torproject/webwml
1
0
Fork 0
mirror of https://github.com/torproject/webwml.git synced 2025-01-31 15:13:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update Tor Browser Design Doc for 4.5.

Browse Source
This commit is contained in:
Mike Perry 2015-04-29 22:25:35 -07:00
parent 90f3880246
commit 0ab80d6a0f
1 changed files with 334 additions and 222 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

556
projects/torbrowser/design/index.html.en
View File

@ -1,9 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">November 6th, 2014</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp59720528">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp60597904">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp60632800">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp60636736">5.3. Anonymous Verification</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp60669376">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp59720528"></a>1. Introduction</h2></div></div></div><p>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Design and Implementation of the Tor Browser [DRAFT]</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /></head><body><div class="article"><div class="titlepage"><div><div><h2 class="title"><a id="design"></a>The Design and Implementation of the Tor Browser [DRAFT]</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Mike</span> <span class="surname">Perry</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:mikeperry#torproject org">mikeperry#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Erinn</span> <span class="surname">Clark</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:erinn#torproject org">erinn#torproject org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Steven</span> <span class="surname">Murdoch</span></h3><div class="affiliation"><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:sjmurdoch#torproject org">sjmurdoch#torproject org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">April 30th, 2015</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="sect1"><a href="#idp51709072">1. Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="#components">1.1. Browser Component Overview</a></span></dt></dl></dd><dt><span class="sect1"><a href="#DesignRequirements">2. Design Requirements and Philosophy</a></span></dt><dd><dl><dt><span class="sect2"><a href="#security">2.1. Security Requirements</a></span></dt><dt><span class="sect2"><a href="#privacy">2.2. Privacy Requirements</a></span></dt><dt><span class="sect2"><a href="#philosophy">2.3. Philosophy</a></span></dt></dl></dd><dt><span class="sect1"><a href="#adversary">3. Adversary Model</a></span></dt><dd><dl><dt><span class="sect2"><a href="#adversary-goals">3.1. Adversary Goals</a></span></dt><dt><span class="sect2"><a href="#adversary-positioning">3.2. Adversary Capabilities - Positioning</a></span></dt><dt><span class="sect2"><a href="#attacks">3.3. Adversary Capabilities - Attacks</a></span></dt></dl></dd><dt><span class="sect1"><a href="#Implementation">4. Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="#proxy-obedience">4.1. Proxy Obedience</a></span></dt><dt><span class="sect2"><a href="#state-separation">4.2. State Separation</a></span></dt><dt><span class="sect2"><a href="#disk-avoidance">4.3. Disk Avoidance</a></span></dt><dt><span class="sect2"><a href="#app-data-isolation">4.4. Application Data Isolation</a></span></dt><dt><span class="sect2"><a href="#identifier-linkability">4.5. Cross-Origin Identifier Unlinkability</a></span></dt><dt><span class="sect2"><a href="#fingerprinting-linkability">4.6. Cross-Origin Fingerprinting Unlinkability</a></span></dt><dt><span class="sect2"><a href="#new-identity">4.7. Long-Term Unlinkability via "New Identity" button</a></span></dt><dt><span class="sect2"><a href="#other-security">4.8. Other Security Measures</a></span></dt></dl></dd><dt><span class="sect1"><a href="#BuildSecurity">5. Build Security and Package Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="#idp54108896">5.1. Achieving Binary Reproducibility</a></span></dt><dt><span class="sect2"><a href="#idp54129600">5.2. Package Signatures and Verification</a></span></dt><dt><span class="sect2"><a href="#idp54134112">5.3. Anonymous Verification</a></span></dt><dt><span class="sect2"><a href="#update-safety">5.4. Update Safety</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Transparency">A. Towards Transparency in Navigation Tracking</a></span></dt><dd><dl><dt><span class="sect1"><a href="#deprecate">A.1. Deprecation Wishlist</a></span></dt><dt><span class="sect1"><a href="#idp54168528">A.2. Promising Standards</a></span></dt></dl></dd></dl></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp51709072"></a>1. Introduction</h2></div></div></div><p>
This document describes the <a class="link" href="#adversary" title="3. Adversary Model">adversary model</a>,
<a class="link" href="#DesignRequirements" title="2. Design Requirements and Philosophy">design requirements</a>, and <a class="link" href="#Implementation" title="4. Implementation">implementation</a> of the Tor Browser. It is current as of Tor Browser
4.5-alpha-1.
4.5.
</p><p>
@ -12,14 +12,20 @@ describe a reference implementation of a Private Browsing Mode that defends
against active network adversaries, in addition to the passive forensic local
adversary currently addressed by the major browsers.
</p><p>
For more practical information regarding Tor Browser development, please
consult the <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking" target="_top">Tor
Browser Hacking Guide</a>.
</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="components"></a>1.1. Browser Component Overview</h3></div></div></div><p>
The Tor Browser is based on <a class="ulink" href="https://www.mozilla.org/en-US/firefox/organizations/" target="_top">Mozilla's Extended
Support Release (ESR) Firefox branch</a>. We have a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git" target="_top">series of patches</a>
against this browser to enhance privacy and security. Browser behavior is
additionally augmented through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/master" target="_top">Torbutton
additionally augmented through the <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/" target="_top">Torbutton
extension</a>, though we are in the process of moving this functionality
into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/blob/refs/heads/tor-browser-31.2.0esr-4.x-1:/browser/app/profile/000-tor-browser.js" target="_top">change
into direct Firefox patches. We also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-31.6.0esr-4.5-1" target="_top">change
a number of Firefox preferences</a> from their defaults.
</p><p>
@ -33,14 +39,14 @@ Instantbird, and XULRunner.
To help protect against potential Tor Exit Node eavesdroppers, we include
<a class="ulink" href="https://www.eff.org/https-everywhere" target="_top">HTTPS-Everywhere</a>. To
provide users with optional defense-in-depth against Javascript and other
potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/" target="_top">NoScript</a>. We also modify <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/refs/heads/master:/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js" target="_top">several
potential exploit vectors, we also include <a class="ulink" href="http://noscript.net/" target="_top">NoScript</a>. We also modify <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js" target="_top">several
extension preferences</a> from their defaults.
</p><p>
To provide censorship circumvention in areas where the public Tor network is
blocked either by IP, or by protocol fingerprint, we include several <a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports" target="_top">Pluggable
Transports</a> in the distribution. As of this writing, we include <a class="ulink" href="https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/blob/HEAD:/doc/obfs3/obfs3-protocol-spec.txt" target="_top">Obfsproxy</a>,
Transports</a> in the distribution. As of this writing, we include <a class="ulink" href="https://gitweb.torproject.org/pluggable-transports/obfs4.git" target="_top">Obfs4proxy</a>,
<a class="ulink" href="https://trac.torproject.org/projects/tor/wiki/doc/meek" target="_top">meek</a>,
<a class="ulink" href="https://fteproxy.org/" target="_top">FTE</a>, and <a class="ulink" href="https://crypto.stanford.edu/flashproxy/" target="_top">FlashProxy</a>.
