.en 1267) 380556</a> - nsIContentPolicy::shouldProcess is not called.
torbutton/en/design/index.html.en 1268) <p>
torbutton/en/design/index.html.en 1269)
torbutton/en/design/index.html.en 1270) This is a call that would be useful to develop a better workaround for the
torbutton/en/design/index.html.en 1271) allowPlugins issue above. If the content policy were called before a URL was
torbutton/en/design/index.html.en 1272) handed over to a plugin or helper app, it would make the workaround for the
torbutton/en/design/index.html.en 1273) above allowPlugins bug a lot cleaner. Obviously this bug is not as severe as
torbutton/en/design/index.html.en 1274) the others though, but it might be nice to have this API as a backup.
torbutton/en/design/index.html.en 1275)
torbutton/en/design/index.html.en 1276) </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">Bug 401296 - docShell.allowPlugins
torbutton/en/design/index.html.en 1277) not honored for direct links</a> (Perhaps subset of <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=282106" target="_top">Bug 282106</a>?)
torbutton/en/design/index.html.en 1278) <p>
torbutton/en/design/index.html.en 1279)
torbutton/en/design/index.html.en 1280) Similar to the javascript plugin disabling attribute, the plugin disabling
torbutton/en/design/index.html.en 1281) attribute is also not perfect — it is ignored for direct links to plugin
torbutton/en/design/index.html.en 1282) handled content, as well as meta-refreshes to plugin handled content. This
torbutton/en/design/index.html.en 1283) requires Torbutton to listen to a number of different http events to intercept
torbutton/en/design/index.html.en 1284) plugin-related mime type URLs and cancel their requests. Again, since plugins
torbutton/en/design/index.html.en 1285) are quite horrible about obeying proxy settings, loading a plugin pretty much
torbutton/en/design/index.html.en 1286) ensures a way to break the <a class="link" href="#isolation">Network Isolation</a>
torbutton/en/design/index.html.en 1287) requirement and reveal a user's original IP address. Torbutton's code to
torbutton/en/design/index.html.en 1288) perform this workaround has been subverted at least once already by Kyle
torbutton/en/design/index.html.en 1289) Williams.
torbutton/en/design/index.html.en 1290)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1291) </p></li></ol></div></div></div></div><div class="sect1" title="7. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="TestPlan"></a>7. Testing</h2></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1292)
torbutton/en/design/index.html.en 1293) The purpose of this section is to cover all the known ways that Tor browser
torbutton/en/design/index.html.en 1294) security can be subverted from a penetration testing perspective. The hope
torbutton/en/design/index.html.en 1295) is that it will be useful both for creating a "Tor Safety Check"
torbutton/en/design/index.html.en 1296) page, and for developing novel tests and actively attacking Torbutton with the
torbutton/en/design/index.html.en 1297) goal of finding vulnerabilities in either it or the Mozilla components,
torbutton/en/design/index.html.en 1298) interfaces and settings upon which it relies.
torbutton/en/design/index.html.en 1299)
torbutton/en/design/index.html.en 1300) </p><div class="sect2" title="7.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>7.1. Single state testing</h3></div></div></div><p>
torbutton/en/design/index.html.en 1301)
torbutton/en/design/index.html.en 1302) Torbutton is a complicated piece of software. During development, changes to
torbutton/en/design/index.html.en 1303) one component can affect a whole slough of unrelated features. A number of
torbutton/en/design/index.html.en 1304) aggregated test suites exist that can be used to test for regressions in
torbutton/en/design/index.html.en 1305) Torbutton and to help aid in the development of Torbutton-like addons and
torbutton/en/design/index.html.en 1306) other privacy modifications of other browsers. Some of these test suites exist
torbutton/en/design/index.html.en 1307) as a single automated page, while others are a series of pages you must visit
torbutton/en/design/index.html.en 1308) individually. They are provided here for reference and future regression
torbutton/en/design/index.html.en 1309) testing, and also in the hope that some brave soul will one day decide to
torbutton/en/design/index.html.en 1310) combine them into a comprehensive automated test suite.
torbutton/en/design/index.html.en 1311)
torbutton/en/design/index.html.en 1312) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://decloak.net/" target="_top">Decloak.net</a><p>
torbutton/en/design/index.html.en 1313)
torbutton/en/design/index.html.en 1314) Decloak.net is the canonical source of plugin and external-application based
torbutton/en/design/index.html.en 1315) proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to
torbutton/en/design/index.html.en 1316) use to test their anonymity systems.
