Torbutton Development Branch

About

Torbutton is a 1-click way for Firefox users to enable or disable the browser's use of Tor. It adds a panel to the statusbar that says "Tor Enabled" (in green) or "Tor Disabled" (in red). The user may click on the panel to toggle the status. If the user (or some other extension) changes the proxy settings, the change is automatically reflected in the statusbar.

Some users may prefer a toolbar button instead of a statusbar panel. Such a button is included, and one adds it to the toolbar by right-clicking on the desired toolbar, selecting "Customize...", and then dragging the Torbutton icon onto the toolbar. There is an option in the preferences to hide the statusbar panel (Tools->Extensions, select Torbutton, and click on Preferences).

Newer Firefoxes have the ability to send DNS resolves through the socks proxy, and Torbutton will make use of this feature if it is available in your version of Firefox.

FAQ

Due to Firefox Bug 409737, pages can still open popups and perform Javascript redirects and history access after Tor has been toggled. These popups and redirects can be blocked, but unfortunately they are indistinguishable from normal user interactions with the page (such as clicking on links, opening them in new tabs/windows, or using the history buttons), and so those are blocked as a side effect. Once that Firefox bug is fixed, this degree of isolation will become optional (for people who do not want to accidentally click on links and give away information via referrers). A workaround is to right click on the link, and open it in a new tab or window. The tab or window won't load automatically, but you can hit enter in the URL bar, and it will begin loading. Hitting enter in the URL bar will also reload the page without clicking the reload button.

Try to disable Tor by clicking on the button, and then open a new window. If that doesn't fix the issue, go to the preferences page and hit 'Restore Defaults'. This should reset the extension and Firefox to a known good configuration. If you can manage to reproduce whatever issue gets your Firefox wedged, please file details at the bug tracker.

Javascript can do things like wait until you have disabled Tor before trying to contact its source site, thus revealing your IP address. As such, Torbutton must disable Javascript, Meta-Refresh tags, and certain CSS behavior when Tor state changes from the state that was used to load a given page. These features are re-enabled when Torbutton goes back into the state that was used to load the page, but in some cases (particularly with Javascript and CSS) it is sometimes not possible to fully recover from the resulting errors, and the page is broken. Unfortunately, the only thing you can do (and still remain safe from having your IP address leak) is to reload the page when you toggle Tor, or just ensure you do all your work in a page before switching tor state.

Currently, this is tied to the "Block history writes during Tor" setting. If you have enabled that setting, all formfill functionality (both saving and reading) is disabled. If this bothers you, you can uncheck that option, but both history and forms will be saved. To prevent history disclosure attacks via Non-Tor usage, it is recommended you disable Non-Tor history reads if you allow history writing during Tor.

This is a tough one. There are thousands of Firefox extensions: making a complete list of ones that are bad for anonymity is near impossible. However, here are a few examples that should get you started as to what sorts of behavior are dangerous.

1. StumbleUpon, et al
These extensions will send all sorts of information about the websites you visit to the stumbleupon servers, and correlate this information with a unique identifier. This is obviously terrible for your anonymity. More generally, any sort of extension that requires registration, or even extensions that provide information about websites you visit should be suspect.
2. FoxyProxy
While FoxyProxy is a nice idea in theory, in practice it is impossible to configure securely for Tor usage without Torbutton. Like all vanilla third party proxy plugins, the main risks are plugin leakage and history disclosure, followed closely by cookie theft by exit nodes and tracking by adservers (see the Torbutton Adversary Model for more information). However, even with Torbutton installed in tandem and always enabled, it is still very difficult (though not impossible) to configure FoxyProxy securely. Since FoxyProxy's 'Patterns' mode only applies to specific urls, and not to an entire tab, setting FoxyProxy to only send specific sites through Tor will still allow adservers to still learn your real IP. Worse, if those sites use offsite logging services such as Google Analytics, you may still end up in their logs with your real IP. Malicious exit nodes can also cooperate with sites to inject images into pages that bypass your filters. Setting FoxyProxy to only send certain URLs via Non-Tor is much more viable, but be very careful with the filters you allow. For example, something as simple as allowing *google* to go via Non-Tor will still cause you to end up in all the logs of all websites that use Google Analytics! See this question on the FoxyProxy FAQ for more information.
3. NoScript
Torbutton currently mitigates all known anonymity issues with Javascript. While it may be tempting to get better security by disabling Javascript for certain sites, you are far better off with an all-or-nothing approach. NoScript is exceedingly complicated, and has many subtleties that can surprise even advanced users. For example, addons.mozilla.org verifies extension integrity via Javascript over https, but downloads them in the clear. Not adding it to your whitelist effectively means you are pulling down unverified extensions. Worse still, using NoScript can actually disable protections that Torbutton itself provides via Javascript, yet still allow malicious exit nodes to compromise your anonymity via the default whitelist (which they can spoof to inject any script they want).