@ -418,8 +424,6 @@ interpreter speed</a>. In the future, new JavaScript features such as
Timing</a> may leak an unknown amount of network timing related
information.
</p></li><li class="listitem"><span class="command"><strong>Inserting Plugins</strong></span><p>
The Panopticlick project found that the mere list of installed plugins (in
@ -552,7 +556,7 @@ Proxy obedience is assured through the following:
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Firefox proxy settings, patches, and build flags
<p>
Our <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/blob/refs/heads/tor-browser-31.2.0esr-4.x-1:/browser/app/profile/000-tor-browser.js" target="_top">Firefox
Our <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-31.6.0esr-4.5-1" target="_top">Firefox
preferences file</a> sets the Firefox proxy settings to use Tor directly
as a SOCKS proxy. It sets <span class="command"><strong>network.proxy.socks_remote_dns</strong></span>,
<span class="command"><strong>network.proxy.socks_version</strong></span>,
@ -568,9 +572,9 @@ as set the pref <span class="command"><strong>media.peerconnection.enabled</stro
</p><p>
We also patch Firefox in order to provide several defense-in-depth mechanisms
for proxy safety. Notably, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/8527bec0ad59fb3d885c5639735fb188eefa336f" target="_top">patch
for proxy safety. Notably, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=8c6604d2b776f0d8e33ed9130c5f5b8cf744bac8" target="_top">patch
the DNS service</a> to prevent any browser or addon DNS resolution, and we
also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/04c046e11f6622f44ca010bcb8ecf68cf470a4c0" target="_top">patch
also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=c96c854c0eca21fed1362d1ddd164b657d351795" target="_top">patch
OCSP and PKIX code</a> to prevent any use of the non-proxied command-line
tool utility functions from being functional while linked in to the browser.
In both cases, we could find no direct paths to these routines in the browser,
@ -578,7 +582,7 @@ but it seemed better safe than sorry.
</p><p>
During every Extended Support Release transition, we perform <a class="ulink" href="https://gitweb.torproject.org/tor-browser-spec.git/tree/HEAD:/audits" target="_top">in-depth
During every Extended Support Release transition, we perform <a class="ulink" href="https://gitweb.torproject.org/tor-browser-spec.git/tree/audits" target="_top">in-depth
code audits</a> to verify that there were no system calls or XPCOM
activity in the source tree that did not use the browser proxy settings.
</p><p>
@ -590,7 +594,7 @@ geolocation queries, searchbox queries, XPCOM addon HTTPS/HTTP activity,
WebSockets, and live bookmark updates. We have also verified that IPv6
connections are not attempted, through the proxy or otherwise (Tor does not
yet support IPv6). We have also verified that external protocol helpers, such
as smb urls and other custom protocol handlers are all blocked.
as SMB URLs and other custom protocol handlers are all blocked.
</p></li><li class="listitem">Disabling plugins
@ -610,8 +614,10 @@ restricted from automatic load through Firefox's click-to-play preference
In addition, to reduce any unproxied activity by arbitrary plugins at load
time, and to reduce the fingerprintability of the installed plugin list, we
also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/2ecf6c33618ecee554155f735a3e92860f519f9c" target="_top">
prevent the load of any plugins except for Flash and Gnash</a>.
also patch the Firefox source code to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=465cb8295db58a6450dc14a593d29372cbebc71d" target="_top">
prevent the load of any plugins except for Flash and Gnash</a>. Even for
Flash and Gnash, we also patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e5531b1baa3c96dee7d8d4274791ff393bafd241" target="_top">prevent loading them into the
address space</a> until they are explicitly enabled.
</p></li><li class="listitem">External App Blocking and Drag Event Filtering
<p>
@ -619,7 +625,7 @@ prevent the load of any plugins except for Flash and Gnash</a>.
External apps can be induced to load files that perform network activity.
Unfortunately, there are cases where such apps can be launched automatically
with little to no user input. In order to prevent this, Torbutton installs a
component to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">
component to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">
provide the user with a popup</a> whenever the browser attempts to launch
a helper app.
@ -629,7 +635,7 @@ Additionally, modern desktops now pre-emptively fetch any URLs in Drag and
Drop events as soon as the drag is initiated. This download happens
independent of the browser's Tor settings, and can be triggered by something
as simple as holding the mouse button down for slightly too long while
clicking on an image link. We filter drag and drop events events <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob_plain/HEAD:/src/components/external-app-blocker.js" target="_top">from
clicking on an image link. We filter drag and drop events events <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js" target="_top">from
Torbutton</a> before the OS downloads the URLs the events contained.
</p></li><li class="listitem">Disabling system extensions and clearing the addon whitelist
@ -654,24 +660,24 @@ system-wide extensions (through the use of
disabled, which prevents Flash cookies from leaking from a pre-existing Flash
directory.
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60374176"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="disk-avoidance"></a>4.3. Disk Avoidance</h3></div></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp53861360"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
The User Agent MUST (at user option) prevent all disk records of browser activity.
The user should be able to optionally enable URL history and other history
features if they so desire.
</blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60375536"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
</blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp53862720"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
We achieve this goal through several mechanisms. First, we set the Firefox
Private Browsing preference
<span class="command"><strong>browser.privatebrowsing.autostart</strong></span>. In addition, four Firefox patches are needed to prevent disk writes, even if
Private Browsing Mode is enabled. We need to
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/4ebc3cda4b704c0149fb9e0fdcbb6e5ee3a8e75c" target="_top">prevent
the permissions manager from recording HTTPS STS state</a>, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/8904bfc10cd537bd35be5ddd23c58fdaa72baa21" target="_top">prevent
intermediate SSL certificates from being recorded</a>, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/86f6bc9dc28b6f8d7eae7974c7e9b537c3a08e41" target="_top">prevent
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=44b8ae43a83191bbf5161cbdbf399e10c1b943d0" target="_top">prevent
the permissions manager from recording HTTPS STS state</a>, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e5abcb28f131aa96e8762212573488d303b3614d" target="_top">prevent
intermediate SSL certificates from being recorded</a>, <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=ee34e122ac2929a7668314483e36e58a88c98c08" target="_top">prevent
the clipboard cache from being written to disk for large pastes</a>, and
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/d5da6f8b7de089335e49e2f7dbd2b8d74e4cb613" target="_top">prevent
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=c8e357740dd7bafa2a129007f27d2b243e36f4a2" target="_top">prevent
the content preferences service from recording site zoom</a>. We also had
to disable the media cache with the pref <span class="command"><strong>media.cache_size</strong></span>,
to prevent HTML5 videos from being written to the OS temporary directory,
@ -734,7 +740,7 @@ the url bar origin for which browser state exists, possibly with a
context-menu option to drill down into specific types of state or permissions.
An example of this simplification can be seen in Figure 1.
