commit 4f91198cecbcf88606820d192293655f29d88976 Author: Georg Koppen <gk@torproject.org> Date: Tue Jan 23 20:52:04 2018 +0000 Bug 21256: Update design document for 7.0.X --- design-doc/design.xml | 750 +++++++++++++++++++++++++++++--------------------- 1 file changed, 437 insertions(+), 313 deletions(-) diff --git a/design-doc/design.xml b/design-doc/design.xml index ad6d5f5..a52e7aa 100644 --- a/design-doc/design.xml +++ b/design-doc/design.xml @@ -29,7 +29,7 @@ <address><email>gk#torproject org</email></address> </affiliation> </author> - <pubdate>March 10th, 2017</pubdate> + <pubdate>January 23th, 2017</pubdate> </articleinfo> <sect1> @@ -41,7 +41,7 @@ This document describes the <link linkend="adversary">adversary model</link>, linkend="Implementation">implementation</link> <!-- and <link linkend="Packaging">packaging</link> and <link linkend="Testing">testing procedures</link> --> of the Tor Browser. It is current as of Tor Browser -6.5.1. +7.0.11. </para> <para> @@ -75,7 +75,7 @@ additionally augmented through the <ulink url="https://gitweb.torproject.org/torbutton.git/tree/">Torbutton extension</ulink>, though we are in the process of moving this functionality into direct Firefox patches. We also <ulink -url="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-45.8.0esr-6.5-2">change +url="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.5.2esr-7.0-2">change a number of Firefox preferences</ulink> from their defaults. </para> @@ -93,7 +93,7 @@ To help protect against potential Tor Exit Node eavesdroppers, we include <ulink url="https://www.eff.org/https-everywhere">HTTPS-Everywhere</ulink>. To provide users with optional defense-in-depth against JavaScript and other potential exploit vectors, we also include <ulink -url="http://noscript.net/">NoScript</ulink>. We also modify <ulink +url="https://noscript.net/">NoScript</ulink>. We also modify <ulink url="https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js">several extension preferences</ulink> from their defaults. @@ -105,7 +105,7 @@ blocked either by IP, or by protocol fingerprint, we include several <ulink url="https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports">Pluggable Transports</ulink> in the distribution. As of this writing, we include <ulink url="https://gitweb.torproject.org/pluggable-transports/obfs4.git">Obfs3proxy, -Obfs4proxy, Scramblesuit</ulink>, +Obfs4proxy</ulink>, <ulink url="https://trac.torproject.org/projects/tor/wiki/doc/meek">meek</ulink>, and <ulink url="https://fteproxy.org/">FTE</ulink>. @@ -364,7 +364,7 @@ linkability. failure of Torbutton</ulink> was the options panel. Each option that detectably alters browser behavior can be used as a fingerprinting tool. Similarly, all extensions <ulink -url="http://blog.chromium.org/2010/06/extensions-in-incognito.html">should be +url="https://blog.chromium.org/2010/06/extensions-in-incognito.html">should be disabled in the mode</ulink> except as an opt-in basis. We should not load system-wide and/or operating system provided addons or plugins. @@ -390,22 +390,22 @@ permissions can be written to disk. Otherwise, they should remain memory-only. Site-specific or filter-based addons such as <ulink url="https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/">AdBlock -Plus</ulink>, <ulink url="http://requestpolicy.com/">Request Policy</ulink>, -<ulink url="http://www.ghostery.com/about">Ghostery</ulink>, <ulink +Plus</ulink>, <ulink url="https://requestpolicy.com/">Request Policy</ulink>, +<ulink url="https://www.ghostery.com/about-ghostery/">Ghostery</ulink>, <ulink url="http://priv3.icsi.berkeley.edu/">Priv3</ulink>, and <ulink -url="http://sharemenot.cs.washington.edu/">Sharemenot</ulink> are to be +url="https://sharemenot.cs.washington.edu/">Sharemenot</ulink> are to be avoided. We believe that these addons do not add any real privacy to a proper <link linkend="Implementation">implementation</link> of the above <link linkend="privacy">privacy requirements</link>, and that development efforts -should be focused on general solutions that prevent tracking by all -third parties, rather than a list of specific URLs or hosts. +should be focused on general solutions that prevent tracking by all third +parties, rather than a list of specific URLs or hosts. </para> <para> Implementing filter-based blocking directly into the browser, such as done with <ulink -url="http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf"> +url="https://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf"> Firefox' Tracking Protection</ulink>, does not alleviate the concerns mentioned -in the previous paragraph. There is still just a list concerned with specific +in the previous paragraph. There is still just a list containing specific URLs and hosts which, in this case, are <ulink url="https://services.disconnect.me/disconnect-plaintext.json"> assembled</ulink> by <ulink url="https://disconnect.me/trackerprotection"> @@ -421,13 +421,16 @@ would be missed and sites would be wrongly blocked. </para> <para> Filter-based solutions in general can also introduce strange breakage and cause -usability nightmares. Coping with those easily leads to just <ulink +usability nightmares. For instance, there is a trend to observe that websites +start <ulink url="https://petsymposium.org/2017/papers/issue3/paper25-2017-3-source.pdf"> +detecting filer extensions and block access to content</ulink> on them. Coping +with this fallout easily leads to just <ulink url="https://github.com/mozilla-services/shavar-list-exceptions">whitelisting </ulink> -the affected domains defeating the purpose of the filter in the first place. -Filters will also fail to do their job if an adversary simply -registers a new domain or <ulink -url="http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_24.pdf"> +the affected domains, hoping that this helps, defeating the purpose of the +filter in the first place. Filters will also fail to do their job if an +adversary simply registers a new domain or <ulink +url="https://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_24.pdf"> creates a new URL path</ulink>. Worse still, the unique filter sets that each user creates or installs will provide a wealth of fingerprinting targets. </para> @@ -735,7 +738,7 @@ Also, JavaScript can be used to query the user's timezone via the url="https://www.khronos.org/registry/webgl/specs/1.0/#5.13">WebGL</ulink> can reveal information about the video card in use, and high precision timing information can be used to <ulink -url="http://w2spconf.com/2011/papers/jspriv.pdf">fingerprint the CPU and +url="https://cseweb.ucsd.edu/~hovav/dist/jspriv.pdf">fingerprint the cpu and interpreter speed</ulink>. JavaScript features such as <ulink url="https://www.w3.org/TR/resource-timing/">Resource Timing</ulink> may leak an unknown amount of network timing related information. And, moreover, @@ -758,7 +761,7 @@ fingerprintability. Additionally, plugins are capable of extracting font lists, interface addresses, and other machine information that is beyond what the browser would normally provide to content. In addition, plugins can be used to store unique identifiers that are more difficult to clear than standard -cookies. <ulink url="http://epic.org/privacy/cookies/flash.html">Flash-based +cookies. <ulink url="https://epic.org/privacy/cookies/flash.html">Flash-based cookies</ulink> fall into this category, but there are likely numerous other examples. Beyond fingerprinting, plugins are also abysmal at obeying the proxy settings of the browser. @@ -787,9 +790,9 @@ attack would take place between the user and the Guard node, or at the Guard node itself. </para> - <para> The most comprehensive study of the statistical properties of this + <para> The most comprehensive study of the statistical properties of this attack against Tor was done by <ulink -url="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf">Panchenko +url="https://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf">Panchenko et al</ulink>. Unfortunately, the publication bias in academia has encouraged the production of <ulink url="https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks">a @@ -811,7 +814,7 @@ categories to classify</ulink> while maintaining a limit on reliable feature information you can extract, you eventually run out of descriptive feature information, and either true positive accuracy goes down or the false positive rate goes up. This error is called the <ulink -url="http://www.cs.washington.edu/education/courses/csep573/98sp/lectures/lecture8/sld050.htm">bias +url="https://www.cs.washington.edu/education/courses/csep573/98sp/lectures/lecture8/sld050.htm">bias in your hypothesis space</ulink>. In fact, even for unbiased hypothesis spaces, the number of training examples required to achieve a reasonable error bound is <ulink @@ -827,7 +830,7 @@ complexity (and thus hinder a real world adversary who attempts this attack) are large numbers of dynamically generated pages, partially cached content, and also the non-web activity of the entire Tor network. This yields an effective number of "web pages" many orders of magnitude larger than even <ulink -url="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf">Panchenko's +url="https://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf">Panchenko's "Open World" scenario</ulink>, which suffered continuous near-constant decline in the true positive rate as the "Open World" size grew (see figure 4). This large level of classification complexity is further confounded by a noisy and @@ -926,7 +929,7 @@ Proxy obedience is assured through the following: <para> Our <ulink -url="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-45.8.0esr-6.5-2">Firefox +url="https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.5.2esr-7.0-2">Firefox