Browse code

Merge branch 'master' of git-rw.torproject.org:project/web/webwml into 25017

hiromipaw authored on 30/01/2018 13:43:06
Showing 6 changed files
... ...
@@ -15,7 +15,7 @@
15 15
 # website component, and set it to needs_review.
16 16
 
17 17
 export STABLETAG=tor-0.3.2.9
18
-#export DEVTAG=tor-0.3.2.8-rc
18
+export DEVTAG=tor-0.3.3.1-alpha
19 19
 
20 20
 WMLBASE=.
21 21
 SUBDIRS=docs eff projects press about download getinvolved donate docs/torbutton
22 22
deleted file mode 100644
... ...
@@ -1,47 +0,0 @@
1
-## translation metadata
2
-# Revision: $Revision$
3
-# Translation-Priority: 3-low
4
-
5
-#include "head.wmi" TITLE="Tor Project: CentOS/Fedora Instructions" CHARSET="UTF-8"
6
-<div id="content" class="clearfix">
7
-  <div id="breadcrumbs">
8
-    <a href="<page index>">Home &raquo; </a>
9
-    <a href="<page docs/documentation>">Documentation &raquo; </a>
10
-    <a href="<page docs/rpms>">RPMs</a>
11
-  </div>
12
-  <div id="maincol"> 
13
-    <a id="rpms"></a>
14
-    <h2><a class="anchor" href="#rpms">Tor packages for RPM-based
15
-    linux distributions.</a></h2>
16
-    <br>
17
-    
18
-    <h3>Fedora, RHEL, CentOS, Scientific Linux packages</h3>
19
-
20
-    <p>Use native Fedora packages for the Fedora distribution or <a href="https://fedoraproject.org/wiki/EPEL">EPEL</a>
21
-    packages for distribitons derived from RHEL.
22
-    </p>
23
-
24
-    
25
-    <a id="source"></a>
26
-    <h2><a class="anchor" href="#source">Building from source</a></h2>
27
-    <br>
28
-    
29
-    <p>
30
-    If you'd like to build from source, please follow the <a
31
-    href="<gitblob>doc/contrib/tor-rpm-creation.txt">RPM creation instructions</a>.
32
-    </p>
33
-    
34
-    <hr>
35
-    
36
-    <p>If you have suggestions for improving this document, please <a
37
-    href="<page about/contact>">send them to us</a>. Thanks!</p>
38
-  </div>
39
-  <!-- END MAINCOL -->
40
-  <div id = "sidecol">
41
-#include "side.wmi"
42
-#include "info.wmi"
43
-  </div>
44
-  <!-- END SIDECOL -->
45
-</div>
46
-<!-- END CONTENT -->
47
-#include <foot.wmi>  
48 0
\ No newline at end of file
... ...
@@ -39,9 +39,6 @@
39 39
           {'url'  => 'docs/debian',
40 40
            'txt'  => 'Installing Tor on Debian/Ubuntu',
41 41
           },
42
-          {'url'  => 'docs/rpms',
43
-           'txt'  => 'Installing Tor on Fedora/CentOS',
44
-          },
45 42
           {'url'  => 'docs/tor-doc-unix',
46 43
            'txt'  => 'Installing Tor Source',
47 44
           },
... ...
@@ -1,5 +1,5 @@
1 1
 <define-tag version-stable whitespace=delete>0.3.2.9</define-tag>
2
-<!-- <define-tag version-alpha whitespace=delete>0.3.2.8-rc</define-tag> -->
2
+<define-tag version-alpha whitespace=delete>0.3.3.1-alpha</define-tag>
3 3
 
4 4
 <define-tag version-torbrowserdevelopbranch whitespace=delete>maint-7.5</define-tag>
5 5
 
