[tor-commits] [tor-browser-spec/master] Address comments from GK's review.

mikeperry at torproject.org mikeperry at torproject.org
Thu Nov 6 23:45:48 UTC 2014


commit 9a497560c8e7ac173388d9bd5ac64bdc3fd46bfd
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Thu Nov 6 15:20:10 2014 -0800

    Address comments from GK's review.
---
 design-doc/design.xml |  121 +++++++++++++++++++++++++------------------------
 1 file changed, 62 insertions(+), 59 deletions(-)

diff --git a/design-doc/design.xml b/design-doc/design.xml
index 6e4bfc1..e57def0 100644
--- a/design-doc/design.xml
+++ b/design-doc/design.xml
@@ -23,7 +23,7 @@
      <address><email>sjmurdoch#torproject org</email></address>
     </affiliation>
    </author>
-   <pubdate>October 30th, 2014</pubdate>
+   <pubdate>November 6th, 2014</pubdate>
  </articleinfo>
 
 <!--
@@ -73,7 +73,7 @@ Tor process management and configuration is accomplished through the <ulink
 url="https://gitweb.torproject.org/tor-launcher.git">Tor Launcher</ulink>
 addon, which provides the initial Tor configuration splash screen and
 bootstrap progress bar. Tor Launcher is also compatible with Thunderbird,
-InstantBird, and XULRunner.
+Instantbird, and XULRunner.
 
    </para>
    <para>
@@ -181,7 +181,7 @@ Separation</command></link>
 
 The browser MUST NOT provide the content window with any state from any other
 browsers or any non-Tor browsing modes. This includes shared state from
-independent plugins, and shared state from Operating System implementations of
+independent plugins, and shared state from operating system implementations of
 TLS and other support libraries.
 
 </para></listitem>
@@ -211,7 +211,7 @@ must be able to ensure that secure deletion of the software is sufficient to
 remove evidence of the use of the software. All exceptions and shortcomings
 due to operating system behavior MUST be wiped by an uninstaller. However, due
 to permissions issues with access to swap, implementations MAY choose to leave
-it out of scope, and/or leave it to the Operating System/platform to implement
+it out of scope, and/or leave it to the operating system/platform to implement
 ephemeral-keyed encrypted swap.
 
 </para></listitem>
@@ -361,7 +361,7 @@ that detectably alters browser behavior can be used as a fingerprinting tool.
 Similarly, all extensions <ulink
 url="http://blog.chromium.org/2010/06/extensions-in-incognito.html">should be
 disabled in the mode</ulink> except as an opt-in basis. We should not load
-system-wide and/or Operating System provided addons or plugins.
+system-wide and/or operating system provided addons or plugins.
 
      </para>
      <para>
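Review bot: With "Operating System" now lowercased, "operating system provided addons or plugins" is a compound modifier and reads more clearly hyphenated: "operating-system-provided addons or plugins". Same lowercase-and-hyphenate treatment would keep this hunk consistent with the other capitalization fixes in this patch.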
@@ -1435,14 +1435,11 @@ determine how many bits of identifying information each attribute provided.
    </para>
    <para>
 
-Because fingerprinting is problem that potentially touches every aspect of the
-browser, we reduce the efforts for fingerprinting resistance by only
+Because fingerprinting is a problem that potentially touches every aspect of
+the browser, we reduce the efforts for fingerprinting resistance by only
 concerning ourselves with reducing the fingerprintable differences
 <emphasis>among</emphasis> Tor Browser users. We do not believe it is possible
-to solve cross-browser fingerprinting issues. Similarly, we prioritize issues
-that differentiate only MacOS, Windows, and Linux lower than those that
-differentiate aspects of the hardware, third party installed software, and
-configuration differences in those operating systems.
+to solve cross-browser fingerprinting issues.
 
    </para>
    <para>
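Review bot: Dropping the removed sentence ("Similarly, we prioritize issues that differentiate only MacOS, Windows, and Linux lower than those that differentiate aspects of the hardware...") orphans the later "Operating system type fingerprinting" item in this same patch, which still opens with "As we mentioned in the introduction of this section, OS type fingerprinting is currently considered a lower priority". Either keep a one-sentence statement of that priority here or reword the later paragraph so it no longer points back to text that no longer exists.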
@@ -1641,17 +1638,18 @@ and <ulink url="https://fedorahosted.org/lohit/">Lohit fonts</ulink>. The Droid
 font set is fairly complete by itself, but Nanum and Lohit have smaller
 versions of many South Asian languages. When combined in a way that chooses the
 smallest font implementations for each locale, these three font sets provide
-which provide coverage for the all languages used on Wikipedia with more than
+poverage for the all languages used on Wikipedia with more than
 10,000 articles, and several others as well, in approximately 3MB of compressed
 overhead. The <ulink url="https://www.google.com/get/noto/">Noto font
 set</ulink> is another font set that aims for complete coverage, but is
 considerably larger than the combination of the Droid, Nanum, and Lohit fonts.
+
      </para>
 
      <para><command>Implementation Status:</command>
 
 In the meantime while we investigate shipping our own fonts, we disable
-plugins, which prevents font enumeration. Additionally, we limit both the
+plugins, which prevents font name enumeration. Additionally, we limit both the
 number of font queries from CSS, as well as the total number of fonts that can
 be used in a document <ulink
 url="https://gitweb.torproject.org/torbrowser.git/blob/maint-2.4:/src/current-patches/firefox/0011-Limit-the-number-of-fonts-per-document.patch">with
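Review bot: The added line "+poverage for the all languages used on Wikipedia" has a typo and a word-order slip; it should read "coverage for all the languages used on Wikipedia". With that fix the sentence parses as intended ("these three font sets provide coverage for ..."). The change from "font enumeration" to "font name enumeration" is a good precision fix, since disabling plugins blocks listing of font names but not the CSS-based font probing that the next sentence limits.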
@@ -1671,13 +1669,13 @@ font (in any order), we use that font instead of any of the named local fonts.
 
      </para>
     </listitem>
-    <listitem>Monitor and Desktop resolution
+    <listitem>Monitor and OS Desktop resolution
      <para>
 
 Both CSS and Javascript have access to a lot of information about the screen
 resolution, usable desktop size, OS widget size, toolbar size, title bar size,
-screen orientation, and other desktop features that are not at all relevant
-to rendering and serve only to provide information for fingerprinting.
+and OS desktop widget sizing information that are not at all relevant to
+rendering and serve only to provide information for fingerprinting.
 
      </para>
      <para><command>Design Goal:</command>
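Review bot: The rewritten sentence now lists "OS widget size" and then "OS desktop widget sizing information" in the same enumeration, which is redundant; drop one of them or make the second item name something different (for example the "other desktop features" wording it replaced). The new title "Monitor and OS Desktop resolution" also capitalizes "Desktop" while the rest of this patch is lowercasing "operating system"; "Monitor and OS desktop resolution" would be consistent.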
@@ -1719,21 +1717,26 @@ to privacy in this mode.
 
      </para>
     </listitem>
-    <listitem>CSS Media Queries
+    <listitem>Display Media information
      <para>
 
-Even without Javascript, CSS has access to a lot of information about the screen
-resolution, usable desktop size, OS widget size, toolbar size, title bar size,
-system theme colors, and other desktop features that are not at all relevant
-to rendering and serve only to provide information for fingerprinting. Most of this information comes from 
-<ulink url="https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries">CSS Media Queries</ulink>, but 
-Mozilla has exposed <ulink url="https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors">several user and OS theme defined color values</ulink> to CSS as well.
+Beyond simple resolution information, a large amount of so-called "Media"
+information is also exported to content. Even without Javascript, CSS has
+access to a lot of information about the device orientation, system theme
+colors, and other desktop features that are not at all relevant to rendering
+and serve only to provide information for fingerprinting. Most of this
+information comes from <ulink
+url="https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries">CSS
+Media Queries</ulink>, but Mozilla has exposed <ulink
+url="https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors">several
+user and OS theme defined color values</ulink> to CSS as well.
 
      </para>
      <para><command>Design Goal:</command>
-In Private Browsing Mode, CSS should not be able infer anything that the user
-has configured about their computer. Additionally, it should not be able to
-infer machine-specific details such as screen orientation or type.
+
+CSS should not be able infer anything that the user has configured about their
+computer. Additionally, it should not be able to infer machine-specific
+details such as screen orientation or type.
 
      </para>
      <para><command>Implementation Status:</command>
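Review bot: The Design Goal text carries over a missing word from the old lines: "+CSS should not be able infer anything" should be "CSS should not be able to infer anything". Also, dropping "In Private Browsing Mode" widens the requirement from that mode to the browser as a whole; if that is intended (the surrounding section speaks about Tor Browser generally), fine, but it is a substantive scope change bundled into a wording cleanup and deserves a mention in the commit message.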
@@ -1811,7 +1814,7 @@ software should detect if the users clock is significantly divergent from the
 clocks of the relays that it connects to, and use this to reset the clock
 values used in Tor Browser to something reasonably accurate. Alternatively,
 the browser can obtain this clock skew via a mechanism similar to that used in
-<ulink linkend="https://github.com/ioerror/tlsdate">tlsdate</ulink>.
+<ulink url="https://github.com/ioerror/tlsdate">tlsdate</ulink>.
 
      </para>
      <para><command>Implementation Status:</command>
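Review bot: The linkend to url fix is correct: DocBook's linkend attribute is an internal ID reference, so the old markup would not have produced an external link to tlsdate. While here, the unchanged context line "if the users clock is significantly divergent" should read "user's clock".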
@@ -1887,12 +1890,12 @@ fingerprinting: timestamp quantization and jitter.
 We have no implementation as of yet.
      </para>
     </listitem>
-    <listitem>Operating System type fingerprinting
+    <listitem>Operating system type fingerprinting
      <para>
 
 As we mentioned in the introduction of this section, OS type fingerprinting is
 currently considered a lower priority, due simply to the numerous ways that
-characteristics of the Operating System type may leak into content, and the
+characteristics of the operating system type may leak into content, and the
 comparatively low contribution of OS to overall entropy. In particular, there
 are likely to be many ways to measure the differences in widget size,
 scrollbar size, and other rendered details on a page. Also, directly exported
@@ -1924,7 +1927,7 @@ tag on our bugtracker</ulink>.
    </orderedlist>
    </sect3>
    <para>
-For more details on identifier linkability bugs and enhancements, see the <ulink
+For more details on fingerprinting bugs and enhancements, see the <ulink
 url="https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=!closed">tbb-fingerprinting tag in our bugtracker</ulink>
   </para>
   </sect2>
@@ -1972,10 +1975,10 @@ url="https://developer.mozilla.org/en-US/docs/Supporting_private_browsing_mode#P
 (which instructs addons and various Firefox components to clear their session
 state), and then manually clear the following state: searchbox and findbox
 text, HTTP auth, SSL state, OCSP state, site-specific content preferences
-(including HSTS state), content and image cache, offline cache, Cookies, DOM
-storage, crypto tokens, DOM local storage, the safe browsing key, and the
+(including HSTS state), content and image cache, offline cache, offline
+storage, Cookies, crypto tokens, DOM storage, the safe browsing key, and the
 Google wifi geolocation token (if it exists). We also clear NoScript's site
-and temporary permissions.
+and temporary permissions, and all other browser site permissions.
 
      </para>
      <para>
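Review bot: The new list contains both "offline cache" and "offline storage" without saying how they differ, and "Cookies" is the only capitalized item in an otherwise lowercase enumeration. A parenthetical naming what each of the two offline items covers, plus lowercasing "cookies", would make the list unambiguous. The added "and all other browser site permissions" is a good catch, since NoScript's permissions were previously the only site permissions mentioned as cleared.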
@@ -2570,7 +2573,7 @@ authentication, as well as transfer intermediate build outputs between the
 stages of the build process. Because Gitian creates an Ubuntu build
 environment, we must use cross-compilation to create packages for Windows and
 Mac OS. For Windows, we use mingw-w64 as our cross compiler. For Mac OS, we
-use toolchain4 in combination with a binary redistribution of the Mac OS 10.6
+use crosstools-ng in combination with a binary redistribution of the Mac OS 10.6
 SDK.
 
    </para>
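Review bot: The toolchain name is spelled "crosstools-ng" but the project calls itself crosstool-NG (no "s"); matching the upstream name avoids sending readers looking for the wrong package. Since this line replaces toolchain4, the rest of the Mac OS build description should be checked for other references to the old toolchain.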
@@ -2630,22 +2633,11 @@ patch</ulink>.
 
 The standard way of controlling timestamps in Gitian is to use libfaketime,
 which hooks time-related library calls to provide a fixed timestamp. However,
-libfaketime does not spoof the millisecond and microsecond components of
-timestamps, which found their way into pyc files and also in explicit Firefox
-build process timestamp embedding.
-    </para>
-    <para>
-
-We addressed the Firefox issues with direct patches to their build process,
-which have since been merged. However, pyc timestamps had to be address with 
-an additional <ulink
+due to our use of wine to run py2exe for python-based pluggable transports,
+pyc timestamps had to be address with an additional <ulink
 url="https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/build-helpers/pyc-timestamp.sh">helper
-script</ulink>.
-    </para>
-    <para>
-
-The timezone leaks were addressed by setting the <command>TZ</command>
-environment variable to UTC in our descriptors.
+script</ulink>. The timezone leaks were addressed by setting the
+<command>TZ</command> environment variable to UTC in our descriptors.
 
     </para>
    </listitem>
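Review bot: The typo "had to be address with" survives from the old line into "+pyc timestamps had to be address with an additional"; it should be "addressed". The rewrite also removes the explanation that libfaketime does not spoof the millisecond and microsecond components of timestamps, which is the reason pyc files (and previously the Firefox build) needed separate handling; without it, the "due to our use of wine to run py2exe" clause no longer says why libfaketime is insufficient. Keep one sentence on the sub-second limitation, and consider keeping the note that the Firefox-side timestamp patches were merged upstream, since that tells readers why only pyc files still need the helper script.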
@@ -2687,7 +2679,15 @@ hostname and Linux kernel version can leak from the host OS into the LXC
 container. We addressed umask by setting it explicitly in our Gitian
 descriptor scriptlet, and addressed the hostname and kernel version leaks by
 directly patching the aspects of the Firefox build process that included this
-information into the build.
+information into the build. It also turns out that some libraries (in
+particular: libgmp) attempt to detect the current CPU to determine which
+optimizations to compile in. This CPU type is uniform on our KVM instances,
+but differs under LXC. We are also investigating currently <ulink
+url="https://trac.torproject.org/projects/tor/ticket/12239">unknown sources of
+unitialized memory</ulink> that only appear in LXC mode, as well as
+<ulink url="https://trac.torproject.org/projects/tor/ticket/12240">oddities related to
+time-based dependency tracking</ulink> that only appear in LXC containers.
+
    </para>
   </listitem>
   </orderedlist>   
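Review bot: The added text has "unitialized memory" (should be "uninitialized") and the awkward "We are also investigating currently unknown sources", which reads better as "We are also currently investigating unknown sources". The libgmp sentence states that CPU detection differs under LXC but not what is done about it; a reader comparing KVM and LXC builds needs to know whether this is an open reproducibility gap or already handled (for example by forcing a fixed target at configure time), so say which, or link the ticket if one exists as is done for the two LXC issues that follow.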
@@ -2698,7 +2698,7 @@ information into the build.
     <para>
 
 The build process produces a single sha256sums.txt file that contains a sorted
-list the SHA-256 hashes of every package produced for that build version. Each
+list of the SHA-256 hashes of every package produced for that build version. Each
 official builder uploads this file and a GPG signature of it to a directory
 on a Tor Project's web server. The build scripts have an optional matching
 step that downloads these signatures, verifies them, and ensures that the
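Review bot: The "list of the SHA-256 hashes" fix is fine; the unchanged context line "on a Tor Project's web server" should be "on a Tor Project web server".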
@@ -3100,14 +3100,17 @@ source URL parameters.
   </para>
   <para>
 
-We believe the Referer header should be made explicit. If a site wishes to
-transmit its URL to third party content elements during load or during
-link-click, it should have to specify this as a property of the associated HTML
-tag. With an explicit property, it would then be possible for the user agent to
-inform the user if they are about to click on a link that will transmit Referer
-information (perhaps through something as subtle as a different color in the
-lower toolbar for the destination URL). This same UI notification can also be
-used for links with the <ulink
+We believe the Referer header should be made explicit, and believe that CSP
+2.0 provides a <ulink
+url="http://www.w3.org/TR/CSP11/#directive-referrer">decent step in this
+direction</ulink>. If a site wishes to transmit its URL to third party content
+elements during load or during link-click, it should have to specify this as a
+property of the associated HTML tag or CSP policy. With an explicit property
+or policy, it would then be possible for the user agent to inform the user if
+they are about to click on a link that will transmit Referer information
+(perhaps through something as subtle as a different color in the lower toolbar
+for the destination URL). This same UI notification can also be used for links
+with the <ulink
 url="https://developer.mozilla.org/en-US/docs/HTML/Element/a#Attributes">"ping"</ulink>
 attribute.
 




