Additional comments from Georg Koppen.
Mike Perry

Mike Perry committed on 2011-10-08 01:44:03
Showing 1 changed file with 25 insertions and 22 deletions.

... ...
@@ -1,6 +1,6 @@
1 1
 <?xml version="1.0" encoding="UTF-8"?>
2 2
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Oct 6 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2650133">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. 
Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2650133"></a>1. Introduction</h2></div></div></div><p>
3
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Oct 7 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2898146">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. 
Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2898146"></a>1. Introduction</h2></div></div></div><p>
4 4
 
5 5
 This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>,
6 6
 <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>,
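Review bot: the regenerated DocBook anchor for the Introduction (`id2650133` to `id2898146`, in both the TOC entry and the section heading on line 3) breaks any external deep link to that section, and the same churn recurs for every auto-generated `id` elsewhere in this commit; give the section an explicit xml:id in the DocBook source, as `adversary` and `DesignRequirements` already have, so the rendered anchor survives regeneration. The pubdate bump to `Oct 7 2011` is the only content change in this hunk.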
... ...
@@ -237,14 +237,14 @@ store their browsing history information to disk.
237 237
 
238 238
 </p></li><li class="listitem"><span class="command"><strong>Application Data Isolation</strong></span><p>
239 239
 
240
-The components involved in providing private browsing MUST BE self-contained,
240
+The components involved in providing private browsing MUST be self-contained,
241 241
 or MUST provide a mechanism for rapid, complete removal of all evidence of the
242 242
 use of the mode. In other words, the browser MUST NOT write or cause the
243 243
 operating system to write <span class="emphasis"><em>any information</em></span> about the use
244 244
 of private browsing to disk outside of the application's control. The user
245 245
 must be able to ensure that secure removal of the software is sufficient to
246 246
 remove evidence of the use of the software. All exceptions and shortcomings
247
-due to operating system behavior MUST BE wiped by an uninstaller. However, due
247
+due to operating system behavior MUST be wiped by an uninstaller. However, due
248 248
 to permissions issues with access to swap, implementations MAY choose to leave
249 249
 it out of scope, and/or leave it to the user to implement encrypted swap.
250 250
 
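Review bot: the `MUST BE` to `MUST be` normalizations at 240 and 247 leave line 245 inconsistent: `The user must be able to ensure that secure removal of the software is sufficient` reads as a requirement but keeps lowercase `must`, so it is unclear whether it carries RFC 2119 force. Either capitalize it to `MUST` or reword it as explanatory text.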
... ...
@@ -263,7 +263,7 @@ the descriptions in the <a class="link" href="#Implementation" title="3. Implem
263 263
 section</a>, a <span class="command"><strong>url bar origin</strong></span> means at least the
264 264
 second-level DNS name.  For example, for mail.google.com, the origin would be
265 265
 google.com. Implementations MAY, at their option, restrict the url bar origin
266
-to be the entire fully qualified domain name
266
+to be the entire fully qualified domain name.
267 267
 
268 268
    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cross-Origin Identifier Unlinkability</strong></span><p>
269 269
 
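Review bot: the period added at 266 is fine, but the definition it closes is underspecified. `at least the second-level DNS name`, with `mail.google.com` to `google.com` as the only example, does not say what the origin is for registries that delegate at the third level (a host under `co.uk`, for instance), where the second-level name would merge unrelated sites into one origin. Stating the rule in terms of the registrable domain (effective TLD plus one label, per the public suffix list) would remove that ambiguity and make the MAY clause about the full FQDN a clear tightening rather than a repair.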
... ...
@@ -283,7 +283,7 @@ linkability from fingerprinting browser behavior.
283 283
 
284 284
   </p></li><li class="listitem"><span class="command"><strong>Long-Term Unlinkability</strong></span><p>
285 285
 
286
-The browser SHOULD provide an obvious, easy way to remove all of their
286
+The browser SHOULD provide an obvious, easy way to remove all of its
287 287
 authentication tokens and browser state and obtain a fresh identity.
288 288
 Additionally, the browser SHOULD clear linkable state by default automatically
289 289
 upon browser restart, except at user option.
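Review bot: `its` at 286 is the right referent fix, but the two sentences still name different things to clear: `all of its authentication tokens and browser state` at 286-287 versus `linkable state` at 288. If the restart-time clearing is meant to be the same set as the explicit New Identity action, say so; if it is a subset, define `linkable state` so an implementer knows what may be kept.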
... ...
@@ -331,7 +331,7 @@ Therefore, if plugins are to be enabled in private browsing modes, they must
331 331
 be restricted from running automatically on every page (via click-to-play
332 332
 placeholders), and/or be sandboxed to restrict the types of system calls they
333 333
 can execute. If the user decides to craft an exemption to allow a plugin to be
334
-used, it MUST ONLY apply to the top level url bar domain, and not to all sites,
334
+used, it MUST only apply to the top level url bar domain, and not to all sites,
335 335
 to reduce linkability.
336 336
 
337 337
        </p></li><li class="listitem"><span class="command"><strong>Minimize Global Privacy Options</strong></span><p>
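Review bot: `top level url bar domain` at 334 is not the term the document defines; the privacy requirements define `url bar origin` (at least the second-level DNS name, optionally the full FQDN). Using the defined term here settles whether a plugin exemption is keyed on the FQDN or on the second-level name, which decides how far the exemption, and the linkability it creates, reaches.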
... ...
@@ -428,13 +428,13 @@ launch a helper app.
428 428
 Tor Browser State is separated from existing browser state through use of a
429 429
 custom Firefox profile. Furthermore, plugins are disabled, which prevents
430 430
 Flash cookies from leaking from a pre-existing Flash directory.
431
-   </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2666962"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
431
+   </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2914975"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
432 432
 Tor Browser MUST (at user option) prevent all disk records of browser activity.
433 433
 The user should be able to optionally enable URL history and other history
434 434
 features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the
435 435
 preferences interface</a>, we will likely just enable Private Browsing
436 436
 mode by default to handle this goal.
437
-    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2666425"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
437
+    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2914438"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
438 438
 For now, Tor Browser blocks write access to the disk through Torbutton
439 439
 using several Firefox preferences. 
440 440
 
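Review bot: the Implementation Status at 438-439 says disk writes are blocked `through Torbutton using several Firefox preferences` without naming them, so a reader cannot check it against the Design Goal `MUST (at user option) prevent all disk records of browser activity`. List the preferences and the activity each one covers (history, cache, cookies, form data, session store) so the MUST is verifiable. The `id2666962` and `id2666425` changes are generator churn only.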
... ...
@@ -499,7 +499,7 @@ the url bar origin for which browser state exists, possibly with a
499 499
 context-menu option to drill down into specific types of state or permissions.
500 500
 An example of this simplification can be seen in Figure 1.
501 501
 
502
-   </p><div class="figure"><a id="id2663383"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
502
+   </p><div class="figure"><a id="id2911396"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
503 503
 
504 504
 On the left is the standard Firefox cookie manager. On the right is a mock-up
505 505
 of how isolating identifiers to the URL bar origin might simplify the privacy
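Review bot: the regenerated figure anchor at 502 (`id2663383` to `id2911396`) matters more than the other id churn in this commit because the body text at 500 refers to `Figure 1` by name; give the figure an explicit id in the DocBook source so that reference, and any external link to it, stays stable across rebuilds.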
... ...
@@ -574,7 +574,7 @@ observer to modify it.
574 574
      </p></li><li class="listitem">DOM Storage
575 575
      <p><span class="command"><strong>Design Goal:</strong></span>
576 576
 
577
-DOM storage for third party domains MUST BE isolated to the url bar origin,
577
+DOM storage for third party domains MUST be isolated to the url bar origin,
578 578
 to prevent linkability between sites.
579 579
 
580 580
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
... ...
@@ -619,13 +619,14 @@ Identity</a>.
619 619
 
620 620
 To prevent attacks aimed at subverting the Cross-Origin Identifier
621 621
 Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy requirement</a>, the browser
622
-MUST prompt users before following redirects that would cause the user to
623
-automatically navigate between two different url bar origins.
622
+MUST prompt the user before following redirects that would cause the user to
623
+automatically navigate between two different url bar origins. The prompt
624
+SHOULD inform the user about the ability to use <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a> to clear the linked identifiers
625
+created by the redirect.
624 626
 
625 627
 </p><p>
626 628
 
627
-However, to
628
-reduce the occurrence of warning fatigue, these warning messages MAY be limited
629
+To reduce the occurrence of warning fatigue, these warning messages MAY be limited
629 630
 to automated redirect cycles only. For example, the automated redirect
630 631
 sequence <span class="command"><strong>User Click -&gt; t.co -&gt; bit.ly -&gt; cnn.com</strong></span> can be
631 632
 assumed to be benign, but the redirect sequence <span class="command"><strong>User Click -&gt; t.co -&gt;
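Review bot: the new text at 622-625 keeps `MUST prompt the user before following redirects` between url bar origins, while 629-630 then say the warnings `MAY be limited to automated redirect cycles only`; a MAY cannot narrow a MUST without the exception being stated in the MUST itself. Either phrase the requirement as `MUST prompt ... except for automated redirect chains, which the browser MAY follow silently`, or define what distinguishes the benign `User Click -> t.co -> bit.ly -> cnn.com` chain from the one called out next, since the prompt logic needs a testable criterion. Also, because the prompt precedes the redirect, `clear the linked identifiers created by the redirect` at 624-625 should say those identifiers exist only if the user chooses to continue.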
... ...
@@ -678,17 +679,19 @@ appear, setting this preference prevents automatic linkability from stored passw
678 679
 
679 680
      </p></li><li class="listitem">HSTS supercookies
680 681
       <p>
681
-An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a>
682
-supercookies. Since HSTS effectively stores one bit of information per domain
682
+
683
+An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html" target="_top">HSTS
684
+supercookies</a>. Since HSTS effectively stores one bit of information per domain
683 685
 name, an adversary in possession of numerous domains can use them to construct
684 686
 cookies based on stored HSTS state.
685 687
 
686 688
       </p><p><span class="command"><strong>Design Goal:</strong></span>
687 689
 
688 690
 There appears to be three options for us: 1. Disable HSTS entirely, and rely
689
-instead on HTTPS-Everywhere. 2. Restrict the number of HSTS-enabled third
690
-parties allowed per url bar origin. 3. Prevent third parties from storing HSTS
691
-rules. We have not yet decided upon the best approach.
691
+instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites. 2.
692
+Restrict the number of HSTS-enabled third parties allowed per url bar origin.
693
+3. Prevent third parties from storing HSTS rules. We have not yet decided upon
694
+the best approach.
692 695
 
693 696
       </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
694 697
 cleared by <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>, but we don't
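Review bot: option 1 at 688-691 (`Disable HSTS entirely, and rely instead on HTTPS-Everywhere to crawl and ship rules for HSTS sites`) trades a dynamic, server-asserted policy for a shipped list: sites that enable HSTS after the ruleset is built get no upgrade until the next release, and per-site `max-age` and `includeSubDomains` semantics are lost, so the Design Goal should record that cost next to the linkability benefit it buys. Two smaller points: `There appears to be three options` at 688 should read `There appear to be three options`, and the new reference at 683 is linked over plain `http://`; use the `https://` URL if the blog serves one. The blank line added at 682 inside the paragraph is harmless whitespace.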
... ...
@@ -918,11 +921,11 @@ Currently we simply disable WebGL.
918 921
      </p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
919 922
 In order to avoid long-term linkability, we provide a "New Identity" context
920 923
 menu option in Torbutton.
921
-   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2662516"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
924
+   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2910661"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
922 925
 
923 926
 All linkable identifiers and browser state MUST be cleared by this feature.
924 927
 
925
-    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2678689"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
928
+    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2888916"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
926 929
 
927 930
    First, Torbutton disables all open tabs and windows via nsIContentPolicy
928 931
 blocking, and then closes each tab and window. The extra step for blocking
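Review bot: the Design Goal at 923 says `All linkable identifiers and browser state MUST be cleared`, but the Implementation Status that follows describes the mechanism (nsIContentPolicy blocking, then closing each tab and window) without enumerating which state categories are cleared; cross-reference the identifier list from 3.5 (cookies, cache, DOM storage, HSTS, stored passwords) with a cleared or not-cleared status for each so the MUST can be checked. The HSTS paragraph earlier in this diff already states that HSTS state is cleared by New Identity; that belongs in this list. The id changes at 921 and 925 are generator churn.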
... ...
@@ -1021,7 +1024,7 @@ ruin our day, and censorship filters). Hence we rolled our own.
1021 1024
 This patch prevents random URLs from being inserted into content-prefs.sqllite in
1022 1025
 the profile directory as content prefs change (includes site-zoom and perhaps
1023 1026
 other site prefs?).
1024
-     </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2671107"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2671454"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2674390"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>
1027
+     </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2924325"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2896172"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2917044"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>
1025 1028
 
1026 1029
 The purpose of this section is to cover all the known ways that Tor browser
1027 1030
 security can be subverted from a penetration testing perspective. The hope
1028 1031
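Review bot: `content-prefs.sqllite` at 1021 is a typo for `content-prefs.sqlite`, the actual file in the Firefox profile directory, and the parenthetical `(includes site-zoom and perhaps other site prefs?)` at 1022-1023 leaves an open question in the design text; enumerate the content prefs the patch suppresses or state that it blocks writes to the whole store. Sections 4.1 through 4.4 remain empty `<p> </p>` placeholders in this [DRAFT], and the `id26xxxxx` changes in the Packaging headings are generator churn.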