[tbb-dev] [Tails-dev] future of tor-launcher? - Firefox XPCOM / XUL based add-ons deprecation

Yawning Angel yawning at schwanenlied.me
Mon Jan 30 11:48:35 UTC 2017

Sorry for messing threading up, I wasn't subbed to this list.

anonym wrote:
> > It is also worth noting that Yawning created a new launcher/updater
> > for Linux as part of his Sandboxed Tor Browser Project (it uses go,
> > Gtk+ 3, and libnotify).
> > https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux
> Interesting, but I wonder how much of this launcher that is about
> setting up the sandboxes -- my fear is that it simply is designed for
> something else than what we want. Anyway, I haven't looked at it, I'm
> just speculating. :)

Well.  Any decent sandboxing solution can't have firefox being the
process launching the tor daemon, because that requires granting
it things like network access, filesystem access to the tor data
directory, etc. that it frankly has no business ever accessing.

From a security standpoint, I think that tor-launcher needs to die,
and I wrote sandboxed-tor-browser accordingly.  Since it's an Alpha,
and I had limited time, it doesn't do everything that tor-launcher
currently can.  It currently supports:

 * Configure a tor daemon.

   * Pluggable transports (limited to that supported by obfs4proxy
     because I don't have a good answer for sandboxing meek/snowflake,
     and no one uses FTE).

   * Bridges, both custom and built in.

   * External network proxies (HTTPS/SOCKS4(a)/SOCKS5).

 * Launch the tor daemon and monitor bootstrapping status.

 * (what tor-browser-launcher does)

 * (update check/fetch/apply)

 * (lots of sandboxing stuff that only I care about)

Things it should have:

 * i18n support (Dropped in favor of "get something done").

 * Support the rest of the Pluggable Transports.

 * Support user specified torrc directives (eg: ExcludeNodes related
   tinfoil hattery).

 * Support runtime reconfiguration.  The torrc is never checkpointed to
   disk, and is regenerated on each launch.  I don't think firefox
   should ever get to talk to the control port either (and
   sandboxed-tor-browser enforces this), so this might be somewhat

I don't think what I wrote is what people want here, because:

 * It was written to only support Tor Browser.

 * As you note, it has lots of stuff related to sandboxing, though in
   an ideal world, everything should be sandboxed.

 * I used Gtk because the sandboxing implementation I wrote assumes

If I were to be the one working on a "tor-launcher" replacement, I'd
probably write an external launcher, using Qt or something...


Yawning Angel
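The two launcher duties the message describes, generating a throwaway torrc (bridges, an obfs4 transport, an external proxy) on every launch and watching tor bootstrap, are sketched below as an added illustration. This is example code written for this page, not code from sandboxed-tor-browser or tor-launcher; the directive names (DataDirectory, SocksPort, UseBridges, Bridge, ClientTransportPlugin, HTTPSProxy, Socks4Proxy, Socks5Proxy) are real torrc options, but the obfs4proxy path, the bridge line and the log lines are constructed sample values. Bootstrap progress is read from tor's own "Bootstrapped N%" notices on stdout, which keeps the control port out of the browser's reach entirely, in the spirit of the message.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// TorConfig holds what a launcher UI would collect from the user.
type TorConfig struct {
	DataDirectory string
	SocksPort     int
	Bridges       []string // torrc "Bridge" arguments, e.g. "obfs4 host:port FINGERPRINT cert=... iat-mode=0"
	Obfs4Proxy    string   // path to the obfs4proxy binary; required if any obfs4 bridge is listed
	ProxyType     string   // "", "https", "socks4" or "socks5"
	ProxyAddr     string   // host:port of the external proxy
}

// RenderTorrc builds torrc text from TorConfig. A launcher would write it to
// a fresh file before each tor start rather than editing a persistent torrc.
func RenderTorrc(c TorConfig) (string, error) {
	var b strings.Builder
	fmt.Fprintf(&b, "DataDirectory %s\n", c.DataDirectory)
	fmt.Fprintf(&b, "SocksPort %d\n", c.SocksPort)
	if len(c.Bridges) > 0 {
		b.WriteString("UseBridges 1\n")
		needsObfs4 := false
		for _, br := range c.Bridges {
			fmt.Fprintf(&b, "Bridge %s\n", br)
			if strings.HasPrefix(br, "obfs4 ") {
				needsObfs4 = true
			}
		}
		// tor refuses to use a transport bridge without a matching ClientTransportPlugin line.
		if needsObfs4 {
			if c.Obfs4Proxy == "" {
				return "", fmt.Errorf("obfs4 bridge configured but no obfs4proxy path given")
			}
			fmt.Fprintf(&b, "ClientTransportPlugin obfs4 exec %s\n", c.Obfs4Proxy)
		}
	}
	switch c.ProxyType {
	case "":
	case "https":
		fmt.Fprintf(&b, "HTTPSProxy %s\n", c.ProxyAddr)
	case "socks4":
		fmt.Fprintf(&b, "Socks4Proxy %s\n", c.ProxyAddr)
	case "socks5":
		fmt.Fprintf(&b, "Socks5Proxy %s\n", c.ProxyAddr)
	default:
		return "", fmt.Errorf("unsupported proxy type %q", c.ProxyType)
	}
	return b.String(), nil
}

var bootstrapRe = regexp.MustCompile(`Bootstrapped (\d+)%`)

// BootstrapProgress scans tor notice lines and returns the highest bootstrap
// percentage seen and whether bootstrapping reached 100%.
func BootstrapProgress(logText string) (int, bool) {
	best := 0
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := bootstrapRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if pct, err := strconv.Atoi(m[1]); err == nil && pct > best {
			best = pct
		}
	}
	return best, best >= 100
}

// SampleLog is a constructed excerpt in the format tor prints on stdout.
const SampleLog = `Jan 30 11:48:35.000 [notice] Bootstrapped 0%: Starting
Jan 30 11:48:36.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Jan 30 11:48:40.000 [notice] Bootstrapped 45%: Asking for relay descriptors
Jan 30 11:48:42.000 [notice] Bootstrapped 100%: Done`

func main() {
	cfg := TorConfig{
		DataDirectory: "/tmp/tor-data", // assumed path
		SocksPort:     9150,
		Bridges:       []string{"obfs4 192.0.2.10:443 0000000000000000000000000000000000000000 cert=EXAMPLE iat-mode=0"}, // constructed
		Obfs4Proxy:    "/usr/bin/obfs4proxy", // assumed path
		ProxyType:     "socks5",
		ProxyAddr:     "127.0.0.1:1080",
	}
	torrc, err := RenderTorrc(cfg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(torrc)
	pct, done := BootstrapProgress(SampleLog)
	fmt.Printf("bootstrap: %d%% done=%v\n", pct, done)
}
```

The parsed percentage is what a launcher would feed to its progress bar; the browser itself never needs to see the torrc or talk to tor beyond the SOCKS port.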