tor-webwml.git

@@ -1,5 +1,5 @@

 <?xml version="1.0" encoding="UTF-8"?>

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">November 6th, 2014</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp59241696">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp60746000">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp60781056">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp60784992">5.3. Anonymous Verification</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp60816992">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp59241696"></a>1. Introduction</h2></div></div></div><p>

+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">November 6th, 2014</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp42746080">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp45273472">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp45308512">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp45312448">5.3. Anonymous Verification</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp45344896">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp42746080"></a>1. Introduction</h2></div></div></div><p>

 This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,

 <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a>  of the Tor Browser. It is current as of Tor Browser

@@ -654,13 +654,13 @@ system-wide extensions (through the use of

 disabled, which prevents Flash cookies from leaking from a pre-existing Flash

 directory.

-   </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60523824"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

+   </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45049760"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

 The User Agent MUST (at user option) prevent all disk records of browser activity.

 The user should be able to optionally enable URL history and other history

 features if they so desire. 

-    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60525184"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

+    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45051120"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

 We achieve this goal through several mechanisms. First, we set the Firefox

 Private Browsing preference

@@ -734,7 +734,7 @@ the url bar origin for which browser state exists, possibly with a

 context-menu option to drill down into specific types of state or permissions.

 An example of this simplification can be seen in Figure 1.

-   </p><div class="figure"><a id="idp60547888"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>

+   </p><div class="figure"><a id="idp45073824"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>

 This example UI is a mock-up of how isolating identifiers to the URL bar

 origin can simplify the privacy UI for all data - not just cookies. Once

@@ -954,39 +954,50 @@ determine how many bits of identifying information each attribute provided.

    </p><p>

-Because fingerprinting is a problem that potentially touches every aspect of

-the browser, we reduce the efforts for fingerprinting resistance by only

-concerning ourselves with reducing the fingerprintable differences

-<span class="emphasis"><em>among</em></span> Tor Browser users. We do not believe it is possible

-to solve cross-browser fingerprinting issues.

+Unfortunately, there are limitations to the way the Panopticlick study was

+conducted. Because the Panopticlick dataset is based on browser data spanning

+a number of widely deployed browsers over a number of years, any

+fingerprinting defenses attempted by browsers today are very likely to cause

+Panopticlick to report an <span class="emphasis"><em>increase</em></span> in fingerprintability

+and entropy, because those defenses will stand out in sharp contrast to

+historical data. Moreover, because fingerprinting is a problem that

+potentially touches every aspect of the browser, we do not believe it is

+possible to solve cross-browser fingerprinting issues. We reduce the efforts

+for fingerprinting resistance by only concerning ourselves with reducing the

+fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users. 

    </p><p>

-Unfortunately, the unsolvable nature of the cross-browser fingerprinting

-problem means that the Panopticlick test website itself is not useful for

-evaluating the actual effectiveness of our defenses, or the fingerprinting

-defenses of any other web browser. Because the Panopticlick dataset is based

-on browser data spanning a number of widely deployed browsers over a number of

-years, any fingerprinting defenses attempted by browsers today are very likely

-to cause Panopticlick to report an <span class="emphasis"><em>increase</em></span> in

-fingerprintability and entropy, because those defenses will stand out in sharp

-contrast to historical data. We have been <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/6119" target="_top">working to convince

-the EFF</a> that it is worthwhile to release the source code to

-Panopticlick to allow us to run our own version for this reason.

+The unsolvable nature of the cross-browser fingerprinting problem also means

+that the Panopticlick test website itself is not useful for evaluating the

+actual effectiveness of our defenses, or the fingerprinting defenses of any

+other web browser. We are interested in deploying an improved version of

+Panopticlick that measures entropy and variance only among a specific user

+agent population, but until then, intuition serves as a decent guide.

+Essentially, anything that reveals custom user configuration, third party

+software, highly variable hardware details, and external devices attached to

+the users computer is likely to more fingerprintable than things like

+operating system type and even processor speed.

    </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Fingerprinting defenses in the Tor Browser</h4></div></div></div><p>

 The following defenses are listed roughly in order of most severe

-fingerprinting threat first, though we are desperately in need of updated

-measurements to determine this with certainty. Where our actual implementation

-differs from an ideal solution, we separately describe our <span class="command"><strong>Design

-Goal</strong></span> and our <span class="command"><strong>Implementation Status</strong></span>.

