add torbutton design dir from git.
Andrew Lewman

Andrew Lewman commited on 2009-12-31 03:42:43
Zeige 7 geänderte Dateien mit 4390 Einfügungen und 0 Löschungen.

... ...
@@ -0,0 +1,120 @@
1
+- Investigation of Privacy Mode:
2
+  - Good:
3
+    - Cookies Cleared+memory only
4
+    - Cache cleared and memory-only
5
+    - History not available via javascript or CSS
6
+    - Safe because currently unsupported:
7
+      - Geolocation not supported in browser
8
+      - DOM Storage not supported
9
+      - HTML5 Storage not supported
10
+    - Http auth is cleared
11
+    - Do they have a session store?
12
+      - Yes. It is disabled.
13
+    - Form history disabled
14
+      - But non-private entries still available
15
+    - Malware and phishing protection
16
+      - Per-url check?
17
+        - Doesn't seem like it..
18
+  - Bad:
19
+    - RLZ Identifier sent with all queries even in Incognito mode
20
+      - http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=107684
21
+    - Flash cookies not cleared
22
+    - Google gears are still available
23
+      - Do they have their own storage?
24
+        - Yes. Completely ignores private mode.
25
+    - Safebrowsing API key not cleared?
26
+      - but updates may not happen "under" the incognito window
27
+    - Desktop resolution available
28
+    - Browser resolution is available
29
+    - SSL session keys
30
+      - Not cleared!
31
+      - They clear trusted certs tho
32
+    - Timezone not spoofed
33
+
34
+- Misc Features we definitely need:
35
+  - Incognito-specific proxy settings
36
+    - Browser proxy settings currently do not apply immediately
37
+  - Plugin enable/disable controls
38
+  - Spoof user agent
39
+  - Referer alteration API
40
+  - Autolaunching of remote apps needs to be disabled
41
+  - API to opt-out of all the opt-in tracking for incognito mode
42
+  - Cookie API would be nice
43
+  - Need network.security.ports.banned
44
+    - http://www.remote.org/jochen/sec/hfpa/hfpa.pdf
45
+  - Resize windows (content-window side possibly ok)
46
+
47
+- Future investigation
48
+  - Non-private form history still available
49
+    - Forms seem to not be auto-filled, but this may be different
50
+      for some fields?
51
+  - How evil is google update? will it happen over incognito?
52
+    - http://en.wikipedia.org/wiki/Google_Updater#Google_Updater
53
+    - http://en.wikipedia.org/wiki/SRWare_Iron#Differences_from_Chrome
54
+    - http://foliovision.com/2008/12/09/adwords-ppc-organic-rlz/
55
+  - Test in more detail with sysinternals for disk writes
56
+  - What about safebrowsing requests? Can they bypass proxy?
57
+  - Video tag supports H264 and ogg via ffmpeg
58
+    - Hrmm.. proxy bypass ability?
59
+
60
+- Test results. Used Incognito Mode with the test suites from:
61
+  https://www.torproject.org/torbutton/design/#SingleStateTesting
62
+  - Decloak.net:
63
+    - Recovers IP and DNS via Java
64
+    - Recovers IP via flash
65
+  - Deanonymizer.com
66
+    - Failed NNTP and FTP quicktime
67
+  - JohnDo's hated some headers
68
+  - Mr. T got a lot of shit wrong...
69
+  - http://labs.isecpartners.com/breadcrumbs/breadcrumbs.html
70
+
71
+- Comparison with Torora
72
+  - http://github.com/mwenge/torora/tree/master/doc/DESIGN.torora
73
+  - Good ideas for both chrome and torbutton:
74
+    - Cache/Cookie expiry every 24hrs
75
+    - Random preturbation on Date() object..
76
+      - No longer possible without js hooks :/
77
+      - Possible if Chrome allows non-delatable shadowing of window.Date()
78
+        from user scripts. ECMA says it should
79
+
80
+==========================================
81
+
82
+- Incognito Issues:
83
+  - SSL session keys
84
+    - Not cleared!
85
+  - Flash cookies not cleared
86
+    - Better Privacy? Permissions?
87
+  - Google gears are still available
88
+    - Do they have their own storage?
89
+      - Yes. Completely ignores private mode.
90
+  - RLZ override/disable for incognito
91
+  - Opt out of opt-in tracking?
92
+  - Source code:
93
+    http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/profile.cc
94
+
95
+- Privacy Enhancing API Wishlist (remove existing items):
96
+  - http://code.google.com/chrome/extensions/devguide.html
97
+  - Prefs (copy-on-write for incognito mode)
98
+    - Incognito-specific proxy settings
99
+      - Should not be used for safebrowsing or app/addon update
100
+    - pref to disable autolaunch of apps/warn user
101
+    - network.security.ports.banned
102
+    - User agent (that also govern navigator.*)
103
+      - could be done (better) via http headers and good hook support
104
+  - Core APIs:
105
+    - Per-Plugin enable/disable controls
106
+    - Cookie API
107
+    - Cache control
108
+    - HTTP header alteration ("on-modify-request")
109
+      - Referrer, accept, user agent
110
+  - Javascript hooks:
111
+    - http://code.google.com/chrome/extensions/content_scripts.html
112
+      - Bleh, these suck... Too limited.
113
+    - ECMA compliance
114
+    - desktop+screen resolution
115
+    - Date hooking
116
+    - navigator.* hooking
117
+
118
+- Posted at:
119
+  - http://groups.google.com/group/chromium-extensions/t/ceba26ca9e2f6a78
120
+
... ...
@@ -0,0 +1,195 @@
1
+First pass: Quick Review of Firefox Features
2
+- Video Tag
3
+  - Docs:
4
+    - https://developer.mozilla.org/En/HTML/Element/Audio
5
+    - https://developer.mozilla.org/En/HTML/Element/Video
6
+    - https://developer.mozilla.org/En/HTML/Element/Source
7
+    - https://developer.mozilla.org/En/Manipulating_video_using_canvas
8
+    - https://developer.mozilla.org/En/nsIDOMHTMLMediaElement
9
+    - https://developer.mozilla.org/En/Media_formats_supported_by_the_audio_and_video_elements
10
+    - http://en.flossmanuals.net/TheoraCookbook
11
+  - nsIContentPolicy is checked on load
12
+  - Uses NSIChannels for initial load
13
+  - Wrapped in nsHTMLMediaElement::mDecoder
14
+    - is nsOggDecoder() or nsWaveDecoder()
15
+    - liboggplay
16
+  - Governed by media.* prefs
17
+  - Preliminary audit shows they do not use the liboggplay tcp functions
18
+- Geolocation
19
+  - Wifi:
20
+    - https://developer.mozilla.org/En/Monitoring_WiFi_access_points
21
+    - Requires security policy to allow. Then still prompted
22
+  - navigator.geolocation
23
+    - Governed by geo.enabled
24
+    - "2 week access token" is set
25
+      - geo.wifi.access_token.. Clearing is prob a good idea
26
+    - http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/geolocation/NetworkGeolocationProvider.js
27
+    - https://developer.mozilla.org/En/Using_geolocation
28
+- DNS prefetching after toggle
29
+  - prefetch pref? Always disable for now?
30
+    - network.dns.disablePrefetch
31
+    - Also disabled in netwerk/dns/src/nsDNSService2.cpp when manual proxies
32
+      are set..
33
+    - This should prevent prefetching of non-tor urls in tor mode..
34
+    - But the reverse is unclear.
35
+    - DocShell attribute!!1 YAY
36
+      - http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell
37
+      - "Takes effect for the NEXT document loaded...."
38
+        - Do we win this race? hrmm.. If we do, the tor->nontor direction
39
+          should also be safe.
40
+  - Content policy called?
41
+    - No. See content/html/content/src/nsHTMLDNSPrefetch.cpp
42
+- Storage
43
+  - https://developer.mozilla.org/en/Storage
44
+  - "It is available to trusted callers, meaning extensions and Firefox
45
+    components only."
46
+- New content policy
47
+  - Content Security Policy. Addon-only
48
+- "Offline resources"
49
+  - https://developer.mozilla.org/en/Offline_resources_in_Firefox
50
+  - https://developer.mozilla.org/en/nsIApplicationCache
51
+  - browser.cache.offline.enable toggles
52
+  - browser.cache.disk.enable does not apply. Seperate "device".
53
+  - Does our normal cache clearing mechanism apply?
54
+    - We call nsICacheService.evictEntries()
55
+    - May need: nsOfflineCacheDevice::EvictEntries(NULL)
56
+  - Code is smart enough to behave cleanly if we simply set
57
+    browser.cache.offline.enable or enable private browsing.
58
+- Mouse gesture and other new DOM events
59
+- Fonts
60
+  - Remote fonts obey content policy. Good.
61
+  - XXX: Are they cached independent of regular cache? Prob not.
62
+  - Hrmm can probe for installed fonts:
63
+    http://remysharp.com/2008/07/08/how-to-detect-if-a-font-is-installed-only-using-javascript/
64
+    http://www.lalit.org/lab/javascript-css-font-detect
65
+    http://www.ajaxupdates.com/cssjavascript-font-detector/
66
+    http://code.google.com/p/jquery-fontavailable/
67
+- Drag and drop
68
+  - https://developer.mozilla.org/En/DragDrop/Drag_and_Drop
69
+  - https://developer.mozilla.org/En/DragDrop/Drag_Operations
70
+  - https://developer.mozilla.org/En/DragDrop/Dragging_and_Dropping_Multiple_Items
71
+  - https://developer.mozilla.org/En/DragDrop/Recommended_Drag_Types
72
+  - https://developer.mozilla.org/En/DragDrop/DataTransfer
73
+  - Should be no different than normal url handling..
74
+- Local Storage
75
+  - https://developer.mozilla.org/en/DOM/Storage#localStorage
76
+  - Disabled by dom storage pref..
77
+  - Private browsing mode has its own DB
78
+    - Memory only?
79
+  - Disk Avoidance of gStorage and local storage:
80
+    - mSessionOnly set via nsDOMStorage::CanUseStorage()
81
+      - Seems to be set to true if cookies are session-only or private
82
+        browsing mode
83
+        - Our cookies are NOT session-only with dual cookie jars
84
+          - but this is ok if we clear the session storage..
85
+            - XXX: Technically clearing session storage may break
86
+              sites if cookies remain though
87
+      - nsDOMStoragePersistentDB not used if mSessionOnly
88
+  - Can clear with nsDOMStorage::ClearAll() or nsIDOMStorage2::clear()?
89
+    - These only work for a particular storage. There's both global now
90
+      and per-origin storage instances
91
+    - Each docshell has tons of storages for each origin contained in it
92
+    - Toggling dom.storage.enabled does not clear existing storage
93
+    - Oh HOT! cookie-changed to clear cookies clears all storages!
94
+      - happens for both ff3.0 and 3.5 in dom/src/storage/nsDOMStorage.cpp
95
+  - Conclusion:
96
+    - can safely enable dom storage
97
+      - May have minor buggy usability issues unless we preserve it
98
+        when user is preserving cookies..
99
+
100
+Second Pass: Verification of all Torbutton Assumptions
101
+- "Better privacy controls"
102
+  - Basically UI stuff for prefs we set already
103
+  - address bar search disable option is interesting, but not
104
+    torbutton's job to toggle. Users will hate us.
105
+- Private browsing
106
+  - https://developer.mozilla.org/En/Supporting_private_browsing_mode
107
+    - We should consider an option (off by default) to enable PBM during
108
+      toggle
109
+      - It is a good idea because it will let our users use DOM storage
110
+        safely and also may cause their plugins and other addons to be
111
+        safe
112
+      - Doing it always will cause the user to lose fine-grained control
113
+        of many settings
114
+        - Also we'll need to prevent them from leaving without toggling tor
115
+        - Stuff the emit does (grep for NS_PRIVATE_BROWSING_SWITCH_TOPIC and
116
+          "private-browsing")
117
+          - XXX:  clear mozilla.org/security/sdr;1. We should too! Wtf is it??
118
+            - Neg. Best to let them handle this. Users will be annoyed
119
+              at having to re-enter their passwords..
120
+          - They also clear the console service..
121
+          - Recommend watching private-browsing-cancel-vote and blocking if
122
+            we are performing a db operation
123
+            - Maybe we want to block transitions during our toggle for safety
124
+          - XXX: They also clear general.open_location.last_url
125
+          - XXX: mozilla.org/permissionmanager
126
+          - XXX: mozilla.org/content-pref/service
127
+          - XXX: Sets browser.zoom.siteSpecific to false
128
+          - Interesting.. They clear their titles.. I wonder if some
129
+            window managers log titles.. But that level of surveillance is
130
+            unbeatable..
131
+            - XXX: Unless there is some way for flash or script to read titles?
132
+          - They empty the clipboard..
133
+            - Can js access the clipboard?? ...
134
+            - Yes, but needs special pref+confirmation box
135
+              - http://www.dynamic-tools.net/toolbox/copyToClipboard/
136
+          - They clear cache..
137
+          - Cookies:
138
+            - Use in-memory table that is different than their default
139
+              - This could fuck up our cookie storage options
140
+              - We could maybe prevent them from getting this
141
+                event by wrapping nsCookieService::Observe(). Lullz..
142
+          - NavHistory:
143
+            - XXX: nsNavHistory::AutoCompleteFeedback() doesn't track
144
+              awesomebar choices for feedback.. Is this done on disk?
145
+            - Don't add history entries
146
+            - We should block this observe event too if we can..
147
+          - The session store stops storing tabs
148
+            - We could block this observe
149
+          - XXX: They expunge private temporary files on exit from PMB
150
+            - This is not done normally until browser exit or
151
+              "on-profile-change"
152
+            - emits browser:purge-domain-data.. Mostly just for session
153
+              editing it appears
154
+            - Direct component query for pbs.privateBrowsingEnabled
155
+              - This is where we have no ability to provide certain option
156
+                control
157
+              - browser.js seems to prevent user from allowing blocked
158
+                popups?
159
+              - Some items in some places context menu get blocked:
160
+                - Can't delete items from history? placesContext_deleteHost
161
+              - nsCookiePermission::InPrivateBrowsing() calls direct
162
+                - but is irellevant
163
+              - Form history cannot be saved while in PBM.. :(
164
+              - User won't be prompted for adding login passwords..
165
+              - Can't remember prefs on content types
166
+              - Many components read this value upon init:
167
+                - This fucks up our observer game if tor starts enabled
168
+                - NavHistory and cookie and dl manager
169
+                - We could just wrap the bool on startup and lie
170
+                  and emit later... :/
171
+                  - Or! emit an exit and an enter always at startup if tor is
172
+                    enabled.
173
+  - Read iSec report
174
+  - Compare to Chrome
175
+    - API use cases
176
+- SessionStore
177
+  - Has been reworked with observers and write methods. Should use those.
178
+- security.enable_ssl2 to clear session id
179
+  - Still cleared
180
+- browser.sessionstore.max_tabs_undo
181
+  - Yep.
182
+- SafeBrowsing Update Key removed on cookie clear still?
183
+  - Yep.
184
+- Livemark updates have kill events now
185
+- Test if nsICertStore is still buggy...
186
+
187
+Third Pass: Exploit Auditing
188
+- Remote fonts
189
+- SVG with HTML
190
+- Javascript threads+locking
191
+- Ogg theora and vorbis codecs
192
+- SQLite
193
+
194
+
195
+- https://developer.mozilla.org/en/Firefox_3_for_developers
... ...
@@ -0,0 +1 @@
1
+xsltproc  --output index.html.en  --stringparam section.autolabel.max.depth 2 --stringparam  section.autolabel 1 /usr/share/sgml/docbook/xsl-stylesheets-1.75.2/xhtml/docbook.xsl design.xml 
... ...
@@ -0,0 +1,2640 @@
1
+<?xml version="1.0" encoding="ISO-8859-1"?>
2
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3
+     "file:///usr/share/sgml/docbook/xml-dtd-4.4-1.0-30.1/docbookx.dtd">
4
+
5
+<article id="design">
6
+ <articleinfo>
7
+  <title>Torbutton Design Documentation</title>
8
+   <author>
9
+    <firstname>Mike</firstname><surname>Perry</surname>
10
+    <affiliation>
11
+     <address><email>mikeperry.fscked/org</email></address>
12
+    </affiliation>
13
+   </author>
14
+   <pubdate>Dec 15 2009</pubdate>
15
+ </articleinfo>
16
+
17
+<sect1>
18
+  <title>Introduction</title>
19
+  <para>
20
+
21
+This document describes the goals, operation, and testing procedures of the
22
+Torbutton Firefox extension. It is current as of Torbutton 1.2.4.
23
+
24
+  </para>
25
+  <sect2 id="adversary">
26
+   <title>Adversary Model</title>
27
+   <para>
28
+
29
+A Tor web browser adversary has a number of goals, capabilities, and attack
30
+types that can be used to guide us towards a set of requirements for the
31
+Torbutton extension. Let's start with the goals.
32
+
33
+   </para>
34
+   <sect3 id="adversarygoals">
35
+    <title>Adversary Goals</title>
36
+    <orderedlist>
37
+<!-- These aren't really commands.. But it's the closest I could find in an
38
+acceptable style.. Don't really want to make my own stylesheet -->
39
+     <listitem><command>Bypassing proxy settings</command>
40
+     <para>The adversary's primary goal is direct compromise and bypass of 
41
+Tor, causing the user to directly connect to an IP of the adversary's
42
+choosing.</para>
43
+     </listitem>
44
+     <listitem><command>Correlation of Tor vs Non-Tor Activity</command>
45
+     <para>If direct proxy bypass is not possible, the adversary will likely
46
+happily settle for the ability to correlate something a user did via Tor with
47
+their non-Tor activity. This can be done with cookies, cache identifiers,
48
+javascript events, and even CSS. Sometimes the fact that a user uses Tor may
49
+be enough for some authorities.</para>
50
+     </listitem>
51
+     <listitem><command>History disclosure</command>
52
+     <para>
53
+The adversary may also be interested in history disclosure: the ability to
54
+query a user's history to see if they have issued certain censored search
55
+queries, or visited censored sites.
56
+     </para>
57
+     </listitem>
58
+     <listitem><command>Location information</command>
59
+     <para>
60
+
61
+Location information such as timezone and locality can be useful for the
62
+adversary to determine if a user is in fact originating from one of the
63
+regions they are attempting to control, or to zero-in on the geographical
64
+location of a particular dissident or whistleblower.
65
+
66
+     </para>
67
+     </listitem>
68
+     <listitem><command>Miscellaneous anonymity set reduction</command>
69
+     <para>
70
+
71
+Anonymity set reduction is also useful in attempting to zero in on a
72
+particular individual. If the dissident or whistleblower is using a rare build
73
+of Firefox for an obscure operating system, this can be very useful
74
+information for tracking them down, or at least <link
75
+linkend="fingerprinting">tracking their activities</link>.
76
+
77
+     </para>
78
+     </listitem>
79
+     <listitem><command>History records and other on-disk
80
+information</command>
81
+     <para>
82
+In some cases, the adversary may opt for a heavy-handed approach, such as
83
+seizing the computers of all Tor users in an area (especially after narrowing
84
+the field by the above two pieces of information). History records and cache
85
+data are the primary goals here.
86
+     </para>
87
+     </listitem>
88
+    </orderedlist>
89
+   </sect3>
90
+
91
+   <sect3 id="adversarypositioning">
92
+    <title>Adversary Capabilities - Positioning</title>
93
+    <para>
94
+The adversary can position themselves at a number of different locations in
95
+order to execute their attacks.
96
+    </para>
97
+    <orderedlist>
98
+     <listitem><command>Exit Node or Upstream Router</command>
99
+     <para>
100
+The adversary can run exit nodes, or alternatively, they may control routers
101
+upstream of exit nodes. Both of these scenarios have been observed in the
102
+wild.
103
+     </para>
104
+     </listitem>
105
+     <listitem><command>Adservers and/or Malicious Websites</command>
106
+     <para>
107
+The adversary can also run websites, or more likely, they can contract out
108
+ad space from a number of different adservers and inject content that way. For
109
+some users, the adversary may be the adservers themselves. It is not
110
+inconceivable that adservers may try to subvert or reduce a user's anonymity 
111
+through Tor for marketing purposes.
112
+     </para>
113
+     </listitem>
114
+     <listitem><command>Local Network/ISP/Upstream Router</command>
115
+     <para>
116
+The adversary can also inject malicious content at the user's upstream router
117
+when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
118
+activity.
119
+     </para>
120
+     </listitem>
121
+     <listitem><command>Physical Access</command>
122
+     <para>
123
+Some users face adversaries with intermittent or constant physical access.
124
+Users in Internet cafes, for example, face such a threat. In addition, in
125
+countries where simply using tools like Tor is illegal, users may face
126
+confiscation of their computer equipment for excessive Tor usage or just
127
+general suspicion.
128
+     </para>
129
+     </listitem>
130
+    </orderedlist>
131
+   </sect3>
132
+
133
+   <sect3 id="attacks">
134
+    <title>Adversary Capabilities - Attacks</title>
135
+    <para>
136
+
137
+The adversary can perform the following attacks from a number of different 
138
+positions to accomplish various aspects of their goals. It should be noted
139
+that many of these attacks (especially those involving IP address leakage) are
140
+often performed by accident by websites that simply have Javascript, dynamic 
141
+CSS elements, and plugins. Others are performed by adservers seeking to
142
+correlate users' activity across different IP addresses, and still others are
143
+performed by malicious agents on the Tor network and at national firewalls.
144
+
145
+    </para>
146
+    <orderedlist>
147
+     <listitem><command>Inserting Javascript</command>
148
+     <para>
149
+If not properly disabled, Javascript event handlers and timers
150
+can cause the browser to perform network activity after Tor has been disabled,
151
+thus allowing the adversary to correlate Tor and Non-Tor activity and reveal
152
+a user's non-Tor IP address. Javascript
153
+also allows the adversary to execute <ulink
154
+url="http://whattheinternetknowsaboutyou.com/">history disclosure attacks</ulink>:
155
+to query the history via the different attributes of 'visited' links to search
156
+for particular google queries, sites, or even to <ulink
157
+url="http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/">profile
158
+users based on gender and other classifications</ulink>. Finally,
159
+Javascript can be used to query the user's timezone via the
160
+<function>Date()</function> object, and to reduce the anonymity set by querying
161
+the <function>navigator</function> object for operating system, CPU, locale, 
162
+and user agent information.
163
+     </para>
164
+     </listitem>
165
+
166
+     <listitem><command>Inserting Plugins</command>
167
+     <para>
168
+
169
+Plugins are abysmal at obeying the proxy settings of the browser. Every plugin
170
+capable of performing network activity that the author has
171
+investigated is also capable of performing network activity independent of
172
+browser proxy settings - and often independent of its own proxy settings.
173
+Sites that have plugin content don't even have to be malicious to obtain a
174
+user's
175
+Non-Tor IP (it usually leaks by itself), though <ulink
176
+url="http://decloak.net">plenty of active
177
+exploits</ulink> are possible as well. In addition, plugins can be used to store unique identifiers that are more
178
+difficult to clear than standard cookies. 
179
+<ulink url="http://epic.org/privacy/cookies/flash.html">Flash-based
180
+cookies</ulink> fall into this category, but there are likely numerous other
181
+examples.
182
+
183
+     </para>
184
+     </listitem>
185
+     <listitem><command>Inserting CSS</command>
186
+     <para>
187
+
188
+CSS can also be used to correlate Tor and Non-Tor activity and reveal a user's
189
+Non-Tor IP address, via the usage of
190
+<ulink url="http://www.tjkdesign.com/articles/css%20pop%20ups/">CSS
191
+popups</ulink> - essentially CSS-based event handlers that fetch content via
192
+CSS's onmouseover attribute. If these popups are allowed to perform network
193
+activity in a different Tor state than they were loaded in, they can easily
194
+correlate Tor and Non-Tor activity and reveal a user's IP address. In
195
+addition, CSS can also be used without Javascript to perform <ulink
196
+url="http://ha.ckers.org/weird/CSS-history.cgi">CSS-only history disclosure
197
+attacks</ulink>.
198
+     </para>
199
+     </listitem>
200
+     <listitem><command>Read and insert cookies</command>
201
+     <para>
202
+
203
+An adversary in a position to perform MITM content alteration can inject
204
+document content elements to both read and inject cookies for
205
+arbitrary domains. In fact, many "SSL secured" websites are vulnerable to this
206
+sort of <ulink url="http://seclists.org/bugtraq/2007/Aug/0070.html">active
207
+sidejacking</ulink>.
208
+
209
+     </para>
210
+     </listitem>
211
+     <listitem><command>Create arbitrary cached content</command>
212
+     <para>
213
+
214
+Likewise, the browser cache can also be used to <ulink
215
+url="http://crypto.stanford.edu/sameorigin/safecachetest.html">store unique
216
+identifiers</ulink>. Since by default the cache has no same-origin policy,
217
+these identifiers can be read by any domain, making them an ideal target for
218
+adserver-class adversaries.
219
+
220
+     </para>
221
+     </listitem>
222
+     <listitem id="fingerprinting"><command>Fingerprint users based on browser
223
+attributes</command>
224
+<para>
225
+
226
+There is an absurd amount of information available to websites via attributes
227
+of the browser. This information can be used to reduce anonymity set, or even
228
+<ulink url="http://mandark.fr/0x000000/articles/Total_Recall_On_Firefox..html">uniquely
229
+fingerprint individual users</ulink>. </para>
230
+<para>
231
+For illustration, let's perform a
232
+back-of-the-envelope calculation on the number of anonymity sets for just the
233
+resolution information available in the <ulink
234
+url="http://developer.mozilla.org/en/docs/DOM:window">window</ulink> and
235
+<ulink
236
+url="http://developer.mozilla.org/en/docs/DOM:window.screen">window.screen</ulink>
237
+objects. Browser window resolution information provides something like
238
+(1280-640)*(1024-480)=348160 different anonymity sets. Desktop resolution
239
+information contributes about another factor of 5 (for about 5 resolutions in
240
+typical use). In addition, the dimensions and position of the desktop taskbar
241
+are available, which can reveal hints on OS information. This boosts the count
242
+by a factor of 5 (for each of the major desktop taskbars - Windows, OSX, KDE
243
+and Gnome, and None). Subtracting the browser content window
244
+size from the browser outer window size provide yet more information.
245
+Firefox toolbar presence gives about a factor of 8 (3 toolbars on/off give
246
+2<superscript>3</superscript>=8). Interface effects such as titlebar fontsize
247
+and window manager settings gives a factor of about 9 (say 3 common font sizes
248
+for the titlebar and 3 common sizes for browser GUI element fonts).
249
+Multiply this all out, and you have (1280-640)*(1024-480)*5*5*8*9 ~=
250
+2<superscript>29</superscript>, or a 29 bit identifier based on resolution
251
+information alone. </para>
252
+
253
+<para>
254
+
255
+Of course, this space is non-uniform and prone to incremental changes.
256
+However, if a bit vector space consisting of the above extracted attributes
257
+were used instead of the hash approach from <ulink
258
+url="http://mandark.fr/0x000000/articles/Total_Recall_On_Firefox..html">The Hacker
259
+Webzine article above</ulink>, minor changes in browser window resolution will
260
+no longer generate totally new identifiers. 
261
+
262
+</para>
263
+<para>
264
+
265
+To add insult to injury, <ulink
266
+url="http://pseudo-flaw.net/content/tor/torbutton/">chrome URL disclosure
267
+attacks</ulink> mean that each and every extension on <ulink
268
+url="https://addons.mozilla.org">addons.mozilla.org</ulink> adds another bit
269
+to that 2<superscript>29</superscript>. With hundreds of popular extensions
270
+and thousands of extensions total, it is easy to see that this sort of
271
+information is an impressively powerful identifier if used properly by a
272
+competent and determined adversary such as an ad network.  Again, a
273
+nearest-neighbor bit vector space approach here would also gracefully handle
274
+incremental changes to installed extensions.
275
+
276
+</para>
277
+
278
+     </listitem>
279
+     <listitem><command>Remotely or locally exploit browser and/or
280
+OS</command>
281
+     <para>
282
+Last, but definitely not least, the adversary can exploit either general 
283
+browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
284
+install malware and surveillance software. An adversary with physical access
285
+can perform similar actions. Regrettably, this last attack capability is
286
+outside of Torbutton's ability to defend against, but it is worth mentioning
287
+for completeness.
288
+     </para>
289
+     </listitem>
290
+    </orderedlist>
291
+   </sect3>
292
+
293
+  </sect2>
294
+
295
+  <sect2 id="requirements">
296
+   <title>Torbutton Requirements</title>
297
+<note>
298
+
299
+Since many settings satisfy multiple requirements, this design document is
300
+organized primarily by Torbutton components and settings. However, if you are
301
+the type that would rather read the document from the requirements
302
+perspective, it is in fact possible to search for each of the following
303
+requirement phrases in the text to find the relevant features that help meet
304
+that requirement.
305
+
306
+</note>
307
+   <para>
308
+
309
+From the above Adversary Model, a number of requirements become clear. 
310
+
311
+   </para>
312
+
313
+<orderedlist> 
314
+<!-- These aren't really commands.. But it's the closest I could find in an
315
+acceptable style.. Don't really want to make my own stylesheet -->
316
+ <listitem id="proxy"><command>Proxy Obedience</command> 
317
+ <para>The browser
318
+MUST NOT bypass Tor proxy settings for any content.</para></listitem>
319
+ <listitem id="isolation"><command>Network Isolation</command>
320
+ <para>Pages MUST NOT perform any network activity in a Tor state different
321
+ from the state they were originally loaded in.</para></listitem>
322
+ <listitem id="state"><command>State Separation</command>
323
+ <para>Browser state (cookies, cache, history, 'DOM storage'), accumulated in
324
+ one Tor state MUST NOT be accessible via the network in
325
+ another Tor state.</para></listitem>
326
+ <listitem id="undiscoverability"><command>Tor Undiscoverability</command><para>With
327
+the advent of bridge support in Tor 0.2.0.x, there are now a class of Tor
328
+users whose network fingerprint does not obviously betray the fact that they
329
+are using Tor. This should extend to the browser as well - Torbutton MUST NOT 
330
+reveal its presence while Tor is disabled.</para></listitem>
331
+ <listitem id="disk"><command>Disk Avoidance</command><para>The browser SHOULD NOT write any Tor-related state to disk, or store it
332
+ in memory beyond the duration of one Tor toggle.</para></listitem>
333
+ <listitem id="location"><command>Location Neutrality</command><para>The browser SHOULD NOT leak location-specific information, such as
334
+ timezone or locale via Tor.</para></listitem>
335
+ <listitem id="setpreservation"><command>Anonymity Set
336
+Preservation</command><para>The browser SHOULD NOT leak any other anonymity set reducing information 
337
+ (such as user agent, extension presence, and resolution information)
338
+automatically via Tor. The assessment of the attacks above should make it clear
339
+that anonymity set reduction is a very powerful method of tracking and
340
+eventually identifying anonymous users.
