On Tue, Jul 24, 2018 at 01:37:10AM +0000, Matthew Finkel wrote:
> On Mon, Jul 16, 2018 at 01:32:19AM +0000, Matthew Finkel wrote:
> > Hi Everyone,
> > We'll discuss this at a meeting next Tuesday, 24 July at 15:00 UTC in #tor-meeting on OFTC.
> Reminder!
We had a good meeting yesterday - meeting notes are available online[0].
During the meeting we briefly discussed the different methods we can use for sandboxing Tor Browser on the different platforms. We then moved on to discussing our goals with sandboxing Tor Browser and what the criteria are for the solution we choose. That conversation led us to enumerate the criteria[1] and start thinking about the trade-offs associated with them and how we evaluate them (not exhaustive).
Types of sandbox:
a) one standard VM on all desktop OSes running Tor Browser on Linux
b) Per-OS container/virtualization solution
c) No container/vm, but sandboxing the parent and content processes using OS-specific mechanisms (dropping privs etc.)
d) a mix of all options choosing the best per platform
Evaluation criteria for a)-d)
1) (in the face of a browser exploit) tracking protection
2) (no browser exploit) tracking protection
3) (in the face of a browser exploit) proxy bypass protection
4) (no browser exploit) proxy bypass protection
5) user experience
6) development effort (including time to market with improved security)
7) maintainability
8) uplift possibilities
9) installation size? (part of user experience?)
10) ability to take advantage of expected future security improvements
11) Compatibility with future browser/app development plans at the Tor Project
We ran out of time, and we didn't finish, but we'll continue this discussion on the tbb-dev@lists.torproject.org mailing list. Please come join us if you're interested!
[0] http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-07-24-14.59.txt
[1] https://pad.riseup.net/p/sandbox-07-24
Thanks, Matt