preferences file</ulink> sets the Firefox proxy settings to use Tor directly as a SOCKS proxy. It sets <command>network.proxy.socks_remote_dns</command>, <command>network.proxy.socks_version</command>, @@ -945,12 +948,12 @@ as set the pref <command>media.peerconnection.enabled</command> to false. We also patch Firefox in order to provide several defense-in-depth mechanisms for proxy safety. Notably, we <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=177e78923b3252a7442160486ec48252a6adb77a">patch +url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=35ce9974e034c0374fb3c8e00e9eb0231c4f3378">patch the DNS service</ulink> to prevent any browser or addon DNS resolution, and we -also <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=6e17cef8f3cf61fdabf99e40d5e09a730142d6cd"> +also <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=ee28d8f27fdb1e47481987535c7da70095042ee2"> remove the DNS lookup for the profile lock signature</ulink>. Furhermore, we <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=8197f6ffe58ba167e3bca4230c5721ebcfae55de">patch +url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=ffba8d1b84431b4024d5012b326cbcb986047f27">patch OCSP and PKIX code</ulink> to prevent any use of the non-proxied command-line tool utility functions from being functional while linked in to the browser. In both cases, we could find no direct paths to these routines in the browser, @@ -960,7 +963,7 @@ but it seemed better safe than sorry. <para> -For further defense-in-depth we disabled WebIDE because it can bypass proxy +For further defense-in-depth we disable WebIDE because it can bypass proxy settings for remote debugging, and also because it downloads extensions we have not reviewed. We are doing this by setting @@ -969,30 +972,25 @@ are doing this by setting <command>devtools.webide.enabled</command>, and <command>devtools.appmanager.enabled</command> to <command>false</command>. Moreover, we removed the Roku Screen Sharing and screencaster code with a -<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id= ad4abdb2e724fec060063f460604b829c66ea08a"> +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=055bdffbef68bc8d5e8005b3c7dd2f5d99da1163"> Firefox patch</ulink> as these features can bypass proxy settings as well. </para> <para> -Shumway is removed, too, for possible proxy bypass risks. We did this by -backporting a <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=d020a4992d8d25baf7dfb5c8b308d80b47a8d312"> -number</ulink> <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=98bf6c81b22cb5e4651a5fc060182f27b26c8ee5"> -of</ulink> <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=14b723f28a6b1dd78093691013d1bf7d49dc4413">Mozilla patches</ulink>. -Further down on our road to proxy safety we <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a9e1d8eac28abb364bbfd3adabeae287751a6a8e"> -disabled the network tickler</ulink> as it has the capability to send UDP -traffic. - </para> - - <para> - -Finally, we <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=8e52265653ab223dc5af679f9f0c073b44371fa4"> -disabled mDNS support</ulink>, since mDNS uses UDP packets. We also disable +Further down on our road to proxy safety we <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=7222d02638689a64d7297b8e5c202f9c37547523"> +disable the network tickler</ulink> as it has the capability to send UDP +traffic and we <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=5bc957b4f635a659f9aecaa374972ecca7f770a8"> +disable mDNS support</ulink>, since mDNS uses UDP packets as well. We also disable Mozilla's TCPSocket by setting <command>dom.mozTCPSocket.enabled</command> to <command>false</command>. We <ulink url="https://trac.torproject.org/projects/tor/ticket/18866">intend to rip out</ulink> the TCPSocket code in the future to have an even more solid guarantee that it won't be used by accident. + </para> + <para> +Finally, we <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=55bd129f081bd37ae9e72ae32434fbb56ff4e446"> +remove</ulink> potentially unsafe Rust code. </para> <para> @@ -1017,7 +1015,7 @@ blocked. <para> Plugins, like Flash, have the ability to make arbitrary OS system calls and -<ulink url="http://decloak.net/">bypass proxy settings</ulink>. This includes +<ulink url="https://ip-check.info/">bypass proxy settings</ulink>. This includes the ability to make UDP sockets and send arbitrary data independent of the browser proxy settings. </para> @@ -1038,10 +1036,10 @@ restricted from automatic load through Firefox's click-to-play preference In addition, to reduce any unproxied activity by arbitrary plugins at load time, and to reduce the fingerprintability of the installed plugin list, we also patch the Firefox source code to <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=09883246904ce4dede9f3c4d4bb8d644aefe9d1d"> +url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=95a0100fd8ac0fdbe9f517e9b7ea86d6b77ec2c9"> prevent the load of any plugins except for Flash and Gnash</ulink>. Even for Flash and Gnash, we also patch Firefox to <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9a0d506e3655f2fdec97ee4217f354941e39b5b3"> +url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=39f5a767c0c082b1e4a001cf685a6efb31bd62c6"> prevent loading them into the address space</ulink> until they are explicitly enabled. </para> @@ -1054,14 +1052,20 @@ can't be built reproducibly or are binary blobs which we are not allowed to audit (or both). For the EME case we use the <command>--disable-eme</command> configure switch and set <command>browser.eme.ui.enabled</command>, +<command>media.gmp-eme-adobe.visible</command>, <command>media.gmp-eme-adobe.enabled</command>, +<command>media.gmp-widevinecdm.visible</command>, +<command>media.gmp-widevinecdm.enabled</command>, <command>media.eme.enabled</command>, and <command>media.eme.apiVisible</command> to <command>false</command> to indicate to the user that this feature is disabled. For GMPs in general we make sure that the external server is not even pinged for updates/downloads in the first place by setting <command>media.gmp-manager.url.override</command> to <command>data:text/plain,</command> and avoid any UI with <command> -media.gmp-provider.enabled</command> set to <command>false</command>. + media.gmp-provider.enabled</command> set to <command>false</command>. Moreover, +we disable GMP downloads via local fallback by setting +<command>media.gmp-manager.updateEnabled</command> to <command>false</command>. +To reduce our attack surface we exclude the ClearKey EME system, too. </para> </listitem> @@ -1070,11 +1074,23 @@ media.gmp-provider.enabled</command> set to <command>false</command>. External apps can be induced to load files that perform network activity. Unfortunately, there are cases where such apps can be launched automatically -with little to no user input. In order to prevent this, Torbutton installs a -component to <ulink +with little to no user input. In order to prevent this, we ship <ulink +url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=d179d8a4861199e203934ecc36dd6d8ade549dfa"> +Firefox</ulink> <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=99173c3a5f83d9ac44091a72c5570efd296dff8f">patches</ulink> and Torbutton installs a component to <ulink url="https://gitweb.torproject.org/torbutton.git/tree/src/components/external-app-blocker.js"> provide the user with a popup</ulink> whenever the browser attempts to launch -a helper app. +a helper application. + + </para> + <para> + +Furthermore, we ship a <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=d75b79f6fa920e6a1e3043005dfd50060ea70e57">patch for Linux users</ulink> that makes +sure sftp:// and smb:// URLs are not passed along to the operating system as this +can lead to proxy bypasses on systems that have GIO/GnomeVS support. And proxy +bypass risks due to file:// URLs should be mitigated for macOS and Linux users +by <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=8db44df10d1d82850e8b4cfe81ac3b5fce32a663"> +two</ulink> <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=a8e1fcc8678aa1583f73ef231c99f77cf17196d9"> +further patches</ulink>. </para> <para> @@ -1101,7 +1117,14 @@ system-level addons from the browser through the use of <command>extensions.autoDisableScopes</command>. Furthermore, we set <command>extensions.systemAddon.update.url</command> and <command> extensions.hotfix.id</command> to an empty string in order -to avoid the risk of getting extensions installed by Mozilla into Tor Browser. +to avoid the risk of getting extensions installed by Mozilla into Tor Browser, +and remove unused system extensions with a +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=4d90fcf15e328ca369751011ad0a9c0c1ba2f153"> +Firefox patch</ulink>. +In order to make it harder for users to accidentally install extensions which +Mozilla presents to them on the <emphasis>about:addons</emphasis> page, we hide +the <emphasis>Get Addons</emphasis> option on it by setting +<command>extensions.getAddons.showPane</command> to <command>false</command>. </para> </listitem> @@ -1137,40 +1160,37 @@ features if they so desire. <sect3> <title>Implementation Status:</title> <blockquote> - We are working towards this goal through several mechanisms. First, we set the Firefox Private Browsing preference - <command>browser.privatebrowsing.autostart</command>. + <command>browser.privatebrowsing.autostart</command> to <command>true</command>. We also had to disable the media cache with the pref <command>media.cache_size</command>, to prevent HTML5 videos from being written to the OS temporary directory, which happened regardless of the private browsing mode setting. - Finally, we needed to disable asm.js as it turns out that - <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=1047105">asm.js - cache entries get written to disk</ulink> in private browsing mode. This - is done by setting <command>javascript.options.asmjs</command> to - <command>false</command> (for linkability concerns with asm.js see below). - </blockquote> - <blockquote> + Finally, we set <command>security.nocertdb</command> to <command>true</command> + to make the intermediate certificate store memory-only. + </blockquote> + <blockquote> + Moreover, we prevent text leaking from the web console to the /tmp + directory with a direct <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=48b68533d113c5998d19d4e5acfb8967ba2d5f5b">Firefox patch</ulink>. + </blockquote> + <blockquote> -As an additional defense-in-depth measure, we set the following preferences: -<command></command>, +As an additional defense-in-depth measure, we set <command>browser.cache.disk.enable</command>, <command>browser.cache.offline.enable</command>, -<command>dom.indexedDB.enabled</command>, -<command>network.cookie.lifetimePolicy</command>, <command>signon.rememberSignons</command>, -<command>browser.formfill.enable</command>, -<command>browser.download.manager.retention</command>, -<command>browser.sessionstore.privacy_level</command>, -and <command>network.cookie.lifetimePolicy</command>. Many of these -preferences are likely redundant with -<command>browser.privatebrowsing.autostart</command>, but we have not done the -auditing work to ensure that yet. - - </blockquote> - <blockquote> +<command>browser.formfill.enable</command> to <command>true</command>, +<command>browser.download.manager.retention</command> to <command>1</command>, +and both <command>browser.sessionstore.privacy_level</command> and +<command>network.cookie.lifetimePolicy</command> to <command>2</command>. Many +of these preferences are likely redundant with +<command>browser.privatebrowsing.autostart</command> enabled, but we have not +done the auditing work to ensure that yet. + + </blockquote> + <blockquote> For more details on disk leak bugs and enhancements, see the <ulink url="https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&status=!closed">tbb-disk-leak tag in our bugtracker</ulink> - </blockquote> + </blockquote> </sect3> </sect2> <sect2 id="app-data-isolation"> @@ -1240,11 +1260,14 @@ form history, login values, and so on within a context menu for each site. <para> Unfortunately, many aspects of browser state can serve as identifier storage, -and no other browser vendor or standards body has invested the effort to +and no other browser vendor or standards body had invested the effort to enumerate or otherwise deal with these vectors for third party tracking. As such, we have had to enumerate and isolate these identifier sources on a -piecemeal basis. Here is the list that we have discovered and dealt with to -date: +piecemeal basis. This has gotten better lately with Mozilla stepping up and +helping us with uplifting our patches, and with contributing own ones where we +lacked proper fixes. However, we are not done yet with our unlinkability defense +as new identifier sources are still getting added to the web platform. Here is +the list that we have discovered and dealt with to date: </para> <orderedlist> @@ -1252,19 +1275,19 @@ date: <para><command>Design Goal:</command> All cookies MUST be double-keyed to the URL bar origin and third-party -origin. There exists a <ulink -url="https://bugzilla.mozilla.org/show_bug.cgi?id=565965">Mozilla bug</ulink> -that contains a prototype patch, but it lacks UI, and does not apply to modern -Firefox versions. +origin. </para> <para><command>Implementation Status:</command> -As a stopgap to satisfy our design requirement of unlinkability, we currently -entirely disable 3rd party cookies by setting -<command>network.cookie.cookieBehavior</command> to <command>1</command>. We -would prefer that third party content continue to function, but we believe the -requirement for unlinkability trumps that desire. +Double-keying cookies should just work by setting <command>privacy.firstparty.isolate +</command> to <command>true</command>. However, +<ulink url="https://trac.torproject.org/projects/tor/ticket/21905">we have not +audited that</ulink> yet and there is still the +<ulink url="https://trac.torproject.org/projects/tor/ticket/10353">UI part +missing for managing cookies in Private Browsing Mode</ulink>. We therefore +opted to keep third-party cookies disabled for now by setting +<command>network.cookie.cookieBehavior</command> to <command>1</command>. </para> </listitem> @@ -1272,94 +1295,74 @@ requirement for unlinkability trumps that desire. <para><command>Design Goal:</command> All cache entries MUST be isolated to the URL bar domain. </para> - <para><command>Implementation Status:</command> - -In Firefox, there are actually several distinct caching mechanisms: One is for -general content (HTML, JavaScript, CSS). That content cache is isolated to the -URL bar domain by <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9e88ab764b1c9c5d26a398ec6381eef88689929c">altering -each cache key</ulink> to include an additional ID that includes the URL bar -domain. This functionality can be observed by navigating to <ulink -url="about:cache">about:cache</ulink> and viewing the key used for each cache -entry. Each third party element should have an additional "string@:" -property prepended, which will list the base domain that was used to source it. - - </para> - <para> - -Additionally, there is the image cache. Because it is a separate entity from -the content cache, we had to patch Firefox to also <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=05749216781d470ab95c2d101dd28ad000d9161f">isolate -this cache per URL bar domain</ulink>. + <para><command>Implementation Status:</command> +We isolate the content and image cache to the URL bar domain by setting +<command>privacy.firstparty.isolate</command> to <command>true</command>. - </para> - <para> + </para> + <para> Furthermore there is the Cache API (CacheStorage). That one is currently not available in Tor Browser as we do not allow third party cookies and are in Private Browsing Mode by default. - </para> - <para> + </para> + <para> Finally, we have the asm.js cache. The cache entry of the sript is (among others things, like type of CPU, build ID, source characters of the asm.js module etc.) keyed <ulink url="https://blog.mozilla.org/luke/2014/01/14/asm-js-aot-compilation-and-startup-performance/">to the origin of the script</ulink>. -Lacking a good solution for binding it to the URL bar domain instead (and given -the storage of asm.js modules in Private Browsing Mode) we decided to disable -asm.js for the time being by setting <command>javascript.options.asmjs</command> to -<command>false</command>. It remains to be seen whether keying the cache entry -to the source characters of the asm.js module helps to avoid using it for -cross-origin tracking of users. We did not investigate that yet. - </para> +Lacking a good solution for binding it to the URL bar domain instead we decided +to disable asm.js for the time being by setting +<command>javascript.options.asmjs</command> to <command>false</command>. It +remains to be seen whether keying the cache entry e.g. to the source characters +of the asm.js module helps to avoid using it for cross-origin tracking of users. +We did not investigate that yet. + </para> </listitem> <listitem><command>HTTP Authentication</command> - <para> + <para> HTTP Authorization headers can be used to encode <ulink url="http://jeremiahgrossman.blogspot.com/2007/04/tracking-users-without-cookies.html">silent -third party tracking identifiers</ulink>. To prevent this, we remove HTTP -authentication tokens for third party elements through a <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=5e686c690cbc33cf3fdf984e6f3d3fe7b4d83701">patch -to nsHTTPChannel</ulink>. +third party tracking identifiers</ulink>. To prevent this, we set +<command>privacy.firstparty.isolate</command> to <command>true</command>. - </para> + </para> </listitem> <listitem><command>DOM Storage</command> - <para> + <para> DOM storage for third party domains MUST be isolated to the URL bar domain, -to prevent linkability between sites. This functionality is provided through a -<ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=20fee895321a7a18e79547e74f6739786558c0e8">patch -to Firefox</ulink>. +to prevent linkability between sites. We achieve this by setting +<command>privacy.firstparty.isolate</command> to <command>true</command>. - </para> - </listitem> + </para> + </listitem> <listitem><command>Flash cookies</command> - <para><command>Design Goal:</command> + <para><command>Design Goal:</command> Users should be able to click-to-play flash objects from trusted sites. To make this behavior unlinkable, we wish to include a settings file for all platforms that disables flash cookies using the <ulink -url="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html">Flash +url="https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html">Flash settings manager</ulink>. - </para> - <para><command>Implementation Status:</command> + </para> + <para><command>Implementation Status:</command> We are currently <ulink url="https://trac.torproject.org/projects/tor/ticket/3974">having difficulties</ulink> causing Flash player to use this settings file on Windows, so Flash remains difficult to enable. - </para> + </para> </listitem> <listitem><command>SSL+TLS session resumption</command> - <para><command>Design Goal:</command> + <para><command>Design Goal:</command> TLS session resumption tickets and SSL Session IDs MUST be limited to the URL bar domain. - </para> - <para><command>Implementation Status:</command> + </para> + <para><command>Implementation