Another fix to the design doc.
Mike Perry

Mike Perry committed on 2014-11-07 02:16:21
Showing 1 changed file with 13 additions and 13 deletions.

... ...
@@ -1,5 +1,5 @@
1 1
 <?xml version="1.0" encoding="UTF-8"?>
2
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">November 6th, 2014</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp42746080">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. 
Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp45273472">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp45308512">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp45312448">5.3. Anonymous Verification</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. 
Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp45344896">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp42746080"></a>1. Introduction</h2></div></div></div><p>
2
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">November 6th, 2014</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp65114112">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. 
Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp67866160">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp67901104">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp67905040">5.3. Anonymous Verification</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. 
Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp67937488">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp65114112"></a>1. Introduction</h2></div></div></div><p>
3 3
 
4 4
 This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
5 5
 <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a>  of the Tor Browser. It is current as of Tor Browser
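Review bot: the only thing that changes in this hunk is DocBook's auto-generated anchor ids (`#idp42746080` becomes `#idp65114112` for the Introduction, and the 5.1, 5.2, 5.3 and A.2 entries in the table of contents change the same way), which will churn again on every regeneration and silently break any external link that pointed at the old fragment. The sections that carry a hand-written `id` in the source (`#components`, `#DesignRequirements`, `#adversary`, `#Implementation`, `#BuildSecurity`, `#Transparency`, `#deprecate`) are untouched by this diff; give the Introduction, the three 5.x sections and A.2 the same treatment in the DocBook source so the generated HTML stops diffing on ids and the figure and "Design Goal:"/"Implementation Status:" anchors in the later hunks stabilise as well.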
... ...
@@ -654,13 +654,13 @@ system-wide extensions (through the use of
654 654
 disabled, which prevents Flash cookies from leaking from a pre-existing Flash
655 655
 directory.
656 656
 
657
-   </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45049760"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
657
+   </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67642512"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
658 658
 
659 659
 The User Agent MUST (at user option) prevent all disk records of browser activity.
660 660
 The user should be able to optionally enable URL history and other history
661 661
 features if they so desire. 
662 662
 
663
-    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45051120"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
663
+    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67643872"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
664 664
 
665 665
 We achieve this goal through several mechanisms. First, we set the Firefox
666 666
 Private Browsing preference
... ...
@@ -734,7 +734,7 @@ the url bar origin for which browser state exists, possibly with a
734 734
 context-menu option to drill down into specific types of state or permissions.
735 735
 An example of this simplification can be seen in Figure 1.
736 736
 
737
-   </p><div class="figure"><a id="idp45073824"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
737
+   </p><div class="figure"><a id="idp67666576"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
738 738
 
739 739
 This example UI is a mock-up of how isolating identifiers to the URL bar
740 740
 origin can simplify the privacy UI for all data - not just cookies. Once
... ...
@@ -982,7 +982,7 @@ operating system type and even processor speed.
982 982
    </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Fingerprinting defenses in the Tor Browser</h4></div></div></div><p>
983 983
 
984 984
 The following defenses are listed roughly in order of most severe
985
-fingerprinting threat first. This ordering based on the above intuition that
985
+fingerprinting threat first. This ordering is based on the above intuition that
986 986
 user configurable aspects of the computer are the most severe source of
987 987
 fingerprintability, though we are in need of updated measurements to determine
988 988
 this with certainty.
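Review bot: this is the only wording change in the commit ("This ordering based on" to "This ordering is based on"), and it is correct; the other twelve changed lines are regenerated anchor ids. The commit message "Another fix to the design doc." does not say which fix, so the substantive change is hard to locate in the diff; name the wording fix in the message and, if the regenerated HTML is committed alongside the DocBook source, say so. As a style nit in the same sentence, "user configurable aspects" reads better hyphenated as "user-configurable aspects", and that fix belongs in the source too.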
... ...
@@ -1377,11 +1377,11 @@ In order to avoid long-term linkability, we provide a "New Identity" context
1377 1377
 menu option in Torbutton. This context menu option is active if Torbutton can
1378 1378
 read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.
1379 1379
 
1380
-   </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45220704"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
1380
+   </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67813456"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
1381 1381
 
1382 1382
 All linkable identifiers and browser state MUST be cleared by this feature.
1383 1383
 
1384
-    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45221952"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
1384
+    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67814704"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
1385 1385
 
1386 1386
 First, Torbutton disables Javascript in all open tabs and windows by using
1387 1387
 both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a>
... ...
@@ -1461,7 +1461,7 @@ all non-WebM HTML5 codecs (<span class="command"><strong>media.ogg.enabled</stro
1461 1461
 Fingerprinting</a> is a statistical attack to attempt to recognize specific
1462 1462
 encrypted website activity.
1463 1463
 
1464
-     </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45250352"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
1464
+     </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67843072"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
1465 1465
 
1466 1466
 We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available
1467 1467
 for classification. This mechanism would either impact the true and false
... ...
@@ -1483,7 +1483,7 @@ Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href
1483 1483
 defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor
1484 1484
 network, making them also effectively no-overhead.
1485 1485
 
1486
-     </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45257248"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
1486
+     </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67849968"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
1487 1487
 Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/27ef32d509ed1c9eeb28f7affee0f9ba11773f72" target="_top">randomize
1488 1488
 pipeline order and depth</a>. Unfortunately, pipelining is very fragile.
1489 1489
 Many sites do not support it, and even sites that advertise support for
... ...
@@ -1548,7 +1548,7 @@ contend with. For this reason, we have deployed a build system
1548 1548
 that allows anyone to use our source code to reproduce byte-for-byte identical
1549 1549
 binary packages to the ones that we distribute.
1550 1550
 
1551
-  </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45273472"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
1551
+  </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp67866160"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
1552 1552
 
1553 1553
 The GNU toolchain has been working on providing reproducible builds for some
1554 1554
 time, however a large software project such as Firefox typically ends up
... ...
@@ -1665,7 +1665,7 @@ unitialized memory</a> that only appear in LXC mode, as well as
1665 1665
 <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/12240" target="_top">oddities related to
1666 1666
 time-based dependency tracking</a> that only appear in LXC containers.
1667 1667
 
1668
-   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45308512"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
1668
+   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp67901104"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
1669 1669
 
1670 1670
 The build process produces a single sha256sums.txt file that contains a sorted
1671 1671
 list of the SHA-256 hashes of every package produced for that build version. Each
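Review bot: the hunk-header context at line 1665 reads `unitialized memory</a>`, a typo for "uninitialized" that this regeneration leaves in place; since this file is generated from DocBook, fix it in the source rather than in the HTML so it survives the next regeneration. The trailing context describing the single `sha256sums.txt` file with a sorted list of SHA-256 hashes is unchanged and fine.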
... ...
@@ -1699,7 +1699,7 @@ and by their nature are based on non-public key material, providing native
1699 1699
 code-signed packages while still preserving ease of reproducibility
1700 1700
 verification has not yet been achieved.
1701 1701
 
1702
-    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45312448"></a>5.3. Anonymous Verification</h3></div></div></div><p>
1702
+    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp67905040"></a>5.3. Anonymous Verification</h3></div></div></div><p>
1703 1703
 
1704 1704
 Due to the fact that bit-identical packages can be produced by anyone, the
1705 1705
 security of this build system extends beyond the security of the official
... ...
@@ -1815,7 +1815,7 @@ possible for us to <a class="ulink" href="https://trac.torproject.org/projects/t
1815 1815
 ourselves</a>, as they are comparatively rare and can be handled with site
1816 1816
 permissions.
1817 1817
 
1818
-   </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp45344896"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>
1818
+   </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp67937488"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>
1819 1819
 
1820 1820
 Web-Send is a browser-based link sharing and federated login widget that is
1821 1821
 designed to operate without relying on third-party tracking or abusing other
1822 1822