+fingerprinting threat first. This ordering based on the above intuition that

+user configurable aspects of the computer are the most severe source of

+fingerprintability, though we are in need of updated measurements to determine

+this with certainty.

+

+   </p><p>

+Where our actual implementation differs from

+an ideal solution, we separately describe our <span class="command"><strong>Design Goal</strong></span>

+and our <span class="command"><strong>Implementation Status</strong></span>.

    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins

      <p>

-Plugins add to fingerprinting risk via two main vectors: their mere presence in

-window.navigator.plugins, as well as their internal functionality.

+Plugins add to fingerprinting risk via two main vectors: their mere presence

+in window.navigator.plugins (because they are optional, end-user installed

+third party software), as well as their internal functionality.

      </p><p><span class="command"><strong>Design Goal:</strong></span>

@@ -1014,11 +1025,9 @@ leaking plugin installation information.

      </p></li><li class="listitem">HTML5 Canvas Image Extraction

      <p>

-The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5

-Canvas</a> is a feature that has been added to major browsers after the

-EFF developed their Panopticlick study. After plugins and plugin-provided

-information, we believe that the HTML5 Canvas is the single largest

-fingerprinting threat browsers face today. <a class="ulink" href="http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf" target="_top">Initial

+After plugins and plugin-provided information, we believe that the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/HTML/Canvas" target="_top">HTML5

+Canvas</a> is the single largest fingerprinting threat browsers face

+today. <a class="ulink" href="http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf" target="_top">Initial

 studies</a> show that the Canvas can provide an easy-access fingerprinting

 target: The adversary simply renders WebGL, font, and named color data to a

 Canvas element, extracts the image buffer, and computes a hash of that image

@@ -1030,8 +1039,9 @@ image can be used almost identically to a tracking cookie by the web server.

      </p><p>

 In some sense, the canvas can be seen as the union of many other

-fingerprinting vectors. If WebGL were normalized through software rendering,

-and the browser shipped a fixed collection of fonts, it might not be necessary

+fingerprinting vectors. If WebGL is normalized through software rendering,

+system colors were standardized, and the browser shipped a fixed collection of

+fonts (see later points in this list), it might not be necessary

 to create a canvas permission. However, until then, to reduce the threat from

 this vector, we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/3b53f525cfb68880e676e64f13cbc0b928ae3ecf" target="_top">prompt

 before returning valid image data</a> to the Canvas APIs, and for <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/fb9f463fe3a69499d6896c217786bafdf0cda62f" target="_top">access

@@ -1047,7 +1057,13 @@ In Firefox, by using either WebSockets or XHR, it is possible for remote

 content to <a class="ulink" href="http://www.andlabs.org/tools/jsrecon.html" target="_top">enumerate

 the list of TCP ports open on 127.0.0.1</a>. In other browsers, this can

 be accomplished by DOM events on image or script tags. This open vs filtered

-vs closed port list can provide a very unique fingerprint of a machine.

+vs closed port list can provide a very unique fingerprint of a machine,

+because it essentially enables the detection of many different popular third

+party applications and optional system services (Skype, Bitcoin, Bittorrent

+and other P2P software, SSH ports, SMB and related LAN services, CUPS and

+printer daemon config ports, mail servers, and so on). It is also possible to

+determine when ports are closed versus filtered/blocked (and thus probe

+custom firewall configuration).

      </p><p>In Tor Browser, we prevent access to

 127.0.0.1/localhost by ensuring that even these requests are still sent by

@@ -1055,7 +1071,19 @@ Firefox to our SOCKS proxy (ie we set

 <span class="command"><strong>network.proxy.no_proxies_on</strong></span> to the empty string). The local

 Tor client then rejects them, since it is configured to proxy for internal IP

 addresses by default.

-     </p></li><li class="listitem">USB Device ID enumeration

+     </p></li><li class="listitem">Invasive Authentication Mechanisms (NTLM and SPNEGO)

+     <p>

+

+Both NTLM and SPNEGO authentication mechanisms can leak the hostname, and in

+some cases the current username. The only reason why these aren't a more

+serious problem is that they typically involve user interaction, and likely

+aren't an attractive vector for this reason. However, because it is not clear

+if certain carefully-crafted error conditions in these protocols could cause

+them to reveal machine information and still fail silently prior to the

+password prompt, these authentication mechanisms should either be disabled, or

+placed behind a site permission before their use. We simply disable them.