</p><div class="figure"><a id="idp60398240"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
</p><div class="figure"><a id="idp53885184"></a><p class="title"><strong>Figure 1. Improving the Privacy UI</strong></p><div class="figure-contents"><div class="mediaobject" align="center"><img src="NewCookieManager.png" align="middle" alt="Improving the Privacy UI" /></div><div class="caption"><p></p>
This example UI is a mock-up of how isolating identifiers to the URL bar
origin can simplify the privacy UI for all data - not just cookies. Once
@ -761,59 +767,35 @@ unlinkability trumps that desire.
</p></li><li class="listitem">Cache
<p>
Cache is isolated to the url bar origin by using a technique pioneered by
Colin Jackson et al, via their work on <a class="ulink" href="http://www.safecache.com/" target="_top">SafeCache</a>. The technique re-uses the
<a class="ulink" href="https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsICachingChannel" target="_top">nsICachingChannel.cacheKey</a>
attribute that Firefox uses internally to prevent improper caching and reuse
of HTTP POST data.
</p><p>
However, to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3666" target="_top">increase the
security of the isolation</a> and to <a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/3754" target="_top">solve conflicts
with OCSP relying the cacheKey property for reuse of POST requests</a>, we
had to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/18dfd3064aff23a402fec248aab797036a9ba615" target="_top">patch
Firefox to provide a cacheDomain cache attribute</a>. We use the fully
qualified url bar domain as input to this field, to avoid the complexities
of heuristically determining the second-level DNS name.
</p><p>
Furthermore, we chose a different
isolation scheme than the Stanford implementation. First, we decoupled the
cache isolation from the third party cookie attribute. Second, we use several
mechanisms to attempt to determine the actual location attribute of the
top-level window (to obtain the url bar FQDN) used to load the page, as
opposed to relying solely on the Referer property.
</p><p>
Therefore, <a class="ulink" href="http://crypto.stanford.edu/sameorigin/safecachetest.html" target="_top">the original
Stanford test cases</a> are expected to fail. Functionality can still be
verified by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and
viewing the key used for each cache entry. Each third party element should
have an additional "domain=string" property prepended, which will list the
FQDN that was used to source the third party element.
In Firefox, there are actually two distinct caching mechanisms: One for
general content (HTML, Javascript, CSS), and one specifically for images. The
content cache is isolated to the URL bar domain by <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=7c58be929777d386a03e1faaee648909151fd951" target="_top">altering
each cache key</a> to include an additional ID that includes the URL bar
domain. This functionality can be observed by navigating to <a class="ulink" href="about:cache" target="_top">about:cache</a> and viewing the key used for each cache
entry. Each third party element should have an additional "id=string"
property prepended, which will list the FQDN that was used to source the third
party element.
</p><p>
Additionally, because the image cache is a separate entity from the content
cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/114cd22282f8b3cd6e6a5c29de8a8c396a79acc0" target="_top">isolate
cache, we had to patch Firefox to also <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=d8b98a75fb200268c40886d876adc19e00b933bf" target="_top">isolate
this cache per url bar domain</a>.
</p></li><li class="listitem">HTTP Auth
<p>
HTTP authentication tokens are removed for third party elements using the
<a class="ulink" href="https://developer.mozilla.org/en/Setting_HTTP_request_headers#Observers" target="_top">http-on-modify-request
observer</a> to remove the Authorization headers to prevent <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
linkability between domains</a>.
HTTP Authorization headers can be used by Javascript to encode <a class="ulink" href="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html" target="_top">silent
third party tracking identifiers</a>. To prevent this, we remove HTTP
authentication tokens for third party elements through a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=b8ce4a0760759431f146c71184c89fbd5e1a27e4" target="_top">patch
to nsHTTPChannel</a>.
</p></li><li class="listitem">DOM Storage
<p>
DOM storage for third party domains MUST be isolated to the url bar origin,
to prevent linkability between sites. This functionality is provided through a
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/973468a07fb9e7d9995d01b250223a8df16d6cfd" target="_top">patch
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=97490c4a90ca1c43374486d9ec0c5593d5fe5720" target="_top">patch
to Firefox</a>.
</p></li><li class="listitem">Flash cookies
@ -830,37 +812,83 @@ We are currently <a class="ulink" href="https://trac.torproject.org/projects/tor
difficulties</a> causing Flash player to use this settings
file on Windows, so Flash remains difficult to enable.
</p></li><li class="listitem">SSL+TLS session resumption, HTTP Keep-Alive and SPDY
</p></li><li class="listitem">SSL+TLS session resumption
<p><span class="command"><strong>Design Goal:</strong></span>
TLS session resumption tickets and SSL Session IDs MUST be limited to the url
bar origin. HTTP Keep-Alive connections from a third party in one url bar
origin MUST NOT be reused for that same third party in another url bar origin.
bar origin.
</p><p><span class="command"><strong>Implementation Status:</strong></span>
We currently clear SSL Session IDs upon <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New
Identity</a>, we disable TLS Session Tickets via the Firefox Pref
<span class="command"><strong>security.enable_tls_session_tickets</strong></span>. We disable SSL Session
IDs via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/5524ae43780e4738310852cc2a0b7c5d25aa69ed" target="_top">patch
IDs via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=a01fb747d4b8b24687de538cb6a1304fe27d9d88" target="_top">patch
to Firefox</a>. To compensate for the increased round trip latency from disabling
these performance optimizations, we also enable
<a class="ulink" href="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00" target="_top">TLS
False Start</a> via the Firefox Pref
<span class="command"><strong>security.ssl.enable_false_start</strong></span>.
</p><p>
</p></li><li class="listitem">IP address, Tor Circuit, and HTTP Keep-Alive linkability
<p>
Because of the extreme performance benefits of HTTP Keep-Alive for interactive
web apps, and because of the difficulties of conveying urlbar origin
information down into the Firefox HTTP layer, as a compromise we currently
merely reduce the HTTP Keep-Alive timeout to 20 seconds (which is measured
from the last packet read on the connection) using the Firefox preference
<span class="command"><strong>network.http.keep-alive.timeout</strong></span>.
IP addresses, Tor Circuits, and HTTP connections from a third party in one URL
bar origin MUST NOT be reused for that same third party in another URL bar
origin.
</p><p>
This isolation functionality is provided by the combination of a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=b3ea705cc35b79a9ba27323cb3e32d5d004ea113" target="_top">Firefox
patch to allow SOCKS username and passwords</a>, as well as a Torbutton
component that <a class="ulink" href="" target="_top">sets
the SOCKS username and password for each request</a>. The Tor client has
logic to prevent connections with different SOCKS usernames and passwords from
using the same Tor Circuit, which provides us with IP address unlinkability.
Firefox has existing logic to ensure that connections with SOCKS proxy do not
re-use existing HTTP Keep Alive connections unless the proxy settings match.
We extended this logic to cover SOCKS username and password authentication,
providing us with HTTP Keep-Alive unlinkability.
</p></li><li class="listitem">SharedWorkers
<p>
<a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker" target="_top">SharedWorkers</a>
are a special form of Javascript Worker Threads that have a shared scope
between all threads from the same Javascript origin.
