f344776616227f3e490969038aaaad991a464e1d
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    1) <?xml version="1.0" encoding="UTF-8"?>
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en       2) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 6th, 2015</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp53435264">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp55327360">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp55349120">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp55353648">5.3. Anonymous Verification</a></span></dt><dt><span class="sect2"><a href="#update-safety">5.4. Update Safety</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp55389664">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp53435264"></a>1. Introduction</h2></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    3) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en       4) This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en       5) <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a>  of the Tor Browser. It is current as of Tor Browser
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en       6) 4.5.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en    7) 
projects/en/torbrowser/design/index.html.en    8)   </p><p>
projects/en/torbrowser/design/index.html.en    9) 
projects/en/torbrowser/design/index.html.en   10) This document is also meant to serve as a set of design requirements and to
projects/en/torbrowser/design/index.html.en   11) describe a reference implementation of a Private Browsing Mode that defends
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      12) against active network adversaries, in addition to the passive forensic local
projects/torbrowser/design/index.html.en      13) adversary currently addressed by the major browsers.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   14) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en      15)   </p><p>
projects/torbrowser/design/index.html.en      16) 
projects/torbrowser/design/index.html.en      17) For more practical information regarding Tor Browser development, please
projects/torbrowser/design/index.html.en      18) consult the <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking" target="_top">Tor
projects/torbrowser/design/index.html.en      19) Browser Hacking Guide</a>.
projects/torbrowser/design/index.html.en      20) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      21)   </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="components"></a>1.1. Browser Component Overview</h3></div></div></div><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      22) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      23) The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/" target="_top">Mozilla's Extended
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      24) Support Release (ESR) Firefox branch</a>. We have a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git" target="_top">series of patches</a>
projects/torbrowser/design/index.html.en      25) against this browser to enhance privacy and security. Browser behavior is
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en      26) additionally augmented through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/" target="_top">Torbutton
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      27) extension</a>, though we are in the process of moving this functionality
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en      28) into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-31.6.0esr-4.5-1" target="_top">change
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      29) a number of Firefox preferences</a> from their defaults.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      30) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      31)    </p><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      32) Tor process management and configuration is accomplished through the <a class="ulink" href="https://gitweb.torproject.org/tor-launcher.git" target="_top">Tor Launcher</a>
projects/torbrowser/design/index.html.en      33) addon, which provides the initial Tor configuration splash screen and
projects/torbrowser/design/index.html.en      34) bootstrap progress bar. Tor Launcher is also compatible with Thunderbird,
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      35) Instantbird, and XULRunner.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      36) 
projects/torbrowser/design/index.html.en      37)    </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   38) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      39) To help protect against potential Tor Exit Node eavesdroppers, we include
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      40) <a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a>. To
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      41) provide users with optional defense-in-depth against Javascript and other
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en      42) potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/" target="_top">NoScript</a>. We also modify <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js" target="_top">several
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      43) extension preferences</a> from their defaults.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   44) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      45)    </p><p>
projects/torbrowser/design/index.html.en      46) 
projects/torbrowser/design/index.html.en      47) To provide censorship circumvention in areas where the public Tor network is
projects/torbrowser/design/index.html.en      48) blocked either by IP, or by protocol fingerprint, we include several <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports" target="_top">Pluggable
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en      49) Transports</a> in the distribution. As of this writing, we include <a class="ulink" href="https://gitweb.torproject.org/pluggable-transports/obfs4.git" target="_top">Obfs4proxy</a>,
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      50) <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/meek" target="_top">meek</a>,
projects/torbrowser/design/index.html.en      51) <a class="ulink" href="https://fteproxy.org/" target="_top">FTE</a>, and <a class="ulink" href="https://crypto.stanford.edu/flashproxy/" target="_top">FlashProxy</a>.
projects/torbrowser/design/index.html.en      52) 
projects/torbrowser/design/index.html.en      53)    </p></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   54) 
projects/en/torbrowser/design/index.html.en   55) The Tor Browser Design Requirements are meant to describe the properties of a
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      56) Private Browsing Mode that defends against both network and local forensic
projects/torbrowser/design/index.html.en      57) adversaries. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   58) 
projects/en/torbrowser/design/index.html.en   59)   </p><p>
projects/en/torbrowser/design/index.html.en   60) 
projects/en/torbrowser/design/index.html.en   61) There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      62) minimum properties in order for a browser to be able to support Tor and
projects/torbrowser/design/index.html.en      63) similar privacy proxies safely. Privacy requirements are the set of properties
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en      64) that cause us to prefer one browser over another. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   65) 
projects/en/torbrowser/design/index.html.en   66)   </p><p>
projects/en/torbrowser/design/index.html.en   67) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      68) While we will endorse the use of browsers that meet the security requirements,
projects/torbrowser/design/index.html.en      69) it is primarily the privacy requirements that cause us to maintain our own
projects/torbrowser/design/index.html.en      70) browser distribution.
projects/torbrowser/design/index.html.en      71) 
projects/torbrowser/design/index.html.en      72)   </p><p>
projects/torbrowser/design/index.html.en      73) 
projects/torbrowser/design/index.html.en      74)       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
projects/torbrowser/design/index.html.en      75)       NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
projects/torbrowser/design/index.html.en      76)       "OPTIONAL" in this document are to be interpreted as described in
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      77)       <a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   78) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      79)   </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   80) 
projects/en/torbrowser/design/index.html.en   81) The security requirements are primarily concerned with ensuring the safe use
projects/en/torbrowser/design/index.html.en   82) of Tor. Violations in these properties typically result in serious risk for
Mike Perry Add a couple extra sentence...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      83) the user in terms of immediate deanonymization and/or observability. With
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en      84) respect to browser support, security requirements are the minimum properties
projects/torbrowser/design/index.html.en      85) in order for Tor to support the use of a particular browser.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en   86) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      87)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      88) Obedience</strong></span></a><p>The browser
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      89) MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="4.2. State Separation"><span class="command"><strong>State
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      90) Separation</strong></span></a><p>
projects/torbrowser/design/index.html.en      91) 
projects/torbrowser/design/index.html.en      92) The browser MUST NOT provide the content window with any state from any other
projects/torbrowser/design/index.html.en      93) browsers or any non-Tor browsing modes. This includes shared state from
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en      94) independent plugins, and shared state from operating system implementations of
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      95) TLS and other support libraries.
projects/torbrowser/design/index.html.en      96) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en      97) </p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance"><span class="command"><strong>Disk
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      98) Avoidance</strong></span></a><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en      99) 
projects/torbrowser/design/index.html.en     100) The browser MUST NOT write any information that is derived from or that
projects/torbrowser/design/index.html.en     101) reveals browsing activity to the disk, or store it in memory beyond the
projects/torbrowser/design/index.html.en     102) duration of one browsing session, unless the user has explicitly opted to
projects/torbrowser/design/index.html.en     103) store their browsing history information to disk.
projects/torbrowser/design/index.html.en     104) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     105) </p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="4.4. Application Data Isolation"><span class="command"><strong>Application Data
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     106) Isolation</strong></span></a><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     107) 
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     108) The components involved in providing private browsing MUST be self-contained,
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     109) or MUST provide a mechanism for rapid, complete removal of all evidence of the
projects/torbrowser/design/index.html.en     110) use of the mode. In other words, the browser MUST NOT write or cause the
projects/torbrowser/design/index.html.en     111) operating system to write <span class="emphasis"><em>any information</em></span> about the use
projects/torbrowser/design/index.html.en     112) of private browsing to disk outside of the application's control. The user
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     113) must be able to ensure that secure deletion of the software is sufficient to
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     114) remove evidence of the use of the software. All exceptions and shortcomings
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     115) due to operating system behavior MUST be wiped by an uninstaller. However, due
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     116) to permissions issues with access to swap, implementations MAY choose to leave
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     117) it out of scope, and/or leave it to the operating system/platform to implement
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     118) ephemeral-keyed encrypted swap.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  119) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     120) </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  121) 
projects/en/torbrowser/design/index.html.en  122) The privacy requirements are primarily concerned with reducing linkability:
Mike Perry Add a couple extra sentence...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     123) the ability for a user's activity on one site to be linked with their activity
projects/torbrowser/design/index.html.en     124) on another site without their knowledge or explicit consent. With respect to
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     125) browser support, privacy requirements are the set of properties that cause us
projects/torbrowser/design/index.html.en     126) to prefer one browser over another. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  127) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     128)    </p><p>
projects/torbrowser/design/index.html.en     129) 
projects/torbrowser/design/index.html.en     130) For the purposes of the unlinkability requirements of this section as well as
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     131) the descriptions in the <a class="link" href="#Implementation" title="4. Implementation">implementation
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     132) section</a>, a <span class="command"><strong>URL bar origin</strong></span> means at least the
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     133) second-level DNS name.  For example, for mail.google.com, the origin would be
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     134) google.com. Implementations MAY, at their option, restrict the URL bar origin
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     135) to be the entire fully qualified domain name.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     136) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     137)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     138) Identifier Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  139) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     140) User activity on one URL bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en     141) any other URL bar origin by any third party automatically or without user
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     142) interaction or approval. This requirement specifically applies to linkability
projects/torbrowser/design/index.html.en     143) from stored browser identifiers, authentication tokens, and shared state. The
projects/torbrowser/design/index.html.en     144) requirement does not apply to linkable information the user manually submits
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     145) to sites, or due to information submitted during manual link traversal. This
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     146) functionality SHOULD NOT interfere with interactive, click-driven federated
projects/torbrowser/design/index.html.en     147) login in a substantial way.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  148) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     149)   </p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     150) Fingerprinting Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  151) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     152) User activity on one URL bar origin MUST NOT be linkable to their activity in
projects/torbrowser/design/index.html.en     153) any other URL bar origin by any third party. This property specifically applies to
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  154) linkability from fingerprinting browser behavior.
projects/en/torbrowser/design/index.html.en  155) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     156)   </p></li><li class="listitem"><a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><span class="command"><strong>Long-Term
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     157) Unlinkability</strong></span></a><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  158) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     159) The browser MUST provide an obvious, easy way for the user to remove all of
projects/torbrowser/design/index.html.en     160) its authentication tokens and browser state and obtain a fresh identity.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     161) Additionally, the browser SHOULD clear linkable state by default automatically
projects/torbrowser/design/index.html.en     162) upon browser restart, except at user option.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  163) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     164)   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  165) 
projects/en/torbrowser/design/index.html.en  166) In addition to the above design requirements, the technology decisions about
projects/en/torbrowser/design/index.html.en  167) Tor Browser are also guided by some philosophical positions about technology.
projects/en/torbrowser/design/index.html.en  168) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     169)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  170) 
projects/en/torbrowser/design/index.html.en  171) The existing way that the user expects to use a browser must be preserved. If
projects/en/torbrowser/design/index.html.en  172) the user has to maintain a different mental model of how the sites they are
projects/en/torbrowser/design/index.html.en  173) using behave depending on tab, browser state, or anything else that would not
projects/en/torbrowser/design/index.html.en  174) normally be what they experience in their default browser, the user will
projects/en/torbrowser/design/index.html.en  175) inevitably be confused. They will make mistakes and reduce their privacy as a
projects/en/torbrowser/design/index.html.en  176) result. Worse, they may just stop using the browser, assuming it is broken.
projects/en/torbrowser/design/index.html.en  177) 
projects/en/torbrowser/design/index.html.en  178)       </p><p>
projects/en/torbrowser/design/index.html.en  179) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     180) User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  181) of Torbutton</a>: Even if users managed to install everything properly,
projects/en/torbrowser/design/index.html.en  182) the toggle model was too hard for the average user to understand, especially
projects/en/torbrowser/design/index.html.en  183) in the face of accumulating tabs from multiple states crossed with the current
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     184) Tor-state of the browser. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  185) 
projects/en/torbrowser/design/index.html.en  186)       </p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
projects/en/torbrowser/design/index.html.en  187) break sites</strong></span><p>
projects/en/torbrowser/design/index.html.en  188) 
projects/en/torbrowser/design/index.html.en  189) In general, we try to find solutions to privacy issues that will not induce
projects/en/torbrowser/design/index.html.en  190) site breakage, though this is not always possible.
projects/en/torbrowser/design/index.html.en  191) 
projects/en/torbrowser/design/index.html.en  192)       </p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>
projects/en/torbrowser/design/index.html.en  193) 
projects/en/torbrowser/design/index.html.en  194) Even if plugins always properly used the browser proxy settings (which none of
projects/en/torbrowser/design/index.html.en  195) them do) and could not be induced to bypass them (which all of them can), the
projects/en/torbrowser/design/index.html.en  196) activities of closed-source plugins are very difficult to audit and control.
projects/en/torbrowser/design/index.html.en  197) They can obtain and transmit all manner of system information to websites,
projects/en/torbrowser/design/index.html.en  198) often have their own identifier storage for tracking users, and also
projects/en/torbrowser/design/index.html.en  199) contribute to fingerprinting.
projects/en/torbrowser/design/index.html.en  200) 
projects/en/torbrowser/design/index.html.en  201)       </p><p>
projects/en/torbrowser/design/index.html.en  202) 
projects/en/torbrowser/design/index.html.en  203) Therefore, if plugins are to be enabled in private browsing modes, they must
projects/en/torbrowser/design/index.html.en  204) be restricted from running automatically on every page (via click-to-play
projects/en/torbrowser/design/index.html.en  205) placeholders), and/or be sandboxed to restrict the types of system calls they
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     206) can execute. If the user agent allows the user to craft an exemption to allow
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     207) a plugin to be used automatically, it must only apply to the top level URL bar
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     208) domain, and not to all sites, to reduce cross-origin fingerprinting
projects/torbrowser/design/index.html.en     209) linkability.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  210) 
projects/en/torbrowser/design/index.html.en  211)        </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
projects/en/torbrowser/design/index.html.en  212) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     213) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     214) failure of Torbutton</a> was the options panel. Each option
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  215) that detectably alters browser behavior can be used as a fingerprinting tool.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     216) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">should be
projects/torbrowser/design/index.html.en     217) disabled in the mode</a> except as an opt-in basis. We should not load
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     218) system-wide and/or operating system provided addons or plugins.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  219) 
projects/en/torbrowser/design/index.html.en  220)      </p><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     221) Instead of global browser privacy options, privacy decisions should be made
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     222) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     223) URL bar origin</a> to eliminate the possibility of linkability
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  224) between domains. For example, when a plugin object (or a Javascript access of
projects/en/torbrowser/design/index.html.en  225) window.plugins) is present in a page, the user should be given the choice of
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     226) allowing that plugin object for that URL bar origin only. The same
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     227) goes for exemptions to third party cookie policy, geolocation, and any other
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  228) privacy permissions.
projects/en/torbrowser/design/index.html.en  229)      </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     230) If the user has indicated they wish to record local history storage, these
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     231) permissions can be written to disk. Otherwise, they should remain memory-only. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  232)      </p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>
projects/en/torbrowser/design/index.html.en  233) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     234) Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
projects/torbrowser/design/index.html.en     235) Plus</a>, <a class="ulink" href="http://requestpolicy.com/" target="_top">Request Policy</a>,
projects/torbrowser/design/index.html.en     236) <a class="ulink" href="http://www.ghostery.com/about" target="_top">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  237) avoided. We believe that these addons do not add any real privacy to a proper
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     238) <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, and that development efforts
projects/torbrowser/design/index.html.en     239) should be focused on general solutions that prevent tracking by all
projects/torbrowser/design/index.html.en     240) third parties, rather than a list of specific URLs or hosts.
projects/torbrowser/design/index.html.en     241)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  242) Filter-based addons can also introduce strange breakage and cause usability
projects/en/torbrowser/design/index.html.en  243) nightmares, and will also fail to do their job if an adversary simply
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     244) registers a new domain or creates a new URL path. Worse still, the unique
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     245) filter sets that each user creates or installs will provide a wealth of
projects/torbrowser/design/index.html.en     246) fingerprinting targets.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  247)       </p><p>
projects/en/torbrowser/design/index.html.en  248) 
projects/en/torbrowser/design/index.html.en  249) As a general matter, we are also generally opposed to shipping an always-on Ad
projects/en/torbrowser/design/index.html.en  250) blocker with Tor Browser. We feel that this would damage our credibility in
projects/en/torbrowser/design/index.html.en  251) terms of demonstrating that we are providing privacy through a sound design
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     252) alone, as well as damage the acceptance of Tor users by sites that support
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  253) themselves through advertising revenue.
projects/en/torbrowser/design/index.html.en  254) 
projects/en/torbrowser/design/index.html.en  255)       </p><p>
projects/en/torbrowser/design/index.html.en  256) Users are free to install these addons if they wish, but doing
projects/en/torbrowser/design/index.html.en  257) so is not recommended, as it will alter the browser request fingerprint.
projects/en/torbrowser/design/index.html.en  258)       </p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
projects/en/torbrowser/design/index.html.en  259) We believe that if we do not stay current with the support of new web
projects/en/torbrowser/design/index.html.en  260) technologies, we cannot hope to substantially influence or be involved in
projects/en/torbrowser/design/index.html.en  261) their proper deployment or privacy realization. However, we will likely disable
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     262) high-risk features pending analysis, audit, and mitigation.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     263)       </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="adversary"></a>3. Adversary Model</h2></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     264) 
projects/torbrowser/design/index.html.en     265) A Tor web browser adversary has a number of goals, capabilities, and attack
projects/torbrowser/design/index.html.en     266) types that can be used to illustrate the design requirements for the
projects/torbrowser/design/index.html.en     267) Tor Browser. Let's start with the goals.
projects/torbrowser/design/index.html.en     268) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     269)    </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-goals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     270) Tor, causing the user to directly connect to an IP of the adversary's
projects/torbrowser/design/index.html.en     271) choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
projects/torbrowser/design/index.html.en     272) happily settle for the ability to correlate something a user did via Tor with
projects/torbrowser/design/index.html.en     273) their non-Tor activity. This can be done with cookies, cache identifiers,
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     274) Javascript events, and even CSS. Sometimes the fact that a user uses Tor may
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     275) be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
projects/torbrowser/design/index.html.en     276) The adversary may also be interested in history disclosure: the ability to
projects/torbrowser/design/index.html.en     277) query a user's history to see if they have issued certain censored search
projects/torbrowser/design/index.html.en     278) queries, or visited censored sites.
projects/torbrowser/design/index.html.en     279)      </p></li><li class="listitem"><span class="command"><strong>Correlate activity across multiple sites</strong></span><p>
projects/torbrowser/design/index.html.en     280) 
projects/torbrowser/design/index.html.en     281) The primary goal of the advertising networks is to know that the user who
projects/torbrowser/design/index.html.en     282) visited siteX.com is the same user that visited siteY.com to serve them
projects/torbrowser/design/index.html.en     283) targeted ads. The advertising networks become our adversary insofar as they
projects/torbrowser/design/index.html.en     284) attempt to perform this correlation without the user's explicit consent.
projects/torbrowser/design/index.html.en     285) 
projects/torbrowser/design/index.html.en     286)      </p></li><li class="listitem"><span class="command"><strong>Fingerprinting/anonymity set reduction</strong></span><p>
projects/torbrowser/design/index.html.en     287) 
projects/torbrowser/design/index.html.en     288) Fingerprinting (more generally: "anonymity set reduction") is used to attempt
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     289) to gather identifying information on a particular individual without the use
projects/torbrowser/design/index.html.en     290) of tracking identifiers. If the dissident or whistleblower's timezone is
projects/torbrowser/design/index.html.en     291) available, and they are using a rare build of Firefox for an obscure operating
projects/torbrowser/design/index.html.en     292) system, and they have a specific display resolution only used on one type of
projects/torbrowser/design/index.html.en     293) laptop, this can be very useful information for tracking them down, or at
projects/torbrowser/design/index.html.en     294) least <a class="link" href="#fingerprinting">tracking their activities</a>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     295) 
projects/torbrowser/design/index.html.en     296)      </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
projects/torbrowser/design/index.html.en     297) information</strong></span><p>
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     298) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     299) In some cases, the adversary may opt for a heavy-handed approach, such as
projects/torbrowser/design/index.html.en     300) seizing the computers of all Tor users in an area (especially after narrowing
projects/torbrowser/design/index.html.en     301) the field by the above two pieces of information). History records and cache
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     302) data are the primary goals here. Secondary goals may include confirming
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     303) on-disk identifiers (such as hostname and disk-logged spoofed MAC address
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     304) history) obtained by other means.
projects/torbrowser/design/index.html.en     305) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     306)      </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-positioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     307) The adversary can position themselves at a number of different locations in
projects/torbrowser/design/index.html.en     308) order to execute their attacks.
