Hello all,
I've finally updated the design doc to cover TBB 4.0: https://www.torproject.org/projects/torbrowser/design/
In particular, the fingerprinting section saw substantial updates: https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkab...
I also added a build security section that could probably use more links and more details: https://www.torproject.org/projects/torbrowser/design/#BuildSecurity
Feedback welcome! Patches are even more welcomer! ;)
The source repo lives at: https://gitweb.torproject.org/tor-browser-spec.git/tree/refs/heads/master:/d...
On 30 October 2014 00:10, Mike Perry mikeperry@torproject.org wrote:
Feedback welcome!
I found the following dead links to patches:
- DOM storage for third party domains MUST be isolated to the url bar origin, to prevent linkability between sites. This functionality is provided through a patch to Firefox.
- We disable SSL Session IDs via a patch to Firefox.
- Additionally, we limit both the number of font queries from CSS, as well as the total number of fonts that can be used in a document with a Firefox patch.
- Currently, we patch Firefox to randomize pipeline order and depth.
Also, decloak.net seems to be dead?
In "History records and other on-disk information" I think extracting unique identifiers about the user's hardware would be worth mentioning (seeing as it actually happened.) MAC address, hostname, etc.
I think a couple of other promising standards are FIDO, and the referrer policy in CSP 2.0 (http://www.w3.org/TR/CSP11/) but I understand if you don't want to try and read a whole bunch about them to figure out if you think they're promising or not.
-tom
In chronological order:
1) s/InstantBird/Instantbird/
2) s/Because fingerprinting is problem/Because fingerprinting is a problem/
3) "Similarly, we prioritize issues that differentiate only MacOS, Windows, and Linux lower"
Might be good to link to the OS type fingerprinting section here. Otherwise one might be confused about what that "Similarly" refers to. That we do not believe OS fingerprinting is solvable (similar to cross-browser fingerprinting)? If so, why are we just prioritizing it lower than other things and not giving up on fixing these problems in the first place? etc.
4) s/provide which provide coverage for the all/provide coverage for the/
5) Monitor and Desktop resolution/CSS Media Queries section
Talking only about Monitor/Desktop resolution in one section is fine, but then the first paragraph should only contain those fingerprinting vectors relevant to it (screen orientation and other desktop features are not mentioned in the Design Goal/Implementation Status parts).
I think talking about a certain technique used for extracting fingerprinting information (CSS Media Queries) is a bit cumbersome given that there is no specific Javascript section but only sections about different fingerprinting vectors (leaving the means of exploiting them either opaque or mentioning Javascript/CSS). Moreover, screen orientation does not fit there as it can get queried by Javascript as well. Thus, instead of focusing on CSS as a technique a better approach might be to point to the remaining vectors related to the screen like its orientation, system colors exposed etc. and see this section as a complement to the Monitor/Screen/Desktop resolution one.
6) The tlsdate link points to the Tor Browser design document (s/linkend/url).
7) s/of the Operating System/of the operating system/
8) "We have no defenses deployed that address OS type fingerprinting, but nothing else." <- not sure what you mean here
9) s/linkability bugs and enhancements, see the tbb-fingerprinting/fingerprintability bugs and enhancements, see the tbb-fingerprinting/
10) We clear site permissions as well on New Identity (see commit 2418d8693fc6bd4b4a18aeb14cf39fd9cb660cf8). Mentioning "DOM local storage" and "DOM Storage" might be confusing. Maybe we should rename the former to "Offline application cache" as these are different beasts.
11) s/For Mac OS, we use toolchain4/For Mac OS, we use crosstools-ng/
12) libfaketime we use in Tor Browser 4.0 has no spoofing issues anymore wrt the fine-grained timestamps
13) There are more LXC related leaks worth mentioning, see #12237 and child tickets
14) s/contains a sorted list the SHA-256/contains a sorted list of the SHA-256/
Georg
Ok. After thinking about it a bit more, here is additional feedback:
15) In 4.6.10 we might want to mention our #13027 backport.
16) There are some links pointing still to the maint-2.4 patches. We should replace them with links to the current ones.
Georg
Georg Koppen:
Ok. After thinking about it a bit more, here is additional feedback:
- In 4.6.10 we might want to mention our #13027 backport.
I believe I've fixed all of Tom's and your comments in the latest update (and also added 4.5-alpha-1 material too), except for this one. I think it is a distracting implementation detail, especially since Mozilla has already committed the fix for future versions. Other browsers are unlikely to hit this same bug, and may also have different bugs related to directly JS-exposed OS and arch info.
Mike Perry:
Georg Koppen:
Ok. After thinking about it a bit more, here is additional feedback:
- In 4.6.10 we might want to mention our #13027 backport.
I believe I've fixed all of Tom's and your comments in the latest update (and also added 4.5-alpha-1 material too), except for this one. I think it is a distracting implementation detail, especially since Mozilla has already committed the fix for future versions. Other browsers are unlikely to hit this same bug, and may also have different bugs related to directly JS-exposed OS and arch info.
Good points. Nits after looking at your recent changes:
1) s/is likely to more fingerprintable/is likely to be more fingerprintable/
2) s/If WebGL is normalized/If WebGL were normalized/ <- still irrealis as the other things you mention, no? :)
3) s/poverage for the all languages/coverage for all the languages/
4) We disable "gfx.font_rendering.opentype_svg.enabled" on the low level of the security slider.
5) s/disable Javascript entirely all elements/disable Javascript entirely for all elements/
6) s/pyc timestamps had to be address/pyc timestamps had to be addressed/
Looks good! (Good hint at CSP 2.0 for the Referer)
Georg