[tor-commits] [tor-browser-spec/master] Enumerate the firefox patches.

mikeperry at torproject.org mikeperry at torproject.org
Mon Apr 28 15:18:47 UTC 2014

commit 594385e416fd3b6ee8fb90705cc52f329e31d3bf
Author: Mike Perry <mikeperry-git at fscked.org>
Date:   Fri Sep 23 22:26:35 2011 -0700

    Enumerate the firefox patches.
    Also add some prose.
 docs/design/design.xml |  139 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 116 insertions(+), 23 deletions(-)

diff --git a/docs/design/design.xml b/docs/design/design.xml
index 586184c..619f76d 100644
--- a/docs/design/design.xml
+++ b/docs/design/design.xml
@@ -532,48 +532,98 @@ Flash cookies from leaking from a pre-existing Flash directory.
   <sect2 id="disk-avoidance">
    <title>Disk Avoidance</title>
-   <para>
+   <para><command>Design Goal:</command>
+Tor Browser should optionally prevent all disk records of browser activity.
+The user should be able to optionally enable URL history and other history
+features if they so desire. Once we <ulink
+url="https://trac.torproject.org/projects/tor/ticket/3100">simplify the
+preferences interface</ulink>, we will likely just enable Private Browsing
+mode by default to handle this goal.
+   </para>
+   <para><command>Implementation Status:</command>
+For now, Tor Browser blocks write access to the disk through Torbutton
+using several Firefox preferences. 
 <!-- XXX: http auth on disk??? -->
-browser.download.manager.retention <!-- XXX: needs patch -->
-network.cookie.lifetimePolicy = 2
+The set of prefs is:
+<command>browser.download.manager.retention <!-- XXX: needs patch --></command>,
+and <command>network.cookie.lifetimePolicy</command>.
+    </para>
+    <para>
+In addition, three Firefox patches are needed to prevent disk writes, even if
+Private Browsing Mode is enabled. We need to
+the permissions manager from recording HTTPS STS state</ulink>,
+intermediate SSL certficates from being recorded</ulink>, and
+the content preferences service from recording site zoom</ulink>.
+For more details on these patches, <link linkend="firefox-patches">see the
+Firefox Patches section</link>.
   <sect2 id="disk-isolation">
    <title>Disk Isolation</title>
-<!-- XXX: sjmurdoch, Erinn -->
+Tor Browser Bundle MUST NOT cause any information to be written outside of the
+bundle directory. This is to ensure that the user is able to completely and
+safely remove the bundle without leaving other traces of Tor usage on their
+   <para>XXX: sjmurdoch, Erinn: explain what magic we do to satisfy this,
+and/or what additional work or auditing needs to be done.
   <sect2 id="update-safety">
    <title>Update Safety</title>
-<!-- XXX: Design goal -->
+<!-- XXX: Design goal vs implementation status -->
   <sect2 id="identifier-linkability">
    <title>Cross-Domain Identifier Unlinkability</title>
+   <!-- XXX: Design goals vs implementation status -->
+   <para>
+The Tor Browser MUST prevent a user's activity on one site from being linked
+to their activity on another site. When this goal cannot yet be met with an
+existing web technology, that technology or functionality is disabled. Our
+design goal is to ultimately eliminate the need to disable arbitrary
+technologies, and instead simply alter them in ways that allows them to
+function in a backwards-compatible way while avoiding linkability.
+   </para>
-The Tor Browser MUST prevent a user's activity on one site from being
-linked to their activity on another site.
+The benefit of this approach comes not only in the form of reduced
+linkability, but also in terms of simplified privacy UI. If all stored browser
+state and permissions become associated with the top-level url-bar domain, the
+six or seven different pieces of privacy UI governing these identifiers and
+permissions can become just one piece of UI. For instance, a window that lists
+the top-level url bar domains for which browser state exists with the ability
+to clear and/or block them, possibly with a context-menu option to drill down
+into specific types of state.
-<!-- XXX: Explain Why. UI simplification link -->
+<!-- XXX: Include graphic as a 'Design Goal' -->
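Review bot: "certficates" in the Disk Avoidance paragraph should be "certificates", and the same paragraph is not well-formed as shown: "We need to" is followed directly by "the permissions manager from recording HTTPS STS state</ulink>", so there are three closing `</ulink>` tags with no opening `<ulink url="...">` and no verb ("prevent ... from recording") in front of each item. Please restore the opening tags with their ticket URLs so the sentence reads as intended and the DocBook validates. Two smaller points in the same hunk: the Disk Isolation text "Tor Browser Bundle MUST NOT cause any information to be written ..." has no opening `<para>` and stops at "on their" before the next `<para>XXX: sjmurdoch, Erinn ...` begins, and the line "using several Firefox preferences. " carries trailing whitespace.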
@@ -592,7 +642,8 @@ apply to modern Firefoxes.
 As a stopgap to satisfy our design requirement of unlinkability, we currently
 entirely disable 3rd party cookies by setting
 <command>network.cookie.cookieBehavior</command> to 1. We would prefer that
-third party content continue to funtion , but we believe unlinkability.
+third party content continue to funtion , but we believe the requirement for 
+unlinkability trumps that desire.
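Review bot: since the line "third party content continue to funtion , but we believe the requirement for " is being rewritten anyway, fix the inherited typo and spacing to "third party content continue to function, but we believe the requirement for" and drop the trailing space at the end of the line.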
@@ -692,7 +743,8 @@ observers from linking concurrent browsing activity.
 The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
 series. <ulink
-#3455</ulink> is the Torbutton ticket.
+#3455</ulink> is the Torbutton ticket to make use of the new Tor
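Review bot: the rewritten line ends at "to make use of the new Tor" in this hunk; make sure the continuation actually names the Tor feature that the preceding context line only describes as "the Tor feature that supports this ability" and as existing "only in the 0.2.3.x-alpha series", otherwise the reader still has to guess which feature the Torbutton ticket depends on.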
@@ -706,12 +758,53 @@ url="https://trac.torproject.org/projects/tor/ticket/3455">Ticket
   <sect2 id="click-to-play">
    <title>Click-to-play for plugins and invasive content</title>
+Some content types are too invasive and/or too opaque for us to properly
+eliminate their linkability properties. For these content types, we use
+NoScript to provide click-to-play placeholders that do not activate the
+content until the user clicks on it. This will eliminate the ability for an
+adversary to use such content types to link users in a dragnet fashion across
+arbitrary sites.
+   </para>
+   <para>
+<!-- XXX: Where do we discuss our plans w/ flash -->
+Currently, the content types isolated in this way include Flash, WebGL, and
+audio and video objects.
   <sect2 id="firefox-patches">
    <title>Description of Firefox Patches</title>
+   <orderedlist>
+    <listitem>Block Components.interfaces and Components.lookupMethod
+     <para> </para>
+    </listitem>
+    <listitem>Make Permissions Manager memory only
+     <para> </para>
+    </listitem>
+    <listitem>Make Intermediate Cert Store memory-only
+     <para> </para>
+    </listitem>
+    <listitem>Add HTTP auth headers before on-modify-request fires
+     <para> </para>
+    </listitem>
+    <listitem>Add a string-based cacheKey property for domain isolation
+     <para> </para>
+    </listitem>
+    <listitem>Randomize HTTP pipeline order and depth
+     <para>
+     </para>
+    </listitem>
+    <listitem>Block all plugins except flash
+     <para> </para>
+    </listitem>
+    <listitem>Make content-prefs service memory only
+     <para>
+     </para>
+    </listitem>
+   </orderedlist>
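Review bot: the `<orderedlist>` in the new "Description of Firefox Patches" section puts each patch name as bare text inside `<listitem>` followed by an empty `<para> </para>`; DocBook expects block content in a listitem, so either wrap the name in its own `<para>` (for example `<listitem><para><emphasis>Make Permissions Manager memory only</emphasis></para><para>...</para></listitem>`) or use a `<variablelist>` with the patch name in `<term>` and the description in the listitem. The empty paras also matter because the Disk Avoidance section added in this same commit points readers here ("see the Firefox Patches section") for the three disk-write patches (permissions manager, intermediate cert store, content-prefs service), so at least those three entries should get a sentence describing what each patch changes rather than a placeholder. Finally, the Click-to-play text "Some content types are too invasive ..." closes with `</para>` but has no opening `<para>` in the visible lines.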