TBB design doc: Make section anchors more uniform.
Mike Perry commited on 2013-03-08 10:58:38
Zeige 1 geänderte Dateien mit 12 Einfügungen und 12 Löschungen.
- projects/torbrowser/design/index.html.en 64722404c..f9c381723
| ... | ... |
@@ -1,6 +1,6 @@ |
| 1 | 1 |
<?xml version="1.0" encoding="UTF-8"?> |
| 2 | 2 |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| 3 |
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">March 8 2013</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="sect1"><a href="#idp2245200">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversarygoals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversarypositioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#OtherSecurity">4.8. Other Security Measures</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">4.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp5795728">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp2245200"></a>1. Introduction</h2></div></div></div><p> |
|
| 3 |
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="The Design and Implementation of the Tor Browser [DRAFT]"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>></code></p></div></div></div></div><div><p class="pubdate">March 8 2013</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="sect1"><a href="#idp4695088">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt><dt><span class="sect2"><a href="#firefox-patches">4.9. Description of Firefox Patches</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp5836112">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1" title="1. Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp4695088"></a>1. Introduction</h2></div></div></div><p> |
|
| 4 | 4 |
|
| 5 | 5 |
This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>, |
| 6 | 6 |
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the Tor Browser. It is current as of Tor Browser 2.3.25-4 |
| ... | ... |
@@ -249,7 +249,7 @@ A Tor web browser adversary has a number of goals, capabilities, and attack |
| 249 | 249 |
types that can be used to illustrate the design requirements for the |
| 250 | 250 |
Tor Browser. Let's start with the goals. |
| 251 | 251 |
|
| 252 |
- </p><div class="sect2" title="3.1. Adversary Goals"><div class="titlepage"><div><div><h3 class="title"><a id="adversarygoals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of |
|
| 252 |
+ </p><div class="sect2" title="3.1. Adversary Goals"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-goals"></a>3.1. Adversary Goals</h3></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Bypassing proxy settings</strong></span><p>The adversary's primary goal is direct compromise and bypass of |
|
| 253 | 253 |
Tor, causing the user to directly connect to an IP of the adversary's |
| 254 | 254 |
choosing.</p></li><li class="listitem"><span class="command"><strong>Correlation of Tor vs Non-Tor Activity</strong></span><p>If direct proxy bypass is not possible, the adversary will likely |
| 255 | 255 |
happily settle for the ability to correlate something a user did via Tor with |
| ... | ... |
@@ -288,7 +288,7 @@ In some cases, the adversary may opt for a heavy-handed approach, such as |
| 288 | 288 |
seizing the computers of all Tor users in an area (especially after narrowing |
| 289 | 289 |
the field by the above two pieces of information). History records and cache |
| 290 | 290 |
data are the primary goals here. |
| 291 |
- </p></li></ol></div></div><div class="sect2" title="3.2. Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h3 class="title"><a id="adversarypositioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p> |
|
| 291 |
+ </p></li></ol></div></div><div class="sect2" title="3.2. Adversary Capabilities - Positioning"><div class="titlepage"><div><div><h3 class="title"><a id="adversary-positioning"></a>3.2. Adversary Capabilities - Positioning</h3></div></div></div><p> |
|
| 292 | 292 |
The adversary can position themselves at a number of different locations in |
| 293 | 293 |
order to execute their attacks. |
| 294 | 294 |
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>Exit Node or Upstream Router</strong></span><p> |
| ... | ... |
@@ -606,13 +606,13 @@ events from Torbutton before the OS downloads the URLs the events contained. |
| 606 | 606 |
Tor Browser State is separated from existing browser state through use of a |
| 607 | 607 |
custom Firefox profile. Furthermore, plugins are disabled, which prevents |
| 608 | 608 |
Flash cookies from leaking from a pre-existing Flash directory. |
| 609 |
- </p></div><div class="sect2" title="4.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5537536"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
| 609 |
+ </p></div><div class="sect2" title="4.3. Disk Avoidance"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5577776"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
| 610 | 610 |
|
| 611 | 611 |
The User Agent MUST (at user option) prevent all disk records of browser activity. |
| 612 | 612 |
The user should be able to optionally enable URL history and other history |
| 613 | 613 |
features if they so desire. |
| 614 | 614 |
|
| 615 |
- </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5538896"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
| 615 |
+ </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5579136"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
| 616 | 616 |
|
| 617 | 617 |