341
+</para></listitem>
342
+ <listitem id="updates"><command>Update Safety</command><para>The browser
343
+SHOULD NOT perform unauthenticated updates or upgrades via Tor.</para></listitem>
344
+ <listitem id="interoperate"><command>Interoperability</command><para>Torbutton SHOULD interoperate with third-party proxy switchers that
345
+ enable the user to switch between a number of different proxies. It MUST
346
+ provide full Tor protection in the event a third-party proxy switcher has
347
+ enabled the Tor proxy settings.</para></listitem>
348
+</orderedlist>
349
+  </sect2>
350
+  <sect2 id="layout">
351
+   <title>Extension Layout</title>
352
+
353
+<para>Firefox extensions consist of two main categories of code: 'Components' and
354
+'Chrome'. Components are a fancy name for classes that implement a given
355
+interface or interfaces. In Firefox, components <ulink
356
+url="https://developer.mozilla.org/en/XPCOM">can be
357
+written</ulink> in C++,
358
+Javascript, or a mixture of both. Components have two identifiers: their
359
+'<ulink
360
+url="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005005">Contract
361
+ID</ulink>' (a human readable path-like string), and their '<ulink
362
+url="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005329">Class
363
+ID</ulink>' (a GUID hex-string). In addition, the interfaces they implement each have a hex
364
+'Interface ID'. It is possible to 'hook' system components - to reimplement
365
+their interface members with your own wrappers - but only if the rest of the
366
+browser refers to the component by its Contract ID. If the browser refers to
367
+the component by Class ID, it bypasses your hooks in that use case.
368
+Technically, it may be possible to hook Class IDs by unregistering the
369
+original component, and then re-registering your own, but this relies on
370
+obsolete and deprecated interfaces and has proved to be less than
371
+stable.</para>
372
+
373
+<para>'Chrome' is a combination of XML and Javascript used to describe a window.
374
+Extensions are allowed to create 'overlays' that are 'bound' to existing XML
375
+window definitions, or they can create their own windows. The DTD for this XML
376
+is called <ulink
377
+url="http://developer.mozilla.org/en/docs/XUL_Reference">XUL</ulink>.</para>
378
+  </sect2>
379
+</sect1>
380
+<sect1>
381
+  <title>Components</title>
382
+  <para>
383
+
384
+Torbutton installs components for two purposes: hooking existing components to
385
+reimplement their interfaces; and creating new components that provide
386
+services to other pieces of the extension.
387
+
388
+  </para>
389
+
390
+  <sect2>
391
+   <title>Hooked Components</title>
392
+
393
+<para>Torbutton makes extensive use of Contract ID hooking, and implements some
394
+of its own standalone components as well.  Let's discuss the hooked components
395
+first.</para>
396
+
397
+<sect3 id="sessionstore">
398
+ <title><ulink
399
+url="http://developer.mozilla.org/en/docs/nsISessionStore">@mozilla.org/browser/sessionstore;1</ulink> -
400
+<ulink
401
+url="https://git.torproject.org/checkout/torbutton/master/src/components/nsSessionStore36.js">components/nsSessionStore36.js</ulink></title>
402
+
403
+<para>These components address the <link linkend="disk">Disk Avoidance</link>
404
+requirements of Torbutton. As stated in the requirements, Torbutton needs to
405
+prevent Tor tabs from being written to disk by the Firefox session store for a
406
+number of reasons, primary among them is the fact that Firefox can crash at
407
+any time, and a restart can cause you to fetch tabs in the incorrect Tor
408
+state.</para>
409
+
410
+<para>These components illustrate a complication with Firefox hooking: you can
411
+only hook member functions of a class if they are published in an
412
+interface that the class implements. Unfortunately, the sessionstore has no
413
+published interface that is amenable to disabling the writing out of Tor tabs
414
+in specific. As such, Torbutton had to include the <emphasis>entire</emphasis>
415
+nsSessionStore from both Firefox 2.0, 3.0, 3.5 and 3.6
416
+with a couple of modifications to prevent tabs that were loaded with Tor
417
+enabled from being written to disk, and some version detection code to
418
+determine which component to load. The <ulink
419
+url="https://git.torproject.org/checkout/torbutton/master/src/components/nsSessionStore36.diff">diff against the original session
420
+store</ulink> is included in the git repository.</para>
421
+</sect3>
422
+<sect3 id="appblocker">
423
+ <title><ulink
424
+url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-protocol-service%3B1">@mozilla.org/uriloader/external-protocol-service;1
425
+</ulink>, <ulink
426
+url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-helper-app-service%3B1">@mozilla.org/uriloader/external-helper-app-service;1</ulink>,
427
+and <ulink url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/mime%3B1">@mozilla.org/mime;1</ulink>
428
+- <ulink
429
+  url="https://git.torproject.org/checkout/torbutton/master/src/components/external-app-blocker.js">components/external-app-blocker.js</ulink></title>
430
+ <para>
431
+Due to <link linkend="FirefoxBugs">Firefox Bug</link> <ulink
432
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=440892">440892</ulink> allowing Firefox 3.x to automatically launch some
433
+applications without user intervention, Torbutton had to wrap the three
434
+components involved in launching external applications to provide user
435
+confirmation before doing so while Tor is enabled. Since external applications
436
+do not obey proxy settings, they can be manipulated to automatically connect
437
+back to arbitrary servers outside of Tor with no user intervention. Fixing
438
+this issue helps to satisfy Torbutton's <link linkend="proxy">Proxy
439
+Obedience</link> Requirement.
440
+ </para>
441
+</sect3>
442
+<sect3>
443
+<title><ulink
444
+url="http://lxr.mozilla.org/seamonkey/source/browser/components/sessionstore/src/nsSessionStartup.js">@mozilla.org/browser/sessionstartup;1</ulink> -
445
+    <ulink
446
+url="https://git.torproject.org/checkout/torbutton/master/src/components/crash-observer.js">components/crash-observer.js</ulink></title>
447
+
448
+<para>This component wraps the Firefox Session Startup component that is in
449
+charge of <ulink
450
+url="http://developer.mozilla.org/en/docs/Session_store_API">restoring saved
451
+sessions</ulink>. The wrapper's only job is to intercept the
452
+<function>doRestore()</function> function, which is called by Firefox if it is determined that the
453
+browser crashed and the session needs to be restored. The wrapper notifies the
454
+Torbutton chrome that the browser crashed by setting the pref
455
+<command>extensions.torbutton.crashed</command>, or that it is a normal
456
+startup via the pref <command>extensions.torbutton.noncrashed</command>. The Torbutton Chrome <ulink
457
+url="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29">listens for a
458
+preference change</ulink> for this value and then does the appropriate cleanup. This
459
+includes setting the Tor state to the one the user selected for crash recovery
460
+in the preferences window (<command>extensions.torbutton.restore_tor</command>), and
461
+restoring cookies for the corresponding cookie jar, if it exists.</para>
462
+
463
+<para>By performing this notification, this component assists in the 
464
+<link linkend="proxy">Proxy Obedience</link>, and <link
465
+linkend="isolation">Network Isolation</link> requirements.
466
+</para>
467
+
468
+
469
+</sect3>
470
+<sect3>
471
+<title><ulink url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2">@mozilla.org/browser/global-history;2</ulink>
472
+- <ulink
473
+  url="https://git.torproject.org/checkout/torbutton/master/src/components/ignore-history.js">components/ignore-history.js</ulink></title>
474
+
475
+<para>This component was contributed by <ulink
476
+url="http://www.collinjackson.com/">Collin Jackson</ulink> as a method for defeating
477
+CSS and Javascript-based methods of history disclosure. The global-history
478
+component is what is used by Firefox to determine if a link was visited or not
479
+(to apply the appropriate style to the link). By hooking the <ulink
480
+url="https://developer.mozilla.org/en/nsIGlobalHistory2#isVisited.28.29">isVisited</ulink>
481
+and <ulink 
482
+url="https://developer.mozilla.org/en/nsIGlobalHistory2#addURI.28.29">addURI</ulink>
483
+methods, Torbutton is able to selectively prevent history items from being
484
+added or being displayed as visited, depending on the Tor state and the user's
485
+preferences.
486
+</para>
487
+<para>
488
+This component helps satisfy the <link linkend="state">State Separation</link>
489
+and <link linkend="disk">Disk Avoidance</link> requirements of Torbutton.
490
+</para>
491
+</sect3>
492
+<sect3 id="livemarks">
493
+<title><ulink
494
+url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2">@mozilla.org/browser/livemark-service;2</ulink>
495
+- <ulink
496
+  url="https://git.torproject.org/checkout/torbutton/master/src/components/block-livemarks.js">components/block-livemarks.js</ulink></title>
497
+<para>
498
+
499
+The <ulink
500
+url="http://www.mozilla.com/en-US/firefox/livebookmarks.html">livemark</ulink> service
501
+is started by a timer that runs 5 seconds after Firefox
502
+startup. As a result, we cannot simply call the stopUpdateLivemarks() method to
503
+disable it. We must wrap the component to prevent this start() call from
504
+firing in the event the browser starts in Tor mode.
505
+
506
+</para>
507
+<para>
508
+This component helps satisfy the <link linkend="isolation">Network
509
+Isolation</link> and <link linkend="setpreservation">Anonymity Set
510
+Preservation</link> requirements.
511
+</para>
512
+</sect3>
513
+</sect2>
514
+<sect2>
515
+<title>New Components</title>
516
+
517
+<para>Torbutton creates four new components that are used throughout the
518
+extension. These components do not hook any interfaces, nor are they used
519
+anywhere besides Torbutton itself.</para>
520
+
521
+<sect3>
522
+<title><ulink
523
+url="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js">@torproject.org/cookie-jar-selector;2
524
+- components/cookie-jar-selector.js</ulink></title>
525
+
526
+<para>The cookie jar selector (also based on code from <ulink
527
+url="http://www.collinjackson.com/">Collin
528
+Jackson</ulink>) is used by the Torbutton chrome to switch between
529
+Tor and Non-Tor cookies. Its operations are simple: sync cookies to disk, then
530
+move the current cookies.txt file to the appropriate backup location
531
+(cookies-tor.txt or cookies-nontor.txt), and then moving the other cookie jar
532
+into place.</para>
533
+
534
+<para>
535
+This component helps to address the <link linkend="state">State
536
+Isolation</link> requirement of Torbutton.
537
+</para>
538
+
539
+</sect3>
540
+<sect3>
541
+<title><ulink
542
+url="https://git.torproject.org/checkout/torbutton/master/src/components/torbutton-logger.js">@torproject.org/torbutton-logger;1
543
+- components/torbutton-logger.js</ulink></title>
544
+
545
+<para>The torbutton logger component allows on-the-fly redirection of torbutton
546
+logging messages to either Firefox stderr
547
+(<command>extensions.torbutton.logmethod=0</command>), the Javascript error console
548
+(<command>extensions.torbutton.logmethod=1</command>), or the DebugLogger extension (if
549
+available - <command>extensions.torbutton.logmethod=2</command>). It also allows you to
550
+change the loglevel on the fly by changing
551
+<command>extensions.torbutton.loglevel</command> (1-5, 1 is most verbose).
552
+</para>
553
+</sect3>
554
+<sect3 id="windowmapper">
555
+
556
+<title><ulink
557
+url="https://git.torproject.org/checkout/torbutton/master/src/components/window-mapper.js">@torproject.org/content-window-mapper;1
558
+- components/window-mapper.js</ulink></title>
559
+
560
+<para>Torbutton tags Firefox <ulink
561
+url="https://developer.mozilla.org/en/XUL_Tutorial/Tabboxes">tabs</ulink> with a special variable that indicates the Tor
562
+state the tab was most recently used under to fetch a page. The problem is
563
+that for many Firefox events, it is not possible to determine the tab that is
564
+actually receiving the event. The Torbutton window mapper allows the Torbutton
565
+chrome and other components to look up a <ulink
566
+url="https://developer.mozilla.org/en/XUL/tabbrowser">browser
567
+tab</ulink> for a given <ulink
568
+url="https://developer.mozilla.org/en/nsIDOMWindow">HTML content
569
+window</ulink>. It does this by traversing all windows and all browsers, until it
570
+finds the browser with the requested <ulink
571
+url="https://developer.mozilla.org/en/XUL/tabbrowser#p-contentWindow">contentWindow</ulink> element. Since the content policy
572
+and page loading in general can generate hundreds of these lookups, this
573
+result is cached inside the component.
574
+</para>
575
+</sect3>
576
+<sect3 id="contentpolicy">
577
+<title><ulink
578
+url="https://git.torproject.org/checkout/torbutton/master/src/components/cssblocker.js">@torproject.org/cssblocker;1
579
+- components/cssblocker.js</ulink></title>
580
+
581
+<para>This is a key component to Torbutton's security measures. When Tor is
582
+toggled, Javascript is disabled, and pages are instructed to stop loading.
583
+However, CSS is still able to perform network operations by loading styles for
584
+onmouseover events and other operations. In addition, favicons can still be
585
+loaded by the browser. The cssblocker component prevents this by implementing
586
+and registering an <ulink
587
+url="https://developer.mozilla.org/en/nsIContentPolicy">nsIContentPolicy</ulink>.
588
+When an nsIContentPolicy is registered, Firefox checks every attempted network
589
+request against its <ulink
590
+url="https://developer.mozilla.org/en/nsIContentPolicy#shouldLoad()">shouldLoad</ulink>
591
+member function to determine if the load should proceed. In Torbutton's case,
592
+the content policy looks up the appropriate browser tab using the <link
593
+linkend="windowmapper">window mapper</link>,
594
+and checks that tab's load tag against the current Tor state. If the tab was
595
+loaded in a different state than the current state, the fetch is denied.
596
+Otherwise, it is allowed.</para> This helps to achieve the <link
597
+linkend="isolation">Network
598
+Isolation</link> requirements of Torbutton.
599
+
600
+<para>In addition, the content policy also blocks website javascript from
601
+<ulink url="http://pseudo-flaw.net/content/tor/torbutton/">querying for
602
+versions and existence of extension chrome</ulink> while Tor is enabled, and
603
+also masks the presence of Torbutton to website javascript while Tor is
604
+disabled. </para>
605
+
606
+<para>
607
+
608
+Finally, some of the work that logically belongs to the content policy is
609
+instead handled by the <command>torbutton_http_observer</command> and
610
+<command>torbutton_weblistener</command> in <ulink
611
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js">torbutton.js</ulink>. These two objects handle blocking of
612
+Firefox 3 favicon loads, popups, and full page plugins, which for whatever
613
+reason are not passed to the Firefox content policy itself (see Firefox Bugs 
614
+<ulink
615
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=437014">437014</ulink> and 
616
+<ulink
617
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=401296">401296</ulink>).
618
+
619
+</para>
620
+
621
+<!-- 
622
+FIXME: Hrmm, the content policy doesn't really lend itself well to display 
623
+this way.. People looking for this much detail should consult the source.
624
+
625
+<para>
626
+    <table rowheader="firstcol" frame='all'><title>Access Permissions Table</title>
627
+    <tgroup cols='5' align='left' colsep='1' rowsep='1'>
628
+       <tbody>
629
+       <row>
630
+         <entry></entry>
631
+         <entry>chrome/resource</entry>
632
+         <entry>a3</entry>
633
+         <entry>a4</entry>
634
+         <entry>a5</entry>
635
+       </row>
636
+       <row>
637
+         <entry>file</entry>
638
+         <entry>b2</entry>
639
+         <entry>b3</entry>
640
+         <entry>b4</entry>
641
+         <entry>b5</entry>
642
+       </row>
643
+       <row>
644
+         <entry>c1</entry>
645
+         <entry>c2</entry>
646
+         <entry>c3</entry>
647
+         <entry>c4</entry>
648
+         <entry>c5</entry>
649
+       </row>
650
+       <row>
651
+         <entry>d1</entry>
652
+         <entry>d2</entry>
653
+         <entry>d3</entry>
654
+         <entry>d4</entry>
655
+         <entry>d5</entry>
656
+       </row>
657
+       </tbody>
658
+       </tgroup>
659
+       </table>
660
+</para>
661
+-->
662
+
663
+<para>
664
+
665
+This helps to fulfill both the <link
666
+linkend="setpreservation">Anonymity Set Preservation</link> and the <link
667
+linkend="undiscoverability">Tor Undiscoverability</link> requirements of
668
+Torbutton.</para>
669
+
670
+</sect3>
671
+</sect2>
672
+</sect1>
673
+<sect1>
674
+ <title>Chrome</title>
675
+
676
+<para>The chrome is where all the torbutton graphical elements and windows are
677
+located. Each window is described as an <ulink
678
+url="http://developer.mozilla.org/en/docs/XUL_Reference">XML file</ulink>, with zero or more Javascript
679
+files attached. The scope of these Javascript files is their containing
680
+window.</para>
681
+
682
+<sect2 id="browseroverlay">
683
+<title>Browser Overlay - <ulink
684
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.xul">torbutton.xul</ulink></title>
685
+
686
+<para>The browser overlay, torbutton.xul, defines the toolbar button, the status
687
+bar, and events for toggling the button. The overlay code is in <ulink
688
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js">chrome/content/torbutton.js</ulink>.
689
+It contains event handlers for preference update, shutdown, upgrade, and
690
+location change events.</para>
691
+
692
+<para>The <ulink
693
+url="https://developer.mozilla.org/en/nsIWebProgressListener#onLocationChange">location
694
+change</ulink> <ulink
695
+url="https://developer.mozilla.org/en/nsIWebProgress">webprogress
696
+listener</ulink>, <command>torbutton_weblistener</command> is one of the most
697
+important parts of the chrome from a security standpoint. It is a <ulink
698
+url="https://developer.mozilla.org/en/nsIWebProgressListener">webprogress
699
+listener</ulink> that handles receiving an event every time a page load or
700
+iframe load occurs. This class eventually calls down to
701
+<function>torbutton_update_tags()</function> and
702
+<function>torbutton_hookdoc()</function>, which apply the browser Tor load
703
+state tags, plugin permissions, and install the Javascript hooks to hook the
704
+<ulink
705
+url="https://developer.mozilla.org/en/DOM/window.screen">window.screen</ulink>
706
+object to obfuscate browser and desktop resolution information.
707
+
708
+</para>
709
+
710
+<para>
711
+The browser overlay helps to satisfy a number of Torbutton requirements. These
712
+are better enumerated in each of the Torbutton preferences below. However,
713
+there are also a number of Firefox preferences set in
714
+<function>torbutton_update_status()</function> that aren't governed by any
715
+Torbutton setting. These are:
716
+</para>
717
+<orderedlist>
718
+
719
+<!--
720
+Not set any more.
721
+ <listitem><ulink
722
+url="http://kb.mozillazine.org/Browser.bookmarks.livemark_refresh_seconds">browser.bookmarks.livemark_refresh_seconds</ulink>
723
+<para>
724
+This pref is set in an attempt to disable the fetching of LiveBookmarks via
725
+Tor. Since users can potentially collect a large amount of live bookmarks to
726
+very personal sites (blogs of friends, wikipedia articles they maintain,
727
+comment feeds of their own blog), it is not possible to cleanly isolate these
728
+fetches and they are simply disabled during Tor usage.
729
+This helps to address the <link
730
+linkend="state">State Separation</link> requirement.
731
+Unfortunately <ulink
732
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=436250">Firefox Bug
733
+436250</ulink> prevents this from
734
+functioning completely correctly.
735
+</para>
736
+  </listitem>
737
+-->
738
+
739
+ <listitem><ulink
740
+url="http://kb.mozillazine.org/Network.security.ports.banned">network.security.ports.banned</ulink>
741
+ <para>
742
+Torbutton sets this setting to add ports 8123, 8118, 9050 and 9051 (which it
743
+reads from <command>extensions.torbutton.banned_ports</command>) to the list
744
+of ports Firefox is forbidden to access. These ports are Polipo, Privoxy, Tor,
745
+and the Tor control port, respectively. This is set for both Tor and Non-Tor
746
+usage, and prevents websites from attempting to do http fetches from these
747
+ports to see if they are open, which addresses the <link
748
+linkend="undiscoverability">Tor Undiscoverability</link> requirement.
749
+ </para>
750
+ </listitem>
751
+ <listitem><ulink url="http://kb.mozillazine.org/Browser.send_pings">browser.send_pings</ulink>
752
+ <para>
753
+This setting is currently always disabled. If anyone ever complains saying
754
+that they *want* their browser to be able to send ping notifications to a
755
+page or arbitrary link, I'll make this a pref or Tor-only. But I'm not holding
756
+my breath. I haven't checked if the content policy is called for pings, but if
757
+not, this setting helps with meeting the <link linkend="isolation">Network
758
+Isolation</link> requirement.
759
+ </para>
760
+ </listitem>
761
+ <listitem><ulink
762
+url="http://kb.mozillazine.org/Browser.safebrowsing.remoteLookups">browser.safebrowsing.remoteLookups</ulink>
763
+ <para>
764
+Likewise for this setting. I find it hard to imagine anyone who wants to ask
765
+Google in real time if each URL they visit is safe, especially when the list
766
+of unsafe URLs is downloaded anyway. This helps fulfill the <link
767
+linkend="disk">Disk Avoidance</link> requirement, by preventing your entire
768
+browsing history from ending up on Google's disks.
769
+ </para>
770
+ </listitem>
771
+ <listitem><ulink
772
+url="http://kb.mozillazine.org/Browser.safebrowsing.enabled">browser.safebrowsing.enabled</ulink>
773
+ <para>
774
+Safebrowsing does <ulink
775
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=360387">unauthenticated
776
+updates under Firefox 2</ulink>, so it is disabled during Tor usage. 
777
+This helps fulfill the <link linkend="updates">Update
778
+Safety</link> requirement. Firefox 3 has the fix for that bug, and so
779
+safebrowsing updates are enabled during Tor usage.
780
+ </para>
781
+ </listitem>
782
+ <listitem><ulink
783
+url="http://kb.mozillazine.org/Network.protocol-handler.warn-external.%28protocol%29">network.protocol-handler.warn-external.(protocol)</ulink>
784
+ <para>
785
+If Tor is enabled, we need to prevent random external applications from
786
+launching without at least warning the user. This group of settings only
787
+partially accomplishes this, however. Applications can still be launched via
788
+plugins. The mechanisms for handling this are described under the "Disable
789
+Plugins During Tor Usage" preference. This helps fulfill the <link
790
+linkend="proxy">Proxy Obedience</link> requirement, by preventing external
791
+applications from accessing network resources at the command of Tor-fetched
792
+pages. Unfortunately, due to <link linkend="FirefoxBugs">Firefox Bug</link>
793
+<ulink
794
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=440892">440892</ulink>,
795
+these prefs are no longer obeyed. They are set still anyway out of respect for
796
+the dead.
797
+ </para>
798
+</listitem>
799
+  <listitem><ulink
800
+url="http://kb.mozillazine.org/Browser.sessionstore.max_tabs_undo">browser.sessionstore.max_tabs_undo</ulink>
801
+   <para>
802
+
803
+To help satisfy the Torbutton <link linkend="state">State Separation</link>
804
+and <link linkend="isolation">Network Isolation</link> requirements,
805
+Torbutton needs to purge the Undo Tab history on toggle to prevent repeat
806
+"Undo Close" operations from accidentally restoring tabs from a different Tor
807
+State. This purge is accomplished by setting this preference to 0 and then
808
+restoring it to the previous user value upon toggle.
809
+
810
+   </para>
811
+  </listitem>
812
+
813
+  <listitem><command>security.enable_ssl2</command>
814
+   <para>
815
+TLS Session IDs can persist for an indefinite duration, providing an
816
+identifier that is sent to TLS sites that can be used to link activity. This
817
+is particularly troublesome now that we have certificate verification in place
818
+in Firefox 3: The OCSP server can use this Session ID to build a history of
819
+TLS sites someone visits, and also correlate their activity as users move from
820
+network to network (such as home to work to coffee shop, etc), inside and
821
+outside of Tor. To handle this and to help satisfy our <link
822
+linkend="state">State Separation Requirement</link>, we currently 
823
+toggle
824
+<command>security.enable_ssl2</command>, which clears the SSL Session ID
825
+cache via the pref observer at <ulink
826
+url="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp#2134">nsNSSComponent.cpp
827
+line 2134</ulink>. This is an arcane and potentially fragile fix. It would be
828
+better if there were a more standard interface for accomplishing the same
829
+thing. <link linkend="FirefoxBugs">Firefox Bug</link> <ulink
830
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=448747">448747</ulink> has
831
+been filed for this.
832
+
833
+   </para>
834
+  </listitem>
835
+
836
+  <listitem><command><ulink url="http://www.mozilla.com/en-US/firefox/geolocation/">geo.enabled</ulink></command>
837
+   <para>
838
+
839
+Torbutton disables Geolocation support in Firefox 3.5 and above whenever tor
840
+is enabled. This helps Torbutton maintain its
841
+<link linkend="location">Location Neutrality</link> requirement.
842
+While Firefox does prompt before divulging geolocational information,
843
+the assumption is that Tor users will never want to give their
844
+location away during Tor usage, and even allowing websites to prompt
845
+them to do so will only cause confusion and accidents to happen. Moreover,
846
+just because users may approve a site to know their location in non-Tor mode
847
+does not mean they want it divulged during Tor mode.
848
+
849
+   </para>
850
+  </listitem>
851
+
852
+  <listitem><command><ulink
853
+url="http://kb.mozillazine.org/Browser.zoom.siteSpecific">browser.zoom.siteSpecific</ulink></command>
854
+   <para>
855
+
856
+Firefox actually remembers your zoom settings for certain sites. CSS
857
+and Javascript rule can use this to recognize previous visitors to a site.
858
+This helps Torbutton fulfill its <link linkend="state">State Separation</link>
859
+requirement.
860
+
861
+   </para>
862
+  </listitem>
863
+
864
+  <listitem><command><ulink
865
+url="https://developer.mozilla.org/en/controlling_dns_prefetching">network.dns.disablePrefetch</ulink></command>
866
+   <para>
867
+
868
+Firefox 3.5 and above implement prefetching of DNS resolution for hostnames in
869
+links on a page to decrease page load latency. While Firefox does typically
870
+disable this behavior when proxies are enabled, we set this pref for added
871
+safety during Tor usage. Additionally, to prevent Tor-loaded tabs from having
872
+their links prefetched after a toggle to Non-Tor mode occurs,
873
+we also set the docShell attribute
874
+<ulink
875
+url="http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell">
876
+allowDNSPrefetch</ulink> to false on Tor loaded tabs. This happens in the same
877
+positions in the code as those for disabling plugins via the allowPlugins
878
+docShell attribute. This helps Torbutton fulfill its <link
879
+linkend="isolation">Network Isolation</link> requirement.
880
+
881
+   </para>
882
+  </listitem>
883
+
884
+  <listitem><command><ulink
885
+url="http://kb.mozillazine.org/Browser.cache.offline.enable">browser.cache.offline.enable</ulink></command>
886
+   <para>
887
+
888
+Firefox has the ability to store web applications in a special cache to allow
889
+them to continue to operate while the user is offline. Since this subsystem
890
+is actually different than the normal disk cache, it must be dealt with
891
+separately. Thus, Torbutton sets this preference to false whenever Tor is
892
+enabled. This helps Torbutton fulfill its <link linkend="disk">Disk
893
+Avoidance</link> and <link linkend="state">State Separation</link>
894
+requirements.
895
+
896
+   </para>
897
+  </listitem>
898
+
899
+<!-- FIXME: We should make it possible to search for ALL modified FF prefs -->
900
+
901
+</orderedlist>
902
+</sect2>
903
+<sect2>
904
+ <title>Preferences Window - <ulink
905
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/preferences.xul">preferences.xul</ulink></title>
906
+
907
+<para>The preferences window of course lays out the Torbutton preferences, with
908
+handlers located in <ulink
909
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/preferences.js">chrome/content/preferences.js</ulink>.</para>
910
+</sect2>
911
+<sect2>
912
+ <title>Other Windows</title>
913
+
914
+<para>There are additional windows that describe popups for right clicking on
915
+the status bar, the toolbutton, and the about page.</para>
916
+
917
+</sect2>
918
+</sect1>
919
+
920
+<sect1>
921
+ <title>Toggle Code Path</title>
922
+ <para>
923
+
924
+The act of toggling is connected to <function>torbutton_toggle()</function>
925
+via the <ulink
926
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.xul">torbutton.xul</ulink>
927
+and <ulink
928
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/popup.xul">popup.xul</ulink>
929
+overlay files. Most of the work in the toggling process is present in <ulink
930
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js">torbutton.js</ulink> 
931
+
932
+</para>
933
+<para>
934
+
935
+Toggling is a 3 stage process: Button Click, Proxy Update, and
936
+Settings Update. These stages are reflected in the prefs
937
+<command>extensions.torbutton.tor_enabled</command>,
938
+<command>extensions.torbutton.proxies_applied</command>, and
939
+<command>extensions.torbutton.settings_applied</command>. The reason for the
940
+three stage preference update is to ensure immediate enforcement of <link
941
+linkend="isolation">Network Isolation</link> via the <link
942
+linkend="contentpolicy">content policy</link>. Since the content window
943
+javascript runs on a different thread than the chrome javascript, it is
944
+important to properly convey the stages to the content policy to avoid race
945
+conditions and leakage, especially with <ulink
946
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=409737">Firefox Bug 
947
+409737</ulink> unfixed. The content policy does not allow any network activity
948
+whatsoever during this three stage transition.
949
+
950
+ </para>
951
+ <sect2>
952
+  <title>Button Click</title>
953
+  <para>
954
+
955
+This is the first step in the toggling process. When the user clicks the
956
+toggle button or the toolbar, <function>torbutton_toggle()</function> is
957
+called. This function checks the current Tor status by comparing the current
958
+proxy settings to the selected Tor settings, and then sets the proxy settings
959
+to the opposite state, and sets the pref
960
+<command>extensions.torbutton.tor_enabled</command> to reflect the new state.
961
+It is this proxy pref update that gives notification via the <ulink
962
+url="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29">pref
963
+observer</ulink>
964
+<command>torbutton_unique_pref_observer</command> to perform the rest of the
965
+toggle.
966
+
967
+  </para>
968
+ </sect2>
969
+ <sect2>
970
+  <title>Proxy Update</title>
971
+  <para>
972
+
973
+When Torbutton receives any proxy change notifications via its
974
+<command>torbutton_unique_pref_observer</command>, it calls
975
+<function>torbutton_set_status()</function> which checks against the Tor
976
+settings to see if the Tor proxy settings match the current settings. If so,
977
+it calls <function>torbutton_update_status()</function>, which determines if
978
+the Tor state has actually changed, and sets
979
+<command>extensions.torbutton.proxies_applied</command> to the appropriate Tor
980
+state value, and ensures that
981
+<command>extensions.torbutton.tor_enabled</command> is also set to the correct
982
+value. This is decoupled from the button click functionalty via the pref
983
+observer so that other addons (such as SwitchProxy) can switch the proxy
984
+settings between multiple proxies.
985
+
986
+  </para>
987
+ </sect2>
988
+ <sect2>
989
+  <title>Settings Update</title>
990
+  <para>
991
+
992
+The next stage is also handled by
993
+<function>torbutton_update_status()</function>. This function sets scores of
994
+Firefox preferences, saving the original values to prefs under
995
+<command>extensions.torbutton.saved.*</command>, and performs the history
996
+clearing, cookie jaring, and ssl certificate jaring work of Torbutton. At the
997
+end of its work, it sets
998
+<command>extensions.torbutton.settings_applied</command>, which signifies the
999
+completion of the toggle operation to the <link
1000
+linkend="contentpolicy">content policy</link>.