+

+     </p></li><li class="listitem">USB Device ID Enumeration

      <p>

 The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/API/Gamepad" target="_top">GamePad

@@ -1066,38 +1094,6 @@ should be behind a site permission in Private Browsing Modes, or should present

 controller type (perhaps a two button controller that can be mapped to the keyboard) in all cases.

 We simply disable it via the pref <span class="command"><strong>dom.gamepad.enabled</strong></span>.

-     </p></li><li class="listitem">Invasive Authentication Mechanisms (NTLM and SPNEGO)

-     <p>

-Both NTLM and SPNEGO authentication mechanisms can leak the hostname, and in

-some cases the machine username. These authentication mechanisms should either

-be disabled, or placed behind a site permission before their use. We simply

-disable them.

-     </p></li><li class="listitem">WebGL

-     <p>

-

-WebGL is fingerprintable both through information that is exposed about the

-underlying driver and optimizations, as well as through performance

-fingerprinting.

-

-     </p><p>

-

-Because of the large amount of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/" target="_top">previously unexposed

-vulnerability surface</a>, we deploy a similar strategy against WebGL as

-for plugins. First, WebGL Canvases have click-to-play placeholders (provided

-by NoScript), and do not run until authorized by the user. Second, we

-obfuscate driver information by setting the Firefox preferences

-<span class="command"><strong>webgl.disable-extensions</strong></span> and

-<span class="command"><strong>webgl.min_capability_mode</strong></span>, which reduce the information

-provided by the following WebGL API calls: <span class="command"><strong>getParameter()</strong></span>,

-<span class="command"><strong>getSupportedExtensions()</strong></span>, and

-<span class="command"><strong>getExtension()</strong></span>.

-

-     </p><p>

-

-Another option for WebGL might be to use software-only rendering, using a

-library such as <a class="ulink" href="http://www.mesa3d.org/" target="_top">Mesa</a>. The use of

-such a library would avoid hardware-specific rendering differences.

-

      </p></li><li class="listitem">Fonts

      <p>

@@ -1106,7 +1102,8 @@ they are provided as an enumerable list in filesystem order, via either the

 Flash or Java plugins. However, it is still possible to use CSS and/or

 Javascript to query for the existence of specific fonts. With a large enough

 pre-built list to query, a large amount of fingerprintable information may

-still be available.

+still be available, especially given that additional fonts often end up

+installed by third party software and for multilingual support.

      </p><p><span class="command"><strong>Design Goal:</strong></span> The sure-fire way to address font

 linkability is to ship the browser with a font for every language, typeface,

@@ -1143,13 +1140,16 @@ To improve rendering, we exempt remote <a class="ulink" href="https://developer.

 fonts</a> from these counts, and if a font-family CSS rule lists a remote

 font (in any order), we use that font instead of any of the named local fonts.

-     </p></li><li class="listitem">Monitor and OS Desktop resolution

+     </p></li><li class="listitem">Monitor and OS Desktop Resolution

      <p>

 Both CSS and Javascript have access to a lot of information about the screen

 resolution, usable desktop size, OS widget size, toolbar size, title bar size,

 and OS desktop widget sizing information that are not at all relevant to

-rendering and serve only to provide information for fingerprinting.

+rendering and serve only to provide information for fingerprinting. Since many

+aspects of desktop widget positioning and size are user configurable, these

+properties yield customized information about the computer, even beyond the

+monitor size.

      </p><p><span class="command"><strong>Design Goal:</strong></span>

@@ -1190,7 +1190,7 @@ Beyond simple resolution information, a large amount of so-called "Media"

 information is also exported to content. Even without Javascript, CSS has

 access to a lot of information about the device orientation, system theme

 colors, and other desktop features that are not at all relevant to rendering

-and serve only to provide information for fingerprinting. Most of this

+and also user configurable. Most of this

 information comes from <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries" target="_top">CSS

 Media Queries</a>, but Mozilla has exposed <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors" target="_top">several

 user and OS theme defined color values</a> to CSS as well.

@@ -1210,6 +1210,32 @@ detection of font smoothing on OSX</a>. We also always

 <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/09561f0e5452305b9efcb4e6169c613c8db33246" target="_top">report

 landscape-primary</a> for the screen orientation.

+     </p></li><li class="listitem">WebGL

+     <p>

+

+WebGL is fingerprintable both through information that is exposed about the

+underlying driver and optimizations, as well as through performance

+fingerprinting.

