[tbb-dev] Sandboxing Tor Browser - Next Step

Matthew Finkel matthew.finkel at gmail.com
Thu Jul 26 02:44:59 UTC 2018

Hi Everyone,

We had a productive meeting yesterday about sandboxing Tor Browser. I
sent a high-level summary on tor-dev@ [0]. We ended the meeting while we
were discussing/considering the different criteria for how we decide
which sandboxing implementation(s) we pursue [1]. This is the
continuation of that topic.

Specifically, we currently have four sandboxing options under
consideration (there may be more we aren't considering):

  a) one standard VM on all desktop OSes running Tor Browser on Linux
  b) Per-OS container/virtualization solution
  c) No container/vm, but sandboxing the parent and content
     processes using OS-specific mechanisms (dropping privs etc.)
  d) a mix of all options choosing the best per platform

With each of these mechanisms, we enumerated some criteria for
evaluating them and choosing the best option for Tor Browser:

  1) (in the face of a browser exploit) tracking protection
  2) (no browser exploit) tracking protection
  3) (in the face of a browser exploit) proxy bypass protection
  4) (no browser exploit) proxy bypass protection
  5) user experience
  6) development effort (including time to market with
     improved security)
  7) maintainability
  8) uplift possibilities
  9) installation size? (part of user experience?)
  10) ability to take advantage of expected future
      security improvements
  11) Compatibility with future browser/app
      development plans at the Tor Project

As mentioned during the meeting, there doesn't currently exist a common
set of sandboxing mechanisms across all platforms. Maybe this will exist
in some years when Docker is the de facto standard run-time. Until then,
we have platform-specific implementations we must use.

How should we document ranking each of the sandboxing options with the
stated criteria? Would this be easier on another pad or using a
spreadsheet (ethercalc)?


[0] https://lists.torproject.org/pipermail/tor-dev/2018-July/013350.html
[1] https://pad.riseup.net/p/sandbox-07-24