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     309)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     310) The adversary can run exit nodes, or alternatively, they may control routers
projects/torbrowser/design/index.html.en     311) upstream of exit nodes. Both of these scenarios have been observed in the
projects/torbrowser/design/index.html.en     312) wild.
projects/torbrowser/design/index.html.en     313)      </p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
projects/torbrowser/design/index.html.en     314) The adversary can also run websites, or more likely, they can contract out
projects/torbrowser/design/index.html.en     315) ad space from a number of different ad servers and inject content that way. For
projects/torbrowser/design/index.html.en     316) some users, the adversary may be the ad servers themselves. It is not
projects/torbrowser/design/index.html.en     317) inconceivable that ad servers may try to subvert or reduce a user's anonymity 
projects/torbrowser/design/index.html.en     318) through Tor for marketing purposes.
projects/torbrowser/design/index.html.en     319)      </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
projects/torbrowser/design/index.html.en     320) The adversary can also inject malicious content at the user's upstream router
projects/torbrowser/design/index.html.en     321) when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
projects/torbrowser/design/index.html.en     322) activity.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     323)      </p><p>
projects/torbrowser/design/index.html.en     324) 
projects/torbrowser/design/index.html.en     325) Additionally, at this position the adversary can block Tor, or attempt to
projects/torbrowser/design/index.html.en     326) recognize the traffic patterns of specific web pages at the entrance to the Tor
projects/torbrowser/design/index.html.en     327) network. 
projects/torbrowser/design/index.html.en     328) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     329)      </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
projects/torbrowser/design/index.html.en     330) Some users face adversaries with intermittent or constant physical access.
projects/torbrowser/design/index.html.en     331) Users in Internet cafes, for example, face such a threat. In addition, in
projects/torbrowser/design/index.html.en     332) countries where simply using tools like Tor is illegal, users may face
projects/torbrowser/design/index.html.en     333) confiscation of their computer equipment for excessive Tor usage or just
projects/torbrowser/design/index.html.en     334) general suspicion.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     335)      </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"></a>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     336) 
projects/torbrowser/design/index.html.en     337) The adversary can perform the following attacks from a number of different 
projects/torbrowser/design/index.html.en     338) positions to accomplish various aspects of their goals. It should be noted
projects/torbrowser/design/index.html.en     339) that many of these attacks (especially those involving IP address leakage) are
projects/torbrowser/design/index.html.en     340) often performed by accident by websites that simply have Javascript, dynamic 
projects/torbrowser/design/index.html.en     341) CSS elements, and plugins. Others are performed by ad servers seeking to
projects/torbrowser/design/index.html.en     342) correlate users' activity across different IP addresses, and still others are
projects/torbrowser/design/index.html.en     343) performed by malicious agents on the Tor network and at national firewalls.
projects/torbrowser/design/index.html.en     344) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     345)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     346) 
projects/torbrowser/design/index.html.en     347) The browser contains multiple facilities for storing identifiers that the
projects/torbrowser/design/index.html.en     348) adversary creates for the purposes of tracking users. These identifiers are
projects/torbrowser/design/index.html.en     349) most obviously cookies, but also include HTTP auth, DOM storage, cached
projects/torbrowser/design/index.html.en     350) scripts and other elements with embedded identifiers, client certificates, and
projects/torbrowser/design/index.html.en     351) even TLS Session IDs.
projects/torbrowser/design/index.html.en     352) 
projects/torbrowser/design/index.html.en     353)      </p><p>
projects/torbrowser/design/index.html.en     354) 
projects/torbrowser/design/index.html.en     355) An adversary in a position to perform MITM content alteration can inject
projects/torbrowser/design/index.html.en     356) document content elements to both read and inject cookies for arbitrary
projects/torbrowser/design/index.html.en     357) domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     358) <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     359) sidejacking</a>. In addition, the ad networks of course perform tracking
projects/torbrowser/design/index.html.en     360) with cookies as well.
projects/torbrowser/design/index.html.en     361) 
projects/torbrowser/design/index.html.en     362)      </p><p>
projects/torbrowser/design/index.html.en     363) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     364) These types of attacks are attempts at subverting our <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     365) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     366)      </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     367) attributes</strong></span><p>
projects/torbrowser/design/index.html.en     368) 
projects/torbrowser/design/index.html.en     369) There is an absurd amount of information available to websites via attributes
projects/torbrowser/design/index.html.en     370) of the browser. This information can be used to reduce anonymity set, or even
projects/torbrowser/design/index.html.en     371) uniquely fingerprint individual users. Attacks of this nature are typically
projects/torbrowser/design/index.html.en     372) aimed at tracking users across sites without their consent, in an attempt to
projects/torbrowser/design/index.html.en     373) subvert our <a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability">Cross-Origin
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     374) Fingerprinting Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     375) 
projects/torbrowser/design/index.html.en     376) </p><p>
projects/torbrowser/design/index.html.en     377) 
projects/torbrowser/design/index.html.en     378) Fingerprinting is an intimidating
projects/torbrowser/design/index.html.en     379) problem to attempt to tackle, especially without a metric to determine or at
projects/torbrowser/design/index.html.en     380) least intuitively understand and estimate which features will most contribute
projects/torbrowser/design/index.html.en     381) to linkability between visits.
projects/torbrowser/design/index.html.en     382) 
projects/torbrowser/design/index.html.en     383) </p><p>
projects/torbrowser/design/index.html.en     384) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     385) The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study
projects/torbrowser/design/index.html.en     386) done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29" target="_top">Shannon
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     387) entropy</a> - the number of identifying bits of information encoded in
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     388) browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> is
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     389) definitely useful, and the metric is probably the appropriate one for
projects/torbrowser/design/index.html.en     390) determining how identifying a particular browser property is. However, some
projects/torbrowser/design/index.html.en     391) quirks of their study means that they do not extract as much information as
projects/torbrowser/design/index.html.en     392) they could from display information: they only use desktop resolution and do
projects/torbrowser/design/index.html.en     393) not attempt to infer the size of toolbars. In the other direction, they may be
projects/torbrowser/design/index.html.en     394) over-counting in some areas, as they did not compute joint entropy over
projects/torbrowser/design/index.html.en     395) multiple attributes that may exhibit a high degree of correlation. Also, new
projects/torbrowser/design/index.html.en     396) browser features are added regularly, so the data should not be taken as
projects/torbrowser/design/index.html.en     397) final.
projects/torbrowser/design/index.html.en     398) 
projects/torbrowser/design/index.html.en     399)       </p><p>
projects/torbrowser/design/index.html.en     400) 
projects/torbrowser/design/index.html.en     401) Despite the uncertainty, all fingerprinting attacks leverage the following
projects/torbrowser/design/index.html.en     402) attack vectors:
projects/torbrowser/design/index.html.en     403) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     404)      </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     405) 
projects/torbrowser/design/index.html.en     406) Properties of the user's request behavior comprise the bulk of low-hanging
projects/torbrowser/design/index.html.en     407) fingerprinting targets. These include: User agent, Accept-* headers, pipeline
projects/torbrowser/design/index.html.en     408) usage, and request ordering. Additionally, the use of custom filters such as
projects/torbrowser/design/index.html.en     409) AdBlock and other privacy filters can be used to fingerprint request patterns
projects/torbrowser/design/index.html.en     410) (as an extreme example).
projects/torbrowser/design/index.html.en     411) 
projects/torbrowser/design/index.html.en     412)      </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
projects/torbrowser/design/index.html.en     413) 
projects/torbrowser/design/index.html.en     414) Javascript can reveal a lot of fingerprinting information. It provides DOM
projects/torbrowser/design/index.html.en     415) objects such as window.screen and window.navigator to extract information
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     416) about the user agent. 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     417) 
projects/torbrowser/design/index.html.en     418) Also, Javascript can be used to query the user's timezone via the
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     419) <code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     420) reveal information about the video card in use, and high precision timing
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     421) information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     422) interpreter speed</a>. In the future, new JavaScript features such as
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     423) <a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/" target="_top">Resource
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     424) Timing</a> may leak an unknown amount of network timing related
projects/torbrowser/design/index.html.en     425) information.
projects/torbrowser/design/index.html.en     426) 
projects/torbrowser/design/index.html.en     427)      </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
projects/torbrowser/design/index.html.en     428) 
projects/torbrowser/design/index.html.en     429) The Panopticlick project found that the mere list of installed plugins (in
projects/torbrowser/design/index.html.en     430) navigator.plugins) was sufficient to provide a large degree of
projects/torbrowser/design/index.html.en     431) fingerprintability. Additionally, plugins are capable of extracting font lists,
projects/torbrowser/design/index.html.en     432) interface addresses, and other machine information that is beyond what the
projects/torbrowser/design/index.html.en     433) browser would normally provide to content. In addition, plugins can be used to
projects/torbrowser/design/index.html.en     434) store unique identifiers that are more difficult to clear than standard
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     435) cookies.  <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     436) cookies</a> fall into this category, but there are likely numerous other
projects/torbrowser/design/index.html.en     437) examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
projects/torbrowser/design/index.html.en     438) settings of the browser. 
projects/torbrowser/design/index.html.en     439) 
projects/torbrowser/design/index.html.en     440) 
projects/torbrowser/design/index.html.en     441)      </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
projects/torbrowser/design/index.html.en     442) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     443) <a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     444) queries</a> can be inserted to gather information about the desktop size,
projects/torbrowser/design/index.html.en     445) widget size, display type, DPI, user agent type, and other information that
projects/torbrowser/design/index.html.en     446) was formerly available only to Javascript.
projects/torbrowser/design/index.html.en     447) 
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     448)      </p></li></ol></div></li><li class="listitem"><a id="website-traffic-fingerprinting"></a><span class="command"><strong>Website traffic fingerprinting</strong></span><p>
projects/torbrowser/design/index.html.en     449) 
projects/torbrowser/design/index.html.en     450) Website traffic fingerprinting is an attempt by the adversary to recognize the
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     451) encrypted traffic patterns of specific websites. In the case of Tor, this
projects/torbrowser/design/index.html.en     452) attack would take place between the user and the Guard node, or at the Guard
projects/torbrowser/design/index.html.en     453) node itself.
projects/torbrowser/design/index.html.en     454)      </p><p> The most comprehensive study of the statistical properties of this
projects/torbrowser/design/index.html.en     455) attack against Tor was done by <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     456) et al</a>. Unfortunately, the publication bias in academia has encouraged
projects/torbrowser/design/index.html.en     457) the production of a number of follow-on attack papers claiming "improved"
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     458) success rates, in some cases even claiming to completely invalidate any
projects/torbrowser/design/index.html.en     459) attempt at defense. These "improvements" are actually enabled primarily by
projects/torbrowser/design/index.html.en     460) taking a number of shortcuts (such as classifying only very small numbers of
projects/torbrowser/design/index.html.en     461) web pages, neglecting to publish ROC curves or at least false positive rates,
projects/torbrowser/design/index.html.en     462) and/or omitting the effects of dataset size on their results). Despite these
projects/torbrowser/design/index.html.en     463) subsequent "improvements", we are skeptical of the efficacy of this attack in
projects/torbrowser/design/index.html.en     464) a real world scenario, <span class="emphasis"><em>especially</em></span> in the face of any
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     465) defenses.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     466) 
projects/torbrowser/design/index.html.en     467)      </p><p>
projects/torbrowser/design/index.html.en     468) 
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     469) In general, with machine learning, as you increase the <a class="ulink" href="https://en.wikipedia.org/wiki/VC_dimension" target="_top">number and/or complexity of
projects/torbrowser/design/index.html.en     470) categories to classify</a> while maintaining a limit on reliable feature
projects/torbrowser/design/index.html.en     471) information you can extract, you eventually run out of descriptive feature
projects/torbrowser/design/index.html.en     472) information, and either true positive accuracy goes down or the false positive
projects/torbrowser/design/index.html.en     473) rate goes up. This error is called the <a class="ulink" href="http://www.cs.washington.edu/education/courses/csep573/98sp/lectures/lecture8/sld050.htm" target="_top">bias
projects/torbrowser/design/index.html.en     474) in your hypothesis space</a>. In fact, even for unbiased hypothesis
projects/torbrowser/design/index.html.en     475) spaces, the number of training examples required to achieve a reasonable error
projects/torbrowser/design/index.html.en     476) bound is <a class="ulink" href="https://en.wikipedia.org/wiki/Probably_approximately_correct_learning#Equivalence" target="_top">a
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     477) function of the complexity of the categories</a> you need to classify.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     478) 
projects/torbrowser/design/index.html.en     479)      </p><p>
projects/torbrowser/design/index.html.en     480) 
projects/torbrowser/design/index.html.en     481) 
projects/torbrowser/design/index.html.en     482) In the case of this attack, the key factors that increase the classification
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     483) complexity (and thus hinder a real world adversary who attempts this attack)
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     484) are large numbers of dynamically generated pages, partially cached content,
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     485) and also the non-web activity of entire Tor network. This yields an effective
projects/torbrowser/design/index.html.en     486) number of "web pages" many orders of magnitude larger than even <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko's
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     487) "Open World" scenario</a>, which suffered continuous near-constant decline
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     488) in the true positive rate as the "Open World" size grew (see figure 4). This
projects/torbrowser/design/index.html.en     489) large level of classification complexity is further confounded by a noisy and
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     490) low resolution featureset - one which is also relatively easy for the defender
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     491) to manipulate at low cost.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     492) 
projects/torbrowser/design/index.html.en     493)      </p><p>
projects/torbrowser/design/index.html.en     494) 
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     495) To make matters worse for a real-world adversary, the ocean of Tor Internet
projects/torbrowser/design/index.html.en     496) activity (at least, when compared to a lab setting) makes it a certainty that
projects/torbrowser/design/index.html.en     497) an adversary attempting examine large amounts of Tor traffic will ultimately
projects/torbrowser/design/index.html.en     498) be overwhelmed by false positives (even after making heavy tradeoffs on the
projects/torbrowser/design/index.html.en     499) ROC curve to minimize false positives to below 0.01%). This problem is known
projects/torbrowser/design/index.html.en     500) in the IDS literature as the <a class="ulink" href="http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf" target="_top">Base Rate
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     501) Fallacy</a>, and it is the primary reason that anomaly and activity
projects/torbrowser/design/index.html.en     502) classification-based IDS and antivirus systems have failed to materialize in
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     503) the marketplace (despite early success in academic literature).
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     504) 
projects/torbrowser/design/index.html.en     505)      </p><p>
projects/torbrowser/design/index.html.en     506) 
projects/torbrowser/design/index.html.en     507) Still, we do not believe that these issues are enough to dismiss the attack
projects/torbrowser/design/index.html.en     508) outright. But we do believe these factors make it both worthwhile and
projects/torbrowser/design/index.html.en     509) effective to <a class="link" href="#traffic-fingerprinting-defenses">deploy
projects/torbrowser/design/index.html.en     510) light-weight defenses</a> that reduce the accuracy of this attack by
projects/torbrowser/design/index.html.en     511) further contributing noise to hinder successful feature extraction.
projects/torbrowser/design/index.html.en     512) 
projects/torbrowser/design/index.html.en     513)      </p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     514) OS</strong></span><p>
projects/torbrowser/design/index.html.en     515) 
projects/torbrowser/design/index.html.en     516) Last, but definitely not least, the adversary can exploit either general
projects/torbrowser/design/index.html.en     517) browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
projects/torbrowser/design/index.html.en     518) install malware and surveillance software. An adversary with physical access
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     519) can perform similar actions.
projects/torbrowser/design/index.html.en     520) 
projects/torbrowser/design/index.html.en     521)     </p><p>
projects/torbrowser/design/index.html.en     522) 
projects/torbrowser/design/index.html.en     523) For the purposes of the browser itself, we limit the scope of this adversary
projects/torbrowser/design/index.html.en     524) to one that has passive forensic access to the disk after browsing activity
projects/torbrowser/design/index.html.en     525) has taken place. This adversary motivates our 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     526) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> defenses.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     527) 
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     528)     </p><p>
projects/torbrowser/design/index.html.en     529) 
projects/torbrowser/design/index.html.en     530) An adversary with arbitrary code execution typically has more power, though.
projects/torbrowser/design/index.html.en     531) It can be quite hard to really significantly limit the capabilities of such an
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     532) adversary. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails system</a> can
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     533) provide some defense against this adversary through the use of readonly media
projects/torbrowser/design/index.html.en     534) and frequent reboots, but even this can be circumvented on machines without
projects/torbrowser/design/index.html.en     535) Secure Boot through the use of BIOS rootkits.
projects/torbrowser/design/index.html.en     536) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     537)      </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>4. Implementation</h2></div></div></div><p>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     538) 
projects/torbrowser/design/index.html.en     539) The Implementation section is divided into subsections, each of which
projects/torbrowser/design/index.html.en     540) corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
projects/torbrowser/design/index.html.en     541) Each subsection is divided into specific web technologies or properties. The
projects/torbrowser/design/index.html.en     542) implementation is then described for that property.
projects/torbrowser/design/index.html.en     543) 
projects/torbrowser/design/index.html.en     544)   </p><p>
projects/torbrowser/design/index.html.en     545) 
projects/torbrowser/design/index.html.en     546) In some cases, the implementation meets the design requirements in a non-ideal
projects/torbrowser/design/index.html.en     547) way (for example, by disabling features). In rare cases, there may be no
projects/torbrowser/design/index.html.en     548) implementation at all. Both of these cases are denoted by differentiating
projects/torbrowser/design/index.html.en     549) between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     550) Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
Mike Perry Update TBB design doc w/ an...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     551) are typically linked for these cases.
projects/torbrowser/design/index.html.en     552) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     553)   </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>4.1. Proxy Obedience</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  554) 
projects/en/torbrowser/design/index.html.en  555) Proxy obedience is assured through the following:
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     556)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Firefox proxy settings, patches, and build flags</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     557) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     558) Our <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-31.6.0esr-4.5-1" target="_top">Firefox
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     559) preferences file</a> sets the Firefox proxy settings to use Tor directly
projects/torbrowser/design/index.html.en     560) as a SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     561) <span class="command"><strong>network.proxy.socks_version</strong></span>,
projects/torbrowser/design/index.html.en     562) <span class="command"><strong>network.proxy.socks_port</strong></span>, and
projects/torbrowser/design/index.html.en     563) <span class="command"><strong>network.dns.disablePrefetch</strong></span>.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     564) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     565)  </p><p>
projects/torbrowser/design/index.html.en     566) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     567) To prevent proxy bypass by WebRTC calls, we disable WebRTC at compile time
projects/torbrowser/design/index.html.en     568) with the <span class="command"><strong>--disable-webrtc</strong></span> configure switch, as well
projects/torbrowser/design/index.html.en     569) as set the pref <span class="command"><strong>media.peerconnection.enabled</strong></span> to false.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     570) 
projects/torbrowser/design/index.html.en     571)  </p><p>
projects/torbrowser/design/index.html.en     572) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     573) We also patch Firefox in order to provide several defense-in-depth mechanisms
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     574) for proxy safety. Notably, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=8c6604d2b776f0d8e33ed9130c5f5b8cf744bac8" target="_top">patch
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     575) the DNS service</a> to prevent any browser or addon DNS resolution, and we
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     576) also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=c96c854c0eca21fed1362d1ddd164b657d351795" target="_top">patch
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     577) OCSP and PKIX code</a> to prevent any use of the non-proxied command-line
projects/torbrowser/design/index.html.en     578) tool utility functions from being functional while linked in to the browser.
projects/torbrowser/design/index.html.en     579) In both cases, we could find no direct paths to these routines in the browser,
projects/torbrowser/design/index.html.en     580) but it seemed better safe than sorry.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     581) 
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     582)  </p><p>
projects/torbrowser/design/index.html.en     583) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     584) During every Extended Support Release transition, we perform <a class="ulink" href="https://gitweb.torproject.org/tor-browser-spec.git/tree/audits" target="_top">in-depth
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     585) code audits</a> to verify that there were no system calls or XPCOM
projects/torbrowser/design/index.html.en     586) activity in the source tree that did not use the browser proxy settings.
projects/torbrowser/design/index.html.en     587)  </p><p>
projects/torbrowser/design/index.html.en     588) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     589) We have verified that these settings and patches properly proxy HTTPS, OCSP,
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     590) HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing Queries, all JavaScript
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     591) activity, including HTML5 audio and video objects, addon updates, WiFi
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     592) geolocation queries, searchbox queries, XPCOM addon HTTPS/HTTP activity,
projects/torbrowser/design/index.html.en     593) WebSockets, and live bookmark updates. We have also verified that IPv6
projects/torbrowser/design/index.html.en     594) connections are not attempted, through the proxy or otherwise (Tor does not
projects/torbrowser/design/index.html.en     595) yet support IPv6). We have also verified that external protocol helpers, such
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     596) as SMB URLs and other custom protocol handlers are all blocked.
