[tor-dev] Improving Private Browsing Mode/Tor Browser

[Mike Perry]

Thus spake Georg Koppen (g.koppen at jondos.de):

> > Can you provide specific concerns about facebook wrt the properties
> > from the blog post?
> 
> Not yet, no. I am not a Facebook user and have therefore to look at
> research papers investigating it. And the things I read e.g. in
> http://www.research.att.com/~bala/papers/w2sp11.pdf or in
> http://www.research.att.com/~bala/papers/wosn09.pdf do not seem to break
> the idea proposed in the blog post. But again, there is research to be
> done here, I guess. Redirects (you mentioned them already) could pose a
> serious threat to the approach in the blog post, though (systems like
> Phorm http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf come to my mind).

Wrt redirects: https://trac.torproject.org/projects/tor/ticket/3600

> >>> What do you have in mind in terms of stricter controls?
> >>
> >> Hmmm... Dunno what you mean here.
> > 
> > What changes to the design might you propose?
> 
> There are basically two points to be mentioned here IMO:
> 
> 1) Having a tab (window) isolation additionally (see my comments below)
> 
> and
> 
> 2) Having some means to break the linkage between the same domain called
> more than once in a tab. That would be the best I can imagine and would
> help against attacks using redirects as well but is hard to get right.
> E.g. one had to give the user means to fine-tune the default setting to
> their needs without ending up in a UI nightmare. And there are probably
> numerous other pitfalls lurking here... We have already done some basic
> research (we supervised a BA thesis investigating this concerning
> cookies) but there is still a lot to do. But yes, I would like to have
> that feature and invest some energy to investigate if one can get it
> right in a meaningful way.

Yeah, the issue I see with both this and tab isolation is that it
seems like it will be difficult to teach users who are used to being
able to log into their gmail/etc that they have to keep doing this if
they use a different tab, or try to open pieces of the interface in
new tabs/windows... A non-trivial number of expert users may also like
to have multiple windows open to the same site for live updates from the
same service (which in some cases may prevent multiple concurrent
logins).

> > More broadly, perhaps there is some balance of per-tab isolation and
> > origin isolation that is easily achievable in Firefox?
> 
> I hope so (at least if we had a Firefox fork that would not be much of a
> problem anymore). The Multifox Add-On
> (http://br.mozdev.org/multifox/all.html) claims to have implemented per
> tab identities and I have looked at it superficially. It is quite
> promising and deserves a thorough test.

This is very interesting. If you get around to evaluating it, let me
know. I am still concerned about the usability approach, but if this
dropdown menu is smart enough, maybe it can work out. (If the download
wasn't http-only I would have installed it already).

> Regarding the research grant: I already wrote pde and asked him whether
> he has some interesting stuff that we should try to incorporate into the
> application. If you (Mike) have something don't hesitate and drop me a
> mail. We still have the opportunity to move the things we already have a
> bit around to get something we overlooked into our proposal (the
> deadline is end of July). The topic is investigating and solving issues
> regarding an anonymous browser (profile) and to develop one that is
> resilient to e.g. different fingerprinting attacks and tracking means in
> general.

Funding for user studies and breakage studies would be top of the list
for me, esp if we're talking about tab-isolation, and browser/user
behavior changes.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20110729/12ab2bfb/attachment.pgp>