... ...
@@ -1,20 +1,8 @@
1 1
 [
2
-"7.0.11",
3
-"7.0.11-MacOS",
4
-"7.0.11-Linux",
5
-"7.0.11-Windows",
6 2
 "7.5",
7 3
 "7.5-MacOS",
8 4
 "7.5-Linux",
9 5
 "7.5-Windows",
10
-"7.5a9",
11
-"7.5a9-MacOS",
12
-"7.5a9-Linux",
13
-"7.5a9-Windows",
14
-"7.5a10",
15
-"7.5a10-MacOS",
16
-"7.5a10-Linux",
17
-"7.5a10-Windows",
18 6
 "8.0a1",
19 7
 "8.0a1-MacOS",
20 8
 "8.0a1-Linux",
... ...
@@ -1,5 +1,5 @@
1 1
 <?xml version="1.0" encoding="UTF-8"?>
2
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Georg</span> <span class="surname">Koppen</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gk#torproject org">gk#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">January 24th, 2018</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idm29">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idm1107">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idm1139">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idm1146">5.3. Anonymous Verification</a></span></dt><dt><span class="sect2"><a href="#update-safety">5.4. Update Safety</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idm1189">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm29"></a>1. Introduction</h2></div></div></div><p>
2
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Georg</span> <span class="surname">Koppen</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gk#torproject org">gk#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">January 25th, 2018</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idm29">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idm1144">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idm1176">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idm1183">5.3. Anonymous Verification</a></span></dt><dt><span class="sect2"><a href="#update-safety">5.4. Update Safety</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idm1226">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm29"></a>1. Introduction</h2></div></div></div><p>
3 3
 
4 4
 This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
5 5
 <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a>  of the Tor Browser. It is current as of Tor Browser
... ...
@@ -1746,6 +1746,21 @@ to the surface. That is achieved by a direct
1746 1746
 Firefox patch</a> which reports back <span class="command"><strong>1</strong></span> for the first two
1747 1747
 properties and <span class="command"><strong>0.0</strong></span> for the two last ones.
1748 1748
 
1749
+      </p></li><li class="listitem"><span class="command"><strong>Battery Status API</strong></span><p>
1750
+
1751
+The Battery Status API provides access to information about the system's battery
1752
+charge level. From Firefox 52 on it is disabled for web content. Initially, it
1753
+was possible on Linux to get a double-precision floating point value for the
1754
+charge level, which means there was a large number of possible values making it
1755
+almost behave like an identifier allowing to track a user cross-origin. But
1756
+still after that got fixed (and on other platforms where the precision was just
1757
+two significant digits anyway) the risk for tracking users remained as combined
1758
+with the <span class="command"><strong>chargingTime</strong></span> and <span class="command"><strong>dischargingTime</strong></span>
1759
+the possible values <a class="ulink" href="https://senglehardt.com/papers/iwpe17_battery_status_case_study.pdf" target="_top">
1760
+got estimated to be in the millons</a> under normal conditions. We avoid all
1761
+those possible issues with disabling the Battery Status API by setting
1762
+<span class="command"><strong>dom.battery.enabled</strong></span> to <span class="command"><strong>false</strong></span>.
1763
+
1749 1764
       </p></li><li class="listitem"><span class="command"><strong>System Uptime</strong></span><p>
1750 1765
 
1751 1766
 It is possible to get the system uptime of a Tor Browser user by querying the
... ...
@@ -1853,10 +1868,15 @@ against timing-based side channel fingerprinting risks.
1853 1868
 Due to <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=863246" target="_top">bugs
1854 1869
 </a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1120398" target="_top">
1855 1870
 in Firefox</a> it is possible to detect the locale and the platform of a
1856
-Tor Browser user. Moreover, it is possible to find out the extensions a user has
1857
-installed. This is done by including resource:// and/or chrome:// URIs into
1858
-web content which point to resources included in Tor Browser itself or in
1859
-installed extensions.
1871
+Tor Browser user. Moreover, it is possible to
1872
+<a class="ulink" href="https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-sanchez-rola.pdf" target="_top">
1873
+find out the extensions</a> a user has installed. This is done by
1874
+including resource:// and/or chrome:// URIs into web content, which point to
1875
+resources included in Tor Browser itself or in installed extensions, and
1876
+exploiting the different behavior resulting out of that: the browser raises
1877
+an exception if a webpage requests a resource but the extension is not
1878
+installed. This does not happen if the extension is indeed installed but the
1879
+resource path does not exist.
1860 1880
       </p><p>
1861 1881
 
