[tor-dev] Improving Private Browsing Mode/Tor Browser

Georg Koppen g.koppen at jondos.de
Tue Jul 12 05:57:58 UTC 2011

>> That is definitely a good approach. But maybe there is research to be
>> done here as well. Just a rough (and in part research) idea that I had
>> in mind while asking you the question above: What about if we first
>> started looking at different services offered in the web whether they
>> can be deployed anonymously *at all* (or maybe more precisely (but not
>> much): that can be deployed in a way that there is either no linkability
>> at all or the linkability is not strong enough to endanger the user)
>> (that would be worth some research, I guess)?
> What technical properties of the web makes such services impossible to
> use?

The web is not the right object to reason about here. The more
interesting question would be "What techical properties of a service
makes it impossible to get used anonymously?" That remains to be
researched. At the end, maybe there isn't any (though I doubt that).

> Most of the ones I can think of are problematic because of "Layer
> 8" issues like users divilging too much information to specific
> services.

That may hold for most services, yes.

>> We would probably find some services where we had to say: "Well,
>> there is no way to get them used anonymously due to their nature and
>> the power of the companies and/or owners behind them." (Facebook
>> comes here to my mind as a candidate and the Google universe as well
>> due to the power Google has).  Should we say we make the Tor anon
>> mode compatible with these services nevertheless (due to usability
>> issues) and abandon stronger anonymity measures? I would say no. Not
>> at all. Rather we should be honest and say: "Dear User, surfing
>> anonymously AND using Facebook does not work.  You may use the Tor
>> anon mode for that purpose though but there is a high probability
>> that it breaks functionality." 
> How do we be "honest"? Filter their browsing?

No, not at all. That sentence in quotes was not meant literally (in the
sense that we pop up a dialog and show that sentence to the user). The
idea would be (as I wrote above) not to start a race to the bottom and
adapt (i.e. weaken) the unlinkability features to get the anon mode
working with thoses sites as well. That in turn could mean that these
sites break (worst case) while being used in anon mode or are "just"
more inconvenient to use then.

>> The idea of getting more users due to being not too strict here
>> might be appealing but is not the right decision in the end. I think
>> one has to realize that there are services in the web that are
>> *designed* in a way that one EITHER may use them OR use anonymity
>> services. Sure, the devil is in the details (e.g.  there are
>> probably a lot of services that may be usable anonymously but then
>> are accompanied with a certain lack of usability. What about them?
>> Should we decide against usability again or should we loosen our
>> means to provide unlinkability here?) but that does not mean there
>> is no way to find a good solution though. 
> At the end of the day, I don't believe we have to sacrifice much in
> terms of usability if we properly reason through the adversary
> capabilities.

I would be glad if that would be the case but I doubt that (having e.g.
Facebook in mind).

>> In short (and still roughly): I would like to start thinking from
>> having all means available to surf the web anonymously and then
>> downgrade them piece-by-piece to reach a trade-off between anonymity
>> and usability.  Services that may not be used anonymously at all
>> would not trigger such a painful downgrade ("painful" as one usually
>> tries first to hack around existing problems encountering
>> unbelievable design issues and bugs and has to concede finally that
>> it is in the user's interest to exclude that feature (again)).
> Downgrading privacy would be a UI nightmare that no one would
> understand how to use, but assuming we can solve that problem: if we
> can find a way to apply these downgrade options to specific urlbar
> domains, this might make sense. Otherwise you introduce too many
> global fingerprinting issues by providing different privacy options.

No, you got me wrong here. The downgrading occurs while designing the
anon mode not while using it. There should be just one mode in order to
avoid fingerprinting issues. It is merely meant as a design principle
for the dev: starting with all we can get and then downgrading our
defenses until we reach a good balance between usability and anon features.

> What do you have in mind in terms of stricter controls?

Hmmm... Dunno what you mean here.

>>> The need for science especially comes in on the fingerprinting arena.
>>> Some fingerprinting opportunities may not actually be appealing to
>>> adversaries. Some may even appear appealing in theory, but in practice
>>> would be noticeable to the user, too noisy, and/or too error-prone.
>>> Hence I called for more panopticlick-style studies, especially of
>>> Javascript features, in the blog post.
>> Yes, that is definitely a good idea though I tend to avoid them all even
>> if currently no adversary is using them (especially if no usability
>> issue is at stake). First: no one knows whether one did not miss an
>> attacker using this kind of attack vector and second: Getting rid of
>> attack vectors is a good thing per se.
> But going back to your original point, I contend you're not getting
> rid of any attack vectors by eliminating window.name and referer
> transmission. The adversary still has plenty of other ways to
> transmit the same information to 3rd party elements..

Yes, that's true.

> You're just preventing "accidental" information leakage at the cost of
> breaking functionality.
> The ad networks will adapt to this sort of change, and then you're
> right back where you started in terms of actual tracking, after years
> of punishing your users with broken sites..

This depends on how one designs the single features. But I got your point.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20110712/f0b70bf2/attachment.pgp>

More information about the tor-dev mailing list