</p><p><span class="command"><strong>Design Goal:</strong></span>
SharedWorker scope MUST be isolated to the URL bar domain. A SharedWorker
launched from a third party from one URL bar domain MUST NOT have access to
the objects created by that same third party loaded under another URL bar domain.
</p><p><span class="command"><strong>Implementation Status:</strong></span>
For now, we disable SharedWorkers via the pref
<span class="command"><strong>dom.workers.sharedWorkers.enabled</strong></span>.
</p></li><li class="listitem">blob: URIs (URL.createObjectURL)
<p>
The <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>
API allows a site to load arbitrary content into a random UUID that is stored
in the user's browser, and this content can be accessed via a URL of the form
<span class="command"><strong>blob:UUID</strong></span> from any other content element anywhere on the
web. While this UUID value is neither under control of the site nor
predictable, it can still be used to tag a set of users that are of high
interest to an adversary.
</p><p>
However, because SPDY can store identifiers and has extremely long keepalive
duration, it is disabled through the Firefox preference
<span class="command"><strong>network.http.spdy.enabled</strong></span>.
URIs created with URL.createObjectURL MUST be limited in scope to the first
party URL bar domain that created them. We provide this isolation in Tor
Browser via a <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=0d67ab406bdd3cf095802cb25c081641aa1f0bcc" target="_top">direct
patch to Firefox</a>.
</p></li><li class="listitem">SPDY
<p>
Because SPDY can store identifiers, it is disabled through the
Firefox preference <span class="command"><strong>network.http.spdy.enabled</strong></span>.
</p></li><li class="listitem">Automated cross-origin redirects MUST NOT store identifiers
<p><span class="command"><strong>Design Goal:</strong></span>
@ -932,65 +960,106 @@ the best approach.
cleared by <a class="link" href="#new-identity" title="4.7. Long-Term Unlinkability via &quot;New Identity&quot; button">New Identity</a>, but we don't
defend against the creation of these cookies between <span class="command"><strong>New
Identity</strong></span> invocations.
</p></li><li class="listitem">Exit node usage
<p>
All content elements associated with a given URL bar domain (including the
main page) are given a SOCKS username and password for this domain, which
causes Tor to isolate all of these requests on their own set of Tor circuits.
</p></li></ol></div><p>
</p></li></ol></div><p>
For more details on identifier linkability bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-linkability&amp;status=!closed" target="_top">tbb-linkability tag in our bugtracker</a>
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="fingerprinting-linkability"></a>4.6. Cross-Origin Fingerprinting Unlinkability</h3></div></div></div><p>
In order to properly address the fingerprinting adversary on a technical
level, we need a metric to measure linkability of the various browser
properties beyond any stored origin-related state. <a class="ulink" href="https://panopticlick.eff.org/about.php" target="_top">The Panopticlick Project</a>
by the EFF provides us with a prototype of such a metric. The researchers
conducted a survey of volunteers who were asked to visit an experiment page
that harvested many of the above components. They then computed the Shannon
Entropy of the resulting distribution of each of several key attributes to
determine how many bits of identifying information each attribute provided.
Browser fingerprinting is the act of inspecting browser behaviors and features in
an attempt to differentiate and track individual users. Fingerprinting attacks
are typically broken up into passive and active vectors. Passive
fingerprinting makes use of any information the browser provides automatically
to a website without any specific action on the part of the website. Active
fingerprinting makes use of any information that can be extracted from the
browser by some specific website action, usually involving Javascript.
Some definitions of browser fingerprinting also include supercookies and
cookie-like identifier storage, but we deal with those issues separately in
the <a class="link" href="#identifier-linkability" title="4.5. Cross-Origin Identifier Unlinkability">preceding section on identifier
linkability</a>.
</p><p>
Unfortunately, there are limitations to the way the Panopticlick study was
conducted. Because the Panopticlick dataset is based on browser data spanning
a number of widely deployed browsers over a number of years, any
fingerprinting defenses attempted by browsers today are very likely to cause
Panopticlick to report an <span class="emphasis"><em>increase</em></span> in fingerprintability
and entropy, because those defenses will stand out in sharp contrast to
historical data. Moreover, because fingerprinting is a problem that
potentially touches every aspect of the browser, we do not believe it is
possible to solve cross-browser fingerprinting issues. We reduce the efforts
for fingerprinting resistance by only concerning ourselves with reducing the
fingerprintable differences <span class="emphasis"><em>among</em></span> Tor Browser users.
For the most part, however, we do not differentiate between passive or active
fingerprinting sources, since many active fingerprinting mechanisms are very
rapid, and can be obfuscated or disguised as legitimate functionality.
Instead, we believe fingerprinting can only be rationally addressed if we
understand where the problem comes from, what sources of issues are the most
severe, and how to study the efficacy of defenses properly.
</p><p>
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-scope"></a>Sources of Fingerprinting Issues</h4></div></div></div><p>
The unsolvable nature of the cross-browser fingerprinting problem also means
that the Panopticlick test website itself is not useful for evaluating the
actual effectiveness of our defenses, or the fingerprinting defenses of any
other web browser. We are interested in deploying an improved version of
Panopticlick that measures entropy and variance only among a specific user
agent population, but until then, intuition serves as a decent guide.
Essentially, anything that reveals custom user configuration, third party
software, highly variable hardware details, and external devices attached to
the users computer is likely to more fingerprintable than things like
operating system type and even processor speed.
All fingerprinting issues arise from one of four primary sources. In order
from most severe to least severe, these sources are:
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Fingerprinting defenses in the Tor Browser</h4></div></div></div><p>
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><span class="command"><strong>End-user Configuration Details</strong></span><p>
End-user configuration details are by far the most severe threat to
fingerprinting, as they will quickly provide enough information to uniquely
identify a user. We believe it is essential to avoid exposing platform
configuration details to website content at all costs. We also discourage
excessive fine-grained customization of Tor Browser by minimizing and
aggregating user-facing privacy and security options, as well as by
discouraging the use of additional addons. When it is necessary to expose
configuration details in the course of providing functionality, we strive to
do so only on a per-site basis via site permissions, to avoid linkability.
</p></li><li class="listitem"><span class="command"><strong>Device and Hardware Characteristics</strong></span><p>
Device and hardware characteristics can be determined three ways: they can be
reported explicitly by the browser, they can be inferred through API behavior,
or they can be extracted through statistical measurements of system
performance. We are most concerned with the cases where this information is
either directly reported or can be determined via a single use of an API or
feature, and prefer to place such APIs either behind site permissions, or
disable them entirely.
</p><p>
On the other hand, because statistical inference of system performance
requires many iterations to achieve accuracy in the face of noise and
concurrent activity, we are less concerned with this mechanism of extracting
this information. We also expect that reducing the resolution of Javascript's
time sources will significantly increase the duration of execution required to
extract accurate results, and thus make statistical approaches both
unattractive and highly noticeable due to excessive resource consumption.