1. RefControl
Mentioned above, this extension allows more fine-grained referrer spoofing than Torbutton currently provides. It should break less sites than Torbutton's referrer spoofing option.
2. SafeCache
If you use Tor excessively, and rarely disable it, you probably want to install this extension to minimize the ability of sites to store long term identifiers in your cache. This extension applies same origin policy to the cache, so that elements are retrieved from the cache only if they are fetched from a document in the same origin domain as the cached element.

There is currently one known unfixed security issue with Torbutton: it is possible to unmask the javascript hooks that wrap the Date object to conceal your timezone in Firefox 2, and the timezone masking code does not work at all on Firefox 3. We are working with the Firefox team to fix one of Bug 399274 or Bug 419598 to address this. In the meantime, it is possible to set the TZ environment variable to UTC to cause the browser to use UTC as your timezone. Under Linux, you can add an export TZ=UTC to the /usr/bin/firefox script, or edit your system bashrc to do the same. Under Windows, you can set either a User or System Environment Variable for TZ via My Computer's properties. In MacOS, the situation is a lot more complicated, unfortunately.

In addition, RSS readers such as Firefox Livemarks can perform periodic fetches. Due to Firefox Bug 436250, there is no way to disable Livemark fetches during Tor. This can be a problem if you have a lot of custom Livemark urls that can give away information about your identity.

Description of Options

The development branch of Torbutton adds several new security features to protect your anonymity from all the major threats the author is aware of. The defaults should be fine for most people, but in case you are the tweaker type, or if you prefer to try to outsource some options to more flexible extensions, here is the complete list. (In an ideal world, these descriptions should all be tooltips in the extension itself, but Firefox bugs 45375 and 218223 currently prevent this).

