Update TBB design doc based on comments from pde.
Mike Perry

Mike Perry committed on 2011-10-07 02:35:15
Showing 1 changed file with 93 additions and 33 deletions.

... ...
@@ -1,6 +1,6 @@
1 1
 <?xml version="1.0" encoding="UTF-8"?>
2 2
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Oct 4 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2857732">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. 
Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2857732"></a>1. Introduction</h2></div></div></div><p>
3
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">Oct 6 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2597772">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. 
Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2597772"></a>1. Introduction</h2></div></div></div><p>
4 4
 
5 5
 This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>,
6 6
 <a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>,
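Review bot: the generated anchor for the Introduction changes from id2857732 to id2597772 in both the TOC link and the `<a id>` target, and the same churn hits every auto-numbered Design Goal, Implementation Status, figure and addon sub-heading in the later hunks (id2886678, id2874561, id2867838, id2853903, id2874701, id2886800, id2882777, id2864076). Any external link to those anchors breaks on each regeneration, and the churn buries the real content changes in the diff; give those sections explicit ids in the DocBook source, as is already done for `adversary`, `DesignRequirements` and `disk-avoidance`. Minor: the pubdate moves to Oct 6 2011 while the commit is dated 2011-10-07, fine if intentional.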
... ...
@@ -187,7 +187,8 @@ adversary.
187 187
      </p></li></ol></div></div></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p>
188 188
 
189 189
 The Tor Browser Design Requirements are meant to describe the properties of a
190
-Private Browsing Mode that defends against both network and forensic adversaries. 
190
+Private Browsing Mode that defends against both network and local forensic
191
+adversaries. 
191 192
 
192 193
   </p><p>
193 194
 
... ...
@@ -237,7 +238,9 @@ operating system to write <span class="emphasis"><em>any information</em></span>
237 238
 of private browsing to disk outside of the application's control. The user
238 239
 must be able to ensure that secure removal of the software is sufficient to
239 240
 remove evidence of the use of the software. All exceptions and shortcomings
240
-due to operating system behavior MUST BE wiped by an uninstaller.
241
+due to operating system behavior MUST BE wiped by an uninstaller. However, due
242
+to permissions issues with access to swap, implementations MAY choose to leave
243
+it out of scope, and/or leave it to the user to implement encrypted swap.
241 244
 
242 245
 </p></li><li class="listitem"><span class="command"><strong>Update Safety</strong></span><p>The browser SHOULD NOT perform unsafe updates or upgrades.</p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p>
243 246
 
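Review bot: the added sentence turns the uninstaller MUST into a MAY for swap without saying which platforms the "permissions issues" apply to or what the user is expected to do, and it silently weakens the earlier claim in the same paragraph that "secure removal of the software is sufficient to remove evidence of the use of the software". Suggest qualifying that claim (sufficient "with the possible exception of swap") and making the exception explicit and visible, e.g. "implementations MAY leave swap out of scope, but MUST document this and SHOULD advise the user to enable encrypted swap."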
... ...
@@ -259,10 +262,12 @@ to be the entire fully qualified domain name
259 262
    </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cross-Origin Identifier Unlinkability</strong></span><p>
260 263
 
261 264
 User activity on one url bar origin MUST NOT be linkable to their activity in
262
-any other url bar origin by any third party. This property specifically applies to
263
-linkability from stored browser identifiers, authentication tokens, and shared
264
-state. This functionality SHOULD NOT interfere with federated login in a
265
-substantial way.
265
+any other url bar origin by any third party automatically or without user
266
+interaction or approval. This requirement specifically applies to linkability
267
+from stored browser identifiers, authentication tokens, and shared state. The
268
+requirement does not apply to linkable information the user manually submits
269
+to sites, or due information submitted during manual link traversal. This
270
+functionality SHOULD NOT interfere with federated login in a substantial way.
266 271
 
267 272
   </p></li><li class="listitem"><span class="command"><strong>Cross-Origin Fingerprinting Unlinkability</strong></span><p>
268 273
 
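Review bot: "or due information submitted during manual link traversal" is missing a word; read "or to information submitted during manual link traversal". In the same sentence "automatically or without user interaction or approval" is redundant; "without explicit user interaction or approval" says the same thing. It would also help to define "manual" here (a click or form submission by the user, as opposed to script- or redirect-driven navigation), since the redirect-cycle rule elsewhere in this document depends on that distinction.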
... ...
@@ -417,13 +422,13 @@ launch a helper app.
417 422
 Tor Browser State is separated from existing browser state through use of a
418 423
 custom Firefox profile. Furthermore, plugins are disabled, which prevents
419 424
 Flash cookies from leaking from a pre-existing Flash directory.
420
-   </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2886678"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
425
+   </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2616664"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
421 426
 Tor Browser MUST (at user option) prevent all disk records of browser activity.
422 427
 The user should be able to optionally enable URL history and other history
423 428
 features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the
424 429
 preferences interface</a>, we will likely just enable Private Browsing
425 430
 mode by default to handle this goal.
426
-    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2874561"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
431
+    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2606128"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
427 432
 For now, Tor Browser blocks write access to the disk through Torbutton
428 433
 using several Firefox preferences. 
429 434
 
... ...
@@ -488,7 +493,7 @@ the url bar origin for which browser state exists, possibly with a
488 493
 context-menu option to drill down into specific types of state or permissions.
489 494
 An example of this simplification can be seen in Figure 1.
490 495
 
491
-   </p><div class="figure"><a id="id2867838"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
496
+   </p><div class="figure"><a id="id2612402"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
492 497
 
493 498
 On the left is the standard Firefox cookie manager. On the right is a mock-up
494 499
 of how isolating identifiers to the URL bar origin might simplify the privacy
... ...
@@ -608,11 +614,17 @@ Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements"
608 614
 MUST prompt users before following redirects that would cause the user to
609 615
 automatically navigate between two different url bar origins.
610 616
 
611
-    </p><p><span class="command"><strong>Implementation status:</strong></span>
617
+</p><p>
612 618
 
613
-There are numerous ways for the user to be redirected, and the Firefox API
614
-support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
615
-open</a> to implement what we can.
619
+However, to
620
+reduce the occurrence of warning fatigue, these warning messages MAY be limited
621
+to automated redirect cycles only. For example, the automated redirect
622
+sequence <span class="command"><strong>User Click -&gt; t.co -&gt; bit.ly -&gt; cnn.com</strong></span> can be
623
+assumed to be benign, but the redirect sequence <span class="command"><strong>User Click -&gt; t.co -&gt;
624
+bit.ly -&gt; cnn.com -&gt; 2o7.net -&gt; scorecardresearch.net -&gt; cnn.com</strong></span> is
625
+clearly due to tracking. Non-automated redirect cycles that require
626
+user input at some step (such as federated login systems) need not be
627
+interrupted by the UI.
616 628
 
617 629
     </p><p>
618 630
 
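Review bot: "redirect cycle" is used without being defined, yet the MAY that follows depends on it; the two example chains differ only in that the second returns to cnn.com after passing through 2o7.net and scorecardresearch.net, so state the rule explicitly (an automated chain that revisits an earlier url bar origin), otherwise an implementer cannot tell which chains to warn on. "is clearly due to tracking" is stronger than the example supports; "is consistent with tracking" fits a design document better. Structurally, replacing the "Implementation status:" heading with a bare `</p><p>` is fine as long as the heading is re-added where the status paragraph now lives.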
... ...
@@ -622,6 +634,12 @@ assumed that private browsing sessions will be relatively short-lived,
622 634
 especially with frequent use of the <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
623 635
 Identity</a> button.
624 636
 
637
+    </p><p><span class="command"><strong>Implementation status:</strong></span>
638
+
639
+There are numerous ways for the user to be redirected, and the Firefox API
640
+support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug
641
+open</a> to implement what we can.
642
+
625 643
     </p></li><li class="listitem">window.name
626 644
      <p>
627 645
 
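Review bot: the moved "Implementation status" paragraph still describes redirect detection only in general terms; since the design goal above it now allows limiting warnings to automated redirect cycles, say whether trac ticket 3600 also covers the cycle-detection heuristic or whether that needs its own ticket, so the status reflects the revised goal.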
... ...
@@ -639,6 +657,35 @@ time we encounter a blank referer. This behavior allows window.name to persist
639 657
 for the duration of a link-driven navigation session, but as soon as the user
640 658
 enters a new URL or navigates between https/http schemes, the property is cleared.
641 659
 
660
+     </p></li><li class="listitem">Auto form-fill
661
+     <p>
662
+
663
+We disable the password saving functionality in the browser as part of our
664
+<a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance">Disk Avoidance</a> requirement. However,
665
+since users may decide to re-enable disk history records and password saving,
666
+we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a>
667
+preference to false to prevent saved values from immediately populating
668
+fields upon page load. Since Javascript can read these values as soon as they
669
+appear, setting this preference prevents automatic linkability from stored passwords.
670
+
671
+     </p></li><li class="listitem">HSTS supercookies
672
+      <p>
673
+An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a>
674
+supercookies. Since HSTS effectively stores one bit of information per domain
675
+name, an adversary in possession of numerous domains can use them to construct
676
+cookies based on stored HSTS state.
677
+
678
+      </p><p><span class="command"><strong>Design Goal:</strong></span>
679
+
680
+There appears to be three options for us: 1. Disable HSTS entirely, and rely
681
+instead on HTTPS-Everywhere. 2. Restrict the number of HSTS-enabled third
682
+parties allowed per url bar origin. 3. Prevent third parties from storing HSTS
683
+rules. We have not yet decided upon the best approach.
684
+
685
+      </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is
686
+cleared by <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>, but we don't
687
+defend against the creation of these cookies between <span class="command"><strong>New
688
+Identity</strong></span> invocations.
642 689
       </p></li><li class="listitem">Exit node usage
643 690
      <p><span class="command"><strong>Design Goal:</strong></span>
644 691
 
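Review bot: "There appears to be three options" should read "There appear to be three options", and an inline "1. ... 2. ... 3." inside a `<p>` is better expressed as a DocBook orderedlist like the surrounding items. On substance, option 1 (disable HSTS and rely on HTTPS-Everywhere) gives up a defence against SSL stripping at the exit for any site not covered by the HTTPS-Everywhere ruleset; that cost belongs beside the option. Option 3 needs "third party" defined relative to the url bar origin, consistent with the identifier isolation rules earlier in the section. The auto form-fill item reads fine, and `signon.autofillForms` is the correct preference name.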
... ...
@@ -715,11 +762,22 @@ Javascript to query for the existence of specific fonts. With a large enough
715 762
 pre-built list to query, a large amount of fingerprintable information may
716 763
 still be available.
717 764
 
765
+     </p><p>
766
+
767
+The sure-fire way to address font linkability is to ship the browser with a
768
+font for every language, typeface, and style in use in the world, and to only
769
+use those fonts at the exclusion of system fonts.  However, this set may be
770
+impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts" target="_top">common
771
+subset</a> may be found that provides total coverage. However, we believe
772
+that with strong url bar origin identifier isolation, a simpler approach can reduce the
773
+number of bits available to the adversary while avoiding the rendering and
774
+language issues of supporting a global font set.
775
+
718 776
      </p><p><span class="command"><strong>Design Goal:</strong></span>
719 777
 
720
-To address the Javascript issue, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of
721
-fonts</a> an origin can load, gracefully degrading to built-in and/or
722
-remote fonts once the limit is reached.
778
+We intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of
779
+fonts</a> a url bar origin can load, gracefully degrading to built-in
780
+and/or remote fonts once the limit is reached.
723 781
 
724 782
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
725 783
 
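Review bot: "at the exclusion of system fonts" should be "to the exclusion of system fonts". The claim that url bar origin identifier isolation lets a simpler approach "reduce the number of bits available to the adversary" skips a reasoning step: isolation alone does not hide which fonts are installed, so the bits only shrink if the per-origin font limit in the Design Goal below stops a single origin from enumerating the system font list. Spell that out, and say whether the limit is counted per url bar origin per page load or per session, because that determines how much an origin can still learn across visits.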
... ...
@@ -805,7 +863,7 @@ amount of time it takes to mount a successful attack. <a class="ulink" href="htt
805 863
 even with the default precision in most browsers, they required up to 120
806 864
 seconds of amortization and repeated trials to get stable results from their
807 865
 feature set. We intend to work with the research community to establish the
808
-optimum tradeoff between quantization+jitter and amortization time.
866
+optimum trade-off between quantization+jitter and amortization time.
809 867
 
810 868
 
811 869
      </p><p><span class="command"><strong>Implementation Status:</strong></span>
... ...
@@ -852,22 +910,24 @@ Currently we simply disable WebGL.
852 910
      </p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via &quot;New Identity&quot; button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
853 911
 In order to avoid long-term linkability, we provide a "New Identity" context
854 912
 menu option in Torbutton.
855
-   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2853903"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
913
+   </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2626323"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
856 914
 
857 915
 All linkable identifiers and browser state MUST be cleared by this feature.
858 916
 
859
-    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2874701"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
860
-   First, Torbutton disables
861
-all open tabs and windows via nsIContentPolicy blocking, and then closes each
862
-tab and window. The extra step for blocking tabs is done as a precaution to
863
-ensure that any asynchronous Javascript is in fact properly disabled. After
864
-closing all of the windows, we then clear the following state: OCSP (by
865
-toggling security.OCSP.enabled), cache, site-specific zoom and content
866
-preferences, Cookies, DOM storage, safe browsing key, the Google wifi
867
-geolocation token (if exists), HTTP auth, SSL Session IDs, and the last opened URL
868
-field (via the pref general.open_location.last_url). After clearing the
869
-browser state, we then send the NEWNYM signal to the Tor control port to cause
870
-a new circuit to be created.
917
+    </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2612376"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
918
+
919
+   First, Torbutton disables all open tabs and windows via nsIContentPolicy
920
+blocking, and then closes each tab and window. The extra step for blocking
921
+tabs is done as a precaution to ensure that any asynchronous Javascript is in
922
+fact properly disabled. After closing all of the windows, we then clear the
923
+following state: OCSP (by toggling security.OCSP.enabled), cache,
924
+site-specific zoom and content preferences, Cookies, DOM storage, safe
925
+browsing key, the Google wifi geolocation token (if exists), HTTP auth, SSL
926
+Session IDs, HSTS state, and the last opened URL field (via the pref
927
+general.open_location.last_url). After clearing the browser state, we then
928
+send the NEWNYM signal to the Tor control port to cause a new circuit to be
929
+created.
930
+
871 931
     </blockquote></div></div></div><div class="sect2" title="3.8. Click-to-play for plugins and invasive content"><div class="titlepage"><div><div><h3 class="title"><a id="click-to-play"></a>3.8. Click-to-play for plugins and invasive content</h3></div></div></div><p>
872 932
 Some content types are too invasive and/or too opaque for us to properly
873 933
 eliminate their linkability properties. For these content types, we use
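Review bot: the list of state cleared by New Identity now includes "HSTS state" but not site permissions, although the permissions.memory_only patch described in the Firefox Patches section says the permissions manager holds both site permissions and the stored HSTS policy and that Torbutton can handle the toggle. State here whether HSTS state is cleared by toggling permissions.memory_only (which would also clear site permissions) or by a separate mechanism, so the two sections agree. Minor: "Cookies" is capitalised mid-list while the other items are not.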
... ...
@@ -895,7 +955,8 @@ Firebox version, but not much else.
895 955
 
896 956
 This patch exposes a pref 'permissions.memory_only' that properly isolates the
897 957
 permissions manager to memory, which is responsible for all user specified
898
-site permissions, as well as stored HTTPS STS policy from visited sites.
958
+site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a>
959
+policy from visited sites.
899 960
 
900 961
 The pref does successfully clear the permissions manager memory if toggled. It
901 962
 does not need to be set in prefs.js, and can be handled by Torbutton.
... ...
@@ -952,7 +1013,7 @@ ruin our day, and censorship filters). Hence we rolled our own.
952 1013
 This patch prevents random URLs from being inserted into content-prefs.sqllite in
953 1014
 the profile directory as content prefs change (includes site-zoom and perhaps
954 1015
 other site prefs?).
955
-     </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2886800"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2882777"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2864076"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>
1016
+     </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2621568"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2614080"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2613296"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p>
956 1017
 
957 1018
 The purpose of this section is to cover all the known ways that Tor browser
958 1019
 security can be subverted from a penetration testing perspective. The hope
959 1020