1001
+
1002
+  </para>
1003
+ </sect2>
1004
+</sect1>
1005
+
1006
+<sect1>
1007
+ <title>Description of Options</title>
1008
+<!-- FIXME: Review+update these during FF3.5 audit -->
1009
+<para>This section provides a detailed description of Torbutton's options. Each
1010
+option is presented as the string from the preferences window, a summary, the
1011
+preferences it touches, and the effect this has on the components, chrome, and
1012
+browser properties.</para>
1013
+ <sect2>
1014
+  <title>Test Settings</title>
1015
+  <para>
1016
+This button under the Proxy Settings tab provides a way to verify that the 
1017
+proxy settings are correct, and actually do route through the Tor network. It
1018
+performs this check by issuing an <ulink
1019
+url="http://developer.mozilla.org/en/docs/XMLHttpRequest">XMLHTTPRequest</ulink>
1020
+for <ulink
1021
+url="https://check.torproject.org/?TorButton=True">https://check.torproject.org/?Torbutton=True</ulink>.
1022
+This is a special page that returns very simple, yet well-formed XHTML that
1023
+Torbutton can easily inspect for a hidden link with an id of
1024
+<command>TorCheckResult</command> and a target of <command>success</command>
1025
+or <command>failure</command> to indicate if the
1026
+user hit the page from a Tor IP, a non-Tor IP. This check is handled in
1027
+<function>torbutton_test_settings()</function> in <ulink
1028
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js">torbutton.js</ulink>.
1029
+Presenting the results to the user is handled by the <ulink
1030
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/preferences.xul">preferences
1031
+window</ulink>
1032
+callback <function>torbutton_prefs_test_settings()</function> in <ulink
1033
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/preferences.js">preferences.js</ulink>.  
1034
+
1035
+  </para>
1036
+ </sect2>
1037
+ <sect2 id="plugins">
1038
+  <title>Disable plugins on Tor Usage (crucial)</title>
1039
+ <para>Option: <command>extensions.torbutton.no_tor_plugins</command></para>
1040
+
1041
+ <para>Java and plugins <ulink
1042
+url="http://java.sun.com/j2se/1.5.0/docs/api/java/net/class-use/NetworkInterface.html">can query</ulink> the <ulink
1043
+url="http://www.rgagnon.com/javadetails/java-0095.html">local IP
1044
+address</ulink> and report it back to the
1045
+remote site. They can also <ulink
1046
+url="http://decloak.net">bypass proxy settings</ulink> and directly connect to a
1047
+remote site without Tor. Every browser plugin we have tested with Firefox has
1048
+some form of network capability, and every one ignores proxy settings or worse - only
1049
+partially obeys them. This includes but is not limited to:
1050
+QuickTime, Windows Media Player, RealPlayer, mplayerplug-in, AcroRead, and
1051
+Flash. 
1052
+
1053
+ </para>
1054
+ <para>
1055
+Enabling this preference causes the above mentioned Torbutton chrome web progress
1056
+ listener <command>torbutton_weblistener</command> to disable Java via <command>security.enable_java</command> and to disable
1057
+ plugins via the browser <ulink
1058
+ url="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell">docShell</ulink>
1059
+ attribute <command>allowPlugins</command>. These flags are set every time a new window is
1060
+ created (<function>torbutton_tag_new_browser()</function>), every time a web
1061
+load
1062
+event occurs
1063
+ (<function>torbutton_update_tags()</function>), and every time the tor state is changed
1064
+ (<function>torbutton_update_status()</function>). As a backup measure, plugins are also
1065
+ prevented from loading by the content policy in <ulink
1066
+url="https://git.torproject.org/checkout/torbutton/master/src/components/cssblocker.js">@torproject.org/cssblocker;1</ulink> if Tor is
1067
+ enabled and this option is set.
1068
+ </para>
1069
+
1070
+ <para>All of this turns out to be insufficient if the user directly clicks
1071
+on a plugin-handled mime-type. <ulink
1072
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=401296">In this case</ulink>,
1073
+the browser decides that maybe it should ignore all these other settings and
1074
+load the plugin anyways, because maybe the user really did want to load it
1075
+(never mind this same load-style could happen automatically  with meta-refresh
1076
+or any number of other ways..). To handle these cases, Torbutton stores a list
1077
+of plugin-handled mime-types, and sets the pref
1078
+<command>plugin.disable_full_page_plugin_for_types</command> to this list.
1079
+Additionally, (since nothing can be assumed when relying on Firefox
1080
+preferences and internals) if it detects a load of one of them from the web
1081
+progress listener, it cancels the request, tells the associated DOMWindow to
1082
+stop loading, clears the document, AND throws an exception. Anything short of
1083
+all this and the plugin managed to find some way to load.
1084
+ </para>
1085
+
1086
+<!--
1087
+
1088
+FIXME: Hrmm, technically this behavior is not covered by this pref.
1089
+
1090
+ <para>
1091
+Furthermore, with version 3.0 and above, Firefox
1092
+<ulink
1093
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=440892">began ignoring</ulink>
1094
+
1095
+<ulink
1096
+url="http://kb.mozillazine.org/Network.protocol-handler.warn-external.%28protocol%29">network.protocol-handler.warn-external.(protocol)</ulink>
1097
+prefs, which caused us to have to <link linkend="appblocker">wrap the external
1098
+app launcher components</link> to prevent external apps from being loaded to
1099
+bypass proxy settings.
1100
+ </para>
1101
+-->
1102
+
1103
+ <para>
1104
+ All this could be avoided, of course, if Firefox would either <ulink
1105
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=401296">obey
1106
+ allowPlugins</ulink> for directly visited URLs, or notify its content policy for such
1107
+ loads either <ulink
1108
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=309524">via</ulink> <ulink
1109
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=380556">shouldProcess</ulink> or shouldLoad. The fact that it does not is
1110
+ not very encouraging.
1111
+ </para>
1112
+
1113
+
1114
+ <para>
1115
+
1116
+Since most plugins completely ignore browser proxy settings, the actions
1117
+performed by this setting are crucial to satisfying the <link
1118
+linkend="proxy">Proxy Obedience</link> requirement.
1119
+
1120
+ </para>
1121
+</sect2>
1122
+<sect2>
1123
+ <title>Isolate Dynamic Content to Tor State (crucial)</title>
1124
+
1125
+ <para>Option: <command>extensions.torbutton.isolate_content</command></para>
1126
+
1127
+<para>Enabling this preference is what enables the <ulink
1128
+url="https://git.torproject.org/checkout/torbutton/master/src/components/cssblocker.js">@torproject.org/cssblocker;1</ulink> content policy
1129
+mentioned above, and causes it to block content load attempts in pages an
1130
+opposite Tor state from the current state. Freshly loaded <ulink
1131
+url="https://developer.mozilla.org/en/XUL/tabbrowser">browser
1132
+tabs</ulink> are tagged
1133
+with a <command>__tb_load_state</command> member in
1134
+<function>torbutton_update_tags()</function> and this
1135
+value is compared against the current tor state in the content policy.</para>
1136
+
1137
+<para>It also kills all Javascript in each page loaded under that state by
1138
+toggling the <command>allowJavascript</command> <ulink
1139
+url="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell">docShell</ulink> property, and issues a
1140
+<ulink
1141
+url="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIWebNavigation#stop()">webNavigation.stop(webNavigation.STOP_ALL)</ulink> to each browser tab (the
1142
+equivalent of hitting the STOP button).</para>
1143
+
1144
+<para>
1145
+
1146
+Unfortunately, <ulink
1147
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=409737">Firefox bug
1148
+409737</ulink> prevents <command>docShell.allowJavascript</command> from killing
1149
+all event handlers, and event handlers registered with <ulink
1150
+url="http://developer.mozilla.org/en/docs/DOM:element.addEventListener">addEventListener()</ulink>
1151
+are still able to execute. The <link linkend="contentpolicy">Torbutton Content
1152
+Policy</link> should prevent such code from performing network activity within
1153
+the current tab, but activity that happens via a popup window or via a
1154
+Javascript redirect can still slip by. For this reason, Torbutton blocks
1155
+popups by checking for a valid <ulink
1156
+url="http://developer.mozilla.org/en/docs/DOM:window.opener">window.opener</ulink>
1157
+attribute in <function>torbutton_check_progress()</function>. If the window
1158
+has an opener from a different Tor state, its load is blocked. The content
1159
+policy also takes similar action to prevent Javascript redirects. This also
1160
+has the side effect/feature of preventing the user from following any links
1161
+from a page loaded in an opposite Tor state.
1162
+
1163
+</para>
1164
+
1165
+<para>
1166
+This setting is responsible for satisfying the <link
1167
+linkend="isolation">Network Isolation</link> requirement.
1168
+</para>
1169
+
1170
+</sect2>
1171
+<sect2 id="jshooks">
1172
+
1173
+<title>Hook Dangerous Javascript</title>
1174
+
1175
+ <para>Option: <command>extensions.torbutton.kill_bad_js</command></para>
1176
+
1177
+<para>This setting enables injection of the <ulink
1178
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/jshooks.js">Javascript
1179
+hooking code</ulink>. This is done in the chrome in
1180
+<function>torbutton_hookdoc()</function>, which is called ultimately by both the 
1181
+<ulink
1182
+url="https://developer.mozilla.org/en/nsIWebProgressListener">webprogress
1183
+listener</ulink> <command>torbutton_weblistener</command> and the <link
1184
+linkend="contentpolicy">content policy</link> (the latter being a hack to handle
1185
+javascript: urls).
1186
+
1187
+In the Firefox 2 days, this option did a lot more than
1188
+it does now. It used to be responsible for timezone and improved useragent
1189
+spoofing, and history object cloaking. However, now it only provides
1190
+obfuscation of the <ulink
1191
+url="https://developer.mozilla.org/en/DOM/window.screen">window.screen</ulink>
1192
+object to mask your browser and desktop resolution.
1193
+The resolution hooks
1194
+effectively make the Firefox browser window appear to websites as if the renderable area
1195
+takes up the entire desktop, has no toolbar or other GUI element space, and
1196
+the desktop itself has no toolbars.
1197
+These hooks drastically reduce the amount of information available to do <link
1198
+linkend="fingerprinting">anonymity set reduction attacks</link> and help to
1199
+meet the <link linkend="setpreservation">Anonymity Set Preservation</link>
1200
+requirements. Unfortunately, Gregory Fleischer discovered it is still possible
1201
+to retrieve the original screen values by using <ulink
1202
+url="http://pseudo-flaw.net/tor/torbutton/unmask-sandbox-xpcnativewrapper.html">XPCNativeWrapper</ulink>
1203
+or <ulink
1204
+url="http://pseudo-flaw.net/tor/torbutton/unmask-components-lookupmethod.html">Components.lookupMethod</ulink>.
1205
+We are still looking for a workaround as of Torbutton 1.2.4.
1206
+
1207
+<!-- FIXME: Don't forget to update this -->
1208
+
1209
+</para>
1210
+</sect2>
1211
+<sect2>
1212
+<title>Resize windows to multiples of 50px during Tor usage (recommended)</title>
1213
+
1214
+ <para>Option: <command>extensions.torbutton.resize_windows</command></para>
1215
+
1216
+<para>
1217
+
1218
+This option drastically cuts down on the number of distinct anonymity sets
1219
+that divide the Tor web userbase. Without this setting, the dimensions for a
1220
+typical browser window range from 600-1200 horizontal pixels and 400-1000
1221
+vertical pixels, or about 600x600 = 360000 different sets. Resizing the
1222
+browser window to multiples of 50 on each side reduces the number of sets by
1223
+50^2, bringing the total number of sets to 144. Of course, the distribution
1224
+among these sets are not uniform, but scaling by 50 will improve the situation
1225
+due to this non-uniformity for users in the less common resolutions.
1226
+Obviously the ideal situation would be to lie entirely about the browser
1227
+window size, but this will likely cause all sorts of rendering issues, and is
1228
+also not implementable in a foolproof way from extension land.
1229
+
1230
+</para>
1231
+<para>
1232
+
1233
+The implementation of this setting is spread across a couple of different
1234
+locations in the Torbutton javascript <link linkend="browseroverlay">browser
1235
+overlay</link>. Since resizing minimized windows causes them to be restored,
1236
+and since maximized windows remember their previous size to the pixel, windows
1237
+must be resized before every document load (at the time of browser tagging)
1238
+via <function>torbutton_check_round()</function>, called by
1239
+<function>torbutton_update_tags()</function>. To prevent drift, the extension
1240
+tracks the original values of the windows and uses this to perform the
1241
+rounding on document load. In addition, to prevent the user from resizing a
1242
+window to a non-50px multiple, a resize listener
1243
+(<function>torbutton_do_resize()</function>) is installed on every new browser
1244
+window to record the new size and round it to a 50px multiple while Tor is
1245
+enabled. In all cases, the browser's contentWindow.innerWidth and innerHeight
1246
+are set. This ensures that there is no discrepancy between the 50 pixel cutoff
1247
+and the actual renderable area of the browser (so that it is not possible to
1248
+infer toolbar size/presence by the distance to the nearest 50 pixel roundoff).
1249
+
1250
+</para>
1251
+<para>
1252
+This setting helps to meet the <link
1253
+linkend="setpreservation">Anonymity Set Preservation</link> requirements.
1254
+</para>
1255
+</sect2>
1256
+<sect2>
1257
+<title>Disable Updates During Tor</title>
1258
+
1259
+  <para>Option: <command>extensions.torbutton.no_updates</command></para>
1260
+
1261
+  <para>This setting causes Torbutton to disable the four <ulink
1262
+url="http://wiki.mozilla.org/Update:Users/Checking_For_Updates#Preference_Controls_and_State">Firefox
1263
+update settings</ulink> during Tor
1264
+  usage: <command>extensions.update.enabled</command>,
1265
+<command>app.update.enabled</command>,
1266
+  <command>app.update.auto</command>, and
1267
+<command>browser.search.update</command>.  These prevent the
1268
+  browser from updating extensions, checking for Firefox upgrades, and
1269
+  checking for search plugin updates while Tor is enabled.
1270
+  </para>
1271
+<para>
1272
+This setting satisfies the <link
1273
+linkend="updates">Update Safety</link> requirement.
1274
+</para>
1275
+</sect2>
1276
+<sect2>
1277
+
1278
+<title>Disable Search Suggestions during Tor (recommended)</title>
1279
+
1280
+  <para>Option: <command>extensions.torbutton.no_search</command></para>
1281
+
1282
+<para>
1283
+This setting causes Torbutton to disable <ulink
1284
+url="http://kb.mozillazine.org/Browser.search.suggest.enabled"><command>browser.search.suggest.enabled</command></ulink>
1285
+during Tor usage.
1286
+This governs if you get Google search suggestions during Tor
1287
+usage. Your Google cookie is transmitted with google search suggestions, hence
1288
+this is recommended to be disabled.
1289
+
1290
+</para>
1291
+<para>
1292
+While this setting doesn't satisfy any Torbutton requirements, the fact that
1293
+cookies are transmitted for partially typed queries does not seem desirable
1294
+for Tor usage.
1295
+</para>
1296
+</sect2>
1297
+<sect2>
1298
+<title>Disable livemarks updates during Tor usage (recommended)</title>
1299
+  <para>Option:
1300
+   <simplelist>
1301
+   <member><command>extensions.torbutton.disable_livemarks</command></member>
1302
+   </simplelist>
1303
+  </para>
1304
+
1305
+<para>
1306
+This option causes Torbutton to prevent Firefox from loading <ulink
1307
+url="http://www.mozilla.com/firefox/livebookmarks.html">Livemarks</ulink> during
1308
+Tor usage. Because people often have very personalized Livemarks (such as RSS
1309
+feeds of Wikipedia articles they maintain, etc). This is accomplished both by
1310
+<link linkend="livemarks">wrapping the livemark-service component</link> and
1311
+by calling stopUpdateLivemarks() on the <ulink
1312
+url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2">Livemark
1313
+service</ulink> when Tor is enabled.
1314
+
1315
+</para>
1316
+
1317
+<para>
1318
+This helps satisfy the <link linkend="isolation">Network
1319
+Isolation</link> and <link linkend="setpreservation">Anonymity Set
1320
+Preservation</link> requirements.
1321
+</para>
1322
+
1323
+</sect2>
1324
+<sect2>
1325
+<title>Block Tor/Non-Tor access to network from file:// urls (recommended)</title>
1326
+  <para>Options:
1327
+   <simplelist>
1328
+   <member><command>extensions.torbutton.block_tor_file_net</command></member>
1329
+   <member><command>extensions.torbutton.block_nontor_file_net</command></member>
1330
+   </simplelist>
1331
+  </para>
1332
+
1333
+<para>
1334
+
1335
+These settings prevent file urls from performing network operations during the
1336
+respective Tor states. Firefox 2's implementation of same origin policy allows
1337
+file urls to read and <ulink
1338
+url="http://www.gnucitizen.org/blog/content-disposition-hacking/">submit
1339
+arbitrary files from the local filesystem</ulink> to arbitrary websites. To
1340
+make matters worse, the 'Content-Disposition' header can be injected
1341
+arbitrarily by exit nodes to trick users into running arbitrary html files in
1342
+the local context. These preferences cause the <link
1343
+linkend="contentpolicy">content policy</link> to block access to any network
1344
+resources from File urls during the appropriate Tor state.
1345
+
1346
+</para>
1347
+<para>
1348
+
1349
+This preference helps to ensure Tor's <link linkend="isolation">Network
1350
+Isolation</link> requirement, by preventing file urls from executing network
1351
+operations in opposite Tor states. Also, allowing pages to submit arbitrary
1352
+files to arbitrary sites just generally seems like a bad idea.
1353
+
1354
+</para>
1355
+</sect2>
1356
+<sect2>
1357
+
1358
+<title>Close all Tor/Non-Tor tabs and windows on toggle (optional)</title>
1359
+
1360
+  <para>Options:
1361
+   <simplelist>
1362
+   <member><command>extensions.torbutton.close_nontor</command></member>
1363
+   <member><command>extensions.torbutton.close_tor</command></member>
1364
+   </simplelist>
1365
+  </para>
1366
+
1367
+<para>
1368
+
1369
+These settings cause Torbutton to enumerate through all windows and close all
1370
+tabs in each window for the appropriate Tor state. This code can be found in
1371
+<function>torbutton_update_status()</function>.  The main reason these settings
1372
+exist is as a backup mechanism in the event of any Javascript or content policy
1373
+leaks due to <ulink
1374
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=409737">Firefox Bug
1375
+409737</ulink>.  Torbutton currently tries to block all Javascript network
1376
+activity via the content policy, but until that bug is fixed, there is some
1377
+risk that there are alternate ways to bypass the policy. This option is
1378
+available as an extra assurance of <link linkend="isolation">Network
1379
+Isolation</link> for those who would like to be sure that when Tor is toggled
1380
+all page activity has ceased. It also serves as a potential future workaround
1381
+in the event a content policy failure is discovered, and provides an additional
1382
+level of protection for the <link linkend="disk">Disk Avoidance</link>
1383
+protection so that browser state is not sitting around waiting to be swapped
1384
+out longer than necessary.
1385
+
1386
+</para>
1387
+<para>
1388
+While this setting doesn't satisfy any Torbutton requirements, the fact that
1389
+cookies are transmitted for partially typed queries does not seem desirable
1390
+for Tor usage.
1391
+</para>
1392
+</sect2>
1393
+
1394
+<sect2>
1395
+<title>Isolate Access to History navigation to Tor state (crucial)</title>
1396
+  <para>Option: <command>extensions.torbutton.block_js_history</command></para>
1397
+  <para>
1398
+This setting determines if Torbutton installs an <ulink
1399
+url="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistoryListener">nsISHistoryListener</ulink>
1400
+attached to the <ulink
1401
+url="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory">sessionHistory</ulink> of 
1402
+of each browser's <ulink
1403
+url="https://developer.mozilla.org/en/XUL%3aProperty%3awebNavigation">webNavigatator</ulink>.
1404
+The nsIShistoryListener is instantiated with a reference to the containing
1405
+browser window and blocks the back, forward, and reload buttons on the browser
1406
+navigation bar when Tor is in an opposite state than the one to load the
1407
+current tab. In addition, Tor clears the session history during a new document
1408
+load if this setting is enabled. 
1409
+
1410
+  </para>
1411
+  <para>
1412
+
1413
+This is marked as a crucial setting in part
1414
+because Javascript access to the history object is indistinguishable from 
1415
+user clicks, and because
1416
+<ulink
1417
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=409737">Firefox Bug
1418
+409737</ulink> allows javascript to execute in opposite Tor states, javascript
1419
+can issue reloads after Tor toggle to reveal your original IP. Even without
1420
+this bug, however, Javascript is still able to access previous pages in your
1421
+session history that may have been loaded under a different Tor state, to
1422
+attempt to correlate your activity.
1423
+
1424
+   </para>
1425
+   <para>
1426
+
1427
+This setting helps to fulfill Torbutton's <link linkend="state">State
1428
+Separation</link> and (until Bug 409737 is fixed) <link linkend="isolation">Network Isolation</link>
1429
+requirements.
1430
+
1431
+   </para>
1432
+</sect2>
1433
+
1434
+
1435
+<sect2>
1436
+<title>History Access Settings</title>
1437
+
1438
+  <para>Options:
1439
+  <simplelist>
1440
+   <member><command>extensions.torbutton.block_thread</command></member>
1441
+   <member><command>extensions.torbutton.block_nthread</command></member>
1442
+   <member><command>extensions.torbutton.block_thwrite</command></member>
1443
+   <member><command>extensions.torbutton.block_nthwrite</command></member>
1444
+  </simplelist>
1445
+  </para>
1446
+
1447
+<para>These four settings govern the behavior of the <ulink
1448
+url="https://git.torproject.org/checkout/torbutton/master/src/components/ignore-history.js">components/ignore-history.js</ulink>
1449
+history blocker component mentioned above. By hooking the browser's view of
1450
+the history itself via the <ulink
1451
+url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2">@mozilla.org/browser/global-history;2</ulink>
1452
+and <ulink
1453
+url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/nav-history-service;1">@mozilla.org/browser/nav-history-service;1</ulink>
1454
+components, this mechanism defeats all document-based <ulink
1455
+url="http://whattheinternetknowsaboutyou.com/">history disclosure
1456
+attacks</ulink>, including <ulink
1457
+url="http://ha.ckers.org/weird/CSS-history.cgi">CSS-only attacks</ulink>.
1458
+
1459
+The component also hooks functions involved in writing history to disk via
1460
+both the <ulink
1461
+url="http://developer.mozilla.org/en/docs/Places_migration_guide#History">Places
1462
+Database</ulink> and the older Firefox 2 mechanisms.
1463
+
1464
+</para>
1465
+
1466
+<para>
1467
+This setting helps to satisfy the <link
1468
+linkend="state">State Separation</link> and <link
1469
+linkend="disk">Disk Avoidance</link> requirements.
1470
+</para>
1471
+
1472
+</sect2>
1473
+<sect2>
1474
+
1475
+<title>Clear History During Tor Toggle (optional)</title>
1476
+
1477
+<para>Option: <command>extensions.torbutton.clear_history</command></para>
1478
+
1479
+<para>This setting governs if Torbutton calls
1480
+<ulink
1481
+url="https://developer.mozilla.org/en/nsIBrowserHistory#removeAllPages.28.29">nsIBrowserHistory.removeAllPages</ulink>
1482
+and <ulink
1483
+url="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory">nsISHistory.PurgeHistory</ulink>
1484
+for each tab on Tor toggle.</para>
1485
+<para>
1486
+This setting is an optional way to help satisfy the <link
1487
+linkend="state">State Separation</link> requirement.
1488
+</para>
1489
+
1490
+</sect2>
1491
+<sect2>
1492
+
1493
+<title>Block Password+Form saving during Tor/Non-Tor</title>
1494
+
1495
+<para>Options:
1496
+  <simplelist>
1497
+  <member><command>extensions.torbutton.block_tforms</command></member>
1498
+  <member><command>extensions.torbutton.block_ntforms</command></member>
1499
+  </simplelist>
1500
+  </para>
1501
+
1502
+<para>These settings govern if Torbutton disables
1503
+<command>browser.formfill.enable</command>
1504
+and <command>signon.rememberSignons</command> during Tor and Non-Tor usage.
1505
+Since form fields can be read at any time by Javascript, this setting is a lot
1506
+more important than it seems.
1507
+</para>
1508
+
1509
+<para>
1510
+This setting helps to satisfy the <link
1511
+linkend="state">State Separation</link> and <link
1512
+linkend="disk">Disk Avoidance</link> requirements.
1513
+</para>
1514
+
1515
+</sect2>
1516
+<sect2>
1517
+  <title>Block Tor disk cache and clear all cache on Tor Toggle</title>
1518
+
1519
+  <para>Option: <command>extensions.torbutton.clear_cache</command>
1520
+  </para>
1521
+
1522
+<para>This option causes Torbutton to call <ulink
1523
+url="https://developer.mozilla.org/en/nsICacheService#evictEntries.28.29">nsICacheService.evictEntries(0)</ulink>
1524
+on Tor toggle to remove all entries from the cache. In addition, this setting
1525
+causes Torbutton to set <ulink
1526
+url="http://kb.mozillazine.org/Browser.cache.disk.enable">browser.cache.disk.enable</ulink> to false.
1527
+</para>
1528
+<para>
1529
+This setting helps to satisfy the <link
1530
+linkend="state">State Separation</link> and <link
1531
+linkend="disk">Disk Avoidance</link> requirements.
1532
+</para>
1533
+
1534
+</sect2>
1535
+<sect2>
1536
+  <title>Block disk and memory cache during Tor</title>
1537
+
1538
+<para>Option: <command>extensions.torbutton.block_cache</command></para>
1539
+
1540
+<para>This setting
1541
+causes Torbutton to set <ulink
1542
+url="http://kb.mozillazine.org/Browser.cache.memory.enable">browser.cache.memory.enable</ulink>,
1543
+<ulink
1544
+url="http://kb.mozillazine.org/Browser.cache.disk.enable">browser.cache.disk.enable</ulink> and
1545
+<ulink
1546
+url="http://kb.mozillazine.org/Network.http.use-cache">network.http.use-cache</ulink> to false during tor usage.
1547
+</para>
1548
+<para>
1549
+This setting helps to satisfy the <link
1550
+linkend="state">State Separation</link> and <link
1551
+linkend="disk">Disk Avoidance</link> requirements.
1552
+</para>
1553
+
1554
+</sect2>
1555
+<sect2>
1556
+  <title>Clear Cookies on Tor Toggle</title>
1557
+
1558
+<para>Option: <command>extensions.torbutton.clear_cookies</command>
1559
+  </para>
1560
+
1561
+<para>
1562
+
1563
+This setting causes Torbutton to call <ulink
1564
+url="https://developer.mozilla.org/en/nsICookieManager#removeAll.28.29">nsICookieManager.removeAll()</ulink> on
1565
+every Tor toggle. In addition, this sets <ulink
1566
+url="http://kb.mozillazine.org/Network.cookie.lifetimePolicy">network.cookie.lifetimePolicy</ulink>
1567
+to 2 for Tor usage, which causes all cookies to be demoted to session cookies,
1568
+which prevents them from being written to disk. 
1569
+
1570
+</para>
1571
+<para>
1572
+This setting helps to satisfy the <link
1573
+linkend="state">State Separation</link> and <link
1574
+linkend="disk">Disk Avoidance</link> requirements.
1575
+</para>
1576
+
1577
+</sect2>
1578
+<sect2>
1579
+  
1580
+  <title>Store Non-Tor cookies in a protected jar</title>
1581
+
1582
+<para>Option: <command>extensions.torbutton.cookie_jars</command>
1583
+  </para>
1584
+
1585
+<para>
1586
+
1587
+This setting causes Torbutton to use <ulink
1588
+url="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js">@torproject.org/cookie-jar-selector;2</ulink> to store
1589
+non-tor cookies in a cookie jar during Tor usage, and clear the Tor cookies
1590
+before restoring the jar.
1591
+</para>
1592
+<para>
1593
+This setting also sets <ulink
1594
+url="http://kb.mozillazine.org/Network.cookie.lifetimePolicy">network.cookie.lifetimePolicy</ulink>
1595
+to 2 for Tor usage, which causes all cookies to be demoted to session cookies,
1596
+which prevents them from being written to disk. 
1597
+
1598
+</para>
1599
+
1600
+<para>
1601
+This setting helps to satisfy the <link
1602
+linkend="state">State Separation</link> and <link
1603
+linkend="disk">Disk Avoidance</link> requirements.
1604
+</para>
1605
+
1606
+
1607
+</sect2>
1608
+<sect2>
1609
+
1610
+  <title>Store both Non-Tor and Tor cookies in a protected jar (dangerous)</title>
1611
+
1612
+<para>Option: <command>extensions.torbutton.dual_cookie_jars</command>
1613
+  </para>
1614
+
1615
+<para>
1616
+
1617
+This setting causes Torbutton to use <ulink
1618
+url="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js">@torproject.org/cookie-jar-selector;2</ulink> to store
1619
+both Tor and Non-Tor cookies into protected jars.
1620
+</para>
1621
+
1622
+<para>
1623
+This setting helps to satisfy the <link
1624
+linkend="state">State Separation</link> requirement.
1625
+</para>
1626
+
1627
+
1628
+</sect2>
1629
+
1630
+
1631
+<sect2>
1632
+
1633
+  <title>Manage My Own Cookies (dangerous)</title>
1634
+
1635
+<para>Options: None</para>
1636
+<para>This setting disables all Torbutton cookie handling by setting the above
1637
+cookie prefs all to false.</para>
1638
+</sect2>
1639
+<sect2>
1640
+
1641
+<sect2>
1642
+  <title>Do not write Tor/Non-Tor cookies to disk</title>
1643
+  <para>Options:
1644
+  <simplelist>
1645
+  <member><command>extensions.torbutton.tor_memory_jar</command></member>
1646
+  <member><command>extensions.torbutton.nontor_memory_jar</command></member>
1647
+  </simplelist>
1648
+  </para>
1649
+
1650
+<para>
1651
+These settings (contributed by arno) cause Torbutton to set <ulink
1652
+url="http://kb.mozillazine.org/Network.cookie.lifetimePolicy">network.cookie.lifetimePolicy</ulink>
1653
+to 2 during the appropriate Tor state, and to store cookies acquired in that
1654
+state into a Javascript
1655
+<ulink
1656
+url="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Processing_XML_with_E4X">E4X</ulink>
1657
+object as opposed to writing them to disk.
1658
+</para>
1659
+
1660
+<para>
1661
+This allows Torbutton to provide an option to preserve a user's 
1662
+cookies while still satisfying the <link linkend="disk">Disk Avoidance</link>
1663
+requirement.
1664
+</para>
1665
+</sect2>
1666
+
1667
+
1668
+  <title>Disable DOM Storage during Tor usage (crucial)</title>
1669
+
1670
+<para>Option: <command>extensions.torbutton.disable_domstorage</command>
1671
+  </para>
1672
+
1673
+<para>
1674
+
1675
+This setting causes Torbutton to toggle <command>dom.storage.enabled</command> during Tor
1676
+usage to prevent 
1677
+<ulink
1678
+  url="http://developer.mozilla.org/en/docs/DOM:Storage">DOM Storage</ulink> from
1679
+  being used to store persistent information across Tor states.</para>
1680
+<para>
1681
+This setting helps to satisfy the <link
1682
+linkend="state">State Separation</link> requirement.