• Disable plugins on Tor Usage (crucial)
This option is key to Tor security. Plugins perform their own networking independent of the browser, and many plugins only partially obey even their own proxy settings.
• Isolate Dynamic Content to Tor State (crucial)
Another crucial option, this setting causes the plugin to disable Javascript on tabs that are loaded during a Tor state different than the current one, to prevent delayed fetches of injected URLs that contain unique identifiers, and to prevent meta-refresh tags from revealing your IP when you turn off Tor. It also prevents all fetches from tabs loaded with an opposite Tor state. This serves to block non-Javascript dynamic content such as CSS popups from revealing your IP address if you disable Tor.
• Hook Dangerous Javascript (crucial)
This setting enables the Javascript hooking code. Javascript is injected into pages to hook the Date object to mask your timezone, and to hook the navigator object to mask OS and user agent properties not handled by the standard Firefox user agent override settings.
• Resize window dimensions to multiples of 50px on toggle (recommended)
To cut down on the amount of state available to fingerprint users uniquely, this pref causes windows to be resized to a multiple of 50 pixels on each side when Tor is enabled and pages are loaded.
• Disable Updates During Tor (recommended)
Under Firefox 2, many extension authors did not update their extensions from SSL-enabled websites. It is possible for malicious Tor nodes to hijack these extensions and replace them with malicious ones, or add malicious code to existing extensions. Since Firefox 3 now enforces encrypted and/or authenticated updates, this setting is no longer as important as it once was (though updates do leak information about which extensions you have, it is fairly infrequent).
• Disable Search Suggestions during Tor (optional)
This optional setting governs if you get Google search suggestions during Tor usage. Since no cookie is transmitted during search suggestions, this is a relatively benign behavior.
• Block Tor/Non-Tor access to network from file:// urls (recommended)
These settings prevent local html documents from transmitting local files to arbitrary websites under Firefox 2. Since exit nodes can insert headers that force the browser to save arbitrary pages locally (and also inject script into arbitrary html files you save to disk via Tor), it is probably a good idea to leave this setting on.
• Close all Non-Tor/Tor windows and tabs on toggle (optional)
These two settings allow you to obtain a greater degree of assurance that after you toggle out of Tor, the pages are really gone and can't perform any extra network activity. Currently, there is no known way that pages can still perform activity after toggle, but these options exist as a backup measure just in case a flaw is discovered. They can also serve as a handy 'Boss Button' feature for clearing all Tor browsing off your screen in a hurry.
• Isolate access to history navigation to Tor state (crucial)
This setting prevents both Javascript and accidental user clicks from causing the session history to load pages that were fetched in a different Tor state than the current one. Since this can be used to correlate Tor and Non-Tor activity and thus determine your IP address, it is marked as a crucial setting.
• Block History Reads during Tor (crucial)
Based on code contributed by Collin Jackson, when enabled and Tor is enabled, this setting prevents the rendering engine from knowing if certain links were visited. This mechanism defeats all document-based history disclosure attacks, including CSS-only attacks.
• Block History Reads during Non-Tor (recommended)
This setting accomplishes the same but for your Non-Tor activity.
• Block History Writes during Tor (recommended)
This setting prevents the rendering engine from recording visited URLs, and also disables download manager history. Note that if you allow writing of Tor history, it is recommended that you disable non-Tor history reads, since malicious websites you visit without Tor can query your history for .onion sites and other history recorded during Tor usage (such as Google queries).
• Block History Writes during Non-Tor (optional)
This setting also disables recording any history information during Non-Tor usage.
• Clear History During Tor Toggle (optional)
This is an alternate setting to use instead of (or in addition to) blocking history reads or writes.
• Block Password+Form saving during Tor/Non-Tor
These options govern if the browser writes your passwords and search submissions to disk for the given state.
• Block Tor disk cache and clear all cache on Tor Toggle
Since the browser cache can be leveraged to store unique identifiers, cache must not persist across Tor sessions. This option keeps the memory cache active during Tor usage for performance, but blocks disk access for caching.
• Block disk and memory cache during Tor
This setting entirely blocks the cache during Tor, but preserves it for Non-Tor usage.
• Clear Cookies on Tor Toggle
Fully clears all cookies on Tor toggle.
• Store Non-Tor cookies in a protected jar
This option stores your persistent Non-Tor cookies in a special cookie jar file, in case you wish to preserve some cookies. Based on code contributed by Collin Jackson. It is compatible with third party extensions that you use to manage your Non-Tor cookies. Your Tor cookies will be cleared on toggle, of course.
• Store both Non-Tor and Tor cookies in a protected jar (dangerous)
This option stores your persistent Tor and Non-Tor cookies separate cookie jar files. Note that it is a bad idea to keep Tor cookies around for any length of time, as they can be retrieved by exit nodes that inject spoofed forms into plaintext pages you fetch.
• Manage My Own Cookies (dangerous)
This setting allows you to manage your own cookies with an alternate extension, such as CookieCuller. Note that this is particularly dangerous, since malicious exit nodes can spoof document elements that appear to be from sites you have preserved cookies for (and can then do things like fetch your entire gmail inbox, even if you were not using gmail or visiting any google pages at the time!).
• Do not write Tor/Non-Tor cookies to disk
These settings prevent Firefox from writing any cookies to disk during the corresponding Tor state. If cookie jars are enabled, those jars will exist in memory only, and will be cleared when Firefox exits.
• Disable DOM Storage during Tor usage (crucial)
Firefox has recently added the ability to store additional state and identifiers in persistent tables, called DOM Storage. Obviously this can compromise your anonymity if stored content can be fetched across Tor-state.
• Clear HTTP auth sessions (recommended)
HTTP authentication credentials can be probed by exit nodes and used to both confirm that you visit a certain site that uses HTTP auth, and also impersonate you on this site.
• Clear cookies on Tor/Non-Tor shutdown
These settings install a shutdown handler to clear cookies on Tor and/or Non-Tor browser shutdown. It is independent of your Clear Private Data settings, and does in fact clear the corresponding cookie jars.
• Prevent session store from saving Tor-loaded tabs (recommended)
This option augments the session store to prevent it from writing out Tor-loaded tabs to disk. Unfortunately, this also disables your ability to undo closed tabs. The reason why this setting is recommended is because after a session crash, your browser will be in an undefined Tor state, and can potentially load a bunch of Tor tabs without Tor. The following option is another alternative to protect against this.
• On normal startup, set state to: Tor, Non-Tor, Shutdown State
This setting allows you to choose which Tor state you want the browser to start in normally: Tor, Non-Tor, or whatever state the browser shut down in.
• On crash recovery or session restored startup, restore via: Tor, Non-Tor
When Firefox crashes, the Tor state upon restart usually is completely random, and depending on your choice for the above option, may load a bunch of tabs in the wrong state. This setting allows you to choose which state the crashed session should always be restored in to.
• Prevent session store from saving Non-Tor/Tor-loaded tabs
These two settings allow you to control what the Firefox Session Store writes to disk. Since the session store state is used to automatically load websites after a crash or upgrade, it is advisable not to allow Tor tabs to be written to disk, or they may get loaded in Non-Tor after a crash (or the reverse, depending upon the crash recovery setting, of course).
• Set user agent during Tor usage (crucial)
User agent masking is done with the idea of making all Tor users appear uniform. A recent Firefox 2.0.0.4 Windows build was chosen to mimic for this string and supporting navigator.* properties, and this version will remain the same for all TorButton versions until such time as specific incompatibility issues are demonstrated. Uniformity of this value is obviously very important to anonymity. Note that for this option to have full effectiveness, the user must also allow Hook Dangerous Javascript ensure that the navigator.* properties are reset correctly. The browser does not set some of them via the exposed user agent override preferences.
• Spoof US English Browser
This option causes Firefox to send http headers as if it were an English browser. Useful for internationalized users.
• Don't send referrer during Tor Usage
This option disables the referrer header, preventing sites from determining where you came from to visit them. This can break some sites, however. Digg in particular seemed to be broken by this. A more streamlined, less intrusive version of this option should be available eventually. In the meantime, RefControl can provide this functionality via a default option of Forge.