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     597) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     598)  </p></li><li class="listitem"><span class="command"><strong>Disabling plugins</strong></span><p>Plugins have the ability to make arbitrary OS system calls and  <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  599) the ability to make UDP sockets and send arbitrary data independent of the
projects/en/torbrowser/design/index.html.en  600) browser proxy settings.
projects/en/torbrowser/design/index.html.en  601)  </p><p>
projects/en/torbrowser/design/index.html.en  602) Torbutton disables plugins by using the
projects/en/torbrowser/design/index.html.en  603) <span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     604) as disabled. This block can be undone through both the Torbutton Security UI,
projects/torbrowser/design/index.html.en     605) and the Firefox Plugin Preferences.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  606)  </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     607) If the user does enable plugins in this way, plugin-handled objects are still
projects/torbrowser/design/index.html.en     608) restricted from automatic load through Firefox's click-to-play preference
projects/torbrowser/design/index.html.en     609) <span class="command"><strong>plugins.click_to_play</strong></span>.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     610)  </p><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     611) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     612) In addition, to reduce any unproxied activity by arbitrary plugins at load
projects/torbrowser/design/index.html.en     613) time, and to reduce the fingerprintability of the installed plugin list, we
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     614) also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=465cb8295db58a6450dc14a593d29372cbebc71d" target="_top">
projects/torbrowser/design/index.html.en     615) prevent the load of any plugins except for Flash and Gnash</a>. Even for
projects/torbrowser/design/index.html.en     616) Flash and Gnash, we also patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e5531b1baa3c96dee7d8d4274791ff393bafd241" target="_top">prevent loading them into the
projects/torbrowser/design/index.html.en     617) address space</a> until they are explicitly enabled.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     618) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     619)  </p></li><li class="listitem"><span class="command"><strong>External App Blocking and Drag Event Filtering</strong></span><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     620) 
projects/torbrowser/design/index.html.en     621) External apps can be induced to load files that perform network activity.
projects/torbrowser/design/index.html.en     622) Unfortunately, there are cases where such apps can be launched automatically
projects/torbrowser/design/index.html.en     623) with little to no user input. In order to prevent this, Torbutton installs a
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     624) component to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     625) provide the user with a popup</a> whenever the browser attempts to launch
projects/torbrowser/design/index.html.en     626) a helper app.
projects/torbrowser/design/index.html.en     627) 
projects/torbrowser/design/index.html.en     628)   </p><p>
projects/torbrowser/design/index.html.en     629) 
projects/torbrowser/design/index.html.en     630) Additionally, modern desktops now pre-emptively fetch any URLs in Drag and
projects/torbrowser/design/index.html.en     631) Drop events as soon as the drag is initiated. This download happens
projects/torbrowser/design/index.html.en     632) independent of the browser's Tor settings, and can be triggered by something
projects/torbrowser/design/index.html.en     633) as simple as holding the mouse button down for slightly too long while
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     634) clicking on an image link. We filter drag and drop events events <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">from
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     635) Torbutton</a> before the OS downloads the URLs the events contained.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     636) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     637)   </p></li><li class="listitem"><span class="command"><strong>Disabling system extensions and clearing the addon whitelist</strong></span><p>
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     638) 
projects/torbrowser/design/index.html.en     639) Firefox addons can perform arbitrary activity on your computer, including
projects/torbrowser/design/index.html.en     640) bypassing Tor. It is for this reason we disable the addon whitelist
projects/torbrowser/design/index.html.en     641) (<span class="command"><strong>xpinstall.whitelist.add</strong></span>), so that users are prompted
projects/torbrowser/design/index.html.en     642) before installing addons regardless of the source. We also exclude
projects/torbrowser/design/index.html.en     643) system-level addons from the browser through the use of
projects/torbrowser/design/index.html.en     644) <span class="command"><strong>extensions.enabledScopes</strong></span> and
projects/torbrowser/design/index.html.en     645) <span class="command"><strong>extensions.autoDisableScopes</strong></span>.
projects/torbrowser/design/index.html.en     646) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     647)   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>4.2. State Separation</h3></div></div></div><p>
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     648) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  649) Tor Browser State is separated from existing browser state through use of a
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     650) custom Firefox profile, and by setting the $HOME environment variable to the
projects/torbrowser/design/index.html.en     651) root of the bundle's directory.  The browser also does not load any
projects/torbrowser/design/index.html.en     652) system-wide extensions (through the use of
projects/torbrowser/design/index.html.en     653) <span class="command"><strong>extensions.enabledScopes</strong></span> and
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     654) <span class="command"><strong>extensions.autoDisableScopes</strong></span>). Furthermore, plugins are
Mike Perry TBB design doc: Fix typos,...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     655) disabled, which prevents Flash cookies from leaking from a pre-existing Flash
projects/torbrowser/design/index.html.en     656) directory.
projects/torbrowser/design/index.html.en     657) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     658)    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55029872"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     659) 
projects/torbrowser/design/index.html.en     660) The User Agent MUST (at user option) prevent all disk records of browser activity.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  661) The user should be able to optionally enable URL history and other history
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     662) features if they so desire. 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  663) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     664)     </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55031232"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  665) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     666) We achieve this goal through several mechanisms. First, we set the Firefox
projects/torbrowser/design/index.html.en     667) Private Browsing preference
projects/torbrowser/design/index.html.en     668) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>. In addition, four Firefox patches are needed to prevent disk writes, even if
projects/torbrowser/design/index.html.en     669) Private Browsing Mode is enabled. We need to
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  670) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     671) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=44b8ae43a83191bbf5161cbdbf399e10c1b943d0" target="_top">prevent
projects/torbrowser/design/index.html.en     672) the permissions manager from recording HTTPS STS state</a>, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e5abcb28f131aa96e8762212573488d303b3614d" target="_top">prevent
projects/torbrowser/design/index.html.en     673) intermediate SSL certificates from being recorded</a>, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=ee34e122ac2929a7668314483e36e58a88c98c08" target="_top">prevent
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     674) the clipboard cache from being written to disk for large pastes</a>, and
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     675) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=c8e357740dd7bafa2a129007f27d2b243e36f4a2" target="_top">prevent
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     676) the content preferences service from recording site zoom</a>. We also had
projects/torbrowser/design/index.html.en     677) to disable the media cache with the pref <span class="command"><strong>media.cache_size</strong></span>,
projects/torbrowser/design/index.html.en     678) to prevent HTML5 videos from being written to the OS temporary directory,
projects/torbrowser/design/index.html.en     679) which happened regardless of the private browsing mode setting.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     680) 
projects/torbrowser/design/index.html.en     681)     </blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en     682) 
projects/torbrowser/design/index.html.en     683) As an additional defense-in-depth measure, we set the following preferences:
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     684) <span class="command"><strong></strong></span>,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  685) <span class="command"><strong>browser.cache.disk.enable</strong></span>,
projects/en/torbrowser/design/index.html.en  686) <span class="command"><strong>browser.cache.offline.enable</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     687) <span class="command"><strong>dom.indexedDB.enabled</strong></span>,
projects/torbrowser/design/index.html.en     688) <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  689) <span class="command"><strong>signon.rememberSignons</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     690) <span class="command"><strong>browser.formfill.enable</strong></span>,
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  691) <span class="command"><strong>browser.download.manager.retention</strong></span>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     692) <span class="command"><strong>browser.sessionstore.privacy_level</strong></span>,
projects/torbrowser/design/index.html.en     693) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>. Many of these
projects/torbrowser/design/index.html.en     694) preferences are likely redundant with
projects/torbrowser/design/index.html.en     695) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>, but we have not done the
projects/torbrowser/design/index.html.en     696) auditing work to ensure that yet.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  697) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     698)     </blockquote></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  699) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     700) For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&amp;status=!closed" target="_top">tbb-disk-leak tag in our bugtracker</a></blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>4.4. Application Data Isolation</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  701) 
projects/en/torbrowser/design/index.html.en  702) Tor Browser Bundle MUST NOT cause any information to be written outside of the
projects/en/torbrowser/design/index.html.en  703) bundle directory. This is to ensure that the user is able to completely and
projects/en/torbrowser/design/index.html.en  704) safely remove the bundle without leaving other traces of Tor usage on their
projects/en/torbrowser/design/index.html.en  705) computer.
projects/en/torbrowser/design/index.html.en  706) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     707)    </p><p>
projects/torbrowser/design/index.html.en     708) 
projects/torbrowser/design/index.html.en     709) To ensure TBB directory isolation, we set
projects/torbrowser/design/index.html.en     710) <span class="command"><strong>browser.download.useDownloadDir</strong></span>,
projects/torbrowser/design/index.html.en     711) <span class="command"><strong>browser.shell.checkDefaultBrowser</strong></span>, and
projects/torbrowser/design/index.html.en     712) <span class="command"><strong>browser.download.manager.addToRecentDocs</strong></span>. We also set the
projects/torbrowser/design/index.html.en     713) $HOME environment variable to be the TBB extraction directory.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en     714)    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  715) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     716) The Cross-Origin Identifier Unlinkability design requirement is satisfied
projects/torbrowser/design/index.html.en     717) through first party isolation of all browser identifier sources. First party
projects/torbrowser/design/index.html.en     718) isolation means that all identifier sources and browser state are scoped
projects/torbrowser/design/index.html.en     719) (isolated) using the URL bar domain. This scoping is performed in
projects/torbrowser/design/index.html.en     720) combination with any additional third party scope. When first party isolation
projects/torbrowser/design/index.html.en     721) is used with explicit identifier storage that already has a constrained third
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     722) party scope (such as cookies and DOM storage), this approach is
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     723) referred to as "double-keying".
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  724) 
projects/en/torbrowser/design/index.html.en  725)    </p><p>
projects/en/torbrowser/design/index.html.en  726) 
projects/en/torbrowser/design/index.html.en  727) The benefit of this approach comes not only in the form of reduced
projects/en/torbrowser/design/index.html.en  728) linkability, but also in terms of simplified privacy UI. If all stored browser
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     729) state and permissions become associated with the URL bar origin, the six or
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     730) seven different pieces of privacy UI governing these identifiers and
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  731) permissions can become just one piece of UI. For instance, a window that lists
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     732) the URL bar origin for which browser state exists, possibly with a
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     733) context-menu option to drill down into specific types of state or permissions.
projects/torbrowser/design/index.html.en     734) An example of this simplification can be seen in Figure 1.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  735) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     736)    </p><div class="figure"><a id="idp55052928"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  737) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     738) This example UI is a mock-up of how isolating identifiers to the URL bar
projects/torbrowser/design/index.html.en     739) origin can simplify the privacy UI for all data - not just cookies. Once
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     740) browser identifiers and site permissions operate on a URL bar basis, the same
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     741) privacy window can represent browsing history, DOM Storage, HTTP Auth, search
projects/torbrowser/design/index.html.en     742) form history, login values, and so on within a context menu for each site.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  743) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     744) </div></div></div><br class="figure-break" /><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55056352"></a>Identifier Unlinkability Defenses in the Tor Browser</h4></div></div></div><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     745) 
projects/torbrowser/design/index.html.en     746) Unfortunately, many aspects of browser state can serve as identifier storage,
projects/torbrowser/design/index.html.en     747) and no other browser vendor or standards body has invested the effort to
projects/torbrowser/design/index.html.en     748) enumerate or otherwise deal with these vectors for third party tracking. As
projects/torbrowser/design/index.html.en     749) such, we have had to enumerate and isolate these identifier sources on a
projects/torbrowser/design/index.html.en     750) piecemeal basis. Here is the list that we have discovered and dealt with to
projects/torbrowser/design/index.html.en     751) date:
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  752) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     753)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     754) 
projects/torbrowser/design/index.html.en     755) All cookies MUST be double-keyed to the URL bar origin and third-party
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     756) origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     757) that contains a prototype patch, but it lacks UI, and does not apply to modern
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     758) Firefox versions.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  759) 
projects/en/torbrowser/design/index.html.en  760)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  761) 
projects/en/torbrowser/design/index.html.en  762) As a stopgap to satisfy our design requirement of unlinkability, we currently
projects/en/torbrowser/design/index.html.en  763) entirely disable 3rd party cookies by setting
projects/en/torbrowser/design/index.html.en  764) <span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
Mike Perry Comments from Georg + proxy...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     765) third party content continue to function, but we believe the requirement for 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  766) unlinkability trumps that desire.
projects/en/torbrowser/design/index.html.en  767) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     768)      </p></li><li class="listitem"><span class="command"><strong>Cache</strong></span><p>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     769) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     770) In Firefox, there are actually two distinct caching mechanisms: One for
projects/torbrowser/design/index.html.en     771) general content (HTML, Javascript, CSS), and one specifically for images. The
projects/torbrowser/design/index.html.en     772) content cache is isolated to the URL bar domain by <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=7c58be929777d386a03e1faaee648909151fd951" target="_top">altering
projects/torbrowser/design/index.html.en     773) each cache key</a> to include an additional ID that includes the URL bar
projects/torbrowser/design/index.html.en     774) domain. This functionality can be observed by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and viewing the key used for each cache
projects/torbrowser/design/index.html.en     775) entry. Each third party element should have an additional "id=string"
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     776) property prepended, which will list the FQDN that was used to source it.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     777) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     778)      </p><p>
projects/torbrowser/design/index.html.en     779) 
projects/torbrowser/design/index.html.en     780) Additionally, because the image cache is a separate entity from the content
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     781) cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=d8b98a75fb200268c40886d876adc19e00b933bf" target="_top">isolate
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     782) this cache per URL bar domain</a>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     783) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     784)      </p></li><li class="listitem"><span class="command"><strong>HTTP Authentication</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  785) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     786) HTTP Authorization headers can be used to encode <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     787) third party tracking identifiers</a>. To prevent this, we remove HTTP
projects/torbrowser/design/index.html.en     788) authentication tokens for third party elements through a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=b8ce4a0760759431f146c71184c89fbd5e1a27e4" target="_top">patch
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     789) to nsHTTPChannel</a>.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     790) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     791)      </p></li><li class="listitem"><span class="command"><strong>DOM Storage</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  792) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     793) DOM storage for third party domains MUST be isolated to the URL bar origin,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     794) to prevent linkability between sites. This functionality is provided through a
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     795) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=97490c4a90ca1c43374486d9ec0c5593d5fe5720" target="_top">patch
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     796) to Firefox</a>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  797) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     798)      </p></li><li class="listitem"><span class="command"><strong>Flash cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     799) 
projects/torbrowser/design/index.html.en     800) Users should be able to click-to-play flash objects from trusted sites. To
projects/torbrowser/design/index.html.en     801) make this behavior unlinkable, we wish to include a settings file for all platforms that disables flash
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     802) cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     803) settings manager</a>.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     804) 
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     805)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en     806) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     807) We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     808) difficulties</a> causing Flash player to use this settings
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     809) file on Windows, so Flash remains difficult to enable.
Mike Perry Describe our efforts agains...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     810) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     811)      </p></li><li class="listitem"><span class="command"><strong>SSL+TLS session resumption</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  812) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     813) TLS session resumption tickets and SSL Session IDs MUST be limited to the URL
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     814) bar origin.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  815) 
projects/en/torbrowser/design/index.html.en  816)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en  817) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     818) We currently clear SSL Session IDs upon <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     819) Identity</a>, we disable TLS Session Tickets via the Firefox Pref
projects/torbrowser/design/index.html.en     820) <span class="command"><strong>security.enable_tls_session_tickets</strong></span>. We disable SSL Session
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     821) IDs via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=a01fb747d4b8b24687de538cb6a1304fe27d9d88" target="_top">patch
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     822) to Firefox</a>. To compensate for the increased round trip latency from disabling
projects/torbrowser/design/index.html.en     823) these performance optimizations, we also enable
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     824) <a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     825) False Start</a> via the Firefox Pref
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     826) <span class="command"><strong>security.ssl.enable_false_start</strong></span>.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     827)     </p></li><li class="listitem"><span class="command"><strong>Tor circuit and HTTP connection linkability</strong></span><p>
projects/torbrowser/design/index.html.en     828) 
projects/torbrowser/design/index.html.en     829) Tor circuits and HTTP connections from a third party in one URL bar origin
projects/torbrowser/design/index.html.en     830) MUST NOT be reused for that same third party in another URL bar origin.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     831) 
projects/torbrowser/design/index.html.en     832)      </p><p>
projects/torbrowser/design/index.html.en     833) 
projects/torbrowser/design/index.html.en     834) This isolation functionality is provided by the combination of a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=b3ea705cc35b79a9ba27323cb3e32d5d004ea113" target="_top">Firefox
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     835) patch to allow SOCKS usernames and passwords</a>, as well as a Torbutton
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     836) component that <a class="ulink" href="" target="_top">sets
projects/torbrowser/design/index.html.en     837) the SOCKS username and password for each request</a>. The Tor client has
projects/torbrowser/design/index.html.en     838) logic to prevent connections with different SOCKS usernames and passwords from
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     839) using the same Tor circuit. Firefox has existing logic to ensure that connections with
projects/torbrowser/design/index.html.en     840) SOCKS proxies do not re-use existing HTTP Keep-Alive connections unless the
projects/torbrowser/design/index.html.en     841) proxy settings match.  We extended this logic to cover SOCKS username and
projects/torbrowser/design/index.html.en     842) password authentication, providing us with HTTP Keep-Alive unlinkability.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     843) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     844)      </p></li><li class="listitem"><span class="command"><strong>SharedWorkers</strong></span><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     845) 
projects/torbrowser/design/index.html.en     846) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker" target="_top">SharedWorkers</a>
projects/torbrowser/design/index.html.en     847) are a special form of Javascript Worker Threads that have a shared scope
projects/torbrowser/design/index.html.en     848) between all threads from the same Javascript origin.
projects/torbrowser/design/index.html.en     849)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     850) 
projects/torbrowser/design/index.html.en     851) SharedWorker scope MUST be isolated to the URL bar domain. A SharedWorker
projects/torbrowser/design/index.html.en     852) launched from a third party from one URL bar domain MUST NOT have access to
projects/torbrowser/design/index.html.en     853) the objects created by that same third party loaded under another URL bar domain.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  854) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     855)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en     856) 
projects/torbrowser/design/index.html.en     857) For now, we disable SharedWorkers via the pref
projects/torbrowser/design/index.html.en     858) <span class="command"><strong>dom.workers.sharedWorkers.enabled</strong></span>.
projects/torbrowser/design/index.html.en     859) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     860)      </p></li><li class="listitem"><span class="command"><strong>blob: URIs (URL.createObjectURL)</strong></span><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     861) 
projects/torbrowser/design/index.html.en     862) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>
projects/torbrowser/design/index.html.en     863) API allows a site to load arbitrary content into a random UUID that is stored
projects/torbrowser/design/index.html.en     864) in the user's browser, and this content can be accessed via a URL of the form
projects/torbrowser/design/index.html.en     865) <span class="command"><strong>blob:UUID</strong></span> from any other content element anywhere on the
projects/torbrowser/design/index.html.en     866) web. While this UUID value is neither under control of the site nor
projects/torbrowser/design/index.html.en     867) predictable, it can still be used to tag a set of users that are of high
projects/torbrowser/design/index.html.en     868) interest to an adversary.