1683
+</para>
1684
+
1685
+</sect2>
1686
+
1687
+<sect2>
1688
+  <title>Clear HTTP Auth on Tor Toggle (recommended)</title>
1689
+<para>Option: <command>extensions.torbutton.clear_http_auth</command>
1690
+  </para>
1691
+
1692
+<para>
1693
+This setting causes Torbutton to call <ulink
1694
+url="http://www.oxymoronical.com/experiments/apidocs/interface/nsIHttpAuthManager">nsIHttpAuthManager.clearAll()</ulink>
1695
+every time Tor is toggled.
1696
+</para>
1697
+
1698
+<para>
1699
+This setting helps to satisfy the <link
1700
+linkend="state">State Separation</link> requirement.
1701
+</para>
1702
+</sect2>
1703
+
1704
+<sect2>
1705
+
1706
+  <title>Clear cookies on Tor/Non-Tor shutdown</title>
1707
+
1708
+<para>Option: <command>extensions.torbutton.shutdown_method</command>
1709
+  </para>
1710
+
1711
+<para> This option variable can actually take 3 values: 0, 1, and 2. 0 means no
1712
+cookie clearing, 1 means clear only during Tor-enabled shutdown, and 2 means
1713
+clear for both Tor and Non-Tor shutdown. When set to 1 or 2, Torbutton listens
1714
+for the <ulink
1715
+url="http://developer.mozilla.org/en/docs/Observer_Notifications#Application_shutdown">quit-application-granted</ulink> event in
1716
+<function>torbutton_uninstall_observer()</function> and use <ulink
1717
+url="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js">@torproject.org/cookie-jar-selector;2</ulink>
1718
+to clear out all cookies and all cookie jars upon shutdown.  </para>
1719
+<para>
1720
+This setting helps to satisfy the <link
1721
+linkend="state">State Separation</link> requirement.
1722
+</para>
1723
+
1724
+
1725
+</sect2>
1726
+<sect2>
1727
+
1728
+  <title>Reload cookie jar/clear cookies on Firefox crash</title>
1729
+  <para>Options:
1730
+  <simplelist>
1731
+    <member><command>extensions.torbutton.reload_crashed_jar</command></member>
1732
+    <member><command>extensions.torbutton.crashed</command></member>
1733
+  </simplelist>
1734
+  </para>
1735
+
1736
+  <para>This is no longer a user visible option, and is enabled by default. In
1737
+the event of a crash, the Torbutton <ulink
1738
+url="https://git.torproject.org/checkout/torbutton/master/src/components/crash-observer.js">components/crash-observer.js</ulink> 
1739
+  component will notify the Chrome (via the
1740
+  <command>extensions.torbutton.crashed</command> pref and a <ulink
1741
+url="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29">pref
1742
+observer</ulink> in
1743
+the chrome that listens for this update), and Torbutton will load the
1744
+  correct jar for the current Tor state via the <ulink
1745
+url="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js">@torproject.org/cookie-jar-selector;2</ulink>
1746
+  component.</para>
1747
+
1748
+<para>
1749
+This setting helps to satisfy the <link
1750
+linkend="state">State Separation</link> requirement in the event of Firefox
1751
+crashes.
1752
+</para>
1753
+
1754
+</sect2>
1755
+
1756
+
1757
+<sect2>
1758
+  <title>On crash recovery or session restored startup, restore via: Tor, Non-Tor</title>
1759
+  <para>Options:
1760
+  <simplelist>
1761
+   <member><command>extensions.torbutton.restore_tor</command></member>
1762
+   <member><command>extensions.torbutton.crashed</command></member>
1763
+   <member><command>extensions.torbutton.normal_exit</command></member>
1764
+  </simplelist>
1765
+  </para>
1766
+
1767
+  <para>This option works with the Torbutton <ulink
1768
+url="https://git.torproject.org/checkout/torbutton/master/src/components/crash-observer.js">crash-observer.js</ulink> 
1769
+  to set the Tor state after a crash is detected (via the 
1770
+  <command>extensions.torbutton.crashed</command> pref). To confirm for
1771
+false positives (such as session restore failures, upgrade, normal
1772
+session restore, etc), Torbutton also sets the pref
1773
+extensions.torbutton.normal_exit in torbutton_uninstall_observer() during 
1774
+Firefox exit and checks this value as well during startup.  
1775
+</para>
1776
+<para>
1777
+
1778
+Since the Tor state after a Firefox crash is unknown/indeterminate, this
1779
+setting helps to satisfy the <link linkend="state">State Separation</link>
1780
+requirement in the event of Firefox crashes by ensuring all cookies,
1781
+settings and saved sessions are reloaded from a fixed Tor state.
1782
+ 
1783
+</para>
1784
+</sect2>
1785
+
1786
+<sect2>
1787
+  <title>On normal startup, set state to: Tor, Non-Tor, Shutdown State</title>
1788
+
1789
+  <para>Options:
1790
+  <simplelist>
1791
+   <member><command>extensions.torbutton.startup_state</command></member>
1792
+  <member><command>extensions.torbutton.noncrashed</command></member>
1793
+   <member><command>extensions.torbutton.normal_exit</command></member>
1794
+  </simplelist>
1795
+  </para>
1796
+
1797
+  <para>This option also works with the Torbutton <ulink
1798
+url="https://git.torproject.org/checkout/torbutton/master/src/components/crash-observer.js">crash-observer.js</ulink> 
1799
+  to set the Tor state after a normal startup is detected (via the 
1800
+  <command>extensions.torbutton.noncrashed</command> pref). To confirm for
1801
+false positives
1802
+(such as session restore failures, etc), Torbutton also sets the pref
1803
+extensions.torbutton.normal_exit in torbutton_uninstall_observer() during
1804
+Firefox exit and checks this value as well during startup.
1805
+  
1806
+</para>
1807
+
1808
+</sect2>
1809
+
1810
+<sect2>
1811
+  <title>Prevent session store from saving Non-Tor/Tor-loaded tabs</title>
1812
+
1813
+  <para>Options: 
1814
+  <simplelist>
1815
+    <member><command>extensions.torbutton.nonontor_sessionstore</command></member>
1816
+    <member><command>extensions.torbutton.notor_sessionstore</command></member>
1817
+  </simplelist>
1818
+  </para>
1819
+
1820
+  <para>If these options are enabled, the <ulink
1821
+url="https://git.torproject.org/checkout/torbutton/master/src/components/nsSessionStore3.js">replacement nsSessionStore.js</ulink>
1822
+  component checks the <command>__tb_tor_fetched</command> tag of tabs before writing them
1823
+  out. If the tag is from a blocked Tor state, the tab is not written to disk.
1824
+  </para>
1825
+<para>
1826
+This setting helps to satisfy the <link linkend="disk">Disk Avoidance</link>
1827
+requirement, and also helps to satisfy the <link
1828
+linkend="state">State Separation</link> requirement in the event of Firefox
1829
+crashes.
1830
+
1831
+</para>
1832
+
1833
+</sect2>
1834
+
1835
+<sect2>
1836
+
1837
+  <title>Set user agent during Tor usage (crucial)</title>
1838
+  <para>Options:
1839
+   <simplelist>
1840
+    <member><command>extensions.torbutton.set_uagent</command></member>
1841
+    <member><command>extensions.torbutton.platform_override</command></member>
1842
+    <member><command>extensions.torbutton.oscpu_override</command></member>
1843
+    <member><command>extensions.torbutton.buildID_override</command></member>
1844
+    <member><command>extensions.torbutton.productsub_override</command></member>
1845
+    <member><command>extensions.torbutton.appname_override</command></member>
1846
+    <member><command>extensions.torbutton.appversion_override</command></member>
1847
+    <member><command>extensions.torbutton.useragent_override</command></member>
1848
+    <member><command>extensions.torbutton.useragent_vendor</command></member>
1849
+    <member><command>extensions.torbutton.useragent_vendorSub</command></member>
1850
+  </simplelist>
1851
+   </para>
1852
+
1853
+<para>On face, user agent switching appears to be straight-forward in Firefox.
1854
+It provides several options for controlling the browser user agent string:
1855
+<command>general.appname.override</command>,
1856
+<command>general.appversion.override</command>,
1857
+<command>general.platform.override</command>,
1858
+<command>general.oscpu.override</command>,
1859
+<command>general.productSub.override</command>,
1860
+<command>general.buildID.override</command>,
1861
+<command>general.useragent.override</command>,
1862
+<command>general.useragent.vendor</command>, and
1863
+<command>general.useragent.vendorSub</command>. If
1864
+the Torbutton preference <command>extensions.torbutton.set_uagent</command> is
1865
+true, Torbutton copies all of the other above prefs into their corresponding
1866
+browser preferences during Tor usage.</para>
1867
+
1868
+
1869
+<para>
1870
+
1871
+It also turns out that it is possible to detect the original Firefox version
1872
+by <ulink url="http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/">inspecting
1873
+certain resource:// files</ulink>. These cases are handled by Torbutton's
1874
+<link linkend="contentpolicy">content policy</link>.
1875
+
1876
+</para>
1877
+
1878
+<para>
1879
+This setting helps to satisfy the <link
1880
+linkend="setpreservation">Anonymity Set Preservation</link> requirement.
1881
+</para>
1882
+
1883
+
1884
+</sect2>
1885
+<sect2>
1886
+
1887
+  <title>Spoof US English Browser</title>
1888
+<para>Options:
1889
+<simplelist>
1890
+ <member><command>extensions.torbutton.spoof_english</command></member>
1891
+ <member><command>extensions.torbutton.spoof_charset</command></member>
1892
+ <member><command>extensions.torbutton.spoof_language</command></member>
1893
+</simplelist>
1894
+</para>
1895
+
1896
+<para> This option causes Torbutton to set
1897
+<command>general.useragent.locale</command>
1898
+<command>intl.accept_languages</command> to the value specified in
1899
+<command>extensions.torbutton.spoof_locale</command>,
1900
+<command>extensions.torbutton.spoof_charset</command> and
1901
+<command>extensions.torbutton.spoof_language</command> during Tor usage, as
1902
+well as hooking <command>navigator.language</command> via its <link
1903
+linkend="jshooks">javascript hooks</link>.
1904
+ </para>
1905
+<para>
1906
+This setting helps to satisfy the <link
1907
+linkend="setpreservation">Anonymity Set Preservation</link> and <link
1908
+linkend="location">Location Neutrality</link> requirements.
1909
+</para>
1910
+
1911
+</sect2>
1912
+<sect2>
1913
+
1914
+  <title>Don't send referrer during Tor Usage</title>
1915
+
1916
+<para>Option: <command>extensions.torbutton.disable_referer</command>
1917
+</para>
1918
+
1919
+<para> 
1920
+This option causes Torbutton to set <ulink
1921
+url="http://kb.mozillazine.org/Network.http.sendSecureXSiteReferrer">network.http.sendSecureXSiteReferrer</ulink> and
1922
+<ulink
1923
+url="http://kb.mozillazine.org/Network.http.sendRefererHeader">network.http.sendRefererHeader</ulink> during Tor usage.</para>
1924
+
1925
+<para>
1926
+This setting also does not directly satisfy any Torbutton requirement, but
1927
+some may desire to mask their referrer for general privacy concerns.
1928
+</para>
1929
+</sect2>
1930
+
1931
+<sect2>
1932
+
1933
+  <title>Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)</title>
1934
+
1935
+<para>Options:
1936
+<simplelist>
1937
+ <member><command>extensions.torbutton.jar_certs</command></member>
1938
+ <member><command>extensions.torbutton.jar_ca_certs</command></member>
1939
+</simplelist>
1940
+</para>
1941
+<para>
1942
+
1943
+These settings govern if Torbutton attempts to isolate the user's SSL
1944
+certificates into separate jars for each Tor state. This isolation is
1945
+implemented in <function>torbutton_jar_certs()</function> in <ulink
1946
+url="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js">chrome/content/torbutton.js</ulink>,
1947
+which calls <function>torbutton_jar_cert_type()</function> and
1948
+<function>torbutton_unjar_cert_type()</function> for each certificate type in
1949
+the <ulink
1950
+url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/nsscertcache;1">@mozilla.org/security/nsscertcache;1</ulink>.
1951
+Certificates are deleted from and imported to the <ulink
1952
+url="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/x509certdb;1">@mozilla.org/security/x509certdb;1</ulink>.
1953
+</para>
1954
+
1955
+<para>
1956
+The first time this pref is used, a backup of the user's certificates is
1957
+created in their profile directory under the name
1958
+<filename>cert8.db.bak</filename>. This file can be copied back to
1959
+<filename>cert8.db</filename> to fully restore the original state of the
1960
+user's certificates in the event of any error.
1961
+</para>
1962
+
1963
+<para>
1964
+Since exit nodes and malicious sites can insert content elements sourced to
1965
+specific SSL sites to query if a user has a certain certificate,
1966
+this setting helps to satisfy the <link linkend="state">State
1967
+Separation</link> requirement of Torbutton. Unfortunately, <ulink
1968
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=435159">Firefox Bug
1969
+435159</ulink> prevents it from functioning correctly in the event of rapid Tor toggle, so it
1970
+is currently not exposed via the preferences UI.
1971
+
1972
+</para>
1973
+
1974
+</sect2>
1975
+</sect1>
1976
+
1977
+<sect1 id="FirefoxBugs">
1978
+  <title>Relevant Firefox Bugs</title>
1979
+  <para>
1980
+
1981
+  </para>
1982
+  <sect2 id="FirefoxSecurity">
1983
+   <title>Bugs impacting security</title>
1984
+   <para>
1985
+
1986
+Torbutton has to work around a number of Firefox bugs that impact its
1987
+security. Most of these are mentioned elsewhere in this document, but they
1988
+have also been gathered here for reference. Several of these have fixes in
1989
+Firefox3.0/trunk, but are listed because they still have not been backported
1990
+to FF2.0. In order of decreasing severity, they are:
1991
+
1992
+   </para>
1993
+   <orderedlist>
1994
+
1995
+   <listitem><ulink
1996
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=392274">Bug 392274 - Timezone
1997
+config/chrome API</ulink>
1998
+   <para>
1999
+
2000
+The lack of a config or API to configure the timezone requires Torbutton to
2001
+<link linkend="jshooks">insert client content window javascript</link> to hook
2002
+the Date object. Additionally, a way to <ulink
2003
+url="http://pseudo-flaw.net/tor/torbutton/unmask-date.html">remove the Date
2004
+hooks</ulink> was discovered by Greg Fleischer. Worse, on Firefox 3,
2005
+javascript sandboxing prevents most of the javascript hooks from being
2006
+installed, including the Date hooks. On Windows and Linux, you can set the TZ
2007
+environment variable to "UTC" as a workaround. Firefox will obey this
2008
+environment variable for your Timezone on those platforms, but on Windows this
2009
+does not take effect until browser restart. A fix for this has landed in
2010
+Firefox 3.5, but still has not been backported to Firefox 3.0. The lack of an
2011
+easy way to reliably spoof the timezone interferes with Torbutton's ability to
2012
+fulfill its <link linkend="location">Location Neutrality</link> requirement.
2013
+
2014
+
2015
+   </para>
2016
+   </listitem>
2017
+<!--
2018
+FIXME: This one is fixed, but we need to make use of the new API in FF3.5
2019
+
2020
+     <listitem><ulink
2021
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=436250">Bug 436250 - Livemarks can't be
2022
+disabled at runtime</ulink>
2023
+      <para>
2024
+
2025
+The RSS Feed based "Livemarks"/"Live Bookmarks" update frequency is controlled
2026
+by the pref <command>browser.bookmarks.livemark_refresh_seconds</command>.
2027
+However, changing this preference does not cancel any pending timers, which
2028
+means that at least one livemarks pref fetch will happen over Tor, and once
2029
+this pref is set to disable livemarks for Tor, changing it back will never
2030
+cause the service to start back up again. The
2031
+leakage of Livemarks interferes with Torbutton's ability to fulfill
2032
+the <link linkend="isolation">Network Isolation</link> requirement.
2033
+
2034
+      </para>
2035
+     </listitem>
2036
+-->
2037
+
2038
+     <listitem><ulink
2039
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=435159">Bug 435159 -
2040
+nsNSSCertificateDB::DeleteCertificate has race conditions</ulink>
2041
+      <para>
2042
+
2043
+In Torbutton 1.2.0rc1, code was added to attempt to isolate SSL certificates
2044
+the user has installed. Unfortunately, the method call to delete a certificate
2045
+from the current certificate database acts lazily: it only sets a variable
2046
+that marks a cert for deletion later, and it is not cleared if that
2047
+certificate is re-added. This means that if the Tor state is toggled quickly,
2048
+that certificate could remain present until it is re-inserted (causing an
2049
+error dialog), and worse, it would still be deleted after that.  The lack of
2050
+this functionality is considered a Torbutton security bug because cert
2051
+isolation is considered a <link linkend="state">State Separation</link>
2052
+feature.
2053
+
2054
+      </para>
2055
+     </listitem>
2056
+
2057
+     <listitem><ulink
2058
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=409737">Bug 409737 -
2059
+javascript.enabled and docShell.allowJavascript do not disable all event
2060
+handlers</ulink>
2061
+     <para>
2062
+
2063
+This bug allows pages to execute javascript via addEventListener and perhaps
2064
+other callbacks. In order to prevent this bug from enabling an attacker to
2065
+break the <link linkend="isolation">Network Isolation</link> requirement,
2066
+Torbutton 1.1.13 began blocking popups and history manipulation from different
2067
+Tor states.  So long as there are no ways to open popups or redirect the user
2068
+to a new page, the <link linkend="contentpolicy">Torbutton content
2069
+policy</link> should block Javascript network access. However, if there are
2070
+ways to open popups or perform redirects such that Torbutton cannot block
2071
+them, pages may still have free reign to break that requirement and reveal a
2072
+user's original IP address.
2073
+
2074
+     </para>
2075
+     </listitem>
2076
+     <listitem><ulink
2077
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=448743">Bug 448743 -
2078
+Decouple general.useragent.locale from spoofing of navigator.language</ulink>
2079
+     <para>
2080
+
2081
+Currently, Torbutton spoofs the <command>navigator.language</command>
2082
+attribute via <link linkend="jshooks">Javascript hooks</link>. Unfortunately,
2083
+these do not work on Firefox 3. It would be ideal to have
2084
+a pref to set this value (something like a
2085
+<command>general.useragent.override.locale</command>),
2086
+to avoid fragmenting the anonymity set of users of foreign locales. This issue
2087
+impedes Torbutton from fully meeting its <link
2088
+linkend="setpreservation">Anonymity Set Preservation</link>
2089
+requirement on Firefox 3.
2090
+
2091
+     </para>
2092
+     </listitem>
2093
+    </orderedlist>
2094
+  </sect2>
2095
+  <sect2 id="FirefoxWishlist">
2096
+   <title>Bugs blocking functionality</title>
2097
+   <para>
2098
+The following bugs impact Torbutton and similar extensions' functionality.
2099
+   </para>
2100
+
2101
+    <orderedlist>
2102
+   <listitem><ulink
2103
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=445696">Bug 445696 -
2104
+Extensions cannot determine if firefox is fullScreen</ulink>
2105
+   <para>
2106
+
2107
+The windowState property of <ulink
2108
+url="https://developer.mozilla.org/en/XUL/window">ChromeWindows</ulink> does not accurately reflect the true
2109
+state of the window in some cases on Linux. This causes Torbutton to attempt
2110
+to resize maximized and minimized windows when it should not.
2111
+
2112
+   </para>
2113
+   </listitem>
2114
+   <listitem><ulink
2115
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=290456">Bug 290456 -
2116
+Block/clear Flash MX "cookies" as well</ulink>
2117
+   <para>
2118
+
2119
+Today, it is possible to allow plugins if you have a transparent proxy such as
2120
+<ulink url="http://anonymityanywhere.com/incognito/">Incognito</ulink> to prevent proxy bypass. However, flash cookies can still be used to
2121
+link your Tor and Non-Tor activity, and this reveal your IP to an adversary
2122
+that does so. This can be solved by manually removing your flash cookies (like
2123
+<ulink
2124
+url="https://addons.mozilla.org/en-US/firefox/addon/6623">BetterPrivacy</ulink> does), but
2125
+it would be nice if there was a standard way to do this from a Firefox API.
2126
+
2127
+   </para>
2128
+   </listitem>
2129
+   <listitem><ulink
2130
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=417869">Bug 417869 -
2131
+Browser context is difficult to obtain from many XPCOM callbacks</ulink>
2132
+   <para>
2133
+
2134
+It is difficult to determine which tabbrowser many XPCOM callbacks originate
2135
+from, and in some cases absolutely no context information is provided at all.
2136
+While this doesn't have much of an effect on Torbutton, it does make writing
2137
+extensions that would like to do per-tab settings and content filters (such as
2138
+FoxyProxy) difficult to impossible to implement securely.
2139
+
2140
+   </para>
2141
+   </listitem>
2142
+   <listitem><ulink
2143
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=418321">Bug 418321 -
2144
+Components do not expose disk interfaces</ulink>
2145
+   <para>
2146
+
2147
+Several components currently provide no way of reimplementing their disk
2148
+access to easily satisfy Torbutton's <link linkend="disk">Disk
2149
+Avoidance</link> requirements. Workarounds exist, but they are <link
2150
+linkend="sessionstore">clunky</link>, and
2151
+some of them involve disabling functionality during Tor usage.
2152
+
2153
+   </para>
2154
+   </listitem>
2155
+
2156
+<!--
2157
+FIXME: Need to use new observer methods if possible
2158
+   <listitem><ulink
2159
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=448741">Bug 448741 -
2160
+nsISessionStore uses private methods and is not extensible</ulink>
2161
+   <para>
2162
+
2163
+Similar to the above bug, in the specific case of the sessionstore component,
2164
+the API is not amenable to Contract ID hooking, and this requires that
2165
+Torbutton include modified copies of this component for Firefox 2 and 3, which
2166
+has <ulink
2167
+url="https://bugs.torproject.org/flyspray/index.php?do=details&amp;id=722">raised
2168
+objections</ulink> from some developers.
2169
+
2170
+   </para>
2171
+   </listitem>
2172
+   <listitem><ulink
2173
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=439384">Bug 439384 -
2174
+"profile-do-change" event does not cause cookie table reload</ulink>
2175
+   <para>
2176
+
2177
+In Firefox 3, the change to the new SQLlite database for cookie storage has a
2178
+bug that prevents Torbutton's cookie jaring from working properly. The
2179
+"profile-do-change" observer event no longer properly causes either a sync or
2180
+reload of the cookie database from disk after it is copied into place.
2181
+Torbutton currently works around this by issuing the SQLLite queries manually
2182
+to store and rebuild the cookie database.
2183
+
2184
+   </para>
2185
+   </listitem>
2186
+
2187
+   <listitem><ulink
2188
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=248970">Bug 248970 (PrivateBrowsing) - Private Browsing mode (global toggle for
2189
+saving/caching everything)</ulink>
2190
+   <para>
2191
+
2192
+This bug catalogs the discussion of a 'Private Mode' in Firefox that would
2193
+perform many, but not all, of the activities of Torbutton. It would be useful
2194
+to leverage the resulting setting to simplify Torbutton. This bug is listed so
2195
+we can track this progress and ensure that it doesn't end up defining
2196
+behaviors contrary to and incompatible with Torbutton's requirements (though a
2197
+subset of the <link linkend="requirements">requirements</link> is of course fine).
2198
+
2199
+   </para>
2200
+   </listitem>
2201
+-->
2202
+
2203
+
2204
+
2205
+  </orderedlist>
2206
+  </sect2>
2207
+  <sect2 id="FirefoxMiscBugs">
2208
+   <title>Low Priority Bugs</title>
2209
+   <para>
2210
+The following bugs have an effect upon Torbutton, but are superseded by more
2211
+practical and more easily fixable variant bugs above; or have stable, simple
2212
+workarounds.
2213
+  </para>
2214
+
2215
+    <orderedlist>
2216
+    <listitem><ulink
2217
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=435151">Bug 435151 - XPCSafeJSObjectWrapper breaks evalInSandbox</ulink>
2218
+     <para>
2219
+
2220
+Under Firefox 3, the XPCSafeJSObjectWrapper breaks when you try to use
2221
+constructors of classes defined from within the scope of the sandbox, among
2222
+other things. This prevents Torbutton from applying the Timezone hooks under
2223
+Firefox 3, but a better solution for Torbutton's specific date hooking needs 
2224
+would be a fix for the above mentioned Bug 392274. Of course, many more
2225
+extensions may be interested in the sandbox hooking functionality working
2226
+properly though.
2227
+
2228
+     </para>
2229
+     </listitem>
2230
+     <listitem><ulink
2231
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=440892">Bug 440892 -
2232
+network.protocol-handler.warn-external are ignored</ulink>
2233
+     <para>
2234
+
2235
+Sometime in the Firefox 3 development cycle, the preferences that governed
2236
+warning a user when external apps were launched got disconnected from the code
2237
+that does the launching. Torbutton depended on these prefs to prevent websites
2238
+from launching specially crafted documents and application arguments that
2239
+caused Proxy Bypass. We currently work around this issue by <link
2240
+linkend="appblocker">wrapping the app launching components</link> to present a
2241
+popup before launching external apps while Tor is enabled. While this works,
2242
+it would be nice if these prefs were either fixed or removed.
2243
+
2244
+     </para>
2245
+     </listitem>
2246
+    <listitem><ulink
2247
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=437014">Bug 437014 -
2248
+nsIContentPolicy::shouldLoad no longer called for favicons</ulink>
2249
+    <para>
2250
+
2251
+Firefox 3.0 stopped calling the shouldLoad call of content policy for favicon
2252
+loads. Torbutton had relied on this call to block favicon loads for opposite
2253
+Tor states. The workaround it employs for Firefox 3 is to cancel the request
2254
+when it arrives in the <command>torbutton_http_observer</command> used for
2255
+blocking full page plugin loads. This seems to work just fine, but is a bit
2256
+dirty.
2257
+
2258
+    </para>
2259
+    </listitem>
2260
+<!--
2261
+    <listitem><ulink
2262
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=437016">Bug 437016 -
2263
+nsIContentPolicy::shouldLoad not called for livemarks</ulink>
2264
+    <para>
2265
+
2266
+An alternative fix for the livemarks bug above would be to block livemarks
2267
+fetches from the content policy. Unfortunately shouldLoad is not called for
2268
+livemarks fetches.
2269
+
2270
+    </para>
2271
+    </listitem>
2272
+-->
2273
+   <listitem><ulink
2274
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=418986">Bug 418986 - window.screen
2275
+provides a large amount of identifiable information</ulink>
2276
+   <para>
2277
+
2278
+As <link linkend="fingerprinting">mentioned above</link>, a large amount of
2279
+information is available from <ulink
2280
+url="http://developer.mozilla.org/en/docs/DOM:window.screen">window.screen</ulink>.
2281
+Currently, there is no way to obscure this information without Javascript
2282
+hooking. This bug is a feature request to provide some other method to change
2283
+these values.
2284
+
2285
+   </para>
2286
+   </listitem>
2287
+ 
2288
+     <listitem><ulink
2289
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=309524">Bug 309524</ulink>
2290
+and <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=380556">Bug
2291
+380556</ulink> - nsIContentPolicy::shouldProcess is not called.
2292
+     <para>
2293
+
2294
+This is a call that would be useful to develop a better workaround for the
2295
+allowPlugins issue above. If the content policy were called before a URL was
2296
+handed over to a plugin or helper app, it would make the workaround for the
2297
+above allowPlugins bug a lot cleaner. Obviously this bug is not as severe as
2298
+the others though, but it might be nice to have this API as a backup.
2299
+
2300
+     </para>
2301
+     </listitem>
2302
+
2303
+     <listitem><ulink
2304
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=401296">Bug 401296 - docShell.allowPlugins
2305
+not honored for direct links</ulink> (Perhaps subset of <ulink
2306
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=282106">Bug 282106</ulink>?)
2307
+     <para>
2308
+
2309
+Similar to the javascript plugin disabling attribute, the plugin disabling
2310
+attribute is also not perfect &mdash; it is ignored for direct links to plugin
2311
+handled content, as well as meta-refreshes to plugin handled content.  This
2312
+requires Torbutton to listen to a number of different http events to intercept
2313
+plugin-related mime type URLs and cancel their requests. Again, since plugins
2314
+are quite horrible about obeying proxy settings, loading a plugin pretty much
2315
+ensures a way to break the <link linkend="isolation">Network Isolation</link>
2316
+requirement and reveal a user's original IP address. Torbutton's code to
2317
+perform this workaround has been subverted at least once already by Kyle
2318
+Williams.
2319
+
2320
+     </para>
2321
+     </listitem>
2322
+     <listitem><ulink
2323
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=448747">Bug 448747 -
2324
+Provide Mechanism to clear TLS Session IDs</ulink>
2325
+     <para>
2326
+
2327
+As <link linkend="browseroverlay">mentioned above</link>, Torbutton currently
2328
+toggles <command>security.enable_ssl2</command> to clear the SSL
2329
+Session ID cache via the pref observer at <ulink
2330
+url="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp#2134">nsNSSComponent.cpp
2331
+line 2134</ulink>. This is an arcane and potentially fragile fix. It would be
2332
+better if there were a more standard interface for accomplishing the same
2333
+thing.
2334
+
2335
+     </para>
2336
+     </listitem>
2337
+
2338
+   <listitem><ulink
2339
+url="https://bugzilla.mozilla.org/show_bug.cgi?id=419598">Bug 419598 - 'var
2340
+Date' is deletable</ulink>
2341
+     <para>
2342
+
2343
+Based on Page 62 of the <ulink
2344
+url="http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf">ECMA-262
2345
+Javascript spec</ulink>, it seems like it should be possible to do something
2346
+like the following to prevent the Date object from being unmasked:
2347
+<screen>
2348
+with(window) {
2349
+    var Date = fakeDate;
2350
+    var otherVariable = 42;
2351
+}
2352
+
2353
+delete window.Date; // Should fail. Instead succeeds, revealing original Date.
2354
+delete window.otherVariable; // Fails, leaving window.otherVariable set to 42.
2355
+</screen>
2356
+
2357
+From the ECMA-262 spec:
2358
+
2359
+<blockquote>
2360
+If the variable statement occurs inside a FunctionDeclaration, the variables
2361
+are defined with function-local scope in that function, as described in
2362
+s10.1.3. Otherwise, they are defined with global scope (that is, they are
2363
+created as members of the global object, as described in 10.1.3) using
2364
+property attributes { DontDelete }. Variables are created when the execution
2365
+scope is entered. A Block does not define a new execution scope. Only Program
2366
+and FunctionDeclaration produce a new scope. Variables are initialized to
2367
+undefined when created. A variable with an Initialiser is assigned the value
2368
+of its AssignmentExpression when the VariableStatement is executed, not when
2369
+the variable is created.
2370
+</blockquote>
2371
+
2372
+In fact, this is exactly how the with statement with a variable declaration
2373
+behaves <emphasis>for all other variables other than ones that shadow system
2374
+variables</emphasis>. Some variables (such as
2375
+<command>window.screen</command>, and <command>window.history</command>) can't
2376
+even be shadowed in this way, and give an error about lacking a setter. If
2377
+such shadowing were possible, it would greatly simplify the Javascript hooking
2378
+code, which currently relies on undocumented semantics of
2379
+<command>__proto__</command> to copy the original values in the event of a
2380
+delete. This <command>__proto__</command> hack unfortunately does not work for
2381
+the Date object though.