</p></li><li class="listitem"><span class="command"><strong>Operating System Vendor and Version Differences</strong></span><p>
Operating system vendor and version differences permeate many different
aspects of the browser. While it is possible to address these issues with some
effort, the relative lack of diversity in operating systems causes us to
primarily focus our efforts on passive operating system fingerprinting
mechanisms at this point in time. For the purposes of protecting user
anonymity, it is not strictly essential that the operating system be
completely concealed, though we recognize that it is useful to reduce this
differentiation ability where possible, especially for cases where the
specific version of a system can be inferred.
</p></li><li class="listitem"><span class="command"><strong>Browser Vendor and Version Differences</strong></span><p>
Due to vast differences in feature set and implementation behavior even
between different versions of the same browser, browser vendor and version
differences are simply not possible to conceal in any realistic way. It
is only possible to minimize the differences among different installations of
the same browser vendor and version. We make no effort to mimic any other
major browser vendor, and in fact most of our fingerprinting defenses serve to
differentiate Tor Browser users from normal Firefox users. Because of this,
any study that lumps browser vendor and version differences in to its analysis
of the fingerprintability of a population is largely useless for evaluating
either attacks or defenses. Unfortunately, this includes popular large-scale
studies such as <a class="ulink" href="https://panopticlick.eff.org/" target="_top">Panopticlick</a> and <a class="ulink" href="https://amiunique.org/" target="_top">Am I Unique</a>.
</p></li></ol></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="fingerprinting-defenses"></a>Fingerprinting defenses in the Tor Browser</h4></div></div></div><p>
The following defenses are listed roughly in order of most severe
fingerprinting threat first. This ordering is based on the above intuition that
user configurable aspects of the computer are the most severe source of
fingerprintability, though we are in need of updated measurements to determine
this with certainty.
fingerprinting threat first. This ordering is based on the above intuition
that user configurable aspects of the computer are the most severe source of
fingerprintability, followed by device characteristics and hardware, and then
finally operating system vendor and version information.
</p><p>
Where our actual implementation differs from
an ideal solution, we separately describe our <span class="command"><strong>Design Goal</strong></span>
and our <span class="command"><strong>Implementation Status</strong></span>.
Where our actual implementation differs from an ideal solution, we separately
describe our <span class="command"><strong>Design Goal</strong></span> and our <span class="command"><strong>Implementation
Status</strong></span>.
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">Plugins
<p>
@ -1017,8 +1086,9 @@ Currently, we entirely disable all plugins in Tor Browser. However, as a
compromise due to the popularity of Flash, we allow users to re-enable Flash,
and flash objects are blocked behind a click-to-play barrier that is available
only after the user has specifically enabled plugins. Flash is the only plugin
available, the rest are <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/1ef32dcf0cc64876f5b92a583b788dc921f22c5d" target="_top">entirely
blocked from loading by a Firefox patch</a>. We also set the Firefox
available, the rest are entirely
blocked from loading by the Firefox patches mentioned in the <a class="link" href="#proxy-obedience" title="4.1. Proxy Obedience">Proxy Obedience
section</a>. We also set the Firefox
preference <span class="command"><strong>plugin.expose_full_path</strong></span> to false, to avoid
leaking plugin installation information.
@ -1041,13 +1111,12 @@ image can be used almost identically to a tracking cookie by the web server.
In some sense, the canvas can be seen as the union of many other
fingerprinting vectors. If WebGL is normalized through software rendering,
system colors were standardized, and the browser shipped a fixed collection of
fonts (see later points in this list), it might not be necessary
to create a canvas permission. However, until then, to reduce the threat from
this vector, we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/3b53f525cfb68880e676e64f13cbc0b928ae3ecf" target="_top">prompt
before returning valid image data</a> to the Canvas APIs, and for <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/fb9f463fe3a69499d6896c217786bafdf0cda62f" target="_top">access
to isPointInPath and related functions</a>. If the user hasn't previously
allowed the site in the URL bar to access Canvas image data, pure white image
data is returned to the Javascript APIs.
fonts (see later points in this list), it might not be necessary to create a
canvas permission. However, until then, to reduce the threat from this vector,
we have patched Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=6a169ef0166b268b1a27546a17b3d7470330917d" target="_top">prompt
before returning valid image data</a> to the Canvas APIs. If the user
hasn't previously allowed the site in the URL bar to access Canvas image data,
pure white image data is returned to the Javascript APIs.
</p><p>
</p></li><li class="listitem">Open TCP Port Fingerprinting
@ -1055,22 +1124,25 @@ data is returned to the Javascript APIs.
In Firefox, by using either WebSockets or XHR, it is possible for remote
content to <a class="ulink" href="http://www.andlabs.org/tools/jsrecon.html" target="_top">enumerate
the list of TCP ports open on 127.0.0.1</a>. In other browsers, this can
be accomplished by DOM events on image or script tags. This open vs filtered
vs closed port list can provide a very unique fingerprint of a machine,
because it essentially enables the detection of many different popular third
party applications and optional system services (Skype, Bitcoin, Bittorrent
and other P2P software, SSH ports, SMB and related LAN services, CUPS and
printer daemon config ports, mail servers, and so on). It is also possible to
determine when ports are closed versus filtered/blocked (and thus probe
custom firewall configuration).
the list of TCP ports open on 127.0.0.1</a>, as well as on any other
machines on the local network. In other browsers, this can be accomplished by
DOM events on image or script tags. This open vs filtered vs closed port list
can provide a very unique fingerprint of a machine, because it essentially
enables the detection of many different popular third party applications and
optional system services (Skype, Bitcoin, Bittorrent and other P2P software,
SSH ports, SMB and related LAN services, CUPS and printer daemon config ports,
mail servers, and so on). It is also possible to determine when ports are
closed versus filtered/blocked (and thus probe custom firewall configuration).
</p><p>In Tor Browser, we prevent access to
127.0.0.1/localhost by ensuring that even these requests are still sent by
Firefox to our SOCKS proxy (ie we set
</p><p>
In Tor Browser, we prevent access to 127.0.0.1/localhost by ensuring that even
these requests are still sent by Firefox to our SOCKS proxy (ie we set
<span class="command"><strong>network.proxy.no_proxies_on</strong></span> to the empty string). The local
Tor client then rejects them, since it is configured to proxy for internal IP
addresses by default.
addresses by default. Access to the local network is forbidden via the same
mechanism.
</p></li><li class="listitem">Invasive Authentication Mechanisms (NTLM and SPNEGO)
<p>
@ -1127,7 +1199,7 @@ considerably larger than the combination of the Droid, Nanum, and Lohit fonts.
In the meantime while we investigate shipping our own fonts, we disable
plugins, which prevents font name enumeration. Additionally, we limit both the
number of font queries from CSS, as well as the total number of fonts that can
be used in a document <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/d515c79ffd115b132caade7f881e5b467448964d" target="_top">with
be used in a document <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e78bc05159a79c1358fa9c64e565af9d98c141ee" target="_top">with
a Firefox patch</a>. We create two prefs,
<span class="command"><strong>browser.display.max_font_attempts</strong></span> and
<span class="command"><strong>browser.display.max_font_count</strong></span> for this purpose. Once these
@ -1170,18 +1242,22 @@ this scheme.