1862 1882
 We believe that it should be impossible for web content to extract information
... ...
@@ -1986,6 +2006,27 @@ uniform but rather <a class="ulink" href="https://bugs.torproject.org/22127" tar
1986 2006
 a bucket approach</a> as we currently do in our defense against screen
1987 2007
 size exfiltration.
1988 2008
 
2009
+      </p></li><li class="listitem"><span class="command"><strong>Web Audio API</strong></span><p>
2010
+
2011
+The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Audio_API" target="_top">
2012
+Web Audio API</a> provides several means to aid in fingerprinting users.
2013
+At the simplest level it allows differentiating between users having the API
2014
+available and those who don't by checking for an <span class="command"><strong>AudioContext</strong></span>
2015
+or <span class="command"><strong>OscillatorNode</strong></span> object. However, there are more bits of
2016
+information that the Web Audio API reveals if audio signals generated with an
2017
+<span class="command"><strong>OscillatorNode</strong></span> are processed as
2018
+<a class="ulink" href="https://senglehardt.com/papers/ccs16_online_tracking.pdf" target="_top">hardware
2019
+and software differences</a> influence those results.
2020
+
2021
+      </p><p>
2022
+
2023
+We disable the Web Audio API by setting <span class="command"><strong>dom.webaudio.enabled</strong></span>
2024
+to <span class="command"><strong>false</strong></span>. That has the positive side effect that it disables
2025
+one of several means to perform
2026
+<a class="ulink" href="https://petsymposium.org/2017/papers/issue2/paper18-2017-2-source.pdf" target="_top">
2027
+ultrasound cross-device tracking</a> as well, which is based on having
2028
+<span class="command"><strong>AudioContext</strong></span> available.
2029
+
1989 2030
       </p></li><li class="listitem"><span class="command"><strong>MediaError.message</strong></span><p>
1990 2031
 
