Mike Perry commited on 2011-10-08 01:44:03
Zeige 1 geänderte Dateien mit 25 Einfügungen und 22 Löschungen.
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
<?xml version="1.0" encoding="UTF-8"?> |
2 | 2 |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
3 |
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 6 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2650133">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2650133"></a>1. Introduction</h2></div></div></div><p> |
|
3 |
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 7 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2898146">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2898146"></a>1. Introduction</h2></div></div></div><p> |
|
4 | 4 |
|
5 | 5 |
This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>, |
6 | 6 |
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, |
... | ... |
@@ -237,14 +237,14 @@ store their browsing history information to disk. |
237 | 237 |
|
238 | 238 |
</p></li><li class="listitem"><span class="command"><strong>Application Data Isolation</strong></span><p> |
239 | 239 |
|
240 |
-The components involved in providing private browsing MUST BE self-contained, |
|
240 |
+The components involved in providing private browsing MUST be self-contained, |
|
241 | 241 |
or MUST provide a mechanism for rapid, complete removal of all evidence of the |
242 | 242 |
use of the mode. In other words, the browser MUST NOT write or cause the |
243 | 243 |
operating system to write <span class="emphasis"><em>any information</em></span> about the use |
244 | 244 |
of private browsing to disk outside of the application's control. The user |
245 | 245 |
must be able to ensure that secure removal of the software is sufficient to |
246 | 246 |
remove evidence of the use of the software. All exceptions and shortcomings |
247 |
-due to operating system behavior MUST BE wiped by an uninstaller. However, due |
|
247 |
+due to operating system behavior MUST be wiped by an uninstaller. However, due |
|
248 | 248 |
to permissions issues with access to swap, implementations MAY choose to leave |
249 | 249 |
it out of scope, and/or leave it to the user to implement encrypted swap. |
250 | 250 |
|
... | ... |
@@ -263,7 +263,7 @@ the descriptions in the <a class="link" href="#Implementation" title="3. Implem |
263 | 263 |
section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the |
264 | 264 |
second-level DNS name. For example, for mail.google.com, the origin would be |
265 | 265 |
google.com. Implementations MAY, at their option, restrict the url bar origin |
266 |
-to be the entire fully qualified domain name |
|
266 |
+to be the entire fully qualified domain name. |
|
267 | 267 |
|
268 | 268 |
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cross-Origin Identifier Unlinkability</strong></span><p> |
269 | 269 |
|
... | ... |
@@ -283,7 +283,7 @@ linkability from fingerprinting browser behavior. |
283 | 283 |
|
284 | 284 |
</p></li><li class="listitem"><span class="command"><strong>Long-Term Unlinkability</strong></span><p> |
285 | 285 |
|
286 |
-The browser SHOULD provide an obvious, easy way to remove all of their |
|
286 |
+The browser SHOULD provide an obvious, easy way to remove all of its |
|
287 | 287 |
authentication tokens and browser state and obtain a fresh identity. |
288 | 288 |
Additionally, the browser SHOULD clear linkable state by default automatically |
289 | 289 |
upon browser restart, except at user option. |
... | ... |
@@ -331,7 +331,7 @@ Therefore, if plugins are to be enabled in private browsing modes, they must |
331 | 331 |
be restricted from running automatically on every page (via click-to-play |
332 | 332 |
placeholders), and/or be sandboxed to restrict the types of system calls they |
333 | 333 |
can execute. If the user decides to craft an exemption to allow a plugin to be |
334 |
-used, it MUST ONLY apply to the top level url bar domain, and not to all sites, |
|
334 |
+used, it MUST only apply to the top level url bar domain, and not to all sites, |
|
335 | 335 |
to reduce linkability. |
336 | 336 |
|
337 | 337 |
</p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p> |
... | ... |
@@ -428,13 +428,13 @@ launch a helper app. |
428 | 428 |
Tor Browser State is separated from existing browser state through use of a |
429 | 429 |
custom Firefox profile. Furthermore, plugins are disabled, which prevents |
430 | 430 |
Flash cookies from leaking from a pre-existing Flash directory. |
431 |
- </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2666962"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
431 |
+ </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2914975"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
432 | 432 |
Tor Browser MUST (at user option) prevent all disk records of browser activity. |
433 | 433 |
The user should be able to optionally enable URL history and other history |
434 | 434 |
features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the |
435 | 435 |
preferences interface</a>, we will likely just enable Private Browsing |
436 | 436 |
mode by default to handle this goal. |
437 |
- </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2666425"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
437 |
+ </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2914438"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
438 | 438 |
For now, Tor Browser blocks write access to the disk through Torbutton |
439 | 439 |
using several Firefox preferences. |
440 | 440 |
|
... | ... |
@@ -499,7 +499,7 @@ the url bar origin for which browser state exists, possibly with a |
499 | 499 |
context-menu option to drill down into specific types of state or permissions. |
500 | 500 |
An example of this simplification can be seen in Figure 1. |
501 | 501 |
|
502 |
- </p><div class="figure"><a id="id2663383"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p> |
|
502 |