</p><p><span class="command"><strong>Implementation Status:</strong></span>
We automatically resize new browser windows to a 200x100 pixel multiple using
a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/tree/src/chrome/content/torbutton.js#n3361" target="_top">resize
new windows based on desktop resolution</a>. To minimize the effect of the
long tail of large monitor sizes, we also cap the the window size at 1000
pixels in each direction. Additionally, we patch
Firefox to use the client content window size <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=bd3b1ed32a9c21fdc92fc35f2ec0a41badc378d5" target="_top">for
window.screen</a>, and to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=a5648c8d80f396caf294d761cc4a9a76c0b33a9d" target="_top">report
a window.devicePixelRatio of 1.0</a>. Similarly, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=3c02858027634ffcfbd97047dfdf170c19ca29ec" target="_top">patch
DOM events to return content window relative points</a>. We also
We have implemented the above strategy using a window observer to <a class="ulink" href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/chrome/content/torbutton.js#l2960" target="_top">resize
new windows based on desktop resolution</a>. Additionally, we patch
Firefox to use the client content window size <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/8fc2421becd0ab0cfb5ebbc19af67469552202b2" target="_top">for
window.screen</a>. Similarly, we <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/81e7fc3a10d27b1d8f0832faf1685899d21f6fef" target="_top">patch
DOM events to return content window relative points</a>. We also force
We also force
popups to open in new tabs (via
<span class="command"><strong>browser.link.open_newwindow.restriction</strong></span>), to avoid
full-screen popups inferring information about the browser resolution. In
addition, we prevent auto-maximizing on browser start, and are investigating a
user-friendly way of informing users that maximized windows are detrimental
to privacy in this mode.
addition, we prevent auto-maximizing on browser start, and inform users that
maximized windows are detrimental to privacy in this mode.
</p></li><li class="listitem">Display Media information
<p>
@ -1204,10 +1280,10 @@ details such as screen orientation or type.
</p><p><span class="command"><strong>Implementation Status:</strong></span>
We patch
Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/30dc2c4290698af81ceafae9d628a34c53faabe1" target="_top">report
a fixed set of system colors to content window CSS</a>, and <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/8f6e979d30598569dea14ac6f4eef4e96543b3d7" target="_top">prevent
detection of font smoothing on Mac OS X</a>. We also always
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/09561f0e5452305b9efcb4e6169c613c8db33246" target="_top">report
Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=cf8956b4460107c5b0053c8fc574e34b0a30ec1e" target="_top">report
a fixed set of system colors to content window CSS</a>, and <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=bbc138486e0489b0d559343fa0522df4ee3b3533" target="_top">prevent
detection of font smoothing on OSX</a>. We also always
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e17d60442ab0db92664ff68d90fe7bf737374912" target="_top">report
landscape-primary</a> for the screen orientation.
</p></li><li class="listitem">WebGL
@ -1249,7 +1325,7 @@ these headers should remain identical across the population even when updated.
Firefox provides several options for controlling the browser user agent string
which we leverage. We also set similar prefs for controlling the
Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/95cd0e8071aa1fe3f4914331d4036f218007e31d" target="_top">remove
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=e9841ee41e7f3f1535be2d605084c41ee9faf6c2" target="_top">remove
content script access</a> to Components.interfaces, which <a class="ulink" href="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html" target="_top">can be
used</a> to fingerprint OS, platform, and Firefox minor version. </p></li><li class="listitem">Locale Fingerprinting
<p>
@ -1263,7 +1339,7 @@ completeness, we attempt to maintain this property.
We set the fallback character set to set to windows-1252 for all locales, via
<span class="command"><strong>intl.charset.default</strong></span>. We also patch Firefox to allow us to
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/fe42a78575df7f460fa0ac48eabb57bc8812c23e" target="_top">instruct
<a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=4545ecd6dc2ca7d10aefe36b81658547ea97b800" target="_top">instruct
the JS engine</a> to use en-US as its internal C locale for all Date, Math,
and exception handling.
@ -1320,10 +1396,12 @@ large number of people.
</p><p><span class="command"><strong>Implementation Status:</strong></span>
Currently, the only mitigation against performance fingerprinting is to
Currently, the our mitigation against performance fingerprinting is to
disable <a class="ulink" href="http://www.w3.org/TR/navigation-timing/" target="_top">Navigation
Timing</a> through the Firefox preference
<span class="command"><strong>dom.enable_performance</strong></span>.
<span class="command"><strong>dom.enable_performance</strong></span>, and to disable the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties" target="_top">Mozilla
Video Statistics</a> API extensions via the preference
<span class="command"><strong>media.video_stats.enabled</strong></span>.
</p></li><li class="listitem">Keystroke Fingerprinting
<p>
@ -1347,8 +1425,8 @@ characteristics of the operating system type may leak into content, and the
comparatively low contribution of OS to overall entropy. In particular, there
are likely to be many ways to measure the differences in widget size,
scrollbar size, and other rendered details on a page. Also, directly exported
OS routines, such as the Math library, expose differences in their
implementations due to these results.
OS routines (such as those from the standard C math library) expose
differences in their implementations through their return values.
</p><p><span class="command"><strong>Design Goal:</strong></span>
@ -1362,26 +1440,27 @@ tag on our bug tracker</a>.
</p><p><span class="command"><strong>Implementation Status:</strong></span>
At least two HTML5 features have different implementation status across the
major OS vendors: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery
API</a> and the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
Connection API</a>. We disable these APIs through the Firefox preferences
<span class="command"><strong>dom.battery.enabled</strong></span> and
<span class="command"><strong>dom.network.enabled</strong></span>.
At least three HTML5 features have different implementation status across the
major OS vendors and/or the underlying hardware: the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.battery" target="_top">Battery
API</a>, the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/DOM/window.navigator.connection" target="_top">Network
Connection API</a>, and the <a class="ulink" href="https://wiki.mozilla.org/Sensor_API" target="_top">Sensor API</a>. We disable these APIs through the Firefox preferences
<span class="command"><strong>dom.battery.enabled</strong></span>,
<span class="command"><strong>dom.network.enabled</strong></span>, and
<span class="command"><strong>device.sensors.enabled</strong></span>.
</p></li></ol></div></div><p>
</p></li></ol></div><p>
For more details on fingerprinting bugs and enhancements, see the <a class="ulink" href="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&amp;status=!closed" target="_top">tbb-fingerprinting tag in our bug tracker</a>
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
</p></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="new-identity"></a>4.7. Long-Term Unlinkability via "New Identity" button</h3></div></div></div><p>
In order to avoid long-term linkability, we provide a "New Identity" context
menu option in Torbutton. This context menu option is active if Torbutton can
read the environment variables $TOR_CONTROL_PASSWD and $TOR_CONTROL_PORT.
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60545136"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp54050880"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote">
All linkable identifiers and browser state MUST be cleared by this feature.
</blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60546384"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
</blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp54052128"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
First, Torbutton disables Javascript in all open tabs and windows by using
both the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIDocShell#Attributes" target="_top">browser.docShell.allowJavascript</a>
@ -1409,8 +1488,13 @@ After the state is cleared, we then close all remaining HTTP keep-alive
connections and then send the NEWNYM signal to the Tor control port to cause a
new circuit to be created.
</p><p>
Finally, a fresh browser window is opened, and the current browser window is
closed (this does not spawn a new Firefox process, only a new window).
closed (this does not spawn a new Firefox process, only a new window). Upon
the close of the final window, an unload handler is fired to invoke the <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIDOMWindowUtils#garbageCollect%28%29" target="_top">garbage
collector</a>, which has the effect of immediately purging any blob:UUID
URLs that were created by website content via <a class="ulink" href="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL" target="_top">URL.createObjectURL</a>.
</p></blockquote></div><div class="blockquote"><blockquote class="blockquote">
If the user chose to "protect" any cookies by using the Torbutton Cookie
Protections UI, those cookies are not cleared as part of the above.
@ -1423,45 +1507,58 @@ privacy and security issues.
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a id="security-slider"></a><span class="command"><strong>Security Slider</strong></span><p>
In order to provide vulnerability surface reduction for users that need high
security, we have implemented a "Security Slider" that essentially represents a
tradeoff between usability and security. Using metrics collected from
Mozilla's bug tracker, we analyzed the vulnerability counts of core components,
and used <a class="ulink" href="https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle" target="_top">information
security, we have implemented a "Security Slider" to allow users to make a
tradeoff between usability and security while minimizing the total number of
choices (to reduce fingerprinting). Using metrics collected from
Mozilla's bug tracker, we analyzed the vulnerability counts of core
components, and used <a class="ulink" href="https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle" target="_top">information
gathered from a study performed by iSec Partners</a> to inform which
features should be disabled at which security levels.
</p><p>
The Security Slider consists of four positions. At the lowest security level
(the default), we disable
<span class="command"><strong>gfx.font_rendering.graphite.enabled</strong></span> for Latin locales, as
well as <span class="command"><strong>gfx.font_rendering.graphite.enabled</strong></span>. At the
medium-low level, we disable most Javascript JIT and related optimizations
(<span class="command"><strong>javascript.options.ion.content</strong></span>,
<span class="command"><strong>javascript.options.typeinference</strong></span>,
<span class="command"><strong>javascript.options.asmjs</strong></span>). We also make HTML5 media
click-to-play (<span class="command"><strong>noscript.forbidMedia</strong></span>), and disable WebAudio
(<span class="command"><strong>media.webaudio.enabled</strong></span>). At the medium-high level, we
disable the baseline JIT
(<span class="command"><strong>javascript.options.baselinejit.content</strong></span>), disable
Javascript entirely all elements that are loaded when the URL bar is not
HTTPS (<span class="command"><strong>noscript.globalHttpsWhitelist</strong></span>), and fully disable
graphite font rendering for all locales
(<span class="command"><strong>gfx.font_rendering.graphite.enable</strong></span>). At the highest level,
Javascript is fully disabled (<span class="command"><strong>noscript.global</strong></span>), as well as
all non-WebM HTML5 codecs (<span class="command"><strong>media.ogg.enabled</strong></span>,
<span class="command"><strong>media.opus.enabled</strong></span>, <span class="command"><strong>media.opus.enabled</strong></span>,
<span class="command"><strong>media.DirectShow.enabled</strong></span>,
<span class="command"><strong>media.wave.enabled</strong></span>, and
<span class="command"><strong>media.apple.mp3.enabled</strong></span>).
The Security Slider consists of four positions:
</p></li><li class="listitem"><a id="traffic-fingerprinting-defenses"></a><span class="command"><strong>Website Traffic Fingerprinting Defenses</strong></span><p>
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><span class="command"><strong>Low</strong></span><p>
At this security level, the preferences are the Tor Browser defaults.
</p></li><li class="listitem"><span class="command"><strong>Medium-Low</strong></span><p>
At this security level, we disable the ION JIT
(<span class="command"><strong>javascript.options.ion.content</strong></span>), TypeInference JIT
(<span class="command"><strong>javascript.options.typeinference</strong></span>), ASM.JS
(<span class="command"><strong>javascript.options.asmjs</strong></span>), WebAudio
(<span class="command"><strong>media.webaudio.enabled</strong></span>), MathML
(<span class="command"><strong>mathml.disabled</strong></span>), block remote JAR files
(<span class="command"><strong>network.jar.block-remote-files</strong></span>), and make HTML5 audio and
video click-to-play via NoScript (<span class="command"><strong>noscript.forbidMedia</strong></span>).
</p></li><li class="listitem"><span class="command"><strong>Medium-High</strong></span><p>
This security level inherits the preferences from the Medium-Low level, and
additionally disables the baseline JIT
(<span class="command"><strong>javascript.options.baselinejit.content</strong></span>), disables graphite
font rendering (<span class="command"><strong>gfx.font_rendering.graphite.enabled</strong></span>), and
only allows Javascript to run if it is loaded over HTTPS and the URL bar is
HTTPS (by setting <span class="command"><strong>noscript.global</strong></span> to false and
<span class="command"><strong>noscript.globalHttpsWhitelist</strong></span> to true).
</p></li><li class="listitem"><span class="command"><strong>High</strong></span><p>
This security level inherits the preferences from the Medium-Low and
Medium-High levels, and additionally disables remote fonts
(<span class="command"><strong>noscript.forbidFonts</strong></span>), completely disables Javascript (by
unsetting <span class="command"><strong>noscript.globalHttpsWhitelist</strong></span>), and disables SVG
images (<span class="command"><strong>svg.in-content.enabled</strong></span>).
</p></li></ul></div></li><li class="listitem"><a id="traffic-fingerprinting-defenses"></a><span class="command"><strong>Website Traffic Fingerprinting Defenses</strong></span><p>
<a class="link" href="#website-traffic-fingerprinting">Website Traffic
Fingerprinting</a> is a statistical attack to attempt to recognize specific
encrypted website activity.
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60574784"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
</p><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp54085840"></a>Design Goal:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
We want to deploy a mechanism that reduces the accuracy of <a class="ulink" href="https://en.wikipedia.org/wiki/Feature_selection" target="_top">useful features</a> available
for classification. This mechanism would either impact the true and false
@ -1483,8 +1580,8 @@ Congestion-Sensitive BUFLO</a>. It may be also possible to <a class="ulink" href
defenses</a> such that they only use existing spare Guard bandwidth capacity in the Tor
network, making them also effectively no-overhead.
</p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp60581680"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/27ef32d509ed1c9eeb28f7affee0f9ba11773f72" target="_top">randomize
</p></blockquote></div></div><div class="sect3"><div class="titlepage"><div><div><h4 class="title"><a id="idp54092736"></a>Implementation Status:</h4></div></div></div><div class="blockquote"><blockquote class="blockquote"><p>
Currently, we patch Firefox to <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=20a59cec9886cf2575b1fd8e92b43e31ba053fbd" target="_top">randomize
pipeline order and depth</a>. Unfortunately, pipelining is very fragile.