2382
+
2383
+     </para>
2384
+    </listitem>
2385
+
2386
+  </orderedlist>
2387
+  </sect2>
2388
+</sect1>
2389
+
2390
+<sect1 id="TestPlan">
2391
+  <title>Testing</title>
2392
+  <para>
2393
+
2394
+The purpose of this section is to cover all the known ways that Tor browser
2395
+security can be subverted from a penetration testing perspective. The hope
2396
+is that it will be useful both for creating a &quot;Tor Safety Check&quot;
2397
+page, and for developing novel tests and actively attacking Torbutton with the
2398
+goal of finding vulnerabilities in either it or the Mozilla components,
2399
+interfaces and settings upon which it relies.
2400
+
2401
+  </para>
2402
+  <sect2 id="SingleStateTesting">
2403
+   <title>Single state testing</title>
2404
+   <para>
2405
+
2406
+Torbutton is a complicated piece of software. During development, changes to
2407
+one component can affect a whole slough of unrelated features.  A number of
2408
+aggregated test suites exist that can be used to test for regressions in
2409
+Torbutton and to help aid in the development of Torbutton-like addons and
2410
+other privacy modifications of other browsers. Some of these test suites exist
2411
+as a single automated page, while others are a series of pages you must visit
2412
+individually. They are provided here for reference and future regression
2413
+testing, and also in the hope that some brave soul will one day decide to
2414
+combine them into a comprehensive automated test suite.
2415
+
2416
+     <orderedlist>
2417
+      <listitem><ulink url="http://decloak.net/">Decloak.net</ulink>
2418
+       <para>
2419
+
2420
+Decloak.net is the canonical source of plugin and external-application based
2421
+proxy-bypass exploits. It is a fully automated test suite maintained by <ulink
2422
+url="http://digitaloffense.net/">HD Moore</ulink> as a service for people to
2423
+use to test their anonymity systems.
2424
+
2425
+       </para>
2426
+      </listitem>
2427
+      <listitem><ulink url="http://deanonymizer.com/">Deanonymizer.com</ulink>
2428
+       <para>
2429
+
2430
+Deanonymizer.com is another automated test suite that tests for proxy bypass
2431
+and other information disclosure vulnerabilities. It is maintained by Kyle
2432
+Williams, the author of <ulink url="http://www.janusvm.com/">JanusVM</ulink>
2433
+and <ulink url="http://www.januspa.com/">JanusPA</ulink>.
2434
+
2435
+       </para>
2436
+      </listitem>
2437
+      <listitem><ulink url="https://www.jondos.de/en/anontest">JonDos
2438
+AnonTest</ulink>
2439
+       <para>
2440
+
2441
+The <ulink url="https://www.jondos.de">JonDos people</ulink> also provide an
2442
+anonymity tester. It is more focused on HTTP headers than plugin bypass, and
2443
+points out a couple of headers Torbutton could do a better job with
2444
+obfuscating.
2445
+
2446
+       </para>
2447
+      </listitem>
2448
+      <listitem><ulink url="http://browserspy.dk">Browserspy.dk</ulink>
2449
+       <para>
2450
+
2451
+Browserspy.dk provides a tremendous collection of browser fingerprinting and
2452
+general privacy tests. Unfortunately they are only available one page at a
2453
+time, and there is not really solid feedback on good vs bad behavior in
2454
+the test results.
2455
+
2456
+       </para>
2457
+      </listitem>
2458
+      <listitem><ulink url="http://analyze.privacy.net/">Privacy
2459
+Analyzer</ulink>
2460
+       <para>
2461
+
2462
+The Privacy Analyzer provides a dump of all sorts of browser attributes and
2463
+settings that it detects, including some information on your origin IP
2464
+address. Its page layout and lack of good vs bad test result feedback makes it
2465
+not as useful as a user-facing testing tool, but it does provide some
2466
+interesting checks in a single page.
2467
+
2468
+       </para>
2469
+      </listitem>
2470
+      <listitem><ulink url="http://ha.ckers.org/mr-t/">Mr. T</ulink>
2471
+       <para>
2472
+
2473
+Mr. T is a collection of browser fingerprinting and deanonymization exploits
2474
+discovered by the <ulink url="http://ha.ckers.org">ha.ckers.org</ulink> crew
2475
+and others. It is also not as user friendly as some of the above tests, but it
2476
+is a useful collection.
2477
+
2478
+       </para>
2479
+      </listitem>
2480
+      <listitem>Gregory Fleischer's <ulink
2481
+url="http://pseudo-flaw.net/content/tor/torbutton/">Torbutton</ulink> and
2482
+<ulink
2483
+url="http://pseudo-flaw.net/content/defcon/dc-17-demos/d.html">Defcon
2484
+17</ulink> Test Cases
2485
+       <para>
2486
+
2487
+Gregory Fleischer has been hacking and testing Firefox and Torbutton privacy
2488
+issues for the past 2 years. He has an excellent collection of all his test
2489
+cases that can be used for regression testing. In his Defcon work, he
2490
+demonstrates ways to infer Firefox version based on arcane browser properties.
2491
+We are still trying to determine the best way to address some of those test
2492
+cases.
2493
+
2494
+       </para>
2495
+      </listitem>
2496
+      <listitem><ulink url="https://torcheck.xenobite.eu/index.php">Xenobite's
2497
+TorCheck Page</ulink>
2498
+       <para>
2499
+
2500
+This page checks to ensure you are using a valid Tor exit node and checks for
2501
+some basic browser properties related to privacy. It is not very fine-grained
2502
+or complete, but it is automated and could be turned into something useful
2503
+with a bit of work.
2504
+
2505
+       </para>
2506
+      </listitem>
2507
+     </orderedlist>
2508
+    </para>
2509
+  </sect2>
2510
+  <sect2>
2511
+   <title>Multi-state testing</title>
2512
+   <para>
2513
+
2514
+The tests in this section are geared towards a page that would instruct the
2515
+user to toggle their Tor state after the fetch and perform some operations:
2516
+mouseovers, stray clicks, and potentially reloads.
2517
+
2518
+   </para>
2519
+   <sect3>
2520
+    <title>Cookies and Cache Correlation</title>
2521
+    <para>
2522
+The most obvious test is to set a cookie, ask the user to toggle tor, and then
2523
+have them reload the page. The cookie should no longer be set if they are
2524
+using the default Torbutton settings. In addition, it is possible to leverage
2525
+the cache to <ulink
2526
+url="http://crypto.stanford.edu/sameorigin/safecachetest.html">store unique
2527
+identifiers</ulink>. The default settings of Torbutton should also protect
2528
+against these from persisting across Tor Toggle.
2529
+
2530
+    </para>
2531
+   </sect3>
2532
+   <sect3>
2533
+    <title>Javascript timers and event handlers</title>
2534
+    <para>
2535
+
2536
+Javascript can set timers and register event handlers in the hopes of fetching
2537
+URLs after the user has toggled Torbutton. 
2538
+    </para>
2539
+   </sect3>
2540
+   <sect3>
2541
+    <title>CSS Popups and non-script Dynamic Content</title>
2542
+    <para>
2543
+
2544
+Even if Javascript is disabled, CSS is still able to 
2545
+<ulink url="http://www.tjkdesign.com/articles/css%20pop%20ups/">create popup-like
2546
+windows</ulink>
2547
+via the 'onmouseover' CSS attribute, which can cause arbitrary browser
2548
+activity as soon as the mouse enters into the content window. It is also
2549
+possible for meta-refresh tags to set timers long enough to make it likely
2550
+that the user has toggled Tor before fetching content.
2551
+
2552
+    </para>
2553
+   </sect3>
2554
+  </sect2>
2555
+  <sect2 id="HackTorbutton">
2556
+   <title>Active testing (aka How to Hack Torbutton)</title>
2557
+   <para>
2558
+
2559
+The idea behind active testing is to discover vulnerabilities in Torbutton to
2560
+bypass proxy settings, run script in an opposite Tor state, store unique
2561
+identifiers, leak location information, or otherwise violate <link
2562
+linkend="requirements">its requirements</link>. Torbutton has ventured out
2563
+into a strange and new security landscape. It depends on Firefox mechanisms
2564
+that haven't necessarily been audited for security, certainly not for the
2565
+threat model that Torbutton seeks to address. As such, it and the interfaces
2566
+it depends upon still need a 'trial by fire' typical of new technologies. This
2567
+section of the document was written with the intention of making that period
2568
+as fast as possible. Please help us get through this period by considering
2569
+these attacks, playing with them, and reporting what you find (and potentially
2570
+submitting the test cases back to be run in the standard batch of Torbutton
2571
+tests.
2572
+
2573
+   </para>
2574
+   <sect3>
2575
+    <title>Some suggested vectors to investigate</title>
2576
+    <para>
2577
+    <itemizedlist>
2578
+     <listitem>Strange ways to register Javascript <ulink
2579
+url="http://en.wikipedia.org/wiki/DOM_Events">events</ulink> and <ulink
2580
+url="http://www.devshed.com/c/a/JavaScript/Using-Timers-in-JavaScript/">timeouts</ulink> should
2581
+be verified to actually be ineffective after Tor has been toggled.</listitem>
2582
+     <listitem>Other ways to cause Javascript to be executed after
2583
+<command>javascript.enabled</command> has been toggled off.</listitem>
2584
+     <listitem>Odd ways to attempt to load plugins. Kyle Williams has had
2585
+some success with direct loads/meta-refreshes of plugin-handled URLs.</listitem>
2586
+     <listitem>The Date and Timezone hooks should be verified to work with
2587
+crazy combinations of iframes, nested iframes, iframes in frames, frames in
2588
+iframes, and popups being loaded and
2589
+reloaded in rapid succession, and/or from one another. Think race conditions and deep, 
2590
+parallel nesting, involving iframes from both <ulink
2591
+url="http://en.wikipedia.org/wiki/Same_origin_policy">same-origin and
2592
+non-same-origin</ulink> domains.</listitem>
2593
+     <listitem>In addition, there may be alternate ways and other
2594
+methods to query the timezone, or otherwise use some of the Date object's
2595
+methods in combination to deduce the timezone offset. Of course, the author
2596
+tried his best to cover all the methods he could foresee, but it's always good
2597
+to have another set of eyes try it out.</listitem>
2598
+     <listitem>Similarly, is there any way to confuse the <link
2599
+linkend="contentpolicy">content policy</link>
2600
+mentioned above to cause it to allow certain types of page fetches? For
2601
+example, it was recently discovered that favicons are not fetched by the
2602
+content, but the chrome itself, hence the content policy did not look up the
2603
+correct window to determine the current Tor tag for the favicon fetch. Are
2604
+there other things that can do this? Popups? Bookmarklets? Active bookmarks? </listitem>
2605
+     <listitem>Alternate ways to store and fetch unique identifiers. For example, <ulink
2606
+url="http://developer.mozilla.org/en/docs/DOM:Storage">DOM Storage</ulink>
2607
+caught us off guard. 
2608
+It was
2609
+also discovered by <ulink url="http://pseudo-flaw.net">Gregory
2610
+Fleischer</ulink> that <ulink
2611
+url="http://pseudo-flaw.net/content/tor/torbutton/">content window access to
2612
+chrome</ulink> can be used to build <link linkend="fingerprinting">unique
2613
+identifiers</link>. 
2614
+Are there any other
2615
+arcane or experimental ways that Firefox provides to create and store unique
2616
+identifiers? Or perhaps unique identifiers can be queried or derived from
2617
+properties of the machine/browser that Javascript has access to? How unique
2618
+can these identifiers be?
2619
+     </listitem>
2620
+     <listitem>Is it possible to get the browser to write some history to disk
2621
+(aside from swap) that can be retrieved later? By default, Torbutton should
2622
+write no history, cookie, or other browsing activity information to the
2623
+harddisk.</listitem>
2624
+     <listitem>Do popup windows make it easier to break any of the above
2625
+behavior? Are javascript events still canceled in popups? What about recursive
2626
+popups from Javascript, data, and other funky URL types? What about CSS
2627
+popups? Are they still blocked after Tor is toggled?</listitem>
2628
+     <listitem>Chrome-escalation attacks. The interaction between the
2629
+Torbutton chrome Javascript and the client content window javascript is pretty
2630
+well-defined and carefully constructed, but perhaps there is a way to smuggle
2631
+javascript back in a return value, or otherwise inject network-loaded
2632
+javascript into the chrome (and thus gain complete control of the browser).
2633
+</listitem>
2634
+</itemizedlist>
2635
+
2636
+    </para>
2637
+   </sect3>
2638
+  </sect2>
2639
+</sect1>
2640
+</article>
... ...
@@ -0,0 +1,1434 @@
1
+<?xml version="1.0" encoding="UTF-8"?>
2
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Torbutton Design Documentation</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="Torbutton Design Documentation"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>Torbutton Design Documentation</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry.fscked/org">mikeperry.fscked/org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Dec 15 2009</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2510984">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt><dt><span class="sect2"><a href="#requirements">1.2. Torbutton Requirements</a></span></dt><dt><span class="sect2"><a href="#layout">1.3. Extension Layout</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2541734">2. Components</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2509118">2.1. Hooked Components</a></span></dt><dt><span class="sect2"><a href="#id2513073">2.2. New Components</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2511168">3. Chrome</a></span></dt><dd><dl><dt><span class="sect2"><a href="#browseroverlay">3.1. Browser Overlay - torbutton.xul</a></span></dt><dt><span class="sect2"><a href="#id2521151">3.2. Preferences Window - preferences.xul</a></span></dt><dt><span class="sect2"><a href="#id2524897">3.3. Other Windows</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2538737">4. Toggle Code Path</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2519814">4.1. Button Click</a></span></dt><dt><span class="sect2"><a href="#id2519526">4.2. Proxy Update</a></span></dt><dt><span class="sect2"><a href="#id2504564">4.3. Settings Update</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2519462">5. Description of Options</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id2542642">5.1. Test Settings</a></span></dt><dt><span class="sect2"><a href="#plugins">5.2. Disable plugins on Tor Usage (crucial)</a></span></dt><dt><span class="sect2"><a href="#id2536168">5.3. Isolate Dynamic Content to Tor State (crucial)</a></span></dt><dt><span class="sect2"><a href="#jshooks">5.4. Hook Dangerous Javascript</a></span></dt><dt><span class="sect2"><a href="#id2530601">5.5. Resize windows to multiples of 50px during Tor usage (recommended)</a></span></dt><dt><span class="sect2"><a href="#id2513266">5.6. Disable Updates During Tor</a></span></dt><dt><span class="sect2"><a href="#id2505201">5.7. Disable Search Suggestions during Tor (recommended)</a></span></dt><dt><span class="sect2"><a href="#id2505239">5.8. Disable livemarks updates during Tor usage (recommended)</a></span></dt><dt><span class="sect2"><a href="#id2505311">5.9. Block Tor/Non-Tor access to network from file:// urls (recommended)</a></span></dt><dt><span class="sect2"><a href="#id2505383">5.10. Close all Tor/Non-Tor tabs and windows on toggle (optional)</a></span></dt><dt><span class="sect2"><a href="#id2505464">5.11. Isolate Access to History navigation to Tor state (crucial)</a></span></dt><dt><span class="sect2"><a href="#id2505548">5.12. History Access Settings</a></span></dt><dt><span class="sect2"><a href="#id2505661">5.13. Clear History During Tor Toggle (optional)</a></span></dt><dt><span class="sect2"><a href="#id2505706">5.14. Block Password+Form saving during Tor/Non-Tor</a></span></dt><dt><span class="sect2"><a href="#id2547259">5.15. Block Tor disk cache and clear all cache on Tor Toggle</a></span></dt><dt><span class="sect2"><a href="#id2547309">5.16. Block disk and memory cache during Tor</a></span></dt><dt><span class="sect2"><a href="#id2547362">5.17. Clear Cookies on Tor Toggle</a></span></dt><dt><span class="sect2"><a href="#id2547413">5.18. Store Non-Tor cookies in a protected jar</a></span></dt><dt><span class="sect2"><a href="#id2547469">5.19. Store both Non-Tor and Tor cookies in a protected jar (dangerous)</a></span></dt><dt><span class="sect2"><a href="#id2547508">5.20. Manage My Own Cookies (dangerous)</a></span></dt><dt><span class="sect2"><a href="#id2547523">5.21. Disable DOM Storage during Tor usage (crucial)</a></span></dt><dt><span class="sect2"><a href="#id2547627">5.22. Clear HTTP Auth on Tor Toggle (recommended)</a></span></dt><dt><span class="sect2"><a href="#id2547664">5.23. Clear cookies on Tor/Non-Tor shutdown</a></span></dt><dt><span class="sect2"><a href="#id2547718">5.24. Reload cookie jar/clear cookies on Firefox crash</a></span></dt><dt><span class="sect2"><a href="#id2547794">5.25. On crash recovery or session restored startup, restore via: Tor, Non-Tor</a></span></dt><dt><span class="sect2"><a href="#id2547866">5.26. On normal startup, set state to: Tor, Non-Tor, Shutdown State</a></span></dt><dt><span class="sect2"><a href="#id2547925">5.27. Prevent session store from saving Non-Tor/Tor-loaded tabs</a></span></dt><dt><span class="sect2"><a href="#id2547990">5.28. Set user agent during Tor usage (crucial)</a></span></dt><dt><span class="sect2"><a href="#id2548164">5.29. Spoof US English Browser</a></span></dt><dt><span class="sect2"><a href="#id2548257">5.30. Don't send referrer during Tor Usage</a></span></dt><dt><span class="sect2"><a href="#id2548297">5.31. Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)</a></span></dt></dl></dd><dt><span class="sect1"><a href="#FirefoxBugs">6. Relevant Firefox Bugs</a></span></dt><dd><dl><dt><span class="sect2"><a href="#FirefoxSecurity">6.1. Bugs impacting security</a></span></dt><dt><span class="sect2"><a href="#FirefoxWishlist">6.2. Bugs blocking functionality</a></span></dt><dt><span class="sect2"><a href="#FirefoxMiscBugs">6.3. Low Priority Bugs</a></span></dt></dl></dd><dt><span class="sect1"><a href="#TestPlan">7. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">7.1. Single state testing</a></span></dt><dt><span class="sect2"><a href="#id2549304">7.2. Multi-state testing</a></span></dt><dt><span class="sect2"><a href="#HackTorbutton">7.3. Active testing (aka How to Hack Torbutton)</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2510984"></a>1. Introduction</h2></div></div></div><p>
4
+
5
+This document describes the goals, operation, and testing procedures of the
6
+Torbutton Firefox extension. It is current as of Torbutton 1.2.4.
7
+
8
+  </p><div class="sect2" title="1.1. Adversary Model"><div class="titlepage"><div><div><h3 class="title"><a id="adversary"></a>1.1. Adversary Model</h3></div></div></div><p>
9
+
10
+A Tor web browser adversary has a number of goals, capabilities, and attack
11
+types that can be used to guide us towards a set of requirements for the
12
+Torbutton extension. Let's start with the goals.
13
+
14
+   </p><div class="sect3" title="Adversary Goals"><div class="titlepage"><div><div><h4 class="title"><a id="adversarygoals"></a>Adversary Goals</h4></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of 
15
+Tor, causing the user to directly connect to an IP of the adversary's
16
+choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely
17
+happily settle for the ability to correlate something a user did via Tor with
18
+their non-Tor activity. This can be done with cookies, cache identifiers,
19
+javascript events, and even CSS. Sometimes the fact that a user uses Tor may
20
+be enough for some authorities.</p></li><li class="listitem"><span class="command"><strong>History disclosure</strong></span><p>
21
+The adversary may also be interested in history disclosure: the ability to
22
+query a user's history to see if they have issued certain censored search
23
+queries, or visited censored sites.
24
+     </p></li><li class="listitem"><span class="command"><strong>Location information</strong></span><p>
25
+
26
+Location information such as timezone and locality can be useful for the
27
+adversary to determine if a user is in fact originating from one of the
28
+regions they are attempting to control, or to zero-in on the geographical
29
+location of a particular dissident or whistleblower.
30
+
31
+     </p></li><li class="listitem"><span class="command"><strong>Miscellaneous anonymity set reduction</strong></span><p>
32
+
33
+Anonymity set reduction is also useful in attempting to zero in on a
34
+particular individual. If the dissident or whistleblower is using a rare build
35
+of Firefox for an obscure operating system, this can be very useful
36
+information for tracking them down, or at least <a class="link" href="#fingerprinting">tracking their activities</a>.
37
+
38
+     </p></li><li class="listitem"><span class="command"><strong>History records and other on-disk
39
+information</strong></span><p>
40
+In some cases, the adversary may opt for a heavy-handed approach, such as
41
+seizing the computers of all Tor users in an area (especially after narrowing
42
+the field by the above two pieces of information). History records and cache
43
+data are the primary goals here.
44
+     </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h4 class="title"><a id="adversarypositioning"></a>Adversary Capabilities - Positioning</h4></div></div></div><p>
45
+The adversary can position themselves at a number of different locations in
46
+order to execute their attacks.
47
+    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p>
48
+The adversary can run exit nodes, or alternatively, they may control routers
49
+upstream of exit nodes. Both of these scenarios have been observed in the
50
+wild.
51
+     </p></li><li class="listitem"><span class="command"><strong>Adservers and/or Malicious Websites</strong></span><p>
52
+The adversary can also run websites, or more likely, they can contract out
53
+ad space from a number of different adservers and inject content that way. For
54
+some users, the adversary may be the adservers themselves. It is not
55
+inconceivable that adservers may try to subvert or reduce a user's anonymity 
56
+through Tor for marketing purposes.
57
+     </p></li><li class="listitem"><span class="command"><strong>Local Network/ISP/Upstream Router</strong></span><p>
58
+The adversary can also inject malicious content at the user's upstream router
59
+when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor
60
+activity.
61
+     </p></li><li class="listitem"><span class="command"><strong>Physical Access</strong></span><p>
62
+Some users face adversaries with intermittent or constant physical access.
63
+Users in Internet cafes, for example, face such a threat. In addition, in
64
+countries where simply using tools like Tor is illegal, users may face
65
+confiscation of their computer equipment for excessive Tor usage or just
66
+general suspicion.
67
+     </p></li></ol></div></div><div class="sect3" title="Adversary Capabilities - Attacks"><div class="titlepage"><div><div><h4 class="title"><a id="attacks"></a>Adversary Capabilities - Attacks</h4></div></div></div><p>
68
+
69
+The adversary can perform the following attacks from a number of different 
70
+positions to accomplish various aspects of their goals. It should be noted
71
+that many of these attacks (especially those involving IP address leakage) are
72
+often performed by accident by websites that simply have Javascript, dynamic 
73
+CSS elements, and plugins. Others are performed by adservers seeking to
74
+correlate users' activity across different IP addresses, and still others are
75
+performed by malicious agents on the Tor network and at national firewalls.
76
+
77
+    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Inserting Javascript</strong></span><p>
78
+If not properly disabled, Javascript event handlers and timers
79
+can cause the browser to perform network activity after Tor has been disabled,
80
+thus allowing the adversary to correlate Tor and Non-Tor activity and reveal
81
+a user's non-Tor IP address. Javascript
82
+also allows the adversary to execute <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure attacks</a>:
83
+to query the history via the different attributes of 'visited' links to search
84
+for particular google queries, sites, or even to <a class="ulink" href="http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/" target="_top">profile
85
+users based on gender and other classifications</a>. Finally,
86
+Javascript can be used to query the user's timezone via the
87
+<code class="function">Date()</code> object, and to reduce the anonymity set by querying
88
+the <code class="function">navigator</code> object for operating system, CPU, locale, 
89
+and user agent information.
90
+     </p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
91
+
92
+Plugins are abysmal at obeying the proxy settings of the browser. Every plugin
93
+capable of performing network activity that the author has
94
+investigated is also capable of performing network activity independent of
95
+browser proxy settings - and often independent of its own proxy settings.
96
+Sites that have plugin content don't even have to be malicious to obtain a
97
+user's
98
+Non-Tor IP (it usually leaks by itself), though <a class="ulink" href="http://decloak.net" target="_top">plenty of active
99
+exploits</a> are possible as well. In addition, plugins can be used to store unique identifiers that are more
100
+difficult to clear than standard cookies. 
101
+<a class="ulink" href="http://epic.org/privacy/cookies/flash.html" target="_top">Flash-based
102
+cookies</a> fall into this category, but there are likely numerous other
103
+examples.
104
+
105
+     </p></li><li class="listitem"><span class="command"><strong>Inserting CSS</strong></span><p>
106
+
107
+CSS can also be used to correlate Tor and Non-Tor activity and reveal a user's
108
+Non-Tor IP address, via the usage of
109
+<a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">CSS
110
+popups</a> - essentially CSS-based event handlers that fetch content via
111
+CSS's onmouseover attribute. If these popups are allowed to perform network
112
+activity in a different Tor state than they were loaded in, they can easily
113
+correlate Tor and Non-Tor activity and reveal a user's IP address. In
114
+addition, CSS can also be used without Javascript to perform <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only history disclosure
115
+attacks</a>.
116
+     </p></li><li class="listitem"><span class="command"><strong>Read and insert cookies</strong></span><p>
117
+
118
+An adversary in a position to perform MITM content alteration can inject
119
+document content elements to both read and inject cookies for
120
+arbitrary domains. In fact, many "SSL secured" websites are vulnerable to this
121
+sort of <a class="ulink" href="http://seclists.org/bugtraq/2007/Aug/0070.html" target="_top">active
122
+sidejacking</a>.
123
+
124
+     </p></li><li class="listitem"><span class="command"><strong>Create arbitrary cached content</strong></span><p>
125
+
126
+Likewise, the browser cache can also be used to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
127
+identifiers</a>. Since by default the cache has no same-origin policy,
128
+these identifiers can be read by any domain, making them an ideal target for
129
+adserver-class adversaries.
130
+
131
+     </p></li><li class="listitem"><a id="fingerprinting"></a><span class="command"><strong>Fingerprint users based on browser
132
+attributes</strong></span><p>
133
+
134
+There is an absurd amount of information available to websites via attributes
135
+of the browser. This information can be used to reduce anonymity set, or even
136
+<a class="ulink" href="http://mandark.fr/0x000000/articles/Total_Recall_On_Firefox..html" target="_top">uniquely
137
+fingerprint individual users</a>. </p><p>
138
+For illustration, let's perform a
139
+back-of-the-envelope calculation on the number of anonymity sets for just the
140
+resolution information available in the <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window" target="_top">window</a> and
141
+<a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.screen" target="_top">window.screen</a>
142
+objects. Browser window resolution information provides something like
143
+(1280-640)*(1024-480)=348160 different anonymity sets. Desktop resolution
144
+information contributes about another factor of 5 (for about 5 resolutions in
145
+typical use). In addition, the dimensions and position of the desktop taskbar
146
+are available, which can reveal hints on OS information. This boosts the count
147
+by a factor of 5 (for each of the major desktop taskbars - Windows, OSX, KDE
148
+and Gnome, and None). Subtracting the browser content window
149
+size from the browser outer window size provide yet more information.
150
+Firefox toolbar presence gives about a factor of 8 (3 toolbars on/off give
151
+2<sup>3</sup>=8). Interface effects such as titlebar fontsize
152
+and window manager settings gives a factor of about 9 (say 3 common font sizes
153
+for the titlebar and 3 common sizes for browser GUI element fonts).
154
+Multiply this all out, and you have (1280-640)*(1024-480)*5*5*8*9 ~=
155
+2<sup>29</sup>, or a 29 bit identifier based on resolution
156
+information alone. </p><p>
157
+
158
+Of course, this space is non-uniform and prone to incremental changes.
159
+However, if a bit vector space consisting of the above extracted attributes
160
+were used instead of the hash approach from <a class="ulink" href="http://mandark.fr/0x000000/articles/Total_Recall_On_Firefox..html" target="_top">The Hacker
161
+Webzine article above</a>, minor changes in browser window resolution will
162
+no longer generate totally new identifiers. 
163
+
164
+</p><p>
165
+
166
+To add insult to injury, <a class="ulink" href="http://pseudo-flaw.net/content/tor/torbutton/" target="_top">chrome URL disclosure
167
+attacks</a> mean that each and every extension on <a class="ulink" href="https://addons.mozilla.org" target="_top">addons.mozilla.org</a> adds another bit
168
+to that 2<sup>29</sup>. With hundreds of popular extensions
169
+and thousands of extensions total, it is easy to see that this sort of
170
+information is an impressively powerful identifier if used properly by a
171
+competent and determined adversary such as an ad network.  Again, a
172
+nearest-neighbor bit vector space approach here would also gracefully handle
173
+incremental changes to installed extensions.
174
+
175
+</p></li><li class="listitem"><span class="command"><strong>Remotely or locally exploit browser and/or
176
+OS</strong></span><p>
177
+Last, but definitely not least, the adversary can exploit either general 
178
+browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
179
+install malware and surveillance software. An adversary with physical access
180
+can perform similar actions. Regrettably, this last attack capability is
181
+outside of Torbutton's ability to defend against, but it is worth mentioning
182
+for completeness.
183
+     </p></li></ol></div></div></div><div class="sect2" title="1.2. Torbutton Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="requirements"></a>1.2. Torbutton Requirements</h3></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>
184
+
185
+Since many settings satisfy multiple requirements, this design document is
186
+organized primarily by Torbutton components and settings. However, if you are
187
+the type that would rather read the document from the requirements
188
+perspective, it is in fact possible to search for each of the following
189
+requirement phrases in the text to find the relevant features that help meet
190
+that requirement.
191
+
192
+</div><p>
193
+
194
+From the above Adversary Model, a number of requirements become clear. 
195
+
196
+   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="proxy"></a><span class="command"><strong>Proxy Obedience</strong></span><p>The browser
197
+MUST NOT bypass Tor proxy settings for any content.</p></li><li class="listitem"><a id="isolation"></a><span class="command"><strong>Network Isolation</strong></span><p>Pages MUST NOT perform any network activity in a Tor state different
198
+ from the state they were originally loaded in.</p></li><li class="listitem"><a id="state"></a><span class="command"><strong>State Separation</strong></span><p>Browser state (cookies, cache, history, 'DOM storage'), accumulated in
199
+ one Tor state MUST NOT be accessible via the network in
200
+ another Tor state.</p></li><li class="listitem"><a id="undiscoverability"></a><span class="command"><strong>Tor Undiscoverability</strong></span><p>With
201
+the advent of bridge support in Tor 0.2.0.x, there are now a class of Tor
202
+users whose network fingerprint does not obviously betray the fact that they
203
+are using Tor. This should extend to the browser as well - Torbutton MUST NOT 
204
+reveal its presence while Tor is disabled.</p></li><li class="listitem"><a id="disk"></a><span class="command"><strong>Disk Avoidance</strong></span><p>The browser SHOULD NOT write any Tor-related state to disk, or store it
205
+ in memory beyond the duration of one Tor toggle.</p></li><li class="listitem"><a id="location"></a><span class="command"><strong>Location Neutrality</strong></span><p>The browser SHOULD NOT leak location-specific information, such as
206
+ timezone or locale via Tor.</p></li><li class="listitem"><a id="setpreservation"></a><span class="command"><strong>Anonymity Set
207
+Preservation</strong></span><p>The browser SHOULD NOT leak any other anonymity set reducing information 
208
+ (such as user agent, extension presence, and resolution information)
209
+automatically via Tor. The assessment of the attacks above should make it clear
210
+that anonymity set reduction is a very powerful method of tracking and
211
+eventually identifying anonymous users.
