Mike Perry commited on 2014-11-07 02:16:21
Zeige 1 geänderte Dateien mit 13 Einfügungen und 13 Löschungen.
... | ... |
@@ -1,5 +1,5 @@ |
1 | 1 |
<?xml version="1.0" encoding="UTF-8"?> |
2 |
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">November 6th, 2014</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp42746080">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp45273472">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp45308512">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp45312448">5.3. Anonymous Verification</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp45344896">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp42746080"></a>1. Introduction</h2></div></div></div><p> |
|
2 |
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">November 6th, 2014</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp65114112">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp67866160">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp67901104">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp67905040">5.3. Anonymous Verification</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp67937488">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp65114112"></a>1. Introduction</h2></div></div></div><p> |
|
3 | 3 |
|
4 | 4 |
This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>, |
5 | 5 |
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the Tor Browser. It is current as of Tor Browser |
... | ... |
@@ -654,13 +654,13 @@ system-wide extensions (through the use of |
654 | 654 |
disabled, which prevents Flash cookies from leaking from a pre-existing Flash |
655 | 655 |
directory. |
656 | 656 |
|
657 |
- </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45049760"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
657 |
+ </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67642512"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
658 | 658 |
|
659 | 659 |
The User Agent MUST (at user option) prevent all disk records of browser activity. |
660 | 660 |
The user should be able to optionally enable URL history and other history |
661 | 661 |
features if they so desire. |
662 | 662 |
|
663 |
- </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45051120"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
663 |
+ </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67643872"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
664 | 664 |
|
665 | 665 |
We achieve this goal through several mechanisms. First, we set the Firefox |
666 | 666 |
Private Browsing preference |
... | ... |
@@ -734,7 +734,7 @@ the url bar origin for which browser state exists, possibly with a |
734 | 734 |
context-menu option to drill down into specific types of state or permissions. |
735 | 735 |
An example of this simplification can be seen in Figure 1. |
736 | 736 |
|
737 |
- </p><div class="figure"><a id="idp45073824"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p> |
|
737 |
+ </p><div class="figure"><a id="idp67666576"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p> |
|
738 | 738 |
|
739 | 739 |
This example UI is a mock-up of how isolating identifiers to the URL bar |
740 | 740 |
origin can simplify the privacy UI for all data - not just cookies. Once |
... | ... |
@@ -982,7 +982,7 @@ operating system type and even processor speed. |
982 | 982 |
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Fingerprinting defenses in the Tor Browser</h4></div></div></div><p> |
983 | 983 |
|
984 | 984 |
The following defenses are listed roughly in order of most severe |
985 |
-fingerprinting threat first. This ordering based on the above intuition that |
|
985 |
+fingerprinting threat first. This ordering is based on the above intuition that |
|
986 | 986 |
user configurable aspects of the computer are the most severe source of |
987 | 987 |
fingerprintability, though we are in need of updated measurements to determine |
988 | 988 |
this with certainty. |
... | ... |
@@ -1377,11 +1377,11 @@ In order to avoid long-term linkability, we provide a "New Identity" context |
1377 | 1377 |
menu option in Torbutton. This context menu option is active if Torbutton can |
1378 | 1378 |
read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT. |
1379 | 1379 |
|
1380 |
- </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45220704"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
1380 |
+ </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67813456"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
1381 | 1381 |
|
1382 | 1382 |
All linkable identifiers and browser state MUST be cleared by this feature. |
1383 | 1383 |
|
1384 |
- </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45221952"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
1384 |
+ </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67814704"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
1385 | 1385 |
|
1386 | 1386 |
First, Torbutton disables Javascript in all open tabs and windows by using |
1387 | 1387 |
both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a> |
... | ... |
@@ -1461,7 +1461,7 @@ all non-WebM HTML5 codecs (<span class="command"><strong>media.ogg.enabled</stro |
1461 | 1461 |
Fingerprinting</a> is a statistical attack to attempt to recognize specific |
1462 | 1462 |
encrypted website activity. |
1463 | 1463 |
|
1464 |
- </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45250352"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
1464 |
+ </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67843072"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
1465 | 1465 |
|
1466 | 1466 |
We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available |
1467 | 1467 |
for classification. This mechanism would either impact the true and false |
... | ... |
@@ -1483,7 +1483,7 @@ Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href |
1483 | 1483 |
defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor |
1484 | 1484 |
network, making them also effectively no-overhead. |
1485 | 1485 |
|
1486 |
- </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45257248"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
1486 |
+ </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp67849968"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
1487 | 1487 |
Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/27ef32d509ed1c9eeb28f7affee0f9ba11773f72" target="_top">randomize |
1488 | 1488 |
pipeline order and depth</a>. Unfortunately, pipelining is very fragile. |
1489 | 1489 |
Many sites do not support it, and even sites that advertise support for |
... | ... |
@@ -1548,7 +1548,7 @@ contend with. For this reason, we have deployed a build system |
1548 | 1548 |
that allows anyone to use our source code to reproduce byte-for-byte identical |
1549 | 1549 |
binary packages to the ones that we distribute. |
1550 | 1550 |
|
1551 |
- </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45273472"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p> |
|
1551 |
+ </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp67866160"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p> |
|
1552 | 1552 |
|
1553 | 1553 |
The GNU toolchain has been working on providing reproducible builds for some |
1554 | 1554 |
time, however a large software project such as Firefox typically ends up |
... | ... |
@@ -1665,7 +1665,7 @@ unitialized memory</a> that only appear in LXC mode, as well as |
1665 | 1665 |
<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/12240" target="_top">oddities related to |
1666 | 1666 |
time-based dependency tracking</a> that only appear in LXC containers. |
1667 | 1667 |
|
1668 |
- </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45308512"></a>5.2. Package Signatures and Verification</h3></div></div></div><p> |
|
1668 |
+ </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp67901104"></a>5.2. Package Signatures and Verification</h3></div></div></div><p> |
|
1669 | 1669 |
|
1670 | 1670 |
The build process produces a single sha256sums.txt file that contains a sorted |
1671 | 1671 |
list of the SHA-256 hashes of every package produced for that build version. Each |
... | ... |
@@ -1699,7 +1699,7 @@ and by their nature are based on non-public key material, providing native |
1699 | 1699 |
code-signed packages while still preserving ease of reproducibility |
1700 | 1700 |
verification has not yet been achieved. |
1701 | 1701 |
|
1702 |
- </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45312448"></a>5.3. Anonymous Verification</h3></div></div></div><p> |
|
1702 |
+ </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp67905040"></a>5.3. Anonymous Verification</h3></div></div></div><p> |
|
1703 | 1703 |
|
1704 | 1704 |
Due to the fact that bit-identical packages can be produced by anyone, the |
1705 | 1705 |
security of this build system extends beyond the security of the official |
... | ... |
@@ -1815,7 +1815,7 @@ possible for us to <a class="ulink" href="https://trac.torproject.org/projects/t |
1815 | 1815 |
ourselves</a>, as they are comparatively rare and can be handled with site |
1816 | 1816 |
permissions. |
1817 | 1817 |
|
1818 |
- </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp45344896"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p> |
|
1818 |
+ </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp67937488"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p> |
|
1819 | 1819 |
|
1820 | 1820 |
Web-Send is a browser-based link sharing and federated login widget that is |
1821 | 1821 |
designed to operate without relying on third-party tracking or abusing other |
1822 | 1822 |