Many sites do not support it, and even sites that advertise support for
pipelining may simply return error codes for successive requests, effectively
@ -1493,7 +1590,7 @@ off and reduce or eliminate the pipeline if this happens. These
shortcomings and fallback behaviors are the primary reason that Google
developed SPDY as opposed simply extending HTTP to improve pipelining. It
turns out that we could actually deploy exit-side proxies that allow us to
<a class="ulink" href="https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/ideas/xxx-using-spdy.txt" target="_top">use
<a class="ulink" href="https://gitweb.torproject.org/torspec.git/tree/proposals/ideas/xxx-using-spdy.txt" target="_top">use
SPDY from the client to the exit node</a>. This would make our defense not
only free, but one that actually <span class="emphasis"><em>improves</em></span> performance.
@ -1535,7 +1632,7 @@ date.
</p><p>
We also make use of the in-browser Mozilla updater, and have <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commitdiff/777695d09e3cff4c79c48839e1c9d5102b772d6f" target="_top">patched
We also make use of the in-browser Mozilla updater, and have <a class="ulink" href="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&amp;id=bcf51aae541fc28de251924ce9394224bd2b814c" target="_top">patched
the updater</a> to avoid sending OS and Kernel version information as part
of its update pings.
@ -1548,7 +1645,7 @@ contend with. For this reason, we have deployed a build system
that allows anyone to use our source code to reproduce byte-for-byte identical
binary packages to the ones that we distribute.
</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp60597904"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp54108896"></a>5.1. Achieving Binary Reproducibility</h3></div></div></div><p>
The GNU toolchain has been working on providing reproducible builds for some
time, however a large software project such as Firefox typically ends up
@ -1598,9 +1695,9 @@ The fix for this is to perform an additional sorting step on the input list
for archives, but care must be taken to instruct libc and other sorting routines
to use a fixed locale to determine lexicographic ordering, or machines with
different locale settings will produce different sort results. We chose the
'C' locale for this purpose. We created wrapper scripts for <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/build-helpers/dtar.sh" target="_top">tar</a>,
<a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/build-helpers/dzip.sh" target="_top">zip</a>,
and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/build-helpers/ddmg.sh" target="_top">DMG</a>
'C' locale for this purpose. We created wrapper scripts for <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dtar.sh" target="_top">tar</a>,
<a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/dzip.sh" target="_top">zip</a>,
and <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/ddmg.sh" target="_top">DMG</a>
to aid in reproducible archive creation.
</p></li><li class="listitem">Uninitialized memory in toolchain/archivers
@ -1609,7 +1706,7 @@ to aid in reproducible archive creation.
We ran into difficulties with both binutils and the DMG archive script using
uninitialized memory in certain data structures that ended up written to disk.
Our binutils fixes were merged upstream, but the DMG archive fix remains an
<a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/patches/libdmg.patch" target="_top">independent
<a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/patches/libdmg.patch" target="_top">independent
patch</a>.
</p></li><li class="listitem">Fine-grained timestamps and timezone leaks
@ -1618,7 +1715,7 @@ patch</a>.
The standard way of controlling timestamps in Gitian is to use libfaketime,
which hooks time-related library calls to provide a fixed timestamp. However,
due to our use of wine to run py2exe for python-based pluggable transports,
pyc timestamps had to be address with an additional <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/build-helpers/pyc-timestamp.sh" target="_top">helper
pyc timestamps had to be address with an additional <a class="ulink" href="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/pyc-timestamp.sh" target="_top">helper
script</a>. The timezone leaks were addressed by setting the
<span class="command"><strong>TZ</strong></span> environment variable to UTC in our descriptors.
@ -1665,7 +1762,7 @@ unitialized memory</a> that only appear in LXC mode, as well as
<a class="ulink" href="https://trac.torproject.org/projects/tor/ticket/12240" target="_top">oddities related to
time-based dependency tracking</a> that only appear in LXC containers.
</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp60632800"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp54129600"></a>5.2. Package Signatures and Verification</h3></div></div></div><p>
The build process produces a single sha256sums.txt file that contains a sorted
list of the SHA-256 hashes of every package produced for that build version. Each
@ -1693,13 +1790,12 @@ consensus, and encoding the package hashes in the Bitcoin blockchain.
</p><p>
At the time of this writing, we do not yet support native code signing for Mac
OS or Windows. Because these signatures are embedded in the actual packages,
and by their nature are based on non-public key material, providing native
code-signed packages while still preserving ease of reproducibility
verification has not yet been achieved.
The Windows releases are also signed by a hardware token provided by Digicert.
In order to verify package integrity, the signature must be stripped off using
the osslsigncode tool, as described on the <a class="ulink" href="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification" target="_top">Signature
Verification</a> page.
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp60636736"></a>5.3. Anonymous Verification</h3></div></div></div><p>
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="idp54134112"></a>5.3. Anonymous Verification</h3></div></div></div><p>
Due to the fact that bit-identical packages can be produced by anyone, the
security of this build system extends beyond the security of the official
@ -1718,6 +1814,22 @@ the public builders/signers, hopefully using a pseudonym or our anonymous
bug tracker account, to avoid revealing the fact that they are a build
verifier.
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a id="update-safety"></a>5.4. Update Safety</h3></div></div></div><p>
We make use of the Firefox updater in order to provide automatic updates to
users. We make use of certificate pinning to ensure that update checks
be tampered with, and we sign the individual MAR update files with an offline
signing key.
</p><p>
The Firefox updater also has code to ensure that it can reliably access the
update server to prevent availability attacks, and complains to the user of 48
hours go by without a successful response from the server. Additionally, we
use Tor's SOCKS username and password isolation to ensure that every new
request to the updater traverses a separate circuit, to avoid holdback attacks
by exit nodes.
</p></div></div><div class="appendix"><h2 class="title" style="clear: both"><a id="Transparency"></a>A. Towards Transparency in Navigation Tracking</h2><p>
The <a class="link" href="#privacy" title="2.2. Privacy Requirements">privacy properties</a> of Tor Browser are based
@ -1815,7 +1927,7 @@ possible for us to <a class="ulink" href="https://trac.torproject.org/projects/t
ourselves</a>, as they are comparatively rare and can be handled with site
permissions.
</p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp60669376"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>
</p></li></ol></div></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="idp54168528"></a>A.2. Promising Standards</h2></div></div></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><a class="ulink" href="http://web-send.org" target="_top">Web-Send Introducer</a><p>
Web-Send is a browser-based link sharing and federated login widget that is
designed to operate without relying on third-party tracking or abusing other
@ -1831,4 +1943,4 @@ not directly provide the link sharing capabilities that Web-Send does, it is a
better solution to the privacy issues associated with federated login than
Web-Send is.
</p></li></ol></div></div></div></div></body></html>
</p></li></ol></div></div></div></div></body></html>