212
+</p></li><li class="listitem"><a id="updates"></a><span class="command"><strong>Update Safety</strong></span><p>The browser
213
+SHOULD NOT perform unauthenticated updates or upgrades via Tor.</p></li><li class="listitem"><a id="interoperate"></a><span class="command"><strong>Interoperability</strong></span><p>Torbutton SHOULD interoperate with third-party proxy switchers that
214
+ enable the user to switch between a number of different proxies. It MUST
215
+ provide full Tor protection in the event a third-party proxy switcher has
216
+ enabled the Tor proxy settings.</p></li></ol></div></div><div class="sect2" title="1.3. Extension Layout"><div class="titlepage"><div><div><h3 class="title"><a id="layout"></a>1.3. Extension Layout</h3></div></div></div><p>Firefox extensions consist of two main categories of code: 'Components' and
217
+'Chrome'. Components are a fancy name for classes that implement a given
218
+interface or interfaces. In Firefox, components <a class="ulink" href="https://developer.mozilla.org/en/XPCOM" target="_top">can be
219
+written</a> in C++,
220
+Javascript, or a mixture of both. Components have two identifiers: their
221
+'<a class="ulink" href="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005005" target="_top">Contract
222
+ID</a>' (a human readable path-like string), and their '<a class="ulink" href="http://www.mozilla.org/projects/xpcom/book/cxc/html/quicktour2.html#1005329" target="_top">Class
223
+ID</a>' (a GUID hex-string). In addition, the interfaces they implement each have a hex
224
+'Interface ID'. It is possible to 'hook' system components - to reimplement
225
+their interface members with your own wrappers - but only if the rest of the
226
+browser refers to the component by its Contract ID. If the browser refers to
227
+the component by Class ID, it bypasses your hooks in that use case.
228
+Technically, it may be possible to hook Class IDs by unregistering the
229
+original component, and then re-registering your own, but this relies on
230
+obsolete and deprecated interfaces and has proved to be less than
231
+stable.</p><p>'Chrome' is a combination of XML and Javascript used to describe a window.
232
+Extensions are allowed to create 'overlays' that are 'bound' to existing XML
233
+window definitions, or they can create their own windows. The DTD for this XML
234
+is called <a class="ulink" href="http://developer.mozilla.org/en/docs/XUL_Reference" target="_top">XUL</a>.</p></div></div><div class="sect1" title="2. Components"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2541734"></a>2. Components</h2></div></div></div><p>
235
+
236
+Torbutton installs components for two purposes: hooking existing components to
237
+reimplement their interfaces; and creating new components that provide
238
+services to other pieces of the extension.
239
+
240
+  </p><div class="sect2" title="2.1. Hooked Components"><div class="titlepage"><div><div><h3 class="title"><a id="id2509118"></a>2.1. Hooked Components</h3></div></div></div><p>Torbutton makes extensive use of Contract ID hooking, and implements some
241
+of its own standalone components as well.  Let's discuss the hooked components
242
+first.</p><div class="sect3" title="@mozilla.org/browser/sessionstore;1 - components/nsSessionStore36.js"><div class="titlepage"><div><div><h4 class="title"><a id="sessionstore"></a><a class="ulink" href="http://developer.mozilla.org/en/docs/nsISessionStore" target="_top">@mozilla.org/browser/sessionstore;1</a> -
243
+<a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/nsSessionStore36.js" target="_top">components/nsSessionStore36.js</a></h4></div></div></div><p>These components address the <a class="link" href="#disk">Disk Avoidance</a>
244
+requirements of Torbutton. As stated in the requirements, Torbutton needs to
245
+prevent Tor tabs from being written to disk by the Firefox session store for a
246
+number of reasons, primary among them is the fact that Firefox can crash at
247
+any time, and a restart can cause you to fetch tabs in the incorrect Tor
248
+state.</p><p>These components illustrate a complication with Firefox hooking: you can
249
+only hook member functions of a class if they are published in an
250
+interface that the class implements. Unfortunately, the sessionstore has no
251
+published interface that is amenable to disabling the writing out of Tor tabs
252
+in specific. As such, Torbutton had to include the <span class="emphasis"><em>entire</em></span>
253
+nsSessionStore from both Firefox 2.0, 3.0, 3.5 and 3.6
254
+with a couple of modifications to prevent tabs that were loaded with Tor
255
+enabled from being written to disk, and some version detection code to
256
+determine which component to load. The <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/nsSessionStore36.diff" target="_top">diff against the original session
257
+store</a> is included in the git repository.</p></div><div class="sect3" title="@mozilla.org/uriloader/external-protocol-service;1 , @mozilla.org/uriloader/external-helper-app-service;1, and @mozilla.org/mime;1 - components/external-app-blocker.js"><div class="titlepage"><div><div><h4 class="title"><a id="appblocker"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-protocol-service%3B1" target="_top">@mozilla.org/uriloader/external-protocol-service;1
258
+</a>, <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/uriloader/external-helper-app-service%3B1" target="_top">@mozilla.org/uriloader/external-helper-app-service;1</a>,
259
+and <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/mime%3B1" target="_top">@mozilla.org/mime;1</a>
260
+- <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/external-app-blocker.js" target="_top">components/external-app-blocker.js</a></h4></div></div></div><p>
261
+Due to <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">440892</a> allowing Firefox 3.x to automatically launch some
262
+applications without user intervention, Torbutton had to wrap the three
263
+components involved in launching external applications to provide user
264
+confirmation before doing so while Tor is enabled. Since external applications
265
+do not obey proxy settings, they can be manipulated to automatically connect
266
+back to arbitrary servers outside of Tor with no user intervention. Fixing
267
+this issue helps to satisfy Torbutton's <a class="link" href="#proxy">Proxy
268
+Obedience</a> Requirement.
269
+ </p></div><div class="sect3" title="@mozilla.org/browser/sessionstartup;1 - components/crash-observer.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2523615"></a><a class="ulink" href="http://lxr.mozilla.org/seamonkey/source/browser/components/sessionstore/src/nsSessionStartup.js" target="_top">@mozilla.org/browser/sessionstartup;1</a> -
270
+    <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/crash-observer.js" target="_top">components/crash-observer.js</a></h4></div></div></div><p>This component wraps the Firefox Session Startup component that is in
271
+charge of <a class="ulink" href="http://developer.mozilla.org/en/docs/Session_store_API" target="_top">restoring saved
272
+sessions</a>. The wrapper's only job is to intercept the
273
+<code class="function">doRestore()</code> function, which is called by Firefox if it is determined that the
274
+browser crashed and the session needs to be restored. The wrapper notifies the
275
+Torbutton chrome that the browser crashed by setting the pref
276
+<span class="command"><strong>extensions.torbutton.crashed</strong></span>, or that it is a normal
277
+startup via the pref <span class="command"><strong>extensions.torbutton.noncrashed</strong></span>. The Torbutton Chrome <a class="ulink" href="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29" target="_top">listens for a
278
+preference change</a> for this value and then does the appropriate cleanup. This
279
+includes setting the Tor state to the one the user selected for crash recovery
280
+in the preferences window (<span class="command"><strong>extensions.torbutton.restore_tor</strong></span>), and
281
+restoring cookies for the corresponding cookie jar, if it exists.</p><p>By performing this notification, this component assists in the 
282
+<a class="link" href="#proxy">Proxy Obedience</a>, and <a class="link" href="#isolation">Network Isolation</a> requirements.
283
+</p></div><div class="sect3" title="@mozilla.org/browser/global-history;2 - components/ignore-history.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2535078"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2" target="_top">@mozilla.org/browser/global-history;2</a>
284
+- <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/ignore-history.js" target="_top">components/ignore-history.js</a></h4></div></div></div><p>This component was contributed by <a class="ulink" href="http://www.collinjackson.com/" target="_top">Collin Jackson</a> as a method for defeating
285
+CSS and Javascript-based methods of history disclosure. The global-history
286
+component is what is used by Firefox to determine if a link was visited or not
287
+(to apply the appropriate style to the link). By hooking the <a class="ulink" href="https://developer.mozilla.org/en/nsIGlobalHistory2#isVisited.28.29" target="_top">isVisited</a>
288
+and <a class="ulink" href="https://developer.mozilla.org/en/nsIGlobalHistory2#addURI.28.29" target="_top">addURI</a>
289
+methods, Torbutton is able to selectively prevent history items from being
290
+added or being displayed as visited, depending on the Tor state and the user's
291
+preferences.
292
+</p><p>
293
+This component helps satisfy the <a class="link" href="#state">State Separation</a>
294
+and <a class="link" href="#disk">Disk Avoidance</a> requirements of Torbutton.
295
+</p></div><div class="sect3" title="@mozilla.org/browser/livemark-service;2 - components/block-livemarks.js"><div class="titlepage"><div><div><h4 class="title"><a id="livemarks"></a><a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2" target="_top">@mozilla.org/browser/livemark-service;2</a>
296
+- <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/block-livemarks.js" target="_top">components/block-livemarks.js</a></h4></div></div></div><p>
297
+
298
+The <a class="ulink" href="http://www.mozilla.com/en-US/firefox/livebookmarks.html" target="_top">livemark</a> service
299
+is started by a timer that runs 5 seconds after Firefox
300
+startup. As a result, we cannot simply call the stopUpdateLivemarks() method to
301
+disable it. We must wrap the component to prevent this start() call from
302
+firing in the event the browser starts in Tor mode.
303
+
304
+</p><p>
305
+This component helps satisfy the <a class="link" href="#isolation">Network
306
+Isolation</a> and <a class="link" href="#setpreservation">Anonymity Set
307
+Preservation</a> requirements.
308
+</p></div></div><div class="sect2" title="2.2. New Components"><div class="titlepage"><div><div><h3 class="title"><a id="id2513073"></a>2.2. New Components</h3></div></div></div><p>Torbutton creates four new components that are used throughout the
309
+extension. These components do not hook any interfaces, nor are they used
310
+anywhere besides Torbutton itself.</p><div class="sect3" title="@torproject.org/cookie-jar-selector;2 - components/cookie-jar-selector.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2541606"></a><a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2
311
+- components/cookie-jar-selector.js</a></h4></div></div></div><p>The cookie jar selector (also based on code from <a class="ulink" href="http://www.collinjackson.com/" target="_top">Collin
312
+Jackson</a>) is used by the Torbutton chrome to switch between
313
+Tor and Non-Tor cookies. Its operations are simple: sync cookies to disk, then
314
+move the current cookies.txt file to the appropriate backup location
315
+(cookies-tor.txt or cookies-nontor.txt), and then moving the other cookie jar
316
+into place.</p><p>
317
+This component helps to address the <a class="link" href="#state">State
318
+Isolation</a> requirement of Torbutton.
319
+</p></div><div class="sect3" title="@torproject.org/torbutton-logger;1 - components/torbutton-logger.js"><div class="titlepage"><div><div><h4 class="title"><a id="id2528340"></a><a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/torbutton-logger.js" target="_top">@torproject.org/torbutton-logger;1
320
+- components/torbutton-logger.js</a></h4></div></div></div><p>The torbutton logger component allows on-the-fly redirection of torbutton
321
+logging messages to either Firefox stderr
322
+(<span class="command"><strong>extensions.torbutton.logmethod=0</strong></span>), the Javascript error console
323
+(<span class="command"><strong>extensions.torbutton.logmethod=1</strong></span>), or the DebugLogger extension (if
324
+available - <span class="command"><strong>extensions.torbutton.logmethod=2</strong></span>). It also allows you to
325
+change the loglevel on the fly by changing
326
+<span class="command"><strong>extensions.torbutton.loglevel</strong></span> (1-5, 1 is most verbose).
327
+</p></div><div class="sect3" title="@torproject.org/content-window-mapper;1 - components/window-mapper.js"><div class="titlepage"><div><div><h4 class="title"><a id="windowmapper"></a><a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/window-mapper.js" target="_top">@torproject.org/content-window-mapper;1
328
+- components/window-mapper.js</a></h4></div></div></div><p>Torbutton tags Firefox <a class="ulink" href="https://developer.mozilla.org/en/XUL_Tutorial/Tabboxes" target="_top">tabs</a> with a special variable that indicates the Tor
329
+state the tab was most recently used under to fetch a page. The problem is
330
+that for many Firefox events, it is not possible to determine the tab that is
331
+actually receiving the event. The Torbutton window mapper allows the Torbutton
332
+chrome and other components to look up a <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser" target="_top">browser
333
+tab</a> for a given <a class="ulink" href="https://developer.mozilla.org/en/nsIDOMWindow" target="_top">HTML content
334
+window</a>. It does this by traversing all windows and all browsers, until it
335
+finds the browser with the requested <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser#p-contentWindow" target="_top">contentWindow</a> element. Since the content policy
336
+and page loading in general can generate hundreds of these lookups, this
337
+result is cached inside the component.
338
+</p></div><div class="sect3" title="@torproject.org/cssblocker;1 - components/cssblocker.js"><div class="titlepage"><div><div><h4 class="title"><a id="contentpolicy"></a><a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1
339
+- components/cssblocker.js</a></h4></div></div></div><p>This is a key component to Torbutton's security measures. When Tor is
340
+toggled, Javascript is disabled, and pages are instructed to stop loading.
341
+However, CSS is still able to perform network operations by loading styles for
342
+onmouseover events and other operations. In addition, favicons can still be
343
+loaded by the browser. The cssblocker component prevents this by implementing
344
+and registering an <a class="ulink" href="https://developer.mozilla.org/en/nsIContentPolicy" target="_top">nsIContentPolicy</a>.
345
+When an nsIContentPolicy is registered, Firefox checks every attempted network
346
+request against its <a class="ulink" href="https://developer.mozilla.org/en/nsIContentPolicy#shouldLoad()" target="_top">shouldLoad</a>
347
+member function to determine if the load should proceed. In Torbutton's case,
348
+the content policy looks up the appropriate browser tab using the <a class="link" href="#windowmapper" title="@torproject.org/content-window-mapper;1 - components/window-mapper.js">window mapper</a>,
349
+and checks that tab's load tag against the current Tor state. If the tab was
350
+loaded in a different state than the current state, the fetch is denied.
351
+Otherwise, it is allowed.</p> This helps to achieve the <a class="link" href="#isolation">Network
352
+Isolation</a> requirements of Torbutton.
353
+
354
+<p>In addition, the content policy also blocks website javascript from
355
+<a class="ulink" href="http://pseudo-flaw.net/content/tor/torbutton/" target="_top">querying for
356
+versions and existence of extension chrome</a> while Tor is enabled, and
357
+also masks the presence of Torbutton to website javascript while Tor is
358
+disabled. </p><p>
359
+
360
+Finally, some of the work that logically belongs to the content policy is
361
+instead handled by the <span class="command"><strong>torbutton_http_observer</strong></span> and
362
+<span class="command"><strong>torbutton_weblistener</strong></span> in <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>. These two objects handle blocking of
363
+Firefox 3 favicon loads, popups, and full page plugins, which for whatever
364
+reason are not passed to the Firefox content policy itself (see Firefox Bugs 
365
+<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">437014</a> and 
366
+<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">401296</a>).
367
+
368
+</p><p>
369
+
370
+This helps to fulfill both the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> and the <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirements of
371
+Torbutton.</p></div></div></div><div class="sect1" title="3. Chrome"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2511168"></a>3. Chrome</h2></div></div></div><p>The chrome is where all the torbutton graphical elements and windows are
372
+located. Each window is described as an <a class="ulink" href="http://developer.mozilla.org/en/docs/XUL_Reference" target="_top">XML file</a>, with zero or more Javascript
373
+files attached. The scope of these Javascript files is their containing
374
+window.</p><div class="sect2" title="3.1. Browser Overlay - torbutton.xul"><div class="titlepage"><div><div><h3 class="title"><a id="browseroverlay"></a>3.1. Browser Overlay - <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.xul" target="_top">torbutton.xul</a></h3></div></div></div><p>The browser overlay, torbutton.xul, defines the toolbar button, the status
375
+bar, and events for toggling the button. The overlay code is in <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js" target="_top">chrome/content/torbutton.js</a>.
376
+It contains event handlers for preference update, shutdown, upgrade, and
377
+location change events.</p><p>The <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener#onLocationChange" target="_top">location
378
+change</a> <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgress" target="_top">webprogress
379
+listener</a>, <span class="command"><strong>torbutton_weblistener</strong></span> is one of the most
380
+important parts of the chrome from a security standpoint. It is a <a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener" target="_top">webprogress
381
+listener</a> that handles receiving an event every time a page load or
382
+iframe load occurs. This class eventually calls down to
383
+<code class="function">torbutton_update_tags()</code> and
384
+<code class="function">torbutton_hookdoc()</code>, which apply the browser Tor load
385
+state tags, plugin permissions, and install the Javascript hooks to hook the
386
+<a class="ulink" href="https://developer.mozilla.org/en/DOM/window.screen" target="_top">window.screen</a>
387
+object to obfuscate browser and desktop resolution information.
388
+
389
+</p><p>
390
+The browser overlay helps to satisfy a number of Torbutton requirements. These
391
+are better enumerated in each of the Torbutton preferences below. However,
392
+there are also a number of Firefox preferences set in
393
+<code class="function">torbutton_update_status()</code> that aren't governed by any
394
+Torbutton setting. These are:
395
+</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Network.security.ports.banned" target="_top">network.security.ports.banned</a><p>
396
+Torbutton sets this setting to add ports 8123, 8118, 9050 and 9051 (which it
397
+reads from <span class="command"><strong>extensions.torbutton.banned_ports</strong></span>) to the list
398
+of ports Firefox is forbidden to access. These ports are Polipo, Privoxy, Tor,
399
+and the Tor control port, respectively. This is set for both Tor and Non-Tor
400
+usage, and prevents websites from attempting to do http fetches from these
401
+ports to see if they are open, which addresses the <a class="link" href="#undiscoverability">Tor Undiscoverability</a> requirement.
402
+ </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.send_pings" target="_top">browser.send_pings</a><p>
403
+This setting is currently always disabled. If anyone ever complains saying
404
+that they *want* their browser to be able to send ping notifications to a
405
+page or arbitrary link, I'll make this a pref or Tor-only. But I'm not holding
406
+my breath. I haven't checked if the content policy is called for pings, but if
407
+not, this setting helps with meeting the <a class="link" href="#isolation">Network
408
+Isolation</a> requirement.
409
+ </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.safebrowsing.remoteLookups" target="_top">browser.safebrowsing.remoteLookups</a><p>
410
+Likewise for this setting. I find it hard to imagine anyone who wants to ask
411
+Google in real time if each URL they visit is safe, especially when the list
412
+of unsafe URLs is downloaded anyway. This helps fulfill the <a class="link" href="#disk">Disk Avoidance</a> requirement, by preventing your entire
413
+browsing history from ending up on Google's disks.
414
+ </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.safebrowsing.enabled" target="_top">browser.safebrowsing.enabled</a><p>
415
+Safebrowsing does <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=360387" target="_top">unauthenticated
416
+updates under Firefox 2</a>, so it is disabled during Tor usage. 
417
+This helps fulfill the <a class="link" href="#updates">Update
418
+Safety</a> requirement. Firefox 3 has the fix for that bug, and so
419
+safebrowsing updates are enabled during Tor usage.
420
+ </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Network.protocol-handler.warn-external.%28protocol%29" target="_top">network.protocol-handler.warn-external.(protocol)</a><p>
421
+If Tor is enabled, we need to prevent random external applications from
422
+launching without at least warning the user. This group of settings only
423
+partially accomplishes this, however. Applications can still be launched via
424
+plugins. The mechanisms for handling this are described under the "Disable
425
+Plugins During Tor Usage" preference. This helps fulfill the <a class="link" href="#proxy">Proxy Obedience</a> requirement, by preventing external
426
+applications from accessing network resources at the command of Tor-fetched
427
+pages. Unfortunately, due to <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a>
428
+<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">440892</a>,
429
+these prefs are no longer obeyed. They are set still anyway out of respect for
430
+the dead.
431
+ </p></li><li class="listitem"><a class="ulink" href="http://kb.mozillazine.org/Browser.sessionstore.max_tabs_undo" target="_top">browser.sessionstore.max_tabs_undo</a><p>
432
+
433
+To help satisfy the Torbutton <a class="link" href="#state">State Separation</a>
434
+and <a class="link" href="#isolation">Network Isolation</a> requirements,
435
+Torbutton needs to purge the Undo Tab history on toggle to prevent repeat
436
+"Undo Close" operations from accidentally restoring tabs from a different Tor
437
+State. This purge is accomplished by setting this preference to 0 and then
438
+restoring it to the previous user value upon toggle.
439
+
440
+   </p></li><li class="listitem"><span class="command"><strong>security.enable_ssl2</strong></span><p>
441
+TLS Session IDs can persist for an indefinite duration, providing an
442
+identifier that is sent to TLS sites that can be used to link activity. This
443
+is particularly troublesome now that we have certificate verification in place
444
+in Firefox 3: The OCSP server can use this Session ID to build a history of
445
+TLS sites someone visits, and also correlate their activity as users move from
446
+network to network (such as home to work to coffee shop, etc), inside and
447
+outside of Tor. To handle this and to help satisfy our <a class="link" href="#state">State Separation Requirement</a>, we currently 
448
+toggle
449
+<span class="command"><strong>security.enable_ssl2</strong></span>, which clears the SSL Session ID
450
+cache via the pref observer at <a class="ulink" href="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp#2134" target="_top">nsNSSComponent.cpp
451
+line 2134</a>. This is an arcane and potentially fragile fix. It would be
452
+better if there were a more standard interface for accomplishing the same
453
+thing. <a class="link" href="#FirefoxBugs" title="6. Relevant Firefox Bugs">Firefox Bug</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=448747" target="_top">448747</a> has
454
+been filed for this.
455
+
456
+   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://www.mozilla.com/en-US/firefox/geolocation/" target="_top">geo.enabled</a></strong></span><p>
457
+
458
+Torbutton disables Geolocation support in Firefox 3.5 and above whenever tor
459
+is enabled. This helps Torbutton maintain its
460
+<a class="link" href="#location">Location Neutrality</a> requirement.
461
+While Firefox does prompt before divulging geolocational information,
462
+the assumption is that Tor users will never want to give their
463
+location away during Tor usage, and even allowing websites to prompt
464
+them to do so will only cause confusion and accidents to happen. Moreover,
465
+just because users may approve a site to know their location in non-Tor mode
466
+does not mean they want it divulged during Tor mode.
467
+
468
+   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Browser.zoom.siteSpecific" target="_top">browser.zoom.siteSpecific</a></strong></span><p>
469
+
470
+Firefox actually remembers your zoom settings for certain sites. CSS
471
+and Javascript rule can use this to recognize previous visitors to a site.
472
+This helps Torbutton fulfill its <a class="link" href="#state">State Separation</a>
473
+requirement.
474
+
475
+   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="https://developer.mozilla.org/en/controlling_dns_prefetching" target="_top">network.dns.disablePrefetch</a></strong></span><p>
476
+
477
+Firefox 3.5 and above implement prefetching of DNS resolution for hostnames in
478
+links on a page to decrease page load latency. While Firefox does typically
479
+disable this behavior when proxies are enabled, we set this pref for added
480
+safety during Tor usage. Additionally, to prevent Tor-loaded tabs from having
481
+their links prefetched after a toggle to Non-Tor mode occurs,
482
+we also set the docShell attribute
483
+<a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell" target="_top">
484
+allowDNSPrefetch</a> to false on Tor loaded tabs. This happens in the same
485
+positions in the code as those for disabling plugins via the allowPlugins
486
+docShell attribute. This helps Torbutton fulfill its <a class="link" href="#isolation">Network Isolation</a> requirement.
487
+
488
+   </p></li><li class="listitem"><span class="command"><strong><a class="ulink" href="http://kb.mozillazine.org/Browser.cache.offline.enable" target="_top">browser.cache.offline.enable</a></strong></span><p>
489
+
490
+Firefox has the ability to store web applications in a special cache to allow
491
+them to continue to operate while the user is offline. Since this subsystem
492
+is actually different than the normal disk cache, it must be dealt with
493
+separately. Thus, Torbutton sets this preference to false whenever Tor is
494
+enabled. This helps Torbutton fulfill its <a class="link" href="#disk">Disk
495
+Avoidance</a> and <a class="link" href="#state">State Separation</a>
496
+requirements.
497
+
498
+   </p></li></ol></div></div><div class="sect2" title="3.2. Preferences Window - preferences.xul"><div class="titlepage"><div><div><h3 class="title"><a id="id2521151"></a>3.2. Preferences Window - <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/preferences.xul" target="_top">preferences.xul</a></h3></div></div></div><p>The preferences window of course lays out the Torbutton preferences, with
499
+handlers located in <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/preferences.js" target="_top">chrome/content/preferences.js</a>.</p></div><div class="sect2" title="3.3. Other Windows"><div class="titlepage"><div><div><h3 class="title"><a id="id2524897"></a>3.3. Other Windows</h3></div></div></div><p>There are additional windows that describe popups for right clicking on
500
+the status bar, the toolbutton, and the about page.</p></div></div><div class="sect1" title="4. Toggle Code Path"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2538737"></a>4. Toggle Code Path</h2></div></div></div><p>
501
+
502
+The act of toggling is connected to <code class="function">torbutton_toggle()</code>
503
+via the <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.xul" target="_top">torbutton.xul</a>
504
+and <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/popup.xul" target="_top">popup.xul</a>
505
+overlay files. Most of the work in the toggling process is present in <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js" target="_top">torbutton.js</a> 
506
+
507
+</p><p>
508
+
509
+Toggling is a 3 stage process: Button Click, Proxy Update, and
510
+Settings Update. These stages are reflected in the prefs
511
+<span class="command"><strong>extensions.torbutton.tor_enabled</strong></span>,
512
+<span class="command"><strong>extensions.torbutton.proxies_applied</strong></span>, and
513
+<span class="command"><strong>extensions.torbutton.settings_applied</strong></span>. The reason for the
514
+three stage preference update is to ensure immediate enforcement of <a class="link" href="#isolation">Network Isolation</a> via the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>. Since the content window
515
+javascript runs on a different thread than the chrome javascript, it is
516
+important to properly convey the stages to the content policy to avoid race
517
+conditions and leakage, especially with <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug 
518
+409737</a> unfixed. The content policy does not allow any network activity
519
+whatsoever during this three stage transition.
520
+
521
+ </p><div class="sect2" title="4.1. Button Click"><div class="titlepage"><div><div><h3 class="title"><a id="id2519814"></a>4.1. Button Click</h3></div></div></div><p>
522
+
523
+This is the first step in the toggling process. When the user clicks the
524
+toggle button or the toolbar, <code class="function">torbutton_toggle()</code> is
525
+called. This function checks the current Tor status by comparing the current
526
+proxy settings to the selected Tor settings, and then sets the proxy settings
527
+to the opposite state, and sets the pref
528
+<span class="command"><strong>extensions.torbutton.tor_enabled</strong></span> to reflect the new state.
529
+It is this proxy pref update that gives notification via the <a class="ulink" href="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29" target="_top">pref
530
+observer</a>
531
+<span class="command"><strong>torbutton_unique_pref_observer</strong></span> to perform the rest of the
532
+toggle.
533
+
534
+  </p></div><div class="sect2" title="4.2. Proxy Update"><div class="titlepage"><div><div><h3 class="title"><a id="id2519526"></a>4.2. Proxy Update</h3></div></div></div><p>
535
+
536
+When Torbutton receives any proxy change notifications via its
537
+<span class="command"><strong>torbutton_unique_pref_observer</strong></span>, it calls
538
+<code class="function">torbutton_set_status()</code> which checks against the Tor
539
+settings to see if the Tor proxy settings match the current settings. If so,
540
+it calls <code class="function">torbutton_update_status()</code>, which determines if
541
+the Tor state has actually changed, and sets
542
+<span class="command"><strong>extensions.torbutton.proxies_applied</strong></span> to the appropriate Tor
543
+state value, and ensures that
544
+<span class="command"><strong>extensions.torbutton.tor_enabled</strong></span> is also set to the correct
545
+value. This is decoupled from the button click functionalty via the pref
546
+observer so that other addons (such as SwitchProxy) can switch the proxy
547
+settings between multiple proxies.
548
+
549
+  </p></div><div class="sect2" title="4.3. Settings Update"><div class="titlepage"><div><div><h3 class="title"><a id="id2504564"></a>4.3. Settings Update</h3></div></div></div><p>
550
+
551
+The next stage is also handled by
552
+<code class="function">torbutton_update_status()</code>. This function sets scores of
553
+Firefox preferences, saving the original values to prefs under
554
+<span class="command"><strong>extensions.torbutton.saved.*</strong></span>, and performs the history
555
+clearing, cookie jaring, and ssl certificate jaring work of Torbutton. At the
556
+end of its work, it sets
557
+<span class="command"><strong>extensions.torbutton.settings_applied</strong></span>, which signifies the
558
+completion of the toggle operation to the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>.
559
+
560
+  </p></div></div><div class="sect1" title="5. Description of Options"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2519462"></a>5. Description of Options</h2></div></div></div><p>This section provides a detailed description of Torbutton's options. Each
561
+option is presented as the string from the preferences window, a summary, the
562
+preferences it touches, and the effect this has on the components, chrome, and
563
+browser properties.</p><div class="sect2" title="5.1. Test Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2542642"></a>5.1. Test Settings</h3></div></div></div><p>
564
+This button under the Proxy Settings tab provides a way to verify that the 
565
+proxy settings are correct, and actually do route through the Tor network. It
566
+performs this check by issuing an <a class="ulink" href="http://developer.mozilla.org/en/docs/XMLHttpRequest" target="_top">XMLHTTPRequest</a>
567
+for <a class="ulink" href="https://check.torproject.org/?TorButton=True" target="_top">https://check.torproject.org/?Torbutton=True</a>.
568
+This is a special page that returns very simple, yet well-formed XHTML that
569
+Torbutton can easily inspect for a hidden link with an id of
570
+<span class="command"><strong>TorCheckResult</strong></span> and a target of <span class="command"><strong>success</strong></span>
571
+or <span class="command"><strong>failure</strong></span> to indicate if the
572
+user hit the page from a Tor IP, a non-Tor IP. This check is handled in
573
+<code class="function">torbutton_test_settings()</code> in <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js" target="_top">torbutton.js</a>.
574
+Presenting the results to the user is handled by the <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/preferences.xul" target="_top">preferences
575
+window</a>
576
+callback <code class="function">torbutton_prefs_test_settings()</code> in <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/preferences.js" target="_top">preferences.js</a>.  
577
+
578
+  </p></div><div class="sect2" title="5.2. Disable plugins on Tor Usage (crucial)"><div class="titlepage"><div><div><h3 class="title"><a id="plugins"></a>5.2. Disable plugins on Tor Usage (crucial)</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_tor_plugins</strong></span></p><p>Java and plugins <a class="ulink" href="http://java.sun.com/j2se/1.5.0/docs/api/java/net/class-use/NetworkInterface.html" target="_top">can query</a> the <a class="ulink" href="http://www.rgagnon.com/javadetails/java-0095.html" target="_top">local IP
579
+address</a> and report it back to the
580
+remote site. They can also <a class="ulink" href="http://decloak.net" target="_top">bypass proxy settings</a> and directly connect to a
581
+remote site without Tor. Every browser plugin we have tested with Firefox has
582
+some form of network capability, and every one ignores proxy settings or worse - only
583
+partially obeys them. This includes but is not limited to:
584
+QuickTime, Windows Media Player, RealPlayer, mplayerplug-in, AcroRead, and
585
+Flash. 