torbutton/en/design/index.html.en 1317)
torbutton/en/design/index.html.en 1318) </p></li><li class="listitem"><a class="ulink" href="https://www.jondos.de/en/anontest" target="_top">JonDos
torbutton/en/design/index.html.en 1319) AnonTest</a><p>
torbutton/en/design/index.html.en 1320)
torbutton/en/design/index.html.en 1321) The <a class="ulink" href="https://www.jondos.de" target="_top">JonDos people</a> also provide an
torbutton/en/design/index.html.en 1322) anonymity tester. It is more focused on HTTP headers than plugin bypass, and
torbutton/en/design/index.html.en 1323) points out a couple of headers Torbutton could do a better job with
torbutton/en/design/index.html.en 1324) obfuscating.
torbutton/en/design/index.html.en 1325)
torbutton/en/design/index.html.en 1326) </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p>
torbutton/en/design/index.html.en 1327)
torbutton/en/design/index.html.en 1328) Browserspy.dk provides a tremendous collection of browser fingerprinting and
torbutton/en/design/index.html.en 1329) general privacy tests. Unfortunately they are only available one page at a
torbutton/en/design/index.html.en 1330) time, and there is not really solid feedback on good vs bad behavior in
torbutton/en/design/index.html.en 1331) the test results.
torbutton/en/design/index.html.en 1332)
torbutton/en/design/index.html.en 1333) </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy
torbutton/en/design/index.html.en 1334) Analyzer</a><p>
torbutton/en/design/index.html.en 1335)
torbutton/en/design/index.html.en 1336) The Privacy Analyzer provides a dump of all sorts of browser attributes and
torbutton/en/design/index.html.en 1337) settings that it detects, including some information on your origin IP
torbutton/en/design/index.html.en 1338) address. Its page layout and lack of good vs bad test result feedback makes it
torbutton/en/design/index.html.en 1339) not as useful as a user-facing testing tool, but it does provide some
torbutton/en/design/index.html.en 1340) interesting checks in a single page.
torbutton/en/design/index.html.en 1341)
torbutton/en/design/index.html.en 1342) </p></li><li class="listitem"><a class="ulink" href="http://ha.ckers.org/mr-t/" target="_top">Mr. T</a><p>
torbutton/en/design/index.html.en 1343)
torbutton/en/design/index.html.en 1344) Mr. T is a collection of browser fingerprinting and deanonymization exploits
torbutton/en/design/index.html.en 1345) discovered by the <a class="ulink" href="http://ha.ckers.org" target="_top">ha.ckers.org</a> crew
torbutton/en/design/index.html.en 1346) and others. It is also not as user friendly as some of the above tests, but it
torbutton/en/design/index.html.en 1347) is a useful collection.
torbutton/en/design/index.html.en 1348)
torbutton/en/design/index.html.en 1349) </p></li><li class="listitem">Gregory Fleischer's <a class="ulink" href="http://pseudo-flaw.net/content/tor/torbutton/" target="_top">Torbutton</a> and
torbutton/en/design/index.html.en 1350) <a class="ulink" href="http://pseudo-flaw.net/content/defcon/dc-17-demos/d.html" target="_top">Defcon
torbutton/en/design/index.html.en 1351) 17</a> Test Cases
torbutton/en/design/index.html.en 1352) <p>
torbutton/en/design/index.html.en 1353)
torbutton/en/design/index.html.en 1354) Gregory Fleischer has been hacking and testing Firefox and Torbutton privacy
torbutton/en/design/index.html.en 1355) issues for the past 2 years. He has an excellent collection of all his test
torbutton/en/design/index.html.en 1356) cases that can be used for regression testing. In his Defcon work, he
torbutton/en/design/index.html.en 1357) demonstrates ways to infer Firefox version based on arcane browser properties.
torbutton/en/design/index.html.en 1358) We are still trying to determine the best way to address some of those test
torbutton/en/design/index.html.en 1359) cases.
torbutton/en/design/index.html.en 1360)
torbutton/en/design/index.html.en 1361) </p></li><li class="listitem"><a class="ulink" href="https://torcheck.xenobite.eu/index.php" target="_top">Xenobite's
torbutton/en/design/index.html.en 1362) TorCheck Page</a><p>
torbutton/en/design/index.html.en 1363)
torbutton/en/design/index.html.en 1364) This page checks to ensure you are using a valid Tor exit node and checks for
torbutton/en/design/index.html.en 1365) some basic browser properties related to privacy. It is not very fine-grained
torbutton/en/design/index.html.en 1366) or complete, but it is automated and could be turned into something useful
torbutton/en/design/index.html.en 1367) with a bit of work.
