Thus spake Georg Koppen (g.koppen@jondos.de):
Can you provide specific concerns about facebook wrt the properties from the blog post?
Not yet, no. I am not a Facebook user and therefore have to look at research papers investigating it. And the things I read e.g. in http://www.research.att.com/~bala/papers/w2sp11.pdf or in http://www.research.att.com/~bala/papers/wosn09.pdf do not seem to break the idea proposed in the blog post. But again, there is research to be done here, I guess. Redirects (you mentioned them already) could pose a serious threat to the approach in the blog post, though (systems like Phorm http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf come to my mind).
Wrt redirects: https://trac.torproject.org/projects/tor/ticket/3600
What do you have in mind in terms of stricter controls?
Hmmm... Dunno what you mean here.
What changes to the design might you propose?
There are basically two points to be mentioned here IMO:
- Having tab (window) isolation additionally (see my comments below)
and
- Having some means to break the linkage between the same domain called more than once in a tab. That would be the best I can imagine and would help against attacks using redirects as well, but is hard to get right. E.g. one would have to give the user means to fine-tune the default setting to their needs without ending up in a UI nightmare. And there are probably numerous other pitfalls lurking here... We have already done some basic research (we supervised a BA thesis investigating this concerning cookies), but there is still a lot to do. But yes, I would like to have that feature and invest some energy to investigate whether one can get it right in a meaningful way.
Yeah, the issue I see with both this and tab isolation is that it seems like it will be difficult to teach users who are used to being able to log into their gmail/etc that they have to keep doing this if they use a different tab, or try to open pieces of the interface in new tabs/windows... A non-trivial number of expert users may also like to have multiple windows open to the same site for live updates from the same service (which in some cases may prevent multiple concurrent logins).
More broadly, perhaps there is some balance of per-tab isolation and origin isolation that is easily achievable in Firefox?
I hope so (at least if we had a Firefox fork that would not be much of a problem anymore). The Multifox Add-On (http://br.mozdev.org/multifox/all.html) claims to have implemented per-tab identities and I have looked at it superficially. It is quite promising and deserves a thorough test.
This is very interesting. If you get around to evaluating it, let me know. I am still concerned about the usability approach, but if this dropdown menu is smart enough, maybe it can work out. (If the download wasn't http-only I would have installed it already).
Regarding the research grant: I already wrote pde and asked him whether he has some interesting stuff that we should try to incorporate into the application. If you (Mike) have something, don't hesitate and drop me a mail. We still have the opportunity to move the things we already have a bit around to get something we overlooked into our proposal (the deadline is end of July). The topic is investigating and solving issues regarding an anonymous browser (profile) and developing one that is resilient to e.g. different fingerprinting attacks and tracking means in general.
Funding for user studies and breakage studies would be top of the list for me, esp if we're talking about tab-isolation, and browser/user behavior changes.
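The thread above argues about three cookie-partitioning designs (a single global jar, first-party/origin isolation, and additional per-tab isolation) and about two of their consequences: redirect chains can re-link visits that origin isolation was meant to separate, and tab isolation breaks the "log in once, open in another tab" habit. The following toy model, added here as an illustration and not code from either participant, Torbutton, Multifox or JonDoFox, makes those consequences concrete. The host names, the policy names and the `Browser` class are constructed for the example; a real browser's cookie jar is of course far more involved.

```python
"""Toy model of cookie storage under three partitioning policies.

Constructed example: host names, policy names and the Browser API are
assumptions made for this illustration, not any real browser's design.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Browser:
    # "global": one jar per host (classic browser behaviour).
    # "first_party": jar keyed by (top-level site, host), i.e. origin isolation.
    # "tab_first_party": additionally keyed by tab, i.e. tab isolation on top.
    policy: str
    _jars: dict = field(default_factory=dict)
    _ids: count = field(default_factory=count)

    def _key(self, tab, first_party, host):
        if self.policy == "global":
            return (host,)
        if self.policy == "first_party":
            return (first_party, host)
        if self.policy == "tab_first_party":
            return (tab, first_party, host)
        raise ValueError(f"unknown policy {self.policy!r}")

    def request(self, tab, first_party, host):
        """One request from `tab`, whose top-level document is `first_party`,
        to `host`. Returns the identifier cookie `host` sees in this partition,
        minting a fresh one on first contact (a tracker setting an ID cookie)."""
        key = self._key(tab, first_party, host)
        if key not in self._jars:
            self._jars[key] = f"id{next(self._ids)}"
        return self._jars[key]

    def visit(self, tab, page, embeds=()):
        """Top-level navigation to `page` that embeds third-party resources
        from `embeds`. Returns {host: cookie that host saw}."""
        seen = {page: self.request(tab, page, page)}
        for host in embeds:
            seen[host] = self.request(tab, page, host)
        return seen

    def redirect_chain(self, tab, hops):
        """Top-level navigation bouncing through each host in `hops`. Every hop
        is briefly the first party, so it reads/sets its *own* first-party
        cookie: this is the redirect concern raised in the thread."""
        return {host: self.request(tab, host, host) for host in hops}


def tracker_can_link(policy, via_redirect=False, tabs=(1, 2)):
    """Does tracker.example observe the same cookie when the user reads
    news.example and later shop.example (in the given tabs)?"""
    b = Browser(policy)
    t1, t2 = tabs
    if via_redirect:
        first = b.redirect_chain(t1, ("news.example", "tracker.example"))
        second = b.redirect_chain(t2, ("shop.example", "tracker.example"))
    else:
        first = b.visit(t1, "news.example", embeds=("tracker.example",))
        second = b.visit(t2, "shop.example", embeds=("tracker.example",))
    return first["tracker.example"] == second["tracker.example"]


def session_carries_over(policy):
    """Usability side: after logging into mail.example in tab 1, does the same
    session cookie show up when mail.example is opened in tab 2?"""
    b = Browser(policy)
    first = b.visit(1, "mail.example")
    second = b.visit(2, "mail.example")
    return first["mail.example"] == second["mail.example"]


if __name__ == "__main__":
    for policy in ("global", "first_party", "tab_first_party"):
        print(policy,
              "embed-link:", tracker_can_link(policy),
              "redirect-link:", tracker_can_link(policy, via_redirect=True),
              "same-tab redirect-link:", tracker_can_link(policy, True, (1, 1)),
              "login carries over:", session_carries_over(policy))
```

Running it shows the trade-off the thread circles around: origin isolation stops the embedded-tracker case but not the redirect case (the tracker is momentarily the first party on both visits, so it gets the same jar), adding tab isolation stops the cross-tab redirect case but not a redirect chain within one tab (which is why Georg wants to break linkage between repeated calls to the same domain inside a tab), and tab isolation is also the only policy under which a login in one tab does not carry over to another, which is Mike's usability worry.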