586
+
587
+ </p><p>
588
+Enabling this preference causes the above mentioned Torbutton chrome web progress
589
+ listener <span class="command"><strong>torbutton_weblistener</strong></span> to disable Java via <span class="command"><strong>security.enable_java</strong></span> and to disable
590
+ plugins via the browser <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell" target="_top">docShell</a>
591
+ attribute <span class="command"><strong>allowPlugins</strong></span>. These flags are set every time a new window is
592
+ created (<code class="function">torbutton_tag_new_browser()</code>), every time a web
593
+load
594
+event occurs
595
+ (<code class="function">torbutton_update_tags()</code>), and every time the tor state is changed
596
+ (<code class="function">torbutton_update_status()</code>). As a backup measure, plugins are also
597
+ prevented from loading by the content policy in <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1</a> if Tor is
598
+ enabled and this option is set.
599
+ </p><p>All of this turns out to be insufficient if the user directly clicks
600
+on a plugin-handled mime-type. <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">In this case</a>,
601
+the browser decides that maybe it should ignore all these other settings and
602
+load the plugin anyways, because maybe the user really did want to load it
603
+(never mind this same load-style could happen automatically  with meta-refresh
604
+or any number of other ways..). To handle these cases, Torbutton stores a list
605
+of plugin-handled mime-types, and sets the pref
606
+<span class="command"><strong>plugin.disable_full_page_plugin_for_types</strong></span> to this list.
607
+Additionally, (since nothing can be assumed when relying on Firefox
608
+preferences and internals) if it detects a load of one of them from the web
609
+progress listener, it cancels the request, tells the associated DOMWindow to
610
+stop loading, clears the document, AND throws an exception. Anything short of
611
+all this and the plugin managed to find some way to load.
612
+ </p><p>
613
+ All this could be avoided, of course, if Firefox would either <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">obey
614
+ allowPlugins</a> for directly visited URLs, or notify its content policy for such
615
+ loads either <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=309524" target="_top">via</a> <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380556" target="_top">shouldProcess</a> or shouldLoad. The fact that it does not is
616
+ not very encouraging.
617
+ </p><p>
618
+
619
+Since most plugins completely ignore browser proxy settings, the actions
620
+performed by this setting are crucial to satisfying the <a class="link" href="#proxy">Proxy Obedience</a> requirement.
621
+
622
+ </p></div><div class="sect2" title="5.3. Isolate Dynamic Content to Tor State (crucial)"><div class="titlepage"><div><div><h3 class="title"><a id="id2536168"></a>5.3. Isolate Dynamic Content to Tor State (crucial)</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.isolate_content</strong></span></p><p>Enabling this preference is what enables the <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/cssblocker.js" target="_top">@torproject.org/cssblocker;1</a> content policy
623
+mentioned above, and causes it to block content load attempts in pages an
624
+opposite Tor state from the current state. Freshly loaded <a class="ulink" href="https://developer.mozilla.org/en/XUL/tabbrowser" target="_top">browser
625
+tabs</a> are tagged
626
+with a <span class="command"><strong>__tb_load_state</strong></span> member in
627
+<code class="function">torbutton_update_tags()</code> and this
628
+value is compared against the current tor state in the content policy.</p><p>It also kills all Javascript in each page loaded under that state by
629
+toggling the <span class="command"><strong>allowJavascript</strong></span> <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3adocShell" target="_top">docShell</a> property, and issues a
630
+<a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIWebNavigation#stop()" target="_top">webNavigation.stop(webNavigation.STOP_ALL)</a> to each browser tab (the
631
+equivalent of hitting the STOP button).</p><p>
632
+
633
+Unfortunately, <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox bug
634
+409737</a> prevents <span class="command"><strong>docShell.allowJavascript</strong></span> from killing
635
+all event handlers, and event handlers registered with <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:element.addEventListener" target="_top">addEventListener()</a>
636
+are still able to execute. The <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">Torbutton Content
637
+Policy</a> should prevent such code from performing network activity within
638
+the current tab, but activity that happens via a popup window or via a
639
+Javascript redirect can still slip by. For this reason, Torbutton blocks
640
+popups by checking for a valid <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.opener" target="_top">window.opener</a>
641
+attribute in <code class="function">torbutton_check_progress()</code>. If the window
642
+has an opener from a different Tor state, its load is blocked. The content
643
+policy also takes similar action to prevent Javascript redirects. This also
644
+has the side effect/feature of preventing the user from following any links
645
+from a page loaded in an opposite Tor state.
646
+
647
+</p><p>
648
+This setting is responsible for satisfying the <a class="link" href="#isolation">Network Isolation</a> requirement.
649
+</p></div><div class="sect2" title="5.4. Hook Dangerous Javascript"><div class="titlepage"><div><div><h3 class="title"><a id="jshooks"></a>5.4. Hook Dangerous Javascript</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.kill_bad_js</strong></span></p><p>This setting enables injection of the <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/jshooks.js" target="_top">Javascript
650
+hooking code</a>. This is done in the chrome in
651
+<code class="function">torbutton_hookdoc()</code>, which is called ultimately by both the 
652
+<a class="ulink" href="https://developer.mozilla.org/en/nsIWebProgressListener" target="_top">webprogress
653
+listener</a> <span class="command"><strong>torbutton_weblistener</strong></span> and the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a> (the latter being a hack to handle
654
+javascript: urls).
655
+
656
+In the Firefox 2 days, this option did a lot more than
657
+it does now. It used to be responsible for timezone and improved useragent
658
+spoofing, and history object cloaking. However, now it only provides
659
+obfuscation of the <a class="ulink" href="https://developer.mozilla.org/en/DOM/window.screen" target="_top">window.screen</a>
660
+object to mask your browser and desktop resolution.
661
+The resolution hooks
662
+effectively make the Firefox browser window appear to websites as if the renderable area
663
+takes up the entire desktop, has no toolbar or other GUI element space, and
664
+the desktop itself has no toolbars.
665
+These hooks drastically reduce the amount of information available to do <a class="link" href="#fingerprinting">anonymity set reduction attacks</a> and help to
666
+meet the <a class="link" href="#setpreservation">Anonymity Set Preservation</a>
667
+requirements. Unfortunately, Gregory Fleischer discovered it is still possible
668
+to retrieve the original screen values by using <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-sandbox-xpcnativewrapper.html" target="_top">XPCNativeWrapper</a>
669
+or <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-components-lookupmethod.html" target="_top">Components.lookupMethod</a>.
670
+We are still looking for a workaround as of Torbutton 1.2.4.
671
+
672
+
673
+
674
+</p></div><div class="sect2" title="5.5. Resize windows to multiples of 50px during Tor usage (recommended)"><div class="titlepage"><div><div><h3 class="title"><a id="id2530601"></a>5.5. Resize windows to multiples of 50px during Tor usage (recommended)</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.resize_windows</strong></span></p><p>
675
+
676
+This option drastically cuts down on the number of distinct anonymity sets
677
+that divide the Tor web userbase. Without this setting, the dimensions for a
678
+typical browser window range from 600-1200 horizontal pixels and 400-1000
679
+vertical pixels, or about 600x600 = 360000 different sets. Resizing the
680
+browser window to multiples of 50 on each side reduces the number of sets by
681
+50^2, bringing the total number of sets to 144. Of course, the distribution
682
+among these sets are not uniform, but scaling by 50 will improve the situation
683
+due to this non-uniformity for users in the less common resolutions.
684
+Obviously the ideal situation would be to lie entirely about the browser
685
+window size, but this will likely cause all sorts of rendering issues, and is
686
+also not implementable in a foolproof way from extension land.
687
+
688
+</p><p>
689
+
690
+The implementation of this setting is spread across a couple of different
691
+locations in the Torbutton javascript <a class="link" href="#browseroverlay" title="3.1. Browser Overlay - torbutton.xul">browser
692
+overlay</a>. Since resizing minimized windows causes them to be restored,
693
+and since maximized windows remember their previous size to the pixel, windows
694
+must be resized before every document load (at the time of browser tagging)
695
+via <code class="function">torbutton_check_round()</code>, called by
696
+<code class="function">torbutton_update_tags()</code>. To prevent drift, the extension
697
+tracks the original values of the windows and uses this to perform the
698
+rounding on document load. In addition, to prevent the user from resizing a
699
+window to a non-50px multiple, a resize listener
700
+(<code class="function">torbutton_do_resize()</code>) is installed on every new browser
701
+window to record the new size and round it to a 50px multiple while Tor is
702
+enabled. In all cases, the browser's contentWindow.innerWidth and innerHeight
703
+are set. This ensures that there is no discrepancy between the 50 pixel cutoff
704
+and the actual renderable area of the browser (so that it is not possible to
705
+infer toolbar size/presence by the distance to the nearest 50 pixel roundoff).
706
+
707
+</p><p>
708
+This setting helps to meet the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirements.
709
+</p></div><div class="sect2" title="5.6. Disable Updates During Tor"><div class="titlepage"><div><div><h3 class="title"><a id="id2513266"></a>5.6. Disable Updates During Tor</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_updates</strong></span></p><p>This setting causes Torbutton to disable the four <a class="ulink" href="http://wiki.mozilla.org/Update:Users/Checking_For_Updates#Preference_Controls_and_State" target="_top">Firefox
710
+update settings</a> during Tor
711
+  usage: <span class="command"><strong>extensions.update.enabled</strong></span>,
712
+<span class="command"><strong>app.update.enabled</strong></span>,
713
+  <span class="command"><strong>app.update.auto</strong></span>, and
714
+<span class="command"><strong>browser.search.update</strong></span>.  These prevent the
715
+  browser from updating extensions, checking for Firefox upgrades, and
716
+  checking for search plugin updates while Tor is enabled.
717
+  </p><p>
718
+This setting satisfies the <a class="link" href="#updates">Update Safety</a> requirement.
719
+</p></div><div class="sect2" title="5.7. Disable Search Suggestions during Tor (recommended)"><div class="titlepage"><div><div><h3 class="title"><a id="id2505201"></a>5.7. Disable Search Suggestions during Tor (recommended)</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.no_search</strong></span></p><p>
720
+This setting causes Torbutton to disable <a class="ulink" href="http://kb.mozillazine.org/Browser.search.suggest.enabled" target="_top"><span class="command"><strong>browser.search.suggest.enabled</strong></span></a>
721
+during Tor usage.
722
+This governs if you get Google search suggestions during Tor
723
+usage. Your Google cookie is transmitted with google search suggestions, hence
724
+this is recommended to be disabled.
725
+
726
+</p><p>
727
+While this setting doesn't satisfy any Torbutton requirements, the fact that
728
+cookies are transmitted for partially typed queries does not seem desirable
729
+for Tor usage.
730
+</p></div><div class="sect2" title="5.8. Disable livemarks updates during Tor usage (recommended)"><div class="titlepage"><div><div><h3 class="title"><a id="id2505239"></a>5.8. Disable livemarks updates during Tor usage (recommended)</h3></div></div></div><p>Option:
731
+   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.disable_livemarks</strong></span></td></tr></table><p>
732
+  </p><p>
733
+This option causes Torbutton to prevent Firefox from loading <a class="ulink" href="http://www.mozilla.com/firefox/livebookmarks.html" target="_top">Livemarks</a> during
734
+Tor usage. Because people often have very personalized Livemarks (such as RSS
735
+feeds of Wikipedia articles they maintain, etc). This is accomplished both by
736
+<a class="link" href="#livemarks" title="@mozilla.org/browser/livemark-service;2 - components/block-livemarks.js">wrapping the livemark-service component</a> and
737
+by calling stopUpdateLivemarks() on the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/livemark-service;2" target="_top">Livemark
738
+service</a> when Tor is enabled.
739
+
740
+</p><p>
741
+This helps satisfy the <a class="link" href="#isolation">Network
742
+Isolation</a> and <a class="link" href="#setpreservation">Anonymity Set
743
+Preservation</a> requirements.
744
+</p></div><div class="sect2" title="5.9. Block Tor/Non-Tor access to network from file:// urls (recommended)"><div class="titlepage"><div><div><h3 class="title"><a id="id2505311"></a>5.9. Block Tor/Non-Tor access to network from file:// urls (recommended)</h3></div></div></div><p>Options:
745
+   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_tor_file_net</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nontor_file_net</strong></span></td></tr></table><p>
746
+  </p><p>
747
+
748
+These settings prevent file urls from performing network operations during the
749
+respective Tor states. Firefox 2's implementation of same origin policy allows
750
+file urls to read and <a class="ulink" href="http://www.gnucitizen.org/blog/content-disposition-hacking/" target="_top">submit
751
+arbitrary files from the local filesystem</a> to arbitrary websites. To
752
+make matters worse, the 'Content-Disposition' header can be injected
753
+arbitrarily by exit nodes to trick users into running arbitrary html files in
754
+the local context. These preferences cause the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a> to block access to any network
755
+resources from File urls during the appropriate Tor state.
756
+
757
+</p><p>
758
+
759
+This preference helps to ensure Tor's <a class="link" href="#isolation">Network
760
+Isolation</a> requirement, by preventing file urls from executing network
761
+operations in opposite Tor states. Also, allowing pages to submit arbitrary
762
+files to arbitrary sites just generally seems like a bad idea.
763
+
764
+</p></div><div class="sect2" title="5.10. Close all Tor/Non-Tor tabs and windows on toggle (optional)"><div class="titlepage"><div><div><h3 class="title"><a id="id2505383"></a>5.10. Close all Tor/Non-Tor tabs and windows on toggle (optional)</h3></div></div></div><p>Options:
765
+   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.close_nontor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.close_tor</strong></span></td></tr></table><p>
766
+  </p><p>
767
+
768
+These settings cause Torbutton to enumerate through all windows and close all
769
+tabs in each window for the appropriate Tor state. This code can be found in
770
+<code class="function">torbutton_update_status()</code>.  The main reason these settings
771
+exist is as a backup mechanism in the event of any Javascript or content policy
772
+leaks due to <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
773
+409737</a>.  Torbutton currently tries to block all Javascript network
774
+activity via the content policy, but until that bug is fixed, there is some
775
+risk that there are alternate ways to bypass the policy. This option is
776
+available as an extra assurance of <a class="link" href="#isolation">Network
777
+Isolation</a> for those who would like to be sure that when Tor is toggled
778
+all page activity has ceased. It also serves as a potential future workaround
779
+in the event a content policy failure is discovered, and provides an additional
780
+level of protection for the <a class="link" href="#disk">Disk Avoidance</a>
781
+protection so that browser state is not sitting around waiting to be swapped
782
+out longer than necessary.
783
+
784
+</p><p>
785
+While this setting doesn't satisfy any Torbutton requirements, the fact that
786
+cookies are transmitted for partially typed queries does not seem desirable
787
+for Tor usage.
788
+</p></div><div class="sect2" title="5.11. Isolate Access to History navigation to Tor state (crucial)"><div class="titlepage"><div><div><h3 class="title"><a id="id2505464"></a>5.11. Isolate Access to History navigation to Tor state (crucial)</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.block_js_history</strong></span></p><p>
789
+This setting determines if Torbutton installs an <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistoryListener" target="_top">nsISHistoryListener</a>
790
+attached to the <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory" target="_top">sessionHistory</a> of 
791
+of each browser's <a class="ulink" href="https://developer.mozilla.org/en/XUL%3aProperty%3awebNavigation" target="_top">webNavigatator</a>.
792
+The nsIShistoryListener is instantiated with a reference to the containing
793
+browser window and blocks the back, forward, and reload buttons on the browser
794
+navigation bar when Tor is in an opposite state than the one to load the
795
+current tab. In addition, Tor clears the session history during a new document
796
+load if this setting is enabled. 
797
+
798
+  </p><p>
799
+
800
+This is marked as a crucial setting in part
801
+because Javascript access to the history object is indistinguishable from 
802
+user clicks, and because
803
+<a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Firefox Bug
804
+409737</a> allows javascript to execute in opposite Tor states, javascript
805
+can issue reloads after Tor toggle to reveal your original IP. Even without
806
+this bug, however, Javascript is still able to access previous pages in your
807
+session history that may have been loaded under a different Tor state, to
808
+attempt to correlate your activity.
809
+
810
+   </p><p>
811
+
812
+This setting helps to fulfill Torbutton's <a class="link" href="#state">State
813
+Separation</a> and (until Bug 409737 is fixed) <a class="link" href="#isolation">Network Isolation</a>
814
+requirements.
815
+
816
+   </p></div><div class="sect2" title="5.12. History Access Settings"><div class="titlepage"><div><div><h3 class="title"><a id="id2505548"></a>5.12. History Access Settings</h3></div></div></div><p>Options:
817
+  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_thread</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nthread</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_thwrite</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_nthwrite</strong></span></td></tr></table><p>
818
+  </p><p>These four settings govern the behavior of the <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/ignore-history.js" target="_top">components/ignore-history.js</a>
819
+history blocker component mentioned above. By hooking the browser's view of
820
+the history itself via the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/global-history;2" target="_top">@mozilla.org/browser/global-history;2</a>
821
+and <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/browser/nav-history-service;1" target="_top">@mozilla.org/browser/nav-history-service;1</a>
822
+components, this mechanism defeats all document-based <a class="ulink" href="http://whattheinternetknowsaboutyou.com/" target="_top">history disclosure
823
+attacks</a>, including <a class="ulink" href="http://ha.ckers.org/weird/CSS-history.cgi" target="_top">CSS-only attacks</a>.
824
+
825
+The component also hooks functions involved in writing history to disk via
826
+both the <a class="ulink" href="http://developer.mozilla.org/en/docs/Places_migration_guide#History" target="_top">Places
827
+Database</a> and the older Firefox 2 mechanisms.
828
+
829
+</p><p>
830
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
831
+</p></div><div class="sect2" title="5.13. Clear History During Tor Toggle (optional)"><div class="titlepage"><div><div><h3 class="title"><a id="id2505661"></a>5.13. Clear History During Tor Toggle (optional)</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_history</strong></span></p><p>This setting governs if Torbutton calls
832
+<a class="ulink" href="https://developer.mozilla.org/en/nsIBrowserHistory#removeAllPages.28.29" target="_top">nsIBrowserHistory.removeAllPages</a>
833
+and <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsISHistory" target="_top">nsISHistory.PurgeHistory</a>
834
+for each tab on Tor toggle.</p><p>
835
+This setting is an optional way to help satisfy the <a class="link" href="#state">State Separation</a> requirement.
836
+</p></div><div class="sect2" title="5.14. Block Password+Form saving during Tor/Non-Tor"><div class="titlepage"><div><div><h3 class="title"><a id="id2505706"></a>5.14. Block Password+Form saving during Tor/Non-Tor</h3></div></div></div><p>Options:
837
+  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.block_tforms</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.block_ntforms</strong></span></td></tr></table><p>
838
+  </p><p>These settings govern if Torbutton disables
839
+<span class="command"><strong>browser.formfill.enable</strong></span>
840
+and <span class="command"><strong>signon.rememberSignons</strong></span> during Tor and Non-Tor usage.
841
+Since form fields can be read at any time by Javascript, this setting is a lot
842
+more important than it seems.
843
+</p><p>
844
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
845
+</p></div><div class="sect2" title="5.15. Block Tor disk cache and clear all cache on Tor Toggle"><div class="titlepage"><div><div><h3 class="title"><a id="id2547259"></a>5.15. Block Tor disk cache and clear all cache on Tor Toggle</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_cache</strong></span>
846
+  </p><p>This option causes Torbutton to call <a class="ulink" href="https://developer.mozilla.org/en/nsICacheService#evictEntries.28.29" target="_top">nsICacheService.evictEntries(0)</a>
847
+on Tor toggle to remove all entries from the cache. In addition, this setting
848
+causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.disk.enable" target="_top">browser.cache.disk.enable</a> to false.
849
+</p><p>
850
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
851
+</p></div><div class="sect2" title="5.16. Block disk and memory cache during Tor"><div class="titlepage"><div><div><h3 class="title"><a id="id2547309"></a>5.16. Block disk and memory cache during Tor</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.block_cache</strong></span></p><p>This setting
852
+causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Browser.cache.memory.enable" target="_top">browser.cache.memory.enable</a>,
853
+<a class="ulink" href="http://kb.mozillazine.org/Browser.cache.disk.enable" target="_top">browser.cache.disk.enable</a> and
854
+<a class="ulink" href="http://kb.mozillazine.org/Network.http.use-cache" target="_top">network.http.use-cache</a> to false during tor usage.
855
+</p><p>
856
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
857
+</p></div><div class="sect2" title="5.17. Clear Cookies on Tor Toggle"><div class="titlepage"><div><div><h3 class="title"><a id="id2547362"></a>5.17. Clear Cookies on Tor Toggle</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_cookies</strong></span>
858
+  </p><p>
859
+
860
+This setting causes Torbutton to call <a class="ulink" href="https://developer.mozilla.org/en/nsICookieManager#removeAll.28.29" target="_top">nsICookieManager.removeAll()</a> on
861
+every Tor toggle. In addition, this sets <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
862
+to 2 for Tor usage, which causes all cookies to be demoted to session cookies,
863
+which prevents them from being written to disk. 
864
+
865
+</p><p>
866
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
867
+</p></div><div class="sect2" title="5.18. Store Non-Tor cookies in a protected jar"><div class="titlepage"><div><div><h3 class="title"><a id="id2547413"></a>5.18. Store Non-Tor cookies in a protected jar</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.cookie_jars</strong></span>
868
+  </p><p>
869
+
870
+This setting causes Torbutton to use <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a> to store
871
+non-tor cookies in a cookie jar during Tor usage, and clear the Tor cookies
872
+before restoring the jar.
873
+</p><p>
874
+This setting also sets <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
875
+to 2 for Tor usage, which causes all cookies to be demoted to session cookies,
876
+which prevents them from being written to disk. 
877
+
878
+</p><p>
879
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> and <a class="link" href="#disk">Disk Avoidance</a> requirements.
880
+</p></div><div class="sect2" title="5.19. Store both Non-Tor and Tor cookies in a protected jar (dangerous)"><div class="titlepage"><div><div><h3 class="title"><a id="id2547469"></a>5.19. Store both Non-Tor and Tor cookies in a protected jar (dangerous)</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.dual_cookie_jars</strong></span>
881
+  </p><p>
882
+
883
+This setting causes Torbutton to use <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a> to store
884
+both Tor and Non-Tor cookies into protected jars.
885
+</p><p>
886
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
887
+</p></div><div class="sect2" title="5.20. Manage My Own Cookies (dangerous)"><div class="titlepage"><div><div><h3 class="title"><a id="id2547508"></a>5.20. Manage My Own Cookies (dangerous)</h3></div></div></div><p>Options: None</p><p>This setting disables all Torbutton cookie handling by setting the above
888
+cookie prefs all to false.</p></div><div class="sect2" title="5.21. Disable DOM Storage during Tor usage (crucial)"><div class="titlepage"><div><div><h3 class="title"><a id="id2547523"></a>5.21. Disable DOM Storage during Tor usage (crucial)</h3></div></div></div><div class="sect2" title="5.21.1. Do not write Tor/Non-Tor cookies to disk"><div class="titlepage"><div><div><h3 class="title"><a id="id2547525"></a>5.21.1. Do not write Tor/Non-Tor cookies to disk</h3></div></div></div><p>Options:
889
+  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.tor_memory_jar</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.nontor_memory_jar</strong></span></td></tr></table><p>
890
+  </p><p>
891
+These settings (contributed by arno) cause Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Network.cookie.lifetimePolicy" target="_top">network.cookie.lifetimePolicy</a>
892
+to 2 during the appropriate Tor state, and to store cookies acquired in that
893
+state into a Javascript
894
+<a class="ulink" href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Processing_XML_with_E4X" target="_top">E4X</a>
895
+object as opposed to writing them to disk.
896
+</p><p>
897
+This allows Torbutton to provide an option to preserve a user's 
898
+cookies while still satisfying the <a class="link" href="#disk">Disk Avoidance</a>
899
+requirement.
900
+</p></div><p>Option: <span class="command"><strong>extensions.torbutton.disable_domstorage</strong></span>
901
+  </p><p>
902
+
903
+This setting causes Torbutton to toggle <span class="command"><strong>dom.storage.enabled</strong></span> during Tor
904
+usage to prevent 
905
+<a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:Storage" target="_top">DOM Storage</a> from
906
+  being used to store persistent information across Tor states.</p><p>
907
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
908
+</p></div><div class="sect2" title="5.22. Clear HTTP Auth on Tor Toggle (recommended)"><div class="titlepage"><div><div><h3 class="title"><a id="id2547627"></a>5.22. Clear HTTP Auth on Tor Toggle (recommended)</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.clear_http_auth</strong></span>
909
+  </p><p>
910
+This setting causes Torbutton to call <a class="ulink" href="http://www.oxymoronical.com/experiments/apidocs/interface/nsIHttpAuthManager" target="_top">nsIHttpAuthManager.clearAll()</a>
911
+every time Tor is toggled.
912
+</p><p>
913
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
914
+</p></div><div class="sect2" title="5.23. Clear cookies on Tor/Non-Tor shutdown"><div class="titlepage"><div><div><h3 class="title"><a id="id2547664"></a>5.23. Clear cookies on Tor/Non-Tor shutdown</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.shutdown_method</strong></span>
915
+  </p><p> This option variable can actually take 3 values: 0, 1, and 2. 0 means no
916
+cookie clearing, 1 means clear only during Tor-enabled shutdown, and 2 means
917
+clear for both Tor and Non-Tor shutdown. When set to 1 or 2, Torbutton listens
918
+for the <a class="ulink" href="http://developer.mozilla.org/en/docs/Observer_Notifications#Application_shutdown" target="_top">quit-application-granted</a> event in
919
+<code class="function">torbutton_uninstall_observer()</code> and use <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a>
920
+to clear out all cookies and all cookie jars upon shutdown.  </p><p>
921
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement.
922
+</p></div><div class="sect2" title="5.24. Reload cookie jar/clear cookies on Firefox crash"><div class="titlepage"><div><div><h3 class="title"><a id="id2547718"></a>5.24. Reload cookie jar/clear cookies on Firefox crash</h3></div></div></div><p>Options:
923
+  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.reload_crashed_jar</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.crashed</strong></span></td></tr></table><p>
924
+  </p><p>This is no longer a user visible option, and is enabled by default. In
925
+the event of a crash, the Torbutton <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/crash-observer.js" target="_top">components/crash-observer.js</a> 
926
+  component will notify the Chrome (via the
927
+  <span class="command"><strong>extensions.torbutton.crashed</strong></span> pref and a <a class="ulink" href="https://developer.mozilla.org/en/NsIPrefBranch2#addObserver.28.29" target="_top">pref
928
+observer</a> in
929
+the chrome that listens for this update), and Torbutton will load the
930
+  correct jar for the current Tor state via the <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/cookie-jar-selector.js" target="_top">@torproject.org/cookie-jar-selector;2</a>
931
+  component.</p><p>
932
+This setting helps to satisfy the <a class="link" href="#state">State Separation</a> requirement in the event of Firefox
933
+crashes.
934
+</p></div><div class="sect2" title="5.25. On crash recovery or session restored startup, restore via: Tor, Non-Tor"><div class="titlepage"><div><div><h3 class="title"><a id="id2547794"></a>5.25. On crash recovery or session restored startup, restore via: Tor, Non-Tor</h3></div></div></div><p>Options:
935
+  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.restore_tor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.crashed</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.normal_exit</strong></span></td></tr></table><p>
936
+  </p><p>This option works with the Torbutton <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/crash-observer.js" target="_top">crash-observer.js</a> 
937
+  to set the Tor state after a crash is detected (via the 
938
+  <span class="command"><strong>extensions.torbutton.crashed</strong></span> pref). To confirm for
939
+false positives (such as session restore failures, upgrade, normal
940
+session restore, etc), Torbutton also sets the pref
941
+extensions.torbutton.normal_exit in torbutton_uninstall_observer() during 
942
+Firefox exit and checks this value as well during startup.  
943
+</p><p>
944
+
945
+Since the Tor state after a Firefox crash is unknown/indeterminate, this
946
+setting helps to satisfy the <a class="link" href="#state">State Separation</a>
947
+requirement in the event of Firefox crashes by ensuring all cookies,
948
+settings and saved sessions are reloaded from a fixed Tor state.
949
+ 
950
+</p></div><div class="sect2" title="5.26. On normal startup, set state to: Tor, Non-Tor, Shutdown State"><div class="titlepage"><div><div><h3 class="title"><a id="id2547866"></a>5.26. On normal startup, set state to: Tor, Non-Tor, Shutdown State</h3></div></div></div><p>Options:
951
+  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.startup_state</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.noncrashed</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.normal_exit</strong></span></td></tr></table><p>
952
+  </p><p>This option also works with the Torbutton <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/crash-observer.js" target="_top">crash-observer.js</a> 
953
+  to set the Tor state after a normal startup is detected (via the 
954
+  <span class="command"><strong>extensions.torbutton.noncrashed</strong></span> pref). To confirm for
955
+false positives
956
+(such as session restore failures, etc), Torbutton also sets the pref
957
+extensions.torbutton.normal_exit in torbutton_uninstall_observer() during
958
+Firefox exit and checks this value as well during startup.
959
+  
960
+</p></div><div class="sect2" title="5.27. Prevent session store from saving Non-Tor/Tor-loaded tabs"><div class="titlepage"><div><div><h3 class="title"><a id="id2547925"></a>5.27. Prevent session store from saving Non-Tor/Tor-loaded tabs</h3></div></div></div><p>Options: 
961
+  </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.nonontor_sessionstore</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.notor_sessionstore</strong></span></td></tr></table><p>
962
+  </p><p>If these options are enabled, the <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/components/nsSessionStore3.js" target="_top">replacement nsSessionStore.js</a>
963
+  component checks the <span class="command"><strong>__tb_tor_fetched</strong></span> tag of tabs before writing them
964
+  out. If the tag is from a blocked Tor state, the tab is not written to disk.
965
+  </p><p>
966
+This setting helps to satisfy the <a class="link" href="#disk">Disk Avoidance</a>
967
+requirement, and also helps to satisfy the <a class="link" href="#state">State Separation</a> requirement in the event of Firefox
968
+crashes.
969
+
970
+</p></div><div class="sect2" title="5.28. Set user agent during Tor usage (crucial)"><div class="titlepage"><div><div><h3 class="title"><a id="id2547990"></a>5.28. Set user agent during Tor usage (crucial)</h3></div></div></div><p>Options:
971
+   </p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.set_uagent</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.platform_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.oscpu_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.buildID_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.productsub_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.appname_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.appversion_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_override</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_vendor</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.useragent_vendorSub</strong></span></td></tr></table><p>
972
+   </p><p>On face, user agent switching appears to be straight-forward in Firefox.
973
+It provides several options for controlling the browser user agent string:
974
+<span class="command"><strong>general.appname.override</strong></span>,
975
+<span class="command"><strong>general.appversion.override</strong></span>,
976
+<span class="command"><strong>general.platform.override</strong></span>,
977
+<span class="command"><strong>general.oscpu.override</strong></span>,
978
+<span class="command"><strong>general.productSub.override</strong></span>,
979
+<span class="command"><strong>general.buildID.override</strong></span>,
980
+<span class="command"><strong>general.useragent.override</strong></span>,
981
+<span class="command"><strong>general.useragent.vendor</strong></span>, and
982
+<span class="command"><strong>general.useragent.vendorSub</strong></span>. If
983
+the Torbutton preference <span class="command"><strong>extensions.torbutton.set_uagent</strong></span> is
984
+true, Torbutton copies all of the other above prefs into their corresponding
985
+browser preferences during Tor usage.</p><p>
986
+
987
+It also turns out that it is possible to detect the original Firefox version
988
+by <a class="ulink" href="http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/" target="_top">inspecting
989
+certain resource:// files</a>. These cases are handled by Torbutton's
990
+<a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>.