Status:</command> We disable TLS Session Tickets and SSL Session IDs by setting <command>security.ssl.disable_session_identifiers</command> to @@ -1369,21 +1372,23 @@ these performance optimizations, we also enable <ulink url="https://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00">TLS False Start</ulink> via the Firefox Pref <command>security.ssl.enable_false_start</command>. +However, URL bar domain isolation should be working both for session tickets and +session IDs but we <ulink url="https://trac.torproject.org/projects/tor/ticket/17252"> +have not verified that yet</ulink>. - </para> + </para> </listitem> <listitem><command>Tor circuit and HTTP connection linkability</command> - <para> + <para><command>Design Goal:</command> Tor circuits and HTTP connections from a third party in one URL bar origin MUST NOT be reused for that same third party in another URL bar origin. - </para> - <para> + </para> + <para><command>Implementation Status:</command> -This isolation functionality is provided by a Torbutton -component that <ulink -linkend="https://gitweb.torproject.org/torbutton.git/tree/src/components/domain-isolator.js">sets +The isolation functionality is provided by a Torbutton component that <ulink +url="https://gitweb.torproject.org/torbutton.git/tree/src/components/domain-isolator.js">sets the SOCKS username and password for each request</ulink>. The Tor client has logic to prevent connections with different SOCKS usernames and passwords from using the same Tor circuit. Firefox has existing logic to ensure that @@ -1393,30 +1398,32 @@ connections unless the proxy settings match. this logic</ulink> to cover SOCKS username and password authentication, providing us with HTTP Keep-Alive unlinkability. - </para> + </para> + <para> + +While the vast majority of web requests adheres to the circuit and connection +unlinkability requirement there are still corner cases we +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=8661822237c56d543d5c9117c8a4708c402a110f"> + need to treat separately</ulink> or that +<ulink href="https://bugs.torproject.org/22343">lack a fix altogether</ulink>. + </para> </listitem> <listitem><command>SharedWorkers</command> - <para> + <para> <ulink url="https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker">SharedWorkers</ulink> are a special form of JavaScript Worker threads that have a shared scope between -all threads from the same Javascript origin. - - </para> - <para> - -The SharedWorker scope MUST be isolated to the URL bar domain. I.e. a -SharedWorker launched from a third party from one URL bar domain MUST NOT have -access to the objects created by that same third party loaded under another URL -bar domain. This functionality is provided by a -<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=d17c11445645908086c8d0af84e970e880f586eb"> -Firefox patch</ulink>. +all threads from the same Javascript origin. They MUST be isolated to the URL +bar domain. I.e. a SharedWorker launched from a third party from one URL bar +domain MUST NOT have access to the objects created by that same third party +loaded under another URL bar domain. This functionality is provided by setting +<command>privacy.firstparty.isolate</command> to <command>true</command>. - </para> + </para> </listitem> <listitem><command>blob: URIs (URL.createObjectURL)</command> - <para> + <para> The <ulink url="https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL">URL.createObjectURL</ulink> @@ -1428,29 +1435,24 @@ predictable, it can still be used to tag a set of users that are of high interest to an adversary. </para> - <para><command>Design Goal:</command> + <para> URIs created with URL.createObjectURL MUST be limited in scope to the first -party URL bar domain that created them. - - </para> - <para><command>Implementation Status:</command> - -We provide the isolation in Tor Browser via a <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb0b7b7a9c7257140ae5683718e82f3f0884f4f">direct -patch to Firefox</ulink>. However, downloads of PDF files via the download button in the PDF viewer <ulink url="https://bugs.torproject.org/17933">are not isolated yet</ulink>. +party URL bar domain that created them. We provide the isolation in Tor +Browser by setting <command>privacy.firstparty.isolate</command> to +<command>true</command>. - </para> + </para> </listitem> <listitem><command>SPDY and HTTP/2</command> - <para><command>Design Goal:</command> + <para><command>Design Goal:</command> SPDY and HTTP/2 connections MUST be isolated to the URL bar domain. Furthermore, all associated means that could be used for cross-domain user tracking (alt-svc headers come to mind) MUST adhere to this design principle as well. - </para> - <para><command>Implementation status:</command> + </para> + <para><command>Implementation status:</command> SPDY and HTTP/2 are currently disabled by setting the Firefox preferences <command>network.http.spdy.enabled</command>, @@ -1462,10 +1464,10 @@ Firefox preferences <command>network.http.spdy.enabled</command>, <command>network.http.altsvc.enabled</command>, and <command>network.http.altsvc.oe</command> to <command>false</command>. - </para> + </para> </listitem> <listitem><command>Automated cross-origin redirects</command> - <para><command>Design Goal:</command> + <para><command>Design Goal:</command> To prevent attacks aimed at subverting the Cross-Origin Identifier Unlinkability <link linkend="privacy">privacy requirement</link>, the browser @@ -1475,34 +1477,34 @@ For example, if a user clicks on a bit.ly URL that redirects to a doubleclick.net URL that finally redirects to a cnn.com URL, only cookies from cnn.com should be retained after the redirect chain completes. - </para> - <para> + </para> + <para> Non-automated redirect chains that require user input at some step (such as federated login systems) SHOULD still allow identifiers to persist. - </para> - <para><command>Implementation status:</command> + </para> + <para><command>Implementation status:</command> There are numerous ways for the user to be redirected, and the Firefox API support to detect each of them is poor. We have a <ulink url="https://trac.torproject.org/projects/tor/ticket/3600">trac bug open</ulink> to implement what we can. - </para> + </para> </listitem> - <listitem><command>window.name</command> - <para> + <listitem><command>window.name</command> + <para> <ulink url="https://developer.mozilla.org/En/DOM/Window.name">window.name</ulink> is a magical DOM property that for some reason is allowed to retain a persistent value for the lifespan of a browser tab. It is possible to utilize this property for -<ulink url="http://www.thomasfrank.se/sessionvars.html">identifier +<ulink url="https://www.thomasfrank.se/sessionvars.html">identifier storage</ulink>. - </para> - <para> + </para> + <para> In order to eliminate non-consensual linkability but still allow for sites that utilize this property to function, we reset the window.name property of @@ -1511,10 +1513,10 @@ allows window.name to persist for the duration of a click-driven navigation session, but as soon as the user enters a new URL or navigates between HTTPS/HTTP schemes, the property is cleared. - </para> + </para> </listitem> <listitem><command>Auto form-fill</command> - <para> + <para> We disable the password saving functionality in the browser as part of our <link linkend="disk-avoidance">Disk Avoidance</link> requirement. However, @@ -1525,14 +1527,14 @@ preference to false to prevent saved values from immediately populating fields upon page load. Since JavaScript can read these values as soon as they appear, setting this preference prevents automatic linkability from stored passwords. - </para> + </para> </listitem> - <listitem><command>HSTS and HPKP supercookies</command> + <listitem><command>HSTS and HPKP supercookies</command> <para> An extreme (but not impossible) attack to mount is the creation of <ulink - url="http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html">HSTS</ulink> -<ulink url="http://www.radicalresearch.co.uk/lab/hstssupercookies/"> + url="https://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html">HSTS</ulink> +<ulink url="https://www.radicalresearch.co.uk/lab/hstssupercookies/"> supercookies</ulink>. Since HSTS effectively stores one bit of information per domain name, an adversary in possession of numerous domains can use them to construct cookies based on stored HSTS state. @@ -1560,9 +1562,8 @@ but we don't defend against the creation and usage of any of these supercookies between <command>New Identity</command> invocations. </para> - </listitem> - - <listitem><command>Broadcast Channels</command> + </listitem> + <listitem><command>Broadcast Channels</command> <para> The BroadcastChannel API allows cross-site communication within the same @@ -1572,10 +1573,8 @@ instead be isolated to the URL bar domain. </para> <para> -We provide the isolation in Tor Browser via a <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=3460a38721810b5b7e785e18f202dde20b3434e8">direct -patch to Firefox</ulink>. If we lack a window for determining the URL bar -domain (e.g. in some worker contexts) the use of broadcast channels is disabled. +We provide the isolation in Tor Browser by setting +<command>privacy.firstparty.isolate</command> to <command>true</command>. </para> </listitem> @@ -1588,30 +1587,35 @@ no cached results are available. Thus, to avoid information leaks, e.g. to exit relays, OCSP requests MUST go over the same circuit as the HTTPS request causing them and MUST therefore be isolated to the URL bar domain. The resulting cache entries MUST be bound to the URL bar domain as well. This functionality is -provided by a -<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb1568275acd4fdf61359c9b1e97c2753e7b2be">Firefox