diff --git a/projects/torbrowser/design/index.html.en b/projects/torbrowser/design/index.html.en index 5a9117f8..58541143 100644 --- a/projects/torbrowser/design/index.html.en +++ b/projects/torbrowser/design/index.html.en @@ -1,6 +1,6 @@ -
Table of Contents
+
Table of Contents
This document describes the adversary model, design requirements, @@ -394,6 +394,22 @@ Proxy obedience is assured through the following: SOCKS proxy. It sets network.proxy.socks_remote_dns, network.proxy.socks_version, and network.proxy.socks_port. +
+ +We have verified that these settings properly proxy HTTPS, OCSP, HTTP, FTP, +gopher (now defunct), DNS, SafeBrowsing Queries, all javascript activity, +including HTML5 audio and video objects, addon updates, wifi geolocation +queries, searchbox queries, XPCOM addon HTTPS/HTTP activity, and live bookmark +updates. We have also verified that IPv6 connections are not attempted, +through the proxy or otherwise (Tor does not yet support IPv6). We have also +verified that external protocol helpers, such as smb urls and other custom +protocol handers are all blocked. + +
+ +Numerous other third parties have also reviewed and tested the proxy settings +and have provided test cases based on their work. See in particular decloak.net. +
Plugins have the ability to make arbitrary OS system calls and bypass proxy settings. This includes @@ -428,13 +444,13 @@ launch a helper app. Tor Browser State is separated from existing browser state through use of a custom Firefox profile. Furthermore, plugins are disabled, which prevents Flash cookies from leaking from a pre-existing Flash directory. -
+
Tor Browser MUST (at user option) prevent all disk records of browser activity. The user should be able to optionally enable URL history and other history features if they so desire. Once we simplify the preferences interface, we will likely just enable Private Browsing mode by default to handle this goal. -
For now, Tor Browser blocks write access to the disk through Torbutton using several Firefox preferences. @@ -499,7 +515,7 @@ the url bar origin for which browser state exists, possibly with a context-menu option to drill down into specific types of state or permissions. An example of this simplification can be seen in Figure 1. -Figure 1. Improving the Privacy UI
+Figure 1. Improving the Privacy UI
On the left is the standard Firefox cookie manager. On the right is a mock-up of how isolating identifiers to the URL bar origin might simplify the privacy @@ -522,7 +538,7 @@ Firefoxes. As a stopgap to satisfy our design requirement of unlinkability, we currently entirely disable 3rd party cookies by setting network.cookie.cookieBehavior to 1. We would prefer that -third party content continue to function , but we believe the requirement for +third party content continue to function, but we believe the requirement for unlinkability trumps that desire.Cache @@ -609,10 +625,12 @@ not be reused for that same third party in another url bar origin. Implementation Status: -We plan to -disable TLS session resumption, and limit HTTP Keep-alive duration. We -currently clear TLS Session IDs upon New -Identity. +We currently clear TLS Session IDs upon New +Identity, but we have no origin restriction implementation as of yet. +We plan to disable TLS session +resumption, and limit HTTP Keep-alive duration as stopgaps to limit +linkability until we can implement true origin +isolation (the latter we feel will be fairly tricky).
User confirmation for cross-origin redirects Design Goal: @@ -921,11 +939,11 @@ Currently we simply disable WebGL.
In order to avoid long-term linkability, we provide a "New Identity" context menu option in Torbutton. -
+First, Torbutton disables all open tabs and windows via nsIContentPolicy blocking, and then closes each tab and window. The extra step for blocking @@ -1024,7 +1042,7 @@ ruin our day, and censorship filters). Hence we rolled our own. This patch prevents random URLs from being inserted into content-prefs.sqllite in the profile directory as content prefs change (includes site-zoom and perhaps other site prefs?). -
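Review bot: in the paragraph added at the @@ -394 hunk, "custom protocol handers" should be "handlers", and the verification claims are asserted without saying how they were checked. Since readers will rely on exactly this list (HTTPS, OCSP, HTTP, FTP, DNS, SafeBrowsing, geolocation, addon updates, IPv6 not attempted, external protocol helpers blocked), suggest stating the method used and the Firefox/Tor Browser version it was verified against, and making "decloak.net" in the following paragraph an actual link so the third-party test cases it refers to are reachable. The parenthetical "Tor does not yet support IPv6" will go stale; tie it to a tor version or phrase it as "at the time of writing". Minor: "javascript" should be "JavaScript" and "wifi" should be "Wi-Fi" for consistency with the rest of the document.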
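Review bot: "(the latter we feel will be fairly tricky)" in the @@ -609 hunk is ambiguous: grammatically "the latter" refers to limiting HTTP Keep-alive duration, but the sentence reads as if origin isolation is the hard part. Suggest "until we can implement true origin isolation, which we expect to be fairly tricky". In the same paragraph, it would help to say whether clearing "TLS Session IDs" on New Identity covers only the session ID cache or also stateless session tickets, since resumption via either mechanism is linkable and the plan to disable session resumption presumably needs to cover both.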
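Review bot: the context line in the @@ -1024 hunk misspells the file name as "content-prefs.sqllite"; since this change already touches the end of that paragraph, fix it to "content-prefs.sqlite" in the same commit.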