+ </p><div class="figure"><a id="id2911396"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p> |
|
503 | 503 |
|
504 | 504 |
On the left is the standard Firefox cookie manager. On the right is a mock-up |
505 | 505 |
of how isolating identifiers to the URL bar origin might simplify the privacy |
... | ... |
@@ -574,7 +574,7 @@ observer to modify it. |
574 | 574 |
</p></li><li class="listitem">DOM Storage |
575 | 575 |
<p><span class="command"><strong>Design Goal:</strong></span> |
576 | 576 |
|
577 |
-DOM storage for third party domains MUST BE isolated to the url bar origin, |
|
577 |
+DOM storage for third party domains MUST be isolated to the url bar origin, |
|
578 | 578 |
to prevent linkability between sites. |
579 | 579 |
|
580 | 580 |
</p><p><span class="command"><strong>Implementation Status:</strong></span> |
... | ... |
@@ -619,13 +619,14 @@ Identity</a>. |
619 | 619 |
|
620 | 620 |
To prevent attacks aimed at subverting the Cross-Origin Identifier |
621 | 621 |
Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser |
622 |
-MUST prompt users before following redirects that would cause the user to |
|
623 |
-automatically navigate between two different url bar origins. |
|
622 |
+MUST prompt the user before following redirects that would cause the user to |
|
623 |
+automatically navigate between two different url bar origins. The prompt |
|
624 |
+SHOULD inform the user about the ability to use <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New Identity</a> to clear the linked identifiers |
|
625 |
+created by the redirect. |
|
624 | 626 |
|
625 | 627 |
</p><p> |
626 | 628 |
|
627 |
-However, to |
|
628 |
-reduce the occurrence of warning fatigue, these warning messages MAY be limited |
|
629 |
+To reduce the occurrence of warning fatigue, these warning messages MAY be limited |
|
629 | 630 |
to automated redirect cycles only. For example, the automated redirect |
630 | 631 |
sequence <span class="command"><strong>User Click -> t.co -> bit.ly -> cnn.com</strong></span> can be |
631 | 632 |
assumed to be benign, but the redirect sequence <span class="command"><strong>User Click -> t.co -> |
... | ... |
@@ -678,17 +679,19 @@ appear, setting this preference prevents automatic linkability from stored passw |
678 | 679 |
|
679 | 680 |
</p></li><li class="listitem">HSTS supercookies |
680 | 681 |
<p> |
681 |
-An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a> |
|
682 |
-supercookies. Since HSTS effectively stores one bit of information per domain |
|
682 |
+ |
|
683 |
+An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS |
|
684 |
+supercookies</a>. Since HSTS effectively stores one bit of information per domain |
|
683 | 685 |
name, an adversary in possession of numerous domains can use them to construct |
684 | 686 |
cookies based on stored HSTS state. |
685 | 687 |
|
686 | 688 |
</p><p><span class="command"><strong>Design Goal:</strong></span> |
687 | 689 |
|
688 | 690 |
There appears to be three options for us: 1. Disable HSTS entirely, and rely |
689 |
-instead on HTTPS-Everywhere. 2. Restrict the number of HSTS-enabled third |
|
690 |
-parties allowed per url bar origin. 3. Prevent third parties from storing HSTS |
|
691 |
-rules. We have not yet decided upon the best approach. |
|
691 |
+instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2. |
|
692 |
+Restrict the number of HSTS-enabled third parties allowed per url bar origin. |
|
693 |
+3. Prevent third parties from storing HSTS rules. We have not yet decided upon |
|
694 |
+the best approach. |
|
692 | 695 |
|
693 | 696 |
</p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is |
694 | 697 |
cleared by <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New Identity</a>, but we don't |
... | ... |
@@ -918,11 +921,11 @@ Currently we simply disable WebGL. |
918 | 921 |
</p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via "New Identity" button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p> |
919 | 922 |
In order to avoid long-term linkability, we provide a "New Identity" context |
920 | 923 |
menu option in Torbutton. |
921 |
- </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2662516"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
924 |
+ </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2910661"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
922 | 925 |
|
923 | 926 |
All linkable identifiers and browser state MUST be cleared by this feature. |
924 | 927 |
|
925 |
- </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2678689"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
928 |
+ </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2888916"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
926 | 929 |
|
927 | 930 |
First, Torbutton disables all open tabs and windows via nsIContentPolicy |
928 | 931 |
blocking, and then closes each tab and window. The extra step for blocking |
... | ... |
@@ -1021,7 +1024,7 @@ ruin our day, and censorship filters). Hence we rolled our own. |
1021 | 1024 |
This patch prevents random URLs from being inserted into content-prefs.sqllite in |
1022 | 1025 |
the profile directory as content prefs change (includes site-zoom and perhaps |
1023 | 1026 |
other site prefs?). |
1024 |
- </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2671107"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2671454"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2674390"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p> |
|
1027 |
+ </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2924325"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2896172"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2917044"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p> |
|
1025 | 1028 |
|
1026 | 1029 |
The purpose of this section is to cover all the known ways that Tor browser |
1027 | 1030 |
security can be subverted from a penetration testing perspective. The hope |
1028 | 1031 |