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     869) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     870)      </p><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     871) 
projects/torbrowser/design/index.html.en     872) URIs created with URL.createObjectURL MUST be limited in scope to the first
projects/torbrowser/design/index.html.en     873) party URL bar domain that created them. We provide this isolation in Tor
projects/torbrowser/design/index.html.en     874) Browser via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=0d67ab406bdd3cf095802cb25c081641aa1f0bcc" target="_top">direct
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     875) patch to Firefox</a> and disable URL.createObjectURL in the WebWorker
projects/torbrowser/design/index.html.en     876) context as a stopgap, due to an edge case with enforcing this isolation in
projects/torbrowser/design/index.html.en     877) WebWorkers.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     878) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     879)      </p></li><li class="listitem"><span class="command"><strong>SPDY</strong></span><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     880) 
projects/torbrowser/design/index.html.en     881) Because SPDY can store identifiers, it is disabled through the
projects/torbrowser/design/index.html.en     882) Firefox preference <span class="command"><strong>network.http.spdy.enabled</strong></span>.
projects/torbrowser/design/index.html.en     883) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     884)      </p></li><li class="listitem"><span class="command"><strong>Automated cross-origin redirects</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     885) 
projects/torbrowser/design/index.html.en     886) To prevent attacks aimed at subverting the Cross-Origin Identifier
projects/torbrowser/design/index.html.en     887) Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     888) MUST NOT store any identifiers (cookies, cache, DOM storage, HTTP auth, etc)
projects/torbrowser/design/index.html.en     889) for cross-origin redirect intermediaries that do not prompt for user input.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     890) For example, if a user clicks on a bit.ly URL that redirects to a
projects/torbrowser/design/index.html.en     891) doubleclick.net URL that finally redirects to a cnn.com URL, only cookies from
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     892) cnn.com should be retained after the redirect chain completes.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     893) 
projects/torbrowser/design/index.html.en     894)     </p><p>
projects/torbrowser/design/index.html.en     895) 
Mike Perry Update design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en     896) Non-automated redirect chains that require user input at some step (such as
projects/torbrowser/design/index.html.en     897) federated login systems) SHOULD still allow identifiers to persist.
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     898) 
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     899)     </p><p><span class="command"><strong>Implementation status:</strong></span>
projects/torbrowser/design/index.html.en     900) 
projects/torbrowser/design/index.html.en     901) There are numerous ways for the user to be redirected, and the Firefox API
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     902) support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     903) open</a> to implement what we can.
projects/torbrowser/design/index.html.en     904) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     905)     </p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  906) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     907) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  908) a magical DOM property that for some reason is allowed to retain a persistent value
projects/en/torbrowser/design/index.html.en  909) for the lifespan of a browser tab. It is possible to utilize this property for
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     910) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  911) storage</a>.
projects/en/torbrowser/design/index.html.en  912) 
projects/en/torbrowser/design/index.html.en  913)      </p><p>
projects/en/torbrowser/design/index.html.en  914) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     915) In order to eliminate non-consensual linkability but still allow for sites
projects/torbrowser/design/index.html.en     916) that utilize this property to function, we reset the window.name property of
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     917) tabs in Torbutton every time we encounter a blank Referer. This behavior
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     918) allows window.name to persist for the duration of a click-driven navigation
projects/torbrowser/design/index.html.en     919) session, but as soon as the user enters a new URL or navigates between
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     920) HTTPS/HTTP schemes, the property is cleared.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  921) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     922)      </p></li><li class="listitem"><span class="command"><strong>Auto form-fill</strong></span><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     923) 
projects/torbrowser/design/index.html.en     924) We disable the password saving functionality in the browser as part of our
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     925) <a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     926) since users may decide to re-enable disk history records and password saving,
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     927) we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     928) preference to false to prevent saved values from immediately populating
projects/torbrowser/design/index.html.en     929) fields upon page load. Since Javascript can read these values as soon as they
projects/torbrowser/design/index.html.en     930) appear, setting this preference prevents automatic linkability from stored passwords.
projects/torbrowser/design/index.html.en     931) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     932)      </p></li><li class="listitem"><span class="command"><strong>HSTS supercookies</strong></span><p>
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     933) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     934) An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     935) supercookies</a>. Since HSTS effectively stores one bit of information per domain
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     936) name, an adversary in possession of numerous domains can use them to construct
projects/torbrowser/design/index.html.en     937) cookies based on stored HSTS state.
projects/torbrowser/design/index.html.en     938) 
projects/torbrowser/design/index.html.en     939)       </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en     940) 
projects/torbrowser/design/index.html.en     941) There appears to be three options for us: 1. Disable HSTS entirely, and rely
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     942) instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     943) Restrict the number of HSTS-enabled third parties allowed per URL bar origin.
Mike Perry Additional comments from Ge...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     944) 3. Prevent third parties from storing HSTS rules. We have not yet decided upon
projects/torbrowser/design/index.html.en     945) the best approach.
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     946) 
projects/torbrowser/design/index.html.en     947)       </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     948) cleared by <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>, but we don't
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en     949) defend against the creation of these cookies between <span class="command"><strong>New
projects/torbrowser/design/index.html.en     950) Identity</strong></span> invocations.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     951)       </p></li></ol></div><p>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en     952) For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&amp;status=!closed" target="_top">tbb-linkability tag in our bugtracker</a>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     953)   </p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  954) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     955) Browser fingerprinting is the act of inspecting browser behaviors and features in
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     956) an attempt to differentiate and track individual users.
projects/torbrowser/design/index.html.en     957)   </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en  958) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     959) Fingerprinting attacks are typically broken up into passive and active
projects/torbrowser/design/index.html.en     960) vectors. Passive fingerprinting makes use of any information the browser
projects/torbrowser/design/index.html.en     961) provides automatically to a website without any specific action on the part of
projects/torbrowser/design/index.html.en     962) the website. Active fingerprinting makes use of any information that can be
projects/torbrowser/design/index.html.en     963) extracted from the browser by some specific website action, usually involving
projects/torbrowser/design/index.html.en     964) Javascript.  Some definitions of browser fingerprinting also include
projects/torbrowser/design/index.html.en     965) supercookies and cookie-like identifier storage, but we deal with those issues
projects/torbrowser/design/index.html.en     966) separately in the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">preceding section on
projects/torbrowser/design/index.html.en     967) identifier linkability</a>.
projects/torbrowser/design/index.html.en     968)     </p><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     969) For the most part, however, we do not differentiate between passive or active
projects/torbrowser/design/index.html.en     970) fingerprinting sources, since many active fingerprinting mechanisms are very
projects/torbrowser/design/index.html.en     971) rapid, and can be obfuscated or disguised as legitimate functionality.
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     972) 
projects/torbrowser/design/index.html.en     973)    </p><p>
projects/torbrowser/design/index.html.en     974) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     975) Instead, we believe fingerprinting can only be rationally addressed if we
projects/torbrowser/design/index.html.en     976) understand where the problem comes from, what sources of issues are the most
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     977) severe, what types of defenses are suitable for which sources, and have a
projects/torbrowser/design/index.html.en     978) consistent strategy for designing defenses that maximizes our ability to study
projects/torbrowser/design/index.html.en     979) defense efficacy. The following subsections address these issues from a high
projects/torbrowser/design/index.html.en     980) level, and we then conclude with a list of our current specific defenses.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     981) 
projects/torbrowser/design/index.html.en     982)     </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-scope"></a>Sources of Fingerprinting Issues</h4></div></div></div><p>
projects/torbrowser/design/index.html.en     983) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     984) All browser fingerprinting issues arise from one of four primary sources:
projects/torbrowser/design/index.html.en     985) end-user configuration details, device and hardware characteristics, operating
projects/torbrowser/design/index.html.en     986) system vendor and version differences, and browser vendor and version
projects/torbrowser/design/index.html.en     987) differences. Additionally, user behavior itself provides one more source of
projects/torbrowser/design/index.html.en     988) potential fingerprinting.
projects/torbrowser/design/index.html.en     989) 
projects/torbrowser/design/index.html.en     990)     </p><p>
projects/torbrowser/design/index.html.en     991) 
projects/torbrowser/design/index.html.en     992) In order to help prioritize and inform defenses, we now list these sources in
projects/torbrowser/design/index.html.en     993) order from most severe to least severe in terms of the amount of information
projects/torbrowser/design/index.html.en     994) they reveal, and describe them in more detail.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en     995) 
projects/torbrowser/design/index.html.en     996)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>End-user Configuration Details</strong></span><p>
projects/torbrowser/design/index.html.en     997) 
projects/torbrowser/design/index.html.en     998) End-user configuration details are by far the most severe threat to
projects/torbrowser/design/index.html.en     999) fingerprinting, as they will quickly provide enough information to uniquely
projects/torbrowser/design/index.html.en    1000) identify a user. We believe it is essential to avoid exposing platform
projects/torbrowser/design/index.html.en    1001) configuration details to website content at all costs. We also discourage
projects/torbrowser/design/index.html.en    1002) excessive fine-grained customization of Tor Browser by minimizing and
projects/torbrowser/design/index.html.en    1003) aggregating user-facing privacy and security options, as well as by
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1004) discouraging the use of additional plugins and addons. When it is necessary to
projects/torbrowser/design/index.html.en    1005) expose configuration details in the course of providing functionality, we
projects/torbrowser/design/index.html.en    1006) strive to do so only on a per-site basis via site permissions, to avoid
projects/torbrowser/design/index.html.en    1007) linkability.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1008) 
projects/torbrowser/design/index.html.en    1009)      </p></li><li class="listitem"><span class="command"><strong>Device and Hardware Characteristics</strong></span><p>
projects/torbrowser/design/index.html.en    1010) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1011) Device and hardware characteristics can be determined in three ways: they can
projects/torbrowser/design/index.html.en    1012) be reported explicitly by the browser, they can be inferred through browser
projects/torbrowser/design/index.html.en    1013) functionality, or they can be extracted through statistical measurements of
projects/torbrowser/design/index.html.en    1014) system performance. We are most concerned with the cases where this
projects/torbrowser/design/index.html.en    1015) information is either directly reported or can be determined via a single use
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1016) of an API or feature, and prefer to either alter functionality to prevent
projects/torbrowser/design/index.html.en    1017) exposing the most variable aspects of these characteristics, place such
projects/torbrowser/design/index.html.en    1018) features behind site permissions, or disable them entirely.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1019) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1020)       </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1021) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1022) On the other hand, because statistical inference of system performance
projects/torbrowser/design/index.html.en    1023) requires many iterations to achieve accuracy in the face of noise and
projects/torbrowser/design/index.html.en    1024) concurrent activity, we are less concerned with this mechanism of extracting
projects/torbrowser/design/index.html.en    1025) this information. We also expect that reducing the resolution of Javascript's
projects/torbrowser/design/index.html.en    1026) time sources will significantly increase the duration of execution required to
projects/torbrowser/design/index.html.en    1027) extract accurate results, and thus make statistical approaches both
projects/torbrowser/design/index.html.en    1028) unattractive and highly noticeable due to excessive resource consumption.
projects/torbrowser/design/index.html.en    1029) 
projects/torbrowser/design/index.html.en    1030)       </p></li><li class="listitem"><span class="command"><strong>Operating System Vendor and Version Differences</strong></span><p>
projects/torbrowser/design/index.html.en    1031) 
projects/torbrowser/design/index.html.en    1032) Operating system vendor and version differences permeate many different
projects/torbrowser/design/index.html.en    1033) aspects of the browser. While it is possible to address these issues with some
projects/torbrowser/design/index.html.en    1034) effort, the relative lack of diversity in operating systems causes us to
projects/torbrowser/design/index.html.en    1035) primarily focus our efforts on passive operating system fingerprinting
projects/torbrowser/design/index.html.en    1036) mechanisms at this point in time. For the purposes of protecting user
projects/torbrowser/design/index.html.en    1037) anonymity, it is not strictly essential that the operating system be
projects/torbrowser/design/index.html.en    1038) completely concealed, though we recognize that it is useful to reduce this
projects/torbrowser/design/index.html.en    1039) differentiation ability where possible, especially for cases where the
projects/torbrowser/design/index.html.en    1040) specific version of a system can be inferred.
projects/torbrowser/design/index.html.en    1041) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1042)       </p></li><li class="listitem"><span class="command"><strong>User Behavior</strong></span><p>
projects/torbrowser/design/index.html.en    1043) 
projects/torbrowser/design/index.html.en    1044) While somewhat outside the scope of browser fingerprinting, for completeness
projects/torbrowser/design/index.html.en    1045) it is important to mention that users themselves theoretically might be
projects/torbrowser/design/index.html.en    1046) fingerprinted through their behavior while interacting with a website. This
projects/torbrowser/design/index.html.en    1047) behavior includes e.g. keystrokes, mouse movements, click speed, and writing
projects/torbrowser/design/index.html.en    1048) style. Basic vectors such as keystroke and mouse usage fingerprinting can be
projects/torbrowser/design/index.html.en    1049) mitigated by altering Javascript's notion of time. More advanced issues like
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1050) writing style fingerprinting are the domain of <a class="ulink" href="https://github.com/psal/anonymouth/blob/master/README.md" target="_top">other tools</a>.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1051) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1052)       </p></li><li class="listitem"><span class="command"><strong>Browser Vendor and Version Differences</strong></span><p>
projects/torbrowser/design/index.html.en    1053) 
projects/torbrowser/design/index.html.en    1054) Due to vast differences in feature set and implementation behavior even
projects/torbrowser/design/index.html.en    1055) between different versions of the same browser, browser vendor and version
projects/torbrowser/design/index.html.en    1056) differences are simply not possible to conceal in any realistic way. It
projects/torbrowser/design/index.html.en    1057) is only possible to minimize the differences among different installations of
projects/torbrowser/design/index.html.en    1058) the same browser vendor and version. We make no effort to mimic any other
projects/torbrowser/design/index.html.en    1059) major browser vendor, and in fact most of our fingerprinting defenses serve to
projects/torbrowser/design/index.html.en    1060) differentiate Tor Browser users from normal Firefox users. Because of this,
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1061) any study that lumps browser vendor and version differences into its analysis
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1062) of the fingerprintability of a population is largely useless for evaluating
projects/torbrowser/design/index.html.en    1063) either attacks or defenses. Unfortunately, this includes popular large-scale
projects/torbrowser/design/index.html.en    1064) studies such as <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> and <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a>.
projects/torbrowser/design/index.html.en    1065) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1066)       </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses-general"></a>General Fingerprinting Defenses</h4></div></div></div><p>
projects/torbrowser/design/index.html.en    1067) 
projects/torbrowser/design/index.html.en    1068) To date, the Tor Browser team has concerned itself only with developing
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1069) defenses for APIs that have already been standardized and deployed. Once an
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1070) API or feature has been standardized and widely deployed, defenses to the
projects/torbrowser/design/index.html.en    1071) associated fingerprinting issues tend to have only a few options available to
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1072) compensate for the lack of up-front privacy design. In our experience, so far
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1073) these options have been limited to value spoofing, subsystem modification or
projects/torbrowser/design/index.html.en    1074) reimplementation, virtualization, site permissions, and feature removal. We
projects/torbrowser/design/index.html.en    1075) will now describe these options and the fingerprinting sources they tend to
projects/torbrowser/design/index.html.en    1076) work best with.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1077) 
projects/torbrowser/design/index.html.en    1078)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Value Spoofing</strong></span><p>
projects/torbrowser/design/index.html.en    1079) 
projects/torbrowser/design/index.html.en    1080) Value spoofing can be used for simple cases where the browser directly
projects/torbrowser/design/index.html.en    1081) provides some aspect of the user's configuration details, devices, hardware,
projects/torbrowser/design/index.html.en    1082) or operating system directly to a website. It becomes less useful when the
projects/torbrowser/design/index.html.en    1083) fingerprinting method relies on behavior to infer aspects of the hardware or
projects/torbrowser/design/index.html.en    1084) operating system, rather than obtain them directly.
projects/torbrowser/design/index.html.en    1085) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1086)      </p></li><li class="listitem"><span class="command"><strong>Subsystem Modification or Reimplementation</strong></span><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1087) 
projects/torbrowser/design/index.html.en    1088) In cases where simple spoofing is not enough to properly conceal underlying
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1089) device characteristics or operating system details, the underlying subsystem
projects/torbrowser/design/index.html.en    1090) that provides the functionality for a feature or API may need to be modified
projects/torbrowser/design/index.html.en    1091) or completely reimplemented. This is most common in cases where customizable
projects/torbrowser/design/index.html.en    1092) or version-specific aspects of the user's operating system are visible through
projects/torbrowser/design/index.html.en    1093) the browser's featureset or APIs, usually because the browser directly exposes
projects/torbrowser/design/index.html.en    1094) OS-provided implementations of underlying features. In these cases, such
projects/torbrowser/design/index.html.en    1095) OS-provided implementations must be replaced by a generic implementation, or
projects/torbrowser/design/index.html.en    1096) at least modified by an implementation wrapper layer that makes effort to
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1097) conceal any user-customized aspects of the system.
projects/torbrowser/design/index.html.en    1098) 
projects/torbrowser/design/index.html.en    1099)    </p></li><li class="listitem"><span class="command"><strong>Virtualization</strong></span><p>
projects/torbrowser/design/index.html.en    1100) 
projects/torbrowser/design/index.html.en    1101) Virtualization is needed when simply reimplementing a feature in a different
projects/torbrowser/design/index.html.en    1102) way is insufficient to fully conceal the underlying behavior. This is most
projects/torbrowser/design/index.html.en    1103) common in instances of device and hardware fingerprinting, but since the
projects/torbrowser/design/index.html.en    1104) notion of time can also be virtualized, virtualization also can apply to any
projects/torbrowser/design/index.html.en    1105) instance where an accurate measurement of wall clock time is required for a
projects/torbrowser/design/index.html.en    1106) fingerprinting vector to attain high accuracy.