We achieve this goal through several mechanisms. First, we set the Firefox |
| 618 | 618 |
Private Browsing preference |
| ... | ... |
@@ -692,7 +692,7 @@ the url bar origin for which browser state exists, possibly with a |
| 692 | 692 |
context-menu option to drill down into specific types of state or permissions. |
| 693 | 693 |
An example of this simplification can be seen in Figure 1. |
| 694 | 694 |
|
| 695 |
- </p><div class="figure"><a id="idp5562896"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p> |
|
| 695 |
+ </p><div class="figure"><a id="idp5603216"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p> |
|
| 696 | 696 |
|
| 697 | 697 |
This example UI is a mock-up of how isolating identifiers to the URL bar |
| 698 | 698 |
origin can simplify the privacy UI for all data - not just cookies. Once |
| ... | ... |
@@ -1178,11 +1178,11 @@ In order to avoid long-term linkability, we provide a "New Identity" context |
| 1178 | 1178 |
menu option in Torbutton. This context menu option is active if Torbutton can |
| 1179 | 1179 |
read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT. |
| 1180 | 1180 |
|
| 1181 |
- </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5680880"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
| 1181 |
+ </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5721200"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"> |
|
| 1182 | 1182 |
|
| 1183 | 1183 |
All linkable identifiers and browser state MUST be cleared by this feature. |
| 1184 | 1184 |
|
| 1185 |
- </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5682128"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
| 1185 |
+ </blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5722448"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
| 1186 | 1186 |
|
| 1187 | 1187 |
First, Torbutton disables Javascript in all open tabs and windows by using |
| 1188 | 1188 |
both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a> |
| ... | ... |
@@ -1211,7 +1211,7 @@ closed. |
| 1211 | 1211 |
</p></blockquote></div><div class="blockquote"><blockquote class="blockquote"> |
| 1212 | 1212 |
If the user chose to "protect" any cookies by using the Torbutton Cookie |
| 1213 | 1213 |
Protections UI, those cookies are not cleared as part of the above. |
| 1214 |
- </blockquote></div></div></div><div class="sect2" title="4.8. Other Security Measures"><div class="titlepage"><div><div><h3 class="title"><a id="OtherSecurity"></a>4.8. Other Security Measures</h3></div></div></div><p> |
|
| 1214 |
+ </blockquote></div></div></div><div class="sect2" title="4.8. Other Security Measures"><div class="titlepage"><div><div><h3 class="title"><a id="other-security"></a>4.8. Other Security Measures</h3></div></div></div><p> |
|
| 1215 | 1215 |
|
| 1216 | 1216 |
In addition to the above mechanisms that are devoted to preserving privacy |
| 1217 | 1217 |
while browsing, we also have a number of technical mechanisms to address other |
| ... | ... |
@@ -1223,7 +1223,7 @@ privacy and security issues. |
| 1223 | 1223 |
Fingerprinting</a> is a statistical attack to attempt to recognize specific |
| 1224 | 1224 |
encrypted website activity. |
| 1225 | 1225 |
|
| 1226 |
- </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5694768"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
| 1226 |
+ </p><div class="sect3" title="Design Goal:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5734960"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
| 1227 | 1227 |
|
| 1228 | 1228 |
We want to deploy a mechanism that reduces the accuracy of features available |
| 1229 | 1229 |
for classification. This mechanism would either impact the true and false |
| ... | ... |
@@ -1244,7 +1244,7 @@ Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href |
| 1244 | 1244 |
defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor |
| 1245 | 1245 |
network. |
| 1246 | 1246 |
|
| 1247 |
- </p></blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5700896"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
| 1247 |
+ </p></blockquote></div></div><div class="sect3" title="Implementation Status:"><div class="titlepage"><div><div><h4 class="title"><a id="idp5741184"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p> |
|
| 1248 | 1248 |
Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0017-Randomize-HTTP-request-order-and-pipeline-depth.patch" target="_top">randomize |
| 1249 | 1249 |
pipeline order and depth</a>. Unfortunately, pipelining is very fragile. |
| 1250 | 1250 |
Many sites do not support it, and even sites that advertise support for |
| ... | ... |
@@ -1575,7 +1575,7 @@ possible for us to <a class="ulink" href="https://trac.torproject.org/projects/t |
| 1575 | 1575 |
ourselves</a>, as they are comparatively rare and can be handled with site |
| 1576 | 1576 |
permissions. |
| 1577 | 1577 |
|
| 1578 |
- </p></li></ol></div></div><div class="sect1" title="A.2. Promising Standards"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp5795728"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p> |
|
| 1578 |
+ </p></li></ol></div></div><div class="sect1" title="A.2. Promising Standards"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp5836112"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p> |
|
| 1579 | 1579 |
|
| 1580 | 1580 |
Web-Send is a browser-based link sharing and federated login widget that is |
| 1581 | 1581 |
designed to operate without relying on third-party tracking or abusing other |
| 1582 | 1582 |