[tor-commits] [tor-browser-spec/master] Update design doc for 4.5-alpha-1.

mikeperry at torproject.org mikeperry at torproject.org
Thu Nov 6 23:45:48 UTC 2014


commit f33dc32759d65bdf39748f5df5dc6d19044b5a85
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Thu Nov 6 14:44:59 2014 -0800

    Update design doc for 4.5-alpha-1.
---
 design-doc/design.xml |   87 ++++++++++++++++++++++++++++++++++---------------
 1 file changed, 60 insertions(+), 27 deletions(-)

diff --git a/design-doc/design.xml b/design-doc/design.xml
index 914a84d..6e4bfc1 100644
--- a/design-doc/design.xml
+++ b/design-doc/design.xml
@@ -40,7 +40,7 @@ This document describes the <link linkend="adversary">adversary model</link>,
 linkend="Implementation">implementation</link> <!-- and <link
 linkend="Packaging">packaging</link> and <link linkend="Testing">testing
 procedures</link> --> of the Tor Browser. It is current as of Tor Browser
-4.0.
+4.5-alpha-1.
 
   </para>
   <para>
@@ -530,10 +530,14 @@ least <link linkend="fingerprinting">tracking their activities</link>.
      <listitem><command>History records and other on-disk
 information</command>
      <para>
+
 In some cases, the adversary may opt for a heavy-handed approach, such as
 seizing the computers of all Tor users in an area (especially after narrowing
 the field by the above two pieces of information). History records and cache
-data are the primary goals here.
+data are the primary goals here. Secondary goals may include confirming
+on-disk identifiers (such as hostname and disk-logged spoofed MAC adddress
+history) obtained by other means.
+
      </para>
      </listitem>
     </orderedlist>
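Review bot: typo in the added sentence: "spoofed MAC adddress history" should read "spoofed MAC address history". The point being added is a useful one (on-disk identifiers such as hostname and MAC-spoofing logs that confirm attribution obtained elsewhere), so it is worth also saying where in the threat model those secondary goals are addressed, since this list item otherwise only names history records and cache data as what the browser must avoid leaving behind.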
@@ -938,13 +942,6 @@ yet support IPv6). We have also verified that external protocol helpers, such
 as smb urls and other custom protocol handlers are all blocked.
 
  </para>
- <para>
-
-Numerous other third parties have also reviewed and tested the proxy settings
-and have provided test cases based on their work. See in particular <ulink
-url="http://decloak.net/">decloak.net</ulink>. 
-
- </para>
 </listitem>
 
  <listitem>Disabling plugins
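Review bot: removing this paragraph drops the document's only pointer to independent proxy-leak test cases (decloak.net). If the site is no longer maintained or its tests no longer apply, the commit message should say so; otherwise keep a sentence that names the external test suite currently used to validate the proxy settings, so that readers of the "verified that external protocol helpers ... are all blocked" claim just above can see how it was checked.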
@@ -1407,22 +1404,13 @@ Identity</command> invocations.
       </para>
      </listitem>
     <listitem>Exit node usage
-     <para><command>Design Goal:</command>
-
-Every distinct navigation session (as defined by a non-blank Referer header)
-MUST exit through a fresh Tor circuit in Tor Browser to prevent exit node
-observers from linking concurrent browsing activity.
-
-     </para>
-     <para><command>Implementation Status:</command>
+    <para>
 
-The Tor feature that supports this ability only exists in the 0.2.3.x-alpha
-series. <ulink
-url="https://trac.torproject.org/projects/tor/ticket/3455">Ticket
-#3455</ulink> is the Torbutton ticket to make use of the new Tor
-functionality.
+All content elements associated with a given URL bar domain (including the
+main page) are given a SOCKS username and password for this domain, which
+causes Tor to isolate all of these requests on their own set of Tor circuits.
 
-     </para>
+    </para>
     </listitem>
    </orderedlist>
    <para>
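Review bot: the replacement drops the <command>Design Goal:</command> / <command>Implementation Status:</command> pair that the sibling list items use (the same structure is visible at the "Implementation Status:" paragraph in the next hunk), leaving "Exit node usage" as a single unlabelled paragraph. Suggest keeping the goal statement (preventing exit observers from linking concurrent browsing activity) under Design Goal and placing the new text about per-URL-bar-domain SOCKS username/password isolation under Implementation Status; as written, the item states the mechanism without stating what it is meant to prevent.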
@@ -1829,10 +1817,7 @@ the browser can obtain this clock skew via a mechanism similar to that used in
      <para><command>Implementation Status:</command>
 
 We set the timezone using the TZ environment variable, which is supported on
-all platforms. Additionally, we plan to <ulink
-url="https://trac.torproject.org/projects/tor/ticket/3652">obtain a clock
-offset from Tor</ulink>, but this won't be available until Tor 0.2.3.x is in
-use.
+all platforms.
 
      </para>
     </listitem>
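Review bot: deleting the clock-offset plan (ticket 3652) leaves the Implementation Status saying only that TZ is set, while the preceding Design Goal text (see the hunk header: "the browser can obtain this clock skew via a mechanism similar to that used in") still describes obtaining clock skew. Add one sentence stating whether that goal is still planned, abandoned, or addressed elsewhere, so the status section does not silently contradict the goal above it.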
@@ -2037,6 +2022,46 @@ privacy and security issues.
 
    </para>
    <orderedlist>
+    <listitem id="security-slider"><command>Security Slider</command>
+     <para>
+
+In order to provide vulnerability surface reduction for users that need high
+security, we have implemented a "Security Slider" that essentially represents a
+tradeoff between usability and security. Using metrics collected from
+Mozilla's bugtracker, we analyzed the vulnerability counts of core components,
+and used <ulink
+url="https://github.com/iSECPartners/publications/tree/master/reports/Tor%20Browser%20Bundle">information
+gathered from a study performed by iSec Partners</ulink> to inform which
+features should be disabled at which security levels.
+
+     </para>
+     <para>
+
+The Security Slider consists of four positions. At the lowest security level
+(the default), we disable
+<command>gfx.font_rendering.graphite.enabled</command> for Latin locales, as
+well as <command>gfx.font_rendering.graphite.enabled</command>. At the
+medium-low level, we disable most Javascript JIT and related optimizations
+(<command>javascript.options.ion.content</command>,
+<command>javascript.options.typeinference</command>,
+<command>javascript.options.asmjs</command>). We also make HTML5 media
+click-to-play (<command>noscript.forbidMedia</command>), and disable WebAudio
+(<command>media.webaudio.enabled</command>). At the medium-high level, we
+disable the baseline JIT
+(<command>javascript.options.baselinejit.content</command>), disable
+Javascript entirely all elements that are loaded when the URL bar is not
+HTTPS (<command>noscript.globalHttpsWhitelist</command>), and fully disable
+graphite font rendering for all locales
+(<command>gfx.font_rendering.graphite.enable</command>). At the highest level,
+Javascript is fully disabled (<command>noscript.global</command>), as well as
+all non-WebM HTML5 codecs (<command>media.ogg.enabled</command>,
+<command>media.opus.enabled</command>, <command>media.opus.enabled</command>,
+<command>media.DirectShow.enabled</command>,
+<command>media.wave.enabled</command>, and
+<command>media.apple.mp3.enabled</command>).
+
+     </para>
+    </listitem>
     <listitem id="traffic-fingerprinting-defenses"><command>Website Traffic Fingerprinting Defenses</command>
      <para>
 
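Review bot: several preference names in the slider description are duplicated or inconsistent, which matters because readers will use this list to audit what each level actually disables. At the lowest level the same pref, <command>gfx.font_rendering.graphite.enabled</command>, is named twice ("for Latin locales, as well as ..."), so one of the two is presumably a different pref; at the medium-high level the pref is spelled <command>gfx.font_rendering.graphite.enable</command> (missing the trailing "d"); and at the highest level <command>media.opus.enabled</command> appears twice in the codec list. Also fix the grammar in "disable Javascript entirely all elements that are loaded when the URL bar is not HTTPS" (missing "on"), and consider a short table of level versus prefs rather than one long sentence, since the four positions are otherwise hard to compare.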
@@ -2146,6 +2171,14 @@ informs the user</ulink> that their browser is out of
 date.
 
      </para>
+     <para>
+
+We also make use of the in-browser Mozilla updater, and have <ulink
+url="https://gitweb.torproject.org/tor-browser.git/commitdiff/777695d09e3cff4c79c48839e1c9d5102b772d6f">patched
+the updater</ulink> to avoid sending OS and Kernel version information as part
+of its update pings.
+
+     </para>
     </listitem>
 
    </orderedlist>
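Review bot: "OS and Kernel version" should be lowercase "kernel". Beyond that, the paragraph says what the updater patch removes from update pings but not what the ping still contains; stating that would let a reader judge the remaining fingerprint from the update channel, which is the reason the patch exists.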