+

+     </p><p>

+

+Because of the large amount of potential fingerprinting vectors and the <a class="ulink" href="http://www.contextis.com/resources/blog/webgl/" target="_top">previously unexposed

+vulnerability surface</a>, we deploy a similar strategy against WebGL as

+for plugins. First, WebGL Canvases have click-to-play placeholders (provided

+by NoScript), and do not run until authorized by the user. Second, we

+obfuscate driver information by setting the Firefox preferences

+<span class="command"><strong>webgl.disable-extensions</strong></span> and

+<span class="command"><strong>webgl.min_capability_mode</strong></span>, which reduce the information

+provided by the following WebGL API calls: <span class="command"><strong>getParameter()</strong></span>,

+<span class="command"><strong>getSupportedExtensions()</strong></span>, and

+<span class="command"><strong>getExtension()</strong></span>.

+

+     </p><p>

+

+Another option for WebGL might be to use software-only rendering, using a

+library such as <a class="ulink" href="http://www.mesa3d.org/" target="_top">Mesa</a>. The use of

+such a library would avoid hardware-specific rendering differences.

+

      </p></li><li class="listitem">User Agent and HTTP Headers

      <p><span class="command"><strong>Design Goal:</strong></span>

@@ -1241,12 +1267,13 @@ We set the fallback character set to set to windows-1252 for all locales, via

 the JS engine</a> to use en-US as its internal C locale for all Date, Math,

 and exception handling.

-     </p></li><li class="listitem">Timezone and clock offset

+     </p></li><li class="listitem">Timezone and Clock Offset

      <p>

 While the latency in Tor connections varies anywhere from milliseconds to

-several seconds, it is still possible for the remote site to detect large

+a few seconds, it is still possible for the remote site to detect large

 differences between the user's clock and an official reference time source. 

+

      </p><p><span class="command"><strong>Design Goal:</strong></span>

 All Tor Browser users MUST report the same timezone to websites. Currently, we

@@ -1264,7 +1291,7 @@ the browser can obtain this clock skew via a mechanism similar to that used in

 We set the timezone using the TZ environment variable, which is supported on

 all platforms.

-     </p></li><li class="listitem">Javascript performance fingerprinting

+     </p></li><li class="listitem">Javascript Performance Fingerprinting

      <p>

 <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Javascript performance

@@ -1278,13 +1305,18 @@ We have <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3

 mitigation approaches</a> to reduce the accuracy of performance

 fingerprinting without risking too much damage to functionality. Our current

 favorite is to reduce the resolution of the Event.timeStamp and the Javascript

-Date() object, while also introducing jitter. Our goal is to increase the

-amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found that

-even with the default precision in most browsers, they required up to 120

+Date() object, while also introducing jitter. We believe that Javascript time

+resolution may be reduced all the way up to the second before it seriously

+impacts site operation. Our goal with this quantization is to increase the

+amount of time it takes to mount a successful attack. <a class="ulink" href="http://w2spconf.com/2011/papers/jspriv.pdf" target="_top">Mowery et al</a> found

+that even with the default precision in most browsers, they required up to 120

 seconds of amortization and repeated trials to get stable results from their

 feature set. We intend to work with the research community to establish the

-optimum trade-off between quantization+jitter and amortization time.

-

+optimum trade-off between quantization+jitter and amortization time, as well

+as identify highly variable Javascript operations. As long as these attacks

+take several seconds or more to execute, they are unlikely to be appealing to

+advertisers, and are also very likely to be noticed if deployed against a

+large number of people.

      </p><p><span class="command"><strong>Implementation Status:</strong></span>

@@ -1293,17 +1325,7 @@ disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/" target="

 Timing</a> through the Firefox preference

 <span class="command"><strong>dom.enable_performance</strong></span>.

-     </p></li><li class="listitem">Non-Uniform HTML5 API Implementations

-     <p>

-

-At least two HTML5 features have different implementation status across the

-major OS vendors: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery

-API</a> and the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network

-Connection API</a>. We disable these APIs

-through the Firefox preferences <span class="command"><strong>dom.battery.enabled</strong></span> and

-<span class="command"><strong>dom.network.enabled</strong></span>. 

-

-     </p></li><li class="listitem">Keystroke fingerprinting

+     </p></li><li class="listitem">Keystroke Fingerprinting

      <p>

 Keystroke fingerprinting is the act of measuring key strike time and key

@@ -1316,7 +1338,7 @@ fingerprinting: timestamp quantization and jitter.

      </p><p><span class="command"><strong>Implementation Status:</strong></span>

 We have no implementation as of yet.