patch</ulink>. +provided by setting <command>privacy.firstparty.isolate</command> to +<command>true</command>. </para> </listitem> <listitem><command>Favicons</command> - <para> + <para><command>Design Goal:</command> When visiting a website its favicon is fetched via a request originating from the browser itself (similar to the OCSP mechanism mentioned in the previous -section). Those requests MUST be isolated to the URL bar domain. This -functionality is provided by a -<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=f29f3ff28bbc471ea209d2181770677223c394d1">Firefox patch</ulink>. +section). Those requests MUST be isolated to the URL bar domain. </para> + <para><command>Implemetation Status:</command> + +Favicon requests are isolated to the URL bar domain by setting +<command>privacy.firstparty.isolate</command> to <command>true</command>. +However, we need an additional +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=eaa22334adaf8f79544ee4318982e5f4990c1a6f">Firefox patch</ulink> +to take care of favicons in tab list menuitems. + </para> </listitem> <listitem><command>mediasource: URIs and MediaStreams</command> <para> Much like blob URLs, mediasource: URIs and MediaStreams can be used to tag users. Therefore, mediasource: URIs and MediaStreams MUST be isolated to the URL bar domain. -This functionality is part of a -<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7eb0b7b7a9c7257140ae5683718e82f3f0884f4f">Firefox patch</ulink> - +This functionality is provided by setting <command>privacy.firstparty.isolate</command> +to <command>true</command>. </para> </listitem> <listitem><command>Speculative and prefetched connections</command> @@ -1632,31 +1636,50 @@ url="https://trac.torproject.org/projects/tor/ticket/18762#comment:3"> comment rel="prefetch" attribute is still performed, however. </para> - <para><command>Design Goal:</command> + <para> All pre-loaded links and speculative connections MUST be isolated to the URL bar domain, if enabled. This includes isolating both Tor circuit use, as well as the caching and associate browser state for the prefetched resource. </para> - <para><command>Implementation Status:</command> + <para> For automatic speculative connects and rel="preconnect", we leave them disabled as per the Mozilla default for proxy settings. However, if enabled, speculative connects will be isolated to the proper first party Tor circuit by -the same mechanism as is used for HTTP Keep-alive. This is true for rel="prefetch" -requests as well. For rel="preconnect", we isolate them <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=9126303651785d02f2df0554f391fffba0b0a00e">via -this patch</ulink>. This isolation makes both preconnecting and cache warming -via rel=prefetch ineffective for links to domains other than the current URL -bar domain. For links to the same domain as the URL bar domain, the full cache -warming benefit is obtained. As an optimization, any preconnecting to domains -other than the current URL bar domain can thus be disabled (perhaps with the -exception of frames), but we do not do this. We allow these requests to -proceed, but we isolate them. +the same mechanism as is used for HTTP Keep-Alive. This is true for rel="prefetch" +requests as well. For rel="preconnect", we set <command>privacy.firstparty.isolate</command> +to <command>true</command>. This isolation makes both preconnecting and cache +warming via rel="prefetch" ineffective for links to domains other than the +current URL bar domain. For links to the same domain as the URL bar domain, +the full cache warming benefit is obtained. As an optimization, any +preconnecting to domains other than the current URL bar domain can thus be +disabled (perhaps with the exception of frames), but we do not do this. +We allow these requests to proceed, but we isolate them. </para> + </listitem> + <listitem><command>Permissions API</command> + <para> + +The Permissions API allows a website to query the status of different +permissions. Although permissions are keyed to the origin, that is not enough to +alleviate cross-linkabilility concerns: the combined permission state could work +like an identifier given more and more permissions and their state being +accessible under this API. + + </para> + <para><command>Design Goal:</command> +Permissions MUST be isolated to the URL bar domain. + + </para> + <para><command>Implementation Status:</command> + +Right now we provide a <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=14374d30767f83923561084530b54c066bb661b4">Firefox patch</ulink> that makes sure permissions are isolated to the URL bar domain. + + </para> </listitem> </orderedlist> <para> @@ -1908,10 +1931,10 @@ each interaction between a user and a site provides a different fingerprint. </para> <para> -Although <ulink url="http://research.microsoft.com/pubs/209989/tr1.pdf">some -research suggests</ulink> that randomization can be effective, so far striving -for uniformity has generally proved to be a better strategy for Tor Browser -for the following reasons: +Although <ulink url="https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr1-1.pdf"> +some research suggests</ulink> that randomization can be effective, so far +striving for uniformity has generally proved to be a better strategy for Tor +Browser for the following reasons: </para> @@ -2058,8 +2081,8 @@ available, the rest are entirely blocked from loading by the Firefox patches mentioned in the <link linkend="proxy-obedience">Proxy Obedience section</link>. We also set the Firefox -preference <command>plugin.expose_full_path</command> to false, to avoid -leaking plugin installation information. +preference <command>plugin.expose_full_path</command> to +<command>false</command>, to avoid leaking plugin installation information. </para> </listitem> @@ -2087,7 +2110,7 @@ fingerprinting vectors. If WebGL is normalized through software rendering, system colors were standardized, and the browser shipped a fixed collection of fonts (see later points in this list), it might not be necessary to create a canvas permission. However, until then, to reduce the threat from this vector, -we have patched Firefox to <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=526e6d0bc5c68d8c409cbaefc231c71973d949cc">prompt before returning valid image data</ulink> to the Canvas APIs, +we have patched Firefox to <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=196354d7951a48b4e6f5309d2a8e46962fff9d5f">prompt before returning valid image data</ulink> to the Canvas APIs, and for access to isPointInPath and related functions. Moreover, we put media streams on a canvas behind the site permission in that patch as well. If the user hasn't previously allowed the site in the URL bar to access Canvas @@ -2124,7 +2147,10 @@ Tor client then rejects them, since it is configured to proxy for internal IP addresses by default. Access to the local network is forbidden via the same mechanism. We also disable the WebRTC API as mentioned previously, since even if it were usable over Tor, it still currently provides the local IP address -and associated network information to websites. +and associated network information to websites. Additionally, we +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=13baf9df4b47bd13bb7da045048ed4339615ac03"> +rip out</ulink> the option to collect local IP addresses via the +NetworkInfoService. </para> @@ -2139,7 +2165,8 @@ aren't an attractive vector for this reason. However, because it is not clear if certain carefully-crafted error conditions in these protocols could cause them to reveal machine information and still fail silently prior to the password prompt, these authentication mechanisms should either be disabled, or -placed behind a site permission before their use. We simply disable them. +placed behind a site permission before their use. We simply disable them +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=fe465944545a76287842321175cc7713091e77b1">with a patch</ulink>. </para> </listitem> @@ -2171,7 +2198,7 @@ it via the pref <command>dom.gamepad.enabled</command>. <para> According to the Panopticlick study, fonts provide the most linkability when -they are provided as an enumerable list in file system order, via either the +they are available as an enumerable list in file system order, via either the Flash or Java plugins. However, it is still possible to use CSS and/or JavaScript to query for the existence of specific fonts. With a large enough pre-built list to query, a large amount of fingerprintable information may @@ -2198,7 +2225,8 @@ vary in detail. For Windows and macOS we use a preference, <command>font.system.whitelist</command>, to restrict fonts being used to those in the whitelist. This functionality is -provided <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=80d233db514a556d7255034ae057b138527cb2ea">by a Firefox patch</ulink>. +provided by setting <command>privacy.resistFingerprinting</command> to +<command>true</command>. The whitelist for Windows and macOS contains both a set of <ulink url="https://www.google.com/get/noto">Noto fonts</ulink> which we bundle and fonts provided by the operating system. For Linux systems we only bundle @@ -2261,12 +2289,13 @@ maximizing their windows can lead to fingerprintability under the current scheme </para> <para><command>Implementation Status:</command> -We automatically resize new browser windows to a 200x100 pixel multiple <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7b3e68bd7172d4f3feac11e74c65b06729a502b2">based -on desktop resolution</ulink> which is provided by a Firefox patch. To minimize -the effect of the long tail of large monitor sizes, we also cap the window size -at 1000 pixels in each direction. In addition to that we set -<command>privacy.resistFingerprinting</command> +We automatically resize new browser windows to a 200x100 pixel multiple based +on desktop resolution by backporting patches from +<ulink href="https://bugzilla.mozilla.org/show_bug.cgi?id=1330882">bug 1330882</ulink> +and setting <command>privacy.resistfingerprinting</command> to +<command>true</command>. To minimize the effect of the long tail of large +monitor sizes, we also cap the window size at 1000 pixels in each direction. +In addition to that we set <command>privacy.resistFingerprinting</command> to <command>true</command> to use the client content window size for window.screen, and to report a window.devicePixelRatio of 1.0. Similarly, we use that preference to return content window relative points for DOM events. @@ -2304,12 +2333,12 @@ details such as screen orientation or type. <para><command>Implementation Status:</command> We set <command>ui.use_standins_for_native_colors</command> to <command>true -</command> and provide a <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=c6be9ba561a69250c7d5926d90e0112091453643">Firefox patch</ulink> +</command> and provide a <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=9e84b962ae4e7369fcf13fdf3adb646877d48f1d">Firefox patch</ulink> to report a fixed set of system colors to content window CSS, and prevent detection of font smoothing on macOS with the help of -<command>privacy.resistFingerprinting</command>. We also always -<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=5a159c6bfa310b4339555de389ac16cf8e13b3f5"> -report landscape-primary</ulink> for the <ulink url="https://w3c.github.io/screen-orientation/">screen orientation</ulink>. +<command>privacy.resistFingerprinting</command> set to <command>true</command>. +We use the same preference, too, to always report landscape-primary for the +<ulink url="https://w3c.github.io/screen-orientation/">screen orientation</ulink>. </para> </listitem> @@ -2324,25 +2353,26 @@ fingerprinting. <para> Because of the large amount of potential fingerprinting vectors and the <ulink -url="http://www.contextis.com/resources/blog/webgl/">previously unexposed -vulnerability surface</ulink>, we deploy a similar strategy against WebGL as -for plugins. First, WebGL Canvases have click-to-play placeholders (provided -by NoScript), and do not run until authorized by the user. Second, we -obfuscate driver information by setting the Firefox preferences +url="https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/"> +previously unexposed vulnerability surface</ulink>, we deploy a similar strategy +against WebGL as for plugins. First, WebGL Canvases have click-to-play +placeholders (provided by NoScript), and do not run until authorized by the user. +Second, we obfuscate driver information by setting the Firefox preferences <command>webgl.disable-extensions</command>, <command>webgl.min_capability_mode</command>, and -<command>webgl.disable-fail-if-major-performance-caveat</command> which reduce -the information provided by the following WebGL API calls: -<command>getParameter()</command>, <command>getSupportedExtensions()</command>, -and <command>getExtension()</command>. To make the minimal WebGL mode usable we -additionally <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=7b0caa1224c3417754d688344eacc97fbbabf7d5"> +<command>webgl.disable-fail-if-major-performance-caveat</command> to +<command>true</command> which reduces the information provided by the following +WebGL API calls: <command>getParameter()</command>, +<command>getSupportedExtensions()</command>, and <command>getExtension()</command>. Furthermore, WebGL2 is disabled by setting <command>webgl.enable-webgl2</command> +to <command>false</command>. To make the minimal WebGL mode usable we +additionally <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=1acd0c7fae9121240401cf4a8f0e2b1f6fdb9827"> normalize its properties with a Firefox patch</ulink>. </para> <para> Another option for WebGL might be to use software-only rendering, using a -library such as <ulink url="http://www.mesa3d.org/">Mesa</ulink>. The use of +library such as <ulink url="https://www.mesa3d.org/">Mesa</ulink>. The use of such a library would avoid hardware-specific rendering differences. </para> @@ -2368,11 +2398,46 @@ on the application software and/or drivers a user chose to install. Web pages can not only estimate the amount of MIME types registered by checking <command>navigator.mimetypes.length</command>. Rather, they are even able to test whether particular MIME types are available which can have a non-negligible -impact on a user's fingerprint. We prevent both of these information leaks with -a direct <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=38999857761196b0b7f59f49ee93ae13f73c6149">Firefox patch</ulink>. - +impact on a user's fingerprint. We prevent both of these information leaks by +setting <command>privacy.resistfingerprinting</command> to <command>true</command>. </para> </listitem> + <listitem><command>Web Speech API</command> + <para> + +The Web Speech API consists of two parts: SpeechSynthesis (Text-to-Speech) and +SpeechRecognition (Asynchronous Speech Recognition). The latter is still +disabled in Firefox. However, the former is enabled by default and there is the +risk that <command>speechSynthesis.getVoices()</command> has access to +computer-specific speech packages making them available in an enumerable +fashion. Morevover, there are callbacks that would allow JavaScript to time how +long a phrase takes to be "uttered". To prevent both we set +<command>media.webspeech.synth.enabled</command> to <command>false</command>. + + </para> + </listitem> + + <listitem><command>Touch API</command> + <para> + +Touch events are able to reveal the absolute screen coordinates of a device +which would defeat our approach to mitigate leaking the screen size as described +above. In order to prevent that we implemented two defenses: first we disable +the Touch API by setting <command>dom.w3c_touch_events.enabled</command> to +<command>false</command>. Second, for those user that really need or want to +have this API available we patched the code to give content-window related +coordinates back. Furthermore, we made sure that the touch area described by +<command>Touch.radiusX</command>, <command>Touch.radiusY</command>, and +<command>Touch.rotationAngle</command> does not leak further information and +<command>Touch.force</command> does not reveal how much pressure a user applied +to the surface. That is achieved by a direct +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=7d9701c2b6a203b1b7a556f614858588e3e5976e"> +Firefox patch</ulink> which reports back <command>1</command> for the first two +properties and <command>0.0</command> for the two last ones. + + </para> + </listitem> + <listitem><command>System Uptime</command> <para> @@ -2404,9 +2469,9 @@ Browser user. </para> <para><command>Implementation Status:</command> -We provide <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a65b5269ff04e4fbbb3689e2adf853543804ffbf">two</ulink> -<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=383b8e7e073ea79e70f19858efe1c5fde64b99cf">Firefox patches</ulink> that -take care of spoofing <command>KeyboardEvent.code</command> and <command> +We provide <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=d6d29f155e60c63b38918c8879ee221b9c90b1f7">two</ulink> +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=789bad5fe5a7a0c2d27e1d8dd7b9a7e35de91cc8">Firefox patches</ulink> +that take care of spoofing <command>KeyboardEvent.code</command> and <command> KeyboardEvent.keyCode</command> by providing consensus (US-English-style) fake properties. This is achieved by hiding the user's use of the numpad, and any non-QWERTY US English keyboard. Characters from non-en-US languages @@ -2431,7 +2496,7 @@ Firefox provides several options for controlling the browser user agent string which we leverage. We also set similar prefs for controlling the Accept-Language and Accept-Charset headers, which we spoof to English by default. Additionally, we <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=848da9cdb2b7c09dc8ec335d687f535fc5c87a67">remove +url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=bd51d0c24d339c5135028297f5eeb591a65e99df">remove content script access</ulink> to Components.interfaces, which <ulink url="http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html">can be used</ulink> to fingerprint OS, platform, and Firefox minor version. </para> @@ -2457,12 +2522,15 @@ timing-based side channels. <para><command>Implementation Status:</command> The cleanest solution to timing-based side channels would be to get rid of them. -However, this does not seem to be trivial even considering just a +This has been <ulink url="https://acmccs.github.io/papers/p163-caoA.pdf">proposed</ulink> +in the research community. However, we remain skeptical as it does not seem to +be trivial even considering just a <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=711043">single</ulink> -<ulink url="https://cseweb.ucsd.edu/~dkohlbre/papers/subnormal.pdf">side channel</ulink>. -Thus, we rely on disabling all possible timing sources or making them -coarse-grained enough in order to render timing side channels unsuitable as a -means for fingerprinting browser users. +<ulink url="https://cseweb.ucsd.edu/~dkohlbre/papers/subnormal.pdf">side channel</ulink> +and <ulink url="https://gruss.cc/files/fantastictimers.pdf">more and more +potential side channels</ulink> are showing up. Thus, we rely on disabling all +possible timing sources or making them coarse-grained enough in order to render +timing side channels unsuitable as a means for fingerprinting browser users. </para> @@ -2471,13 +2539,16 @@ means for fingerprinting browser users. We set <command>dom.enable_user_timing</command> and <command>dom.enable_resource_timing</command> to <command>false</command> to disable these explicit timing sources. Furthermore, we clamp the resolution of -explicit clocks to 100ms <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=1febc98f7ae5dbec845567415bd5b703ee45d774">with a Firefox patch</ulink>. +explicit clocks to 100ms <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=1736ea256276546c899d712dffdae2c8d050d8a0">with two Firefox</ulink> <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=a4c6d2c07d483acfd729c7a50dd3f7b07fcba03a">patches</ulink>. This includes <command>performance.now()</command>, <command>new Date().getTime() </command>, <command>audioContext.currentTime</command>, <command> canvasStream.currentTime</command>, <command>video.currentTime</command>, <command>audio.currentTime</command>, <command>new File([], "").lastModified -</command>, and <command>new File([], "").lastModifiedDate.getTime()</command>. +</command>, <command>new File([], "").lastModifiedDate.getTime()</command>, +<command>animation.startTime</command>, <command>animation.currentTime</command>, +<command>animation.timeline.currentTime</command>, +and <command>document.timeline.currentTime</command>. </para> <para> @@ -2513,7 +2584,7 @@ out of a Tor Browser user by deploying resource:// and/or chrome:// URIs. Until this is fixed in Firefox <ulink url="https://gitweb.torproject.org/torbutton.git/tree/src/components/content-policy.js"> we filter</ulink> resource:// and chrome:// requests done by web content denying them by default. We need a whitelist of resource:// and -chrome:// URIs, though, to avoid breaking parts of Firefox. Those nearly a +chrome:// URIs, though, to avoid breaking parts of Firefox. Those more than a dozen Firefox resources do not aid in fingerprinting Tor Browser users as they are not different on the platforms and in the locales we support. @@ -2536,7 +2607,7 @@ We set the fallback character set to set to windows-1252 for all locales, via <command>javascript.use_us_english_locale</command> to <command>true</command> to instruct the JS engine to use en-US as its internal C locale for all Date, Math, and exception handling. Additionally, we provide a patch to use an -<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=0080b2d6bafcbfb8a57f54a26e53d7f74d239389"> +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=d144738fedeeb23746d7a9f16067bd985b0d59aa"> en-US label for the <command>isindex</command> HTML element</ulink> instead of letting the label leak the browser's UI locale. </para> @@ -2556,7 +2627,7 @@ All Tor Browser users MUST report the same timezone to websites. Currently, we choose UTC for this purpose, although an equally valid argument could be made for EDT/EST due to the large English-speaking population density (coupled with the fact that we spoof a US English user agent). Additionally, the Tor -software should detect if the users clock is significantly divergent from the +software should detect if the user's clock is significantly divergent from the clocks of the relays that it connects to, and use this to reset the clock values used in Tor Browser to something reasonably accurate. Alternatively, the browser can obtain this clock skew via a mechanism similar to that used in @@ -2565,10 +2636,10 @@ the browser can obtain this clock skew via a mechanism similar to that used in </para> <para><command>Implementation Status:</command> -We <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=0ee3aa4cbeb1be3301d8960d0cf3a64831ea6d1b"> +We <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=dd1ba0b5c9281ee3207e5a87991159b8d2609a11"> set the timezone to UTC</ulink> with a Firefox patch using the TZ environment variable, which is supported on all platforms. Moreover, with an additional -patch just needed for the Windows platform, <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=bdd0303a78347d17250950a4cf858de556afb1c7"> +patch just needed for the Windows platform, <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=008649e2ce0357f31eb67d874e6429c39ddd7e8f"> we make sure</ulink> the TZ environment variable is respected by the <ulink url="http://site.icu-project.org/">ICU library</ulink> as well. @@ -2577,10 +2648,10 @@ we make sure</ulink> the TZ environment variable is respected by the <listitem><command>JavaScript Performance Fingerprinting</command> <para> -<ulink url="http://w2spconf.com/2011/papers/jspriv.pdf">JavaScript performance -fingerprinting</ulink> is the act of profiling the performance -of various JavaScript functions for the purpose of fingerprinting the -JavaScript engine and the CPU. +<ulink url="https://cseweb.ucsd.edu/~hovav/dist/jspriv.pdf">JavaScript +performance fingerprinting</ulink> is the act of profiling the performance of +various JavaScript functions for the purpose of fingerprinting the JavaScript +engine and the CPU. </para> <para><command>Design Goal:</command> @@ -2594,7 +2665,7 @@ Date() object, while also introducing jitter. We believe that JavaScript time resolution may be reduced all the way up to the second before it seriously impacts site operation. Our goal with this quantization is to increase the amount of time it takes to mount a successful attack. <ulink -url="http://w2spconf.com/2011/papers/jspriv.pdf">Mowery et al</ulink> found +url="https://cseweb.ucsd.edu/~hovav/dist/jspriv.pdf">Mowery et al</ulink> found that even with the default precision in most browsers, they required up to 120 seconds of amortization and repeated trials to get stable results from their feature set. We intend to work with the research community to establish the @@ -2608,12 +2679,13 @@ large number of people. <para><command>Implementation Status:</command> Currently, our mitigation against performance fingerprinting is to -disable <ulink url="http://www.w3.org/TR/navigation-timing/">Navigation -Timing</ulink> through the Firefox preference -<command>dom.enable_performance</command>, and to disable the <ulink +disable <ulink url="https://www.w3.org/TR/navigation-timing/">Navigation +Timing</ulink> by setting the Firefox preference +<command>dom.enable_performance</command> to <command>false</command>, and to +disable the <ulink url="https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement#Gecko-specific_properties">Mozilla -Video Statistics</ulink> API extensions via the preference -<command>media.video_stats.enabled</command>. +Video Statistics</ulink> API extensions by setting the preference +<command>media.video_stats.enabled</command> to <command>false</command>, too. </para> </listitem> @@ -2633,10 +2705,53 @@ fingerprinting: timestamp quantization and jitter. <para><command>Implementation Status:</command> -We clamp keyboard event resolution to 100ms with a <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=1febc98f7ae5dbec845567415bd5b703ee45d774">Firefox patch</ulink>. +We clamp keyboard event resolution to 100ms with a <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=1736ea256276546c899d712dffdae2c8d050d8a0">Firefox patch</ulink>. </para> </listitem> + <listitem><command>Amount of Processor Cores (hardwareConcurrency)</command> + <para> + +Modern computers have multiple physical processor cores in their CPU available. +One core typically allows to run more than one thread at a time and +<command>navigator.hardwareConcurrency</command> makes the number of those +threads (i.e. logical processors) available to web content. + + </para> + <para><command>Design Goal:</command> + +Websites MUST NOT be able to fingerprint a Tor Browser user taking advantage of +the amount of logical processors available. + + </para> + <para><command>Implementation Status:</command> + +We set <command>dom.maxHardwareConcurrency</command> to <command>1</command> to +report the same amount of logical processors for everyone. However, there are +<ulink url="https://github.com/oftn/core-estimator">probablistic ways of +determining the same information available</ulink> which we are not defending +against currently. Moreover, we might even want to think about a more elaborate +approach defending against this fingerprinting technique by not making all users +uniform but rather <ulink url="https://bugs.torproject.org/22127">by following +a bucket approach</ulink> as we currently do in our defense against screen +size exfiltration. + + </para> + </listitem> + <listitem><command>MediaError.message</command> + <para> + +The <command>MediaError</command> object allows the user agent to report errors +that occurred while handling media, for instance using <command>audio</command> +or <command>video</command> elements. The <command>message</command> property +provides specific diagnostic information to help understanding the error +condition. As a defense-in-depth we make sure that no information aiding in +fingerprinting is leaking to websites that way +<command url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=ee404a8341b5ecef535bfc0cad89b1682598fb68"> +by returning just an empty string</command>. + + </para> + </listitem> <listitem><command>Connection State</command> <para> @@ -2689,7 +2804,12 @@ datareporting.healthreport.about.reportUrl</command> and the new tiles feature related <command>browser.newtabpage.directory.ping</command> and <command> browser.newtabpage.directory.source</command> preferences. Additionally, we disable the UITour backend by setting <command>browser.uitour.enabled</command> -to <command>false</command>. +to <command>false</command>. Finally, we provide <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=9f24ce35cd8776a0f7c3a4d54992ecb0eaad6311">a patch</ulink> +to prevent Mozilla's websites from querying whether particular extensions are +installed and what their state in Tor Browser is by using