<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 6th, 2015</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp53435264">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. 
Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp55327360">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp55349120">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp55353648">5.3. 
Anonymous Verification</a></span></dt><dt><span class="sect2"><a href="#update-safety">5.4. Update Safety</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp55389664">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp53435264"></a>1. Introduction</h2></div></div></div><p>

This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the Tor Browser. It is current as of Tor Browser 4.5.

</p><p>

This document is also meant to serve as a set of design requirements and to
describe a reference implementation of a Private Browsing Mode that defends
against active network adversaries, in addition to the passive forensic local
adversary currently addressed by the major browsers.

</p><p>

For more practical information regarding Tor Browser development, please
consult the <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking" target="_top">Tor
Browser Hacking Guide</a>.

</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="components"></a>1.1. Browser Component Overview</h3></div></div></div><p>

The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/" target="_top">Mozilla's Extended
Support Release (ESR) Firefox branch</a>. We have a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git" target="_top">series of patches</a>
against this browser to enhance privacy and security. Browser behavior is
additionally augmented through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/" target="_top">Torbutton
extension</a>, though we are in the process of moving this functionality
into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-31.6.0esr-4.5-1" target="_top">change
a number of Firefox preferences</a> from their defaults.

</p><p>

Tor process management and configuration are accomplished through the <a class="ulink" href="https://gitweb.torproject.org/tor-launcher.git" target="_top">Tor Launcher</a>
addon, which provides the initial Tor configuration splash screen and
bootstrap progress bar. Tor Launcher is also compatible with Thunderbird,
Instantbird, and XULRunner.

</p><p>

To help protect against potential Tor Exit Node eavesdroppers, we include
<a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a>. To
provide users with optional defense-in-depth against JavaScript and other
potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/" target="_top">NoScript</a>. We also modify <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js" target="_top">several
extension preferences</a> from their defaults.

</p><p>

To provide censorship circumvention in areas where the public Tor network is
blocked either by IP or by protocol fingerprint, we include several <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports" target="_top">Pluggable
Transports</a> in the distribution. As of this writing, we include <a class="ulink" href="https://gitweb.torproject.org/pluggable-transports/obfs4.git" target="_top">Obfs4proxy</a>,
<a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/meek" target="_top">meek</a>,
<a class="ulink" href="https://fteproxy.org/" target="_top">FTE</a>, and <a class="ulink" href="https://crypto.stanford.edu/flashproxy/" target="_top">FlashProxy</a>.

</p></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>

The Tor Browser Design Requirements are meant to describe the properties of a
Private Browsing Mode that defends against both network and local forensic
adversaries.

</p><p>

There are two main categories of requirements: <a class="link" href="#security" title="2.1. Security Requirements">Security Requirements</a>, and <a class="link" href="#privacy" title="2.2. Privacy Requirements">Privacy Requirements</a>. Security Requirements are the
minimum properties a browser needs in order to support Tor and similar privacy
proxies safely. Privacy Requirements are the set of properties that cause us
to prefer one browser over another.

</p><p>

While we will endorse the use of browsers that meet the security requirements,
it is primarily the privacy requirements that cause us to maintain our own
browser distribution.

</p><p>

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
<a class="ulink" href="https://www.ietf.org/rfc/rfc2119.txt" target="_top">RFC 2119</a>.

</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="security"></a>2.1. Security Requirements</h3></div></div></div><p>

The security requirements are primarily concerned with ensuring the safe use
of Tor. Violations of these properties typically result in serious risk for
the user in terms of immediate deanonymization and/or observability. With
respect to browser support, security requirements are the minimum properties
required for Tor to support the use of a particular browser.

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience"><span class="command"><strong>Proxy
Obedience</strong></span></a><p>The browser
MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a class="link" href="#state-separation" title="4.2. State Separation"><span class="command"><strong>State
Separation</strong></span></a><p>

The browser MUST NOT provide the content window with any state from any other
browsers or any non-Tor browsing modes. This includes shared state from
independent plugins, and shared state from operating system implementations of
TLS and other support libraries.

</p></li><li class="listitem"><a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance"><span class="command"><strong>Disk
Avoidance</strong></span></a><p>

The browser MUST NOT write any information that is derived from or that
reveals browsing activity to the disk, or store it in memory beyond the
duration of one browsing session, unless the user has explicitly opted to
store their browsing history information to disk.

</p></li><li class="listitem"><a class="link" href="#app-data-isolation" title="4.4. Application Data Isolation"><span class="command"><strong>Application Data
Isolation</strong></span></a><p>

The components involved in providing private browsing MUST be self-contained,
or MUST provide a mechanism for rapid, complete removal of all evidence of the
use of the mode. In other words, the browser MUST NOT write or cause the
operating system to write <span class="emphasis"><em>any information</em></span> about the use
of private browsing to disk outside of the application's control. The user
must be able to ensure that secure deletion of the software is sufficient to
remove evidence of the use of the software. All exceptions and shortcomings
due to operating system behavior MUST be wiped by an uninstaller. However, due
to permissions issues with access to swap, implementations MAY choose to leave
it out of scope, and/or leave it to the operating system/platform to implement
ephemeral-keyed encrypted swap.

</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>

The privacy requirements are primarily concerned with reducing linkability:
the ability for a user's activity on one site to be linked with their activity
on another site without their knowledge or explicit consent. With respect to
browser support, privacy requirements are the set of properties that cause us
to prefer one browser over another.

</p><p>

For the purposes of the unlinkability requirements of this section as well as
the descriptions in the <a class="link" href="#Implementation" title="4. Implementation">implementation
section</a>, a <span class="command"><strong>URL bar origin</strong></span> means at least the
second-level DNS name. For example, for mail.google.com, the origin would be
google.com. Implementations MAY restrict the URL bar origin to be the entire
fully qualified domain name.

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability"><span class="command"><strong>Cross-Origin
Identifier Unlinkability</strong></span></a><p>

User activity on one URL bar origin MUST NOT be linkable to their activity in
any other URL bar origin by any third party automatically or without user
interaction or approval. This requirement specifically applies to linkability
from stored browser identifiers, authentication tokens, and shared state. The
requirement does not apply to linkable information the user manually submits
to sites, or to information submitted during manual link traversal. Meeting
this requirement SHOULD NOT substantially interfere with interactive,
click-driven federated login.

</p></li><li class="listitem"><a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability"><span class="command"><strong>Cross-Origin
Fingerprinting Unlinkability</strong></span></a><p>

User activity on one URL bar origin MUST NOT be linkable to their activity in
any other URL bar origin by any third party. This property specifically applies to
linkability from fingerprinting browser behavior.

</p></li><li class="listitem"><a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><span class="command"><strong>Long-Term
Unlinkability</strong></span></a><p>

The browser MUST provide an obvious, easy way for the user to remove all of
its authentication tokens and browser state and obtain a fresh identity.
Additionally, the browser SHOULD clear linkable state by default automatically
upon browser restart, except at user option.

</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="philosophy"></a>2.3. Philosophy</h3></div></div></div><p>

In addition to the above design requirements, the technology decisions about
Tor Browser are also guided by some philosophical positions about technology.

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Preserve existing user model</strong></span><p>

The existing way that the user expects to use a browser must be preserved. If
the user has to maintain a different mental model of how the sites they are
using behave depending on tab, browser state, or anything else that would not
normally be what they experience in their default browser, the user will
inevitably be confused. They will make mistakes and reduce their privacy as a
result. Worse, they may just stop using the browser, assuming it is broken.

</p><p>

User model breakage was one of the <a class="ulink" href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton" target="_top">failures
of Torbutton</a>: Even if users managed to install everything properly,
the toggle model was too hard for the average user to understand, especially
in the face of accumulating tabs from multiple states crossed with the current
Tor state of the browser.

</p></li><li class="listitem"><span class="command"><strong>Favor the implementation mechanism least likely to
break sites</strong></span><p>

In general, we try to find solutions to privacy issues that will not induce
site breakage, though this is not always possible.

</p></li><li class="listitem"><span class="command"><strong>Plugins must be restricted</strong></span><p>

Even if plugins always properly used the browser proxy settings (which none of
them do) and could not be induced to bypass them (which all of them can), the
activities of closed-source plugins are very difficult to audit and control.
They can obtain and transmit all manner of system information to websites,
often have their own identifier storage for tracking users, and also
contribute to fingerprinting.

</p><p>

Therefore, if plugins are to be enabled in private browsing modes, they must
be restricted from running automatically on every page (via click-to-play
placeholders), and/or be sandboxed to restrict the types of system calls they
can execute. If the user agent allows the user to craft an exemption to allow
a plugin to be used automatically, it must only apply to the top level URL bar
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 208) domain, and not to all sites, to reduce cross-origin fingerprinting
projects/torbrowser/design/index.html.en 209) linkability.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 210)
projects/en/torbrowser/design/index.html.en 211) </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
projects/en/torbrowser/design/index.html.en 212)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 213) <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">Another
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 214) failure of Torbutton</a> was the options panel. Each option
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 215) that detectably alters browser behavior can be used as a fingerprinting tool.
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 216) Similarly, all extensions <a class="ulink" href="http://blog.chromium.org/2010/06/extensions-in-incognito.html" target="_top">should be
projects/torbrowser/design/index.html.en 217) disabled in the mode</a> except as an opt-in basis. We should not load
|
Update design document base...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 218) system-wide and/or operating system provided addons or plugins.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 219)
projects/en/torbrowser/design/index.html.en 220) </p><p>
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 221) Instead of global browser privacy options, privacy decisions should be made
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 222) <a class="ulink" href="https://wiki.mozilla.org/Privacy/Features/Site-based_data_management_UI" target="_top">per
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 223) URL bar origin</a> to eliminate the possibility of linkability
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 224) between domains. For example, when a plugin object (or a Javascript access of
projects/en/torbrowser/design/index.html.en 225) window.plugins) is present in a page, the user should be given the choice of
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 226) allowing that plugin object for that URL bar origin only. The same
|
Update design doc for TBB 4.0.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 227) goes for exemptions to third party cookie policy, geolocation, and any other
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 228) privacy permissions.
projects/en/torbrowser/design/index.html.en 229) </p><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 230) If the user has indicated they wish to record local history storage, these
|
Update TBB design doc based...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 231) permissions can be written to disk. Otherwise, they should remain memory-only.
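</p>
<p>
The two rules above, that a plugin exemption applies only to the top level URL bar origin and that every other privacy permission is likewise decided per URL bar origin and kept memory-only unless the user opted to record local history, can be modelled directly. The following is an added example, not code from Tor Browser or from this document; the class and method names, the permission labels, and the Map standing in for on-disk storage are this example's own assumptions.
</p>

```javascript
// Added example, not Tor Browser code: privacy exemptions keyed by the URL bar
// (top-level) origin, with no global fallback, and persisted only when the
// user has opted to keep local history. Names and the Map-backed "disk" are
// this example's own assumptions.

function urlBarOrigin(url) {
  // scheme + host + port of the top-level document. Third-party frames and
  // plugin objects inherit the decision made for the page in the URL bar.
  return new URL(url).origin;
}

class PerOriginPermissions {
  // persistHistory: the user's "record local history" choice.
  // diskStore: stands in for on-disk storage (a Map constructed for the example).
  constructor({ persistHistory = false, diskStore = new Map() } = {}) {
    this.persistHistory = persistHistory;
    this.diskStore = diskStore;
    this.memory = new Map(); // origin -> Set of granted permission names
    if (persistHistory) {
      // Reload earlier decisions; a memory-only session starts empty.
      for (const [origin, perms] of diskStore) {
        this.memory.set(origin, new Set(perms));
      }
    }
  }

  grant(topLevelUrl, permission) {
    const origin = urlBarOrigin(topLevelUrl);
    if (!this.memory.has(origin)) this.memory.set(origin, new Set());
    this.memory.get(origin).add(permission);
    if (this.persistHistory) {
      this.diskStore.set(origin, [...this.memory.get(origin)]);
    }
  }

  // Decision for any content (first- or third-party) loaded while
  // topLevelUrl is in the URL bar. Unknown origins are denied.
  isAllowed(topLevelUrl, permission) {
    const perms = this.memory.get(urlBarOrigin(topLevelUrl));
    return perms !== undefined && perms.has(permission);
  }
}

// Walk-through of the behaviours the design calls for; returns them so they
// can be checked rather than only printed.
function demo() {
  const disk = new Map();

  // 1. Memory-only session: grant a plugin exemption on one site.
  const memOnly = new PerOriginPermissions({ persistHistory: false, diskStore: disk });
  memOnly.grant("https://news.example/article?id=1", "plugin:flash");

  const result = {
    // Same origin, different path: the exemption applies.
    samePath: memOnly.isAllowed("https://news.example/other", "plugin:flash"),
    // Another URL bar origin: no exemption, even for the same plugin.
    otherOrigin: memOnly.isAllowed("https://shop.example/", "plugin:flash"),
    // A subdomain is a different origin under this model.
    subdomain: memOnly.isAllowed("https://www.news.example/", "plugin:flash"),
    // Same origin, unrelated permission: denied.
    otherPermission: memOnly.isAllowed("https://news.example/", "geolocation"),
    // Nothing reached the "disk".
    diskEntriesMemOnly: disk.size,
    // A fresh memory-only session has forgotten the grant.
    afterRestartMemOnly: new PerOriginPermissions({ persistHistory: false, diskStore: disk })
      .isAllowed("https://news.example/", "plugin:flash"),
  };

  // 2. User opted to record local history: decisions survive a restart.
  const persisting = new PerOriginPermissions({ persistHistory: true, diskStore: disk });
  persisting.grant("https://news.example/", "cookies:third-party");
  result.diskEntriesPersisting = disk.size;
  result.afterRestartPersisting = new PerOriginPermissions({ persistHistory: true, diskStore: disk })
    .isAllowed("https://news.example/", "cookies:third-party");
  // Still nothing leaks to other origins after reload.
  result.otherOriginAfterReload = new PerOriginPermissions({ persistHistory: true, diskStore: disk })
    .isAllowed("https://shop.example/", "cookies:third-party");

  return result;
}
```

<p>
The example keys on the full origin (scheme, host and port), so <code class="literal">https://www.news.example</code> and <code class="literal">https://news.example</code> get separate decisions; a build that wants the "top level URL bar domain" rule for plugins would instead key on the registrable domain. Either way the property that matters is preserved: a decision made on one site is never consulted for another, so the set of exemptions cannot be probed across origins.
</p>
<p>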
</p></li><li class="listitem"><span class="command"><strong>No filters</strong></span><p>

Site-specific or filter-based addons such as <a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/" target="_top">AdBlock
Plus</a>, <a class="ulink" href="http://requestpolicy.com/" target="_top">Request Policy</a>,
<a class="ulink" href="http://www.ghostery.com/about" target="_top">Ghostery</a>, <a class="ulink" href="http://priv3.icsi.berkeley.edu/" target="_top">Priv3</a>, and <a class="ulink" href="http://sharemenot.cs.washington.edu/" target="_top">Sharemenot</a> are to be
avoided. We believe that these addons do not add any real privacy to a proper
<a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the above <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirements</a>, and that development efforts
should be focused on general solutions that prevent tracking by all
third parties, rather than a list of specific URLs or hosts.
</p><p>
Filter-based addons can also introduce strange breakage and cause usability
nightmares, and will also fail to do their job if an adversary simply
registers a new domain or creates a new URL path. Worse still, the unique
filter sets that each user creates or installs will provide a wealth of
fingerprinting targets.
</p><p>

As a general matter, we are also opposed to shipping an always-on Ad
blocker with Tor Browser. We feel that this would damage our credibility in
terms of demonstrating that we are providing privacy through a sound design
alone, as well as damage the acceptance of Tor users by sites that support
themselves through advertising revenue.

</p><p>
Users are free to install these addons if they wish, but doing
so is not recommended, as it will alter the browser request fingerprint.
</p></li><li class="listitem"><span class="command"><strong>Stay Current</strong></span><p>
We believe that if we do not stay current with the support of new web
technologies, we cannot hope to substantially influence or be involved in
their proper deployment or privacy realization. However, we will likely disable
high-risk features pending analysis, audit, and mitigation.
</p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="adversary"></a>3. Adversary Model</h2></div></div></div><p>

A Tor web browser adversary has a number of goals, capabilities, and attack
types that can be used to illustrate the design requirements for the
Tor Browser. Let's start with the goals.

</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-goals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of
Tor, causing the user to directly connect to an IP of the adversary's
choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
happily settle for the ability to correlate something a user did via Tor with
their non-Tor activity. This can be done with cookies, cache identifiers,
Javascript events, and even CSS. Sometimes the fact that a user uses Tor may
be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
The adversary may also be interested in history disclosure: the ability to
query a user's history to see if they have issued certain censored search
queries, or visited censored sites.
</p></li><li class="listitem"><span class="command"><strong>Correlate activity across multiple sites</strong></span><p>

The primary goal of the advertising networks is to know that the user who
visited siteX.com is the same user that visited siteY.com to serve them
targeted ads. The advertising networks become our adversary insofar as they
attempt to perform this correlation without the user's explicit consent.

</p></li><li class="listitem"><span class="command"><strong>Fingerprinting/anonymity set reduction</strong></span><p>

Fingerprinting (more generally: "anonymity set reduction") is used to attempt
to gather identifying information on a particular individual without the use
of tracking identifiers. If the dissident or whistleblower's timezone is
available, and they are using a rare build of Firefox for an obscure operating
system, and they have a specific display resolution only used on one type of
laptop, this can be very useful information for tracking them down, or at
least <a class="link" href="#fingerprinting">tracking their activities</a>.

</p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
information</strong></span><p>

In some cases, the adversary may opt for a heavy-handed approach, such as
seizing the computers of all Tor users in an area (especially after narrowing
the field by the above two pieces of information). History records and cache
data are the primary goals here. Secondary goals may include confirming
on-disk identifiers (such as hostname and disk-logged spoofed MAC address
history) obtained by other means.

</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-positioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p>
The adversary can position themselves at a number of different locations in
order to execute their attacks.
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
The adversary can run exit nodes, or alternatively, they may control routers
upstream of exit nodes. Both of these scenarios have been observed in the
wild.
</p></li><li class="listitem"><span class="command"><strong>Ad servers and/or Malicious Websites</strong></span><p>
The adversary can also run websites, or more likely, they can contract out
ad space from a number of different ad servers and inject content that way. For
some users, the adversary may be the ad servers themselves. It is not
inconceivable that ad servers may try to subvert or reduce a user's anonymity
through Tor for marketing purposes.
</p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
The adversary can also inject malicious content at the user's upstream router
when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
activity.
</p><p>

Additionally, at this position the adversary can block Tor, or attempt to
recognize the traffic patterns of specific web pages at the entrance to the Tor
network.

</p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
Some users face adversaries with intermittent or constant physical access.
Users in Internet cafes, for example, face such a threat. In addition, in
countries where simply using tools like Tor is illegal, users may face
confiscation of their computer equipment for excessive Tor usage or just
general suspicion.
</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="attacks"></a>3.3. Adversary Capabilities - Attacks</h3></div></div></div><p>

The adversary can perform the following attacks from a number of different
positions to accomplish various aspects of their goals. It should be noted
that many of these attacks (especially those involving IP address leakage) are
often performed by accident by websites that simply have Javascript, dynamic
CSS elements, and plugins. Others are performed by ad servers seeking to
correlate users' activity across different IP addresses, and still others are
performed by malicious agents on the Tor network and at national firewalls.

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Read and insert identifiers</strong></span><p>

The browser contains multiple facilities for storing identifiers that the
adversary creates for the purposes of tracking users. These identifiers are
most obviously cookies, but also include HTTP auth, DOM storage, cached
scripts and other elements with embedded identifiers, client certificates, and
even TLS Session IDs.

</p><p>

An adversary in a position to perform MITM content alteration can inject
document content elements to both read and inject cookies for arbitrary
domains. In fact, even many "SSL secured" websites are vulnerable to this sort of
<a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
sidejacking</a>. In addition, the ad networks of course perform tracking
with cookies as well.

</p><p>

These types of attacks are attempts at subverting our <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">Cross-Origin Identifier Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.

</p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
attributes</strong></span><p>

There is an absurd amount of information available to websites via attributes
of the browser. This information can be used to reduce the anonymity set, or even
uniquely fingerprint individual users. Attacks of this nature are typically
aimed at tracking users across sites without their consent, in an attempt to
subvert our <a class="link" href="#fingerprinting-linkability" title="4.6. Cross-Origin Fingerprinting Unlinkability">Cross-Origin
Fingerprinting Unlinkability</a> and <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">Long-Term Unlinkability</a> design requirements.

</p><p>

Fingerprinting is an intimidating
problem to attempt to tackle, especially without a metric to determine or at
least intuitively understand and estimate which features will most contribute
to linkability between visits.

</p><p>

The <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">Panopticlick study
done</a> by the EFF uses the <a class="ulink" href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29" target="_top">Shannon
entropy</a> - the number of identifying bits of information encoded in
browser properties - as this metric. Their <a class="ulink" href="https://wiki.mozilla.org/Fingerprinting#Data" target="_top">result data</a> is
definitely useful, and the metric is probably the appropriate one for
determining how identifying a particular browser property is. However, some
quirks of their study mean that they do not extract as much information as
they could from display information: they only use desktop resolution and do
not attempt to infer the size of toolbars. In the other direction, they may be
over-counting in some areas, as they did not compute joint entropy over
multiple attributes that may exhibit a high degree of correlation. Also, new
browser features are added regularly, so the data should not be taken as
final.

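</p>
<p>
To make the entropy metric and the over-counting point concrete, here is an added example, not code from this document or from the EFF's Panopticlick study. It computes the Shannon entropy of single browser attributes, the joint entropy of several attributes taken together, and the surprisal of one visitor's observed values, over a small population of browser records that is constructed for illustration (the attribute values are made up and the function names are this example's own).
</p>

```javascript
// Added example, not from the Tor Browser design document or the Panopticlick
// study: the Shannon-entropy metric applied to browser attributes, and why
// adding up per-attribute entropies over-counts when attributes are
// correlated. The population below is constructed for illustration.

const SAMPLE_POPULATION = [
  // User agent and resolution move together here (one laptop model per build);
  // timezone is independent of both.
  { ua: "Firefox/31 (Windows)", resolution: "1366x768",  timezone: "UTC-5" },
  { ua: "Firefox/31 (Windows)", resolution: "1366x768",  timezone: "UTC-5" },
  { ua: "Firefox/31 (Windows)", resolution: "1366x768",  timezone: "UTC+1" },
  { ua: "Firefox/31 (Windows)", resolution: "1366x768",  timezone: "UTC+1" },
  { ua: "Firefox/31 (Linux)",   resolution: "1920x1080", timezone: "UTC-5" },
  { ua: "Firefox/31 (Linux)",   resolution: "1920x1080", timezone: "UTC-5" },
  { ua: "Firefox/31 (Linux)",   resolution: "1920x1080", timezone: "UTC+1" },
  { ua: "Firefox/31 (Linux)",   resolution: "1920x1080", timezone: "UTC+1" },
];

// Shannon entropy, in bits, of the distribution of keyFn(record) over the population.
function entropyBits(population, keyFn) {
  const counts = new Map();
  for (const rec of population) {
    const key = keyFn(rec);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Entropy of one attribute: how identifying that property is on its own.
function attributeEntropy(population, attr) {
  return entropyBits(population, (r) => r[attr]);
}

// Joint entropy of several attributes: what a site actually learns when it
// collects all of them from the same visitor.
function jointEntropy(population, attrs) {
  return entropyBits(population, (r) => attrs.map((a) => r[a]).join("\u0000"));
}

// Bits over-counted if the per-attribute entropies are simply summed.
function summationOvercountBits(population, attrs) {
  const summed = attrs.reduce((acc, a) => acc + attributeEntropy(population, a), 0);
  return summed - jointEntropy(population, attrs);
}

// Anonymity set: how many population members share the observed values.
function anonymitySetSize(population, observed) {
  const attrs = Object.keys(observed);
  return population.filter((r) => attrs.every((a) => r[a] === observed[a])).length;
}

// Surprisal of one visitor's observed values, -log2 P(values): the number of
// identifying bits those values carry. Infinity means the combination was
// never seen in the population, i.e. it is unique with respect to it.
function surprisalBits(population, observed) {
  const matches = anonymitySetSize(population, observed);
  if (matches === 0) return Infinity;
  return -Math.log2(matches / population.length);
}
```

<p>
On this constructed population the user agent and the resolution each carry one bit, but together they still carry only one bit, so summing them reports two bits where a fingerprinter learns one; the timezone is independent of both and adds a full bit to the joint entropy. That gap between the sum of marginal entropies and the joint entropy is the over-counting the paragraph above describes, and the surprisal of a particular visitor's values is the quantity a site uses to narrow the anonymity set.
</p>
<p>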
projects/torbrowser/design/index.html.en 399) </p><p>
projects/torbrowser/design/index.html.en 400)
projects/torbrowser/design/index.html.en 401) Despite the uncertainty, all fingerprinting attacks leverage the following
projects/torbrowser/design/index.html.en 402) attack vectors:
projects/torbrowser/design/index.html.en 403)
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 404) </p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem"><span class="command"><strong>Observing Request Behavior</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 405)
projects/torbrowser/design/index.html.en 406) Properties of the user's request behavior comprise the bulk of low-hanging
projects/torbrowser/design/index.html.en 407) fingerprinting targets. These include: User agent, Accept-* headers, pipeline
projects/torbrowser/design/index.html.en 408) usage, and request ordering. Additionally, the use of custom filters such as
projects/torbrowser/design/index.html.en 409) AdBlock and other privacy filters can be used to fingerprint request patterns
projects/torbrowser/design/index.html.en 410) (as an extreme example).
projects/torbrowser/design/index.html.en 411)
projects/torbrowser/design/index.html.en 412) </p></li><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
projects/torbrowser/design/index.html.en 413)
projects/torbrowser/design/index.html.en 414) Javascript can reveal a lot of fingerprinting information. It provides DOM
projects/torbrowser/design/index.html.en 415) objects such as window.screen and window.navigator to extract information
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 416) about the user agent.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 417)
projects/torbrowser/design/index.html.en 418) Also, Javascript can be used to query the user's timezone via the
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
<code class="function">Date()</code> object, <a class="ulink" href="https://www.khronos.org/registry/webgl/specs/1.0/#5.13" target="_top">WebGL</a> can
reveal information about the video card in use, and high precision timing
information can be used to <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">fingerprint the CPU and
interpreter speed</a>. In the future, new JavaScript features such as
<a class="ulink" href="http://w3c-test.org/webperf/specs/ResourceTiming/" target="_top">Resource
Timing</a> may leak an unknown amount of network timing related
information.

</p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>

The Panopticlick project found that the mere list of installed plugins (in
navigator.plugins) was sufficient to provide a large degree of
fingerprintability. Additionally, plugins are capable of extracting font lists,
interface addresses, and other machine information that is beyond what the
browser would normally provide to content. Plugins can also be used to
store unique identifiers that are more difficult to clear than standard
cookies. <a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
cookies</a> fall into this category, but there are likely numerous other
examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy
settings of the browser.

</p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>

<a class="ulink" href="https://developer.mozilla.org/En/CSS/Media_queries" target="_top">CSS media
queries</a> can be inserted to gather information about the desktop size,
widget size, display type, DPI, user agent type, and other information that
was formerly available only to JavaScript.
projects/torbrowser/design/index.html.en 447)
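As an added example (not code from the design document or from Tor Browser), the following shows how the two surfaces discussed in the last two items, the navigator.plugins list and CSS media queries, combine into a fingerprint. The plugin lists, the media-query list and the matchMedia stand-in are constructed for illustration; outside a browser neither navigator.plugins nor window.matchMedia exists, and the hash is only there to condense the collected strings.

```javascript
// Added example, not from the design document: how the plugin list and CSS
// media queries turn into a fingerprint. All inputs below are constructed.

// FNV-1a 32-bit, used only to condense the collected strings into a short tag.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed samples shaped like navigator.plugins entries. The two differ
// only in the Flash patch level, which is already enough to split users apart.
const PLUGINS_A = [
  { name: "Shockwave Flash", version: "11.2.202.228", filename: "libflashplayer.so" },
  { name: "Java(TM) Plug-in", version: "1.7.0_25", filename: "libnpjp2.so" },
];
const PLUGINS_B = [
  { name: "Shockwave Flash", version: "11.2.202.235", filename: "libflashplayer.so" },
  { name: "Java(TM) Plug-in", version: "1.7.0_25", filename: "libnpjp2.so" },
];

// Media queries a page can evaluate from a stylesheet alone (for instance by
// requesting a different background image per query), with no JavaScript at all.
const MEDIA_QUERIES = [
  "(min-width: 1000px)",
  "(min-width: 1400px)",
  "(min-height: 800px)",
  "(min-resolution: 2dppx)",
  "(orientation: landscape)",
  "(-moz-touch-enabled: 1)",
];

// Constructed stand-in for window.matchMedia(q).matches for a display of the
// given geometry; touch and anything it does not understand count as no match.
function makeMatchMedia(width, height, dppx) {
  return (q) => {
    let m;
    if ((m = q.match(/^\(min-width: (\d+)px\)$/))) return width >= Number(m[1]);
    if ((m = q.match(/^\(min-height: (\d+)px\)$/))) return height >= Number(m[1]);
    if ((m = q.match(/^\(min-resolution: (\d+)dppx\)$/))) return dppx >= Number(m[1]);
    if (q === "(orientation: landscape)") return width >= height;
    return false;
  };
}

// Plugin component: name, version and filename in enumeration order. Order is
// part of the signal: the same plugins enumerated in a different order still
// yield a different value.
function pluginComponent(plugins) {
  return plugins.map((p) => `${p.name}|${p.version}|${p.filename}`).join(";");
}

// Media component: one bit per query, in MEDIA_QUERIES order.
function mediaComponent(matchMedia) {
  return MEDIA_QUERIES.map((q) => (matchMedia(q) ? "1" : "0")).join("");
}

// The fingerprint is a stable function of both components.
function fingerprint(plugins, matchMedia) {
  return fnv1a(pluginComponent(plugins) + "\n" + mediaComponent(matchMedia));
}
```

Every distinct value of either component is a bucket the user falls into, which is why the Implementation section's defenses work by shrinking the set of values these components can take (no plugins enumerated at all, for instance) rather than by hiding the API.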
</p></li></ol></div></li><li class="listitem"><a id="website-traffic-fingerprinting"></a><span class="command"><strong>Website traffic fingerprinting</strong></span><p>

Website traffic fingerprinting is an attempt by the adversary to recognize the
encrypted traffic patterns of specific websites. In the case of Tor, this
attack would take place between the user and the Guard node, or at the Guard
node itself.
</p><p> The most comprehensive study of the statistical properties of this
attack against Tor was done by <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko
et al</a>. Unfortunately, the publication bias in academia has encouraged
the production of a number of follow-on attack papers claiming "improved"
success rates, in some cases even claiming to completely invalidate any
attempt at defense. These "improvements" are actually enabled primarily by
taking a number of shortcuts (such as classifying only very small numbers of
web pages, neglecting to publish ROC curves or at least false positive rates,
and/or omitting the effects of dataset size on their results). Despite these
subsequent "improvements", we are skeptical of the efficacy of this attack in
a real world scenario, <span class="emphasis"><em>especially</em></span> in the face of any
defenses.

</p><p>

In general, with machine learning, as you increase the <a class="ulink" href="https://en.wikipedia.org/wiki/VC_dimension" target="_top">number and/or complexity of
categories to classify</a> while maintaining a limit on reliable feature
information you can extract, you eventually run out of descriptive feature
information, and either true positive accuracy goes down or the false positive
rate goes up. This error is called the <a class="ulink" href="http://www.cs.washington.edu/education/courses/csep573/98sp/lectures/lecture8/sld050.htm" target="_top">bias
in your hypothesis space</a>. In fact, even for unbiased hypothesis
spaces, the number of training examples required to achieve a reasonable error
bound is <a class="ulink" href="https://en.wikipedia.org/wiki/Probably_approximately_correct_learning#Equivalence" target="_top">a
function of the complexity of the categories</a> you need to classify.

</p><p>

In the case of this attack, the key factors that increase the classification
complexity (and thus hinder a real world adversary who attempts this attack)
are large numbers of dynamically generated pages, partially cached content,
and the non-web activity of the entire Tor network. This yields an effective
number of "web pages" many orders of magnitude larger than even <a class="ulink" href="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf" target="_top">Panchenko's
"Open World" scenario</a>, which suffered a continuous, near-constant decline
in the true positive rate as the "Open World" size grew (see figure 4). This
large level of classification complexity is further confounded by a noisy and
low resolution featureset, one which is also relatively easy for the defender
to manipulate at low cost.

</p><p>

To make matters worse for a real-world adversary, the ocean of Tor Internet
activity (at least, when compared to a lab setting) makes it a certainty that
an adversary attempting to examine large amounts of Tor traffic will ultimately
be overwhelmed by false positives (even after making heavy tradeoffs on the
ROC curve to minimize false positives to below 0.01%). This problem is known
in the IDS literature as the <a class="ulink" href="http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf" target="_top">Base Rate
Fallacy</a>, and it is the primary reason that anomaly and activity
classification-based IDS and antivirus systems have failed to materialize in
the marketplace (despite early success in academic literature).

</p><p>

Still, we do not believe that these issues are enough to dismiss the attack
outright. But we do believe these factors make it both worthwhile and
effective to <a class="link" href="#traffic-fingerprinting-defenses">deploy
light-weight defenses</a> that reduce the accuracy of this attack by
further contributing noise to hinder successful feature extraction.
projects/torbrowser/design/index.html.en 512)
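The base-rate arithmetic behind the "overwhelmed by false positives" argument above, as an added example that is not part of the design document. The 0.01% false positive rate is the figure the text uses; the 90% true positive rate, the two priors and the daily volume are assumptions chosen for illustration.

```javascript
// Added example, not from the design document: the Base Rate Fallacy applied
// to a website traffic fingerprinting classifier. Numbers marked "assumed"
// are illustrative.

// Positive predictive value: P(the load really was the monitored site | classifier fired).
function positivePredictiveValue(tpr, fpr, prior) {
  const truePositiveMass = tpr * prior;
  const falsePositiveMass = fpr * (1 - prior);
  return truePositiveMass / (truePositiveMass + falsePositiveMass);
}

// Expected alert counts over n observed page loads.
function expectedAlerts(n, tpr, fpr, prior) {
  const truePositives = n * prior * tpr;
  const falsePositives = n * (1 - prior) * fpr;
  return { truePositives, falsePositives, total: truePositives + falsePositives };
}

// Assumed classifier: 90% true positive rate, 0.01% false positive rate
// (the FPR the text describes as the result of a heavy ROC trade-off).
const CLASSIFIER = { tpr: 0.9, fpr: 1e-4 };

// Assumed priors: a closed-world lab set where 1 in 100 loads is the target
// site, versus live Tor traffic where 1 in a million loads is.
const LAB_PRIOR = 1e-2;
const LIVE_PRIOR = 1e-6;

// In the lab, almost every alert is real.
function labPPV() {
  return positivePredictiveValue(CLASSIFIER.tpr, CLASSIFIER.fpr, LAB_PRIOR);
}

// On live traffic, with the same classifier, under 1% of alerts are real.
function livePPV() {
  return positivePredictiveValue(CLASSIFIER.tpr, CLASSIFIER.fpr, LIVE_PRIOR);
}

// Over an assumed 100 million page loads per day: ~90 true hits buried in ~10,000 false ones.
function liveAlertsPerDay() {
  return expectedAlerts(1e8, CLASSIFIER.tpr, CLASSIFIER.fpr, LIVE_PRIOR);
}
```

The classifier is identical in both cases; only the prior changes. That is the whole of the argument in the paragraph above: the true positive rate a paper reports says nothing about precision until it is combined with a realistic base rate.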
</p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
OS</strong></span><p>

Last, but definitely not least, the adversary can exploit either general
browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
install malware and surveillance software. An adversary with physical access
can perform similar actions.

</p><p>

For the purposes of the browser itself, we limit the scope of this adversary
to one that has passive forensic access to the disk after browsing activity
has taken place. This adversary motivates our
<a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> defenses.

</p><p>

An adversary with arbitrary code execution typically has more power, though.
It can be quite hard to significantly limit the capabilities of such an
adversary. <a class="ulink" href="http://tails.boum.org/contribute/design/" target="_top">The Tails system</a> can
provide some defense against this adversary through the use of read-only media
and frequent reboots, but even this can be circumvented on machines without
Secure Boot through the use of BIOS rootkits.

</p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Implementation"></a>4. Implementation</h2></div></div></div><p>

The Implementation section is divided into subsections, each of which
corresponds to a <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">Design Requirement</a>.
Each subsection is divided into specific web technologies or properties. The
implementation is then described for that property.

</p><p>

In some cases, the implementation meets the design requirements in a non-ideal
way (for example, by disabling features). In rare cases, there may be no
implementation at all. Both of these cases are denoted by differentiating
between the <span class="command"><strong>Design Goal</strong></span> and the <span class="command"><strong>Implementation
Status</strong></span> for each property. Corresponding bugs in the <a class="ulink" href="https://trac.torproject.org/projects/tor/report" target="_top">Tor bug tracker</a>
are typically linked for these cases.

</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="proxy-obedience"></a>4.1. Proxy Obedience</h3></div></div></div><p>

Proxy obedience is assured through the following:
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Firefox proxy settings, patches, and build flags</strong></span><p>

Our <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-31.6.0esr-4.5-1" target="_top">Firefox
preferences file</a> sets the Firefox proxy settings to use Tor directly
as a SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
<span class="command"><strong>network.proxy.socks_version</strong></span>,
<span class="command"><strong>network.proxy.socks_port</strong></span>, and
<span class="command"><strong>network.dns.disablePrefetch</strong></span>.

</p><p>

To prevent proxy bypass by WebRTC calls, we disable WebRTC at compile time
with the <span class="command"><strong>--disable-webrtc</strong></span> configure switch, and also
set the pref <span class="command"><strong>media.peerconnection.enabled</strong></span> to false.

</p><p>

We also patch Firefox in order to provide several defense-in-depth mechanisms
for proxy safety. Notably, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=8c6604d2b776f0d8e33ed9130c5f5b8cf744bac8" target="_top">patch
the DNS service</a> to prevent any browser or addon DNS resolution, and we
also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=c96c854c0eca21fed1362d1ddd164b657d351795" target="_top">patch
OCSP and PKIX code</a> to prevent the non-proxied command-line
tool utility functions from being functional while linked in to the browser.
In both cases, we could find no direct paths to these routines in the browser,
but it seemed better safe than sorry.

</p><p>

During every Extended Support Release transition, we perform <a class="ulink" href="https://gitweb.torproject.org/tor-browser-spec.git/tree/audits" target="_top">in-depth
code audits</a> to verify that there are no system calls or XPCOM
activity in the source tree that do not use the browser proxy settings.
</p><p>

We have verified that these settings and patches properly proxy HTTPS, OCSP,
HTTP, FTP, gopher (now defunct), DNS, SafeBrowsing queries, all JavaScript
activity, including HTML5 audio and video objects, addon updates, WiFi
geolocation queries, searchbox queries, XPCOM addon HTTPS/HTTP activity,
WebSockets, and live bookmark updates. We have also verified that IPv6
connections are not attempted, through the proxy or otherwise (Tor does not
yet support IPv6). We have also verified that external protocol helpers, such
as SMB URLs and other custom protocol handlers, are all blocked.
projects/torbrowser/design/index.html.en 597)
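One way to check a profile for the proxy-obedience preferences named in this item, as an added example (not Tor Browser code): it parses the <code class="function">pref()</code>/<code class="function">user_pref()</code> lines of a prefs file and compares them against the expected values. The document names the prefs but not their values; the values below are assumptions for a Tor SOCKS listener on 127.0.0.1:9150, and <code class="function">network.proxy.type</code> and <code class="function">network.proxy.socks</code> are added here because the SOCKS settings are only in effect when a manual proxy is configured. The two sample profiles are constructed.

```javascript
// Added example, not Tor Browser code: verify that a Firefox profile carries
// the proxy-obedience prefs. Expected values marked "assumed" are not stated
// in the design document.

const REQUIRED_PREFS = {
  "network.proxy.type": 1,                // assumed: 1 = manual proxy configuration
  "network.proxy.socks": "127.0.0.1",     // assumed: Tor SOCKS listener address
  "network.proxy.socks_port": 9150,       // assumed: Tor SOCKS listener port
  "network.proxy.socks_version": 5,       // SOCKS5, needed for socks_remote_dns
  "network.proxy.socks_remote_dns": true, // resolve hostnames through the proxy
  "network.dns.disablePrefetch": true,    // no speculative local DNS lookups
  "media.peerconnection.enabled": false,  // belt-and-braces with --disable-webrtc
};

// Parse pref("name", value); and user_pref("name", value); lines. Values are
// JS literals that JSON.parse accepts: numbers, booleans and "strings".
function parsePrefs(text) {
  const prefs = {};
  const lineRe = /^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split("\n")) {
    const m = line.match(lineRe);
    if (!m) continue;
    try {
      prefs[m[1]] = JSON.parse(m[2]);
    } catch (e) {
      prefs[m[1]] = m[2]; // keep unparseable values as raw text; they fail the comparison below
    }
  }
  return prefs;
}

// Returns a list of problems; empty means every required pref is present with
// the expected value. A missing pref is a problem too: the Firefox default for
// socks_remote_dns is false, so absence means a leak, not a pass.
function checkProxyPrefs(prefs) {
  const problems = [];
  for (const [name, want] of Object.entries(REQUIRED_PREFS)) {
    if (!(name in prefs)) {
      problems.push(`${name}: missing, want ${JSON.stringify(want)}`);
    } else if (prefs[name] !== want) {
      problems.push(`${name}: got ${JSON.stringify(prefs[name])}, want ${JSON.stringify(want)}`);
    }
  }
  return problems;
}

// Constructed sample: a profile that satisfies every check.
const GOOD_PROFILE = `
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.dns.disablePrefetch", true);
user_pref("media.peerconnection.enabled", false);
`;

// Constructed sample: SOCKS is configured, but DNS is resolved locally (every
// hostname leaks to the local resolver), WebRTC is on, and prefetch is unset.
const LEAKY_PROFILE = `
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("media.peerconnection.enabled", true);
`;
```

Checking prefs is necessary but not sufficient: it catches a profile that was edited or overridden, while the source patches and ESR audits described above exist precisely for the code paths that ignore these prefs.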
</p></li><li class="listitem"><span class="command"><strong>Disabling plugins</strong></span><p>Plugins have the ability to make arbitrary OS system calls and <a class="ulink" href="http://decloak.net/" target="_top">bypass proxy settings</a>. This includes
the ability to create UDP sockets and send arbitrary data independent of the
browser proxy settings.
</p><p>
Torbutton disables plugins by using the
<span class="command"><strong>@mozilla.org/plugin/host;1</strong></span> service to mark the plugin tags
as disabled. This block can be undone through both the Torbutton Security UI
and the Firefox Plugin Preferences.
</p><p>
If the user does enable plugins in this way, plugin-handled objects are still
restricted from automatic load through Firefox's click-to-play preference
<span class="command"><strong>plugins.click_to_play</strong></span>.
</p><p>

In addition, to reduce any unproxied activity by arbitrary plugins at load
time, and to reduce the fingerprintability of the installed plugin list, we
also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=465cb8295db58a6450dc14a593d29372cbebc71d" target="_top">
prevent the load of any plugins except for Flash and Gnash</a>. Even for
Flash and Gnash, we also patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=e5531b1baa3c96dee7d8d4274791ff393bafd241" target="_top">prevent loading them into the
address space</a> until they are explicitly enabled.

</p></li><li class="listitem"><span class="command"><strong>External App Blocking and Drag Event Filtering</strong></span><p>

External apps can be induced to load files that perform network activity.
Unfortunately, there are cases where such apps can be launched automatically
with little to no user input. In order to prevent this, Torbutton installs a
component to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">
provide the user with a popup</a> whenever the browser attempts to launch
a helper app.

</p><p>

Additionally, modern desktops now pre-emptively fetch any URLs in Drag and
Drop events as soon as the drag is initiated. This download happens
independent of the browser's Tor settings, and can be triggered by something
as simple as holding the mouse button down for slightly too long while
clicking on an image link. We filter drag and drop events <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">from
Torbutton</a> before the OS downloads the URLs the events contained.

</p></li><li class="listitem"><span class="command"><strong>Disabling system extensions and clearing the addon whitelist</strong></span><p>

Firefox addons can perform arbitrary activity on your computer, including
bypassing Tor. It is for this reason we disable the addon whitelist
(<span class="command"><strong>xpinstall.whitelist.add</strong></span>), so that users are prompted
before installing addons regardless of the source. We also exclude
system-level addons from the browser through the use of
<span class="command"><strong>extensions.enabledScopes</strong></span> and
<span class="command"><strong>extensions.autoDisableScopes</strong></span>.

</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="state-separation"></a>4.2. State Separation</h3></div></div></div><p>

Tor Browser state is separated from existing browser state through use of a
custom Firefox profile, and by setting the $HOME environment variable to the
root of the bundle's directory. The browser also does not load any
system-wide extensions (through the use of
<span class="command"><strong>extensions.enabledScopes</strong></span> and
<span class="command"><strong>extensions.autoDisableScopes</strong></span>). Furthermore, plugins are
disabled, which prevents Flash cookies from leaking from a pre-existing Flash
directory.

</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55029872"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

The User Agent MUST (at user option) prevent all disk records of browser activity.
The user should be able to optionally enable URL history and other history
features if they so desire.

</blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55031232"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

We achieve this goal through several mechanisms. First, we set the Firefox
Private Browsing preference
<span class="command"><strong>browser.privatebrowsing.autostart</strong></span>. In addition, four Firefox patches are needed to prevent disk writes, even if
Private Browsing Mode is enabled. We need to

<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=44b8ae43a83191bbf5161cbdbf399e10c1b943d0" target="_top">prevent
the permissions manager from recording HTTPS Strict Transport Security (HSTS) state</a>, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=e5abcb28f131aa96e8762212573488d303b3614d" target="_top">prevent
intermediate SSL certificates from being recorded</a>, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=ee34e122ac2929a7668314483e36e58a88c98c08" target="_top">prevent
the clipboard cache from being written to disk for large pastes</a>, and
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=c8e357740dd7bafa2a129007f27d2b243e36f4a2" target="_top">prevent
the content preferences service from recording site zoom</a>. We also had
projects/torbrowser/design/index.html.en 677) to disable the media cache with the pref <span class="command"><strong>media.cache_size</strong></span>,
projects/torbrowser/design/index.html.en 678) to prevent HTML5 videos from being written to the OS temporary directory,
projects/torbrowser/design/index.html.en 679) which happened regardless of the private browsing mode setting.
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 680)
projects/torbrowser/design/index.html.en 681) </blockquote></div><div class="blockquote"><blockquote class="blockquote">
projects/torbrowser/design/index.html.en 682)
projects/torbrowser/design/index.html.en 683) As an additional defense-in-depth measure, we set the following preferences:
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 684) <span class="command"><strong></strong></span>,
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 685) <span class="command"><strong>browser.cache.disk.enable</strong></span>,
projects/en/torbrowser/design/index.html.en 686) <span class="command"><strong>browser.cache.offline.enable</strong></span>,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 687) <span class="command"><strong>dom.indexedDB.enabled</strong></span>,
projects/torbrowser/design/index.html.en 688) <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>,
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 689) <span class="command"><strong>signon.rememberSignons</strong></span>,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 690) <span class="command"><strong>browser.formfill.enable</strong></span>,
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 691) <span class="command"><strong>browser.download.manager.retention</strong></span>,
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 692) <span class="command"><strong>browser.sessionstore.privacy_level</strong></span>,
projects/torbrowser/design/index.html.en 693) and <span class="command"><strong>network.cookie.lifetimePolicy</strong></span>. Many of these
projects/torbrowser/design/index.html.en 694) preferences are likely redundant with
projects/torbrowser/design/index.html.en 695) <span class="command"><strong>browser.privatebrowsing.autostart</strong></span>, but we have not done the
projects/torbrowser/design/index.html.en 696) auditing work to ensure that yet.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 697)
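The preferences above, checked as an added example (this is not code from the design doc or from Tor Browser): a small JavaScript audit that parses user_pref() lines from a Firefox profile and reports any disk avoidance preference that is missing or left at a value that still permits disk writes. The expected values in DISK_AVOIDANCE_PREFS are my assumptions about the settings Tor Browser ships; the section names the preferences but not their values. The sample profile is constructed.

```javascript
// Added example, not Tor Browser code: audit a Firefox user.js/prefs.js
// fragment for the disk avoidance preferences named in this section. The
// expected values are my assumptions (Tor Browser's shipped settings as I
// know them); the design doc names the preferences but not their values.
const DISK_AVOIDANCE_PREFS = {
  "browser.privatebrowsing.autostart": true,
  "browser.cache.disk.enable": false,
  "browser.cache.offline.enable": false,
  "dom.indexedDB.enabled": false,
  "network.cookie.lifetimePolicy": 2,        // 2: keep cookies for the session only
  "signon.rememberSignons": false,
  "browser.formfill.enable": false,
  "browser.download.manager.retention": 0,   // 0: drop download entries when done
  "browser.sessionstore.privacy_level": 2,   // 2: never persist session form/cookie data
  "media.cache_size": 0,                     // no on-disk media cache
};

// Parse user_pref("name", value); or pref("name", value); lines into a Map.
// Lines that do not match are skipped rather than guessed at.
function parseUserPrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (raw.startsWith('"')) value = raw.slice(1, -1);
    else value = Number(raw);
    prefs.set(name, value);
  }
  return prefs;
}

// Compare a parsed profile with the expected settings. An absent preference
// falls back to the Firefox default, which for these prefs does not prevent
// disk writes, so absence is reported as a finding too.
function auditDiskAvoidance(prefs) {
  const findings = [];
  for (const [name, expected] of Object.entries(DISK_AVOIDANCE_PREFS)) {
    if (!prefs.has(name)) {
      findings.push({ name, problem: "not set" });
    } else if (prefs.get(name) !== expected) {
      findings.push({ name, problem: `is ${prefs.get(name)}, expected ${expected}` });
    }
  }
  return findings;
}

// Render a settings object as user.js lines (the corrected configuration).
function renderUserPrefs(settings) {
  return Object.entries(settings)
    .map(([name, v]) => `user_pref("${name}", ${JSON.stringify(v)});`)
    .join("\n");
}

// Constructed sample: a profile that applies only some of the defenses.
const SAMPLE_PREFS_JS = `
user_pref("browser.privatebrowsing.autostart", true);
user_pref("browser.cache.disk.enable", true);
user_pref("browser.cache.offline.enable", false);
user_pref("dom.indexedDB.enabled", false);
user_pref("network.cookie.lifetimePolicy", 0);
user_pref("signon.rememberSignons", false);
user_pref("browser.formfill.enable", false);
user_pref("browser.download.manager.retention", 0);
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.startup.homepage", "about:blank");
`;

// Audit the constructed sample: the disk cache is still on, cookies are kept
// past the session, and the media cache pref is missing entirely.
function auditSample() {
  return auditDiskAvoidance(parseUserPrefs(SAMPLE_PREFS_JS));
}
```

Running auditDiskAvoidance over renderUserPrefs(DISK_AVOIDANCE_PREFS) yields no findings, which is the quick way to confirm a hardened profile before shipping it.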
</blockquote></div><div class="blockquote"><blockquote class="blockquote">

For more details on disk leak bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&status=!closed" target="_top">tbb-disk-leak tag in our bugtracker</a>.</blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="app-data-isolation"></a>4.4. Application Data Isolation</h3></div></div></div><p>

Tor Browser Bundle MUST NOT cause any information to be written outside of the
bundle directory. This is to ensure that the user is able to completely and
safely remove the bundle without leaving other traces of Tor usage on their
computer.

</p><p>

To ensure TBB directory isolation, we set
<span class="command"><strong>browser.download.useDownloadDir</strong></span>,
<span class="command"><strong>browser.shell.checkDefaultBrowser</strong></span>, and
<span class="command"><strong>browser.download.manager.addToRecentDocs</strong></span>. We also set the
$HOME environment variable to be the TBB extraction directory.
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="identifier-linkability"></a>4.5. Cross-Origin Identifier Unlinkability</h3></div></div></div><p>

The Cross-Origin Identifier Unlinkability design requirement is satisfied
through first party isolation of all browser identifier sources. First party
isolation means that all identifier sources and browser state are scoped
(isolated) using the URL bar domain. This scoping is performed in
combination with any additional third party scope. When first party isolation
is used with explicit identifier storage that already has a constrained third
party scope (such as cookies and DOM storage), this approach is
referred to as "double-keying".

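Double-keying as an added example (this is a model written for this page, not Tor Browser's or Firefox's storage code): a third party's stored state is keyed by the URL bar domain in addition to the third party's own origin, and a tracker embedded on two unrelated sites is shown to see one identifier without first party isolation and two unrelated identifiers with it. The origins news.example, shop.example and tracker.example are constructed.

```javascript
// Added example, not Tor Browser code: a minimal model of double-keying.
// Storage belonging to a third-party origin is keyed by the URL bar domain
// as well, so the same third party gets a fresh jar under each first party.

function storageKey(firstPartyDomain, thirdPartyOrigin, firstPartyIsolation) {
  return firstPartyIsolation
    ? `${firstPartyDomain}\u0000${thirdPartyOrigin}`   // double key
    : thirdPartyOrigin;                                 // classic per-origin key
}

class IdentifierStore {
  constructor(firstPartyIsolation) {
    this.fpi = firstPartyIsolation;
    this.jars = new Map(); // key -> Map(name -> value)
  }
  get(firstParty, origin, name) {
    const jar = this.jars.get(storageKey(firstParty, origin, this.fpi));
    return jar ? jar.get(name) : undefined;
  }
  set(firstParty, origin, name, value) {
    const key = storageKey(firstParty, origin, this.fpi);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  // With first party isolation every jar is tied to one URL bar domain, so
  // "forget this site" is one sweep over the key prefix: the UI
  // simplification the section describes. Returns the number of jars removed.
  clearFirstParty(firstParty) {
    let removed = 0;
    for (const key of [...this.jars.keys()]) {
      if (this.fpi && key.startsWith(firstParty + "\u0000")) {
        this.jars.delete(key);
        removed++;
      }
    }
    return removed;
  }
}

// Third-party script embedded on `firstParty`: reuse the stored identifier
// if one is visible, otherwise mint a new one. This is all a tracker needs.
function trackerVisit(store, firstParty, trackerOrigin, mintId) {
  let uid = store.get(firstParty, trackerOrigin, "uid");
  if (uid === undefined) {
    uid = mintId();
    store.set(firstParty, trackerOrigin, "uid", uid);
  }
  return uid;
}

// The user visits two unrelated sites that both embed the same tracker.
// Returns true if the tracker observes one identifier across both visits,
// i.e. if the visits are linkable.
function visitsAreLinkable(firstPartyIsolation) {
  const store = new IdentifierStore(firstPartyIsolation);
  let counter = 0;
  const mintId = () => `u${++counter}`;
  const tracker = "https://tracker.example";          // constructed origins
  const first = trackerVisit(store, "news.example", tracker, mintId);
  const second = trackerVisit(store, "shop.example", tracker, mintId);
  return first === second;
}

// Clearing one first party removes only that site's view of the tracker.
function clearDemo() {
  const store = new IdentifierStore(true);
  const tracker = "https://tracker.example";
  store.set("news.example", tracker, "uid", "u1");
  store.set("shop.example", tracker, "uid", "u2");
  const removed = store.clearFirstParty("news.example");
  return {
    removed,
    newsUid: store.get("news.example", tracker, "uid"),
    shopUid: store.get("shop.example", tracker, "uid"),
  };
}
```

The same key shape applies to any of the identifier sources enumerated later in this section; what differs per source is only where Firefox had to be patched to thread the URL bar domain into the key.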
</p><p>

The benefit of this approach comes not only in the form of reduced
linkability, but also in terms of simplified privacy UI. If all stored browser
state and permissions become associated with the URL bar origin, the six or
seven different pieces of privacy UI governing these identifiers and
permissions can become just one piece of UI: for instance, a single window that lists
each URL bar origin for which browser state exists, possibly with a
context-menu option to drill down into specific types of state or permissions.
An example of this simplification can be seen in Figure 1.

</p><div class="figure"><a id="idp55052928"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p>

This example UI is a mock-up of how isolating identifiers to the URL bar
origin can simplify the privacy UI for all data, not just cookies. Once
browser identifiers and site permissions are keyed to the URL bar origin, the same
privacy window can represent browsing history, DOM Storage, HTTP Auth, search
form history, login values, and so on within a context menu for each site.

</p></div></div></div><br class="figure-break" /><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55056352"></a>Identifier Unlinkability Defenses in the Tor Browser</h4></div></div></div><p>

Unfortunately, many aspects of browser state can serve as identifier storage,
and no other browser vendor or standards body has invested the effort to
enumerate or otherwise deal with these vectors for third party tracking. As
such, we have had to enumerate and isolate these identifier sources on a
piecemeal basis. Here is the list that we have discovered and dealt with to
date:

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>

All cookies MUST be double-keyed to the URL bar origin and third-party
origin. There exists a <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=565965" target="_top">Mozilla bug</a>
that contains a prototype patch, but it lacks UI, and does not apply to modern
Firefox versions.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

As a stopgap to satisfy our design requirement of unlinkability, we currently
entirely disable third-party cookies by setting
<span class="command"><strong>network.cookie.cookieBehavior</strong></span> to 1. We would prefer that
third party content continue to function, but we believe the requirement for
unlinkability trumps that desire.

</p></li><li class="listitem"><span class="command"><strong>Cache</strong></span><p>

In Firefox, there are actually two distinct caching mechanisms: one for
general content (HTML, JavaScript, CSS), and one specifically for images. The
content cache is isolated to the URL bar domain by <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=7c58be929777d386a03e1faaee648909151fd951" target="_top">altering
each cache key</a> to include an additional ID that includes the URL bar
domain. This functionality can be observed by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and viewing the key used for each cache
entry. Each third party element should have an additional "id=string"
property prepended, which will list the FQDN that was used to source it.

</p><p>

Additionally, because the image cache is a separate entity from the content
cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=d8b98a75fb200268c40886d876adc19e00b933bf" target="_top">isolate
this cache per URL bar domain</a>.

</p></li><li class="listitem"><span class="command"><strong>HTTP Authentication</strong></span><p>

HTTP Authorization headers can be used to encode <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
third party tracking identifiers</a>. To prevent this, we remove HTTP
authentication tokens for third party elements through a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=b8ce4a0760759431f146c71184c89fbd5e1a27e4" target="_top">patch
to nsHTTPChannel</a>.

</p></li><li class="listitem"><span class="command"><strong>DOM Storage</strong></span><p>

DOM storage for third party domains MUST be isolated to the URL bar origin,
to prevent linkability between sites. This functionality is provided through a
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=97490c4a90ca1c43374486d9ec0c5593d5fe5720" target="_top">patch
to Firefox</a>.

</p></li><li class="listitem"><span class="command"><strong>Flash cookies</strong></span><p><span class="command"><strong>Design Goal:</strong></span>

Users should be able to click-to-play Flash objects from trusted sites. To
make this behavior unlinkable, we wish to include a settings file for all platforms that disables Flash
cookies using the <a class="ulink" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html" target="_top">Flash
settings manager</a>.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">having
difficulties</a> causing Flash player to use this settings
file on Windows, so Flash remains difficult to enable.

</p></li><li class="listitem"><span class="command"><strong>SSL+TLS session resumption</strong></span><p><span class="command"><strong>Design Goal:</strong></span>

TLS session resumption tickets and SSL Session IDs MUST be limited to the URL
bar origin.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

We currently clear SSL Session IDs upon <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
Identity</a>, and we disable TLS Session Tickets via the Firefox Pref
<span class="command"><strong>security.enable_tls_session_tickets</strong></span>. We disable SSL Session
IDs via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=a01fb747d4b8b24687de538cb6a1304fe27d9d88" target="_top">patch
to Firefox</a>. To compensate for the increased round trip latency from disabling
these performance optimizations, we also enable
<a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS
False Start</a> via the Firefox Pref
<span class="command"><strong>security.ssl.enable_false_start</strong></span>.
</p></li><li class="listitem"><span class="command"><strong>Tor circuit and HTTP connection linkability</strong></span><p>

Tor circuits and HTTP connections from a third party in one URL bar origin
MUST NOT be reused for that same third party in another URL bar origin.

</p><p>

This isolation functionality is provided by the combination of a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=b3ea705cc35b79a9ba27323cb3e32d5d004ea113" target="_top">Firefox
patch to allow SOCKS usernames and passwords</a>, as well as a Torbutton
component that <a class="ulink" href="" target="_top">sets
the SOCKS username and password for each request</a>. The Tor client has
logic to prevent connections with different SOCKS usernames and passwords from
using the same Tor circuit. Firefox has existing logic to ensure that connections with
SOCKS proxies do not re-use existing HTTP Keep-Alive connections unless the
proxy settings match. We extended this logic to cover SOCKS username and
password authentication, providing us with HTTP Keep-Alive unlinkability.

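The two reuse decisions just described, modelled as an added example (this is not Torbutton, Firefox or Tor code): per-first-party SOCKS credentials are folded into the keep-alive connection key on the browser side and into the circuit choice on the Tor side, so a third party loaded under two URL bar domains shares neither a connection nor a circuit. The credential encoding, the session nonce, the proxy port and the host names are constructed; Torbutton's real username/password format is not reproduced.

```javascript
// Added example, not Tor Browser, Torbutton or Tor code: a model of the two
// reuse decisions described above. Credentials, ports and hosts are constructed.

// Torbutton-style credentials derived from the URL bar domain: the same first
// party always maps to the same pair, different first parties to different
// pairs. The real encoding is not reproduced here.
function socksAuthFor(firstPartyDomain, sessionNonce) {
  return { username: firstPartyDomain, password: sessionNonce };
}

// Firefox side. A keep-alive connection may be reused only when the proxy
// settings match; the design doc's extension adds the SOCKS username and
// password to that comparison, so the pool key includes them.
function connectionKey(host, port, proxy) {
  return [host, port, proxy.type, proxy.host, proxy.port,
          proxy.username, proxy.password].join("|");
}

class KeepAlivePool {
  constructor() { this.idle = new Map(); this.nextId = 1; }
  // Returns {id, reused}: the existing connection when the key matches,
  // otherwise a freshly opened one.
  acquire(host, port, proxy) {
    const key = connectionKey(host, port, proxy);
    if (this.idle.has(key)) return { id: this.idle.get(key), reused: true };
    const id = this.nextId++;
    this.idle.set(key, id);
    return { id, reused: false };
  }
}

// Tor client side: streams carrying different SOCKS credentials are never
// attached to the same circuit.
class CircuitIsolator {
  constructor() { this.circuits = new Map(); this.nextId = 1; }
  circuitFor(auth) {
    const key = `${auth.username}\u0000${auth.password}`;
    if (!this.circuits.has(key)) this.circuits.set(key, this.nextId++);
    return this.circuits.get(key);
  }
}

// Fetch a third-party resource as embedded under a given URL bar domain.
function fetchVia(pool, tor, firstParty, thirdPartyHost, nonce) {
  const auth = socksAuthFor(firstParty, nonce);
  const proxy = { type: "socks5", host: "127.0.0.1", port: 9150, ...auth }; // constructed
  const conn = pool.acquire(thirdPartyHost, 443, proxy);
  return { connection: conn.id, reused: conn.reused, circuit: tor.circuitFor(auth) };
}

// The same tracker loaded twice from news.example, then once from shop.example.
// Within one first party the connection and circuit are reused (performance is
// kept); across first parties both are fresh (linkability is denied).
function linkabilityDemo() {
  const pool = new KeepAlivePool();
  const tor = new CircuitIsolator();
  const nonce = "constructed-session-nonce";
  return {
    newsFirst: fetchVia(pool, tor, "news.example", "tracker.example", nonce),
    newsAgain: fetchVia(pool, tor, "news.example", "tracker.example", nonce),
    shop: fetchVia(pool, tor, "shop.example", "tracker.example", nonce),
  };
}
```

Without the username and password in connectionKey, the shop.example request would match the idle news.example connection and ride the same TCP stream and circuit, which is exactly the reuse the requirement forbids.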
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 844) </p></li><li class="listitem"><span class="command"><strong>SharedWorkers</strong></span><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 845)
projects/torbrowser/design/index.html.en 846) <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker" target="_top">SharedWorkers</a>
projects/torbrowser/design/index.html.en 847) are a special form of Javascript Worker Threads that have a shared scope
projects/torbrowser/design/index.html.en 848) between all threads from the same Javascript origin.
projects/torbrowser/design/index.html.en 849) </p><p><span class="command"><strong>Design Goal:</strong></span>
projects/torbrowser/design/index.html.en 850)
projects/torbrowser/design/index.html.en 851) SharedWorker scope MUST be isolated to the URL bar domain. A SharedWorker
projects/torbrowser/design/index.html.en 852) launched from a third party from one URL bar domain MUST NOT have access to
projects/torbrowser/design/index.html.en 853) the objects created by that same third party loaded under another URL bar domain.
|
Add design doc draft.
Mike Perry authored 12 years ago
|
projects/en/torbrowser/design/index.html.en 854)
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 855) </p><p><span class="command"><strong>Implementation Status:</strong></span>
projects/torbrowser/design/index.html.en 856)
projects/torbrowser/design/index.html.en 857) For now, we disable SharedWorkers via the pref
projects/torbrowser/design/index.html.en 858) <span class="command"><strong>dom.workers.sharedWorkers.enabled</strong></span>.
projects/torbrowser/design/index.html.en 859)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 860) </p></li><li class="listitem"><span class="command"><strong>blob: URIs (URL.createObjectURL)</strong></span><p>
|
Update Tor Browser Design D...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 861)
projects/torbrowser/design/index.html.en 862) The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>
projects/torbrowser/design/index.html.en 863) API allows a site to load arbitrary content into a random UUID that is stored
projects/torbrowser/design/index.html.en 864) in the user's browser, and this content can be accessed via a URL of the form
projects/torbrowser/design/index.html.en 865) <span class="command"><strong>blob:UUID</strong></span> from any other content element anywhere on the
projects/torbrowser/design/index.html.en 866) web. While this UUID value is neither under control of the site nor
predictable, it can still be used to tag a set of users that are of high
interest to an adversary.

</p><p>

URIs created with URL.createObjectURL MUST be limited in scope to the first
party URL bar domain that created them. We provide this isolation in Tor
Browser via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=0d67ab406bdd3cf095802cb25c081641aa1f0bcc" target="_top">direct
patch to Firefox</a> and disable URL.createObjectURL in the WebWorker
context as a stopgap, due to an edge case with enforcing this isolation in
WebWorkers.

</p></li><li class="listitem"><span class="command"><strong>SPDY</strong></span><p>

Because SPDY can store identifiers, it is disabled through the
Firefox preference <span class="command"><strong>network.http.spdy.enabled</strong></span>.

</p></li><li class="listitem"><span class="command"><strong>Automated cross-origin redirects</strong></span><p><span class="command"><strong>Design Goal:</strong></span>

To prevent attacks aimed at subverting the Cross-Origin Identifier
Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
MUST NOT store any identifiers (cookies, cache, DOM storage, HTTP auth, etc.)
for cross-origin redirect intermediaries that do not prompt for user input.
For example, if a user clicks on a bit.ly URL that redirects to a
doubleclick.net URL that finally redirects to a cnn.com URL, only cookies from
cnn.com should be retained after the redirect chain completes.

</p><p>

Non-automated redirect chains that require user input at some step (such as
federated login systems) SHOULD still allow identifiers to persist.

</p><p><span class="command"><strong>Implementation status:</strong></span>

There are numerous ways for the user to be redirected, and the Firefox API
support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
open</a> to implement what we can.

</p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>

<a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
a DOM property that, unusually, is allowed to retain a persistent value
for the lifespan of a browser tab. It is possible to utilize this property for
<a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
storage</a>.

</p><p>

In order to eliminate non-consensual linkability but still allow for sites
that utilize this property to function, we reset the window.name property of
tabs in Torbutton every time we encounter a blank Referer. This behavior
allows window.name to persist for the duration of a click-driven navigation
session, but as soon as the user enters a new URL or navigates between
HTTPS/HTTP schemes, the property is cleared.

</p></li><li class="listitem"><span class="command"><strong>Auto form-fill</strong></span><p>

We disable the password saving functionality in the browser as part of our
<a class="link" href="#disk-avoidance" title="4.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
since users may decide to re-enable disk history records and password saving,
we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
preference to false to prevent saved values from immediately populating
fields upon page load. Since Javascript can read these values as soon as they
appear, setting this preference prevents automatic linkability from stored passwords.

</p></li><li class="listitem"><span class="command"><strong>HSTS supercookies</strong></span><p>

An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS
supercookies</a>. Since HSTS effectively stores one bit of information per domain
name, an adversary in possession of numerous domains can use them to construct
cookies based on stored HSTS state.

</p><p><span class="command"><strong>Design Goal:</strong></span>

There appear to be three options for us: 1. Disable HSTS entirely, and rely
instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
Restrict the number of HSTS-enabled third parties allowed per URL bar origin.
3. Prevent third parties from storing HSTS rules. We have not yet decided upon
the best approach.

</p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
cleared by <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via "New Identity" button">New Identity</a>, but we don't
defend against the creation of these cookies between <span class="command"><strong>New
Identity</strong></span> invocations.

</p></li></ol></div><p>
For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&status=!closed" target="_top">tbb-linkability tag in our bugtracker</a>.
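</p><p>
The redirect-chain rule and the window.name rule from the list above, worked through in JavaScript as an added example; this is not Torbutton or Tor Browser code. The hop and tab shapes, the hostnames and the helper names are assumptions made for the illustration.
</p>

```javascript
// Added illustration, not Tor Browser or Torbutton code: a toy per-tab model
// of two rules from the list above. The hop/tab shapes, hostnames and helper
// names are assumptions made for this example.

// One hop of a redirect chain. `setCookies` lists the cookie names the
// response tried to set; `promptedUser` marks a hop that required user input
// (e.g. a federated-login consent page), which the design treats as consensual.
function makeHop(host, setCookies, promptedUser = false) {
  return { host, setCookies, promptedUser };
}

// "Automated cross-origin redirects": once the chain completes, identifiers
// set by cross-origin intermediaries that never prompted the user are dropped.
// Cookies survive only for hops on the final destination's host (host is used
// as a stand-in for origin here) and for hops that required user input.
// Returns a Map of host -> retained cookie names, in chain order.
function retainedCookies(chain) {
  const retained = new Map();
  if (chain.length === 0) return retained;
  const finalHost = chain[chain.length - 1].host;
  for (const hop of chain) {
    const silentIntermediary = hop.host !== finalHost && !hop.promptedUser;
    if (silentIntermediary) continue;
    const names = retained.get(hop.host) || [];
    retained.set(hop.host, names.concat(hop.setCookies));
  }
  return retained;
}

// "window.name": the Referer a click from `fromUrl` to `toUrl` would carry in
// this model. A typed or bookmarked URL (fromUrl === null) has none, and the
// model strips it on an HTTPS -> HTTP downgrade, which is the direction Firefox
// strips by default; the design text above speaks of scheme changes generally.
function refererFor(fromUrl, toUrl) {
  if (fromUrl === null) return "";
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.protocol === "https:" && to.protocol === "http:") return "";
  return fromUrl;
}

// Torbutton's rule as described above: a blank Referer resets the tab's
// window.name, so the value persists across a click-driven session but not
// across a typed URL or a scheme downgrade. Mutates and returns `tab`.
function navigate(tab, toUrl, viaClick) {
  const referer = viaClick ? refererFor(tab.url, toUrl) : "";
  if (referer === "") tab.windowName = "";
  tab.url = toUrl;
  return tab;
}

// Constructed walk-through of the bit.ly -> doubleclick.net -> cnn.com chain.
const demoChain = [
  makeHop("bit.ly", ["shortener_id"]),
  makeHop("doubleclick.net", ["tracking_id"]),
  makeHop("cnn.com", ["session"]),
];
console.log("retained after chain:", [...retainedCookies(demoChain)]);

const demoTab = { url: null, windowName: "" };
navigate(demoTab, "https://news.example/", false);  // typed URL, nothing to keep yet
demoTab.windowName = "tab-scoped-id";               // set by page script
navigate(demoTab, "https://other.example/", true);  // click: value survives
console.log("after click:", JSON.stringify(demoTab.windowName));
navigate(demoTab, "https://third.example/", false); // typed URL: value cleared
console.log("after typed URL:", JSON.stringify(demoTab.windowName));
```

<p>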
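</p><p>
Options 2 and 3 of the HSTS design goal above, modeled in JavaScript as an added example that is not Tor Browser code (the page says no option has been chosen). The store layout, the hostnames, and the use of bare hostnames as stand-ins for URL bar origins are assumptions.
</p>

```javascript
// Added illustration, not Tor Browser code: the HSTS design goal above lists
// three candidate defenses and says none has been adopted. This models option 2
// (cap the number of HSTS-enabled third parties per URL bar origin) and, as the
// limit-0 case, option 3 (third parties may not store HSTS state at all).
// Store layout and hostnames are assumptions; a real implementation would
// compare registrable domains rather than bare hostnames.

// Parse a Strict-Transport-Security header value (RFC 6797 directives:
// max-age=<seconds>, includeSubDomains; names are case-insensitive and the
// max-age value may be quoted). Returns null when max-age is missing/invalid.
function parseHsts(value) {
  const parsed = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(";")) {
    const eq = part.indexOf("=");
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const raw = eq < 0 ? "" : part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age") {
      const secs = Number(raw);
      if (raw !== "" && Number.isInteger(secs) && secs >= 0) parsed.maxAge = secs;
    } else if (name === "includesubdomains") {
      parsed.includeSubDomains = true;
    }
  }
  return parsed.maxAge === null ? null : parsed;
}

class HstsStore {
  // thirdPartyLimit: how many distinct third-party hosts may pin HSTS state
  // while a given URL bar origin is loaded; 0 implements option 3.
  constructor(thirdPartyLimit) {
    this.thirdPartyLimit = thirdPartyLimit;
    this.entries = new Map();         // host -> { expires, includeSubDomains }
    this.thirdPartyCount = new Map(); // urlBarHost -> number of third-party pins
  }

  // Called for every response carrying an HSTS header. `urlBarHost` is the
  // first-party origin of the tab; `responseHost` the host that sent the header.
  // Returns "stored", "ignored", "cleared" or "malformed".
  observe(urlBarHost, responseHost, headerValue, now = 0) {
    const directives = parseHsts(headerValue);
    if (!directives) return "malformed";
    if (directives.maxAge === 0) {            // max-age=0 removes a known host
      this.entries.delete(responseHost);
      return "cleared";
    }
    if (responseHost !== urlBarHost && !this.entries.has(responseHost)) {
      const used = this.thirdPartyCount.get(urlBarHost) || 0;
      if (used >= this.thirdPartyLimit) return "ignored"; // per-origin budget spent
      this.thirdPartyCount.set(urlBarHost, used + 1);
    }
    this.entries.set(responseHost, {
      expires: now + directives.maxAge * 1000,
      includeSubDomains: directives.includeSubDomains,
    });
    return "stored";
  }

  // Would a plain-HTTP request to `host` be upgraded? Checks the host itself
  // and every parent domain whose entry carries includeSubDomains.
  upgrades(host, now = 0) {
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join("."));
      if (!entry || entry.expires <= now) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// Constructed scenario: a page on news.example embeds three tracker hosts that
// each send an HSTS header, trying to leave one bit of state per host.
const store = new HstsStore(0);
console.log("news.example:", store.observe("news.example", "news.example", "max-age=31536000; includeSubDomains"));
for (const t of ["t1.tracker.example", "t2.tracker.example", "t3.tracker.example"]) {
  console.log(t + ":", store.observe("news.example", t, "max-age=31536000"));
}
console.log("cdn.news.example upgraded:", store.upgrades("cdn.news.example"));
console.log("t1.tracker.example upgraded:", store.upgrades("t1.tracker.example"));
```

<p>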
</p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>

Browser fingerprinting is the act of inspecting browser behaviors and features in
an attempt to differentiate and track individual users.
</p><p>

Fingerprinting attacks are typically broken up into passive and active
vectors. Passive fingerprinting makes use of any information the browser
provides automatically to a website without any specific action on the part of
the website. Active fingerprinting makes use of any information that can be
extracted from the browser by some specific website action, usually involving
Javascript. Some definitions of browser fingerprinting also include
supercookies and cookie-like identifier storage, but we deal with those issues
separately in the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">preceding section on
identifier linkability</a>.
</p><p>
For the most part, however, we do not differentiate between passive or active
fingerprinting sources, since many active fingerprinting mechanisms are very
rapid, and can be obfuscated or disguised as legitimate functionality.

</p><p>

Instead, we believe fingerprinting can only be rationally addressed if we
understand where the problem comes from, what sources of issues are the most
severe, what types of defenses are suitable for which sources, and have a
consistent strategy for designing defenses that maximizes our ability to study
defense efficacy. The following subsections address these issues from a high
level, and we then conclude with a list of our current specific defenses.

</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-scope"></a>Sources of Fingerprinting Issues</h4></div></div></div><p>

All browser fingerprinting issues arise from one of four primary sources:
end-user configuration details, device and hardware characteristics, operating
system vendor and version differences, and browser vendor and version
differences. Additionally, user behavior itself provides one more source of
potential fingerprinting.

</p><p>

In order to help prioritize and inform defenses, we now list these sources in
order from most severe to least severe in terms of the amount of information
they reveal, and describe them in more detail.

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>End-user Configuration Details</strong></span><p>

End-user configuration details are by far the most severe fingerprinting
threat, as they will quickly provide enough information to uniquely
identify a user. We believe it is essential to avoid exposing platform
configuration details to website content at all costs. We also discourage
excessive fine-grained customization of Tor Browser by minimizing and
aggregating user-facing privacy and security options, as well as by
discouraging the use of additional plugins and addons. When it is necessary to
expose configuration details in the course of providing functionality, we
strive to do so only on a per-site basis via site permissions, to avoid
linkability.

</p></li><li class="listitem"><span class="command"><strong>Device and Hardware Characteristics</strong></span><p>

Device and hardware characteristics can be determined in three ways: they can
be reported explicitly by the browser, they can be inferred through browser
functionality, or they can be extracted through statistical measurements of
system performance. We are most concerned with the cases where this
information is either directly reported or can be determined via a single use
of an API or feature, and prefer to either alter functionality to prevent
exposing the most variable aspects of these characteristics, place such
features behind site permissions, or disable them entirely.

</p><p>

On the other hand, because statistical inference of system performance
requires many iterations to achieve accuracy in the face of noise and
concurrent activity, we are less concerned with this mechanism of extracting
such information. We also expect that reducing the resolution of Javascript's
time sources will significantly increase the duration of execution required to
extract accurate results, and thus make statistical approaches both
unattractive and highly noticeable due to excessive resource consumption.

</p></li><li class="listitem"><span class="command"><strong>Operating System Vendor and Version Differences</strong></span><p>

Operating system vendor and version differences permeate many different
aspects of the browser. While it is possible to address these issues with some
effort, the relative lack of diversity in operating systems causes us to
primarily focus our efforts on passive operating system fingerprinting
mechanisms at this point in time. For the purposes of protecting user
anonymity, it is not strictly essential that the operating system be
completely concealed, though we recognize that it is useful to reduce this
differentiation ability where possible, especially for cases where the
specific version of a system can be inferred.

</p></li><li class="listitem"><span class="command"><strong>User Behavior</strong></span><p>

While somewhat outside the scope of browser fingerprinting, for completeness
it is important to mention that users themselves theoretically might be
fingerprinted through their behavior while interacting with a website. This
behavior includes e.g. keystrokes, mouse movements, click speed, and writing
style. Basic vectors such as keystroke and mouse usage fingerprinting can be
mitigated by altering Javascript's notion of time. More advanced issues like
writing style fingerprinting are the domain of <a class="ulink" href="https://github.com/psal/anonymouth/blob/master/README.md" target="_top">other tools</a>.

</p></li><li class="listitem"><span class="command"><strong>Browser Vendor and Version Differences</strong></span><p>

Due to vast differences in feature set and implementation behavior even
between different versions of the same browser, browser vendor and version
differences are simply not possible to conceal in any realistic way. It
is only possible to minimize the differences among different installations of
the same browser vendor and version. We make no effort to mimic any other
major browser vendor, and in fact most of our fingerprinting defenses serve to
differentiate Tor Browser users from normal Firefox users. Because of this,
any study that lumps browser vendor and version differences into its analysis
of the fingerprintability of a population is largely useless for evaluating
either attacks or defenses. Unfortunately, this includes popular large-scale
studies such as <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> and <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a>.

</p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses-general"></a>General Fingerprinting Defenses</h4></div></div></div><p>

To date, the Tor Browser team has concerned itself only with developing
defenses for APIs that have already been standardized and deployed. Once an
API or feature has been standardized and widely deployed, defenses to the
associated fingerprinting issues tend to have only a few options available to
compensate for the lack of up-front privacy design. In our experience, so far
these options have been limited to value spoofing, subsystem modification or
reimplementation, virtualization, site permissions, and feature removal. We
will now describe these options and the fingerprinting sources they tend to
work best with.

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Value Spoofing</strong></span><p>

Value spoofing can be used for simple cases where the browser directly
provides some aspect of the user's configuration details, devices, hardware,
or operating system to a website. It becomes less useful when the
fingerprinting method relies on behavior to infer aspects of the hardware or
operating system, rather than obtaining them directly.

</p></li><li class="listitem"><span class="command"><strong>Subsystem Modification or Reimplementation</strong></span><p>

In cases where simple spoofing is not enough to properly conceal underlying
device characteristics or operating system details, the underlying subsystem
that provides the functionality for a feature or API may need to be modified
or completely reimplemented. This is most common in cases where customizable
or version-specific aspects of the user's operating system are visible through
the browser's featureset or APIs, usually because the browser directly exposes
OS-provided implementations of underlying features. In these cases, such
OS-provided implementations must be replaced by a generic implementation, or
at least modified by an implementation wrapper layer that makes an effort to
conceal any user-customized aspects of the system.

</p></li><li class="listitem"><span class="command"><strong>Virtualization</strong></span><p>

Virtualization is needed when simply reimplementing a feature in a different
way is insufficient to fully conceal the underlying behavior. This is most
common in instances of device and hardware fingerprinting, but since the
notion of time can also be virtualized, virtualization can also apply to any
instance where an accurate measurement of wall clock time is required for a
fingerprinting vector to attain high accuracy.

</p></li><li class="listitem"><span class="command"><strong>Site Permissions</strong></span><p>

In the event that reimplementation or virtualization is too expensive in terms
of performance or engineering effort, and the relative expected usage of a
feature is rare, site permissions can be used to prevent the usage of a
feature for cross-site tracking. Unfortunately, site permissions become less
effective once a feature is already widely overused and abused by many
websites, since warning fatigue typically sets in for most users after just a
few permission requests.

</p></li><li class="listitem"><span class="command"><strong>Feature or Functionality Removal</strong></span><p>

Due to the current bias in favor of invasive APIs that expose the maximum
amount of platform information, some features and APIs are simply not
salvageable in their current form. When such invasive features serve only a
narrow domain or use case, or when there are alternate ways of accomplishing
the same task, these features and/or certain aspects of their functionality
may be simply removed.

projects/torbrowser/design/index.html.en 1127) </p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55149888"></a>Strategies for Defense: Randomization versus Uniformity</h4></div></div></div><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1128)
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1129) When applying a form of defense to a specific fingerprinting vector or source,
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1130) there are two general strategies available: either the implementation for all
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1131) users of a single browser version can be made to behave as uniformly as
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1132) possible, or the user agent can attempt to randomize its behavior so that
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1133) each interaction between a user and a site provides a different fingerprint.
projects/torbrowser/design/index.html.en 1134)
projects/torbrowser/design/index.html.en 1135) </p><p>
projects/torbrowser/design/index.html.en 1136)
projects/torbrowser/design/index.html.en 1137) Although <a class="ulink" href="http://research.microsoft.com/pubs/209989/tr1.pdf" target="_top">some
projects/torbrowser/design/index.html.en 1138) research suggests</a> that randomization can be effective, so far striving
projects/torbrowser/design/index.html.en 1139) for uniformity has generally proved to be a better strategy for Tor Browser
projects/torbrowser/design/index.html.en 1140) for the following reasons:
projects/torbrowser/design/index.html.en 1141)
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1142) </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Evaluation and measurement difficulties</strong></span><p>
projects/torbrowser/design/index.html.en 1143)
projects/torbrowser/design/index.html.en 1144) The fact that randomization causes behaviors to differ slightly with every
projects/torbrowser/design/index.html.en 1145) site visit makes it appealing at first glance, but this same property makes it
projects/torbrowser/design/index.html.en 1146) very difficult to objectively measure its effectiveness. By contrast, an
projects/torbrowser/design/index.html.en 1147) implementation that strives for uniformity is very simple to evaluate. Despite
projects/torbrowser/design/index.html.en 1148) their current flaws, a properly designed version of <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> or <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a> could report the entropy and
projects/torbrowser/design/index.html.en 1149) uniqueness rates for all users of a single user agent version, without the
projects/torbrowser/design/index.html.en 1150) need for complicated statistics about the variance of the measured behaviors.
projects/torbrowser/design/index.html.en 1151)
projects/torbrowser/design/index.html.en 1152) </p><p>
projects/torbrowser/design/index.html.en 1153)
projects/torbrowser/design/index.html.en 1154) Randomization (especially incomplete randomization) may also provide a false
projects/torbrowser/design/index.html.en 1155) sense of security. When a fingerprinting attempt makes naive use of randomized
projects/torbrowser/design/index.html.en 1156) information, a fingerprint will appear unstable, but may not actually be
projects/torbrowser/design/index.html.en 1157) sufficiently randomized to impede a dedicated adversary. Sophisticated
projects/torbrowser/design/index.html.en 1158) fingerprinting mechanisms may either ignore randomized information, or
projects/torbrowser/design/index.html.en 1159) incorporate knowledge of the distribution and range of randomized values into
projects/torbrowser/design/index.html.en 1160) the creation of a more stable fingerprint (by either removing the randomness,
projects/torbrowser/design/index.html.en 1161) modeling it, or averaging it out).
projects/torbrowser/design/index.html.en 1162)
projects/torbrowser/design/index.html.en 1163) </p></li><li class="listitem"><span class="command"><strong>Randomization is not a shortcut</strong></span><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1164)
projects/torbrowser/design/index.html.en 1165) While many end-user configuration details that the browser currently exposes
projects/torbrowser/design/index.html.en 1166) may be safely replaced by false information, randomization of these details
projects/torbrowser/design/index.html.en 1167) must be just as exhaustive as an approach that seeks to make these behaviors
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1168) uniform. When confronting either strategy, the adversary can still make use of
projects/torbrowser/design/index.html.en 1169) any details which have not been altered to be either sufficiently uniform or
projects/torbrowser/design/index.html.en 1170) sufficiently random.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1171)
projects/torbrowser/design/index.html.en 1172) </p><p>
projects/torbrowser/design/index.html.en 1173)
projects/torbrowser/design/index.html.en 1174) Furthermore, the randomization approach seems to break down when it is applied
projects/torbrowser/design/index.html.en 1175) to deeper issues where underlying system functionality is directly exposed. In
projects/torbrowser/design/index.html.en 1176) particular, it is not clear how to randomize the capabilities of hardware
projects/torbrowser/design/index.html.en 1177) attached to a computer in such a way that it either convincingly behaves like
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1178) other hardware, or such that the exact properties of the hardware that vary
projects/torbrowser/design/index.html.en 1179) from user to user are sufficiently randomized. Similarly, truly concealing
projects/torbrowser/design/index.html.en 1180) operating system version differences through randomization may require
projects/torbrowser/design/index.html.en 1181) multiple reimplementations of the underlying operating system functionality to
projects/torbrowser/design/index.html.en 1182) ensure that every operating system version is covered by the range of possible
projects/torbrowser/design/index.html.en 1183) behaviors.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1184)
|
More Tor Browser design doc...
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1185) </p></li><li class="listitem"><span class="command"><strong>Usability issues</strong></span><p>
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1186)
projects/torbrowser/design/index.html.en 1187) When randomization is introduced to features that affect site behavior, it can
projects/torbrowser/design/index.html.en 1188) be very distracting for this behavior to change between visits of a given
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1189) site. For the simplest cases, this will lead to minor visual nuisances.
projects/torbrowser/design/index.html.en 1190) However, when this information affects reported functionality or hardware
projects/torbrowser/design/index.html.en 1191) characteristics, sometimes a site will function one way on one visit, and
projects/torbrowser/design/index.html.en 1192) another way on a subsequent visit.
|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
projects/torbrowser/design/index.html.en 1193)
projects/torbrowser/design/index.html.en 1194) </p></li><li class="listitem"><span class="command"><strong>Performance costs</strong></span><p>
projects/torbrowser/design/index.html.en 1195)
projects/torbrowser/design/index.html.en 1196) Randomizing involves performance costs. This is especially true if the
projects/torbrowser/design/index.html.en 1197) fingerprinting surface is large (like in a modern browser) and one needs more
projects/torbrowser/design/index.html.en 1198) elaborate randomizing strategies (including randomized virtualization) to
projects/torbrowser/design/index.html.en 1199) ensure that the randomization fully conceals the true behavior. Many calls to
projects/torbrowser/design/index.html.en 1200) a cryptographically secure random number generator during the course of a page
projects/torbrowser/design/index.html.en 1201) load will both serve to exhaust available entropy pools, as well as lead to
projects/torbrowser/design/index.html.en 1202) increased computation while loading a page.
projects/torbrowser/design/index.html.en 1203)
projects/torbrowser/design/index.html.en 1204) </p></li><li class="listitem"><span class="command"><strong>Increased vulnerability surface</strong></span><p>
projects/torbrowser/design/index.html.en 1205)
projects/torbrowser/design/index.html.en 1206) Improper randomization might introduce a new fingerprinting vector, as the
projects/torbrowser/design/index.html.en 1207) process of generating the values for the fingerprintable attributes could be
projects/torbrowser/design/index.html.en 1208) itself susceptible to side-channel attacks, analysis, or exploitation.
projects/torbrowser/design/index.html.en 1209)
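As an added illustration of the evaluation argument above (this is example code, not part of the design doc), the simulation below compares what a naive single-visit measurement, a modeling observer, and a uniformity policy report for one constructed population; the population values, noise range, visit count and PRNG seed are all assumptions.

```javascript
// Added example, not code from the Tor Browser design doc: a small simulation
// of how a randomized fingerprint attribute is evaluated. Population values,
// noise range, visit count and the PRNG seed are all constructed.

// Deterministic PRNG (mulberry32) so that the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function next() {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Shannon entropy, in bits, of the observed value distribution: the quantity a
// Panopticlick-style evaluation reports for one browser version's population.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Randomization policy: each reading is the device's true value plus uniform
// integer noise in [-amplitude, amplitude], freshly drawn on every visit.
function randomizedReading(trueValue, amplitude, rng) {
  return trueValue + Math.floor(rng() * (2 * amplitude + 1)) - amplitude;
}

// Uniformity policy: every user of this browser version reports one constant.
function uniformReading() {
  return 0;
}

// A naive measurement: one visit per user. Readings differ between users and
// between visits, so the attribute looks high-entropy and unstable.
function singleVisitReadings(population, amplitude, rng) {
  return population.map((v) => randomizedReading(v, amplitude, rng));
}

// A measurement that models the randomization: the observer knows the noise is
// zero-mean and that true values lie on a grid of spacing `grid`, so it averages
// `visits` readings per user and snaps the mean back onto the grid.
function modeledReadings(population, amplitude, visits, grid, rng) {
  return population.map((v) => {
    let sum = 0;
    for (let i = 0; i < visits; i++) sum += randomizedReading(v, amplitude, rng);
    return Math.round(sum / visits / grid) * grid;
  });
}

// Run both policies over one population and report what an evaluation sees.
function evaluate({ population, amplitude, visits, grid, seed }) {
  const rng = mulberry32(seed);
  const single = singleVisitReadings(population, amplitude, rng);
  const modeled = modeledReadings(population, amplitude, visits, grid, rng);
  const uniform = population.map(() => uniformReading());
  return {
    trueEntropy: entropyBits(population),     // what the hardware really leaks
    apparentEntropy: entropyBits(single),     // what a naive evaluation reports
    modeledEntropy: entropyBits(modeled),     // what a modeling observer recovers
    recovered: modeled.filter((v, i) => v === population[i]).length,
    uniformEntropy: entropyBits(uniform),     // 0 bits: all users look identical
  };
}

// Constructed population: 40 users whose true value takes one of four values
// 10 units apart (2 bits of real information), hidden under +/-30 of noise.
const POPULATION = Array.from({ length: 40 }, (_, i) => 1000 + 10 * (i % 4));
const RESULT = evaluate({ population: POPULATION, amplitude: 30, visits: 400, grid: 10, seed: 7 });
```

The apparent entropy of single visits is well above the 2 bits the population actually carries, while averaging 400 visits recovers every user's true value, which is the "false sense of security" the text describes.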
</p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Specific Fingerprinting Defenses in the Tor Browser</h4></div></div></div><p>

The following defenses are listed roughly in order of most severe
fingerprinting threat first. This ordering is based on the above intuition
that user configurable aspects of the computer are the most severe source of
fingerprintability, followed by device characteristics and hardware, and then
finally operating system vendor and version information.

</p><p>

Where our actual implementation differs from an ideal solution, we separately
describe our <span class="command"><strong>Design Goal</strong></span> and our <span class="command"><strong>Implementation
Status</strong></span>.

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Plugins</strong></span><p>

Plugins add to fingerprinting risk via two main vectors: their mere presence
in window.navigator.plugins (because they are optional, end-user installed
third party software), as well as their internal functionality.

</p><p><span class="command"><strong>Design Goal:</strong></span>

All plugins that have not been specifically audited or sandboxed MUST be
disabled. To reduce linkability potential, even sandboxed plugins should not
be allowed to load objects until the user has clicked through a click-to-play
barrier. Additionally, version information should be reduced or obfuscated
until the plugin object is loaded. For Flash, we wish to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3974" target="_top">provide a
settings.sol file</a> to disable Flash cookies, and to restrict P2P
features that are likely to bypass proxy settings. We'd also like to restrict
access to fonts and other system information (such as IP address and MAC
address) in such a sandbox.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

Currently, we entirely disable all plugins in Tor Browser. However, as a
compromise due to the popularity of Flash, we allow users to re-enable Flash,
and Flash objects are blocked behind a click-to-play barrier that is available
only after the user has specifically enabled plugins. Flash is the only plugin
available; the rest are entirely
blocked from loading by the Firefox patches mentioned in the <a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience">Proxy Obedience
section</a>. We also set the Firefox
preference <span class="command"><strong>plugin.expose_full_path</strong></span> to false, to avoid
leaking plugin installation information.

</p></li><li class="listitem"><span class="command"><strong>HTML5 Canvas Image Extraction</strong></span><p>

After plugins and plugin-provided information, we believe that the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5
Canvas</a> is the single largest fingerprinting threat browsers face
today. <a class="ulink" href="http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf" target="_top">Initial
studies</a> show that the Canvas can provide an easy-access fingerprinting
target: the adversary simply renders WebGL, font, and named color data to a
Canvas element, extracts the image buffer, and computes a hash of that image
data. Subtle differences in the video card, font packs, and even font and
graphics library versions allow the adversary to produce a stable, simple,
high-entropy fingerprint of a computer. In fact, the hash of the rendered
image can be used almost identically to a tracking cookie by the web server.

</p><p>

In some sense, the canvas can be seen as the union of many other
fingerprinting vectors. If WebGL were normalized through software rendering,
system colors were standardized, and the browser shipped a fixed collection of
fonts (see later points in this list), it might not be necessary to create a
canvas permission. However, until then, to reduce the threat from this vector,
we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=6a169ef0166b268b1a27546a17b3d7470330917d" target="_top">prompt before returning valid image data</a> to the Canvas APIs,
and for <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=7d51acca6383732480b49ccdb5506ad6fb92e651" target="_top">access to isPointInPath and related functions</a>.
If the user hasn't previously allowed the site in the URL bar to access Canvas
image data, pure white image data is returned to the Javascript APIs.

</p><p>
</p></li><li class="listitem"><span class="command"><strong>Open TCP Port and Local Network Fingerprinting</strong></span><p>

In Firefox, by using either WebSockets or XHR, it is possible for remote
content to <a class="ulink" href="http://www.andlabs.org/tools/jsrecon.html" target="_top">enumerate
the list of TCP ports open on 127.0.0.1</a>, as well as on any other
machines on the local network. In other browsers, this can be accomplished by
DOM events on image or script tags. This open vs filtered vs closed port list
can provide a highly distinctive fingerprint of a machine, because it essentially
enables the detection of many different popular third party applications and
optional system services (Skype, Bitcoin, Bittorrent and other P2P software,
SSH ports, SMB and related LAN services, CUPS and printer daemon config ports,
mail servers, and so on). It is also possible to determine when ports are
closed versus filtered/blocked (and thus probe custom firewall configuration).

</p><p>

In Tor Browser, we prevent access to 127.0.0.1/localhost by ensuring that even
these requests are still sent by Firefox to our SOCKS proxy (i.e. we set
<span class="command"><strong>network.proxy.no_proxies_on</strong></span> to the empty string). The local
Tor client then rejects them, since it is configured by default to reject
connections to internal IP addresses. Access to the local network is forbidden via the same
mechanism. We also disable the WebRTC API as mentioned previously, since even
if it were usable over Tor, it still currently provides the local IP address
and associated network information to websites.

</p></li><li class="listitem"><span class="command"><strong>Invasive Authentication Mechanisms (NTLM and SPNEGO)</strong></span><p>

Both NTLM and SPNEGO authentication mechanisms can leak the hostname, and in
some cases the current username. The only reason these aren't a more
serious problem is that they typically involve user interaction, and likely
aren't an attractive vector for this reason. However, because it is not clear
whether certain carefully-crafted error conditions in these protocols could cause
them to reveal machine information and still fail silently prior to the
password prompt, these authentication mechanisms should either be disabled, or
placed behind a site permission before their use. We simply disable them.

</p></li><li class="listitem"><span class="command"><strong>USB Device ID Enumeration via the GamePad API</strong></span><p>

The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/API/Gamepad" target="_top">GamePad
API</a> provides web pages with the <a class="ulink" href="https://dvcs.w3.org/hg/gamepad/raw-file/default/gamepad.html#widl-Gamepad-id" target="_top">USB
device id, product id, and driver name</a> of all connected game
controllers, as well as detailed information about their capabilities.
</p><p>

It's our opinion that this API needs to be completely redesigned to provide an
abstract notion of a game controller rather than offloading all of the
complexity associated with handling specific game controller models to web
content authors. For systems without a game controller, a standard controller
can be virtualized through the keyboard, which will serve to both improve
usability by normalizing user interaction with different games, as well as
eliminate fingerprinting vectors. Barring that, this API should be behind a
site permission in Private Browsing Modes. For now though, we simply disable
it via the pref <span class="command"><strong>dom.gamepad.enabled</strong></span>.

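The Plugins, Open TCP Port and GamePad items above each come down to a Firefox preference. As an added example (not code from Tor Browser), the following parses a user.js fragment and audits those three prefs against the values the text describes; the user.js content is constructed, and the pref names are the real ones cited above.

```javascript
// Added example, not code from Tor Browser: parse a Firefox user.js fragment and
// check the prefs named in the sections above against the values the design
// doc describes. The user.js text is constructed for this example; the pref
// names are the real ones the text cites.

// Values the design doc describes for the prefs it names.
const EXPECTED_PREFS = {
  "network.proxy.no_proxies_on": "", // even localhost goes to the SOCKS proxy
  "dom.gamepad.enabled": false,      // GamePad API disabled
  "plugin.expose_full_path": false,  // no plugin installation path leak
};

// user.js values are strings, booleans or integers.
function parseValue(raw) {
  if (raw === "true") return true;
  if (raw === "false") return false;
  if (/^-?\d+$/.test(raw)) return parseInt(raw, 10);
  if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) {
    return JSON.parse(raw); // handles escaped quotes and backslashes
  }
  throw new Error(`unrecognised pref value: ${raw}`);
}

// Parse `user_pref("name", value);` lines, ignoring comments and blank lines.
function parseUserJs(text) {
  const prefs = new Map();
  const lineRe = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*(?:\/\/.*)?$/;
  for (const line of text.split(/\r?\n/)) {
    const m = lineRe.exec(line);
    if (m) prefs.set(m[1], parseValue(m[2]));
  }
  return prefs;
}

// Report prefs that are missing or differ from the expected values. A missing
// pref matters as much as a wrong one: the profile then silently uses the
// Firefox default instead of the value the design doc relies on.
function auditPrefs(prefs, expected = EXPECTED_PREFS) {
  const findings = [];
  for (const [pref, want] of Object.entries(expected)) {
    if (!prefs.has(pref)) {
      findings.push({ pref, problem: "missing", want });
    } else if (prefs.get(pref) !== want) {
      findings.push({ pref, problem: "mismatch", want, got: prefs.get(pref) });
    }
  }
  return findings;
}

// Constructed profile fragment: two prefs right, one wrong.
const SAMPLE_USER_JS = [
  "// constructed sample, not a real Tor Browser profile",
  'user_pref("network.proxy.socks", "127.0.0.1");',
  'user_pref("network.proxy.socks_port", 9150);',
  'user_pref("network.proxy.no_proxies_on", "");',
  'user_pref("dom.gamepad.enabled", false);',
  'user_pref("plugin.expose_full_path", true); // leaks the install path',
].join("\n");

const SAMPLE_FINDINGS = auditPrefs(parseUserJs(SAMPLE_USER_JS));
```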
</p></li><li class="listitem"><span class="command"><strong>Fonts</strong></span><p>

According to the Panopticlick study, fonts provide the most linkability when
they are provided as an enumerable list in file system order, via either the
Flash or Java plugins. However, it is still possible to use CSS and/or
Javascript to query for the existence of specific fonts. With a large enough
pre-built list to query, a large amount of fingerprintable information may
still be available, especially given that additional fonts often end up
installed by third party software and for multilingual support.

</p><p><span class="command"><strong>Design Goal:</strong></span> The sure-fire way to address font
linkability is to ship the browser with a font for every language, typeface,
and style, and to use only those fonts, to the exclusion of system fonts. We are
<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/13313" target="_top">currently
investigating</a> this approach, and our current favorite font sets for
this purpose are the <a class="ulink" href="http://www.droidfonts.com/droidfonts/" target="_top">Droid
fonts</a>, the <a class="ulink" href="http://hangeul.naver.com/" target="_top">Nanum fonts</a>,
and <a class="ulink" href="https://fedorahosted.org/lohit/" target="_top">Lohit fonts</a>. The Droid
font set is fairly complete by itself, but Nanum and Lohit provide smaller
fonts for many South Asian languages. When combined in a way that chooses the
smallest font implementations for each locale, these three font sets provide
coverage for all languages used on Wikipedia with more than
10,000 articles, and several others as well, in approximately 3MB of compressed
overhead. The <a class="ulink" href="https://www.google.com/get/noto/" target="_top">Noto font
set</a> is another font set that aims for complete coverage, but is
considerably larger than the combination of the Droid, Nanum, and Lohit fonts.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

While we investigate shipping our own fonts, we disable
plugins, which prevents font name enumeration. Additionally, we limit both the
number of font queries from CSS, as well as the total number of fonts that can
be used in a document <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=e78bc05159a79c1358fa9c64e565af9d98c141ee" target="_top">with
a Firefox patch</a>. We create two prefs,
<span class="command"><strong>browser.display.max_font_attempts</strong></span> and
<span class="command"><strong>browser.display.max_font_count</strong></span> for this purpose. Once these
limits are reached, the browser behaves as if
<span class="command"><strong>browser.display.use_document_fonts</strong></span> were set.

</p><p>

To improve rendering, we exempt remote <a class="ulink" href="https://developer.mozilla.org/en-US/docs/CSS/@font-face" target="_top">@font-face
fonts</a> from these counts, and if a font-family CSS rule lists a remote
font (in any order), we use that font instead of any of the named local fonts.

|
Update Tor Browser design doc.
Mike Perry authored 9 years ago
|
</p></li><li class="listitem"><span class="command"><strong>Monitor, Widget, and OS Desktop Resolution</strong></span><p>

Both CSS and Javascript have access to a lot of information about the screen
resolution, usable desktop size, OS widget size, toolbar size, title bar size,
and OS desktop widget sizing information that are not at all relevant to
rendering and serve only to provide information for fingerprinting. Since many
aspects of desktop widget positioning and size are user configurable, these
properties yield customized information about the computer, even beyond the
monitor size.

</p><p><span class="command"><strong>Design Goal:</strong></span>

Our design goal here is to reduce the resolution information down to the bare
minimum required for properly rendering inside a content window. We intend to
report all rendering information correctly with respect to the size and
properties of the content window, but report an effective size of 0 for all
border material, and also report that the desktop is only as big as the inner
content window. Additionally, new browser windows are sized such that their
content windows are one of a few fixed sizes based on the user's desktop
resolution. To further reduce resolution-based fingerprinting, we
are <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7256" target="_top">investigating
zoom/viewport-based mechanisms</a> that might allow us to always report the
same desktop resolution regardless of the actual size of the content window,
and simply scale to make up the difference. Until then, the user should also
be informed that maximizing their windows can lead to fingerprintability under
this scheme.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

We automatically resize new browser windows to a 200x100 pixel multiple using
a window observer <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/chrome/content/torbutton.js#n3361" target="_top">based
on desktop resolution</a>. To minimize the effect of the long tail of large
monitor sizes, we also cap the window size at 1000 pixels in each direction.
Additionally, we patch Firefox to use the client content window size <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=bd3b1ed32a9c21fdc92fc35f2ec0a41badc378d5" target="_top">for
window.screen</a>, and to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=a5648c8d80f396caf294d761cc4a9a76c0b33a9d" target="_top">report
a window.devicePixelRatio of 1.0</a>. Similarly, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=3c02858027634ffcfbd97047dfdf170c19ca29ec" target="_top">patch
DOM events to return content window relative points</a>.

We also force popups to open in new tabs (via
<span class="command"><strong>browser.link.open_newwindow.restriction</strong></span>), to avoid
full-screen popups inferring information about the browser resolution. In
addition, we prevent auto-maximizing on browser start, and inform users that
maximized windows are detrimental to privacy in this mode.

</p></li><li class="listitem"><span class="command"><strong>Display Media information</strong></span><p>

Beyond simple resolution information, a large amount of so-called "Media"
information is also exported to content. Even without Javascript, CSS has
access to a lot of information about the device orientation, system theme
colors, and other desktop and display features that are not at all relevant to
rendering and are also user configurable. Most of this
information comes from <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries" target="_top">CSS
Media Queries</a>, but Mozilla has exposed <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors" target="_top">several
user and OS theme defined color values</a> to CSS as well.

</p><p><span class="command"><strong>Design Goal:</strong></span>

CSS should not be able to infer anything that the user has configured about their
computer. Additionally, it should not be able to infer machine-specific
details such as screen orientation or type.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

We patch
Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=cf8956b4460107c5b0053c8fc574e34b0a30ec1e" target="_top">report
a fixed set of system colors to content window CSS</a>, and <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=bbc138486e0489b0d559343fa0522df4ee3b3533" target="_top">prevent
detection of font smoothing on OSX</a>. We also always
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=e17d60442ab0db92664ff68d90fe7bf737374912" target="_top">report
landscape-primary</a> for the screen orientation.

</p></li><li class="listitem"><span class="command"><strong>WebGL</strong></span><p>

WebGL is fingerprintable both through information that is exposed about the
underlying driver and optimizations, as well as through performance
fingerprinting.

</p><p>

Because of the large number of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/" target="_top">previously unexposed
vulnerability surface</a>, we deploy a similar strategy against WebGL as
for plugins. First, WebGL Canvases have click-to-play placeholders (provided
by NoScript), and do not run until authorized by the user. Second, we
obfuscate driver information by setting the Firefox preferences
<span class="command"><strong>webgl.disable-extensions</strong></span> and
<span class="command"><strong>webgl.min_capability_mode</strong></span>, which reduce the information
provided by the following WebGL API calls: <span class="command"><strong>getParameter()</strong></span>,
<span class="command"><strong>getSupportedExtensions()</strong></span>, and
<span class="command"><strong>getExtension()</strong></span>.

</p><p>

Another option for WebGL might be to use software-only rendering, using a
library such as <a class="ulink" href="http://www.mesa3d.org/" target="_top">Mesa</a>. The use of
such a library would avoid hardware-specific rendering differences.

</p></li><li class="listitem"><span class="command"><strong>User Agent and HTTP Headers</strong></span><p><span class="command"><strong>Design Goal:</strong></span>

All Tor Browser users MUST provide websites with an identical user agent and
HTTP header set for a given request type. We omit the Firefox minor revision,
and report a popular Windows platform. If the software is kept up to date,
these headers should remain identical across the population even when updated.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

Firefox provides several options for controlling the browser user agent string,
which we leverage. We also set similar prefs for controlling the
Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=e9841ee41e7f3f1535be2d605084c41ee9faf6c2" target="_top">remove
content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
used</a> to fingerprint OS, platform, and Firefox minor version. </p></li><li class="listitem"><span class="command"><strong>Locale Fingerprinting</strong></span><p>

In Tor Browser, we provide non-English users the option of concealing their OS
and browser locale from websites. It is debatable if this should be as high of
a priority as information specific to the user's computer, but for
completeness, we attempt to maintain this property.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

We set the fallback character set to windows-1252 for all locales, via
<span class="command"><strong>intl.charset.default</strong></span>. We also patch Firefox to allow us to
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=4545ecd6dc2ca7d10aefe36b81658547ea97b800" target="_top">instruct
the JS engine</a> to use en-US as its internal C locale for all Date, Math,
and exception handling.

</p></li><li class="listitem"><span class="command"><strong>Timezone and Clock Offset</strong></span><p>

While the latency in Tor connections varies anywhere from milliseconds to
a few seconds, it is still possible for the remote site to detect large
differences between the user's clock and an official reference time source.

</p><p><span class="command"><strong>Design Goal:</strong></span>

All Tor Browser users MUST report the same timezone to websites. Currently, we
choose UTC for this purpose, although an equally valid argument could be made
for EDT/EST due to the large English-speaking population density (coupled with
the fact that we spoof a US English user agent). Additionally, the Tor
software should detect if the user's clock is significantly divergent from the
clocks of the relays that it connects to, and use this to reset the clock
values used in Tor Browser to something reasonably accurate. Alternatively,
the browser can obtain this clock skew via a mechanism similar to that used in
<a class="ulink" href="https://github.com/ioerror/tlsdate" target="_top">tlsdate</a>.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

We set the timezone using the TZ environment variable, which is supported on
all platforms.

</p></li><li class="listitem"><span class="command"><strong>Javascript Performance Fingerprinting</strong></span><p>

<a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance
fingerprinting</a> is the act of profiling the performance
of various Javascript functions for the purpose of fingerprinting the
Javascript engine and the CPU.

</p><p><span class="command"><strong>Design Goal:</strong></span>

We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3059" target="_top">several potential
mitigation approaches</a> to reduce the accuracy of performance
fingerprinting without risking too much damage to functionality. Our current
favorite is to reduce the resolution of the Event.timeStamp and the Javascript
Date() object, while also introducing jitter. We believe that Javascript time
resolution may be reduced all the way up to the second before it seriously
impacts site operation. Our goal with this quantization is to increase the
amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al.</a> found
that even with the default precision in most browsers, they required up to 120
seconds of amortization and repeated trials to get stable results from their
feature set. We intend to work with the research community to establish the
optimum trade-off between quantization+jitter and amortization time, as well
as identify highly variable Javascript operations. As long as these attacks
take several seconds or more to execute, they are unlikely to be appealing to
advertisers, and are also very likely to be noticed if deployed against a
large number of people.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

Currently, our mitigation against performance fingerprinting is to
disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/" target="_top">Navigation
Timing</a> through the Firefox preference
<span class="command"><strong>dom.enable_performance</strong></span>, and to disable the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties" target="_top">Mozilla
Video Statistics</a> API extensions via the preference
<span class="command"><strong>media.video_stats.enabled</strong></span>.

</p></li><li class="listitem"><span class="command"><strong>Keystroke Fingerprinting</strong></span><p>

Keystroke fingerprinting is the act of measuring key strike time and key
flight time. It is seeing increasing use as a biometric.

</p><p><span class="command"><strong>Design Goal:</strong></span>

We intend to rely on the same mechanisms for defeating Javascript performance
fingerprinting: timestamp quantization and jitter.

</p><p><span class="command"><strong>Implementation Status:</strong></span>
We have no implementation as of yet.
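The quantization-plus-jitter mitigation named in the Design Goals for both Javascript performance fingerprinting and keystroke fingerprinting, as an added example that is not Tor Browser code: the resolution values, the per-bucket jitter scheme and the two machine timing profiles are constructed assumptions.

```javascript
// Added example (not Tor Browser code): timestamp quantization plus jitter as
// described in the Design Goals above, applied to a simulated timing probe.
// The resolutions, the jitter scheme and the rng hook are assumptions chosen
// to keep the demonstration deterministic.

// Floor a raw millisecond timestamp to a multiple of resolutionMs.
function quantize(rawMs, resolutionMs) {
  return Math.floor(rawMs / resolutionMs) * resolutionMs;
}

// Build a clock filter: each quantization bucket gets one random offset in
// [0, resolutionMs), cached so repeated reads of the same bucket agree and
// the filtered clock stays monotonic (bucket k + offset is always below
// bucket k+1, whatever offset that bucket draws).
function makeJitteredClock(resolutionMs, rng = Math.random) {
  const offsets = new Map();
  return function filtered(rawMs) {
    const bucket = quantize(rawMs, resolutionMs);
    if (!offsets.has(bucket)) {
      offsets.set(bucket, rng() * resolutionMs);
    }
    return bucket + offsets.get(bucket);
  };
}

// Duration a page would measure between two raw clock readings once both go
// through the filter, as it would see via Date() or Event.timeStamp.
function filteredElapsed(filter, startRaw, endRaw) {
  return filter(endRaw) - filter(startRaw);
}

// Constructed timing profiles (ms per probe operation) for two hypothetical
// machines running the same probe. Raw values differ; the question is whether
// a page can still tell the machines apart after the filter.
const MACHINE_FAST = [12.3, 11.9, 12.6, 12.1];
const MACHINE_SLOW = [15.7, 16.2, 15.4, 15.9];

// Run each profile through a fresh filter per trial (as a page reloading
// between trials would see) and report whether the measured durations differ.
function distinguishable(profileA, profileB, resolutionMs, rng = Math.random) {
  const measure = (profile) =>
    profile.map((op) => filteredElapsed(makeJitteredClock(resolutionMs, rng), 0, op));
  const a = measure(profileA);
  const b = measure(profileB);
  return a.some((v, i) => v !== b[i]);
}

function demoQuantization() {
  // 1 ms resolution, no jitter: the 3 ms gap between machines survives.
  console.log('1 ms, no jitter:', distinguishable(MACHINE_FAST, MACHINE_SLOW, 1, () => 0));
  // 100 ms resolution with jitter: every probe lands in bucket 0, so both
  // machines report 0 ms and are indistinguishable from one trial.
  console.log('100 ms + jitter:', distinguishable(MACHINE_FAST, MACHINE_SLOW, 100));
}
demoQuantization();
```

Probes that straddle a bucket boundary still see a nonzero difference, which is why the text talks about raising the amortization time rather than eliminating the signal.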
</p></li><li class="listitem"><span class="command"><strong>Operating System Type Fingerprinting</strong></span><p>

As we mentioned in the introduction of this section, OS type fingerprinting is
currently considered a lower priority, due simply to the numerous ways that
characteristics of the operating system type may leak into content, and the
comparatively low contribution of OS to overall entropy. In particular, there
are likely to be many ways to measure the differences in widget size,
scrollbar size, and other rendered details on a page. Also, directly exported
OS routines (such as those from the standard C math library) expose
differences in their implementations through their return values.

</p><p><span class="command"><strong>Design Goal:</strong></span>

We intend to reduce or eliminate OS type fingerprinting to the best extent
possible, but recognize that the effort for reward on this item is not as high
as other areas. The entropy on the current OS distribution is somewhere around
2 bits, which is much lower than other vectors which can also be used to
fingerprint configuration and user-specific information. You can see the
major areas of OS fingerprinting we're aware of using the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-os" target="_top">tbb-fingerprinting-os
tag on our bug tracker</a>.

</p><p><span class="command"><strong>Implementation Status:</strong></span>

At least three HTML5 features have different implementation status across the
major OS vendors and/or the underlying hardware: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery
API</a>, the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
Connection API</a>, and the <a class="ulink" href="https://wiki.mozilla.org/Sensor_API" target="_top">Sensor API</a>. We disable these APIs through the Firefox preferences
<span class="command"><strong>dom.battery.enabled</strong></span>,
<span class="command"><strong>dom.network.enabled</strong></span>, and
<span class="command"><strong>device.sensors.enabled</strong></span>.

projects/torbrowser/design/index.html.en 1604) </p></li></ol></div><p>
For more details on fingerprinting bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=!closed" target="_top">tbb-fingerprinting tag in our bug tracker</a>.
</p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>

In order to avoid long-term linkability, we provide a "New Identity" context
menu option in Torbutton. This context menu option is only active if Torbutton
can read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.

</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55268352"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

All linkable identifiers and browser state MUST be cleared by this feature.

</blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55269600"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

First, Torbutton disables JavaScript in all open tabs and windows by using
both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a>
attribute as well as <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDOMWindowUtils#suppressEventHandling%28%29" target="_top">nsIDOMWindowUtils.suppressEventHandling()</a>.
We then stop all page activity for each tab using <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIWebNavigation#stop%28%29" target="_top">browser.webNavigation.stop(nsIWebNavigation.STOP_ALL)</a>.
We then clear the site-specific zoom by temporarily disabling the preference
<span class="command"><strong>browser.zoom.siteSpecific</strong></span>, and clear the GeoIP wifi token URL
<span class="command"><strong>geo.wifi.access_token</strong></span> and the last opened URL prefs (if
they exist). Each tab is then closed.

</p><p>

After closing all tabs, we emit "<a class="ulink" href="https://developer.mozilla.org/en-US/docs/Supporting_private_browsing_mode#Private_browsing_notifications" target="_top">browser:purge-session-history</a>"
(which instructs addons and various Firefox components to clear their session
state), and then manually clear the following state: searchbox and findbox
text, HTTP auth, SSL state, OCSP state, site-specific content preferences
(including HSTS state), content and image cache, offline cache, offline
storage, cookies, crypto tokens, DOM storage, the safe browsing key, and the
Google wifi geolocation token (if it exists). We also clear NoScript's site
and temporary permissions, and all other browser site permissions.

</p><p>

After the state is cleared, we close all remaining HTTP keep-alive
connections and then send the NEWNYM signal to the Tor control port to cause a
new circuit to be created.
</p><p>

Finally, a fresh browser window is opened, and the current browser window is
closed (this does not spawn a new Firefox process, only a new window). Upon
the close of the final window, an unload handler is fired to invoke the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDOMWindowUtils#garbageCollect%28%29" target="_top">garbage
collector</a>, which has the effect of immediately purging any blob:UUID
URLs that were created by website content via <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>.

</p></blockquote></div><div class="blockquote"><blockquote class="blockquote">
If the user chose to "protect" any cookies by using the Torbutton Cookie
Protections UI, those cookies are not cleared as part of the above.
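As an added example (Python, not Torbutton's own code), the control-port part of the sequence above: the gate on $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT, the quoted AUTHENTICATE command, and the SIGNAL NEWNYM that requests the new circuit. The fake controller and the password values are constructed stand-ins so the exchange runs offline; ControlClient, demo_exchange and the other names are this example's own, and with a real tor the socket from connect_control_port() would be used instead of the socket pair.

```python
"""Added example (not Torbutton's code): the control-port step of New Identity.

Two things from the text are modelled: the option is only offered when
$TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT are readable, and the last
network-facing step is a NEWNYM signal.  The fake controller is a constructed
stand-in that speaks just enough of the Tor control protocol for this
exchange, so the code runs offline.
"""
import os
import socket
import threading


def new_identity_available(env=None):
    """Torbutton's gate: both variables must be present and non-empty."""
    env = os.environ if env is None else env
    return bool(env.get("TOR_CONTROL_PASSWD")) and bool(env.get("TOR_CONTROL_PORT"))


def quote_password(password):
    """Encode a password as a control-protocol QuotedString for AUTHENTICATE."""
    return '"%s"' % password.replace("\\", "\\\\").replace('"', '\\"')


class ControlClient:
    """Minimal synchronous client for the line-oriented control protocol."""

    def __init__(self, sock):
        self.sock = sock
        self.rfile = sock.makefile("rb")

    def command(self, line):
        """Send one command and return the 3-digit status of the final reply line."""
        self.sock.sendall((line + "\r\n").encode("ascii"))
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("controller closed the connection")
            reply = raw.decode("ascii").rstrip("\r\n")
            # "250-..." and "250+..." lines continue a reply; "250 ..." ends it.
            if len(reply) >= 4 and reply[3] == " ":
                return reply[:3]


def send_newnym(sock, password):
    """AUTHENTICATE, then SIGNAL NEWNYM.  True only if both were accepted."""
    client = ControlClient(sock)
    if client.command("AUTHENTICATE " + quote_password(password)) != "250":
        return False          # wrong password: tor replies 515 and hangs up
    accepted = client.command("SIGNAL NEWNYM") == "250"
    client.command("QUIT")
    return accepted


def connect_control_port(env=None):
    """Open the TCP control port named by the environment (real-tor path)."""
    env = os.environ if env is None else env
    return socket.create_connection(("127.0.0.1", int(env["TOR_CONTROL_PORT"])))


def fake_controller(sock, expected_password):
    """Constructed stand-in for tor's control port, enough for this exchange."""
    authed = False
    rfile = sock.makefile("rb")
    for raw in rfile:
        line = raw.decode("ascii").rstrip("\r\n")
        if line.startswith("AUTHENTICATE "):
            authed = line == "AUTHENTICATE " + quote_password(expected_password)
            sock.sendall(b"250 OK\r\n" if authed else b"515 Authentication failed\r\n")
            if not authed:
                break
        elif line == "SIGNAL NEWNYM":
            sock.sendall(b"250 OK\r\n" if authed else b"514 Authentication required\r\n")
        elif line == "QUIT":
            sock.sendall(b"250 closing connection\r\n")
            break
    sock.close()


def demo_exchange(client_password, controller_password):
    """Run send_newnym() against the fake controller over a socket pair."""
    client_sock, server_sock = socket.socketpair()
    worker = threading.Thread(target=fake_controller, args=(server_sock, controller_password))
    worker.start()
    try:
        return send_newnym(client_sock, client_password)
    finally:
        client_sock.close()
        worker.join()


if __name__ == "__main__":
    print("correct password:", demo_exchange("s3cret", "s3cret"))   # True
    print("wrong password:  ", demo_exchange("nope", "s3cret"))     # False
```

The order matters as much as the signal: NEWNYM only makes future streams use a fresh circuit, which is why the design clears browser state and closes keep-alive connections before sending it, so nothing that still carries the old identity can ride on the new circuit.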
</blockquote></div></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="other-security"></a>4.8. Other Security Measures</h3></div></div></div><p>

In addition to the above mechanisms that are devoted to preserving privacy
while browsing, we also have a number of technical mechanisms to address other
privacy and security issues.

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="security-slider"></a><span class="command"><strong>Security Slider</strong></span><p>

In order to provide vulnerability surface reduction for users who need high
security, we have implemented a "Security Slider" to allow users to make a
tradeoff between usability and security while minimizing the total number of
choices (to reduce fingerprinting). Using metrics collected from
Mozilla's bug tracker, we analyzed the vulnerability counts of core
components, and used <a class="ulink" href="https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle" target="_top">information
gathered from a study performed by iSec Partners</a> to inform which
features should be disabled at which security levels.

</p><p>

The Security Slider consists of four positions:

</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><span class="command"><strong>Low</strong></span><p>

At this security level, the preferences are the Tor Browser defaults.

</p></li><li class="listitem"><span class="command"><strong>Medium-Low</strong></span><p>

At this security level, we disable the Ion JIT
(<span class="command"><strong>javascript.options.ion.content</strong></span>), the TypeInference JIT
(<span class="command"><strong>javascript.options.typeinference</strong></span>), asm.js
(<span class="command"><strong>javascript.options.asmjs</strong></span>), WebAudio
(<span class="command"><strong>media.webaudio.enabled</strong></span>) and MathML
(<span class="command"><strong>mathml.disabled</strong></span>), block remote JAR files
(<span class="command"><strong>network.jar.block-remote-files</strong></span>), and make HTML5 audio and
video click-to-play via NoScript (<span class="command"><strong>noscript.forbidMedia</strong></span>).

</p></li><li class="listitem"><span class="command"><strong>Medium-High</strong></span><p>

This security level inherits the preferences from the Medium-Low level, and
additionally disables the baseline JIT
(<span class="command"><strong>javascript.options.baselinejit.content</strong></span>), disables Graphite
(<span class="command"><strong>gfx.font_rendering.graphite.enabled</strong></span>) and SVG OpenType font
rendering (<span class="command"><strong>gfx.font_rendering.opentype_svg.enabled</strong></span>), and only
allows JavaScript to run if it is loaded over HTTPS and the URL bar is HTTPS
(by setting <span class="command"><strong>noscript.global</strong></span> to false and
<span class="command"><strong>noscript.globalHttpsWhitelist</strong></span> to true).

</p></li><li class="listitem"><span class="command"><strong>High</strong></span><p>

This security level inherits the preferences from the Medium-Low and
Medium-High levels, and additionally disables remote fonts
(<span class="command"><strong>noscript.forbidFonts</strong></span>), completely disables JavaScript (by
unsetting <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span>), and disables SVG
images (<span class="command"><strong>svg.in-content.enabled</strong></span>).

</p></li></ul></div></li><li class="listitem"><a id="traffic-fingerprinting-defenses"></a><span class="command"><strong>Website Traffic Fingerprinting Defenses</strong></span><p>

<a class="link" href="#website-traffic-fingerprinting">Website Traffic
Fingerprinting</a> is a statistical attack that attempts to recognize specific
website activity despite encryption.

</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55303936"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available
for classification. This mechanism would either impact the true and false
positive accuracy rates, <span class="emphasis"><em>or</em></span> reduce the number of web pages
that could be classified at a given accuracy rate.

</p><p>

Ideally, this mechanism would be as lightweight as possible, and would be
tunable in terms of overhead. We suspect that it may even be possible to
deploy a mechanism that reduces feature extraction resolution without any
network overhead. In the no-overhead category, we have <a class="ulink" href="http://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf" target="_top">HTTPOS</a> and
<a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">better
use of HTTP pipelining and/or SPDY</a>.
In the tunable/low-overhead
category, we have <a class="ulink" href="http://freehaven.net/anonbib/cache/ShWa-Timing06.pdf" target="_top">Adaptive
Padding</a> and <a class="ulink" href="http://www.cs.sunysb.edu/~xcai/fp.pdf" target="_top">
Congestion-Sensitive BUFLO</a>. It may also be possible to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/7028" target="_top">tune such
defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor
network, making them also effectively no-overhead.

</p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp55310832"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=20a59cec9886cf2575b1fd8e92b43e31ba053fbd" target="_top">randomize
pipeline order and depth</a>. Unfortunately, pipelining is very fragile.
Many sites do not support it, and even sites that advertise support for
pipelining may simply return error codes for successive requests, effectively
forcing the browser into non-pipelined behavior. Firefox also has code to back
off and reduce or eliminate the pipeline if this happens. These
shortcomings and fallback behaviors are the primary reason that Google
developed SPDY as opposed to simply extending HTTP to improve pipelining. It
turns out that we could actually deploy exit-side proxies that allow us to
<a class="ulink" href="https://gitweb.torproject.org/torspec.git/tree/proposals/ideas/xxx-using-spdy.txt" target="_top">use
SPDY from the client to the exit node</a>. This would make our defense not
only free, but one that actually <span class="emphasis"><em>improves</em></span> performance.

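To make the no-overhead claim and the fragility of pipelining concrete, here is an added simulation (Python; not Tor Browser's Firefox patch) of what a passive observer sees when request order and pipeline depth are randomized. SAMPLE_PAGE and its byte counts are constructed, and the model treats each pipeline batch as one request burst and one response burst, which is a simplification of real TCP behaviour.

```python
"""Added example (not Tor Browser code): what pipeline randomization changes.

A passive observer of a Tor circuit cannot read request contents, but can
see the sizes of the request and response bursts.  This toy model fetches a
constructed page over a pipelined connection and reports those burst sizes
under three conditions: no randomization, randomization with a server that
honours pipelining, and randomization against a server that falls back to
one request at a time (the fragility the text describes).
"""
import random

# Constructed sample page: (resource, request bytes, response bytes).
SAMPLE_PAGE = [
    ("index.html", 310, 18240),
    ("style.css", 280, 4120),
    ("app.js", 270, 61900),
    ("logo.png", 285, 9800),
    ("font.woff", 290, 33400),
    ("banner.jpg", 295, 72100),
]


def fetch_signature(page, rng, randomize=True, pipelining=True, max_depth=4):
    """Return the observer's view of one visit: a tuple of (out, in) burst sizes.

    With randomize=True the resource order is shuffled and each pipeline
    batch gets a random depth in 1..max_depth.  If the server does not
    honour pipelining, every batch collapses to a single request, so only
    the order randomization survives.
    """
    order = list(page)
    if randomize:
        rng.shuffle(order)
    bursts, i = [], 0
    while i < len(order):
        depth = rng.randint(1, max_depth) if (randomize and pipelining) else 1
        batch = order[i:i + depth]
        bursts.append((sum(r[1] for r in batch), sum(r[2] for r in batch)))
        i += depth
    return tuple(bursts)


def histogram(signature):
    """Order-insensitive feature: the multiset of burst sizes."""
    return tuple(sorted(signature))


def total_bytes(signature):
    """Bytes on the wire; the defense must not change this (no overhead)."""
    return sum(out + inc for out, inc in signature)


def count_distinct(page, visits, feature=histogram, seed=7, **options):
    """How many distinct feature values an observer sees over `visits` visits."""
    rng = random.Random(seed)
    return len({feature(fetch_signature(page, rng, **options)) for _ in range(visits)})


def all_totals(page, visits, seed=7, **options):
    """Set of total byte counts seen over `visits` visits (should be one value)."""
    rng = random.Random(seed)
    return {total_bytes(fetch_signature(page, rng, **options)) for _ in range(visits)}


if __name__ == "__main__":
    for label, opts in [("fixed order, no pipelining", dict(randomize=False)),
                        ("randomized, server pipelines", dict(randomize=True)),
                        ("randomized, server refuses pipelining", dict(pipelining=False))]:
        print("%-40s distinct histograms over 50 visits: %d"
              % (label, count_distinct(SAMPLE_PAGE, 50, **opts)))
```

The third condition is the one the text warns about: when the server answers only one request at a time, the burst-size multiset is identical on every visit, so an order-insensitive classifier loses nothing, even though the browser asked for randomized pipelines. An evaluation that does not report how often pipelining was actually in effect cannot distinguish a broken defense from one that never got to run.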
</p><p>

Knowing this, we created this defense as an <a class="ulink" href="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting" target="_top">experimental
research prototype</a> to help evaluate what could be done in the best
case with full server support. Unfortunately, the bias in favor of compelling
attack papers has caused academia to ignore this request thus far, instead
publishing only cursory (yet "devastating") evaluations that fail to provide
even simple statistics such as the rates of actual pipeline utilization during
their evaluations, in addition to the other shortcomings and shortcuts <a class="link" href="#website-traffic-fingerprinting">mentioned earlier</a>. We can
accept that our defense might fail to work as well as others (in fact, we
expect it to), but unfortunately the very same shortcuts that provide excellent
attack results also allow the conclusion that all defenses are broken forever.
So sadly, we are still left in the dark on this point.

</p></blockquote></div></div></li><li class="listitem"><span class="command"><strong>Privacy-preserving update notification</strong></span><p>

In order to inform the user when their Tor Browser is out of date, we perform a
privacy-preserving update check asynchronously in the background. The
check uses Tor to download the file <a class="ulink" href="https://check.torproject.org/RecommendedTBBVersions" target="_top">https://check.torproject.org/RecommendedTBBVersions</a>
and searches that version list for the current value of the local preference
<span class="command"><strong>torbrowser.version</strong></span>. If the value from our preference is
present in the recommended version list, the check is considered to have
succeeded and the user is up to date. If not, it is considered to have failed
and an update is needed. The check is triggered upon browser launch, new
window, and new tab, but is rate limited so as to happen no more frequently
than once every 1.5 hours.

</p><p>

If the check fails, we cache this fact, and update the Torbutton graphic to
display a flashing warning icon and insert a menu option that provides a link
to our download page. Additionally, we reset the value for the browser
homepage to point to a <a class="ulink" href="https://check.torproject.org/?lang=en-US&small=1&uptodate=0" target="_top">page that
informs the user</a> that their browser is out of
date.

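An added example (Python, not Torbutton's code) of the version check and its rate limiting as described above. The fetch and the clock are injected so the logic runs offline; it assumes the RecommendedTBBVersions file is a JSON array of version strings (an assumption, with SAMPLE_RECOMMENDED a constructed sample), and since this document does not say how a failed download should be treated, the code keeps the cached verdict in that case rather than declaring the browser out of date.

```python
"""Added example (not Torbutton's code): the recommended-version check.

The fetch is injected so the logic runs offline; real code would download
UPDATE_CHECK_URL through Tor.  The version-list format is an assumption: a
JSON array of version strings, and SAMPLE_RECOMMENDED is a constructed sample.
"""
import json
import time

UPDATE_CHECK_URL = "https://check.torproject.org/RecommendedTBBVersions"
OUT_OF_DATE_PAGE = "https://check.torproject.org/?lang=en-US&small=1&uptodate=0"
CHECK_INTERVAL = 1.5 * 60 * 60  # seconds; the rate limit from the design

# Constructed sample body (format assumed, see module docstring).
SAMPLE_RECOMMENDED = '["4.0.8-Linux", "4.5", "4.5-Linux", "4.5-MacOS", "4.5-Windows"]'


def parse_recommended(body):
    """Parse the version list; reject anything that is not a list of strings."""
    versions = json.loads(body)
    if not isinstance(versions, list) or not all(isinstance(v, str) for v in versions):
        raise ValueError("unexpected version list format")
    return set(versions)


def is_up_to_date(local_version, body):
    """The check succeeds iff the local torbrowser.version value is listed."""
    return local_version in parse_recommended(body)


class UpdateChecker:
    def __init__(self, local_version, fetch, clock=time.monotonic):
        self.local_version = local_version   # value of the torbrowser.version pref
        self.fetch = fetch                   # callable(url) -> body text
        self.clock = clock
        self.last_check = None
        self.needs_update = False            # cached result of the last real check
        self.warning_shown = False           # stands in for the Torbutton icon/menu
        self.homepage = None

    def trigger(self):
        """Entry point for launch / new window / new tab; rate limited to 1.5 h."""
        now = self.clock()
        if self.last_check is not None and now - self.last_check < CHECK_INTERVAL:
            return self.needs_update         # rate limited: reuse the cached verdict
        self.last_check = now
        try:
            body = self.fetch(UPDATE_CHECK_URL)
            self.needs_update = not is_up_to_date(self.local_version, body)
        except (OSError, ValueError):
            # Assumption, not stated in the design: a download or parse error is
            # not evidence of being out of date, so the cached verdict is kept.
            return self.needs_update
        if self.needs_update:
            self.warning_shown = True
            self.homepage = OUT_OF_DATE_PAGE
        return self.needs_update


def demo(local_version, body=SAMPLE_RECOMMENDED):
    """Drive the checker with a fake clock: (verdicts, fetch count, homepage)."""
    clock = [0.0]
    fetches = []

    def fetch(url):
        fetches.append(url)
        return body

    checker = UpdateChecker(local_version, fetch, clock=lambda: clock[0])
    verdicts = [checker.trigger()]          # browser launch: real check
    clock[0] += 3600
    verdicts.append(checker.trigger())      # new tab one hour later: rate limited
    clock[0] += 3600
    verdicts.append(checker.trigger())      # two hours after launch: real check
    return verdicts, len(fetches), checker.homepage


if __name__ == "__main__":
    print(demo("4.5-Linux"))      # ([False, False, False], 2, None)
    print(demo("4.0.7-Linux"))    # ([True, True, True], 2, OUT_OF_DATE_PAGE)
```

Membership in a recommended list (rather than a version comparison) is what keeps the check privacy-preserving: the browser never tells the server its own version, and the same file is served to everyone.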
</p><p>

We also make use of the in-browser Mozilla updater, and have <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=bcf51aae541fc28de251924ce9394224bd2b814c" target="_top">patched
the updater</a> to avoid sending OS and kernel version information as part
of its update pings.

</p></li></ol></div></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="BuildSecurity"></a>5. Build Security and Package Integrity</h2></div></div></div><p>

In the age of state-sponsored malware, <a class="ulink" href="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise" target="_top">we
believe</a> it is unrealistic to expect to keep a single build machine or
software signing key secure, given the class of adversaries that Tor has to
contend with. For this reason, we have deployed a build system
that allows anyone to use our source code to reproduce byte-for-byte identical
binary packages to the ones that we distribute.

</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp55327360"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>

The GNU toolchain has been working on providing reproducible builds for some
time; however, a large software project such as Firefox typically ends up
embedding a large number of details about the machine it was built on, both
intentionally and inadvertently. Additionally, manual changes to the build
machine configuration can accumulate over time and are difficult for others to
replicate externally, which leads to difficulties with binary reproducibility.

</p><p>
For this reason, we decided to leverage the work done by the <a class="ulink" href="http://gitian.org/" target="_top">Gitian Project</a> from the Bitcoin community.
Gitian is a wrapper around Ubuntu's virtualization tools that allows you to
specify an Ubuntu version, architecture, a set of additional packages, a set
of input files, and a bash build scriptlet in a YAML document called a
"Gitian Descriptor". This document is used to install a qemu-kvm image, and
execute your build scriptlet inside it.
</p><p>

We have created a <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/refs/heads/master" target="_top">set
of wrapper scripts</a> around Gitian to automate dependency download and
authentication, as well as to transfer intermediate build outputs between the
stages of the build process. Because Gitian creates an Ubuntu build
environment, we must use cross-compilation to create packages for Windows and
Mac OS. For Windows, we use mingw-w64 as our cross compiler. For Mac OS, we
use crosstools-ng in combination with a binary redistribution of the Mac OS 10.6
SDK.

</p><p>

The use of the Gitian system eliminates build non-determinism by normalizing
the build environment's hostname, username, build path, uname output,
toolchain versions, and time. On top of what Gitian provides, we also had to
address the following additional sources of non-determinism:

</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Filesystem and archive reordering</strong></span><p>

The most prevalent source of non-determinism in the components of Tor Browser
by far was the various ways that archives (such as zip, tar, jar/ja, DMG, and
Firefox manifest lists) could be reordered. Many file archivers walk the
file system in inode structure order by default, which will result in ordering
differences between two different archive invocations, especially on machines
of different disk and hardware configurations.

</p><p>

The fix for this is to perform an additional sorting step on the input list
for archives, but care must be taken to instruct libc and other sorting routines
to use a fixed locale to determine lexicographic ordering, or machines with
different locale settings will produce different sort results. We chose the
'C' locale for this purpose. We created wrapper scripts for <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dtar.sh" target="_top">tar</a>,
<a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dzip.sh" target="_top">zip</a>,
and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/ddmg.sh" target="_top">DMG</a>
to aid in reproducible archive creation.

</p></li><li class="listitem"><span class="command"><strong>Uninitialized memory in toolchain/archivers</strong></span><p>

We ran into difficulties with both binutils and the DMG archive script using
uninitialized memory in certain data structures that ended up written to disk.
Our binutils fixes were merged upstream, but the DMG archive fix remains an
<a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/patches/libdmg.patch" target="_top">independent
patch</a>.

</p></li><li class="listitem"><span class="command"><strong>Fine-grained timestamps and timezone leaks</strong></span><p>

The standard way of controlling timestamps in Gitian is to use libfaketime,
which hooks time-related library calls to provide a fixed timestamp. However,
due to our use of wine to run py2exe for python-based pluggable transports,
pyc timestamps had to be addressed with an additional <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/pyc-timestamp.sh" target="_top">helper
script</a>. The timezone leaks were addressed by setting the
<span class="command"><strong>TZ</strong></span> environment variable to UTC in our descriptors.

</p></li><li class="listitem"><span class="command"><strong>Deliberately generated entropy</strong></span><p>

In two circumstances, deliberately generated entropy was introduced in various
components of the build process. First, the BuildID Debuginfo identifier
(which associates detached debug files with their corresponding stripped
executables) was introducing entropy from some unknown source. We removed this
header using objcopy invocations in our build scriptlets, and opted to use GNU
DebugLink instead of BuildID for this association.

</p><p>

Second, on Linux, Firefox builds detached signatures of its cryptographic
libraries using a temporary key for FIPS-140 certification. A rather insane
subsection of the FIPS-140 certification standard requires that you distribute
signatures for all of your cryptographic libraries. The Firefox build process
meets this requirement by generating a temporary key, using it to sign the
libraries, and discarding the private portion of that key. Because there are
many other ways to intercept the crypto outside of modifying the actual DLL
images, we opted to simply remove these signature files from distribution.
There simply is no way to verify code integrity on a running system without
both OS and co-processor assistance. Download package signatures make sense of
course, but we handle those another way (as mentioned above).

</p></li><li class="listitem"><span class="command"><strong>LXC-specific leaks</strong></span><p>

Gitian provides an option to use LXC containers instead of full qemu-kvm
virtualization. Unfortunately, these containers can allow additional details
about the host OS to leak. In particular, umask settings as well as the
hostname and Linux kernel version can leak from the host OS into the LXC
container. We addressed umask by setting it explicitly in our Gitian
descriptor scriptlet, and addressed the hostname and kernel version leaks by
directly patching the aspects of the Firefox build process that included this
information into the build. It also turns out that some libraries (in
particular: libgmp) attempt to detect the current CPU to determine which
optimizations to compile in. This CPU type is uniform on our KVM instances,
but differs under LXC. We are also currently investigating
<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/12240" target="_top">oddities related to
time-based dependency tracking</a> that only appear in LXC containers.

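As an added example (not the project's dtar.sh or dzip.sh), the following shell helper applies the fixes named in this list to a tarball: members sorted in the 'C' locale, a fixed mtime, TZ set to UTC, a fixed owner and umask, and a gzip header without a timestamp. The sample tree, its file names and the reproducibility check are constructed here; GNU tar and coreutils are assumed.

```shell
#!/bin/sh
# Added example, not the project's dtar.sh: a minimal deterministic tarball
# helper that removes the sources of non-determinism named in the list above:
# archive member order (sorted in the 'C' locale), timestamps, timezone, owner
# and umask. It then builds the same tree twice in different creation order and
# checks that the two archives are bit-identical.
set -eu

export TZ=UTC   # timezone leak: every time-related call now sees UTC
umask 022       # LXC umask leak: modes stored in the archive no longer depend on the host

# dtar OUT.tar.gz DIR: archive DIR so that the output bytes depend only on the
# names and contents of its files.
dtar() {
    out=$1; dir=$2
    # Walk the tree, then sort the member list in the 'C' locale so machines
    # with different LANG/LC_COLLATE settings agree on the order. --no-recursion
    # with --files-from makes tar add exactly the listed entries in that order.
    ( cd "$dir" && find . -print0 | LC_ALL=C sort -z \
        | tar --create --file=- --null --no-recursion --files-from=- \
              --owner=0 --group=0 --numeric-owner \
              --mtime='2000-01-01 00:00:00 UTC' ) \
      | gzip -9n > "$out"   # -n: no file name or timestamp in the gzip header
}

# sha256_of FILE: print only the hex digest.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# make_tree DIR STAMP NAMES...: constructed sample input. The creation order and
# the mtime differ between the two trees, standing in for the inode-order and
# clock differences seen between two real build machines.
make_tree() {
    dir=$1; stamp=$2; shift 2
    mkdir -p "$dir/lib"
    for name in "$@"; do
        printf 'payload of %s\n' "$name" > "$dir/$name"
        touch -t "$stamp" "$dir/$name"
    done
}

# demo_reproducible: return 0 when two archives of the same content, produced
# from trees created in different order and with different mtimes, match.
demo_reproducible() {
    work=$(mktemp -d)
    make_tree "$work/a" 201001010000 lib/tor.so firefox start-tor-browser
    make_tree "$work/b" 201506060000 start-tor-browser firefox lib/tor.so
    dtar "$work/a.tar.gz" "$work/a"
    dtar "$work/b.tar.gz" "$work/b"
    h1=$(sha256_of "$work/a.tar.gz"); h2=$(sha256_of "$work/b.tar.gz")
    rm -rf "$work"
    [ "$h1" = "$h2" ]
}

if demo_reproducible; then echo "archives are bit-identical"; else echo "archives differ"; fi
```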
</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp55349120"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>

The build process generates a single sha256sums.txt file that contains a sorted
list of the SHA-256 hashes of every package produced for that build version. Each
official builder uploads this file and a GPG signature of it to a directory
on a Tor Project web server. The build scripts have an optional matching
step that downloads these signatures, verifies them, and ensures that the
local builds match this file.

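An added example, not the project's build scripts, of the sha256sums.txt generation and the matching step described here; the package names, the sha256sums.txt.asc signature path and the two sample builds are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the project's build scripts: generate the sorted
# sha256sums.txt for a build and run the matching step that compares a local
# build against the list published by an official builder.
set -eu

# write_sha256sums PKGDIR: hash every package in PKGDIR into PKGDIR/sha256sums.txt,
# one "<hash>  <name>" line per package, sorted by name in the 'C' locale so
# that the file itself is reproducible. A single hash of this file then
# authenticates the whole set of packages for the version.
write_sha256sums() {
    pkgdir=$1
    ( cd "$pkgdir" && find . -type f ! -name sha256sums.txt | sed 's|^\./||' \
        | LC_ALL=C sort | xargs sha256sum ) > "$pkgdir/sha256sums.txt"
}

# verify_signature SUMSFILE: check the builder's detached signature before
# trusting the list. Assumes the signature lives at SUMSFILE.asc and that the
# builder's public key is already in the local keyring. Not exercised by the
# demo below, which has no key to verify against.
verify_signature() {
    gpg --verify "$1.asc" "$1"
}

# match_sha256sums LOCAL OFFICIAL: return 0 only if every package hash listed
# in LOCAL appears with the same name and hash in OFFICIAL. Every difference is
# printed, since a single mismatching package is what a verifier must report.
match_sha256sums() {
    status=0
    while read -r hash name; do
        official=$(awk -v n="$name" '$2 == n { print $1 }' "$2")
        if [ -z "$official" ]; then
            echo "MISSING  $name: not in the official list"; status=1
        elif [ "$official" != "$hash" ]; then
            echo "MISMATCH $name: local $hash, official $official"; status=1
        fi
    done < "$1"
    return $status
}

# run_demo: constructed sample builds. Two builders produce identical packages,
# then one local package is altered to show what the matching step reports.
# Returns 0 when the clean comparison passes and the altered one is caught.
run_demo() {
    work=$(mktemp -d)
    for builder in official local; do
        mkdir -p "$work/$builder"
        printf 'linux bundle\n'   > "$work/$builder/tor-browser-linux64.tar.xz"
        printf 'windows bundle\n' > "$work/$builder/torbrowser-install.exe"
    done
    write_sha256sums "$work/official"
    write_sha256sums "$work/local"
    clean=0
    match_sha256sums "$work/local/sha256sums.txt" "$work/official/sha256sums.txt" || clean=$?
    # A compromised build machine (or a tampered download) changes one package.
    printf 'extra bytes\n' >> "$work/local/torbrowser-install.exe"
    write_sha256sums "$work/local"
    altered=0
    match_sha256sums "$work/local/sha256sums.txt" "$work/official/sha256sums.txt" || altered=$?
    rm -rf "$work"
    echo "clean comparison: $clean, altered comparison: $altered"
    [ "$clean" -eq 0 ] && [ "$altered" -eq 1 ]
}

run_demo
```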
</p><p>

When builds are published officially, the single sha256sums.txt file is
accompanied by a detached GPG signature from each official builder that
produced a matching build. The packages are additionally signed with detached
GPG signatures from an official signing key.

</p><p>

The fact that the entire set of packages for a given version can be
authenticated by a single hash of the sha256sums.txt file will also allow us
to create a number of auxiliary authentication mechanisms for our packages,
beyond just trusting a single offline build machine and a single cryptographic
key's integrity. Interesting examples include providing multiple independent
cryptographic signatures for packages, listing the package hashes in the Tor
consensus, and encoding the package hashes in the Bitcoin blockchain.

</p><p>

The Windows releases are also signed by a hardware token provided by Digicert.
In order to verify package integrity, the signature must be stripped off using
the osslsigncode tool, as described on the <a class="ulink" href="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification" target="_top">Signature
Verification</a> page.

</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp55353648"></a>5.3. Anonymous Verification</h3></div></div></div><p>

Because bit-identical packages can be produced by anyone, the
security of this build system extends beyond the security of the official
build machines. In fact, it is still possible for build integrity to be
achieved even if all official build machines are compromised.

</p><p>

By default, all tor-specific dependencies and inputs to the build process are
downloaded over Tor, which allows build verifiers to remain anonymous and
hidden. Because of this, any individual can use our anonymity network to
privately download our source code, verify it against public signed, audited,
and mirrored git repositories, and reproduce our builds exactly, without being
subject to targeted attacks. If they notice any differences, they can alert
the public builders/signers, hopefully using a pseudonym or our anonymous
bug tracker account, to avoid revealing the fact that they are a build
verifier.

</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="update-safety"></a>5.4. Update Safety</h3></div></div></div><p>

We make use of the Firefox updater in order to provide automatic updates to
users. We use certificate pinning to ensure that update checks cannot
be tampered with, and we sign the individual MAR update files with an offline
signing key.

</p><p>

The Firefox updater also has code to ensure that it can reliably access the
update server to prevent availability attacks, and complains to the user after 48
hours go by without a successful response from the server. Additionally, we
use Tor's SOCKS username and password isolation to ensure that every new
request to the updater (provided the previous one was issued more than 10 minutes ago)
traverses a separate circuit, to avoid holdback attacks by exit nodes.

</p></div></div><div class="appendix"><h2 class="title" style="clear: both"><a id="Transparency"></a>A. Towards Transparency in Navigation Tracking</h2><p>

The <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy properties</a> of Tor Browser are based
upon the assumption that link-click navigation indicates user consent to
tracking between the linking site and the destination site. While this
definition is sufficient to allow us to eliminate cross-site third party
tracking with only minimal site breakage, it is our long-term goal to further
reduce cross-origin click navigation tracking to mechanisms that are
detectable by attentive users, so they can alert the general public if
cross-origin click navigation tracking is happening where it should not be.

</p><p>

In an ideal world, the mechanisms of tracking that can be employed during a
link click would be limited to the contents of URL parameters and other
properties that are fully visible to the user before they click. However, the
entrenched nature of certain archaic web features makes it impossible for us to
achieve this transparency goal by ourselves without substantial site breakage.
So, instead we maintain a <a class="link" href="#deprecate" title="A.1. Deprecation Wishlist">Deprecation
Wishlist</a> of archaic web technologies that are currently being (ab)used
to facilitate federated login and other legitimate click-driven cross-domain
activity but that can one day be replaced with more privacy friendly,
auditable alternatives.

</p><p>

Because the total elimination of side channels during cross-origin navigation
will undoubtedly break federated login as well as destroy ad revenue, we
also describe auditable alternatives and promising web draft standards that would
preserve this functionality while still providing transparency when tracking is
occurring.

</p><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="deprecate"></a>A.1. Deprecation Wishlist</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>The Referer Header</strong></span><p>

We haven't disabled or restricted the Referer ourselves because of the
non-trivial number of sites that rely on the Referer header to "authenticate"
image requests and deep-link navigation on their sites. Furthermore, there
seems to be no real privacy benefit to taking this action by itself in a
vacuum, because many sites have begun encoding Referer URL information into
GET parameters when they need to carry it across HTTP to HTTPS scheme transitions.
Google's +1 buttons are the best example of this activity.

</p><p>

Because of the availability of these other explicit vectors, we believe the
main risk of the Referer header is through inadvertent and/or covert data
leakage. In fact, <a class="ulink" href="http://www2.research.att.com/~bala/papers/wosn09.pdf" target="_top">a great deal of
personal data</a> is inadvertently leaked to third parties through the
source URL parameters.

</p><p>

We believe the Referer header should be made explicit, and believe that CSP
2.0 provides a <a class="ulink" href="http://www.w3.org/TR/CSP11/#directive-referrer" target="_top">decent step in this
direction</a>. If a site wishes to transmit its URL to third party content
elements during load or during link-click, it should have to specify this as a
property of the associated HTML tag or CSP policy. With an explicit property
or policy, it would then be possible for the user agent to inform the user if
they are about to click on a link that will transmit Referer information
(perhaps through something as subtle as a different color in the lower toolbar
for the destination URL). This same UI notification can also be used for links
with the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Element/a#Attributes" target="_top">"ping"</a>
attribute.

</p></li><li class="listitem"><span class="command"><strong>window.name</strong></span><p>
<a class="ulink" href="https://developer.mozilla.org/En/DOM/Window.name" target="_top">window.name</a> is
a DOM property that for some reason is allowed to retain a persistent value
for the lifespan of a browser tab. It is possible to utilize this property for
<a class="ulink" href="http://www.thomasfrank.se/sessionvars.html" target="_top">identifier
storage</a> during click navigation. This is sometimes used for additional
XSRF protection and federated login.
</p><p>

It's our opinion that the contents of window.name should not be preserved for
cross-origin navigation, but discarding it may break federated login for some sites.

</p></li><li class="listitem"><span class="command"><strong>JavaScript link rewriting</strong></span><p>
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2058)
projects/torbrowser/design/index.html.en 2059) In general, it should not be possible for onclick handlers to alter the
projects/torbrowser/design/index.html.en 2060) navigation destination of 'a' tags, silently transform them into POST
projects/torbrowser/design/index.html.en 2061) requests, or otherwise create situations where a user believes they are
projects/torbrowser/design/index.html.en 2062) clicking on a link leading to one URL that ends up on another. This
projects/torbrowser/design/index.html.en 2063) functionality is deceptive and is frequently a vector for malware and phishing
projects/torbrowser/design/index.html.en 2064) attacks. Unfortunately, many legitimate sites also employ such transparent
projects/torbrowser/design/index.html.en 2065) link rewriting, and blanket disabling this functionality ourselves will simply
projects/torbrowser/design/index.html.en 2066) cause Tor Browser to fail to navigate properly on these sites.
projects/torbrowser/design/index.html.en 2067)
projects/torbrowser/design/index.html.en 2068) </p><p>
projects/torbrowser/design/index.html.en 2069)
projects/torbrowser/design/index.html.en 2070) Automated cross-origin redirects are one form of this behavior that is
|
TBB design doc: Fix charset...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2071) possible for us to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">address
|
Update design doc with FF17...
Mike Perry authored 11 years ago
|
projects/torbrowser/design/index.html.en 2072) ourselves</a>, as they are comparatively rare and can be handled with site
projects/torbrowser/design/index.html.en 2073) permissions.
projects/torbrowser/design/index.html.en 2074)
|
One more TBB design doc upd...
Mike Perry authored 9 years ago
|
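A click-time check for the rewriting described above, as an added example that is not Tor Browser code. The pure function compares the URL the user was shown (the href at hover time) with the URL the click will actually follow and classifies the difference; the DOM wiring, which only runs inside a browser, snapshots the href on mousedown and applies the position taken above: cross-origin changes are gated on a per-site permission, same-origin rewrites are left alone because too many sites depend on them. classifyLinkChange, shouldBlock and the allowedOrigins store are hypothetical names, and the sample URLs are constructed.

```javascript
// Added example (not Tor Browser code): detect href rewriting between the time
// a link is shown and the time it is activated. Function names are
// hypothetical; sample URLs in comments and tests are constructed.

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Classify what happened to a link between display and activation.
//   shownHref:     href when the user hovered / pressed the mouse button
//   activatedHref: href at click time (or the form action if the click was
//                  turned into a form submission)
//   method:        "GET" for a plain link, the form method otherwise
// Returns "unchanged", "same-origin-rewrite", "cross-origin-rewrite" or
// "method-change" (a plain link became a POST or similar).
function classifyLinkChange(shownHref, activatedHref, { method = "GET" } = {}) {
  if (method.toUpperCase() !== "GET") return "method-change";
  const shown = new URL(shownHref);     // new URL() normalizes both sides
  const actual = new URL(activatedHref);
  if (shown.href === actual.href) return "unchanged";
  return sameOrigin(shown.href, actual.href) ? "same-origin-rewrite" : "cross-origin-rewrite";
}

// Policy from the design doc: cross-origin changes are rare enough to gate on a
// site permission; same-origin rewrites are too common to block outright.
function shouldBlock(classification, pageOriginAllowed) {
  if (classification === "cross-origin-rewrite" || classification === "method-change") {
    return !pageOriginAllowed;
  }
  return false;
}

// Browser-only wiring; guarded so the module also loads under Node.
if (typeof document !== "undefined") {
  const allowedOrigins = new Set(); // stand-in for a per-site permission store

  // Capture phase on document runs before the anchor's own mousedown handler,
  // so the snapshot sees the href as it was displayed.
  document.addEventListener("mousedown", (e) => {
    const a = e.target.closest("a[href]");
    if (a) a.dataset.shownHref = a.href; // a.href is already absolute
  }, true);

  document.addEventListener("click", (e) => {
    const a = e.target.closest("a[href]");
    if (!a || !a.dataset.shownHref) return;
    const verdict = classifyLinkChange(a.dataset.shownHref, a.href);
    if (shouldBlock(verdict, allowedOrigins.has(location.origin))) {
      e.preventDefault();
      e.stopImmediatePropagation();
      console.warn(`blocked ${verdict}: ${a.dataset.shownHref} -> ${a.href}`);
    }
  }, true);
}
```

Two limits are worth knowing before relying on a page-level check like this. A site that rewrites on mouseover rather than mousedown has already changed the href before the snapshot is taken, so the snapshot should be moved to the earliest event the site could hook. And a handler that calls preventDefault() and then navigates with location.assign() never touches the href at all; catching that requires the navigation hook the browser itself has, which is why the design doc treats it as something to address in the browser, with site permissions, rather than in page script.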
</p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp55389664"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>

Web-Send is a browser-based link sharing and federated login widget that is
designed to operate without relying on third-party tracking or abusing other
cross-origin link-click side channels. It has a compelling list of <a class="ulink" href="http://web-send.org/features.html" target="_top">privacy and security features</a>,
especially if used as a "Like button" replacement.

</p></li><li class="listitem"><a class="ulink" href="https://developer.mozilla.org/en-US/docs/Persona" target="_top">Mozilla Persona</a><p>

Mozilla's Persona is designed to provide decentralized, cryptographically
authenticated federated login in a way that does not expose the user to
third-party tracking or require browser redirects or side channels. While it
does not directly provide the link sharing capabilities that Web-Send does, it
is a better solution to the privacy issues associated with federated login than
Web-Send is.
