[tor-commits] [tor-browser-spec/master] More updates for GK's comments.

mikeperry at torproject.org mikeperry at torproject.org
Mon Apr 28 15:18:48 UTC 2014

commit efc014ed1d45f157ed1430375ac17a8e633a2768
Author: Mike Perry <mikeperry-git at fscked.org>
Date:   Sat Mar 16 16:42:02 2013 -0700

    More updates for GK's comments.
 docs/design/design.xml |   54 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 43 insertions(+), 11 deletions(-)

diff --git a/docs/design/design.xml b/docs/design/design.xml
index 68f899c..d1cdf0f 100644
--- a/docs/design/design.xml
+++ b/docs/design/design.xml
@@ -23,7 +23,7 @@
      <address><email>sjmurdoch#torproject org</email></address>
-   <pubdate>March 11, 2013</pubdate>
+   <pubdate>March 15, 2013</pubdate>
@@ -777,7 +777,7 @@ url="http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf">Panche
 "Open World" scenario</ulink>, which suffered continous near-constant decline
 in the true positive rate as the "Open World" size grew (see figure 4). This
 large level of classification complexity is further confounded by a noisy and
-low resolution featureset - one which is also realtively easy for the defender
+low resolution featureset - one which is also relatively easy for the defender
 to manipulate at low cost.
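Review bot: the context line two above this fix still carries the typo "continous" in "suffered continous near-constant decline"; since this hunk is a typo pass, correct it here too. Note also that "continuous near-constant decline" is redundant once spelled correctly; "a near-constant decline" reads better.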
@@ -812,15 +812,27 @@ OS</command>
 Last, but definitely not least, the adversary can exploit either general
 browser vulnerabilities, plugin vulnerabilities, or OS vulnerabilities to
 install malware and surveillance software. An adversary with physical access
-can perform similar actions. Regrettably, this last attack capability is
-outside of the browser's ability to defend against, but it is worth mentioning
-for completeness. In fact, <ulink
-url="http://tails.boum.org/contribute/design/">The Tails system</ulink> can
-provide some defense against this adversary, and it does include the Tor
-Browser. We do however aim to defend against an adersary that has passive
-forensic access the disk after browsing activity takes place, as part of our
+can perform similar actions.
+    </para>
+    <para>
+For the purposes of the browser itself, we limit the scope of this adversary
+to one that has passive forensic access to the disk after browsing activity
+has taken place. This adversary motivates our 
 <link linkend="disk-avoidance">Disk Avoidance</link> defenses.
+    </para>
+    <para>
+An adversary with arbitrary code execution typically has more power, though.
+It can be quite hard to really significantly limit the capabilities of such an
+adversary. <ulink
+url="http://tails.boum.org/contribute/design/">The Tails system</ulink> can
+provide some defense against this adversary through the use of readonly media
+and frequent reboots, but even this can be circumvented on machines without
+Secure Boot through the use of BIOS rootkits.
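Review bot: the added line "This adversary motivates our " ends in trailing whitespace; trim it before the link. In the third paragraph, "readonly media" should be "read-only media", and "It can be quite hard to really significantly limit the capabilities of such an adversary" stacks intensifiers; "It is hard to meaningfully limit the capabilities of such an adversary" says the same thing. The closing clause also overstates what Secure Boot buys: it verifies the boot chain but does not by itself stop firmware from being rewritten, so either drop the "without Secure Boot" qualifier or soften it to "and even this can be undermined by firmware (BIOS) rootkits".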
@@ -960,14 +972,34 @@ events from Torbutton before the OS downloads the URLs the events contained.
+ <listitem>Disabling system extensions and clearing the addon whitelist
+  <para>
+Firefox addons can perform arbitrary activity on your computer, including
+bypassing Tor. It is for this reason we disable the addon whitelist
+(<command>xpinstall.whitelist.add</command>), so that users are prompted
+before installing addons regardless of the source. We also exclude
+system-level addons from the browser through the use of
+<command>extensions.enabledScopes</command> and
+  </para>
+ </listitem>
   <sect2 id="state-separation">
    <title>State Separation</title>
 Tor Browser State is separated from existing browser state through use of a
-custom Firefox profile. Furthermore, plugins are disabled, which prevents
-Flash cookies from leaking from a pre-existing Flash directory.
+custom Firefox profile, and by setting the $HOME environment variable to the
+root of the bundle's directory.  The browser also does not load any
+system-wide extensions (through the use of
+<command>extensions.enabledScopes</command> and
+<command>extensions.autoDisableScopes</command>. Furthermore, plugins are
+disabled, which prevents Flash cookies from leaking from a pre-existing Flash
   <sect2 id="disk-avoidance">
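Review bot: the new listitem's para stops mid-sentence: "system-level addons from the browser through the use of <command>extensions.enabledScopes</command> and" is followed directly by </para>, so the second preference (the State Separation text below names <command>extensions.autoDisableScopes</command> alongside it) never appears; finish the sentence. In the State Separation change, the parenthesis opened at "(through the use of" is never closed; add ")" after the second </command> before the period. Both passages would also be clearer if they stated the values these preferences are set to rather than only naming them.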