[tor-bugs] #5273 [Firefox Patch Issues]: Update TBB design doc for 2.3.x-alpha

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Jul 18 09:21:22 UTC 2012 

#5273: Update TBB design doc for 2.3.x-alpha
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry                    
     Type:  defect                |         Status:  new                          
 Priority:  major                 |      Milestone:  TorBrowserBundle 2.3.x-stable
Component:  Firefox Patch Issues  |        Version:                               
 Keywords:  MikePerry201207       |         Parent:                               
   Points:                        |   Actualpoints:                               
----------------------------------+-----------------------------------------

Comment(by mikeperry):

 Replying to [comment:16 gk]:
 > Replying to [comment:15 mikeperry]:
 > > The reason to put the beggar's header, the adblocker, and the plugin
 control on a per site basis is to avoid the fingerprinting due to global
 prefs.
 > Maybe I am bit slow here but could you explain the fingerprinting risks
 you see for TBB users a bit? Offering these options seems rather to
 introduce fingerprinting issues as users choosing them are not in the
 default set anymore. Let alone the option for bad exits to test whether
 users are deploying the same filterlists and if not separating them and so
 on...

 Yes, the key thing in my mind is that users are able to define a
 relationship with a specific site under this model. If they decide to end
 this relationship, they hit the delete key and everything is wiped.
 Moreover, their decisions wrt one site do not affect browser behavior on
 other sites (which is the important component for 3rd party
 linkability/correlation through fingerprinting, IMO).

 > > I still hate the beggar's header and dislike the adblocker ideas, but
 siloing them per url bar at least mitigates the damage they can do. The
 per-site adblocker might also drive per-site incentive for ads to not suck
 more than a global adblocker would.
 > I am lost here as well. But maybe your ideas are due to the "Correlate
 activity across multiple site visits" adversary goal you thought about
 adding for completeness' sake? If so, I do not see how options buried in a
 context menu which are off by default could defend against it.

 The core idea here is rooted in the assumption that the crazies who think
 they know better (but really do not) will enable this stuff by default
 globally right now by way of installing Adblock or clicking the Beggar
 Checkbox... That behavior (which we probably can't expect to stop) is
 worse for the total population's anonymity set than per-site options. At
 least, I think so.. Are there reasons to the contrary?

 I also expect that certain sites will have homogenous requirements wrt ad
 blockers and plugins/media because people will naturally decide that those
 sites suck in similar ways... But perhaps that is a poor assumption? If
 so, please explain how/why?

 As a general matter, I prefer allowing user choice if possible, but it
 also seems clear that user choice for global behaviors is really, really
 bad... Allowing easy access to per-site choices would be way better by
 comparison...

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5273#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list