991
+
992
+</p><p>
993
+This setting helps to satisfy the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> requirement.
994
+</p></div><div class="sect2" title="5.29. Spoof US English Browser"><div class="titlepage"><div><div><h3 class="title"><a id="id2548164"></a>5.29. Spoof US English Browser</h3></div></div></div><p>Options:
995
+</p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.spoof_english</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.spoof_charset</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.spoof_language</strong></span></td></tr></table><p>
996
+</p><p> This option causes Torbutton to set
997
+<span class="command"><strong>general.useragent.locale</strong></span>
998
+<span class="command"><strong>intl.accept_languages</strong></span> to the value specified in
999
+<span class="command"><strong>extensions.torbutton.spoof_locale</strong></span>,
1000
+<span class="command"><strong>extensions.torbutton.spoof_charset</strong></span> and
1001
+<span class="command"><strong>extensions.torbutton.spoof_language</strong></span> during Tor usage, as
1002
+well as hooking <span class="command"><strong>navigator.language</strong></span> via its <a class="link" href="#jshooks" title="5.4. Hook Dangerous Javascript">javascript hooks</a>.
1003
+ </p><p>
1004
+This setting helps to satisfy the <a class="link" href="#setpreservation">Anonymity Set Preservation</a> and <a class="link" href="#location">Location Neutrality</a> requirements.
1005
+</p></div><div class="sect2" title="5.30. Don't send referrer during Tor Usage"><div class="titlepage"><div><div><h3 class="title"><a id="id2548257"></a>5.30. Don't send referrer during Tor Usage</h3></div></div></div><p>Option: <span class="command"><strong>extensions.torbutton.disable_referer</strong></span>
1006
+</p><p> 
1007
+This option causes Torbutton to set <a class="ulink" href="http://kb.mozillazine.org/Network.http.sendSecureXSiteReferrer" target="_top">network.http.sendSecureXSiteReferrer</a> and
1008
+<a class="ulink" href="http://kb.mozillazine.org/Network.http.sendRefererHeader" target="_top">network.http.sendRefererHeader</a> during Tor usage.</p><p>
1009
+This setting also does not directly satisfy any Torbutton requirement, but
1010
+some may desire to mask their referrer for general privacy concerns.
1011
+</p></div><div class="sect2" title="5.31. Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)"><div class="titlepage"><div><div><h3 class="title"><a id="id2548297"></a>5.31. Store SSL/CA Certs in separate jars for Tor/Non-Tor (recommended)</h3></div></div></div><p>Options:
1012
+</p><table border="0" summary="Simple list" class="simplelist"><tr><td><span class="command"><strong>extensions.torbutton.jar_certs</strong></span></td></tr><tr><td><span class="command"><strong>extensions.torbutton.jar_ca_certs</strong></span></td></tr></table><p>
1013
+</p><p>
1014
+
1015
+These settings govern if Torbutton attempts to isolate the user's SSL
1016
+certificates into separate jars for each Tor state. This isolation is
1017
+implemented in <code class="function">torbutton_jar_certs()</code> in <a class="ulink" href="https://git.torproject.org/checkout/torbutton/master/src/chrome/content/torbutton.js" target="_top">chrome/content/torbutton.js</a>,
1018
+which calls <code class="function">torbutton_jar_cert_type()</code> and
1019
+<code class="function">torbutton_unjar_cert_type()</code> for each certificate type in
1020
+the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/nsscertcache;1" target="_top">@mozilla.org/security/nsscertcache;1</a>.
1021
+Certificates are deleted from and imported to the <a class="ulink" href="http://www.oxymoronical.com/experiments/xpcomref/applications/Firefox/3.5/components/%40mozilla.org/security/x509certdb;1" target="_top">@mozilla.org/security/x509certdb;1</a>.
1022
+</p><p>
1023
+The first time this pref is used, a backup of the user's certificates is
1024
+created in their profile directory under the name
1025
+<code class="filename">cert8.db.bak</code>. This file can be copied back to
1026
+<code class="filename">cert8.db</code> to fully restore the original state of the
1027
+user's certificates in the event of any error.
1028
+</p><p>
1029
+Since exit nodes and malicious sites can insert content elements sourced to
1030
+specific SSL sites to query if a user has a certain certificate,
1031
+this setting helps to satisfy the <a class="link" href="#state">State
1032
+Separation</a> requirement of Torbutton. Unfortunately, <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435159" target="_top">Firefox Bug
1033
+435159</a> prevents it from functioning correctly in the event of rapid Tor toggle, so it
1034
+is currently not exposed via the preferences UI.
1035
+
1036
+</p></div></div><div class="sect1" title="6. Relevant Firefox Bugs"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="FirefoxBugs"></a>6. Relevant Firefox Bugs</h2></div></div></div><p>
1037
+
1038
+  </p><div class="sect2" title="6.1. Bugs impacting security"><div class="titlepage"><div><div><h3 class="title"><a id="FirefoxSecurity"></a>6.1. Bugs impacting security</h3></div></div></div><p>
1039
+
1040
+Torbutton has to work around a number of Firefox bugs that impact its
1041
+security. Most of these are mentioned elsewhere in this document, but they
1042
+have also been gathered here for reference. Several of these have fixes in
1043
+Firefox3.0/trunk, but are listed because they still have not been backported
1044
+to FF2.0. In order of decreasing severity, they are:
1045
+
1046
+   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=392274" target="_top">Bug 392274 - Timezone
1047
+config/chrome API</a><p>
1048
+
1049
+The lack of a config or API to configure the timezone requires Torbutton to
1050
+<a class="link" href="#jshooks" title="5.4. Hook Dangerous Javascript">insert client content window javascript</a> to hook
1051
+the Date object. Additionally, a way to <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/unmask-date.html" target="_top">remove the Date
1052
+hooks</a> was discovered by Greg Fleischer. Worse, on Firefox 3,
1053
+javascript sandboxing prevents most of the javascript hooks from being
1054
+installed, including the Date hooks. On Windows and Linux, you can set the TZ
1055
+environment variable to "UTC" as a workaround. Firefox will obey this
1056
+environment variable for your Timezone on those platforms, but on Windows this
1057
+does not take effect until browser restart. A fix for this has landed in
1058
+Firefox 3.5, but still has not been backported to Firefox 3.0. The lack of an
1059
+easy way to reliably spoof the timezone interferes with Torbutton's ability to
1060
+fulfill its <a class="link" href="#location">Location Neutrality</a> requirement.
1061
+
1062
+
1063
+   </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435159" target="_top">Bug 435159 -
1064
+nsNSSCertificateDB::DeleteCertificate has race conditions</a><p>
1065
+
1066
+In Torbutton 1.2.0rc1, code was added to attempt to isolate SSL certificates
1067
+the user has installed. Unfortunately, the method call to delete a certificate
1068
+from the current certificate database acts lazily: it only sets a variable
1069
+that marks a cert for deletion later, and it is not cleared if that
1070
+certificate is re-added. This means that if the Tor state is toggled quickly,
1071
+that certificate could remain present until it is re-inserted (causing an
1072
+error dialog), and worse, it would still be deleted after that.  The lack of
1073
+this functionality is considered a Torbutton security bug because cert
1074
+isolation is considered a <a class="link" href="#state">State Separation</a>
1075
+feature.
1076
+
1077
+      </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=409737" target="_top">Bug 409737 -
1078
+javascript.enabled and docShell.allowJavascript do not disable all event
1079
+handlers</a><p>
1080
+
1081
+This bug allows pages to execute javascript via addEventListener and perhaps
1082
+other callbacks. In order to prevent this bug from enabling an attacker to
1083
+break the <a class="link" href="#isolation">Network Isolation</a> requirement,
1084
+Torbutton 1.1.13 began blocking popups and history manipulation from different
1085
+Tor states.  So long as there are no ways to open popups or redirect the user
1086
+to a new page, the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">Torbutton content
1087
+policy</a> should block Javascript network access. However, if there are
1088
+ways to open popups or perform redirects such that Torbutton cannot block
1089
+them, pages may still have free reign to break that requirement and reveal a
1090
+user's original IP address.
1091
+
1092
+     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=448743" target="_top">Bug 448743 -
1093
+Decouple general.useragent.locale from spoofing of navigator.language</a><p>
1094
+
1095
+Currently, Torbutton spoofs the <span class="command"><strong>navigator.language</strong></span>
1096
+attribute via <a class="link" href="#jshooks" title="5.4. Hook Dangerous Javascript">Javascript hooks</a>. Unfortunately,
1097
+these do not work on Firefox 3. It would be ideal to have
1098
+a pref to set this value (something like a
1099
+<span class="command"><strong>general.useragent.override.locale</strong></span>),
1100
+to avoid fragmenting the anonymity set of users of foreign locales. This issue
1101
+impedes Torbutton from fully meeting its <a class="link" href="#setpreservation">Anonymity Set Preservation</a>
1102
+requirement on Firefox 3.
1103
+
1104
+     </p></li></ol></div></div><div class="sect2" title="6.2. Bugs blocking functionality"><div class="titlepage"><div><div><h3 class="title"><a id="FirefoxWishlist"></a>6.2. Bugs blocking functionality</h3></div></div></div><p>
1105
+The following bugs impact Torbutton and similar extensions' functionality.
1106
+   </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=445696" target="_top">Bug 445696 -
1107
+Extensions cannot determine if firefox is fullScreen</a><p>
1108
+
1109
+The windowState property of <a class="ulink" href="https://developer.mozilla.org/en/XUL/window" target="_top">ChromeWindows</a> does not accurately reflect the true
1110
+state of the window in some cases on Linux. This causes Torbutton to attempt
1111
+to resize maximized and minimized windows when it should not.
1112
+
1113
+   </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=290456" target="_top">Bug 290456 -
1114
+Block/clear Flash MX "cookies" as well</a><p>
1115
+
1116
+Today, it is possible to allow plugins if you have a transparent proxy such as
1117
+<a class="ulink" href="http://anonymityanywhere.com/incognito/" target="_top">Incognito</a> to prevent proxy bypass. However, flash cookies can still be used to
1118
+link your Tor and Non-Tor activity, and this reveal your IP to an adversary
1119
+that does so. This can be solved by manually removing your flash cookies (like
1120
+<a class="ulink" href="https://addons.mozilla.org/en-US/firefox/addon/6623" target="_top">BetterPrivacy</a> does), but
1121
+it would be nice if there was a standard way to do this from a Firefox API.
1122
+
1123
+   </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=417869" target="_top">Bug 417869 -
1124
+Browser context is difficult to obtain from many XPCOM callbacks</a><p>
1125
+
1126
+It is difficult to determine which tabbrowser many XPCOM callbacks originate
1127
+from, and in some cases absolutely no context information is provided at all.
1128
+While this doesn't have much of an effect on Torbutton, it does make writing
1129
+extensions that would like to do per-tab settings and content filters (such as
1130
+FoxyProxy) difficult to impossible to implement securely.
1131
+
1132
+   </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=418321" target="_top">Bug 418321 -
1133
+Components do not expose disk interfaces</a><p>
1134
+
1135
+Several components currently provide no way of reimplementing their disk
1136
+access to easily satisfy Torbutton's <a class="link" href="#disk">Disk
1137
+Avoidance</a> requirements. Workarounds exist, but they are <a class="link" href="#sessionstore" title="@mozilla.org/browser/sessionstore;1 - components/nsSessionStore36.js">clunky</a>, and
1138
+some of them involve disabling functionality during Tor usage.
1139
+
1140
+   </p></li></ol></div></div><div class="sect2" title="6.3. Low Priority Bugs"><div class="titlepage"><div><div><h3 class="title"><a id="FirefoxMiscBugs"></a>6.3. Low Priority Bugs</h3></div></div></div><p>
1141
+The following bugs have an effect upon Torbutton, but are superseded by more
1142
+practical and more easily fixable variant bugs above; or have stable, simple
1143
+workarounds.
1144
+  </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=435151" target="_top">Bug 435151 - XPCSafeJSObjectWrapper breaks evalInSandbox</a><p>
1145
+
1146
+Under Firefox 3, the XPCSafeJSObjectWrapper breaks when you try to use
1147
+constructors of classes defined from within the scope of the sandbox, among
1148
+other things. This prevents Torbutton from applying the Timezone hooks under
1149
+Firefox 3, but a better solution for Torbutton's specific date hooking needs 
1150
+would be a fix for the above mentioned Bug 392274. Of course, many more
1151
+extensions may be interested in the sandbox hooking functionality working
1152
+properly though.
1153
+
1154
+     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=440892" target="_top">Bug 440892 -
1155
+network.protocol-handler.warn-external are ignored</a><p>
1156
+
1157
+Sometime in the Firefox 3 development cycle, the preferences that governed
1158
+warning a user when external apps were launched got disconnected from the code
1159
+that does the launching. Torbutton depended on these prefs to prevent websites
1160
+from launching specially crafted documents and application arguments that
1161
+caused Proxy Bypass. We currently work around this issue by <a class="link" href="#appblocker" title="@mozilla.org/uriloader/external-protocol-service;1 , @mozilla.org/uriloader/external-helper-app-service;1, and @mozilla.org/mime;1 - components/external-app-blocker.js">wrapping the app launching components</a> to present a
1162
+popup before launching external apps while Tor is enabled. While this works,
1163
+it would be nice if these prefs were either fixed or removed.
1164
+
1165
+     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=437014" target="_top">Bug 437014 -
1166
+nsIContentPolicy::shouldLoad no longer called for favicons</a><p>
1167
+
1168
+Firefox 3.0 stopped calling the shouldLoad call of content policy for favicon
1169
+loads. Torbutton had relied on this call to block favicon loads for opposite
1170
+Tor states. The workaround it employs for Firefox 3 is to cancel the request
1171
+when it arrives in the <span class="command"><strong>torbutton_http_observer</strong></span> used for
1172
+blocking full page plugin loads. This seems to work just fine, but is a bit
1173
+dirty.
1174
+
1175
+    </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=418986" target="_top">Bug 418986 - window.screen
1176
+provides a large amount of identifiable information</a><p>
1177
+
1178
+As <a class="link" href="#fingerprinting">mentioned above</a>, a large amount of
1179
+information is available from <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:window.screen" target="_top">window.screen</a>.
1180
+Currently, there is no way to obscure this information without Javascript
1181
+hooking. This bug is a feature request to provide some other method to change
1182
+these values.
1183
+
1184
+   </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=309524" target="_top">Bug 309524</a>
1185
+and <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380556" target="_top">Bug
1186
+380556</a> - nsIContentPolicy::shouldProcess is not called.
1187
+     <p>
1188
+
1189
+This is a call that would be useful to develop a better workaround for the
1190
+allowPlugins issue above. If the content policy were called before a URL was
1191
+handed over to a plugin or helper app, it would make the workaround for the
1192
+above allowPlugins bug a lot cleaner. Obviously this bug is not as severe as
1193
+the others though, but it might be nice to have this API as a backup.
1194
+
1195
+     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=401296" target="_top">Bug 401296 - docShell.allowPlugins
1196
+not honored for direct links</a> (Perhaps subset of <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=282106" target="_top">Bug 282106</a>?)
1197
+     <p>
1198
+
1199
+Similar to the javascript plugin disabling attribute, the plugin disabling
1200
+attribute is also not perfect — it is ignored for direct links to plugin
1201
+handled content, as well as meta-refreshes to plugin handled content.  This
1202
+requires Torbutton to listen to a number of different http events to intercept
1203
+plugin-related mime type URLs and cancel their requests. Again, since plugins
1204
+are quite horrible about obeying proxy settings, loading a plugin pretty much
1205
+ensures a way to break the <a class="link" href="#isolation">Network Isolation</a>
1206
+requirement and reveal a user's original IP address. Torbutton's code to
1207
+perform this workaround has been subverted at least once already by Kyle
1208
+Williams.
1209
+
1210
+     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=448747" target="_top">Bug 448747 -
1211
+Provide Mechanism to clear TLS Session IDs</a><p>
1212
+
1213
+As <a class="link" href="#browseroverlay" title="3.1. Browser Overlay - torbutton.xul">mentioned above</a>, Torbutton currently
1214
+toggles <span class="command"><strong>security.enable_ssl2</strong></span> to clear the SSL
1215
+Session ID cache via the pref observer at <a class="ulink" href="http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsNSSComponent.cpp#2134" target="_top">nsNSSComponent.cpp
1216
+line 2134</a>. This is an arcane and potentially fragile fix. It would be
1217
+better if there were a more standard interface for accomplishing the same
1218
+thing.
1219
+
1220
+     </p></li><li class="listitem"><a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=419598" target="_top">Bug 419598 - 'var
1221
+Date' is deletable</a><p>
1222
+
1223
+Based on Page 62 of the <a class="ulink" href="http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf" target="_top">ECMA-262
1224
+Javascript spec</a>, it seems like it should be possible to do something
1225
+like the following to prevent the Date object from being unmasked:
1226
+</p><pre class="screen">
1227
+with(window) {
1228
+    var Date = fakeDate;
1229
+    var otherVariable = 42;
1230
+}
1231
+
1232
+delete window.Date; // Should fail. Instead succeeds, revealing original Date.
1233
+delete window.otherVariable; // Fails, leaving window.otherVariable set to 42.
1234
+</pre><p>
1235
+
1236
+From the ECMA-262 spec:
1237
+
1238
+</p><div class="blockquote"><blockquote class="blockquote">
1239
+If the variable statement occurs inside a FunctionDeclaration, the variables
1240
+are defined with function-local scope in that function, as described in
1241
+s10.1.3. Otherwise, they are defined with global scope (that is, they are
1242
+created as members of the global object, as described in 10.1.3) using
1243
+property attributes { DontDelete }. Variables are created when the execution
1244
+scope is entered. A Block does not define a new execution scope. Only Program
1245
+and FunctionDeclaration produce a new scope. Variables are initialized to
1246
+undefined when created. A variable with an Initialiser is assigned the value
1247
+of its AssignmentExpression when the VariableStatement is executed, not when
1248
+the variable is created.
1249
+</blockquote></div><p>
1250
+
1251
+In fact, this is exactly how the with statement with a variable declaration
1252
+behaves <span class="emphasis"><em>for all other variables other than ones that shadow system
1253
+variables</em></span>. Some variables (such as
1254
+<span class="command"><strong>window.screen</strong></span>, and <span class="command"><strong>window.history</strong></span>) can't
1255
+even be shadowed in this way, and give an error about lacking a setter. If
1256
+such shadowing were possible, it would greatly simplify the Javascript hooking
1257
+code, which currently relies on undocumented semantics of
1258
+<span class="command"><strong>__proto__</strong></span> to copy the original values in the event of a
1259
+delete. This <span class="command"><strong>__proto__</strong></span> hack unfortunately does not work for
1260
+the Date object though.
1261
+
1262
+     </p></li></ol></div></div></div><div class="sect1" title="7. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="TestPlan"></a>7. Testing</h2></div></div></div><p>
1263
+
1264
+The purpose of this section is to cover all the known ways that Tor browser
1265
+security can be subverted from a penetration testing perspective. The hope
1266
+is that it will be useful both for creating a "Tor Safety Check"
1267
+page, and for developing novel tests and actively attacking Torbutton with the
1268
+goal of finding vulnerabilities in either it or the Mozilla components,
1269
+interfaces and settings upon which it relies.
1270
+
1271
+  </p><div class="sect2" title="7.1. Single state testing"><div class="titlepage"><div><div><h3 class="title"><a id="SingleStateTesting"></a>7.1. Single state testing</h3></div></div></div><p>
1272
+
1273
+Torbutton is a complicated piece of software. During development, changes to
1274
+one component can affect a whole slough of unrelated features.  A number of
1275
+aggregated test suites exist that can be used to test for regressions in
1276
+Torbutton and to help aid in the development of Torbutton-like addons and
1277
+other privacy modifications of other browsers. Some of these test suites exist
1278
+as a single automated page, while others are a series of pages you must visit
1279
+individually. They are provided here for reference and future regression
1280
+testing, and also in the hope that some brave soul will one day decide to
1281
+combine them into a comprehensive automated test suite.
1282
+
1283
+     </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://decloak.net/" target="_top">Decloak.net</a><p>
1284
+
1285
+Decloak.net is the canonical source of plugin and external-application based
1286
+proxy-bypass exploits. It is a fully automated test suite maintained by <a class="ulink" href="http://digitaloffense.net/" target="_top">HD Moore</a> as a service for people to
1287
+use to test their anonymity systems.
1288
+
1289
+       </p></li><li class="listitem"><a class="ulink" href="http://deanonymizer.com/" target="_top">Deanonymizer.com</a><p>
1290
+
1291
+Deanonymizer.com is another automated test suite that tests for proxy bypass
1292
+and other information disclosure vulnerabilities. It is maintained by Kyle
1293
+Williams, the author of <a class="ulink" href="http://www.janusvm.com/" target="_top">JanusVM</a>
1294
+and <a class="ulink" href="http://www.januspa.com/" target="_top">JanusPA</a>.
1295
+
1296
+       </p></li><li class="listitem"><a class="ulink" href="https://www.jondos.de/en/anontest" target="_top">JonDos
1297
+AnonTest</a><p>
1298
+
1299
+The <a class="ulink" href="https://www.jondos.de" target="_top">JonDos people</a> also provide an
1300
+anonymity tester. It is more focused on HTTP headers than plugin bypass, and
1301
+points out a couple of headers Torbutton could do a better job with
1302
+obfuscating.
1303
+
1304
+       </p></li><li class="listitem"><a class="ulink" href="http://browserspy.dk" target="_top">Browserspy.dk</a><p>
1305
+
1306
+Browserspy.dk provides a tremendous collection of browser fingerprinting and
1307
+general privacy tests. Unfortunately they are only available one page at a
1308
+time, and there is not really solid feedback on good vs bad behavior in
1309
+the test results.
1310
+
1311
+       </p></li><li class="listitem"><a class="ulink" href="http://analyze.privacy.net/" target="_top">Privacy
1312
+Analyzer</a><p>
1313
+
1314
+The Privacy Analyzer provides a dump of all sorts of browser attributes and
1315
+settings that it detects, including some information on your origin IP
1316
+address. Its page layout and lack of good vs bad test result feedback makes it
1317
+not as useful as a user-facing testing tool, but it does provide some
1318
+interesting checks in a single page.
1319
+
1320
+       </p></li><li class="listitem"><a class="ulink" href="http://ha.ckers.org/mr-t/" target="_top">Mr. T</a><p>
1321
+
1322
+Mr. T is a collection of browser fingerprinting and deanonymization exploits
1323
+discovered by the <a class="ulink" href="http://ha.ckers.org" target="_top">ha.ckers.org</a> crew
1324
+and others. It is also not as user friendly as some of the above tests, but it
1325
+is a useful collection.
1326
+
1327
+       </p></li><li class="listitem">Gregory Fleischer's <a class="ulink" href="http://pseudo-flaw.net/content/tor/torbutton/" target="_top">Torbutton</a> and
1328
+<a class="ulink" href="http://pseudo-flaw.net/content/defcon/dc-17-demos/d.html" target="_top">Defcon
1329
+17</a> Test Cases
1330
+       <p>
1331
+
1332
+Gregory Fleischer has been hacking and testing Firefox and Torbutton privacy
1333
+issues for the past 2 years. He has an excellent collection of all his test
1334
+cases that can be used for regression testing. In his Defcon work, he
1335
+demonstrates ways to infer Firefox version based on arcane browser properties.
1336
+We are still trying to determine the best way to address some of those test
1337
+cases.
1338
+
1339
+       </p></li><li class="listitem"><a class="ulink" href="https://torcheck.xenobite.eu/index.php" target="_top">Xenobite's
1340
+TorCheck Page</a><p>
1341
+
1342
+This page checks to ensure you are using a valid Tor exit node and checks for
1343
+some basic browser properties related to privacy. It is not very fine-grained
1344
+or complete, but it is automated and could be turned into something useful
1345
+with a bit of work.
1346
+
1347
+       </p></li></ol></div><p>
1348
+    </p></div><div class="sect2" title="7.2. Multi-state testing"><div class="titlepage"><div><div><h3 class="title"><a id="id2549304"></a>7.2. Multi-state testing</h3></div></div></div><p>
1349
+
1350
+The tests in this section are geared towards a page that would instruct the
1351
+user to toggle their Tor state after the fetch and perform some operations:
1352
+mouseovers, stray clicks, and potentially reloads.
1353
+
1354
+   </p><div class="sect3" title="Cookies and Cache Correlation"><div class="titlepage"><div><div><h4 class="title"><a id="id2549316"></a>Cookies and Cache Correlation</h4></div></div></div><p>
1355
+The most obvious test is to set a cookie, ask the user to toggle tor, and then
1356
+have them reload the page. The cookie should no longer be set if they are
1357
+using the default Torbutton settings. In addition, it is possible to leverage
1358
+the cache to <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">store unique
1359
+identifiers</a>. The default settings of Torbutton should also protect
1360
+against these from persisting across Tor Toggle.
1361
+
1362
+    </p></div><div class="sect3" title="Javascript timers and event handlers"><div class="titlepage"><div><div><h4 class="title"><a id="id2549339"></a>Javascript timers and event handlers</h4></div></div></div><p>
1363
+
1364
+Javascript can set timers and register event handlers in the hopes of fetching
1365
+URLs after the user has toggled Torbutton. 
1366
+    </p></div><div class="sect3" title="CSS Popups and non-script Dynamic Content"><div class="titlepage"><div><div><h4 class="title"><a id="id2549351"></a>CSS Popups and non-script Dynamic Content</h4></div></div></div><p>
1367
+
1368
+Even if Javascript is disabled, CSS is still able to 
1369
+<a class="ulink" href="http://www.tjkdesign.com/articles/css%20pop%20ups/" target="_top">create popup-like
1370
+windows</a>
1371
+via the 'onmouseover' CSS attribute, which can cause arbitrary browser
1372
+activity as soon as the mouse enters into the content window. It is also
1373
+possible for meta-refresh tags to set timers long enough to make it likely
1374
+that the user has toggled Tor before fetching content.
1375
+
1376
+    </p></div></div><div class="sect2" title="7.3. Active testing (aka How to Hack Torbutton)"><div class="titlepage"><div><div><h3 class="title"><a id="HackTorbutton"></a>7.3. Active testing (aka How to Hack Torbutton)</h3></div></div></div><p>
1377
+
1378
+The idea behind active testing is to discover vulnerabilities in Torbutton to
1379
+bypass proxy settings, run script in an opposite Tor state, store unique
1380
+identifiers, leak location information, or otherwise violate <a class="link" href="#requirements" title="1.2. Torbutton Requirements">its requirements</a>. Torbutton has ventured out
1381
+into a strange and new security landscape. It depends on Firefox mechanisms
1382
+that haven't necessarily been audited for security, certainly not for the
1383
+threat model that Torbutton seeks to address. As such, it and the interfaces
1384
+it depends upon still need a 'trial by fire' typical of new technologies. This
1385
+section of the document was written with the intention of making that period
1386
+as fast as possible. Please help us get through this period by considering
1387
+these attacks, playing with them, and reporting what you find (and potentially
1388
+submitting the test cases back to be run in the standard batch of Torbutton
1389
+tests.
1390
+
1391
+   </p><div class="sect3" title="Some suggested vectors to investigate"><div class="titlepage"><div><div><h4 class="title"><a id="id2549406"></a>Some suggested vectors to investigate</h4></div></div></div><p>
1392
+    </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">Strange ways to register Javascript <a class="ulink" href="http://en.wikipedia.org/wiki/DOM_Events" target="_top">events</a> and <a class="ulink" href="http://www.devshed.com/c/a/JavaScript/Using-Timers-in-JavaScript/" target="_top">timeouts</a> should
1393
+be verified to actually be ineffective after Tor has been toggled.</li><li class="listitem">Other ways to cause Javascript to be executed after
1394
+<span class="command"><strong>javascript.enabled</strong></span> has been toggled off.</li><li class="listitem">Odd ways to attempt to load plugins. Kyle Williams has had
1395
+some success with direct loads/meta-refreshes of plugin-handled URLs.</li><li class="listitem">The Date and Timezone hooks should be verified to work with
1396
+crazy combinations of iframes, nested iframes, iframes in frames, frames in
1397
+iframes, and popups being loaded and
1398
+reloaded in rapid succession, and/or from one another. Think race conditions and deep, 
1399
+parallel nesting, involving iframes from both <a class="ulink" href="http://en.wikipedia.org/wiki/Same_origin_policy" target="_top">same-origin and
1400
+non-same-origin</a> domains.</li><li class="listitem">In addition, there may be alternate ways and other
1401
+methods to query the timezone, or otherwise use some of the Date object's
1402
+methods in combination to deduce the timezone offset. Of course, the author
1403
+tried his best to cover all the methods he could foresee, but it's always good
1404
+to have another set of eyes try it out.</li><li class="listitem">Similarly, is there any way to confuse the <a class="link" href="#contentpolicy" title="@torproject.org/cssblocker;1 - components/cssblocker.js">content policy</a>
1405
+mentioned above to cause it to allow certain types of page fetches? For
1406
+example, it was recently discovered that favicons are not fetched by the
1407
+content, but the chrome itself, hence the content policy did not look up the
1408
+correct window to determine the current Tor tag for the favicon fetch. Are
1409
+there other things that can do this? Popups? Bookmarklets? Active bookmarks? </li><li class="listitem">Alternate ways to store and fetch unique identifiers. For example, <a class="ulink" href="http://developer.mozilla.org/en/docs/DOM:Storage" target="_top">DOM Storage</a>
1410
+caught us off guard. 
1411
+It was
1412
+also discovered by <a class="ulink" href="http://pseudo-flaw.net" target="_top">Gregory
1413
+Fleischer</a> that <a class="ulink" href="http://pseudo-flaw.net/content/tor/torbutton/" target="_top">content window access to
1414
+chrome</a> can be used to build <a class="link" href="#fingerprinting">unique
1415
+identifiers</a>. 
1416
+Are there any other
1417
+arcane or experimental ways that Firefox provides to create and store unique
1418
+identifiers? Or perhaps unique identifiers can be queried or derived from
1419
+properties of the machine/browser that Javascript has access to? How unique
1420
+can these identifiers be?
1421
+     </li><li class="listitem">Is it possible to get the browser to write some history to disk
1422
+(aside from swap) that can be retrieved later? By default, Torbutton should
1423
+write no history, cookie, or other browsing activity information to the
1424
+harddisk.</li><li class="listitem">Do popup windows make it easier to break any of the above
1425
+behavior? Are javascript events still canceled in popups? What about recursive
1426
+popups from Javascript, data, and other funky URL types? What about CSS
1427
+popups? Are they still blocked after Tor is toggled?</li><li class="listitem">Chrome-escalation attacks. The interaction between the
1428
+Torbutton chrome Javascript and the client content window javascript is pretty
1429
+well-defined and carefully constructed, but perhaps there is a way to smuggle
1430
+javascript back in a return value, or otherwise inject network-loaded
1431
+javascript into the chrome (and thus gain complete control of the browser).
1432
+</li></ul></div><p>
1433
+
1434
+    </p></div></div></div></div></body></html>
0 1435