Mike Perry committed on 2011-10-07 02:35:15
Showing 1 changed file with 93 additions and 33 deletions.
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
<?xml version="1.0" encoding="UTF-8"?> |
2 | 2 |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
3 |
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 4 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2857732">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. 
Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2857732"></a>1. Introduction</h2></div></div></div><p> |
|
3 |
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">Oct 6 2011</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="#id2597772">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary">1.1. Adversary Model</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. 
Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">3. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">3.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">3.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">3.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">3.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">3.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">3.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">3.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#click-to-play">3.8. Click-to-play for plugins and invasive content</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">3.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Packaging">4. Packaging</a></span></dt><dd><dl><dt><span class="sect2"><a href="#build-security">4.1. Build Process Security</a></span></dt><dt><span class="sect2"><a href="#addons">4.2. External Addons</a></span></dt><dt><span class="sect2"><a href="#prefs">4.3. Pref Changes</a></span></dt><dt><span class="sect2"><a href="#update-mechanism">4.4. Update Security</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Testing">5. Testing</a></span></dt><dd><dl><dt><span class="sect2"><a href="#SingleStateTesting">5.1. Single state testing</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2597772"></a>1. Introduction</h2></div></div></div><p> |
|
4 | 4 |
|
5 | 5 |
This document describes the <a class="link" href="#adversary" title="1.1. Adversary Model">adversary model</a>, |
6 | 6 |
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, |
... | ... |
@@ -187,7 +187,8 @@ adversary. |
187 | 187 |
</p></li></ol></div></div></div></div><div class="sect1" title="2. Design Requirements and Philosophy"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DesignRequirements"></a>2. Design Requirements and Philosophy</h2></div></div></div><p> |
188 | 188 |
|
189 | 189 |
The Tor Browser Design Requirements are meant to describe the properties of a |
190 |
-Private Browsing Mode that defends against both network and forensic adversaries. |
|
190 |
+Private Browsing Mode that defends against both network and local forensic |
|
191 |
+adversaries. |
|
191 | 192 |
|
192 | 193 |
</p><p> |
193 | 194 |
|
... | ... |
@@ -237,7 +238,9 @@ operating system to write <span class="emphasis"><em>any information</em></span> |
237 | 238 |
of private browsing to disk outside of the application's control. The user |
238 | 239 |
must be able to ensure that secure removal of the software is sufficient to |
239 | 240 |
remove evidence of the use of the software. All exceptions and shortcomings |
240 |
-due to operating system behavior MUST BE wiped by an uninstaller. |
|
241 |
+due to operating system behavior MUST BE wiped by an uninstaller. However, due |
|
242 |
+to permissions issues with access to swap, implementations MAY choose to leave |
|
243 |
+it out of scope, and/or leave it to the user to implement encrypted swap. |
|
241 | 244 |
|
242 | 245 |
</p></li><li class="listitem"><span class="command"><strong>Update Safety</strong></span><p>The browser SHOULD NOT perform unsafe updates or upgrades.</p></li></ol></div></div><div class="sect2" title="2.2. Privacy Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="privacy"></a>2.2. Privacy Requirements</h3></div></div></div><p> |
243 | 246 |
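Review bot: the new MAY clause on lines 241-243 has an ambiguous antecedent ("leave it out of scope") and quietly weakens the "MUST BE wiped by an uninstaller" in the sentence before it without saying so. Name the thing being excepted, e.g. "implementations MAY treat swap as out of scope and/or leave it to the user to enable encrypted swap", and add that an implementation taking this option SHOULD tell the user that swap is not wiped, since the requirement as a whole promises that secure removal of the software is sufficient to remove evidence of its use.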
|
... | ... |
@@ -259,10 +262,12 @@ to be the entire fully qualified domain name |
259 | 262 |
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Cross-Origin Identifier Unlinkability</strong></span><p> |
260 | 263 |
|
261 | 264 |
User activity on one url bar origin MUST NOT be linkable to their activity in |
262 |
-any other url bar origin by any third party. This property specifically applies to |
|
263 |
-linkability from stored browser identifiers, authentication tokens, and shared |
|
264 |
-state. This functionality SHOULD NOT interfere with federated login in a |
|
265 |
-substantial way. |
|
265 |
+any other url bar origin by any third party automatically or without user |
|
266 |
+interaction or approval. This requirement specifically applies to linkability |
|
267 |
+from stored browser identifiers, authentication tokens, and shared state. The |
|
268 |
+requirement does not apply to linkable information the user manually submits |
|
269 |
+to sites, or due information submitted during manual link traversal. This |
|
270 |
+functionality SHOULD NOT interfere with federated login in a substantial way. |
|
266 | 271 |
|
267 | 272 |
</p></li><li class="listitem"><span class="command"><strong>Cross-Origin Fingerprinting Unlinkability</strong></span><p> |
268 | 273 |
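Review bot: "or due information submitted during manual link traversal" on added line 269 is missing a word; read "or to information submitted during manual link traversal" so it parallels "information the user manually submits to sites". "automatically or without user interaction or approval" on lines 265-266 is also slightly redundant, since "without user interaction or approval" already covers the automatic case.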
|
... | ... |
@@ -417,13 +422,13 @@ launch a helper app. |
417 | 422 |
Tor Browser State is separated from existing browser state through use of a |
418 | 423 |
custom Firefox profile. Furthermore, plugins are disabled, which prevents |
419 | 424 |
Flash cookies from leaking from a pre-existing Flash directory. |
420 |
- </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2886678"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
425 |
+ </p></div><div class="sect2" title="3.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>3.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2616664"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
421 | 426 |
Tor Browser MUST (at user option) prevent all disk records of browser activity. |
422 | 427 |
The user should be able to optionally enable URL history and other history |
423 | 428 |
features if they so desire. Once we <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3100" target="_top">simplify the |
424 | 429 |
preferences interface</a>, we will likely just enable Private Browsing |
425 | 430 |
mode by default to handle this goal. |
426 |
- </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2874561"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
431 |
+ </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2606128"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
427 | 432 |
For now, Tor Browser blocks write access to the disk through Torbutton |
428 | 433 |
using several Firefox preferences. |
429 | 434 |
|
... | ... |
@@ -488,7 +493,7 @@ the url bar origin for which browser state exists, possibly with a |
488 | 493 |
context-menu option to drill down into specific types of state or permissions. |
489 | 494 |
An example of this simplification can be seen in Figure 1. |
490 | 495 |
|
491 |
- </p><div class="figure"><a id="id2867838"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p> |
|
496 |
+ </p><div class="figure"><a id="id2612402"></a><p class="title"><b>Figure 1. Improving the Privacy UI</b></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="CookieManagers.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p> |
|
492 | 497 |
|
493 | 498 |
On the left is the standard Firefox cookie manager. On the right is a mock-up |
494 | 499 |
of how isolating identifiers to the URL bar origin might simplify the privacy |
... | ... |
@@ -608,11 +614,17 @@ Unlinkability <a class="link" href="#privacy" title="2.2. Privacy Requirements" |
608 | 614 |
MUST prompt users before following redirects that would cause the user to |
609 | 615 |
automatically navigate between two different url bar origins. |
610 | 616 |
|
611 |
- </p><p><span class="command"><strong>Implementation status:</strong></span> |
|
617 |
+</p><p> |
|
612 | 618 |
|
613 |
-There are numerous ways for the user to be redirected, and the Firefox API |
|
614 |
-support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug |
|
615 |
-open</a> to implement what we can. |
|
619 |
+However, to |
|
620 |
+reduce the occurrence of warning fatigue, these warning messages MAY be limited |
|
621 |
+to automated redirect cycles only. For example, the automated redirect |
|
622 |
+sequence <span class="command"><strong>User Click -> t.co -> bit.ly -> cnn.com</strong></span> can be |
|
623 |
+assumed to be benign, but the redirect sequence <span class="command"><strong>User Click -> t.co -> |
|
624 |
+bit.ly -> cnn.com -> 2o7.net -> scorecardresearch.net -> cnn.com</strong></span> is |
|
625 |
+clearly due to tracking. Non-automated redirect cycles that require |
|
626 |
+user input at some step (such as federated login systems) need not be |
|
627 |
+interrupted by the UI. |
|
616 | 628 |
|
617 | 629 |
</p><p> |
618 | 630 |
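Review bot: the benign-versus-tracking distinction on lines 620-625 is given by example only; state the criterion. In the two chains shown, what separates them is that the second returns to an origin already in the chain (cnn.com -> 2o7.net -> scorecardresearch.net -> cnn.com), so define a "redirect cycle" as an automated redirect chain that revisits a url bar origin it has already passed through, and limit the prompt to those. As written, "MAY be limited to automated redirect cycles only" also reads as contradicting the "MUST prompt users before following redirects" on lines 614-615; phrasing it as an explicit exception to that requirement ("MUST prompt ... except that ...") would make the intent clear.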
|
... | ... |
@@ -622,6 +634,12 @@ assumed that private browsing sessions will be relatively short-lived, |
622 | 634 |
especially with frequent use of the <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New |
623 | 635 |
Identity</a> button. |
624 | 636 |
|
637 |
+ </p><p><span class="command"><strong>Implementation status:</strong></span> |
|
638 |
+ |
|
639 |
+There are numerous ways for the user to be redirected, and the Firefox API |
|
640 |
+support to detect each of them is poor. We have a <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3600" target="_top">trac bug |
|
641 |
+open</a> to implement what we can. |
|
642 |
+ |
|
625 | 643 |
</p></li><li class="listitem">window.name |
626 | 644 |
<p> |
627 | 645 |
|
... | ... |
@@ -639,6 +657,35 @@ time we encounter a blank referer. This behavior allows window.name to persist |
639 | 657 |
for the duration of a link-driven navigation session, but as soon as the user |
640 | 658 |
enters a new URL or navigates between https/http schemes, the property is cleared. |
641 | 659 |
|
660 |
+ </p></li><li class="listitem">Auto form-fill |
|
661 |
+ <p> |
|
662 |
+ |
|
663 |
+We disable the password saving functionality in the browser as part of our |
|
664 |
+<a class="link" href="#disk-avoidance" title="3.3. Disk Avoidance">Disk Avoidance</a> requirement. However, |
|
665 |
+since users may decide to re-enable disk history records and password saving, |
|
666 |
+we also set the <a class="ulink" href="http://kb.mozillazine.org/Signon.autofillForms" target="_top">signon.autofillForms</a> |
|
667 |
+preference to false to prevent saved values from immediately populating |
|
668 |
+fields upon page load. Since Javascript can read these values as soon as they |
|
669 |
+appear, setting this preference prevents automatic linkability from stored passwords. |
|
670 |
+ |
|
671 |
+ </p></li><li class="listitem">HSTS supercookies |
|
672 |
+ <p> |
|
673 |
+An extreme (but not impossible) attack to mount is the creation of <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a> |
|
674 |
+supercookies. Since HSTS effectively stores one bit of information per domain |
|
675 |
+name, an adversary in possession of numerous domains can use them to construct |
|
676 |
+cookies based on stored HSTS state. |
|
677 |
+ |
|
678 |
+ </p><p><span class="command"><strong>Design Goal:</strong></span> |
|
679 |
+ |
|
680 |
+There appears to be three options for us: 1. Disable HSTS entirely, and rely |
|
681 |
+instead on HTTPS-Everywhere. 2. Restrict the number of HSTS-enabled third |
|
682 |
+parties allowed per url bar origin. 3. Prevent third parties from storing HSTS |
|
683 |
+rules. We have not yet decided upon the best approach. |
|
684 |
+ |
|
685 |
+ </p><p><span class="command"><strong>Implementation Status:</strong></span> Currently, HSTS state is |
|
686 |
+cleared by <a class="link" href="#new-identity" title="3.7. Long-Term Unlinkability via "New Identity" button">New Identity</a>, but we don't |
|
687 |
+defend against the creation of these cookies between <span class="command"><strong>New |
|
688 |
+Identity</strong></span> invocations. |
|
642 | 689 |
</p></li><li class="listitem">Exit node usage |
643 | 690 |
<p><span class="command"><strong>Design Goal:</strong></span> |
644 | 691 |
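Review bot: "setting this preference prevents automatic linkability from stored passwords" on lines 668-669 overstates what signon.autofillForms=false does: it only stops the saved value being written into the field at page load, and once the user picks the saved login from the form's dropdown a script can read it as before. That is consistent with the "without user interaction or approval" wording of the Cross-Origin Identifier Unlinkability requirement, so say "linkability without user interaction" here. In the HSTS item, "There appears to be three options" on line 680 should be "There appear to be three options", and the inline "1. ... 2. ... 3." list would render better as a DocBook orderedlist like the surrounding items. The HSTS clearing claimed on lines 685-686 matches the HSTS state added to the New Identity list later in this commit.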
|
... | ... |
@@ -715,11 +762,22 @@ Javascript to query for the existence of specific fonts. With a large enough |
715 | 762 |
pre-built list to query, a large amount of fingerprintable information may |
716 | 763 |
still be available. |
717 | 764 |
|
765 |
+ </p><p> |
|
766 |
+ |
|
767 |
+The sure-fire way to address font linkability is to ship the browser with a |
|
768 |
+font for every language, typeface, and style in use in the world, and to only |
|
769 |
+use those fonts at the exclusion of system fonts. However, this set may be |
|
770 |
+impractically large. It is possible that a smaller <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/Unicode_typeface#List_of_Unicode_fonts" target="_top">common |
|
771 |
+subset</a> may be found that provides total coverage. However, we believe |
|
772 |
+that with strong url bar origin identifier isolation, a simpler approach can reduce the |
|
773 |
+number of bits available to the adversary while avoiding the rendering and |
|
774 |
+language issues of supporting a global font set. |
|
775 |
+ |
|
718 | 776 |
</p><p><span class="command"><strong>Design Goal:</strong></span> |
719 | 777 |
|
720 |
-To address the Javascript issue, we intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of |
|
721 |
-fonts</a> an origin can load, gracefully degrading to built-in and/or |
|
722 |
-remote fonts once the limit is reached. |
|
778 |
+We intend to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/2872" target="_top">limit the number of |
|
779 |
+fonts</a> a url bar origin can load, gracefully degrading to built-in |
|
780 |
+and/or remote fonts once the limit is reached. |
|
723 | 781 |
|
724 | 782 |
</p><p><span class="command"><strong>Implementation Status:</strong></span> |
725 | 783 |
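Review bot: "at the exclusion of system fonts" on line 769 should be "to the exclusion of system fonts". The Design Goal on lines 778-780 now limits fonts per "url bar origin" rather than per "origin", which is consistent with the identifier-isolation wording elsewhere, but dropping "To address the Javascript issue" from removed line 720 leaves the goal untied to the font-probing problem the preceding paragraph still describes; keep a clause linking the limit back to that issue.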
|
... | ... |
@@ -805,7 +863,7 @@ amount of time it takes to mount a successful attack. <a class="ulink" href="htt |
805 | 863 |
even with the default precision in most browsers, they required up to 120 |
806 | 864 |
seconds of amortization and repeated trials to get stable results from their |
807 | 865 |
feature set. We intend to work with the research community to establish the |
808 |
-optimum tradeoff between quantization+jitter and amortization time. |
|
866 |
+optimum trade-off between quantization+jitter and amortization time. |
|
809 | 867 |
|
810 | 868 |
|
811 | 869 |
</p><p><span class="command"><strong>Implementation Status:</strong></span> |
... | ... |
@@ -852,22 +910,24 @@ Currently we simply disable WebGL. |
852 | 910 |
</p></li></ol></div></div><div class="sect2" title="3.7. Long-Term Unlinkability via "New Identity" button"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>3.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p> |
853 | 911 |
In order to avoid long-term linkability, we provide a "New Identity" context |
854 | 912 |
menu option in Torbutton. |
855 |
- </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2853903"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
913 |
+ </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="id2626323"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
856 | 914 |
|
857 | 915 |
All linkable identifiers and browser state MUST be cleared by this feature. |
858 | 916 |
|
859 |
- </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2874701"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
860 |
- First, Torbutton disables |
|
861 |
-all open tabs and windows via nsIContentPolicy blocking, and then closes each |
|
862 |
-tab and window. The extra step for blocking tabs is done as a precaution to |
|
863 |
-ensure that any asynchronous Javascript is in fact properly disabled. After |
|
864 |
-closing all of the windows, we then clear the following state: OCSP (by |
|
865 |
-toggling security.OCSP.enabled), cache, site-specific zoom and content |
|
866 |
-preferences, Cookies, DOM storage, safe browsing key, the Google wifi |
|
867 |
-geolocation token (if exists), HTTP auth, SSL Session IDs, and the last opened URL |
|
868 |
-field (via the pref general.open_location.last_url). After clearing the |
|
869 |
-browser state, we then send the NEWNYM signal to the Tor control port to cause |
|
870 |
-a new circuit to be created. |
|
917 |
+ </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="id2612376"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
918 |
+ |
|
919 |
+ First, Torbutton disables all open tabs and windows via nsIContentPolicy |
|
920 |
+blocking, and then closes each tab and window. The extra step for blocking |
|
921 |
+tabs is done as a precaution to ensure that any asynchronous Javascript is in |
|
922 |
+fact properly disabled. After closing all of the windows, we then clear the |
|
923 |
+following state: OCSP (by toggling security.OCSP.enabled), cache, |
|
924 |
+site-specific zoom and content preferences, Cookies, DOM storage, safe |
|
925 |
+browsing key, the Google wifi geolocation token (if exists), HTTP auth, SSL |
|
926 |
+Session IDs, HSTS state, and the last opened URL field (via the pref |
|
927 |
+general.open_location.last_url). After clearing the browser state, we then |
|
928 |
+send the NEWNYM signal to the Tor control port to cause a new circuit to be |
|
929 |
+created. |
|
930 |
+ |
|
871 | 931 |
</blockquote></div></div></div><div class="sect2" title="3.8. Click-to-play for plugins and invasive content"><div class="titlepage"><div><div><h3 class="title"><a id="click-to-play"></a>3.8. Click-to-play for plugins and invasive content</h3></div></div></div><p> |
872 | 932 |
Some content types are too invasive and/or too opaque for us to properly |
873 | 933 |
eliminate their linkability properties. For these content types, we use |
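Review bot: the Implementation Status paragraph on lines 919-929 is a four-step sequence (block content via nsIContentPolicy, close tabs and windows, clear state, send NEWNYM) written as one paragraph; a DocBook orderedlist would make it easier to audit against the "All linkable identifiers and browser state MUST be cleared" goal just above. "the Google wifi geolocation token (if exists)" on line 925 should read "(if one exists)". Adding HSTS state to the cleared list is the substantive change and matches the HSTS supercookies item added earlier in this commit.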
... | ... |
@@ -895,7 +955,8 @@ Firebox version, but not much else. |
895 | 955 |
|
896 | 956 |
This patch exposes a pref 'permissions.memory_only' that properly isolates the |
897 | 957 |
permissions manager to memory, which is responsible for all user specified |
898 |
-site permissions, as well as stored HTTPS STS policy from visited sites. |
|
958 |
+site permissions, as well as stored <a class="ulink" href="https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Strict_Transport_Security" target="_top">HSTS</a> |
|
959 |
+policy from visited sites. |
|
899 | 960 |
|
900 | 961 |
The pref does successfully clear the permissions manager memory if toggled. It |
901 | 962 |
does not need to be set in prefs.js, and can be handled by Torbutton. |
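Review bot: the hunk header context shows "Firebox version, but not much else." at line 955; that looks like a typo for "Firefox version" and is worth fixing while this paragraph is being touched. The HSTS link added on line 958 is the same secure.wikimedia.org URL used in the HSTS supercookies item; consider linking the term only on first use.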
... | ... |
@@ -952,7 +1013,7 @@ ruin our day, and censorship filters). Hence we rolled our own. |
952 | 1013 |
This patch prevents random URLs from being inserted into content-prefs.sqllite in |
953 | 1014 |
the profile directory as content prefs change (includes site-zoom and perhaps |
954 | 1015 |
other site prefs?). |
955 |
- </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2886800"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2882777"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2864076"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p> |
|
1016 |
+ </p></li></ol></div></div></div><div class="sect1" title="4. Packaging"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Packaging"></a>4. Packaging</h2></div></div></div><p> </p><div class="sect2" title="4.1. Build Process Security"><div class="titlepage"><div><div><h3 class="title"><a id="build-security"></a>4.1. Build Process Security</h3></div></div></div><p> </p></div><div class="sect2" title="4.2. External Addons"><div class="titlepage"><div><div><h3 class="title"><a id="addons"></a>4.2. External Addons</h3></div></div></div><p> </p><div class="sect3" title="Included Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2621568"></a>Included Addons</h4></div></div></div></div><div class="sect3" title="Excluded Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2614080"></a>Excluded Addons</h4></div></div></div></div><div class="sect3" title="Dangerous Addons"><div class="titlepage"><div><div><h4 class="title"><a id="id2613296"></a>Dangerous Addons</h4></div></div></div></div></div><div class="sect2" title="4.3. Pref Changes"><div class="titlepage"><div><div><h3 class="title"><a id="prefs"></a>4.3. Pref Changes</h3></div></div></div><p> </p></div><div class="sect2" title="4.4. Update Security"><div class="titlepage"><div><div><h3 class="title"><a id="update-mechanism"></a>4.4. Update Security</h3></div></div></div><p> </p></div></div><div class="sect1" title="5. Testing"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Testing"></a>5. Testing</h2></div></div></div><p> |
|
956 | 1017 |
|
957 | 1018 |
The purpose of this section is to cover all the known ways that Tor browser |
958 | 1019 |
security can be subverted from a penetration testing perspective. The hope |
959 | 1020 |
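Review bot: only generated ids change here, but the context line at 1013 has "content-prefs.sqllite", which should be "content-prefs.sqlite" (the profile file is content-prefs.sqlite), and "(includes site-zoom and perhaps other site prefs?)" leaves the scope of the patch as an open question in the design document; either confirm what content-prefs.sqlite stores or mark it as unverified. Sections 4.1 to 4.4 and the three addon sub-sections are still empty placeholders (<p> </p>).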