Hi Everyone,
We had a productive meeting yesterday about sandboxing Tor Browser. I sent a high-level summary on tor-dev@ [0]. We ended the meeting while we were discussing/considering the different criteria for how we decide which sandboxing implementation(s) we pursue [1]. This is the continuation of that topic.
Specifically, we currently have four sandboxing options under consideration (there may be more we aren't considering):
a) one standard VM on all desktop OSes running Tor Browser on Linux
b) per-OS container/virtualization solution
c) no container/VM, but sandboxing the parent and content processes using OS-specific mechanisms (dropping privs etc.)
d) a mix of all options, choosing the best per platform
With each of these mechanisms, we enumerated some criteria for evaluating them and choosing the best option for Tor Browser:
1) (in the face of a browser exploit) tracking protection
2) (no browser exploit) tracking protection
3) (in the face of a browser exploit) proxy bypass protection
4) (no browser exploit) proxy bypass protection
5) user experience
6) development effort (including time to market with improved security)
7) maintainability
8) uplift possibilities
9) installation size? (part of user experience?)
10) ability to take advantage of expected future security improvements
11) compatibility with future browser/app development plans at the Tor Project
As mentioned during the meeting, there doesn't currently exist a common set of sandboxing mechanisms across all platforms. Maybe this will exist in some years when Docker is the de facto standard run-time. Until then, we have platform-specific implementations we must use.
How should we document ranking each of the sandboxing options with the stated criteria? Would this be easier on another pad or using a spreadsheet (ethercalc)?
Thanks, Matt
[0] https://lists.torproject.org/pipermail/tor-dev/2018-July/013350.html
[1] https://pad.riseup.net/p/sandbox-07-24