projects/torbrowser/design/index.html.en    1107) 
projects/torbrowser/design/index.html.en    1108)    </p></li><li class="listitem"><span class="command"><strong>Site Permissions</strong></span><p>
projects/torbrowser/design/index.html.en    1109) 
projects/torbrowser/design/index.html.en    1110) In the event that reimplementation or virtualization is too expensive in terms
projects/torbrowser/design/index.html.en    1111) of performance or engineering effort, and the relative expected usage of a
projects/torbrowser/design/index.html.en    1112) feature is rare, site permissions can be used to prevent the usage of a
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1113) feature for cross-site tracking. Unfortunately, site permissions become less
projects/torbrowser/design/index.html.en    1114) effective once a feature is already widely overused and abused by many
projects/torbrowser/design/index.html.en    1115) websites, since warning fatigue typically sets in for most users after just a
projects/torbrowser/design/index.html.en    1116) few permission requests.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1117) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1118)    </p></li><li class="listitem"><span class="command"><strong>Feature or Functionality Removal</strong></span><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1119) 
projects/torbrowser/design/index.html.en    1120) Due to the current bias in favor of invasive APIs that expose the maximum
projects/torbrowser/design/index.html.en    1121) amount of platform information, some features and APIs are simply not
projects/torbrowser/design/index.html.en    1122) salvageable in their current form. When such invasive features serve only a
projects/torbrowser/design/index.html.en    1123) narrow domain or use case, or when there are alternate ways of accomplishing
projects/torbrowser/design/index.html.en    1124) the same task, these features and/or certain aspects of their functionality
projects/torbrowser/design/index.html.en    1125) may be simply removed.
projects/torbrowser/design/index.html.en    1126) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1127)    </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55149888"></a>Strategies for Defense: Randomization versus Uniformity</h4></div></div></div><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1128) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1129) When applying a form of defense to a specific fingerprinting vector or source,
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1130) there are two general strategies available: either the implementation for all
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1131) users of a single browser version can be made to behave as uniformly as
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1132) possible, or the user agent can attempt to randomize its behavior so that
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1133) each interaction between a user and a site provides a different fingerprint.
projects/torbrowser/design/index.html.en    1134) 
projects/torbrowser/design/index.html.en    1135)     </p><p>
projects/torbrowser/design/index.html.en    1136) 
projects/torbrowser/design/index.html.en    1137) Although <a class="ulink" href="http://research.microsoft.com/pubs/209989/tr1.pdf" target="_top">some
projects/torbrowser/design/index.html.en    1138) research suggests</a> that randomization can be effective, so far striving
projects/torbrowser/design/index.html.en    1139) for uniformity has generally proved to be a better strategy for Tor Browser
projects/torbrowser/design/index.html.en    1140) for the following reasons:
projects/torbrowser/design/index.html.en    1141) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1142)     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Evaluation and measurement difficulties</strong></span><p>
projects/torbrowser/design/index.html.en    1143) 
projects/torbrowser/design/index.html.en    1144) The fact that randomization causes behaviors to differ slightly with every
projects/torbrowser/design/index.html.en    1145) site visit makes it appealing at first glance, but this same property makes it
projects/torbrowser/design/index.html.en    1146) very difficult to objectively measure its effectiveness. By contrast, an
projects/torbrowser/design/index.html.en    1147) implementation that strives for uniformity is very simple to evaluate. Despite
projects/torbrowser/design/index.html.en    1148) their current flaws, a properly designed version of <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> or <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a> could report the entropy and
projects/torbrowser/design/index.html.en    1149) uniqueness rates for all users of a single user agent version, without the
projects/torbrowser/design/index.html.en    1150) need for complicated statistics about the variance of the measured behaviors.
projects/torbrowser/design/index.html.en    1151) 
projects/torbrowser/design/index.html.en    1152)       </p><p>
projects/torbrowser/design/index.html.en    1153) 
projects/torbrowser/design/index.html.en    1154) Randomization (especially incomplete randomization) may also provide a false
projects/torbrowser/design/index.html.en    1155) sense of security. When a fingerprinting attempt makes naive use of randomized
projects/torbrowser/design/index.html.en    1156) information, a fingerprint will appear unstable, but may not actually be
projects/torbrowser/design/index.html.en    1157) sufficiently randomized to impede a dedicated adversary.  Sophisticated
projects/torbrowser/design/index.html.en    1158) fingerprinting mechanisms may either ignore randomized information, or
projects/torbrowser/design/index.html.en    1159) incorporate knowledge of the distribution and range of randomized values into
projects/torbrowser/design/index.html.en    1160) the creation of a more stable fingerprint (by either removing the randomness,
projects/torbrowser/design/index.html.en    1161) modeling it, or averaging it out).
projects/torbrowser/design/index.html.en    1162) 
projects/torbrowser/design/index.html.en    1163)       </p></li><li class="listitem"><span class="command"><strong>Randomization is not a shortcut</strong></span><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1164) 
projects/torbrowser/design/index.html.en    1165) While many end-user configuration details that the browser currently exposes
projects/torbrowser/design/index.html.en    1166) may be safely replaced by false information, randomization of these details
projects/torbrowser/design/index.html.en    1167) must be just as exhaustive as an approach that seeks to make these behaviors
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1168) uniform. When confronting either strategy, the adversary can still make use of
projects/torbrowser/design/index.html.en    1169) any details which have not been altered to be either sufficiently uniform or
projects/torbrowser/design/index.html.en    1170) sufficiently random.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1171) 
projects/torbrowser/design/index.html.en    1172)      </p><p>
projects/torbrowser/design/index.html.en    1173) 
projects/torbrowser/design/index.html.en    1174) Furthermore, the randomization approach seems to break down when it is applied
projects/torbrowser/design/index.html.en    1175) to deeper issues where underlying system functionality is directly exposed. In
projects/torbrowser/design/index.html.en    1176) particular, it is not clear how to randomize the capabilities of hardware
projects/torbrowser/design/index.html.en    1177) attached to a computer in such a way that it either convincingly behaves like
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1178) other hardware, or such that the exact properties of the hardware that vary
projects/torbrowser/design/index.html.en    1179) from user to user are sufficiently randomized. Similarly, truly concealing
projects/torbrowser/design/index.html.en    1180) operating system version differences through randomization may require
projects/torbrowser/design/index.html.en    1181) multiple reimplementations of the underlying operating system functionality to
projects/torbrowser/design/index.html.en    1182) ensure that every operating system version is covered by the range of possible
projects/torbrowser/design/index.html.en    1183) behaviors.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1184) 
Mike Perry More Tor Browser design doc...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1185)      </p></li><li class="listitem"><span class="command"><strong>Usability issues</strong></span><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1186) 
projects/torbrowser/design/index.html.en    1187) When randomization is introduced to features that affect site behavior, it can
projects/torbrowser/design/index.html.en    1188) be very distracting for this behavior to change between visits of a given
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1189) site. For the simplest cases, this will lead to minor visual nuisances.
projects/torbrowser/design/index.html.en    1190) However, when this information affects reported functionality or hardware
projects/torbrowser/design/index.html.en    1191) characteristics, sometimes a site will function one way on one visit, and
projects/torbrowser/design/index.html.en    1192) another way on a subsequent visit.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1193) 
projects/torbrowser/design/index.html.en    1194)       </p></li><li class="listitem"><span class="command"><strong>Performance costs</strong></span><p>
projects/torbrowser/design/index.html.en    1195) 
projects/torbrowser/design/index.html.en    1196) Randomizing involves performance costs. This is especially true if the
projects/torbrowser/design/index.html.en    1197) fingerprinting surface is large (like in a modern browser) and one needs more
projects/torbrowser/design/index.html.en    1198) elaborate randomizing strategies (including randomized virtualization) to
projects/torbrowser/design/index.html.en    1199) ensure that the randomization fully conceals the true behavior. Many calls to
projects/torbrowser/design/index.html.en    1200) a cryptographically secure random number generator during the course of a page
projects/torbrowser/design/index.html.en    1201) load will both serve to exhaust available entropy pools, as well as lead to
projects/torbrowser/design/index.html.en    1202) increased computation while loading a page.
projects/torbrowser/design/index.html.en    1203) 
projects/torbrowser/design/index.html.en    1204)       </p></li><li class="listitem"><span class="command"><strong>Increased vulnerability surface</strong></span><p>
projects/torbrowser/design/index.html.en    1205) 
projects/torbrowser/design/index.html.en    1206) Improper randomization might introduce a new fingerprinting vector, as the
projects/torbrowser/design/index.html.en    1207) process of generating the values for the fingerprintable attributes could be
projects/torbrowser/design/index.html.en    1208) itself susceptible to side-channel attacks, analysis, or exploitation.
projects/torbrowser/design/index.html.en    1209) 
projects/torbrowser/design/index.html.en    1210)       </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Specific Fingerprinting Defenses in the Tor Browser</h4></div></div></div><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1211) 
projects/torbrowser/design/index.html.en    1212) The following defenses are listed roughly in order of most severe
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1213) fingerprinting threat first. This ordering is based on the above intuition
projects/torbrowser/design/index.html.en    1214) that user configurable aspects of the computer are the most severe source of
projects/torbrowser/design/index.html.en    1215) fingerprintability, followed by device characteristics and hardware, and then
projects/torbrowser/design/index.html.en    1216) finally operating system vendor and version information.
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1217) 
projects/torbrowser/design/index.html.en    1218)    </p><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1219) 
projects/torbrowser/design/index.html.en    1220) Where our actual implementation differs from an ideal solution, we separately
projects/torbrowser/design/index.html.en    1221) describe our <span class="command"><strong>Design Goal</strong></span> and our <span class="command"><strong>Implementation
projects/torbrowser/design/index.html.en    1222) Status</strong></span>.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1223) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1224)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Plugins</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1225) 
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1226) Plugins add to fingerprinting risk via two main vectors: their mere presence
projects/torbrowser/design/index.html.en    1227) in window.navigator.plugins (because they are optional, end-user installed
projects/torbrowser/design/index.html.en    1228) third party software), as well as their internal functionality.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1229) 
projects/en/torbrowser/design/index.html.en 1230)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1231) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1232) All plugins that have not been specifically audited or sandboxed MUST be
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1233) disabled. To reduce linkability potential, even sandboxed plugins should not
projects/en/torbrowser/design/index.html.en 1234) be allowed to load objects until the user has clicked through a click-to-play
projects/en/torbrowser/design/index.html.en 1235) barrier.  Additionally, version information should be reduced or obfuscated
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1236) until the plugin object is loaded. For flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">provide a
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1237) settings.sol file</a> to disable Flash cookies, and to restrict P2P
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1238) features that are likely to bypass proxy settings. We'd also like to restrict
projects/torbrowser/design/index.html.en    1239) access to fonts and other system information (such as IP address and MAC
projects/torbrowser/design/index.html.en    1240) address) in such a sandbox.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1241) 
projects/en/torbrowser/design/index.html.en 1242)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1243) 
projects/en/torbrowser/design/index.html.en 1244) Currently, we entirely disable all plugins in Tor Browser. However, as a
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1245) compromise due to the popularity of Flash, we allow users to re-enable Flash,
projects/torbrowser/design/index.html.en    1246) and flash objects are blocked behind a click-to-play barrier that is available
projects/torbrowser/design/index.html.en    1247) only after the user has specifically enabled plugins. Flash is the only plugin
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1248) available, the rest are entirely
projects/torbrowser/design/index.html.en    1249) blocked from loading by the Firefox patches mentioned in the <a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience">Proxy Obedience
projects/torbrowser/design/index.html.en    1250) section</a>. We also set the Firefox
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1251) preference <span class="command"><strong>plugin.expose_full_path</strong></span> to false, to avoid
projects/torbrowser/design/index.html.en    1252) leaking plugin installation information.
projects/torbrowser/design/index.html.en    1253) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1254)      </p></li><li class="listitem"><span class="command"><strong>HTML5 Canvas Image Extraction</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1255) 
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1256) After plugins and plugin-provided information, we believe that the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5
projects/torbrowser/design/index.html.en    1257) Canvas</a> is the single largest fingerprinting threat browsers face
projects/torbrowser/design/index.html.en    1258) today. <a class="ulink" href="http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf" target="_top">Initial
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1259) studies</a> show that the Canvas can provide an easy-access fingerprinting
projects/torbrowser/design/index.html.en    1260) target: The adversary simply renders WebGL, font, and named color data to a
projects/torbrowser/design/index.html.en    1261) Canvas element, extracts the image buffer, and computes a hash of that image
projects/torbrowser/design/index.html.en    1262) data. Subtle differences in the video card, font packs, and even font and
projects/torbrowser/design/index.html.en    1263) graphics library versions allow the adversary to produce a stable, simple,
projects/torbrowser/design/index.html.en    1264) high-entropy fingerprint of a computer. In fact, the hash of the rendered
projects/torbrowser/design/index.html.en    1265) image can be used almost identically to a tracking cookie by the web server.
projects/torbrowser/design/index.html.en    1266) 
projects/torbrowser/design/index.html.en    1267)      </p><p>
projects/torbrowser/design/index.html.en    1268) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1269) In some sense, the canvas can be seen as the union of many other
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1270) fingerprinting vectors. If WebGL is normalized through software rendering,
projects/torbrowser/design/index.html.en    1271) system colors were standardized, and the browser shipped a fixed collection of
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1272) fonts (see later points in this list), it might not be necessary to create a
projects/torbrowser/design/index.html.en    1273) canvas permission. However, until then, to reduce the threat from this vector,
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1274) we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=6a169ef0166b268b1a27546a17b3d7470330917d" target="_top">prompt before returning valid image data</a> to the Canvas APIs,
projects/torbrowser/design/index.html.en    1275) and for <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=7d51acca6383732480b49ccdb5506ad6fb92e651" target="_top">access to isPointInPath and related functions</a>.
projects/torbrowser/design/index.html.en    1276) If the user hasn't previously allowed the site in the URL bar to access Canvas
projects/torbrowser/design/index.html.en    1277) image data, pure white image data is returned to the Javascript APIs.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1278) 
projects/torbrowser/design/index.html.en    1279)      </p><p>
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1280)      </p></li><li class="listitem"><span class="command"><strong>Open TCP Port and Local Network Fingerprinting</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1281) 
projects/torbrowser/design/index.html.en    1282) In Firefox, by using either WebSockets or XHR, it is possible for remote
projects/torbrowser/design/index.html.en    1283) content to <a class="ulink" href="http://www.andlabs.org/tools/jsrecon.html" target="_top">enumerate
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1284) the list of TCP ports open on 127.0.0.1</a>, as well as on any other
projects/torbrowser/design/index.html.en    1285) machines on the local network. In other browsers, this can be accomplished by
projects/torbrowser/design/index.html.en    1286) DOM events on image or script tags. This open vs filtered vs closed port list
projects/torbrowser/design/index.html.en    1287) can provide a very unique fingerprint of a machine, because it essentially
projects/torbrowser/design/index.html.en    1288) enables the detection of many different popular third party applications and
projects/torbrowser/design/index.html.en    1289) optional system services (Skype, Bitcoin, Bittorrent and other P2P software,
projects/torbrowser/design/index.html.en    1290) SSH ports, SMB and related LAN services, CUPS and printer daemon config ports,
projects/torbrowser/design/index.html.en    1291) mail servers, and so on). It is also possible to determine when ports are
projects/torbrowser/design/index.html.en    1292) closed versus filtered/blocked (and thus probe custom firewall configuration).
projects/torbrowser/design/index.html.en    1293) 
projects/torbrowser/design/index.html.en    1294)      </p><p>
projects/torbrowser/design/index.html.en    1295) 
projects/torbrowser/design/index.html.en    1296) In Tor Browser, we prevent access to 127.0.0.1/localhost by ensuring that even
projects/torbrowser/design/index.html.en    1297) these requests are still sent by Firefox to our SOCKS proxy (ie we set
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1298) <span class="command"><strong>network.proxy.no_proxies_on</strong></span> to the empty string). The local
projects/torbrowser/design/index.html.en    1299) Tor client then rejects them, since it is configured to proxy for internal IP
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1300) addresses by default. Access to the local network is forbidden via the same
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1301) mechanism. We also disable the WebRTC API as mentioned previously, since even
projects/torbrowser/design/index.html.en    1302) if it were usable over Tor, it still currently provides the local IP address
projects/torbrowser/design/index.html.en    1303) and associated network information to websites.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1304) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1305)      </p></li><li class="listitem"><span class="command"><strong>Invasive Authentication Mechanisms (NTLM and SPNEGO)</strong></span><p>
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1306) 
projects/torbrowser/design/index.html.en    1307) Both NTLM and SPNEGO authentication mechanisms can leak the hostname, and in
projects/torbrowser/design/index.html.en    1308) some cases the current username. The only reason why these aren't a more
projects/torbrowser/design/index.html.en    1309) serious problem is that they typically involve user interaction, and likely
projects/torbrowser/design/index.html.en    1310) aren't an attractive vector for this reason. However, because it is not clear
projects/torbrowser/design/index.html.en    1311) if certain carefully-crafted error conditions in these protocols could cause
projects/torbrowser/design/index.html.en    1312) them to reveal machine information and still fail silently prior to the
projects/torbrowser/design/index.html.en    1313) password prompt, these authentication mechanisms should either be disabled, or
projects/torbrowser/design/index.html.en    1314) placed behind a site permission before their use. We simply disable them.
projects/torbrowser/design/index.html.en    1315) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1316)      </p></li><li class="listitem"><span class="command"><strong>USB Device ID Enumeration via the GamePad API</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1317) 
projects/torbrowser/design/index.html.en    1318) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/API/Gamepad" target="_top">GamePad
projects/torbrowser/design/index.html.en    1319) API</a> provides web pages with the <a class="ulink" href="https://dvcs.w3.org/hg/gamepad/raw-file/default/gamepad.html#widl-Gamepad-id" target="_top">USB
projects/torbrowser/design/index.html.en    1320) device id, product id, and driver name</a> of all connected game
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1321) controllers, as well as detailed information about their capabilities.
projects/torbrowser/design/index.html.en    1322)     </p><p>
projects/torbrowser/design/index.html.en    1323) 
projects/torbrowser/design/index.html.en    1324) It's our opinion that this API needs to be completely redesigned to provide an
projects/torbrowser/design/index.html.en    1325) abstract notion of a game controller rather than offloading all of the
projects/torbrowser/design/index.html.en    1326) complexity associated with handling specific game controller models to web
projects/torbrowser/design/index.html.en    1327) content authors. For systems without a game controller, a standard controller
projects/torbrowser/design/index.html.en    1328) can be virtualized through the keyboard, which will serve to both improve
projects/torbrowser/design/index.html.en    1329) usability by normalizing user interaction with different games, as well as
projects/torbrowser/design/index.html.en    1330) eliminate fingerprinting vectors. Barring that, this API should be behind a
projects/torbrowser/design/index.html.en    1331) site permission in Private Browsing Modes. For now though, we simply disable
projects/torbrowser/design/index.html.en    1332) it via the pref <span class="command"><strong>dom.gamepad.enabled</strong></span>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1333) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1334)      </p></li><li class="listitem"><span class="command"><strong>Fonts</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1335) 
projects/en/torbrowser/design/index.html.en 1336) According to the Panopticlick study, fonts provide the most linkability when
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1337) they are provided as an enumerable list in file system order, via either the
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1338) Flash or Java plugins. However, it is still possible to use CSS and/or
projects/en/torbrowser/design/index.html.en 1339) Javascript to query for the existence of specific fonts. With a large enough
projects/en/torbrowser/design/index.html.en 1340) pre-built list to query, a large amount of fingerprintable information may
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1341) still be available, especially given that additional fonts often end up
projects/torbrowser/design/index.html.en    1342) installed by third party software and for multilingual support.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1343) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1344)      </p><p><span class="command"><strong>Design Goal:</strong></span> The sure-fire way to address font
projects/torbrowser/design/index.html.en    1345) linkability is to ship the browser with a font for every language, typeface,
projects/torbrowser/design/index.html.en    1346) and style, and to only use those fonts at the exclusion of system fonts. We are
projects/torbrowser/design/index.html.en    1347) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/13313" target="_top">currently
projects/torbrowser/design/index.html.en    1348) investigating</a> this approach, and our current favorite font sets for
projects/torbrowser/design/index.html.en    1349) this purpose are the <a class="ulink" href="http://www.droidfonts.com/droidfonts/" target="_top">Droid
projects/torbrowser/design/index.html.en    1350) fonts</a>, the <a class="ulink" href="http://hangeul.naver.com/" target="_top">Nanum fonts</a>,
projects/torbrowser/design/index.html.en    1351) and <a class="ulink" href="https://fedorahosted.org/lohit/" target="_top">Lohit fonts</a>. The Droid
projects/torbrowser/design/index.html.en    1352) font set is fairly complete by itself, but Nanum and Lohit have smaller
projects/torbrowser/design/index.html.en    1353) versions of many South Asian languages. When combined in a way that chooses the
projects/torbrowser/design/index.html.en    1354) smallest font implementations for each locale, these three font sets provide
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1355) coverage for the all languages used on Wikipedia with more than
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1356) 10,000 articles, and several others as well, in approximately 3MB of compressed
projects/torbrowser/design/index.html.en    1357) overhead. The <a class="ulink" href="https://www.google.com/get/noto/" target="_top">Noto font
projects/torbrowser/design/index.html.en    1358) set</a> is another font set that aims for complete coverage, but is
projects/torbrowser/design/index.html.en    1359) considerably larger than the combination of the Droid, Nanum, and Lohit fonts.