-     </p></li><li class="listitem">Operating system type fingerprinting

+     </p></li><li class="listitem">Operating System Type Fingerprinting

      <p>

 As we mentioned in the introduction of this section, OS type fingerprinting is

@@ -1335,15 +1356,18 @@ We intend to reduce or eliminate OS type fingerprinting to the best extent

 possible, but recognize that the effort for reward on this item is not as high

 as other areas. The entropy on the current OS distribution is somewhere around

 2 bits, which is much lower than other vectors which can also be used to

-fingerprint configuration and user-specific information.

+fingerprint configuration and user-specific information.  You can see the

+major areas of OS fingerprinting we're aware of using the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-os" target="_top">tbb-fingerprinting-os

+tag on our bug tracker</a>.

      </p><p><span class="command"><strong>Implementation Status:</strong></span>

-We have no defenses deployed that address OS type fingerprinting by itself.

-Several defenses may help also mitigate it, in addition to reducing a lot more

-entropy elsewhere. You can see the major areas of OS fingerprinting we're

-aware of using the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-os" target="_top">tbb-fingerprinting-os

-tag on our bugtracker</a>.

+At least two HTML5 features have different implementation status across the

+major OS vendors: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery

+API</a> and the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network

+Connection API</a>. We disable these APIs through the Firefox preferences

+<span class="command"><strong>dom.battery.enabled</strong></span> and

+<span class="command"><strong>dom.network.enabled</strong></span>. 

      </p></li></ol></div></div><p>

 For more details on fingerprinting bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed" target="_top">tbb-fingerprinting tag in our bug tracker</a>

@@ -1353,11 +1377,11 @@ In order to avoid long-term linkability, we provide a "New Identity" context

 menu option in Torbutton. This context menu option is active if Torbutton can

 read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.

-   </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60693264"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

+   </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45220704"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">

 All linkable identifiers and browser state MUST be cleared by this feature.

-    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60694512"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

+    </blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45221952"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

 First, Torbutton disables Javascript in all open tabs and windows by using

 both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a>

@@ -1437,7 +1461,7 @@ all non-WebM HTML5 codecs (<span class="command"><strong>media.ogg.enabled</stro

 Fingerprinting</a> is a statistical attack to attempt to recognize specific

 encrypted website activity.

-     </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60722880"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

+     </p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45250352"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

 We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available

 for classification. This mechanism would either impact the true and false

@@ -1459,7 +1483,7 @@ Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href

 defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor

 network, making them also effectively no-overhead.

-     </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60729776"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

+     </p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp45257248"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>

 Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/27ef32d509ed1c9eeb28f7affee0f9ba11773f72" target="_top">randomize

 pipeline order and depth</a>. Unfortunately, pipelining is very fragile.

 Many sites do not support it, and even sites that advertise support for

@@ -1524,7 +1548,7 @@ contend with. For this reason, we have deployed a build system

 that allows anyone to use our source code to reproduce byte-for-byte identical

 binary packages to the ones that we distribute.

-  </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp60746000"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>

+  </p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45273472"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>

 The GNU toolchain has been working on providing reproducible builds for some

 time, however a large software project such as Firefox typically ends up

@@ -1641,7 +1665,7 @@ unitialized memory</a> that only appear in LXC mode, as well as

 <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/12240" target="_top">oddities related to

 time-based dependency tracking</a> that only appear in LXC containers.

-   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp60781056"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>

+   </p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45308512"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>

 The build process produces a single sha256sums.txt file that contains a sorted

 list of the SHA-256 hashes of every package produced for that build version. Each

@@ -1675,7 +1699,7 @@ and by their nature are based on non-public key material, providing native

 code-signed packages while still preserving ease of reproducibility

 verification has not yet been achieved.

-    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp60784992"></a>5.3. Anonymous Verification</h3></div></div></div><p>

+    </p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp45312448"></a>5.3. Anonymous Verification</h3></div></div></div><p>

 Due to the fact that bit-identical packages can be produced by anyone, the

 security of this build system extends beyond the security of the official

@@ -1791,7 +1815,7 @@ possible for us to <a class="ulink" href="https://trac.torproject.org/projects/t

 ourselves</a>, as they are comparatively rare and can be handled with site

 permissions.

-   </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp60816992"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>

+   </p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp45344896"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>

 Web-Send is a browser-based link sharing and federated login widget that is

 designed to operate without relying on third-party tracking or abusing other