1991 2032
 The <span class="command"><strong>MediaError</strong></span> object allows the user agent to report errors
... ...
@@ -2039,14 +2080,41 @@ datareporting.healthreport.about.reportUrlUnified</strong></span> to <span class
2039 2080
 data:text/plain,</strong></span>. The same is done with <span class="command"><strong>
2040 2081
 datareporting.healthreport.about.reportUrl</strong></span> and the new tiles feature
2041 2082
 related <span class="command"><strong>browser.newtabpage.directory.ping</strong></span> and <span class="command"><strong>
2042
-browser.newtabpage.directory.source</strong></span> preferences. Additionally, we
2043
-disable the UITour backend by setting <span class="command"><strong>browser.uitour.enabled</strong></span>
2044
-to <span class="command"><strong>false</strong></span>. Finally, we provide <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=9f24ce35cd8776a0f7c3a4d54992ecb0eaad6311" target="_top">a patch</a>
2083
+browser.newtabpage.directory.source</strong></span> preferences.
2084
+<span class="command"><strong>browser.newtabpage.remote</strong></span> is set to <span class="command"><strong>false</strong></span>
2085
+in this context as well, as a defense-in-depth given that this feature is
2086
+already of by default. Additionally, we disable the UITour backend by setting
2087
+<span class="command"><strong>browser.uitour.enabled</strong></span> to <span class="command"><strong>false</strong></span> and avoid
2088
+getting Mozilla experiments installed into Tor Browser by flipping
2089
+<span class="command"><strong>experiments.enabled</strong></span> to <span class="command"><strong>false</strong></span>. On the
2090
+update side we prevent the browser from pinging the new
2091
+<a class="ulink" href="https://wiki.mozilla.org/Firefox/Kinto" target="_top">Kinto</a> service for
2092
+blocklist updates as it is not used for it yet anyway. This is done by setting
2093
+<span class="command"><strong>services.blocklist.update_enabled</strong></span> to <span class="command"><strong>false</strong></span>.
2094
+The captive portal detection code is disabled as well as it phones home to
2095
+Mozilla. We set <span class="command"><strong>network.captive-portal-service.enabled</strong></span> to
2096
+<span class="command"><strong>false</strong></span> to achieve that. Unrelated to that we make sure that
2097
+Mozilla does not get bothered with TLS error reports from Tor Browser users by
2098
+hiding the respective checkbox with
2099
+<span class="command"><strong>security.ssl.errorReporting.enabled</strong></span> set to
2100
+<span class="command"><strong>false</strong></span>. And while we have the Push API disabled as there are
2101
+no Service Workers available in Tor Browser yet, we remove the value for
2102
+<span class="command"><strong>dom.push.serverURL</strong></span> as a defense-in-depth. Finally, we provide
2103
+<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=9f24ce35cd8776a0f7c3a4d54992ecb0eaad6311" target="_top">a patch</a>
2045 2104
 to prevent Mozilla's websites from querying whether particular extensions are
2046 2105
 installed and what their state in Tor Browser is by using the
2047 2106
 <span class="command"><strong>window.navigator.AddonManager</strong></span> API. As a defense-in-depth the
2048 2107
 patch makes sure that not only Mozilla's websites can't get at that information
2049 2108
 but that the whitelist governing this access is empty in general.
2109
+
2110
+      </p><p>
2111
+
2112
+We have <a class="ulink" href="https://wiki.mozilla.org/Security/Safe_Browsing" target="_top">Safebrowsing</a>
2113
+disabled in Tor Browser. In order to avoid pinging providers for list updates we
2114
+remove the entries for <span class="command"><strong>browser.safebrowsing.provider.mozilla.updateURL</strong></span>
2115
+and <span class="command"><strong>browser.safebrowsing.provider.mozilla.gethashURL</strong></span> (and the
2116
+values for Google related preferences as well).
2117
+
2050 2118
       </p></li><li class="listitem"><span class="command"><strong>Operating System Type Fingerprinting</strong></span><p>
2051 2119
 
2052 2120
 As we mentioned in the introduction of this section, OS type fingerprinting is
... ...
@@ -2070,13 +2138,11 @@ tag on our bug tracker</a>.
2070 2138
 
2071 2139
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
2072 2140
 
2073
-At least three HTML5 features have different implementation status across the
2074
-major OS vendors and/or the underlying hardware: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery
2075
-API</a>, the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
2141
+At least two HTML5 features have a different implementation status across the
2142
+major OS vendors and/or the underlying hardware: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
2076 2143
 Connection API</a>, and the <a class="ulink" href="https://wiki.mozilla.org/Sensor_API" target="_top">Sensor API</a>. We disable these APIs through the Firefox preferences
2077
-<span class="command"><strong>dom.battery.enabled</strong></span>,
2078
-<span class="command"><strong>dom.network.enabled</strong></span>, and
2079
-<span class="command"><strong>device.sensors.enabled</strong></span>.
2144
+<span class="command"><strong>dom.network.enabled</strong></span> and
2145
+<span class="command"><strong>device.sensors.enabled</strong></span>, setting both to <span class="command"><strong>false</strong></span>.
2080 2146
 
2081 2147
      </p></li></ol></div><p>
2082 2148
 For more details on fingerprinting bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed" target="_top">tbb-fingerprinting tag in our bug tracker</a>
... ...
@@ -2086,11 +2152,11 @@ In order to avoid long-term linkability, we provide a "New Identity" context
2086 2152
 menu option in Torbutton. This context menu option is active if Torbutton can
2087 2153
 read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.
2088 2154
 
2089
-   </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1011"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
2155
+   </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1048"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
2090 2156
 
2091 2157
 All linkable identifiers and browser state MUST be cleared by this feature.
2092 2158
 
2093
-    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1014"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
2159
+    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1051"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
2094 2160
 