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1360) 
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1361)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1362) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1363) In the meantime while we investigate shipping our own fonts, we disable
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1364) plugins, which prevents font name enumeration. Additionally, we limit both the
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1365) number of font queries from CSS, as well as the total number of fonts that can
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1366) be used in a document <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e78bc05159a79c1358fa9c64e565af9d98c141ee" target="_top">with
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1367) a Firefox patch</a>. We create two prefs,
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1368) <span class="command"><strong>browser.display.max_font_attempts</strong></span> and
projects/torbrowser/design/index.html.en    1369) <span class="command"><strong>browser.display.max_font_count</strong></span> for this purpose. Once these
projects/torbrowser/design/index.html.en    1370) limits are reached, the browser behaves as if
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1371) <span class="command"><strong>browser.display.use_document_fonts</strong></span> was set.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1372) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1373)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1374) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1375) To improve rendering, we exempt remote <a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/@font-face" target="_top">@font-face
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1376) fonts</a> from these counts, and if a font-family CSS rule lists a remote
projects/torbrowser/design/index.html.en    1377) font (in any order), we use that font instead of any of the named local fonts.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1378) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1379)      </p></li><li class="listitem"><span class="command"><strong>Monitor, Widget, and OS Desktop Resolution</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1380) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1381) Both CSS and Javascript have access to a lot of information about the screen
projects/torbrowser/design/index.html.en    1382) resolution, usable desktop size, OS widget size, toolbar size, title bar size,
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1383) and OS desktop widget sizing information that are not at all relevant to
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1384) rendering and serve only to provide information for fingerprinting. Since many
projects/torbrowser/design/index.html.en    1385) aspects of desktop widget positioning and size are user configurable, these
projects/torbrowser/design/index.html.en    1386) properties yield customized information about the computer, even beyond the
projects/torbrowser/design/index.html.en    1387) monitor size.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1388) 
projects/en/torbrowser/design/index.html.en 1389)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1390) 
projects/en/torbrowser/design/index.html.en 1391) Our design goal here is to reduce the resolution information down to the bare
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1392) minimum required for properly rendering inside a content window. We intend to
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1393) report all rendering information correctly with respect to the size and
projects/en/torbrowser/design/index.html.en 1394) properties of the content window, but report an effective size of 0 for all
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1395) border material, and also report that the desktop is only as big as the inner
projects/torbrowser/design/index.html.en    1396) content window. Additionally, new browser windows are sized such that their
projects/torbrowser/design/index.html.en    1397) content windows are one of a few fixed sizes based on the user's desktop
projects/torbrowser/design/index.html.en    1398) resolution. In addition, to further reduce resolution-based fingerprinting, we
projects/torbrowser/design/index.html.en    1399) are <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7256" target="_top">investigating
projects/torbrowser/design/index.html.en    1400) zoom/viewport-based mechanisms</a> that might allow us to always report the
projects/torbrowser/design/index.html.en    1401) same desktop resolution regardless of the actual size of the content window,
projects/torbrowser/design/index.html.en    1402) and simply scale to make up the difference.  Until then, the user should also
projects/torbrowser/design/index.html.en    1403) be informed that maximizing their windows can lead to fingerprintability under
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1404) this scheme.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1405) 
projects/en/torbrowser/design/index.html.en 1406)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1407) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1408) We automatically resize new browser windows to a 200x100 pixel multiple using
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1409) a window observer <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/chrome/content/torbutton.js#n3361" target="_top">based
projects/torbrowser/design/index.html.en    1410) on desktop resolution</a>. To minimize the effect of the long tail of large
projects/torbrowser/design/index.html.en    1411) monitor sizes, we also cap the window size at 1000 pixels in each direction.
projects/torbrowser/design/index.html.en    1412) Additionally, we patch Firefox to use the client content window size <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=bd3b1ed32a9c21fdc92fc35f2ec0a41badc378d5" target="_top">for
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1413) window.screen</a>, and to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=a5648c8d80f396caf294d761cc4a9a76c0b33a9d" target="_top">report
projects/torbrowser/design/index.html.en    1414) a window.devicePixelRatio of 1.0</a>. Similarly, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=3c02858027634ffcfbd97047dfdf170c19ca29ec" target="_top">patch
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1415) DOM events to return content window relative points</a>.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1416) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1417) We also force popups to open in new tabs (via
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1418) <span class="command"><strong>browser.link.open_newwindow.restriction</strong></span>), to avoid
projects/torbrowser/design/index.html.en    1419) full-screen popups inferring information about the browser resolution. In
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1420) addition, we prevent auto-maximizing on browser start, and inform users that
projects/torbrowser/design/index.html.en    1421) maximized windows are detrimental to privacy in this mode.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1422) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1423)      </p></li><li class="listitem"><span class="command"><strong>Display Media information</strong></span><p>
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1424) 
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1425) Beyond simple resolution information, a large amount of so-called "Media"
projects/torbrowser/design/index.html.en    1426) information is also exported to content. Even without Javascript, CSS has
projects/torbrowser/design/index.html.en    1427) access to a lot of information about the device orientation, system theme
Mike Perry More fingerprinting clarifi...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1428) colors, and other desktop and display features that are not at all relevant to
projects/torbrowser/design/index.html.en    1429) rendering and also user configurable. Most of this
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1430) information comes from <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries" target="_top">CSS
projects/torbrowser/design/index.html.en    1431) Media Queries</a>, but Mozilla has exposed <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors" target="_top">several
projects/torbrowser/design/index.html.en    1432) user and OS theme defined color values</a> to CSS as well.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1433) 
projects/torbrowser/design/index.html.en    1434)      </p><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1435) 
projects/torbrowser/design/index.html.en    1436) CSS should not be able infer anything that the user has configured about their
projects/torbrowser/design/index.html.en    1437) computer. Additionally, it should not be able to infer machine-specific
projects/torbrowser/design/index.html.en    1438) details such as screen orientation or type.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1439) 
projects/torbrowser/design/index.html.en    1440)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1441) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1442) We patch
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1443) Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=cf8956b4460107c5b0053c8fc574e34b0a30ec1e" target="_top">report
projects/torbrowser/design/index.html.en    1444) a fixed set of system colors to content window CSS</a>, and <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=bbc138486e0489b0d559343fa0522df4ee3b3533" target="_top">prevent
projects/torbrowser/design/index.html.en    1445) detection of font smoothing on OSX</a>. We also always
projects/torbrowser/design/index.html.en    1446) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e17d60442ab0db92664ff68d90fe7bf737374912" target="_top">report
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1447) landscape-primary</a> for the screen orientation.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1448) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1449)      </p></li><li class="listitem"><span class="command"><strong>WebGL</strong></span><p>
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1450) 
projects/torbrowser/design/index.html.en    1451) WebGL is fingerprintable both through information that is exposed about the
projects/torbrowser/design/index.html.en    1452) underlying driver and optimizations, as well as through performance
projects/torbrowser/design/index.html.en    1453) fingerprinting.
projects/torbrowser/design/index.html.en    1454) 
projects/torbrowser/design/index.html.en    1455)      </p><p>
projects/torbrowser/design/index.html.en    1456) 
projects/torbrowser/design/index.html.en    1457) Because of the large amount of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/" target="_top">previously unexposed
projects/torbrowser/design/index.html.en    1458) vulnerability surface</a>, we deploy a similar strategy against WebGL as
projects/torbrowser/design/index.html.en    1459) for plugins. First, WebGL Canvases have click-to-play placeholders (provided
projects/torbrowser/design/index.html.en    1460) by NoScript), and do not run until authorized by the user. Second, we
projects/torbrowser/design/index.html.en    1461) obfuscate driver information by setting the Firefox preferences
projects/torbrowser/design/index.html.en    1462) <span class="command"><strong>webgl.disable-extensions</strong></span> and
projects/torbrowser/design/index.html.en    1463) <span class="command"><strong>webgl.min_capability_mode</strong></span>, which reduce the information
projects/torbrowser/design/index.html.en    1464) provided by the following WebGL API calls: <span class="command"><strong>getParameter()</strong></span>,
projects/torbrowser/design/index.html.en    1465) <span class="command"><strong>getSupportedExtensions()</strong></span>, and
projects/torbrowser/design/index.html.en    1466) <span class="command"><strong>getExtension()</strong></span>.
projects/torbrowser/design/index.html.en    1467) 
projects/torbrowser/design/index.html.en    1468)      </p><p>
projects/torbrowser/design/index.html.en    1469) 
projects/torbrowser/design/index.html.en    1470) Another option for WebGL might be to use software-only rendering, using a
projects/torbrowser/design/index.html.en    1471) library such as <a class="ulink" href="http://www.mesa3d.org/" target="_top">Mesa</a>. The use of
projects/torbrowser/design/index.html.en    1472) such a library would avoid hardware-specific rendering differences.
projects/torbrowser/design/index.html.en    1473) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1474)      </p></li><li class="listitem"><span class="command"><strong>User Agent and HTTP Headers</strong></span><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Update design doc to descri...

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1475) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1476) All Tor Browser users MUST provide websites with an identical user agent and
projects/torbrowser/design/index.html.en    1477) HTTP header set for a given request type. We omit the Firefox minor revision,
projects/torbrowser/design/index.html.en    1478) and report a popular Windows platform. If the software is kept up to date,
projects/torbrowser/design/index.html.en    1479) these headers should remain identical across the population even when updated.
projects/torbrowser/design/index.html.en    1480) 
projects/torbrowser/design/index.html.en    1481)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1482) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1483) Firefox provides several options for controlling the browser user agent string
projects/torbrowser/design/index.html.en    1484) which we leverage. We also set similar prefs for controlling the
projects/torbrowser/design/index.html.en    1485) Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1486) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e9841ee41e7f3f1535be2d605084c41ee9faf6c2" target="_top">remove
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1487) content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1488) used</a> to fingerprint OS, platform, and Firefox minor version.  </p></li><li class="listitem"><span class="command"><strong>Locale Fingerprinting</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1489) 
projects/torbrowser/design/index.html.en    1490) In Tor Browser, we provide non-English users the option of concealing their OS
projects/torbrowser/design/index.html.en    1491) and browser locale from websites. It is debatable if this should be as high of
projects/torbrowser/design/index.html.en    1492) a priority as information specific to the user's computer, but for
projects/torbrowser/design/index.html.en    1493) completeness, we attempt to maintain this property.
projects/torbrowser/design/index.html.en    1494) 
projects/torbrowser/design/index.html.en    1495)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    1496) 
projects/torbrowser/design/index.html.en    1497) We set the fallback character set to set to windows-1252 for all locales, via
projects/torbrowser/design/index.html.en    1498) <span class="command"><strong>intl.charset.default</strong></span>.  We also patch Firefox to allow us to
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1499) <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=4545ecd6dc2ca7d10aefe36b81658547ea97b800" target="_top">instruct
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1500) the JS engine</a> to use en-US as its internal C locale for all Date, Math,
projects/torbrowser/design/index.html.en    1501) and exception handling.
projects/torbrowser/design/index.html.en    1502) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1503)      </p></li><li class="listitem"><span class="command"><strong>Timezone and Clock Offset</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1504) 
projects/torbrowser/design/index.html.en    1505) While the latency in Tor connections varies anywhere from milliseconds to
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1506) a few seconds, it is still possible for the remote site to detect large
projects/torbrowser/design/index.html.en    1507) differences between the user's clock and an official reference time source. 
projects/torbrowser/design/index.html.en    1508) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1509)      </p><p><span class="command"><strong>Design Goal:</strong></span>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1510) 
Mike Perry Update TBB design doc with...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1511) All Tor Browser users MUST report the same timezone to websites. Currently, we
projects/torbrowser/design/index.html.en    1512) choose UTC for this purpose, although an equally valid argument could be made
projects/torbrowser/design/index.html.en    1513) for EDT/EST due to the large English-speaking population density (coupled with
projects/torbrowser/design/index.html.en    1514) the fact that we spoof a US English user agent).  Additionally, the Tor
projects/torbrowser/design/index.html.en    1515) software should detect if the users clock is significantly divergent from the
projects/torbrowser/design/index.html.en    1516) clocks of the relays that it connects to, and use this to reset the clock
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1517) values used in Tor Browser to something reasonably accurate. Alternatively,
projects/torbrowser/design/index.html.en    1518) the browser can obtain this clock skew via a mechanism similar to that used in
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1519) <a class="ulink" href="https://github.com/ioerror/tlsdate" target="_top">tlsdate</a>.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1520) 
projects/en/torbrowser/design/index.html.en 1521)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1522) 
projects/en/torbrowser/design/index.html.en 1523) We set the timezone using the TZ environment variable, which is supported on
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1524) all platforms.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1525) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1526)      </p></li><li class="listitem"><span class="command"><strong>Javascript Performance Fingerprinting</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1527) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1528) <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1529) fingerprinting</a> is the act of profiling the performance
projects/en/torbrowser/design/index.html.en 1530) of various Javascript functions for the purpose of fingerprinting the
projects/en/torbrowser/design/index.html.en 1531) Javascript engine and the CPU.
projects/en/torbrowser/design/index.html.en 1532) 
projects/en/torbrowser/design/index.html.en 1533)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1534) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1535) We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1536) mitigation approaches</a> to reduce the accuracy of performance
projects/en/torbrowser/design/index.html.en 1537) fingerprinting without risking too much damage to functionality. Our current
projects/en/torbrowser/design/index.html.en 1538) favorite is to reduce the resolution of the Event.timeStamp and the Javascript
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1539) Date() object, while also introducing jitter. We believe that Javascript time
projects/torbrowser/design/index.html.en    1540) resolution may be reduced all the way up to the second before it seriously
projects/torbrowser/design/index.html.en    1541) impacts site operation. Our goal with this quantization is to increase the
projects/torbrowser/design/index.html.en    1542) amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found
projects/torbrowser/design/index.html.en    1543) that even with the default precision in most browsers, they required up to 120
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1544) seconds of amortization and repeated trials to get stable results from their
projects/en/torbrowser/design/index.html.en 1545) feature set. We intend to work with the research community to establish the
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1546) optimum trade-off between quantization+jitter and amortization time, as well
projects/torbrowser/design/index.html.en    1547) as identify highly variable Javascript operations. As long as these attacks
projects/torbrowser/design/index.html.en    1548) take several seconds or more to execute, they are unlikely to be appealing to
projects/torbrowser/design/index.html.en    1549) advertisers, and are also very likely to be noticed if deployed against a
projects/torbrowser/design/index.html.en    1550) large number of people.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1551) 
projects/en/torbrowser/design/index.html.en 1552)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1553) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1554) Currently, our mitigation against performance fingerprinting is to
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1555) disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/" target="_top">Navigation
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1556) Timing</a> through the Firefox preference
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1557) <span class="command"><strong>dom.enable_performance</strong></span>, and to disable the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties" target="_top">Mozilla
projects/torbrowser/design/index.html.en    1558) Video Statistics</a> API extensions via the preference
projects/torbrowser/design/index.html.en    1559) <span class="command"><strong>media.video_stats.enabled</strong></span>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1560) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1561)      </p></li><li class="listitem"><span class="command"><strong>Keystroke Fingerprinting</strong></span><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1562) 
projects/en/torbrowser/design/index.html.en 1563) Keystroke fingerprinting is the act of measuring key strike time and key
projects/en/torbrowser/design/index.html.en 1564) flight time. It is seeing increasing use as a biometric.
projects/en/torbrowser/design/index.html.en 1565) 
projects/en/torbrowser/design/index.html.en 1566)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/en/torbrowser/design/index.html.en 1567) 
projects/en/torbrowser/design/index.html.en 1568) We intend to rely on the same mechanisms for defeating Javascript performance
projects/en/torbrowser/design/index.html.en 1569) fingerprinting: timestamp quantization and jitter.
projects/en/torbrowser/design/index.html.en 1570) 
projects/en/torbrowser/design/index.html.en 1571)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/en/torbrowser/design/index.html.en 1572) We have no implementation as of yet.
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1573)      </p></li><li class="listitem"><span class="command"><strong>Operating System Type Fingerprinting</strong></span><p>
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1574) 
projects/torbrowser/design/index.html.en    1575) As we mentioned in the introduction of this section, OS type fingerprinting is
projects/torbrowser/design/index.html.en    1576) currently considered a lower priority, due simply to the numerous ways that
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1577) characteristics of the operating system type may leak into content, and the
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1578) comparatively low contribution of OS to overall entropy. In particular, there
projects/torbrowser/design/index.html.en    1579) are likely to be many ways to measure the differences in widget size,
projects/torbrowser/design/index.html.en    1580) scrollbar size, and other rendered details on a page. Also, directly exported
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1581) OS routines (such as those from the standard C math library) expose
projects/torbrowser/design/index.html.en    1582) differences in their implementations through their return values.
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1583) 
projects/torbrowser/design/index.html.en    1584)      </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en    1585) 
projects/torbrowser/design/index.html.en    1586) We intend to reduce or eliminate OS type fingerprinting to the best extent
projects/torbrowser/design/index.html.en    1587) possible, but recognize that the effort for reward on this item is not as high
projects/torbrowser/design/index.html.en    1588) as other areas. The entropy on the current OS distribution is somewhere around
projects/torbrowser/design/index.html.en    1589) 2 bits, which is much lower than other vectors which can also be used to
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1590) fingerprint configuration and user-specific information.  You can see the
projects/torbrowser/design/index.html.en    1591) major areas of OS fingerprinting we're aware of using the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-os" target="_top">tbb-fingerprinting-os
projects/torbrowser/design/index.html.en    1592) tag on our bug tracker</a>.
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1593) 
projects/torbrowser/design/index.html.en    1594)      </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en    1595) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1596) At least three HTML5 features have different implementation status across the
projects/torbrowser/design/index.html.en    1597) major OS vendors and/or the underlying hardware: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery
projects/torbrowser/design/index.html.en    1598) API</a>, the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
projects/torbrowser/design/index.html.en    1599) Connection API</a>, and the <a class="ulink" href="https://wiki.mozilla.org/Sensor_API" target="_top">Sensor API</a>. We disable these APIs through the Firefox preferences
projects/torbrowser/design/index.html.en    1600) <span class="command"><strong>dom.battery.enabled</strong></span>,
projects/torbrowser/design/index.html.en    1601) <span class="command"><strong>dom.network.enabled</strong></span>, and
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1602) <span class="command"><strong>device.sensors.enabled</strong></span>.