the +<command>window.navigator.AddonManager</command> API. As a defense-in-depth the +patch makes sure that not only Mozilla's websites can't get at that information +but that the whitelist governing this access is empty in general. </para> </listitem> <listitem><command>Operating System Type Fingerprinting</command> @@ -2711,7 +2831,7 @@ We intend to reduce or eliminate OS type fingerprinting to the best extent possible, but recognize that the effort for reward on this item is not as high as other areas. The entropy on the current OS distribution is somewhere around 2 bits, which is much lower than other vectors which can also be used to -fingerprint configuration and user-specific information. You can see the +fingerprint configuration and user-specific information. You can see the major areas of OS fingerprinting we're aware of using the <ulink url="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting-os">tbb-fingerprinting-os tag on our bug tracker</ulink>. @@ -2795,15 +2915,15 @@ After closing all tabs, we then clear the searchbox and findbox text and emit state). Then we manually clear the following state: HTTP auth, SSL state, crypto tokens, OCSP state, site-specific content preferences (including HSTS state), the undo tab history, content and image cache, offline and memory cache, -offline storage, cookies, DOM storage, the safe browsing key, the -Google wifi geolocation token (if it exists), and the domain isolator state. We -also clear NoScript's site and temporary permissions, and all other browser site -permissions. +offline storage, IndexedDB storage, asm.js cache, cookies, DOM storage, the +safe browsing key, the Google wifi geolocation token (if it exists), and the +domain isolator state. We also clear NoScript's site and temporary permissions, +and all other browser site permissions. </para> <para> -After the state is cleared, we then close all remaining HTTP keep-alive +After the state is cleared, we then close all remaining HTTP Keep-Alive connections and then send the NEWNYM signal to the Tor control port to cause a new circuit to be created. </para> @@ -2880,7 +3000,9 @@ includes three features that were formerly governed by the slider at higher security levels: <command>gfx.font_rendering.graphite.enabled</command> is set to <command>false</command> now after Mozilla got convinced that <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=1255731">leaving -it enabled is too risky</ulink>. <command>network.jar.block-remote-files</command> +it enabled is too risky</ulink>. Even though Mozilla reverted that decision +after another round of fixing critical Graphite bugs, we remain skeptical +and keep that feature disabled for now. <command>network.jar.block-remote-files</command> is set to <command>true</command>. Mozilla tried to block remote JAR files in Firefox 45 but needed to revert that decision due to breaking IBM's iNotes. While Mozilla <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=1329336"> @@ -2897,9 +3019,9 @@ Unlinkability</link> sections for further details. <para> At this security level, we disable the ION JIT -(<command>javascript.options.ion.content</command>), TypeInference JIT -(<command>javascript.options.typeinference</command>), Baseline JIT -(<command>javascript.options.baselinejit.content</command>), WebAudio +(<command>javascript.options.ion</command>), native regular expressions +(<command>javascript.options.native_regexp</command>), Baseline JIT +(<command>javascript.options.baselinejit</command>), WebAudio (<command>media.webaudio.enabled</command>), MathML (<command>mathml.disabled</command>), SVG Opentype font rendering (<command>gfx.font_rendering.opentype_svg.enabled</command>), and make HTML5 audio @@ -2949,14 +3071,14 @@ Ideally, this mechanism would be as light-weight as possible, and would be tunable in terms of overhead. We suspect that it may even be possible to deploy a mechanism that reduces feature extraction resolution without any network overhead. In the no-overhead category, we have <ulink -url="http://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf">HTTPOS</ulink> and +url="https://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf">HTTPOS</ulink> and <ulink url="https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting">better use of HTTP pipelining and/or SPDY</ulink>. In the tunable/low-overhead category, we have <ulink url="https://arxiv.org/abs/1512.00524">Adaptive -Padding</ulink> and <ulink url="http://www.cs.sunysb.edu/~xcai/fp.pdf"> +Padding</ulink> and <ulink url="https://www3.cs.stonybrook.edu/~xcai/fp.pdf"> Congestion-Sensitive BUFLO</ulink>. It may be also possible to <ulink url="https://trac.torproject.org/projects/tor/ticket/7028">tune such defenses</ulink> such that they only use existing spare Guard bandwidth capacity in the Tor @@ -2970,7 +3092,7 @@ network, making them also effectively no-overhead. <blockquote> <para> Currently, we patch Firefox to <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=60f9e7f73f3dba5542f7fbe882f7c804cb8ecc18">randomize +url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=b9fa77472aa67e26bd46a5ca889b20ce3448f9d1">randomize pipeline order and depth</ulink>. Unfortunately, pipelining is very fragile. Many sites do not support it, and even sites that advertise support for pipelining may simply return error codes for successive requests, effectively @@ -3035,7 +3157,7 @@ date. <para> We also make use of the in-browser Mozilla updater, and have <ulink -url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=a5a23f5d316a850f11063ead15353d677c9153fd">patched +url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=0efd496826cc3dfb0a6874d150e8acecd4eb6a92">patched the updater</ulink> to avoid sending OS and Kernel version information as part of its update pings. @@ -3637,16 +3759,17 @@ occurring. <listitem><command>The Referer Header</command> <para> -When leaving a .onion domain we <ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.8.0esr-6.5-2&id=09188cb14dfaa8ac22f687c978166c7bd171b576"> -set the Referer header to the destination</ulink> to avoid leaking information -which might be especially problematic in the case of transitioning from a .onion -domain to one reached over clearnet. Apart from that we haven't disabled or -restricted the Referer ourselves because of the non-trivial number of sites -that rely on the Referer header to "authenticate" image requests and deep-link -navigation on their sites. Furthermore, there seems to be no real privacy -benefit to taking this action by itself in a vacuum, because many sites have -begun encoding Referer URL information into GET parameters when they need it to -cross HTTP to HTTPS scheme transitions. Google's +1 buttons are the best +When leaving a .onion domain we set the Referer header to the destination by +<ulink url="https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52.5.2esr-7.0-2&id=021bffff111b6b93eecb5859e680d540991c20c9"> +providing a preference</ulink>, <command>network.http.referer.hideOnionSource</command>, and setting it to <command>true</command>. That avoids leaking +information which might be especially problematic in the case of transitioning +from a .onion domain to one reached over clearnet. Apart from that we haven't +disabled or restricted the Referer ourselves because of the non-trivial number +of sites that rely on the Referer header to "authenticate" image requests and +deep-link navigation on their sites. Furthermore, there seems to be no real +privacy benefit to taking this action by itself in a vacuum, because many sites +have begun encoding Referer URL information into GET parameters when they need +it to cross HTTP to HTTPS scheme transitions. Google's +1 buttons are the best example of this activity. </para> @@ -3655,9 +3778,9 @@ example of this activity. Because of the availability of these other explicit vectors, we believe the main risk of the Referer header is through inadvertent and/or covert data leakage. In fact, <ulink -url="http://www2.research.att.com/~bala/papers/wosn09.pdf">a great deal of -personal data</ulink> is inadvertently leaked to third parties through the -source URL parameters. +url="http://web2.research.att.com/export/sites/att_labs/people/Krishnamurthy_Balachander/papers/wosn09.pdf"> +a great deal of personal data</ulink> is inadvertently leaked to third parties +through the source URL parameters. </para> <para> @@ -3684,7 +3807,7 @@ attribute. url="https://developer.mozilla.org/En/DOM/Window.name">window.name</ulink> is a DOM property that for some reason is allowed to retain a persistent value for the lifespan of a browser tab. It is possible to utilize this property for -<ulink url="http://www.thomasfrank.se/sessionvars.html">identifier +<ulink url="https://www.thomasfrank.se/sessionvars.html">identifier storage</ulink> during click navigation. This is sometimes used for additional CSRF protection and federated login. </para> @@ -3723,14 +3846,15 @@ permissions. <sect1> <title>Promising Standards</title> <orderedlist> - <listitem><ulink url="http://web-send.org">Web-Send Introducer</ulink> + <listitem><ulink url="https://web.archive.org/web/20130213034335/http://web-send.org:80/">Web-Send Introducer</ulink> <para> Web-Send is a browser-based link sharing and federated login widget that is designed to operate without relying on third-party tracking or abusing other cross-origin link-click side channels. It has a compelling list of <ulink -url="http://web-send.org/features.html">privacy and security features</ulink>, -especially if used as a "Like button" replacement. +url="https://web.archive.org/web/20130213034335/http://web-send.org:80/featurs.html"> +privacy and security features</ulink>, especially if used as a "Like button" +replacement. </para> </listitem>