2095 2161
 First, Torbutton disables JavaScript in all open tabs and windows by using
2096 2162
 both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavaScript</a>
... ...
@@ -2195,7 +2261,7 @@ images (<span class="command"><strong>svg.in-content.enabled</strong></span>).
2195 2261
 Fingerprinting</a> is a statistical attack to attempt to recognize specific
2196 2262
 encrypted website activity.
2197 2263
 
2198
-     </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1072"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
2264
+     </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1109"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
2199 2265
 
2200 2266
 We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available
2201 2267
 for classification. This mechanism would either impact the true and false
... ...
@@ -2217,7 +2283,7 @@ Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href
2217 2283
 defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor
2218 2284
 network, making them also effectively no-overhead.
2219 2285
 
2220
-     </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1084"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
2286
+     </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idm1121"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
2221 2287
 Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&amp;id=b9fa77472aa67e26bd46a5ca889b20ce3448f9d1" target="_top">randomize
2222 2288
 pipeline order and depth</a>. Unfortunately, pipelining is very fragile.
2223 2289
 Many sites do not support it, and even sites that advertise support for
... ...
@@ -2282,7 +2348,7 @@ contend with. For this reason, we have deployed a build system
2282 2348
 that allows anyone to use our source code to reproduce byte-for-byte identical
2283 2349
 binary packages to the ones that we distribute.
2284 2350
 
2285
-  </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1107"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
2351
+  </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1144"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
2286 2352
 
2287 2353
 The GNU toolchain has been working on providing reproducible builds for some
2288 2354
 time, however a large software project such as Firefox typically ends up
... ...
@@ -2390,7 +2456,7 @@ particular: libgmp) attempt to detect the current CPU to determine which
2390 2456
 optimizations to compile in. This CPU type is uniform on our KVM instances,
2391 2457
 but differs under LXC.
2392 2458
 
2393
-   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1139"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
2459
+   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1176"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
2394 2460
 
2395 2461
 The build process generates a single sha256sums-unsigned-build.txt file that
2396 2462
 contains a sorted list of the SHA-256 hashes of every package produced for that
... ...
@@ -2423,7 +2489,7 @@ In order to verify package integrity, the signature must be stripped off using
2423 2489
 the osslsigncode tool, as described on the <a class="ulink" href="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification" target="_top">Signature
2424 2490
 Verification</a> page.
2425 2491
 
2426
-    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1146"></a>5.3. Anonymous Verification</h3></div></div></div><p>
2492
+    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idm1183"></a>5.3. Anonymous Verification</h3></div></div></div><p>
2427 2493
 
2428 2494
 Due to the fact that bit-identical packages can be produced by anyone, the
2429 2495
 security of this build system extends beyond the security of the official
... ...
@@ -2517,7 +2583,7 @@ through the source URL parameters.
2517 2583
   </p><p>
2518 2584
 
2519 2585
 We believe the Referer header should be made explicit, and believe that Referrer
2520
-Policy provides a <a class="ulink" href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header" target="_top">
2586
+Policy, which is available since Firefox 52, provides a <a class="ulink" href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header" target="_top">
2521 2587
 decent step in this direction</a>. If a site wishes to transmit its URL to
2522 2588
 third party content elements during load or during link-click, it should have
2523 2589
 to specify this as a property of the associated <a class="ulink" href="https://blog.mozilla.org/security/2015/01/21/meta-referrer/" target="_top">
... ...
@@ -2559,7 +2625,7 @@ possible for us to <a class="ulink" href="https://trac.torproject.org/projects/t
2559 2625
 ourselves</a>, as they are comparatively rare and can be handled with site
2560 2626
 permissions.
2561 2627
 
2562
-   </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm1189"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://web.archive.org/web/20130213034335/http://web-send.org:80/" target="_top">Web-Send Introducer</a><p>
2628
+   </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idm1226"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://web.archive.org/web/20130213034335/http://web-send.org:80/" target="_top">Web-Send Introducer</a><p>
2563 2629
 
2564 2630
 Web-Send is a browser-based link sharing and federated login widget that is
2565 2631
 designed to operate without relying on third-party tracking or abusing other