Mike Perry Describe OS type fingerprin...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1603) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1604)      </p></li></ol></div><p>
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1605) For more details on fingerprinting bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed" target="_top">tbb-fingerprinting tag in our bug tracker</a>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1606)    </p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1607) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1608) In order to avoid long-term linkability, we provide a "New Identity" context
projects/torbrowser/design/index.html.en    1609) menu option in Torbutton. This context menu option is active if Torbutton can
projects/torbrowser/design/index.html.en    1610) read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1611) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1612)    </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55268352"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1613) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1614) All linkable identifiers and browser state MUST be cleared by this feature.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1615) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1616)     </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55269600"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1617) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1618) First, Torbutton disables Javascript in all open tabs and windows by using
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1619) both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a>
projects/torbrowser/design/index.html.en    1620) attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29" target="_top">nsIDOMWindowUtil.suppressEventHandling()</a>.
projects/torbrowser/design/index.html.en    1621) We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29" target="_top">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1622) We then clear the site-specific Zoom by temporarily disabling the preference
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1623) <span class="command"><strong>browser.zoom.siteSpecific</strong></span>, and clear the GeoIP wifi token URL
projects/torbrowser/design/index.html.en    1624) <span class="command"><strong>geo.wifi.access_token</strong></span> and the last opened URL prefs (if
projects/torbrowser/design/index.html.en    1625) they exist). Each tab is then closed.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1626) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1627)      </p><p>
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1628) 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1629) After closing all tabs, we then emit "<a class="ulink" href="https://developer.mozilla.org/en-US/docs/Supporting_private_browsing_mode#Private_browsing_notifications" target="_top">browser:purge-session-history</a>"
projects/torbrowser/design/index.html.en    1630) (which instructs addons and various Firefox components to clear their session
projects/torbrowser/design/index.html.en    1631) state), and then manually clear the following state: searchbox and findbox
projects/torbrowser/design/index.html.en    1632) text, HTTP auth, SSL state, OCSP state, site-specific content preferences
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1633) (including HSTS state), content and image cache, offline cache, offline
projects/torbrowser/design/index.html.en    1634) storage, Cookies, crypto tokens, DOM storage, the safe browsing key, and the
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1635) Google wifi geolocation token (if it exists). We also clear NoScript's site
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1636) and temporary permissions, and all other browser site permissions.
Mike Perry Add design doc draft.

Mike Perry authored 13 years ago

projects/en/torbrowser/design/index.html.en 1637) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1638)      </p><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 13 years ago

projects/torbrowser/design/index.html.en    1639) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1640) After the state is cleared, we then close all remaining HTTP keep-alive
projects/torbrowser/design/index.html.en    1641) connections and then send the NEWNYM signal to the Tor control port to cause a
projects/torbrowser/design/index.html.en    1642) new circuit to be created.
projects/torbrowser/design/index.html.en    1643)      </p><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1644) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1645) Finally, a fresh browser window is opened, and the current browser window is
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1646) closed (this does not spawn a new Firefox process, only a new window). Upon
projects/torbrowser/design/index.html.en    1647) the close of the final window, an unload handler is fired to invoke the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDOMWindowUtils#garbageCollect%28%29" target="_top">garbage
projects/torbrowser/design/index.html.en    1648) collector</a>, which has the effect of immediately purging any blob:UUID
projects/torbrowser/design/index.html.en    1649) URLs that were created by website content via <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>.
projects/torbrowser/design/index.html.en    1650) 
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1651)      </p></blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en    1652) If the user chose to "protect" any cookies by using the Torbutton Cookie
projects/torbrowser/design/index.html.en    1653) Protections UI, those cookies are not cleared as part of the above.
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1654)     </blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="other-security"></a>4.8. Other Security Measures</h3></div></div></div><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1655) 
projects/torbrowser/design/index.html.en    1656) In addition to the above mechanisms that are devoted to preserving privacy
projects/torbrowser/design/index.html.en    1657) while browsing, we also have a number of technical mechanisms to address other
projects/torbrowser/design/index.html.en    1658) privacy and security issues.
projects/torbrowser/design/index.html.en    1659) 
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1660)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="security-slider"></a><span class="command"><strong>Security Slider</strong></span><p>
projects/torbrowser/design/index.html.en    1661) 
projects/torbrowser/design/index.html.en    1662) In order to provide vulnerability surface reduction for users that need high
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1663) security, we have implemented a "Security Slider" to allow users to make a
projects/torbrowser/design/index.html.en    1664) tradeoff between usability and security while minimizing the total number of
projects/torbrowser/design/index.html.en    1665) choices (to reduce fingerprinting). Using metrics collected from
projects/torbrowser/design/index.html.en    1666) Mozilla's bug tracker, we analyzed the vulnerability counts of core
projects/torbrowser/design/index.html.en    1667) components, and used <a class="ulink" href="https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle" target="_top">information
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1668) gathered from a study performed by iSec Partners</a> to inform which
projects/torbrowser/design/index.html.en    1669) features should be disabled at which security levels.
projects/torbrowser/design/index.html.en    1670) 
projects/torbrowser/design/index.html.en    1671)      </p><p>
projects/torbrowser/design/index.html.en    1672) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1673) The Security Slider consists of four positions:
projects/torbrowser/design/index.html.en    1674) 
projects/torbrowser/design/index.html.en    1675)      </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><span class="command"><strong>Low</strong></span><p>
projects/torbrowser/design/index.html.en    1676) 
projects/torbrowser/design/index.html.en    1677) At this security level, the preferences are the Tor Browser defaults.
projects/torbrowser/design/index.html.en    1678) 
projects/torbrowser/design/index.html.en    1679)       </p></li><li class="listitem"><span class="command"><strong>Medium-Low</strong></span><p>
projects/torbrowser/design/index.html.en    1680) 
projects/torbrowser/design/index.html.en    1681) At this security level, we disable the ION JIT
projects/torbrowser/design/index.html.en    1682) (<span class="command"><strong>javascript.options.ion.content</strong></span>), TypeInference JIT
projects/torbrowser/design/index.html.en    1683) (<span class="command"><strong>javascript.options.typeinference</strong></span>), ASM.JS
projects/torbrowser/design/index.html.en    1684) (<span class="command"><strong>javascript.options.asmjs</strong></span>), WebAudio
projects/torbrowser/design/index.html.en    1685) (<span class="command"><strong>media.webaudio.enabled</strong></span>), MathML
projects/torbrowser/design/index.html.en    1686) (<span class="command"><strong>mathml.disabled</strong></span>), block remote JAR files
projects/torbrowser/design/index.html.en    1687) (<span class="command"><strong>network.jar.block-remote-files</strong></span>), and make HTML5 audio and
projects/torbrowser/design/index.html.en    1688) video click-to-play via NoScript (<span class="command"><strong>noscript.forbidMedia</strong></span>).
projects/torbrowser/design/index.html.en    1689) 
projects/torbrowser/design/index.html.en    1690)        </p></li><li class="listitem"><span class="command"><strong>Medium-High</strong></span><p>
projects/torbrowser/design/index.html.en    1691) 
projects/torbrowser/design/index.html.en    1692) This security level inherits the preferences from the Medium-Low level, and
projects/torbrowser/design/index.html.en    1693) additionally disables the baseline JIT
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1694) (<span class="command"><strong>javascript.options.baselinejit.content</strong></span>), disables Graphite
projects/torbrowser/design/index.html.en    1695) (<span class="command"><strong>gfx.font_rendering.graphite.enabled</strong></span>) and SVG OpenType font
projects/torbrowser/design/index.html.en    1696) rendering (<span class="command"><strong>gfx.font_rendering.opentype_svg.enabled</strong></span>) and only
projects/torbrowser/design/index.html.en    1697) allows Javascript to run if it is loaded over HTTPS and the URL bar is HTTPS
projects/torbrowser/design/index.html.en    1698) (by setting <span class="command"><strong>noscript.global</strong></span> to false and
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1699) <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span> to true).
projects/torbrowser/design/index.html.en    1700) 
projects/torbrowser/design/index.html.en    1701)        </p></li><li class="listitem"><span class="command"><strong>High</strong></span><p>
projects/torbrowser/design/index.html.en    1702) 
projects/torbrowser/design/index.html.en    1703) This security level inherits the preferences from the Medium-Low and
projects/torbrowser/design/index.html.en    1704) Medium-High levels, and additionally disables remote fonts
projects/torbrowser/design/index.html.en    1705) (<span class="command"><strong>noscript.forbidFonts</strong></span>), completely disables Javascript (by
projects/torbrowser/design/index.html.en    1706) unsetting <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span>), and disables SVG
projects/torbrowser/design/index.html.en    1707) images (<span class="command"><strong>svg.in-content.enabled</strong></span>).
projects/torbrowser/design/index.html.en    1708) 
projects/torbrowser/design/index.html.en    1709)        </p></li></ul></div></li><li class="listitem"><a id="traffic-fingerprinting-defenses"></a><span class="command"><strong>Website Traffic Fingerprinting Defenses</strong></span><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1710) 
projects/torbrowser/design/index.html.en    1711) <a class="link" href="#website-traffic-fingerprinting">Website Traffic
projects/torbrowser/design/index.html.en    1712) Fingerprinting</a> is a statistical attack to attempt to recognize specific
projects/torbrowser/design/index.html.en    1713) encrypted website activity.
projects/torbrowser/design/index.html.en    1714) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1715)      </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55303936"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1716) 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1717) We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1718) for classification. This mechanism would either impact the true and false
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1719) positive accuracy rates, <span class="emphasis"><em>or</em></span> reduce the number of web pages
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1720) that could be classified at a given accuracy rate.
projects/torbrowser/design/index.html.en    1721) 
projects/torbrowser/design/index.html.en    1722)      </p><p>
projects/torbrowser/design/index.html.en    1723) 
projects/torbrowser/design/index.html.en    1724) Ideally, this mechanism would be as light-weight as possible, and would be
projects/torbrowser/design/index.html.en    1725) tunable in terms of overhead. We suspect that it may even be possible to
projects/torbrowser/design/index.html.en    1726) deploy a mechanism that reduces feature extraction resolution without any
projects/torbrowser/design/index.html.en    1727) network overhead. In the no-overhead category, we have <a class="ulink" href="http://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf" target="_top">HTTPOS</a> and
projects/torbrowser/design/index.html.en    1728) <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">better
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1729) use of HTTP pipelining and/or SPDY</a>. 
projects/torbrowser/design/index.html.en    1730) In the tunable/low-overhead
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1731) category, we have <a class="ulink" href="http://freehaven.net/anonbib/cache/ShWa-Timing06.pdf" target="_top">Adaptive
projects/torbrowser/design/index.html.en    1732) Padding</a> and <a class="ulink" href="http://www.cs.sunysb.edu/~xcai/fp.pdf" target="_top">
projects/torbrowser/design/index.html.en    1733) Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7028" target="_top">tune such
projects/torbrowser/design/index.html.en    1734) defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1735) network, making them also effectively no-overhead.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1736) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1737)      </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55310832"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1738) Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=20a59cec9886cf2575b1fd8e92b43e31ba053fbd" target="_top">randomize
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1739) pipeline order and depth</a>. Unfortunately, pipelining is very fragile.
projects/torbrowser/design/index.html.en    1740) Many sites do not support it, and even sites that advertise support for
projects/torbrowser/design/index.html.en    1741) pipelining may simply return error codes for successive requests, effectively
projects/torbrowser/design/index.html.en    1742) forcing the browser into non-pipelined behavior. Firefox also has code to back
projects/torbrowser/design/index.html.en    1743) off and reduce or eliminate the pipeline if this happens. These
projects/torbrowser/design/index.html.en    1744) shortcomings and fallback behaviors are the primary reason that Google
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1745) developed SPDY as opposed to simply extending HTTP to improve pipelining. It
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1746) turns out that we could actually deploy exit-side proxies that allow us to
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1747) <a class="ulink" href="https://gitweb.torproject.org/torspec.git/tree/proposals/ideas/xxx-using-spdy.txt" target="_top">use
Mike Perry TBB Design Doc: Mention use...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1748) SPDY from the client to the exit node</a>. This would make our defense not
projects/torbrowser/design/index.html.en    1749) only free, but one that actually <span class="emphasis"><em>improves</em></span> performance.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1750) 
projects/torbrowser/design/index.html.en    1751)      </p><p>
projects/torbrowser/design/index.html.en    1752) 
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1753) Knowing this, we created this defense as an <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1754) research prototype</a> to help evaluate what could be done in the best
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1755) case with full server support. Unfortunately, the bias in favor of compelling
projects/torbrowser/design/index.html.en    1756) attack papers has caused academia to ignore this request thus far, instead
projects/torbrowser/design/index.html.en    1757) publishing only cursory (yet "devastating") evaluations that fail to provide
projects/torbrowser/design/index.html.en    1758) even simple statistics such as the rates of actual pipeline utilization during
projects/torbrowser/design/index.html.en    1759) their evaluations, in addition to the other shortcomings and shortcuts <a class="link" href="#website-traffic-fingerprinting">mentioned earlier</a>. We can
projects/torbrowser/design/index.html.en    1760) accept that our defense might fail to work as well as others (in fact we
projects/torbrowser/design/index.html.en    1761) expect it), but unfortunately the very same shortcuts that provide excellent
projects/torbrowser/design/index.html.en    1762) attack results also allow the conclusion that all defenses are broken forever.
projects/torbrowser/design/index.html.en    1763) So sadly, we are still left in the dark on this point.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1764) 
projects/torbrowser/design/index.html.en    1765)      </p></blockquote></div></div></li><li class="listitem"><span class="command"><strong>Privacy-preserving update notification</strong></span><p>
projects/torbrowser/design/index.html.en    1766) 
projects/torbrowser/design/index.html.en    1767) In order to inform the user when their Tor Browser is out of date, we perform a
Mike Perry TBB design doc: Clarify web...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1768) privacy-preserving update check asynchronously in the background. The
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1769) check uses Tor to download the file <a class="ulink" href="https://check.torproject.org/RecommendedTBBVersions" target="_top">https://check.torproject.org/RecommendedTBBVersions</a>
projects/torbrowser/design/index.html.en    1770) and searches that version list for the current value for the local preference
projects/torbrowser/design/index.html.en    1771) <span class="command"><strong>torbrowser.version</strong></span>. If the value from our preference is
projects/torbrowser/design/index.html.en    1772) present in the recommended version list, the check is considered to have
projects/torbrowser/design/index.html.en    1773) succeeded and the user is up to date. If not, it is considered to have failed
projects/torbrowser/design/index.html.en    1774) and an update is needed. The check is triggered upon browser launch, new
projects/torbrowser/design/index.html.en    1775) window, and new tab, but is rate limited so as to happen no more frequently
projects/torbrowser/design/index.html.en    1776) than once every 1.5 hours.
projects/torbrowser/design/index.html.en    1777) 
projects/torbrowser/design/index.html.en    1778)      </p><p>
projects/torbrowser/design/index.html.en    1779) 
projects/torbrowser/design/index.html.en    1780) If the check fails, we cache this fact, and update the Torbutton graphic to
projects/torbrowser/design/index.html.en    1781) display a flashing warning icon and insert a menu option that provides a link
projects/torbrowser/design/index.html.en    1782) to our download page. Additionally, we reset the value for the browser
projects/torbrowser/design/index.html.en    1783) homepage to point to a <a class="ulink" href="https://check.torproject.org/?lang=en-US&amp;small=1&amp;uptodate=0" target="_top">page that
projects/torbrowser/design/index.html.en    1784) informs the user</a> that their browser is out of
projects/torbrowser/design/index.html.en    1785) date.
projects/torbrowser/design/index.html.en    1786) 
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1787)      </p><p>
projects/torbrowser/design/index.html.en    1788) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1789) We also make use of the in-browser Mozilla updater, and have <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=bcf51aae541fc28de251924ce9394224bd2b814c" target="_top">patched
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1790) the updater</a> to avoid sending OS and Kernel version information as part
projects/torbrowser/design/index.html.en    1791) of its update pings.
projects/torbrowser/design/index.html.en    1792) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1793)      </p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="BuildSecurity"></a>5. Build Security and Package Integrity</h2></div></div></div><p>
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1794) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1795) In the age of state-sponsored malware, <a class="ulink" href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise" target="_top">we
projects/torbrowser/design/index.html.en    1796) believe</a> it is impossible to expect to keep a single build machine or
projects/torbrowser/design/index.html.en    1797) software signing key secure, given the class of adversaries that Tor has to
projects/torbrowser/design/index.html.en    1798) contend with. For this reason, we have deployed a build system
projects/torbrowser/design/index.html.en    1799) that allows anyone to use our source code to reproduce byte-for-byte identical
projects/torbrowser/design/index.html.en    1800) binary packages to the ones that we distribute.
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1801) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1802)   </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp55327360"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1803) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1804) The GNU toolchain has been working on providing reproducible builds for some
projects/torbrowser/design/index.html.en    1805) time, however a large software project such as Firefox typically ends up
projects/torbrowser/design/index.html.en    1806) embedding a large number of details about the machine it was built on, both
projects/torbrowser/design/index.html.en    1807) intentionally and inadvertently. Additionally, manual changes to the build
projects/torbrowser/design/index.html.en    1808) machine configuration can accumulate over time and are difficult for others to
projects/torbrowser/design/index.html.en    1809) replicate externally, which leads to difficulties with binary reproducibility. 
Mike Perry Update TBB design doc.

