[tor-commits] [tor-browser-spec/master] More updates for GK's comments.
mikeperry at torproject.org
Mon Apr 28 15:18:48 UTC 2014
Author: Mike Perry <mikeperry-git at fscked.org>
Date: Sat Mar 16 16:42:02 2013 -0700
More updates for GK's comments.
docs/design/design.xml | 54 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 43 insertions(+), 11 deletions(-)
diff --git a/docs/design/design.xml b/docs/design/design.xml
index 68f899c..d1cdf0f 100644
@@ -23,7 +23,7 @@
- <pubdate>March 11, 2013</pubdate>
+ <pubdate>March 15, 2013</pubdate>
@@ -777,7 +777,7 @@ url="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf">Panche
"Open World" scenario</ulink>, which suffered continous near-constant decline
in the true positive rate as the "Open World" size grew (see figure 4). This
large level of classification complexity is further confounded by a noisy and
-low resolution featureset - one which is also realtively easy for the defender
+low resolution featureset - one which is also relatively easy for the defender
to manipulate at low cost.
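Review bot: the fix to "relatively" is correct, but the same sentence still carries "continous" in the unchanged context line ("which suffered continous near-constant decline"); suggest "continuous" in the same commit, and note that "continuous near-constant decline" is redundant, so "a steady decline in the true positive rate" would read more cleanly.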
@@ -812,15 +812,27 @@ OS</command>
Last, but definitely not least, the adversary can exploit either general
browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
install malware and surveillance software. An adversary with physical access
-can perform similar actions. Regrettably, this last attack capability is
-outside of the browser's ability to defend against, but it is worth mentioning
-for completeness. In fact, <ulink
-url="http://tails.boum.org/contribute/design/">The Tails system</ulink> can
-provide some defense against this adversary, and it does include the Tor
-Browser. We do however aim to defend against an adersary that has passive
-forensic access the disk after browsing activity takes place, as part of our
+can perform similar actions.
+For the purposes of the browser itself, we limit the scope of this adversary
+to one that has passive forensic access to the disk after browsing activity
+has taken place. This adversary motivates our
<link linkend="disk-avoidance">Disk Avoidance</link> defenses.
+An adversary with arbitrary code execution typically has more power, though.
+It can be quite hard to really significantly limit the capabilities of such an
+url="http://tails.boum.org/contribute/design/">The Tails system</ulink> can
+provide some defense against this adversary through the use of readonly media
+and frequent reboots, but even this can be circumvented on machines without
+Secure Boot through the use of BIOS rootkits.
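Review bot: the last added sentence overstates what Secure Boot buys. "even this can be circumvented on machines without Secure Boot through the use of BIOS rootkits" reads as if Secure Boot prevents BIOS rootkits, but Secure Boot verifies the boot chain the firmware loads, not the firmware itself; a firmware implant that persists below the verified chain is mitigated by firmware write protection and measured or verified firmware, not by Secure Boot alone. Suggest qualifying the claim, e.g. "but even this can be circumvented through the use of firmware (BIOS) rootkits on machines whose firmware is not write-protected and verified." Minor: "readonly media" should be "read-only media", and the paragraph now opens with "An adversary with arbitrary code execution typically has more power, though." while the preceding paragraph has already limited the adversary to passive forensic access, so it would be clearer to state up front that this is the stronger adversary the browser cannot defend against on its own.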
@@ -960,14 +972,34 @@ events from Torbutton before the OS downloads the URLs the events contained.
+ <listitem>Disabling system extensions and clearing the addon whitelist
+Firefox addons can perform arbitrary activity on your computer, including
+bypassing Tor. It is for this reason we disable the addon whitelist
+(<command>xpinstall.whitelist.add</command>), so that users are prompted
+before installing addons regardless of the source. We also exclude
+system-level addons from the browser through the use of
Tor Browser State is separated from existing browser state through use of a
-custom Firefox profile. Furthermore, plugins are disabled, which prevents
-Flash cookies from leaking from a pre-existing Flash directory.
+custom Firefox profile, and by setting the $HOME environment variable to the
+root of the bundle's directory. The browser also does not load any
+system-wide extensions (through the use of
+<command>extensions.autoDisableScopes</command>. Furthermore, plugins are
+disabled, which prevents Flash cookies from leaking from a pre-existing Flash
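Review bot: the parenthesis opened in "(through the use of <command>extensions.autoDisableScopes</command>." is never closed; add ")" after the closing </command> tag. Also the listitem title says "clearing the addon whitelist" while the body says "we disable the addon whitelist (<command>xpinstall.whitelist.add</command>)"; pick one wording and make it match the pref's actual effect, since emptying that whitelist is what causes the install prompt for every source. Finally, the $HOME sentence should say why it matters for state separation (so that Firefox, and plugins that key off $HOME, look for their profile and cache under the bundle directory rather than the user's real home), otherwise the reader cannot tell what leak it prevents.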