torbutton/en/design/index.html.en 1368)
torbutton/en/design/index.html.en 1369) </p></li></ol></div><p>
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1370) </p></div><div class="sect2" title="7.2. Multi-state testing"><div class="titlepage"><div><div><h3 class="title"><a id="id2707624"></a>7.2. Multi-state testing</h3></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1371)
torbutton/en/design/index.html.en 1372) The tests in this section are geared towards a page that would instruct the
torbutton/en/design/index.html.en 1373) user to toggle their Tor state after the fetch and perform some operations:
torbutton/en/design/index.html.en 1374) mouseovers, stray clicks, and potentially reloads.
torbutton/en/design/index.html.en 1375)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1376) </p><div class="sect3" title="Cookies and Cache Correlation"><div class="titlepage"><div><div><h4 class="title"><a id="id2707636"></a>Cookies and Cache Correlation</h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1377) The most obvious test is to set a cookie, ask the user to toggle tor, and then
torbutton/en/design/index.html.en 1378) have them reload the page. The cookie should no longer be set if they are
torbutton/en/design/index.html.en 1379) using the default Torbutton settings. In addition, it is possible to leverage
torbutton/en/design/index.html.en 1380) the cache to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
torbutton/en/design/index.html.en 1381) identifiers</a>. The default settings of Torbutton should also protect
torbutton/en/design/index.html.en 1382) against these from persisting across Tor Toggle.
torbutton/en/design/index.html.en 1383)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1384) </p></div><div class="sect3" title="Javascript timers and event handlers"><div class="titlepage"><div><div><h4 class="title"><a id="id2707658"></a>Javascript timers and event handlers</h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1385)
torbutton/en/design/index.html.en 1386) Javascript can set timers and register event handlers in the hopes of fetching
torbutton/en/design/index.html.en 1387) URLs after the user has toggled Torbutton.
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1388) </p></div><div class="sect3" title="CSS Popups and non-script Dynamic Content"><div class="titlepage"><div><div><h4 class="title"><a id="id2707671"></a>CSS Popups and non-script Dynamic Content</h4></div></div></div><p>
|
add in the torbutton design...
Andrew Lewman authored 13 years ago
|
torbutton/en/design/index.html.en 1389)
torbutton/en/design/index.html.en 1390) Even if Javascript is disabled, CSS is still able to
torbutton/en/design/index.html.en 1391) <a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">create popup-like
torbutton/en/design/index.html.en 1392) windows</a>
torbutton/en/design/index.html.en 1393) via the 'onmouseover' CSS attribute, which can cause arbitrary browser
torbutton/en/design/index.html.en 1394) activity as soon as the mouse enters into the content window. It is also
torbutton/en/design/index.html.en 1395) possible for meta-refresh tags to set timers long enough to make it likely
torbutton/en/design/index.html.en 1396) that the user has toggled Tor before fetching content.
torbutton/en/design/index.html.en 1397)
torbutton/en/design/index.html.en 1398) </p></div></div><div class="sect2" title="7.3. Active testing (aka How to Hack Torbutton)"><div class="titlepage"><div><div><h3 class="title"><a id="HackTorbutton"></a>7.3. Active testing (aka How to Hack Torbutton)</h3></div></div></div><p>
torbutton/en/design/index.html.en 1399)
torbutton/en/design/index.html.en 1400) The idea behind active testing is to discover vulnerabilities in Torbutton to
torbutton/en/design/index.html.en 1401) bypass proxy settings, run script in an opposite Tor state, store unique
torbutton/en/design/index.html.en 1402) identifiers, leak location information, or otherwise violate <a class="link" href="#requirements" title="1.2. Torbutton Requirements">its requirements</a>. Torbutton has ventured out
torbutton/en/design/index.html.en 1403) into a strange and new security landscape. It depends on Firefox mechanisms
torbutton/en/design/index.html.en 1404) that haven't necessarily been audited for security, certainly not for the
torbutton/en/design/index.html.en 1405) threat model that Torbutton seeks to address. As such, it and the interfaces
torbutton/en/design/index.html.en 1406) it depends upon still need a 'trial by fire' typical of new technologies. This
torbutton/en/design/index.html.en 1407) section of the document was written with the intention of making that period
torbutton/en/design/index.html.en 1408) as fast as possible. Please help us get through this period by considering
torbutton/en/design/index.html.en 1409) these attacks, playing with them, and reporting what you find (and potentially
torbutton/en/design/index.html.en 1410) submitting the test cases back to be run in the standard batch of Torbutton
torbutton/en/design/index.html.en 1411) tests.
torbutton/en/design/index.html.en 1412)
|
Update design doc to reflec...
Mike Perry authored 13 years ago
|
torbutton/en/design/index.html.en 1413) </p><div class="sect3" title="Some suggested vectors to investigate"><div class="titlepage"><div><div><h4 class="title"><a id="id2707726"></a>Some suggested vectors to investigate</h4></div></div></div><p>
|