Mike Perry authored 12 years ago

projects/torbrowser/design/index.html.en    1810) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1811)    </p><p>
projects/torbrowser/design/index.html.en    1812) For this reason, we decided to leverage the work done by the <a class="ulink" href="http://gitian.org/" target="_top">Gitian Project</a> from the Bitcoin community.
projects/torbrowser/design/index.html.en    1813) Gitian is a wrapper around Ubuntu's virtualization tools that allows you to
projects/torbrowser/design/index.html.en    1814) specify an Ubuntu version, architecture, a set of additional packages, a set
projects/torbrowser/design/index.html.en    1815) of input files, and a bash build scriptlet in an YAML document called a
projects/torbrowser/design/index.html.en    1816) "Gitian Descriptor". This document is used to install a qemu-kvm image, and
projects/torbrowser/design/index.html.en    1817) execute your build scriptlet inside it.
projects/torbrowser/design/index.html.en    1818)    </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1819) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1820) We have created a <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/refs/heads/master" target="_top">set
projects/torbrowser/design/index.html.en    1821) of wrapper scripts</a> around Gitian to automate dependency download and
projects/torbrowser/design/index.html.en    1822) authentication, as well as transfer intermediate build outputs between the
projects/torbrowser/design/index.html.en    1823) stages of the build process. Because Gitian creates an Ubuntu build
projects/torbrowser/design/index.html.en    1824) environment, we must use cross-compilation to create packages for Windows and
projects/torbrowser/design/index.html.en    1825) Mac OS. For Windows, we use mingw-w64 as our cross compiler. For Mac OS, we
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1826) use crosstools-ng in combination with a binary redistribution of the Mac OS 10.6
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1827) SDK.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1828) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1829)    </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1830) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1831) The use of the Gitian system eliminates build non-determinism by normalizing
projects/torbrowser/design/index.html.en    1832) the build environment's hostname, username, build path, uname output,
projects/torbrowser/design/index.html.en    1833) toolchain versions, and time. On top of what Gitian provides, we also had to
projects/torbrowser/design/index.html.en    1834) address the following additional sources of non-determinism:
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1835) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1836)    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Filesystem and archive reordering</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1837) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1838) The most prevalent source of non-determinism in the components of Tor Browser
projects/torbrowser/design/index.html.en    1839) by far was various ways that archives (such as zip, tar, jar/ja, DMG, and
projects/torbrowser/design/index.html.en    1840) Firefox manifest lists) could be reordered. Many file archivers walk the
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1841) file system in inode structure order by default, which will result in ordering
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1842) differences between two different archive invocations, especially on machines
projects/torbrowser/design/index.html.en    1843) of different disk and hardware configurations.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1844) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1845)     </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1846) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1847) The fix for this is to perform an additional sorting step on the input list
projects/torbrowser/design/index.html.en    1848) for archives, but care must be taken to instruct libc and other sorting routines
projects/torbrowser/design/index.html.en    1849) to use a fixed locale to determine lexicographic ordering, or machines with
projects/torbrowser/design/index.html.en    1850) different locale settings will produce different sort results. We chose the
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1851) 'C' locale for this purpose. We created wrapper scripts for <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dtar.sh" target="_top">tar</a>,
projects/torbrowser/design/index.html.en    1852) <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dzip.sh" target="_top">zip</a>,
projects/torbrowser/design/index.html.en    1853) and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/ddmg.sh" target="_top">DMG</a>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1854) to aid in reproducible archive creation.
projects/torbrowser/design/index.html.en    1855) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1856)     </p></li><li class="listitem"><span class="command"><strong>Uninitialized memory in toolchain/archivers</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1857) 
projects/torbrowser/design/index.html.en    1858) We ran into difficulties with both binutils and the DMG archive script using
projects/torbrowser/design/index.html.en    1859) uninitialized memory in certain data structures that ended up written to disk.
projects/torbrowser/design/index.html.en    1860) Our binutils fixes were merged upstream, but the DMG archive fix remains an
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1861) <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/patches/libdmg.patch" target="_top">independent
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1862) patch</a>.
projects/torbrowser/design/index.html.en    1863) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1864)     </p></li><li class="listitem"><span class="command"><strong>Fine-grained timestamps and timezone leaks</strong></span><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1865) 
projects/torbrowser/design/index.html.en    1866) The standard way of controlling timestamps in Gitian is to use libfaketime,
projects/torbrowser/design/index.html.en    1867) which hooks time-related library calls to provide a fixed timestamp. However,
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1868) due to our use of wine to run py2exe for python-based pluggable transports,
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1869) pyc timestamps had to be addressed with an additional <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/pyc-timestamp.sh" target="_top">helper
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1870) script</a>. The timezone leaks were addressed by setting the
projects/torbrowser/design/index.html.en    1871) <span class="command"><strong>TZ</strong></span> environment variable to UTC in our descriptors.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1872) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1873)     </p></li><li class="listitem"><span class="command"><strong>Deliberately generated entropy</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1874) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1875) In two circumstances, deliberately generated entropy was introduced in various
projects/torbrowser/design/index.html.en    1876) components of the build process. First, the BuildID Debuginfo identifier
projects/torbrowser/design/index.html.en    1877) (which associates detached debug files with their corresponding stripped
projects/torbrowser/design/index.html.en    1878) executables) was introducing entropy from some unknown source. We removed this
projects/torbrowser/design/index.html.en    1879) header using objcopy invocations in our build scriptlets, and opted to use GNU
projects/torbrowser/design/index.html.en    1880) DebugLink instead of BuildID for this association.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1881) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1882)     </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1883) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1884) Second, on Linux, Firefox builds detached signatures of its cryptographic
projects/torbrowser/design/index.html.en    1885) libraries using a temporary key for FIPS-140 certification. A rather insane
projects/torbrowser/design/index.html.en    1886) subsection of the FIPS-140 certification standard requires that you distribute
projects/torbrowser/design/index.html.en    1887) signatures for all of your cryptographic libraries. The Firefox build process
projects/torbrowser/design/index.html.en    1888) meets this requirement by generating a temporary key, using it to sign the
projects/torbrowser/design/index.html.en    1889) libraries, and discarding the private portion of that key. Because there are
projects/torbrowser/design/index.html.en    1890) many other ways to intercept the crypto outside of modifying the actual DLL
projects/torbrowser/design/index.html.en    1891) images, we opted to simply remove these signature files from distribution.
projects/torbrowser/design/index.html.en    1892) There simply is no way to verify code integrity on a running system without
projects/torbrowser/design/index.html.en    1893) both OS and co-processor assistance. Download package signatures make sense of
projects/torbrowser/design/index.html.en    1894) course, but we handle those another way (as mentioned above).
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1895) 
projects/torbrowser/design/index.html.en    1896) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1897)     </p></li><li class="listitem"><span class="command"><strong>LXC-specific leaks</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1898) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1899) Gitian provides an option to use LXC containers instead of full qemu-kvm
projects/torbrowser/design/index.html.en    1900) virtualization. Unfortunately, these containers can allow additional details
projects/torbrowser/design/index.html.en    1901) about the host OS to leak. In particular, umask settings as well as the
projects/torbrowser/design/index.html.en    1902) hostname and Linux kernel version can leak from the host OS into the LXC
projects/torbrowser/design/index.html.en    1903) container. We addressed umask by setting it explicitly in our Gitian
projects/torbrowser/design/index.html.en    1904) descriptor scriptlet, and addressed the hostname and kernel version leaks by
projects/torbrowser/design/index.html.en    1905) directly patching the aspects of the Firefox build process that included this
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1906) information into the build. It also turns out that some libraries (in
projects/torbrowser/design/index.html.en    1907) particular: libgmp) attempt to detect the current CPU to determine which
projects/torbrowser/design/index.html.en    1908) optimizations to compile in. This CPU type is uniform on our KVM instances,
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1909) but differs under LXC. We are also investigating currently
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1910) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/12240" target="_top">oddities related to
projects/torbrowser/design/index.html.en    1911) time-based dependency tracking</a> that only appear in LXC containers.
projects/torbrowser/design/index.html.en    1912) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1913)    </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp55349120"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1914) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1915) The build process generates a single sha256sums.txt file that contains a sorted
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1916) list of the SHA-256 hashes of every package produced for that build version. Each
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1917) official builder uploads this file and a GPG signature of it to a directory
projects/torbrowser/design/index.html.en    1918) on a Tor Project's web server. The build scripts have an optional matching
projects/torbrowser/design/index.html.en    1919) step that downloads these signatures, verifies them, and ensures that the
projects/torbrowser/design/index.html.en    1920) local builds match this file.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1921) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1922)     </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1923) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1924) When builds are published officially, the single sha256sums.txt file is
projects/torbrowser/design/index.html.en    1925) accompanied by a detached GPG signature from each official builder that
projects/torbrowser/design/index.html.en    1926) produced a matching build. The packages are additionally signed with detached
projects/torbrowser/design/index.html.en    1927) GPG signatures from an official signing key.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1928) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1929)     </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1930) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1931) The fact that the entire set of packages for a given version can be
projects/torbrowser/design/index.html.en    1932) authenticated by a single hash of the sha256sums.txt file will also allow us
projects/torbrowser/design/index.html.en    1933) to create a number of auxiliary authentication mechanisms for our packages,
projects/torbrowser/design/index.html.en    1934) beyond just trusting a single offline build machine and a single cryptographic
projects/torbrowser/design/index.html.en    1935) key's integrity. Interesting examples include providing multiple independent
projects/torbrowser/design/index.html.en    1936) cryptographic signatures for packages, listing the package hashes in the Tor
projects/torbrowser/design/index.html.en    1937) consensus, and encoding the package hashes in the Bitcoin blockchain.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1938) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1939)      </p><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1940) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1941) The Windows releases are also signed by a hardware token provided by Digicert.
projects/torbrowser/design/index.html.en    1942) In order to verify package integrity, the signature must be stripped off using
projects/torbrowser/design/index.html.en    1943) the osslsigncode tool, as described on the <a class="ulink" href="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification" target="_top">Signature
projects/torbrowser/design/index.html.en    1944) Verification</a> page.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1945) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1946)     </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp55353648"></a>5.3. Anonymous Verification</h3></div></div></div><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1947) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1948) Due to the fact that bit-identical packages can be produced by anyone, the
projects/torbrowser/design/index.html.en    1949) security of this build system extends beyond the security of the official
projects/torbrowser/design/index.html.en    1950) build machines. In fact, it is still possible for build integrity to be
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1951) achieved even if all official build machines are compromised.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1952) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1953)     </p><p>
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1954) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1955) By default, all tor-specific dependencies and inputs to the build process are
projects/torbrowser/design/index.html.en    1956) downloaded over Tor, which allows build verifiers to remain anonymous and
projects/torbrowser/design/index.html.en    1957) hidden. Because of this, any individual can use our anonymity network to
projects/torbrowser/design/index.html.en    1958) privately download our source code, verify it against public signed, audited,
projects/torbrowser/design/index.html.en    1959) and mirrored git repositories, and reproduce our builds exactly, without being
projects/torbrowser/design/index.html.en    1960) subject to targeted attacks. If they notice any differences, they can alert
projects/torbrowser/design/index.html.en    1961) the public builders/signers, hopefully using a pseudonym or our anonymous
Mike Perry Updates to fingerprinting s...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1962) bug tracker account, to avoid revealing the fact that they are a build
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1963) verifier.
Mike Perry Update TBB design doc based...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1964) 
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1965)    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="update-safety"></a>5.4. Update Safety</h3></div></div></div><p>
projects/torbrowser/design/index.html.en    1966) 
projects/torbrowser/design/index.html.en    1967) We make use of the Firefox updater in order to provide automatic updates to
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1968) users. We make use of certificate pinning to ensure that update checks cannot
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1969) be tampered with, and we sign the individual MAR update files with an offline
projects/torbrowser/design/index.html.en    1970) signing key.
projects/torbrowser/design/index.html.en    1971) 
projects/torbrowser/design/index.html.en    1972)    </p><p>
projects/torbrowser/design/index.html.en    1973) 
projects/torbrowser/design/index.html.en    1974) The Firefox updater also has code to ensure that it can reliably access the
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1975) update server to prevent availability attacks, and complains to the user after 48
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1976) hours go by without a successful response from the server. Additionally, we
projects/torbrowser/design/index.html.en    1977) use Tor's SOCKS username and password isolation to ensure that every new
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1978) request to the updater (provided the former got issued more than 10 minutes ago)
projects/torbrowser/design/index.html.en    1979) traverses a separate circuit, to avoid holdback attacks by exit nodes.
Mike Perry Update Tor Browser Design D...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    1980) 
Mike Perry Update design doc for TBB 4.0.

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    1981)    </p></div></div><div class="appendix"><h2 class="title" style="clear: both"><a id="Transparency"></a>A. Towards Transparency in Navigation Tracking</h2><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    1982) 
projects/torbrowser/design/index.html.en    1983) The <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy properties</a> of Tor Browser are based
projects/torbrowser/design/index.html.en    1984) upon the assumption that link-click navigation indicates user consent to
projects/torbrowser/design/index.html.en    1985) tracking between the linking site and the destination site.  While this
projects/torbrowser/design/index.html.en    1986) definition is sufficient to allow us to eliminate cross-site third party
projects/torbrowser/design/index.html.en    1987) tracking with only minimal site breakage, it is our long-term goal to further
projects/torbrowser/design/index.html.en    1988) reduce cross-origin click navigation tracking to mechanisms that are
projects/torbrowser/design/index.html.en    1989) detectable by attentive users, so they can alert the general public if
projects/torbrowser/design/index.html.en    1990) cross-origin click navigation tracking is happening where it should not be.
projects/torbrowser/design/index.html.en    1991) 
projects/torbrowser/design/index.html.en    1992) </p><p>
projects/torbrowser/design/index.html.en    1993) 
projects/torbrowser/design/index.html.en    1994) In an ideal world, the mechanisms of tracking that can be employed during a
projects/torbrowser/design/index.html.en    1995) link click would be limited to the contents of URL parameters and other
projects/torbrowser/design/index.html.en    1996) properties that are fully visible to the user before they click. However, the
projects/torbrowser/design/index.html.en    1997) entrenched nature of certain archaic web features make it impossible for us to
projects/torbrowser/design/index.html.en    1998) achieve this transparency goal by ourselves without substantial site breakage.
projects/torbrowser/design/index.html.en    1999) So, instead we maintain a <a class="link" href="#deprecate" title="A.1. Deprecation Wishlist">Deprecation
projects/torbrowser/design/index.html.en    2000) Wishlist</a> of archaic web technologies that are currently being (ab)used
projects/torbrowser/design/index.html.en    2001) to facilitate federated login and other legitimate click-driven cross-domain
projects/torbrowser/design/index.html.en    2002) activity but that can one day be replaced with more privacy friendly,
projects/torbrowser/design/index.html.en    2003) auditable alternatives.
projects/torbrowser/design/index.html.en    2004) 
projects/torbrowser/design/index.html.en    2005) </p><p>
projects/torbrowser/design/index.html.en    2006) 
projects/torbrowser/design/index.html.en    2007) Because the total elimination of side channels during cross-origin navigation
projects/torbrowser/design/index.html.en    2008) will undoubtedly break federated login as well as destroy ad revenue, we
projects/torbrowser/design/index.html.en    2009) also describe auditable alternatives and promising web draft standards that would
projects/torbrowser/design/index.html.en    2010) preserve this functionality while still providing transparency when tracking is
projects/torbrowser/design/index.html.en    2011) occurring. 
projects/torbrowser/design/index.html.en    2012) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2013) </p><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="deprecate"></a>A.1. Deprecation Wishlist</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>The Referer Header</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2014) 
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2015) We haven't disabled or restricted the Referer ourselves because of the
projects/torbrowser/design/index.html.en    2016) non-trivial number of sites that rely on the Referer header to "authenticate"
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2017) image requests and deep-link navigation on their sites. Furthermore, there
projects/torbrowser/design/index.html.en    2018) seems to be no real privacy benefit to taking this action by itself in a
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2019) vacuum, because many sites have begun encoding Referer URL information into
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2020) GET parameters when they need it to cross HTTP to HTTPS scheme transitions.
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2021) Google's +1 buttons are the best example of this activity.
projects/torbrowser/design/index.html.en    2022) 
projects/torbrowser/design/index.html.en    2023)   </p><p>
projects/torbrowser/design/index.html.en    2024) 
projects/torbrowser/design/index.html.en    2025) Because of the availability of these other explicit vectors, we believe the
Mike Perry TBB design doc: More review...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2026) main risk of the Referer header is through inadvertent and/or covert data
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2027) leakage.  In fact, <a class="ulink" href="http://www2.research.att.com/~bala/papers/wosn09.pdf" target="_top">a great deal of
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2028) personal data</a> is inadvertently leaked to third parties through the
projects/torbrowser/design/index.html.en    2029) source URL parameters. 
projects/torbrowser/design/index.html.en    2030) 
projects/torbrowser/design/index.html.en    2031)   </p><p>
projects/torbrowser/design/index.html.en    2032) 
Mike Perry Update design document base...

Mike Perry authored 10 years ago

projects/torbrowser/design/index.html.en    2033) We believe the Referer header should be made explicit, and believe that CSP
projects/torbrowser/design/index.html.en    2034) 2.0 provides a <a class="ulink" href="http://www.w3.org/TR/CSP11/#directive-referrer" target="_top">decent step in this
projects/torbrowser/design/index.html.en    2035) direction</a>. If a site wishes to transmit its URL to third party content
projects/torbrowser/design/index.html.en    2036) elements during load or during link-click, it should have to specify this as a
projects/torbrowser/design/index.html.en    2037) property of the associated HTML tag or CSP policy. With an explicit property
projects/torbrowser/design/index.html.en    2038) or policy, it would then be possible for the user agent to inform the user if
projects/torbrowser/design/index.html.en    2039) they are about to click on a link that will transmit Referer information
projects/torbrowser/design/index.html.en    2040) (perhaps through something as subtle as a different color in the lower toolbar
projects/torbrowser/design/index.html.en    2041) for the destination URL). This same UI notification can also be used for links
projects/torbrowser/design/index.html.en    2042) with the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Element/a#Attributes" target="_top">"ping"</a>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2043) attribute.
projects/torbrowser/design/index.html.en    2044) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2045)   </p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2046) <a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2047) a DOM property that for some reason is allowed to retain a persistent value
projects/torbrowser/design/index.html.en    2048) for the lifespan of a browser tab. It is possible to utilize this property for
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2049) <a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2050) storage</a> during click navigation. This is sometimes used for additional
projects/torbrowser/design/index.html.en    2051) XSRF protection and federated login.
projects/torbrowser/design/index.html.en    2052)    </p><p>
projects/torbrowser/design/index.html.en    2053) 
projects/torbrowser/design/index.html.en    2054) It's our opinion that the contents of window.name should not be preserved for
projects/torbrowser/design/index.html.en    2055) cross-origin navigation, but doing so may break federated login for some sites.
projects/torbrowser/design/index.html.en    2056) 
Mike Perry Update Tor Browser design doc.

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2057)    </p></li><li class="listitem"><span class="command"><strong>Javascript link rewriting</strong></span><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2058) 
projects/torbrowser/design/index.html.en    2059) In general, it should not be possible for onclick handlers to alter the
projects/torbrowser/design/index.html.en    2060) navigation destination of 'a' tags, silently transform them into POST
projects/torbrowser/design/index.html.en    2061) requests, or otherwise create situations where a user believes they are
projects/torbrowser/design/index.html.en    2062) clicking on a link leading to one URL that ends up on another. This
projects/torbrowser/design/index.html.en    2063) functionality is deceptive and is frequently a vector for malware and phishing
projects/torbrowser/design/index.html.en    2064) attacks. Unfortunately, many legitimate sites also employ such transparent
projects/torbrowser/design/index.html.en    2065) link rewriting, and blanket disabling this functionality ourselves will simply
projects/torbrowser/design/index.html.en    2066) cause Tor Browser to fail to navigate properly on these sites.
projects/torbrowser/design/index.html.en    2067) 
projects/torbrowser/design/index.html.en    2068)    </p><p>
projects/torbrowser/design/index.html.en    2069) 
projects/torbrowser/design/index.html.en    2070) Automated cross-origin redirects are one form of this behavior that is
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2071) possible for us to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">address
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2072) ourselves</a>, as they are comparatively rare and can be handled with site
projects/torbrowser/design/index.html.en    2073) permissions.
projects/torbrowser/design/index.html.en    2074) 
Mike Perry One more TBB design doc upd...

Mike Perry authored 9 years ago

projects/torbrowser/design/index.html.en    2075)    </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp55389664"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2076) 
projects/torbrowser/design/index.html.en    2077) Web-Send is a browser-based link sharing and federated login widget that is
projects/torbrowser/design/index.html.en    2078) designed to operate without relying on third-party tracking or abusing other
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2079) cross-origin link-click side channels. It has a compelling list of <a class="ulink" href="http://web-send.org/features.html" target="_top">privacy and security features</a>,
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2080) especially if used as a "Like button" replacement.
projects/torbrowser/design/index.html.en    2081) 
Mike Perry TBB design doc: Fix charset...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2082)    </p></li><li class="listitem"><a class="ulink" href="https://developer.mozilla.org/en-US/docs/Persona" target="_top">Mozilla Persona</a><p>
Mike Perry Update design doc with FF17...

Mike Perry authored 11 years ago

projects/torbrowser/design/index.html.en    2083) 
projects/torbrowser/design/index.html.en    2084) Mozilla's Persona is designed to provide decentralized, cryptographically
projects/torbrowser/design/index.html.en    2085) authenticated federated login in a way that does not expose the user to third
projects/torbrowser/design/index.html.en    2086) party tracking or require browser redirects or side channels. While it does
projects/torbrowser/design/index.html.en    2087) not directly provide the link sharing capabilities that Web-Send does, it is a
projects/torbrowser/design/index.html.en    2088) better solution to the privacy issues associated with federated login than
projects/torbrowser/design/index.html.en    2089) Web-Send is.
projects/torbrowser/design/index.html.en    2090)